Blurring the Lines

Blurring the Lines

Networks, departments and the line between physical and cybersecurity

Thanks to wireless lock technologies, cloud-based software, and smartphone/tablet integration, it is now possible to deploy a secure, manageable, and cost-effective security solution without the need for complicated and expensive infrastructure. With these advancements and the continued overall reduction in device costs as performance increases, we are seeing a sharp upsurge in the deployment of “smart” locks and integrated/networked access control and security systems.

From private homes and multi-family environments, to public facilities and agencies of all types, customers are recognizing the value of enhanced security, control, and detailed information possible with today’s access control and security systems—but if not properly “hardened” and designed with physical and cybersecurity best practices in mind—there is also great risk.

These new solutions reach far beyond door openings. Server cabinets, lockers, traditional cabinets, and other high-density lock applications represent tremendous opportunities and provide a path for security professionals to increase business and deliver a compelling new service for customers if designed with protection foremost in mind.

Here are a few topics we expect to dominate the security integration discussion in 2019.

It is All Just Security

Documents, assets and information, are often discussed as an element separate from cybersecurity. While these functions have been managed separately, in today’s highly networked and integrated environment, this is no longer tenable.

There is a long list of physical items containing data that must be protected—even if the data is offline. In just the last few years, the Department of Health and Human Services’ Office for Civil Rights has settled with a number of organizations that failed to secure or protect physical devices. These cases highlight the need for not only better encryption policies but stronger physical security mechanisms.

Many industries have figured out that physical and information security are no longer two separate functions—physical security and cybersecurity can and should support each other. Cyber risks can rapidly compromise a facility’s physical security. When internal systems are shut down by a cyber attack, it jeopardizes the facility’s entire security profile.

If left unprotected, a range of background systems can inadvertently provide access to the larger network—water purity systems, fire controls, lighting and HVAC systems—even well-hardened security systems may have cameras or lock systems that can provide malicious access. Interruption to power systems can be devastating. At this level of connectivity, cybersecurity quickly becomes a physical concern.

Departments Converge

Engineers, integrators, and administrators of all systems today have a very heavy reliance on the network. If the core network system isn’t working correctly—or is under attack from internal as well as external threats—the system will not be able to perform its functions as intended, and any security breach can reach far beyond the security network to the rest of the organization’s digital infrastructure.

Edge devices of all types—cameras, locks, sensors, control pads— are vulnerable parts of a network. Any security system design must take this into account. Because one solution does not fit all applications or address all threats, a multi-layered approach is best for deploying an optimally functional and secure network.

Due to the shift to a digital world, both facilities and IT now need to look at the network and physical assets together. Just as a facilities worker needs to understand wireless security on an access control unit, IT personnel need to worry about people getting unauthorized access to servers.

Network design considerations for security management are essential to ensure system performance, data integrity, and threat mitigation. The challenge is that system security integrators are often confronted with a multitude of existing situations, which may not meet industry or manufacturer best-practice standards in today’s dynamic cybersecurity-centric world. For this, Facility, Security and IT departments must work more closely than ever before—often merging into single departments.

Critical Password Management

As we work to prevent access to the core network, the device layer becomes critical. System designers must secure all devices and make sure they are addressing the right resources and that the traffic has been authenticated. This can be done through the use of proper traffic certificates and password management.

Most devices today can encrypt command and control traffic, but to do this, a certificate needs to be assigned to it. Typically, a selfassigned certificate is used, but which in itself is not inherently secure. One of the best ways to do this is with a third-party, certificate/policy enforcement service utility.

With a certificate authority in the mix, the service says yes, this is a signed certificate between the device and the server. These two parties can now communicate. Password management systems such as YubiKey and LastPass, for example, can provide solid, easy-to-use hardware and software password management solutions. For additional protection, management utilities can dictate password changes and password hygiene so administrators can request through the server that they want all devices to have a password with 25 characters and this will be randomly generated by the server, adding a high level of security.

We have seen big network-distributed denial-of-service hacks based on devices that for the most part still had default passwords in them—clearly a fundamental IT security mistake. If the IT department had been involved, those devices probably would not have still had their default passwords and would have been secure. Password management and certification hygiene are already essential topics for integrators, and this will only continue to become even more important.

The IoT Opportunity

As the Internet of Things continues to expand, the intersection of IT and physical security is more critical than ever. Integrators need to be knowledgeable in these solutions to deliver more value to their customers, and to ensure successful deployments. This requires the ability to work effectively with both security and IT departments for a comprehensive and holistic approach that provides the highest efficiency and level of protection for their customers.

Now that IT and physical security are often using the same equipment and infrastructure, investment costs for each department can be reduced. For example, smart card or mobile phone solutions can be used for both IT applications (network logon or secure printing) and physical security (to gain access to the building itself or areas within the building).

The ability to gain additional utility not only helps lower the costs for each department but also simplifies management because a single credential is being used across multiple applications. While the proliferation of IP-enabled equipment represents an opportunity for integrators to grow their business by securing a greater percentage of a facility, the growth in connected solutions combined with declining hardware prices is driving solutions providers to search for new revenue streams.

Mobile Access

For security dealers and integrators who service environments of most any size, cost-effective, easy-to-deploy, and easy-to-use mobile access management systems are now attainable. The latest technology allows managers and developers to not only increase security and convenience but to increase the value of their properties by making convenient access a marketable asset to attract and retain residents.

With the majority of the population now relying on their mobile phones for managing nearly every aspect of their lives, mobile credentials will soon become a requirement for many customers. This drastically impacts the way that access control software is delivered. Wireless and mobile technologies offer a secure, manageable and cost-effective approach without the need for expensive infrastructure.

Partner for Success

It’s critical today that integrators embrace emerging technologies such as mobile, cloud-based services and other new tools to make their jobs easier, their companies more profitable, and to provide better solutions for their customers.

It would be next to impossible for a single company to provide the in-depth expertise for planning for and managing all these concerns. Just as IT and Security departments are merging, and just as Physical Security and cybersecurity are becoming a single discipline, it is essential that integrators seek out and work with manufacturers and other subject matter experts who understand, embrace and support these technologies within their solutions.

This article originally appeared in the November/December 2018 issue of Security Today.

Featured

  • TSA Intercepts 6,678 Firearms at Airport Security Checkpoints in 2024

    During 2024, the Transportation Security Administration (TSA) intercepted a total of 6,678 firearms at airport security checkpoints, preventing them from getting into the secure areas of the airport and onboard aircraft. Approximately 94% of these firearms were loaded. This total is a minor decrease from the 6,737 firearms stopped in 2023. Throughout 2024, TSA managed its “Prepare, Pack, Declare” public awareness campaign to explain the steps for safely traveling with a firearm. Read Now

  • 2024 Gun Violence Report: Fewer Overall Incidents, but School Deaths and Injuries Are on the Rise

    Omnilert, provider of gun detection technology, today released its compilation of Gun Violence Statistics for 2024 summarizing gun violence tragedies and their adverse effects on Americans and the economy. While research showed a decrease in overall deaths and injuries, the rising number of school shootings and fatalities and high number of mass shootings underscored the need to keep more people safe in schools as well as places of worship, healthcare, government, retail and commerce, finance and banking, hospitality and other public places. Read Now

  • Survey: Only 7 Percent of Business Leaders Using AI in Physical Security

    A new survey from Pro-Vigil looks at video surveillance trends, how AI is impacting physical security, and more. Read Now

  • MetLife Stadium Uses Custom Surveillance Solution from Axis Communications

    Axis Communications, provider of video surveillance and network devices, today announced the implementation of a custom surveillance solution developed in collaboration with the MetLife Stadium security team. This new, tailored solution will help the venue augment its security capabilities, providing high-quality video at unprecedented distances and allowing the security team to identify details from anywhere in the venue. Read Now

Featured Cybersecurity

Webinars

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3