Focus on Physical and Cyber Linkages

Focus on Physical and Cyber Linkages

All the discussions in recent years about the “convergence” of physical and cyber security have fallen short in one crucial area. The arguments about how best to organize the departments, set the budgets, and who should report to whom have not succeeded in making organizations more secure. Network penetrations are still happening, doors are still being propped open, and ransomware attacks are still succeeding.

As recently as December 2020, the federal government confirmed perhaps the largest and most damaging cybersecurity breach in history, and the most sobering thing about that breach is that we still do not know the intentions of the attackers. Instead of organizational debates, leadership at every organization should be squarely focused on preventing security breaches of all kinds, and engaging the entire team with processes and actions to work toward that result.

Physical Security Vulnerabilities Are Cyber Vulnerabilities
We now know that physical security devices – including not only cameras but also every networked device that is part of these systems – is a potential entry point for cyber attackers and breaches. Physical security devices are themselves IoT devices (Internet of Things) and designed to access networks. But while most IT departments have specific processes for protecting networked PCs and similar organizational devices, the same is often not the case for physical security IoT equipment.

For example, unlike with traditional computers or mobile devices, there are no built-in mechanisms to address new vulnerabilities that are discovered after physical security devices are placed in service. Often the devices are installed with out-of-date firmware that is vulnerable to known attack methods. This is one reason why physical security systems are the #2 most successful attack surface used by cyber criminals to breach an organization.

Even worse, the problem is quickly becoming bigger – the number of connected devices that could compromise network security is increasing at a phenomenal rate. The consensus of a number of market analysts is that the number of network-connected devices will exceed 25 billion within the coming year – and that more than half of those devices will be unmanaged and/or IoT devices. Examples of the devices in this category include not only security cameras, but also VoIP terminals, printers, point-of-sale terminals, medical devices, and many more. These devices will greatly outnumber the traditional enterprise devices such as PCs and servers, as well as managed BYOD devices such as tablets, smartphones, and laptops.

Protecting Physical Security and IoT Devices
Taking action to protect these devices from unauthorized access also helps to protect your entire network. Protecting an IoT device involves reducing the device’s attack surface by eliminating or hardening points of attack, especially for these three areas of vulnerability:

  • Logon credentials
  • Firmware vulnerabilities
  • Digital certificates used for device ID and data encryption

Let’s look at proactive strategies for each of these areas.

Logon Credentials
Logon credentials, such as for security video cameras, are especially vulnerable in high device count deployments because it is hard to conform to good password practices using a manual management process. Typical risky practices include the use of default, repeated, or shared passwords across groups of devices, and delegation of password management to service firm technicians.

A good strategy would be to use automated tools to ensure that default passwords and easily-guessed passwords are not allowed, while requiring secure (i.e. HTTPS) network connections to ensure that passwords are not transmitted over the network in plain text.

An even better strategy would be to use an automated password management application to harden all connected IoT device logons. In this way, unique names and passwords can be assigned to each individual device, while also providing a single sign-on capability so that human users require just one set of logon credentials to access any device, which could be enabled as-needed for short periods of time and be cancelled when user authorization ends.

Firmware Vulnerabilities
Experts have predicted that by 2022, 70% of organizations that have not implemented a firmware upgrade process will be breached due to firmware vulnerabilities. Recent studies of ransomware distribution methods also implicated compromised firmware as a common infection vector.

It is critical for an effective network security program to incorporate sound firmware management. A strong program would include, for example, automation to track current device firmware versions with a cross-reference matrix documenting compatibility with each application that uses the devices. It would incorporate the ability to quickly update device firmware as new firmware versions are released, and it would maintain a log of when firmware updates were performed and by whom for verification of compliance to security policies and practices.

Digital Certificates
Public key encryption based on digital certificates is the strongest known form of encryption, and increasingly used in IoT systems. In a network-based IoT system, such as a security video surveillance system, digital certificates are used for:

  • Identification of each specific device
  • Authenticating that the device is not an impostor
  • Allowing the secure exchange of encryption keys

For a strong protection strategy, digital certificates should be set to expire at intervals that make sense based on their use. If a certificate has been compromised without discovery, expiration shortens the length of time that the compromise can be used to advantage by an attacker. Many organizations with strong security postures rotate their certificates frequently to minimize their risks – and again, automating certificate management is a protective strategy for the effective management of large scale intelligent device deployments with hundreds or thousands of devices.

Moving Forward
We encourage every business, and every security provider, to review their security stance and move forward to improve their processes to make use of available security and management automation. Automation can be used to efficiently and effectively manage firmware, certificates, and passwords at scale – these are the critical linkages between physical and cyber security that can either deny hackers access, or provide an easy entry point. Increasing your attention and proactive prevention efforts on these linkages will not only improve your safety and security, but also provide a path for easily showing that these devices are in compliance to cyber security protocols.

Featured

  • Just as Expected

    GSX produced a wonderful tradeshow earlier this week. Monday was surprisingly strong in the morning, and the afternoon wasn’t bad at all. That’s Monday’s results and asking attendees to travel on Sunday. Just a quick hint, no one wants to give up their weekend to travel and set up an exhibit booth. I’m just saying. Read Now

    • Industry Events
    • GSX
  • NOLA: The Crescent City

    Twenty years later we finds ourselves in New Orleans. Twenty years ago the aftermath of Hurricane Katrina forced exhibitors and attendees to look elsewhere for tradeshow floor space. Read Now

    • Industry Events
    • GSX
  • Nothing Artificial About this Intelligence

    I have been looking forward to this year’s GSX show in New Orleans, the Cresent City, or if you prefer The Big Easy. It seems like quite a while since we’ve been here. Twenty years ago, ASIS, as it was known then was literally washed out of the city by someone known as Katrina. It is a good thing to come back to NOLA. Read Now

  • From Monitors to Mission Control

    Security Operations Centers (SOC) were once defined by rows of static monitors, each displaying a single feed with operators quietly watching for issues. That model has become obsolete. Incidents evolve too quickly, data comes from multiple locations, and decisions must be made in seconds—not minutes. Read Now

  • New Gas Monkey Garage Venue Uses AI-Enhanced Video Technology

    Gas Monkey Garage, the automotive custom shop and entertainment brand founded by Richard Rawlings of Fast N’ Loud TV fame, has opened a vibrant new restaurant and bar in South Dakota, equipped with advanced, AI-enhanced video tech from IDIS Americas. Read Now

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.