Data breaches are on the rise worldwide and across industries. In October 2021 a global cloud communications company reported losses of between $9 and $12 million due to a DDoS attack. That same quarter, the manufacturing sector saw a 641% increase in application-layer DDoS attacks compared to the previous quarter.
While some breaches are caused by weaknesses in an organization’s virtual perimeter that allow hackers to exploit software vulnerabilities, a growing number sneak through connected IoT (Internet of Things) devices. As Carl Wearn, head of risk and resilience for e-crime and cyber investigation at Mimecast, noted in this magazine, “Your lightbulb feels a strange compulsion to connect to the Internet, and security is not an underlying premise that people take in connection with these devices.”
Security cameras, access control readers, and other devices that make up physical security systems are likewise often overlooked as a source of vulnerability. With physical security devices of the past, like perimeter fences and door locks, the approach was ‘install what you need and let it do its job.’ As security technology advanced, this mindset persisted. Even as organizations began implementing IP-based technology and IoT devices, they didn’t always think about how these assets might make their networks vulnerable. In some instances, even though a physical security system resides on an organization’s network, it is managed by corporate security instead of the IT department.
Physical security and information security are linked. There’s no difference in the result whether a hacker accesses an organization’s server rooms physically, or through a video surveillance camera, a piece of HVAC equipment, or an employee’s laptop. As cyber threats grow, physical security and IT must work together to safeguard an organization’s network infrastructure.
Unifying physical and cybersecurity
A unified IT-and-physical-security team can develop a comprehensive security program based on a common understanding of risk, responsibilities, strategies, and practices. First, the team should conduct a current posture assessment to identify devices of concern.
- Create an inventory of all network-connected cameras, door controllers, and associated management systems; identify their functions and confirm their role and relevance
- Perform a vulnerability assessment of all connected physical security devices to identify models and manufacturers of concern
- Consolidate/maintain detailed information about each physical security device, including connectivity, firmware version, and configuration
- Improve network design as needed to segment older devices and reduce crossover attack potential
- Document all users who have knowledge of physical security devices and systems
Hardening devices and systems
The team should then recommend improvements for individual devices and the entire system. These can include ensuring all network-connected devices are managed by IT network and security monitoring tools as well as implementing end-to-end encryption to protect video streams and data in transit and storage. Devising and implementing a schedule of ongoing testing and reassessment of risk associated with all inventoried devices is an important part of managing and mitigating risk.
Existing configurations and management practices for physical security devices can be improved by using secure protocols to connect devices to the network, disabling access methods that don’t support adequate security protection, verifying configurations of security features and alerts, and replacing defaults with new passwords that must be changed regularly.
Another best practice for protecting network security is to enhance access defenses with a layered strategy that includes multifactor access authentication and defined user authorizations. Organizations can also improve update management by defining who is responsible for tracking update availability, and for vetting, deploying, and documenting updates on all eligible systems and devices.
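An added example, not part of the original article or any vendor's tooling: a small Python check that applies the assessment and hardening items above to a device inventory and ranks devices for follow-up. The field names, risk weights, firmware baselines, VLAN names and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for this example, not taken from the article.
INSECURE_SERVICES = {"telnet", "ftp", "http", "rtsp"}  # cleartext access methods
MIN_FIRMWARE = {"camera": (2, 4, 0), "door_controller": (1, 9, 3)}

@dataclass
class Device:
    name: str
    kind: str
    firmware: str          # dotted version string, e.g. "2.3.1"
    services: frozenset    # network services enabled on the device
    vlan: str
    default_password: bool
    monitored_by_it: bool

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def assess(device, security_vlans=frozenset({"physec"})):
    """Return (score, findings) for one inventoried device."""
    findings = []
    if device.default_password:
        findings.append((5, "default password still set"))
    for svc in sorted(device.services & INSECURE_SERVICES):
        findings.append((3, f"insecure access method enabled: {svc}"))
    baseline = MIN_FIRMWARE.get(device.kind)
    if baseline is None:
        findings.append((2, "unknown device type, no firmware baseline"))
    elif parse_version(device.firmware) < baseline:
        findings.append((4, f"firmware {device.firmware} below baseline"))
    if device.vlan not in security_vlans:
        findings.append((3, f"not segmented (vlan {device.vlan})"))
    if not device.monitored_by_it:
        findings.append((2, "not covered by IT monitoring"))
    return sum(w for w, _ in findings), [msg for _, msg in findings]

def prioritize(inventory):
    """Rank devices from highest to lowest score, dropping clean ones."""
    ranked = [(d.name, *assess(d)) for d in inventory]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: (-r[1], r[0]))

# Constructed sample inventory.
INVENTORY = [
    Device("lobby-cam-01", "camera", "2.1.7", frozenset({"http", "rtsp"}), "corp", True, False),
    Device("dock-door-02", "door_controller", "1.9.3", frozenset({"https", "telnet"}), "physec", False, True),
    Device("roof-cam-03", "camera", "2.4.1", frozenset({"https"}), "physec", False, True),
]

if __name__ == "__main__":
    for name, score, findings in prioritize(INVENTORY):
        print(f"{score:>2}  {name}: " + "; ".join(findings))
```

Devices that score highest are the first candidates for reconfiguration, segmentation or replacement; the weights should be tuned to the organization's own risk assessment.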
Developing a product replacement strategy
Ultimately, a posture assessment can help determine which devices and systems should be replaced because they present a high cyber risk. When developing replacement programs, organizations should prioritize strategies that support modernization for both physical and cybersecurity. One effective approach is to unify physical and cybersecurity devices and software on a single, open architecture platform with centralized management tools and views.
Replacement programs should also focus on cybersecurity features, including data encryption and anonymization, that are built into a device’s firmware and management software. Another important consideration is looking at a vendor’s capabilities to support a solution lifecycle of up to 10 years, including ongoing availability of updates for firmware and management system software. Vendors should conduct their own penetration tests on a recurring basis to catch any vulnerabilities that could have been missed during product development and guard against new forms of cyberattack.
With cyberattacks increasing, organizations must implement effective measures. An important step towards reducing risks to the IT network associated with physical security devices is to integrate physical security and IT and develop a coordinated strategy for hardening systems. Vigilance is key, and it should extend to every partner in the chain of your physical security system and devices.
Mark Feider is National Director, Enterprise, at Genetec. Prior to joining the company in 2007 he was a national account manager at a large Canadian security systems integrator.