How Cyber Secure Are Your Physical Security Devices

How Cyber Secure Are Your Physical Security Devices?

Protecting the network with your sensitive business data

Are your physical security devices attached to the same network as your sensitive business data? Then, you had better take as much care to cyber secure those devices as you do your wireless access points, printer connections, scanners and other traditional networkattached technology. Any network node left unprotected could become a potential threat to overall network security.

What you need to do to harden your network connections depends on your risk assessment. First identify what assets need protection. Then investigate what threats or vulnerabilities pose a risk to those assets. Once you have that information in hand you can decide whether those risks are worth mitigating. For organizations handling credit card payments and/or patient data, the physical security of stored data—whether in the cloud or an in-house data center—is mandated by law and the financial penalties for non-compliance are significant. For some business owners, the consequences of unauthorized system breaches might be minimal which would influence how much they spend on protection technology.

Sometimes, the solution is as simple as network segmentation either through physical wiring or a VLAN. Separating network resources that shouldn’t interact or have no need to interact with each other increases overall network protection levels and assists in optimizing resource management.

Breaches Aren’t Always the Result of a Frontal Attack

The convergence of so many new technologies on the same network infrastructure has placed an enormous burden on IT departments to pay particular attention to the cyber security of a plethora of non-traditional network-attached devices. Due diligence must be paid to the security configuration of these devices to eliminate exploitation—whether the devices are heating, ventilation and air conditioning (HVAC) controls and monitors; intelligent building automation devices such as smart thermostats, Smart Grid power monitoring and control devices; or networked surveillance cameras and IP-based access control systems.

One recent, highly publicized and massive retail customer data breach stemmed from the hijacked login credentials of a thirdparty HVAC service provider. Typically the HVAC services company would remotely log into the retail stores’ HVAC monitoring systems for maintenance. Cyber hackers followed the same protocol, logging into the system using the stolen services company’s login credentials to gain access to the network. From there they were able to tap into the retailer’s point of sale systems which resided on the same physical network infrastructure. As a result confidential customer data was compromised.

The moral of the story? Keep a close eye on all network connected systems. They could be your Achilles Heel when it comes to securing sensitive corporate and client data. Once you understand what impact a successful breach might have on your business—financial penalties, loss of company reputation and market share, or perhaps negligible repercussions—you can plan your security spending accordingly.

Strategies for Protecting Network Ports

With more companies migrating to IPbased video surveillance and access control systems, both IT and physical security departments need to educate themselves on best practices for protecting these potentially vulnerable network nodes. To help you decide which security mechanisms, policies and procedures to deploy let’s look at how a typical IP-based video system is configured.

Video cameras and access control devices attach over the network to a video and/or access control server. Or, the system can contain multiple servers for load sharing and redundancy. The video can be stored to a local hard drive, a networkattached storage device (NAS), or a server storage array located at a remote data center or in the cloud. The network can also contain video viewing clients that can access video directly from the cameras or through a VMS.

To cyber-harden these physical security component, you need to focus on three areas: user/administrator credential management, physical port security, and video and data flow protection.

User/Administrator credential management: Credential management can be as simple as making sure that default logins and passwords are changed from factory defaults. IT professionals already do this as a default installation and maintenance best practice for networking hardware and attached devices. You can add another layer of protection by creating separate user and administrative logins, passwords and privileges.

IT can install other credential security measures such as multi-factor authentication if the camera/access control manufacturer supports this feature. Many of the major VMS application platforms can help you automate the setup and maintain those attached device credentials.

Physical port security: There are a number of measures you can employ to prevent a device’s removal from the network and the attachment of a laptop or other device configured to spoof the MAC or IP address of the camera or access control pad in order to gain access to the network and network assets. Depending on the capabilities of your network hardware management software, this can be as simple as a port-based MAC address lockdown that requires manual provisioning when a port link is lost and then recovered. This does not address cable tapping, however. In that case more rigorous measures are needed such as onboard credential authentication.

When it comes to defending against network port hijacking, there are a number of network standard authentication measures you can deploy. It all depends on which ones are supported by the cameras and access control devices you’ve installed. For instance, many cameras support basic .X or RADIUS client for edge device authentication. Some camera manufactures support PKI or token-based resident certificate authentication.

The bottom line is that you should include port-based/edge-connection cyber security on all your network edge devices no matter what they are. And the cyber security of those devices should align with the high security standards your company already has in place to protect other devices and data residing on the network.

Video and data flow protection: Protecting the transmission of video or data focuses on preventing the wrong people from putting eyes on or having access to your organization’s video. You can just imagine how tactical it can be for “bad guys” to have visibility inside the walls of your business or what a PR or legal nightmare you’d have on your hands if certain sensitive video footage showed up on YouTube.

The goal is to protect the data flowing from end to end: from the camera or access control device through the network to the server and ultimately the storage device. To achieve that, your first step would be to define the protection scheme you want to deploy and then search out components that can readily integrate into that scheme. For instance, some video system manufacturers support a variety of encryption schemes from edge devices to servers. Other system components support encryption from the servers to the viewing client PCs, laptops and smartphones.

Network camera and access control system encryption generally adhere to IT methodologies standards such as .x, SSL/ TLS, HTTPS, and PKI certificates. There are also appliance-based heavier encryption methods available. But because video transmissions are extremely sensitive to transmission latency, anything short of zero latency encryption will likely disrupt recoding capabilities.

Before you make any decisions about encryption, research what your camera and VMS suppliers recommend. Then, to ensure compatibility across the board, surveillance and physical security decision makers should closely align themselves with IT to confirm that the hardware and software products they plan on deploying will meet IT standards for cyber security.

Know What Security Options are Out There

To keep abreast of what encryption and other physical security technologies are on the horizon and what are currently available on the market, you can surf online content from camera and server manufacturers, participate in physical security seminars and trade shows held in the US and around the world, as well as attend traditional IT tradeshows and events where a sizable number of physical security companies participate as well.

The point is to educate yourself and get involved in cyber-security issues early in the vendor selection process whether you own the solution or are supporting the solution on your company’s network infrastructure.

This article originally appeared in the May 2015 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3