Blurring the Lines
Networks, departments and the line between physical and cybersecurity
- By Peter Boriskin
- Dec 01, 2018
Thanks to wireless lock technologies, cloud-based software,
and smartphone/tablet integration, it is now possible
to deploy a secure, manageable, and cost-effective
security solution without the need for complicated and
expensive infrastructure. With these advancements and
the continued overall reduction in device costs as performance increases,
we are seeing a sharp upsurge in the deployment of “smart”
locks and integrated/networked access control and security systems.
From private homes and multi-family environments, to public facilities
and agencies of all types, customers are recognizing the value
of enhanced security, control, and detailed information possible
with today’s access control and security systems. If these systems are not
properly “hardened” and designed with physical and cybersecurity best
practices in mind, however, there is also great risk.
These new solutions reach far beyond door openings. Server
cabinets, lockers, traditional cabinets, and other high-density lock
applications represent tremendous opportunities and provide a
path for security professionals to increase business and deliver a
compelling new service for customers if designed with protection
foremost in mind.
Here are a few topics we expect to dominate the security integration
discussion in 2019.
It is All Just Security
Documents, assets and information are often discussed as an element
separate from cybersecurity. While these functions have been
managed separately, in today’s highly networked and integrated environment,
this is no longer tenable.
There is a long list of physical items containing data that must be
protected—even if the data is offline. In just the last few years, the
Department of Health and Human Services’ Office for Civil Rights
has settled with a number of organizations that failed to secure or
protect physical devices. These cases highlight the need for not only
better encryption policies but stronger physical security mechanisms.
Many industries have figured out that physical and information
security are no longer two separate functions—physical security
and cybersecurity can and should support each other. Cyber risks
can rapidly compromise a facility’s physical security. When internal
systems are shut down by a cyber attack, it jeopardizes the facility’s
entire security profile.
If left unprotected, a range of background systems, such as water purity
systems, fire controls, lighting and HVAC systems, can inadvertently
provide access to the larger network. Even well-hardened security
systems may have cameras or lock systems that can provide malicious
access. Interruption to power systems can be devastating. At this level
of connectivity, cybersecurity quickly becomes a physical concern.
Departments Converge
Engineers, integrators, and administrators of all systems today have
a very heavy reliance on the network. If the core network system isn’t
working correctly—or is under attack from internal as well as external
threats—the system will not be able to perform its functions as
intended, and any security breach can reach far beyond the security
network to the rest of the organization’s digital infrastructure.
Edge devices of all types—cameras, locks, sensors, control pads—
are vulnerable parts of a network. Any security system design must
take this into account. Because one solution does not fit all applications
or address all threats, a multi-layered approach is best for deploying
an optimally functional and secure network.
Due to the shift to a digital world, both facilities and IT now need
to look at the network and physical assets together. Just as a facilities
worker needs to understand wireless security on an access control
unit, IT personnel need to worry about people getting unauthorized
access to servers.
Network design considerations for security management are essential
to ensure system performance, data integrity, and threat mitigation.
The challenge is that system security integrators are often
confronted with a multitude of existing situations, which may not
meet industry or manufacturer best-practice standards in today’s dynamic
cybersecurity-centric world. For this, Facility, Security and IT
departments must work more closely than ever before—often merging
into single departments.
Critical Password Management
As we work to prevent access to the core network, the device layer
becomes critical. System designers must secure all devices and make
sure they are addressing the right resources and that the traffic has
been authenticated. This can be done through the use of proper traffic
certificates and password management.
Most devices today can encrypt command and control traffic, but
to do this, a certificate needs to be assigned to the device. Typically,
a self-assigned certificate is used, which in itself is not inherently secure.
One of the best ways to do this is with a third-party certificate/policy
enforcement service utility.
With a certificate authority in the mix, the service says yes, this is a
signed certificate between the device and the server. These two parties
can now communicate. Password management systems such as YubiKey
and LastPass, for example, can provide solid, easy-to-use hardware and
software password management solutions. For additional protection,
management utilities can dictate password changes and password hygiene.
Administrators can request through the server that all devices have a
password with 25 characters, which is randomly generated by the server,
adding a high level of security.
We have seen big network-distributed denial-of-service hacks
based on devices that for the most part still had default passwords
in them—clearly a fundamental IT security mistake. If the IT department
had been involved, those devices probably would not have
still had their default passwords and would have been secure. Password
management and certification hygiene are already essential
topics for integrators, and this will only continue to become even
more important.
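The server-side policy described above, sketched as an added example that is not part of the original article: it audits a constructed device inventory for default or short passwords and replaces them with 25-character random ones. The device names, the default-password list and the symbol set are assumptions made for illustration.

```python
import secrets
import string

# Policy from the article: 25-character, server-generated random passwords.
PASSWORD_LENGTH = 25
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed factory defaults; a real audit uses the vendors' documented ones.
KNOWN_DEFAULTS = {"admin", "password", "12345", "default"}


def generate_device_password(length=PASSWORD_LENGTH):
    """Return a CSPRNG password containing every character class."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(not c.isalnum() for c in candidate)):
            return candidate


def needs_rotation(password):
    """Flag factory defaults and anything shorter than the policy length."""
    return password.lower() in KNOWN_DEFAULTS or len(password) < PASSWORD_LENGTH


def rotate_fleet(inventory):
    """Return (new_inventory, rotated_ids); compliant devices are left untouched."""
    updated, rotated = {}, []
    for device_id, password in inventory.items():
        if needs_rotation(password):
            updated[device_id] = generate_device_password()
            rotated.append(device_id)
        else:
            updated[device_id] = password
    return updated, rotated


# Constructed sample inventory (device id -> current password).
SAMPLE_INVENTORY = {
    "camera-lobby-01": "admin",
    "lock-server-room": "12345",
    "keypad-dock-03": "Zq7!mV2#xT9@bL4$wR8^nK6&e",
}

if __name__ == "__main__":
    _, rotated = rotate_fleet(SAMPLE_INVENTORY)
    print("rotated:", rotated)
```

In a real deployment the new values would be pushed to the devices over an authenticated channel and kept in a secrets store, not held in a plain dictionary.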
The IoT Opportunity
As the Internet of Things continues to expand, the intersection of
IT and physical security is more critical than ever. Integrators need
to be knowledgeable in these solutions to deliver more value to their
customers, and to ensure successful deployments. This requires the
ability to work effectively with both security and IT departments for
a comprehensive and holistic approach that provides the highest efficiency
and level of protection for their customers.
Now that IT and physical security are often using the same equipment
and infrastructure, investment costs for each department can be
reduced. For example, smart card or mobile phone solutions can be
used for both IT applications (network logon or secure printing) and
physical security (to gain access to the building itself or areas within
the building).
The ability to gain additional utility not only helps lower the costs
for each department but also simplifies management because a single
credential is being used across multiple applications.
While the proliferation of IP-enabled equipment represents an
opportunity for integrators to grow their business by securing a greater
percentage of a facility, the growth in connected solutions combined
with declining hardware prices is driving solutions providers to
search for new revenue streams.
Mobile Access
For security dealers and integrators who service environments of
most any size, cost-effective, easy-to-deploy, and easy-to-use mobile
access management systems are now attainable. The latest technology
allows managers and developers to not only increase security and
convenience but to increase the value of their properties by making
convenient access a marketable asset to attract and retain residents.
With the majority of the population now relying on their mobile
phones for managing nearly every aspect of their lives, mobile credentials
will soon become a requirement for many customers. This
drastically impacts the way that access control software is delivered.
Wireless and mobile technologies offer a secure, manageable and
cost-effective approach without the need for expensive infrastructure.
Partner for Success
It’s critical today that integrators embrace emerging technologies
such as mobile, cloud-based services and other new tools to make
their jobs easier, their companies more profitable, and to provide better
solutions for their customers.
It would be next to impossible for a single company to provide the
in-depth expertise for planning for and managing all these concerns.
Just as IT and Security departments are merging, and just as Physical
Security and cybersecurity are becoming a single
discipline, it is essential that integrators seek out
and work with manufacturers and other subject
matter experts who understand, embrace and support
these technologies within their solutions.
This article originally appeared in the November/December 2018 issue of Security Today.