The Implications of Cyber-Physical Security Convergence in Higher Education

Higher Ed Institutions Operate as Small Cities

Asked how such deployment and management questions are taking shape at Rutgers University–Newark, Assistant Vice Chancellor for Technology, Innovation and Learning Environments Kevin Dowlin says, “That is a rabbit hole.”

Joanna Grama, senior principal and partner at Vantage Technology Consulting Group, attorney, and former director of EDUCAUSE’s cybersecurity and IT governance, risk and compliance programs, points to structural complexity as the root cause.

“Higher education institutions are large, decentralized and in many ways resemble small cities,” she says. “It is perhaps unsurprising, then, that responsibility for IT systems, IT security and operational technology security has become fragmented across the sector.”

And just as college and university campuses mimic cities in the broader world, cities, state and local governments, and federal agencies are entrenched in their own conversations and debates around public safety technology; implications for privacy and data protections; and responsibility for purchasing, maintenance and more.

In February, The George Washington University’s College of Professional Studies joined The Cyber Guild to host the annual Cybersecurity, Stronger Together Conference. This year’s theme, Converging Threats and Defenses, brought together industry leaders from cybersecurity, operational technology, kinetic security and policy management to explore the “evolving intersection of digital and physical threats,” according to the event’s website.

DISCOVER: Centralizing cybersecurity is key to a strong defense.

“The digital world impacts the physical world, and we’re living in an era where that integration between IT and OT is real, and every single person carries a device in their pocket that can impact the way that the physical world operates,” Cory Simpson, CEO of the Institute for Critical Infrastructure Technology, shared in a video produced by the conference.

“When you tackle topics identifying vulnerabilities from stadium climate controls and transportation grids to broadcast infrastructure, and brainstorm methodologies for modeling cascading failures, mapping those vulnerabilities at the convergence of digital and kinetic systems, and translating complex threat data into actionable intelligence for executive decision-makers, you need to establish a shared risk language between cybersecurity, physical security and political stakeholders to ensure defense strategies are fully integrated, not siloed,” Liesl Riddle, dean of GW’s College of Professional Studies, noted in her opening conference address.

What’s at Stake in Higher Education?

Historically, facilities or campus police handled physical security. Today, access control, cameras and visitor management platforms run on institutional networks, store footage in the cloud, require regular firmware updates and must comply with cybersecurity standards. That convergence finds resource-strapped higher ed IT teams, particularly on smaller campuses, increasingly responsible for protecting both digital and physical assets. The convergence has also prompted operational challenges at many colleges and universities — of all sizes — to mount.

As high-profile agencies and industry partners continue to work through jurisdictional boundaries and chains of command, in higher education, the challenge grows more complicated due to a growing dearth of qualified or skilled cybersecurity and IT professionals and the heavily siloed IT/OT and cyber infrastructure that’s long proliferated on most campuses, particularly heavily research-focused institutions.

LEARN MORE: Cyber resilience requires a combination of security techniques.

“What we’re seeing now, with the proliferation of Internet of Things devices and everything going on the network, is that we have real skills gaps,” Grama says. “We’re learning that response time isn’t as fast as we would like it to be. Efficiency isn’t as great as we would like it to be. Insights into our data aren’t as great as we would like them to be, just because all of these systems are so separate. That also ties into governance, because if a campus leader needs to have a comprehensive view, and they can’t have a comprehensive view, more issues around compliance and accountability arise.”

At the end of the day, the questions and the challenges boil down to resilience, Grama adds. “If you can’t figure out a way to get all of these different places talking to one another with some sort of controlled review, your campus isn’t resilient. A disaster or an event could be really harmful, especially if you don’t know really where you’re going to fight it. There’s a lot going on in this space.”

Institutions Work to Converge Cybersecurity and Physical Security

At the University of Florida’s Gainesville campus, updates to physical security technology in 2021 opened an opportunity for the physical security office to partner with the university’s IT team to solve campus security storage challenges. The departments collaborated on the design and built out of a solution to host more cameras and video analytics, which could be used by all departments and colleges.

“The university had several distinct video security environments, and not all met the recording standards,” Saira Hasnain, associate CIO and senior director for UF Information Technology, said in a press release. “This allowed the university to standardize and provide a platform where consistency and resiliency could be attained.”

UP NEXT: Stronger security starts with skilled staff.

The University of Michigan’s information technology policies, published by the Office of the Vice President for IT & CIO, include a robust section detailing facets of physical security, defining what technology is included and employing a rubric that clearly delineates which teams are responsible for what.

Physical Security Industry Closes Gaps

Some physical security technology manufacturers tout “secure by design” protections built into their products, offering reassurance that they cannot be readily taken over by bad actors without massive effort and skill, and even as responsibility for the cybersecurity infrastructure around them may be in flux. Axis Communications safeguards include, for example, the company’s Axis Edge Vault for hardware-based cryptographic keys, signed firmware to prevent tampering and Secure Boot to validate integrity.

In December, Axis signed the U.S. Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge “to transparently communicate about the cybersecurity posture of Axis products,” according to a press release. CISA has called on manufacturers to make the security of their customers a core business requirement by addressing the use of multifactor authentication, reducing default passwords, allowing customers to install security patches, publishing a vulnerability disclosure policy and demonstrating transparency in vulnerability reporting, among other protections.