As conflicts continue and geopolitical tensions rise, public and private sector organisations must be extra vigilant and on heightened alert for malicious cyber activity targeting their networks. Borders do not exist in cyberspace and once malware is deployed it can infect vulnerable systems worldwide.
It may seem ironic that a physical security solution designed to protect people and property can provide an entry point for cybercriminals. But because these systems – video surveillance, access control, alarms, communications, and more – are increasingly connected to a range of IoT devices, networks and IT infrastructure, they can be quite vulnerable.
While security teams are regularly on the alert to ward off attacks designed to remotely stop the video feed from a camera, open or lock a door, or disrupt critical building systems, most cyber-attacks are not intended to compromise the physical safety of people or property. Instead, these attacks target applications, files and data managed by IT. An attack that originates in a camera can find its way through the network to block access to critical applications; lock and hold files for ransom; and steal personal data.
Closing the Gaps
To determine the cyber risk of physical security systems, organisations should conduct a posture assessment, creating and maintaining an inventory of all network-connected devices and their connectivity, firmware version and configuration. As part of the assessment, they must identify models and manufacturers of concern. They should also document all users with knowledge of security devices and systems.
The review can pinpoint devices and systems that should be replaced. When developing a replacement program, organisations should prioritise strategies that support modernisation. One effective approach is to unify physical and cybersecurity devices and software on a single, open architecture platform with centralised management tools and views.
Additionally, while it’s a bigger undertaking, it is highly recommended that organisations bring cybersecurity and physical security teams together to work collaboratively and proactively, so they can develop a comprehensive security program based on a common understanding of risk, responsibilities, strategies, and practices.
Ongoing Best Practices
Once secure devices and protocols are in place, organisations should follow best practices to keep physical security systems safe and sound.
Security monitoring. Ensure all network-connected physical security devices are monitored and managed by the IT tools for network and security management. Also check for features in the video management system (VMS) and access control system (ACS) that provide alerts or data for use by IT’s network and security monitoring tools.
Protection measures. Use secure protocols to connect devices to the network. Disable access methods that support a low level of security protection, and continually verify configurations of security features and alerts. Of course, replace default passwords with new ones that are changed on a regular schedule.
Encryption. End-to-end encryption offers the most security to protect video streams and data as they travel from the physical security device to a management system for viewing. Also ensure that encryption protects these files and data while in storage.
Access defenses. Strengthen the security of user and device access with a multilayer strategy that includes multifactor access authentication and defined user authorisations.
Software updates. One management function that can be overlooked when cybersecurity and physical security teams are separate is installation of software updates and patches. Define who is responsible for maintaining awareness of when updates are available, and who vets, deploys and documents updates on all devices and systems.
Supply chain. Ensure that all suppliers of hardware and software for your physical security systems – including manufacturers of components within OEM solutions -- take cybersecurity into account in the development of their solutions, right from the design stage. They should communicate transparently about their possible vulnerabilities, do everything possible to remedy them, and assume their responsibilities in the event of a breach.
There is no such thing as zero risk when it comes to cybersecurity. By recognising that physical and cyber domains are interdependent, by applying best practices and implementing systematic cyber-hygiene policies, organisations can dramatically reduce risk and strengthen security, even as cyber-threats grow more sophisticated and targeted amidst global political turmoil.