2. Introduction
About Infracritical and Evolutionary Security Management
Infracritical and ESM were formed in response to the need to establish and
define standards and protocols for Critical Infrastructure Protection (CIP).
We are one of the industry leaders within the private sector, providing research
for management, best-practice capabilities, education and training, information
sharing practices, and (most importantly) information security awareness
programs to both the private and public sectors throughout the United States,
Canada and North America.
About Bob Radvanovsky and Allan McDougall
Experienced in Critical Infrastructure Protection (CIP), visionaries, speakers,
and published authors on the subject (Bob: 4 books, Allan: 2 books).
2008 Midwest Information Security Forum 1
3. Convergence of Physical and Logical Infrastructure
Physical Security infrastructure (access control systems, CCTV, etc.) has
traditionally operated in isolation from other systems in order to maintain
confidence that the system has not been compromised.
– As these systems become web-enabled, there is increasing concern that
they can be subject to compromises such as hacking, spoofing, etc.
– As these systems take up space within the network infrastructure, there is
increasing concern that network assets are becoming single points of
failure that can expose the whole organization to compromise.
– Finally, there is increasing concern that as the complexity of these physical
security systems increases, they can occupy increasing amounts of network
resources (bandwidth) and become a business limiter.
4. Convergence of Physical and Logical Infrastructure
Consider this diagram of a network-enabled CCTV system spanning several locations.
Each element is assigned an IP address.
Do these infrastructure points allow an attacker to control the infrastructure
point, or to gain access through the infrastructure point?
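As an added illustration (not from the talk or its diagram), the three concerns of the previous slide applied to the kind of topology the diagram shows: a small Python check over a constructed CCTV network that lists what an untrusted network can reach through the web-enabled viewer, which elements are single points of failure for recording, and how much of a branch uplink the video streams consume. Element names, links and bandwidth figures are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample topology (an assumption, not the talk's diagram): element -> Mbps of video sent toward the recorder.
NODES = {"cam-hq-1": 4.0, "cam-hq-2": 4.0, "cam-br-1": 4.0, "cam-br-2": 4.0,
         "switch-hq": 0.0, "switch-br": 0.0, "nvr": 0.0, "web-viewer": 0.0, "internet": 0.0}
LINKS = [("cam-hq-1", "switch-hq"), ("cam-hq-2", "switch-hq"), ("nvr", "switch-hq"),
         ("cam-br-1", "switch-br"), ("cam-br-2", "switch-br"),
         ("switch-br", "switch-hq"),                                # branch WAN uplink
         ("web-viewer", "switch-hq"), ("internet", "web-viewer")]  # web-enabled viewing
UPLINK_CAPACITY_MBPS = 10.0                                         # assumed uplink capacity

def adjacency(links, removed=frozenset()):
    """Undirected adjacency map with any 'removed' elements taken out (failed or isolated)."""
    adj = defaultdict(set)
    for a, b in links:
        if a not in removed and b not in removed:
            adj[a].add(b)
            adj[b].add(a)
    return adj

def reachable(adj, start):
    """Elements reachable from 'start' by breadth-first search, assuming no filtering en route."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_elements(links=LINKS, untrusted="internet"):
    """Concern 1: every element an untrusted network can reach via the web-enabled viewer."""
    return sorted(reachable(adjacency(links), untrusted) - {untrusted})

def single_points_of_failure(nodes=NODES, links=LINKS, sink="nvr"):
    """Concern 2: elements whose loss (or compromise) cuts cameras off from the recorder."""
    cameras = {n for n, mbps in nodes.items() if mbps > 0}
    spof = {}
    for elem in nodes:
        if elem != sink and elem not in cameras:
            lost = sorted(cameras - reachable(adjacency(links, {elem}), sink))
            if lost:
                spof[elem] = lost
    return spof

def uplink_utilisation(nodes=NODES, links=LINKS, uplink=("switch-br", "switch-hq"),
                       capacity=UPLINK_CAPACITY_MBPS):
    """Concern 3: fraction of the branch uplink consumed by video from its far side."""
    far_side = reachable(adjacency([l for l in links if set(l) != set(uplink)]), uplink[0])
    return sum(nodes[n] for n in far_side) / capacity
```

Re-running exposed_elements() on the link list with the viewer's link to the core switch removed shows how much of the reachable surface a single segmentation decision takes away.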
5. Solution Strategy
Build awareness and integrate Physical Security and IT Security communities
into a common Asset Protection community paying particular attention to
building a comprehensive awareness and capacity of personnel to work across
domains.
– Put forward a plausible vision
– Manage expectations
– Set achievable goals
– Maximize the ability to first anticipate then detect and respond to emerging
issues
6. Key Steps
Key Activities:
– A – Cross train personnel to build awareness
– B – Small-scale projects to build and prove interaction between communities
– C – Ensure expert-driven contributions to improve effectiveness, reduce
waste and identify possible avenues of risk
Key Resources
– Visionary leadership
– Cross training up to cross certification integrated into job expectations
– Small scale test environment isolated from critical systems
7. Results
Security personnel more aware of situations that allow the means and
opportunity for threat agents to compromise the organization
Greater granularity of understanding of infrastructure at the enterprise level
Greater ability to achieve domain awareness in terms of facility security and
trend analysis through automation
8. Lesson #1: Manage Expectations
Just because technology exists doesn’t mean it’s appropriate to your
environment
– Security intrinsic to the system commensurate with the assets being protected
– Tested, certified, or accredited?
Put a check and balance on new technology acquisitions ensuring that they are
being proposed based on business lines
– New technology should be linked to improvements in business processes
or reductions in overhead
– Closely monitor communities that constantly attempt to install the “latest
and greatest”
Unnecessary collections of shiny things only attract trouble
9. Lesson #2: Set a Central Change Management Authority
Senior Management Support
– Early step in the consultation process
– Mandatory step in approval process
Check and balance for integration of new technologies
– Consistency (procurement, maintenance and disposal)
– Modularity to ensure granularity (detail) and interoperability (compatibility)
– Scalability in support of changing and evolving business requirements
Management of change means appropriately integrating tools to improve
efficiency and effectiveness
10. Lesson #3: Balance the Team
Do not allow Physical Security or IT Security to dominate
– Symbiosis under the need to ensure effective and efficient business
processes
– Take advantage of knowledge bases across communities to ensure best
possible solution
Appropriate Delegation
– Prevent decisions without understanding risk
– Ensure risk management includes consideration for all potentially impacted
parties (including system and data owners where appropriate)
Reinforce the concept that individual success depends upon team success
11. Lesson #4: Integrate Process Models for Integration
Similar to the COBIT Model
– Plan and Organize based on business needs and ensuring the ability to
prevent, detect, respond to and recover from security events
– Acquire and Implement to ensure that modularity and scalability are
maintained while not exposing critical infrastructure to unknown risks
– Deliver and Support using personnel who understand physical and logical
risks so that internal actions do not create unknown vulnerabilities
– Monitor and Evaluate the performance of the system against system
performance criteria commensurate to the sensitivity of assets involved
Remember that process is there to serve a purpose, not to be the purpose
12. Lesson #5: Understand that Knowledge is Power
Awareness in Management of key issues
– What is real and what is visionary
Cross training of experts to minimize conflicts of ideologies and maximize
understanding
– Definition bases
– Core concepts and models
– Due diligence
Impose continuous learning and professional development
– Do not allow complacency
– When you’re green you’re ripe, when you’re ripe you’re rotten
You need to understand that administration, management and leadership are
complementary but not the same thing
13. Contact Information
Bob Radvanovsky, CIFI, CISM, CIPS
rsradvan@infracritical.com
Allan McDougall, PCIP, CMAS
amcdougall@evolutionarysecurity.ca