Reducing the Risk

Strengthening physical security systems again cyberattacks in the public sector

• By Justin Himelberger
• May 31, 2022

Recent statistics highlight the rise of cyberattacks in the public sector. In its latest Internet Crime Report, the FBI stated that they received nearly 2,500 ransomware complaints in 2020. And, the Identity Theft Resource Center reports that, as of September 2021, the year-to-date total number of data compromises related to cyberattacks was already 27% higher than for all of 2020. For the public sector, cybersecurity has become a top priority.

IT teams at all levels of government are understandably concerned about how vulnerable their networks are to these disruptive and costly cyberattacks. But government organizations aren’t the only targets. The K-12 Cybersecurity Resource Center 2020 Year in Review Report found that K-12 schools experienced more than 400 cyber incidents in 2020, up 18% from the previous year.

For organizations in the public sector—including governments and schools—the question is how to reduce the risk of cyberattacks. The first step in addressing the situation is determining how cybercriminals are gaining access.

Understanding Network Vulnerabilities
There are several ways that cybercriminals can gain access to an organization’s network. An employee can click on a link in a phishing email. A default application password can remain unchanged. Or a network-connected device can be inadequately protected.

It is important to remember that these devices include elements in a physical security system. Cameras as well as door controllers and their monitoring systems can all pose cybersecurity risks.

Unfortunately, the risks associated with under-protected network devices has increased during the COVID-19 pandemic. As millions of people began working from home, organizations faced new challenges around protecting their spaces.

According to Morgan Wright, a Center for Digital Government (CDG) Senior Fellow, “When fewer people are working in buildings, organizations need more technology to maintain physical protection.”

Many organizations deployed additional cameras and other technology to keep an eye on their environments and assets and also implemented measures to protect the devices themselves. But, while their goal was greater security, their focus was frequently limited.

“When it comes to protecting physical security devices, too often the worry is about damage or theft, not that they can be used as an entry point from ransomware,” Wright said.

Organizations in the public sector need to think about how they deploy physical protection technologies so they can better control access to sensitive and restricted areas and, at the same time, increase the cybersecurity of their networks. They need to look at deploying new technologies, establishing new staff roles, and implementing new practices that will strengthen both physical and cybersecurity.

The Risks Associated with Security Devices
Physical security devices are purpose-built to help keep people, assets and environments safe. In the face of rising cybercrime, organizations have to expand their view of security. Most cyberattacks are not intended to compromise physical safety. Instead, they target applications, files and data managed by IT departments. An attack that originates in a camera can find its way through an organization’s network to block access to critical applications, lock and hold files for ransom, or steal personal data from employees, students, program clients, and residents.

One major challenge is that many public sector organizations continue to use older model cameras and door controllers. With their limited security capabilities, these devices, especially cameras, can present significant risk. Organizations in the public sector tend to replace these devices only when absolutely necessary or when their capital costs can be fully amortized. These are not effective strategies.

“Today’s hackers know that certain security devices are easy to take over and use as an entry point to a connected network,” Wright said. “This means that security cameras and access control systems need to be considered critical network devices. They need to receive a high level of protection and monitoring for both operations and cybersecurity.”

The good news is that the public sector is beginning to realize how internet-connected security cameras and door controllers can give hackers easy access to their networks. At the same time, IT departments are becoming increasingly aware of the risks that inadequately protected devices can pose when connected to their networks. The problem is that historically, IT has had limited visibility and control over an organization’s security devices.

Unifying Physical and Cybersecurity
Currently, many organizations in the public sector approach physical security and IT as separate. But the growing cyber risks that physical security technologies can present mean that this needs to change.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) recommends joining IT and physical security into a single, integrated team. As a single team, they can better focus on developing a comprehensive security program that is based on a common understanding of risk, responsibilities, strategies, and practices. Wright agrees with this recommendation, saying “Physical security needs to be integrated into the network security team and not viewed as an ancillary function.”

According to CISA, there are several benefits to this approach. First, it would provide a more holistic view of security threats across the organization, which can lead to improved information sharing and threat response preparation. In addition, by implementing unified policies and shared practices, organizations would be able to achieve greater flexibility and resilience.

Starting with what is Already in Place
The first step towards better protecting a physical security system against cyberattacks is conducting a current posture assessment, which will help identify specific devices of concern. The assessment process allows an integrated IT and physical security team to focus on:

• Creating an up-to-date inventory of all network-connected cameras, door controllers, and associated management systems performing a thorough vulnerability assessment of all connected physical security devices to identify models and manufacturers of concern
• Consolidating and maintaining detailed information about each physical security device, including connectivity, firmware version, and configuration
• Improving network design as needed to segment older devices and reduce potential for crossover attack
• Identifying all users who have knowledge of physical security devices and systems and then documenting that knowledge for broader use and retention.

Once the assessment is complete, the team can then move to reviewing the necessary changes that need to be made.

The Next Phase in Protecting Network Security
After assessing an organization’s current physical security, the team should produce a review of required improvements for individual devices as well as the entire system. These improvements can include ensuring that all network-connected devices are managed by IT network and security monitoring tools as well as implementing end-to-end encryption that protects video streams and data in transit and in storage.

Organizations can also think about strengthening protection measures by improving existing configurations and management practices for physical security devices. This could require using secure protocols for connecting devices to the network, disabling access methods that don’t support a high level of security protection, verifying configurations of security features and alerts, and replacing defaults with new passwords that must be changed on a regular and verified schedule.

Another option for protecting network security is to enhance access defenses with a layered strategy that includes multifactor access authentication and defined user authorizations. Organizations can also improve update management by defining who is responsible for tracking updates availability, and for vetting, deploying and documenting updates on all eligible systems and devices.

Developing a Replacement Strategy
Ultimately, this review can help determine which devices and systems should be replaced because they present a high cyber risk. When it comes to developing replacement programs, organizations in the public sector need to prioritize strategies that support modernization for both physical and cybersecurity. One effective approach is to unify physical and cybersecurity devices and software on a single, open architecture platform with centralized management tools and views.

Replacement programs can also focus on cybersecurity features, including data encryption and anonymization that are built into a device’s firmware and management software. Another important consideration is looking at a vendor’s capabilities to support a solution lifecycle of up to 10 years, including ongoing availability of updates for firmware and management system software.

In the United States, federal funding may be available to help cover some of the costs associated with replacement programs. The 2021 Investment and Jobs Act includes $1billion in funds, managed by the Department of Homeland Security, designed to help state and local governments modernize their cybersecurity.

With the number of cyberattacks increasing around the world, it is becoming clear that the public sector needs to implement effective cybersecurity improvements to their IT networks. An important step towards reducing the cybersecurity risks associated with physical security devices is to integrate physical security and IT and develop a coordinated strategy for hardening systems.