A Cultural Blending
How to protect physical security and cybersecurity
- By Lance Holloway
- Jan 01, 2018
The concept of “securing security” emerged when physical
security was being affected by cybersecurity attacks.
In today’s physical security landscape these new threats
have been introduced and reinvent the traditional security
battle lines. While life safety, executive protection,
asset protection and compliance are but a few of the traditional focuses
of physical security, cybersecurity has emerged, often right behind
the physical security team’s field of view. Understanding cyberattack
methodology combined with the risk-based security model
allows for a successful strategy to address vulnerabilities within IPbased
physical security ecosystems – preparing your organization for
battle in the digital age.
By examining a few front-page cyberattacks, general insight about
methodologies used to gain malicious access to IP-enabled security
equipment – whether for denial of services or surreptitious intelligence
gathering – can be gained. Additionally, spelling out the immediate
concentric circles that many companies define as their security
battle lines allows for applying not just the right technologies to cover
the gaps, but the essential disciplines required to shore up a healthy,
layered security approach to ensure information security, life safety
and shareholder trust.
In October of 2016, the Marai attack on the internet infrastructure
launched the largest Distributed Denial of Service (DDoS) impact
ever documented in human history. The tragedy is that most of
the Linux bot devices used in the attack were actual security cameras
and network video recorders. The Marai malware infects a device and
immediately begins scanning for any Internet of Things (IoT) devices
that may have default passwords and settings still in place. Subsequently,
infected devices were then commandeered as “bots” — or
soldiers in the attack against internet commerce.
The resulting torrent of internet garbage directed at the target
was in excess of 600 GBps, bringing down sites such as Netflix and
Twitter in the process. Service assurance products now exist that deliberately
monitor IoT devices on a customer network, providing proactive
reports and alerts regarding deficient passwords, out-of-date
firmware and quality-of-video storage to ensure use when needed.
Credential and Patch Management
In December 2015, a large-scale cyberattack was launched on the
Ukrainian power grid. What is termed as an “attack in depth” began
with spear phishing — an artful message (typically email) directed at
a specific individual with contextually relevant information, action
items and an infected attachment or deceptive URL to click.
Once the attachment or URL is opened, malicious code is introduced
to the network to begin the process of gaining illicit access. It
is believed that over a period of six months, the hackers were able to capture network credentials and own the
bios level of the power command center
software servers, the battery backup devices
(after all, the power was about to be cut), the
phone system (hit by DDOS at the same moment)
and other attack vectors. The result
was a loss of power to a quarter-million people
for approximately six hours. Aggressive
awareness campaigns around the nature of
cyberattacks can greatly mitigate such intrusions.
Coupled with strategic network design
and privilege management, these layers and
awareness should now be commonplace.
In 2010, the Stuxnet worm was discovered
and eventually tagged as the key element in
frustrating uranium production in the Iranian
centrifuges at Natanz. The delivery vehicle
is of particular interest here. Contractors
entering and exiting the facility each day
were one point of infection. A laptop being
brought onto the premise and connecting to
the production network availed the requisite
access for the worm to hit pay dirt. The malware
then provided the means to find exact
manufacturer products and adjust the settings
necessary to spoil batches of uranium
— delaying the enrichment process considerably
and invisibly for a period of time.
There is a direct parallel between this
incident and numerous U.S.-based high security
locations. These concerns can be addressed
with a high degree of success with
what Microsoft terms “Privileged Access
Workstations” (PAW). The end user issues a
whitelisted, pre-configured laptop or device
to the contractor for the work to be performed
on-site. This laptop undergoes the
governance scrutiny that the IT department
dictates and the contractor has the tools required,
all made available at low risk.
This specific vulnerability also threatens
air-gapped networks. An air-gapped strategy
calls for the literal separation of two networks
to completely avoid the possibility of
a hacker spanning their invasive reach from
the security equipment to the corporate production
network. Separate topologies do reduce
the attack surface exposure, but, most
importantly, they provide damage control
measures for the IT department: if the separate
physical security network is compromised
it is quarantined and does not impact
the production business environment.
The next challenge is stronger, however.
Leaving security equipment out on its own
infrastructure without aggressive oversight
fosters a vulnerability breeding ground. The
answer is to craft a hybrid cybersecurity solution
that bridges and thoroughly interfaces
physical security assets with the already
existing risk management and cybersecurity
campaigns. Service Assurance Engines, IoT
Monitoring and Physical Identity Access Management (PIAM) platforms open the
door to a fully bi-directional physical security
and IT governance program.
Privileged Access Devices
and IoT Governance
Moving beyond fundamental cybersecurity
provisions, identity access management is
a hidden mountain of opportunity for securing
a company’s physical security enterprise.
Showcased in recent Hollywood
productions is the now famous “Snowden”
incident primarily involving the component
of “Insider Threat.”
Through social engineering and other
means, Edward Snowden obtained and
abused the network privileges of up to six
of his colleagues prior to releasing sensitive
information outside the agency. Banks,
healthcare and other businesses have equally
suffered this sort of blow to their public
trust due to confidential information being
exported by a trusted administrator. A
question arises: is the network login identity
being abused by the person it was assigned
to or was it hijacked by a third party? The
matter of the network login accessing assets
and data to which it was assigned privileges
is at stake.
Administrative and delegated permissions
must exist for a company to function.
However, best practices around identity access
management must be leveraged in order
to tighten the usage of precious network
permissions. Elastic rights provisioning,
abnormal or harmful behavior monitoring
and iterative privilege audits need to be automated.
This is done by implementing the
correct technology solutions and crafting a
policy and procedure culture around managing
these permissions across the enterprise.
Critical infrastructure and financial and
aviation facilities have been forced to the
forefront of this accountability framework.
Contractors should not have privileges for
longer than their work order/task requires
and those privileges should be revoked immediately
and automatically upon completion.
Next, sudden departures from normal
behavior for security card or network access
should be flagged immediately to raise
awareness. An employee may have administrative
permission to go into the data center
but has never before had a need to enter at
2 a.m. and access the customer account file.
This insight is achieved through today’s
proliferate machine learning and data mining
engines. This fully convergent data sharing
should also bear the minimum fruit of
allowing security (physical and IT) a transparent
view across the enterprise to drive
internal controls, policy enforcement and
awareness of possible misuse of corporate
trust and assets.
Physical Identity and
“Securing security” has been a battle cry for
a small band of forward-thinking manufacturers
within the physical security market.
Advanced IP architecture products
have often been shut down at the proposal
stage during meetings with IT staff who are
scouring what is and is not allowed on their
corporate network. Progressive security
integrators have found the need to recruit
cybersecurity-minded talent to accelerate
alignment to today’s requirements and available
technology. By taking the “fight” to the
cybersecurity arena, these progressive integrators
and manufacturers can support not
only IT and cybersecurity departments but
compliance, risk management and other internal
Additionally, several organizations’ CIO
and CSOs have begun to advocate crossteam
hiring between IT and physical security.
An IT liaison is embedded within physical
security and trained on the equipment, and
a physical security team member is similarly
attached to IT. This cultural blending has
proven to shorten project design and deployment
time-frames and has shown a tremendous
return on investment for service and
When considering physical security today,
organizations need to take a clear inventory
of their respective teams’ technology
strengths and supplement accordingly.
Humbly navigating the daunting board room
meetings where cybersecurity subject matter
experts may have had a negative experience
with physical security is the next step. Most
often, there is widespread relief to find that
the integrator and manufacturers have not
just an awareness of cybersecurity but an urgent
business posture to collaborate for the
greater good. Victory comes when IT is allied
to assist in protecting physical security.
This article originally appeared in the January 2018 issue of Security Today.