A Cultural Blending

How to protect physical security and cybersecurity

The concept of “securing security” emerged when physical security was being affected by cybersecurity attacks. In today’s physical security landscape these new threats have redrawn the traditional security battle lines. While life safety, executive protection, asset protection and compliance are but a few of the traditional focuses of physical security, cybersecurity has emerged as a concern, often just outside the physical security team’s field of view. Understanding cyberattack methodology, combined with the risk-based security model, allows for a successful strategy to address vulnerabilities within IP-based physical security ecosystems – preparing your organization for battle in the digital age.

By examining a few front-page cyberattacks, general insight about methodologies used to gain malicious access to IP-enabled security equipment – whether for denial of services or surreptitious intelligence gathering – can be gained. Additionally, spelling out the immediate concentric circles that many companies define as their security battle lines allows for applying not just the right technologies to cover the gaps, but the essential disciplines required to shore up a healthy, layered security approach to ensure information security, life safety and shareholder trust.

In October of 2016, the Mirai attack on the internet infrastructure launched the largest Distributed Denial of Service (DDoS) impact ever documented. The tragedy is that most of the Linux bot devices used in the attack were actual security cameras and network video recorders. The Mirai malware infects a device and immediately begins scanning for any Internet of Things (IoT) devices that may still have default passwords and settings in place. Infected devices were then commandeered as “bots” — or soldiers in the attack against internet commerce.

The resulting torrent of internet garbage directed at the target was in excess of 600 GBps, bringing down sites such as Netflix and Twitter in the process. Service assurance products now exist that deliberately monitor IoT devices on a customer network, providing proactive reports and alerts regarding deficient passwords, out-of-date firmware and quality-of-video storage to ensure use when needed.
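The kind of check a service assurance product performs can be illustrated with a small inventory audit. This is an added example, not code from the article or from any vendor product: the device records, the factory credential pairs and the firmware baselines are all constructed sample data, and the model names are hypothetical.

```python
"""Added example (not from the article or any vendor): a small device-hygiene
audit of the kind the "service assurance" products described above perform.
All device records, default-credential pairs and firmware baselines are
constructed sample data."""
from dataclasses import dataclass

# Constructed: factory credential pairs for the hypothetical models below.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "")}

# Constructed: current firmware per model, as a vendor advisory would list it.
LATEST_FIRMWARE = {"CamCo-X1": "2.4.1", "NVR-Pro-8": "5.0.3"}

MIN_PASSWORD_LENGTH = 12


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    username: str
    password: str
    internet_exposed: bool = False


@dataclass
class Finding:
    device: str
    severity: str  # critical / high / medium / low
    issue: str


def version_tuple(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(d):
    findings = []
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        # A default login on an internet-facing device is exactly what Mirai scanned for.
        severity = "critical" if d.internet_exposed else "high"
        findings.append(Finding(d.name, severity, "factory default credentials in use"))
    elif len(d.password) < MIN_PASSWORD_LENGTH:
        findings.append(Finding(d.name, "medium",
                                f"password shorter than {MIN_PASSWORD_LENGTH} characters"))
    latest = LATEST_FIRMWARE.get(d.model)
    if latest is None:
        findings.append(Finding(d.name, "low", f"no firmware baseline for model {d.model}"))
    elif version_tuple(d.firmware) < version_tuple(latest):
        findings.append(Finding(d.name, "high", f"firmware {d.firmware} behind current {latest}"))
    if d.internet_exposed:
        findings.append(Finding(d.name, "high", "management interface reachable from the internet"))
    return findings


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit_inventory(devices):
    """Audit every device and return findings, most severe first."""
    report = []
    for d in devices:
        report.extend(audit_device(d))
    report.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.device))
    return report


# Constructed inventory: four devices with deliberately mixed hygiene.
SAMPLE_INVENTORY = [
    Device("lobby-cam", "CamCo-X1", "2.4.1", "admin", "admin", internet_exposed=True),
    Device("dock-cam", "CamCo-X1", "2.3.0", "admin", "Dock-Cam-Jan-2018"),
    Device("nvr-01", "NVR-Pro-8", "5.0.3", "admin", "Welcome1"),
    Device("parking-cam", "OldCam-Z", "1.0", "root", "root"),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.device}: {f.issue}")
```

The point of ranking by severity is that a default login on a device reachable from the internet is the exact condition the botnet exploited, so it sorts above a stale firmware version on an internal-only camera; in a real deployment the inventory would be pulled from the network rather than hard-coded.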

Credential and Patch Management

In December 2015, a large-scale cyberattack was launched on the Ukrainian power grid. What is termed as an “attack in depth” began with spear phishing — an artful message (typically email) directed at a specific individual with contextually relevant information, action items and an infected attachment or deceptive URL to click.

Once the attachment or URL is opened, malicious code is introduced to the network to begin the process of gaining illicit access. It is believed that over a period of six months, the hackers were able to capture network credentials and take control of the BIOS level of the power command center software servers, the battery backup devices (after all, the power was about to be cut), the phone system (hit by DDoS at the same moment) and other attack vectors. The result was a loss of power to a quarter-million people for approximately six hours. Aggressive awareness campaigns around the nature of cyberattacks can greatly mitigate such intrusions. Coupled with strategic network design and privilege management, these layers and this awareness should now be commonplace.

Employee Training

In 2010, the Stuxnet worm was discovered and eventually tagged as the key element in frustrating uranium production in the Iranian centrifuges at Natanz. The delivery vehicle is of particular interest here. Contractors entering and exiting the facility each day were one point of infection. A laptop brought onto the premises and connected to the production network provided the requisite access for the worm to hit pay dirt. The malware then provided the means to find exact manufacturer products and adjust the settings necessary to spoil batches of uranium — delaying the enrichment process considerably and invisibly for a period of time.

There is a direct parallel between this incident and numerous U.S.-based high-security locations. These concerns can be addressed with a high degree of success with what Microsoft terms “Privileged Access Workstations” (PAW). The end-user organization issues a whitelisted, pre-configured laptop or device to the contractor for the work to be performed on-site. This laptop undergoes the governance scrutiny that the IT department dictates, and the contractor has the tools required, all made available at low risk.

This specific vulnerability also threatens air-gapped networks. An air-gapped strategy calls for the literal separation of two networks to completely avoid the possibility of a hacker spanning their invasive reach from the security equipment to the corporate production network. Separate topologies do reduce the attack surface exposure, but, most importantly, they provide damage control measures for the IT department: if the separate physical security network is compromised it is quarantined and does not impact the production business environment.

The next challenge is stronger, however. Leaving security equipment out on its own infrastructure without aggressive oversight fosters a vulnerability breeding ground. The answer is to craft a hybrid cybersecurity solution that bridges and thoroughly interfaces physical security assets with the already existing risk management and cybersecurity campaigns. Service Assurance Engines, IoT Monitoring and Physical Identity Access Management (PIAM) platforms open the door to a fully bi-directional physical security and IT governance program.

Privileged Access Devices and IoT Governance

Moving beyond fundamental cybersecurity provisions, identity access management is a hidden mountain of opportunity for securing a company’s physical security enterprise. Showcased in recent Hollywood productions is the now famous “Snowden” incident primarily involving the component of “Insider Threat.”

Through social engineering and other means, Edward Snowden obtained and abused the network privileges of up to six of his colleagues prior to releasing sensitive information outside the agency. Banks, healthcare and other businesses have equally suffered this sort of blow to their public trust due to confidential information being exported by a trusted administrator. A question arises: is the network login identity being abused by the person it was assigned to or was it hijacked by a third party? The matter of the network login accessing assets and data to which it was assigned privileges is at stake.

Administrative and delegated permissions must exist for a company to function. However, best practices around identity access management must be leveraged in order to tighten the usage of precious network permissions. Elastic rights provisioning, abnormal or harmful behavior monitoring and iterative privilege audits need to be automated. This is done by implementing the correct technology solutions and crafting a policy and procedure culture around managing these permissions across the enterprise.

Critical infrastructure and financial and aviation facilities have been forced to the forefront of this accountability framework. Contractors should not hold privileges for longer than their work order or task requires, and those privileges should be revoked immediately and automatically upon completion. Next, sudden departures from normal behavior for security card or network access should be flagged immediately to raise awareness. An employee may have administrative permission to go into the data center but may never before have had a need to enter at 2 a.m. and access the customer account file.

This insight is achieved through today’s proliferating machine learning and data mining engines. This fully convergent data sharing should also bear the minimum fruit of allowing security (physical and IT) a transparent view across the enterprise to drive internal controls, policy enforcement and awareness of possible misuse of corporate trust and assets.
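The two controls the preceding paragraphs call for, contractor rights that live and die with the work order and a flag on badge activity that departs from a person’s own history, can be sketched in a few dozen lines. This is an added example, not code from the article or from any PIAM platform: the people, areas, work orders and badge events are constructed sample data, and the per-hour baseline is a deliberately simple stand-in for the machine learning engines the text mentions.

```python
"""Added example (not from the article or any PIAM vendor): work-order-bound
contractor access plus a simple badge-event anomaly check. All people, areas,
work orders and badge events are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class WorkOrder:
    contractor: str
    areas: frozenset
    start: datetime
    end: datetime
    completed: bool = False


@dataclass
class BadgeEvent:
    person: str
    area: str
    at: datetime


def active_privileges(work_orders, now):
    """Map area -> contractors holding access at `now`. Rights exist only while a
    work order is open and within its window, so closing or expiring an order
    revokes them with no manual deprovisioning step."""
    grants = defaultdict(set)
    for wo in work_orders:
        if wo.completed or not (wo.start <= now <= wo.end):
            continue
        for area in wo.areas:
            grants[area].add(wo.contractor)
    return grants


def build_baseline(history):
    """Per person, the (area, hour-of-day) pairs seen in past badge events."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev.person].add((ev.area, ev.at.hour))
    return baseline


def flag_anomalies(baseline, events, authorized):
    """Flag entries with no current authorization, entries to an area the person
    has never used, and entries at an hour never seen for that person and area
    (the 2 a.m. data-center visit from the text)."""
    flags = []
    for ev in events:
        if ev.area not in authorized.get(ev.person, set()):
            flags.append((ev, "no current authorization for area"))
            continue
        seen = baseline.get(ev.person, set())
        if (ev.area, ev.at.hour) in seen:
            continue
        if any(area == ev.area for area, _ in seen):
            flags.append((ev, "entry at unusual hour"))
        else:
            flags.append((ev, "first entry to area"))
    return flags


def review_day(work_orders, employee_grants, history, events, now):
    """Merge standing employee grants with live contractor grants, then run the check."""
    authorized = {person: set(areas) for person, areas in employee_grants.items()}
    for area, people in active_privileges(work_orders, now).items():
        for person in people:
            authorized.setdefault(person, set()).add(area)
    return flag_anomalies(build_baseline(history), events, authorized)


# Constructed sample data.
NOW = datetime(2018, 1, 15, 12, 0)
EMPLOYEE_GRANTS = {"alice": {"data-center", "lobby"}, "bob": {"network-closet", "lobby"}}
WORK_ORDERS = [
    # carol's order was closed early; her closet access ended with it even though the window is still open.
    WorkOrder("carol", frozenset({"network-closet"}), datetime(2018, 1, 12, 8), datetime(2018, 1, 16, 17), completed=True),
    WorkOrder("dave", frozenset({"roof"}), datetime(2018, 1, 15, 8), datetime(2018, 1, 16, 17)),
]
HISTORY = [
    BadgeEvent("alice", "data-center", datetime(2018, 1, 8, 9, 5)),
    BadgeEvent("alice", "data-center", datetime(2018, 1, 9, 14, 30)),
    BadgeEvent("alice", "data-center", datetime(2018, 1, 10, 10, 0)),
    BadgeEvent("bob", "network-closet", datetime(2018, 1, 10, 11, 15)),
]
TODAY = [
    BadgeEvent("alice", "data-center", datetime(2018, 1, 15, 2, 3)),      # unusual hour
    BadgeEvent("alice", "data-center", datetime(2018, 1, 15, 10, 12)),    # routine
    BadgeEvent("carol", "network-closet", datetime(2018, 1, 15, 13, 0)),  # order closed
    BadgeEvent("dave", "roof", datetime(2018, 1, 15, 13, 30)),            # authorized, first visit
    BadgeEvent("bob", "lobby", datetime(2018, 1, 15, 11, 40)),            # authorized, never used before
]


def review_sample_day():
    return review_day(WORK_ORDERS, EMPLOYEE_GRANTS, HISTORY, TODAY, NOW)


if __name__ == "__main__":
    for ev, reason in review_sample_day():
        print(f"{ev.at:%Y-%m-%d %H:%M} {ev.person:6} {ev.area:15} {reason}")
```

Two design choices matter here. Contractor rights are computed from the work orders on every check rather than stored on the badge, so revocation is a side effect of closing the order and cannot be forgotten. And an entry that is fully authorized can still be flagged, which is the whole point of the 2 a.m. example: authorization answers “may this person enter”, the baseline answers “is this normal for them”.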

Physical Identity and Access Management

“Securing security” has been a battle cry for a small band of forward-thinking manufacturers within the physical security market. Advanced IP architecture products have often been shut down at the proposal stage during meetings with IT staff who are scouring what is and is not allowed on their corporate network. Progressive security integrators have found the need to recruit cybersecurity-minded talent to accelerate alignment to today’s requirements and available technology. By taking the “fight” to the cybersecurity arena, these progressive integrators and manufacturers can support not only IT and cybersecurity departments but compliance, risk management and other internal stakeholders.

Additionally, several organizations’ CIOs and CSOs have begun to advocate cross-team hiring between IT and physical security. An IT liaison is embedded within physical security and trained on the equipment, and a physical security team member is similarly attached to IT. This cultural blending has proven to shorten project design and deployment time-frames and has shown a tremendous return on investment for service and maintenance initiatives.

When considering physical security today, organizations need to take a clear inventory of their respective teams’ technology strengths and supplement accordingly. Humbly navigating the daunting board room meetings where cybersecurity subject matter experts may have had a negative experience with physical security is the next step. Most often, there is widespread relief to find that the integrator and manufacturers have not just an awareness of cybersecurity but an urgent business posture to collaborate for the greater good. Victory comes when IT is allied to assist in protecting physical security.

This article originally appeared in the January 2018 issue of Security Today.
