How to Prevent Your Physical Security System from Becoming Your Biggest Cybersecurity Threat

• By Bud Broomhead
• Aug 03, 2023

One of the fastest growing threats to organizations is being breached through cyber vulnerabilities in their IoT devices, specifically physical security systems. The number of attacks reach a record of over 3 billion in 2022, and 2023 is likely to be bigger still. Threat actors see physical security devices (like an IP camera) not based on what they do, but what they can do if exploited, since many IoT devices are complex, with the compute, storage and networking capabilities for malicious hackers to leverage.

Physical security systems don’t live in isolation. If you have heard about DDoS attacks (distributed denial of service attacks) you may be aware that they are increasing in both volume and velocity. Many DDoS attacks come from bots (or malware) placed on network-connected physical security devices, quietly lying in wait to be activated to launch attacks.

Their continued (and expanded) presence is a sign that the basic security needed to prevent the malware from being placed on the device is simply not there.

Ready to improve your organization’s cybersecurity around physical security? Here a few concepts that are useful in developing strategy and tactics:

• Think of it as a “Security Journey” rather than arriving at a destination. Like most journeys there are stages you go through; reading an article like this shows you at least are aware of the problem and want to do something about it. Deploying an agentless asset discovery solution, followed by an automated agentless remediation solution suggests you are further along. Needing automated documentation to for audit and compliance purposes shows even further progress.
• Also keep in mind that threat vectors and types of attacks may vary; what matters most is resilience and ability to stem damages and recover operations. Preventing all threats from ever occurring should not be the focus; having an active program that can adjust to changes is.
• Going it alone is not effective; cybersecurity is a team sport, and there are partners both inside and outside your organization that need to be actively involved.

With these factors in mind, here are 10 steps you should be taking on your security journey specific to physical security:

1. Avoid agent-based solutions; they are a dead end. Many cybersecurity solutions were designed for IT environments that use Windows or Linux by putting agents (software code) directly onto the IT device. In the physical security world, there are many different forms of operating systems, making the use of agents highly limited. In addition, the scale of physical security devices is often 10x that of IT, so you should never sign up for the overhead of putting and managing agents onto devices. Only use solutions that are agentless and don’t require putting software onto cameras or access control systems.
2. Know what you have gotten by using an agentless asset discovery solution: the starting point for securing your systems is having a complete inventory. There are several agentless asset discovery solutions that can provide you with both asset inventory and which devices are vulnerable and in need of remediation.
3. Think of your networks as layers of defense. Having a network dedicated to your physical security devices has always been a best practice, but there is more you can do. Using network access control allows you to block devices from network communication, a good initial strategy to limit a threat from progressing through your network.
4. Mitigation is good in short term but needs to be followed by remediation in the form of firmware updating (or patching). When you mitigate threats by stopping network traffic you are also stopping the function of the devices (capturing video evidence or granting access).
5. Focus on both remediation and repatriation. With IoT systems like physical security you remediate a vulnerability in a device but that needs to be followed by repatriation, where for audit and compliance purposes you need to show that the devices are functioning back in its overall workflow.
6. Lifecycle management includes cyber hygiene. Just like regular maintenance and decommissioning devices that have reached their end of life, maintaining device firmware, passwords, and certificates should be thought of as part of overall lifecycle management.
7. Key functions (firmware, passwords, certificates) must be automated because of both the scale and physical placement of video and access control devices. Studies performed on large fleets of devices (8,000+) has shown that there is an 80% or more reduction in both people and budget needed to perform required cyber hygiene functions.
8. Use automation to enforce and audit corporate policies. Like the point above, the sheer scale of devices and applications requires automated methods of alerting and reporting to be able to manage the overall process. Especially if your organization holds a cyber insurance policy having a push-button mechanism to deliver detailed information about your cyber hygiene can make the difference in the insurer being willing to underwrite the risk or process claims.
9. Work across organizational boundaries, especially procurement. The data held by physical security teams is an asset in working with other parts of the organization to appropriately set budgets, allocate headcount, and be able to plan and negotiate upcoming purchases. For example, providing your procurement team with a schedule of what devices are going end of life can help them negotiate and purchase systems more efficiently and with the proper cyber security as it is deployed.
10. Managed services more than ever offer organizations flexibility to address cybersecurity issues without having to add permanent headcount and to be faster in reducing the attack surface from physical security. Not only are there highly skilled service providers who can extend your workforce, but they are likely to help expose your team to what the latest and most efficient and cost-effective methods for maintaining your cyber hygiene.

In summary, there is an imperative for physical security teams to improve their cyber hygiene. By focusing on the best practices listed here organizations will not only shrink their attack surface from physical security but also gain valuable operation data, reporting capabilities, and closer ties to other parts of the organization. The result is a physical security organization that is increasing its organizational value in numerous ways while making the organization safer and more resilient.