How to Prevent Your Physical Security System from Becoming Your Biggest Cybersecurity Threat

One of the fastest growing threats to organizations is being breached through cyber vulnerabilities in their IoT devices, specifically physical security systems. The number of attacks reach a record of over 3 billion in 2022, and 2023 is likely to be bigger still. Threat actors see physical security devices (like an IP camera) not based on what they do, but what they can do if exploited, since many IoT devices are complex, with the compute, storage and networking capabilities for malicious hackers to leverage.

Physical security systems don’t live in isolation. If you have heard about DDoS attacks (distributed denial of service attacks) you may be aware that they are increasing in both volume and velocity. Many DDoS attacks come from bots (or malware) placed on network-connected physical security devices, quietly lying in wait to be activated to launch attacks.

Their continued (and expanded) presence is a sign that the basic security needed to prevent the malware from being placed on the device is simply not there.

Ready to improve your organization’s cybersecurity around physical security? Here a few concepts that are useful in developing strategy and tactics:

  • Think of it as a “Security Journey” rather than arriving at a destination. Like most journeys there are stages you go through; reading an article like this shows you at least are aware of the problem and want to do something about it. Deploying an agentless asset discovery solution, followed by an automated agentless remediation solution suggests you are further along. Needing automated documentation to for audit and compliance purposes shows even further progress.
  • Also keep in mind that threat vectors and types of attacks may vary; what matters most is resilience and ability to stem damages and recover operations. Preventing all threats from ever occurring should not be the focus; having an active program that can adjust to changes is.
  • Going it alone is not effective; cybersecurity is a team sport, and there are partners both inside and outside your organization that need to be actively involved.

With these factors in mind, here are 10 steps you should be taking on your security journey specific to physical security:

  1. Avoid agent-based solutions; they are a dead end. Many cybersecurity solutions were designed for IT environments that use Windows or Linux by putting agents (software code) directly onto the IT device. In the physical security world, there are many different forms of operating systems, making the use of agents highly limited. In addition, the scale of physical security devices is often 10x that of IT, so you should never sign up for the overhead of putting and managing agents onto devices. Only use solutions that are agentless and don’t require putting software onto cameras or access control systems.
  2. Know what you have gotten by using an agentless asset discovery solution: the starting point for securing your systems is having a complete inventory. There are several agentless asset discovery solutions that can provide you with both asset inventory and which devices are vulnerable and in need of remediation.
  3. Think of your networks as layers of defense. Having a network dedicated to your physical security devices has always been a best practice, but there is more you can do. Using network access control allows you to block devices from network communication, a good initial strategy to limit a threat from progressing through your network.
  4. Mitigation is good in short term but needs to be followed by remediation in the form of firmware updating (or patching). When you mitigate threats by stopping network traffic you are also stopping the function of the devices (capturing video evidence or granting access).
  5. Focus on both remediation and repatriation. With IoT systems like physical security you remediate a vulnerability in a device but that needs to be followed by repatriation, where for audit and compliance purposes you need to show that the devices are functioning back in its overall workflow.
  6. Lifecycle management includes cyber hygiene. Just like regular maintenance and decommissioning devices that have reached their end of life, maintaining device firmware, passwords, and certificates should be thought of as part of overall lifecycle management.
  7. Key functions (firmware, passwords, certificates) must be automated because of both the scale and physical placement of video and access control devices. Studies performed on large fleets of devices (8,000+) has shown that there is an 80% or more reduction in both people and budget needed to perform required cyber hygiene functions.
  8. Use automation to enforce and audit corporate policies. Like the point above, the sheer scale of devices and applications requires automated methods of alerting and reporting to be able to manage the overall process. Especially if your organization holds a cyber insurance policy having a push-button mechanism to deliver detailed information about your cyber hygiene can make the difference in the insurer being willing to underwrite the risk or process claims.
  9. Work across organizational boundaries, especially procurement. The data held by physical security teams is an asset in working with other parts of the organization to appropriately set budgets, allocate headcount, and be able to plan and negotiate upcoming purchases. For example, providing your procurement team with a schedule of what devices are going end of life can help them negotiate and purchase systems more efficiently and with the proper cyber security as it is deployed.
  10. Managed services more than ever offer organizations flexibility to address cybersecurity issues without having to add permanent headcount and to be faster in reducing the attack surface from physical security. Not only are there highly skilled service providers who can extend your workforce, but they are likely to help expose your team to what the latest and most efficient and cost-effective methods for maintaining your cyber hygiene.

In summary, there is an imperative for physical security teams to improve their cyber hygiene. By focusing on the best practices listed here organizations will not only shrink their attack surface from physical security but also gain valuable operation data, reporting capabilities, and closer ties to other parts of the organization. The result is a physical security organization that is increasing its organizational value in numerous ways while making the organization safer and more resilient.

About the Author

Bud Broomhead is the CEO of Viakoo.

Featured

Featured Cybersecurity

Webinars

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3