Automation Can Close the Gap on Cyber Exposures
Security pros can protect their systems without being cybersecurity experts
- By Tom Galvin
- Apr 01, 2019
See no evil, hear no evil, speak no evil: It is tempting for physical security professionals to take this passive approach to cybersecurity. End users can be blind to threats and vulnerabilities from their security system and other IoT devices. Many integrators and installers don’t feel comfortable discussing the topic with their customers.
While IT departments may have the responsibility for cybersecurity, they often don’t have good visibility into the physical security system and other IoT assets. Even as security systems become increasingly interconnected and IT-oriented, physical security pros and IT often don’t want to hear from or talk to each other. Speaking different languages, many just don’t know how to communicate.
Physical security pros must take responsibility for cybersecurity now. By using automation technologies, installers can apply cyber practices without being cybersecurity experts. Monitoring for cyber and other system health issues sustains a secure and reliable system for end users and differentiates the service provided by the system installer.
Physical Security Cyber Vulnerabilities
Technologies connected to the physical realm are yielding incredible applications, from predicting maintenance problems in oil field equipment to recognizing the signature walk of employees for identity management. Yet these applications create threats to organizations and opportunities for criminals. Hackers can use unsecured IoT devices to infiltrate corporate networks, launch attacks on the public internet or disrupt the video surveillance system.
A growing list of elements provides attack surfaces that IT organizations cannot see, such as network cameras, sensors, cloud-based video and mobile devices, Windows-based video management systems, and Ethernet networks that extend to hallways and parking lots.
Neither IT nor their access layer switches typically monitor site-specific endpoints such as cameras and access control. Unfortunately, this means that security managers don’t know when these units are compromised, go off-line, stop streaming video or audio, reboot, or are just missing.
In general, many organizations don’t know just how many devices they have. For instance, business units are deploying many IoT devices with some help from IT but few consultations with physical security experts. According to a survey by the Ponemon Institute and Shared Assessments, just 15 percent of organizations have an inventory of most of their IoT devices and less than half have a policy to disable those that present a risk.
IT and Physical Security Systems Increasingly Linked
While organizations across the globe are gravely concerned about cybersecurity, the relationship between IT and physical security can be blurry. It’s challenging to safeguard all physical and digital assets when there’s little communication, collaboration, or shared understanding between these teams. IT managers often “solve” the problems by asking the physical security team to create separate networks for cameras and other physical security devices.
While such arrangements may give IT managers a sense of security, rarely is there a complete, clean break between the enterprise network and the physical security network. For example, even well-protected and isolated “camera only” networks can have both intentional and unintended connections that link to the main corporate network. Deploying just one IP-based camera or other IoT device at a remote site can open an organization’s corporate network to a cyber threat.
Lack of Expertise on Both Sides
IT is struggling to secure the elements in its traditional domain, and expertise is a scarce commodity on both sides. The (ISC)2 Cybersecurity Workforce Study cites a global shortage of three million cybersecurity professionals, with 500,000 of those in North America. Nearly two-thirds of those surveyed said their organizations lack enough cybersecurity staff, and this puts them at risk of attack.
In Kaspersky Lab’s 2018 “The State of the Industrial Cybersecurity” report, survey respondents listed their top challenges as hiring employees with the right skills, securing new IoT systems, finding dependable partners and service providers for implementing cybersecurity solutions, and increasing interconnectedness with corporate/enterprise IT.
Many physical security pros do not have the time, budget, or knowledge to properly harden cameras and other IoT devices. Securing these endpoints often requires a detailed understanding of network operations and a labor-intensive process. Then there’s the challenge of monitoring and maintaining hundreds or thousands of installed devices against evolving risks.
Automation to the Rescue
Even if the industry had enough professionals in the right positions—or could find the right partners—humans alone cannot handle the myriad tasks required to secure, monitor, and maintain these systems. CSOs know well the challenges of identifying credible threats hidden among billions of daily security events. They’ve been investing in automation technologies to do things such as threat hunting, alert triage, event management, incident response, and user management.
Physical security teams should do the same. Instead of see no evil, hear no evil, speak no evil, operators should explore automation tools that enable them to see all assets, secure all assets and monitor all assets.
See all assets. The fundamental first step to securing the security network is knowing what is connected to it. An effective system automatically detects what devices are connected to the network. This “device” scan should be continuous, discovering when new devices are placed on the network.
For instance, have new network cameras been added or broken cameras replaced? Have other devices been added to the network ports either unintentionally or maliciously? Newly detected devices should not be allowed to communicate with the network until they are acknowledged and bound to the network port with MAC binding or with a certificate.
A complete, real-time inventory of connected devices can help identify potential threats and weaknesses. In addition to identifying devices by type such as camera, access control device, IP phone, and laptop, the inventory should include manufacturer, model, and firmware version.
Secure all assets. Once devices are detected, automation should protect or “harden” legitimate ones with best practices. Rogue or unnecessary devices should be automatically blocked or locked out.
IoT hardening is usually unique to the IoT device type. For example, camera hardening is different from IP phone hardening. Automation can correctly identify the device type and guide the installer through the hardening process that is appropriate for that device.
Automation tools can also configure best practices such as enabling a protected VLAN for the security system, changing a camera’s default login credentials, and binding a camera’s MAC-ID to the network. This ensures that rogue devices are not plugged into exposed Ethernet ports on the perimeter of the network.
Other key hardening practices that can be automated include closing unused ports, removing unneeded network services, whitelisting to restrict traffic to known networks, locking down exposed network connections, and enforcing password complexity to stop default and common password usage.
Monitor all assets. Once detected, automation can passively monitor all assets 24/7. Yet monitoring to the server or switch is insufficient. Visibility is needed down to the IoT device to provide notifications when devices have vulnerabilities or performance problems.
Automated cyber protections can monitor network flows, detect abnormalities, and respond immediately to suspected attacks. These tools can be configured to look for events such as cable changes, device disconnections, changes in data flow and direction, abnormal bandwidth and power consumption, and camera image quality changes.
When abnormal behavior is detected, automation technologies can generate alerts and take proactive interventions such as disabling a device’s data or power port. For example, is that camera that just went offline for a second a momentary glitch, or a hacker plugging in a laptop?
Cyber monitoring is most effective if it is integrated with the existing dashboards used to monitor physical security systems. For many systems, the video management software or central station alarm software is the primary health dashboard. Other physical security systems are integrated with IT-oriented tools such as network monitoring systems.
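As an added illustration of the “see all assets” and “monitor all assets” steps above (example code written for this page, not the author’s or any product’s), the Python below reconciles one discovery scan against the acknowledged port-to-MAC bindings: a device on an unbound port is held off the network until it is acknowledged, a bound port carrying a different MAC is flagged as a cable change or swapped device, and a bound port with nothing on it is reported as offline or missing. The switch port names, device records and locally administered MAC addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Device:  # one endpoint as a discovery scan would report it (constructed shape)
    mac: str
    vendor: str
    model: str
    firmware: str
    kind: str  # camera, access_control, ip_phone, laptop, unknown

@dataclass(frozen=True)
class Finding:
    port: str
    severity: str  # "block": keep the port isolated; "warn": raise on the health dashboard
    message: str

def reconcile(bindings: Dict[str, str], seen: Dict[str, Device]) -> List[Finding]:
    """Compare one scan against the acknowledged port -> MAC bindings.
    Unbound or swapped MACs are blocked (held until acknowledged and bound);
    a bound port with nothing on it is reported as offline or missing."""
    findings: List[Finding] = []
    for port, dev in sorted(seen.items()):
        bound = bindings.get(port)
        if bound is None:
            findings.append(Finding(port, "block", f"unacknowledged {dev.kind} "
                f"{dev.mac} ({dev.vendor} {dev.model}, firmware {dev.firmware})"))
        elif bound.lower() != dev.mac.lower():  # MAC comparison is case-insensitive
            findings.append(Finding(port, "block", f"bound MAC {bound} replaced by "
                f"{dev.mac} ({dev.kind}); cable change or swapped device"))
    for port, mac in sorted(bindings.items()):
        if port not in seen:
            findings.append(Finding(port, "warn", f"bound device {mac} absent; offline or missing"))
    return findings

# Constructed sample: three acknowledged bindings (locally administered MACs) and one scan.
BINDINGS = {
    "Gi1/0/1": "02:AA:BB:00:00:01",  # camera
    "Gi1/0/2": "02:AA:BB:00:00:02",  # camera
    "Gi1/0/3": "02:AA:BB:00:00:03",  # door controller
}
SCAN = {
    "Gi1/0/1": Device("02:aa:bb:00:00:01", "ExampleCam", "PTZ-1", "9.40.1", "camera"),
    "Gi1/0/2": Device("02:cc:dd:00:00:99", "ExampleLaptop", "L1", "n/a", "laptop"),
    "Gi1/0/4": Device("02:ee:ff:00:00:04", "unknown", "unknown", "unknown", "unknown"),
}

def demo() -> List[Finding]:
    """Run the constructed scan: two blocks (Gi1/0/2, Gi1/0/4) and one warn (Gi1/0/3)."""
    return reconcile(BINDINGS, SCAN)
```

Run continuously, the same reconciliation against each new scan is what turns a one-time inventory into the ongoing discovery and offline detection the text calls for.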
Automation Today
Physical security pros can take the same approach as CSOs who are investing in automation technologies to evolve their security programs. CSOs recognize that innovations in AI, machine learning, and automation can bridge their gaps in expertise and the sheer manual labor required to properly secure their IT assets. According to Accenture’s 2018 “State of Cyber Resilience” report, 40 percent of CSOs are investing in automation and more than half are investing in IoT security.
The physical security industry does not have enough of these automated tools, but some early models have emerged. For example, Axis’ Device Manager has evolved to facilitate device discovery and device hardening functions for Axis branded cameras, access control, and audio devices. Razberi’s CameraDefense cybersecurity solution automatically discovers, hardens, and monitors cameras and IoT devices.
Integrating these types of tools with existing security management tools can help provide comprehensive coverage of the physical security ecosystem. A single management and operational dashboard creates a more efficient workflow to address cyber threats within the surveillance system infrastructure. For instance, alerts from Razberi CameraDefense are supported by video management systems such as Milestone XProtect or IT network tools such as SolarWinds.
It is time for the physical security industry to take control of its own destiny. See no evil, hear no evil, speak no evil is not a security strategy. Working more closely with IT to secure the burgeoning number of IoT devices is imperative. Applying automation to physical security can ensure that best practices are done correctly and at scale, saving staff hours, preventing cyber attacks, and avoiding adverse impacts to bottom lines and reputations.
This article originally appeared in the April 2019 issue of Security Today.