Focus on Physical and Cyber Linkages

Focus on Physical and Cyber Linkages

All the discussions in recent years about the “convergence” of physical and cyber security have fallen short in one crucial area. The arguments about how best to organize the departments, set the budgets, and who should report to whom have not succeeded in making organizations more secure. Network penetrations are still happening, doors are still being propped open, and ransomware attacks are still succeeding.

As recently as December 2020, the federal government confirmed perhaps the largest and most damaging cybersecurity breach in history, and the most sobering thing about that breach is that we still do not know the intentions of the attackers. Instead of organizational debates, leadership at every organization should be squarely focused on preventing security breaches of all kinds, and engaging the entire team with processes and actions to work toward that result.

Physical Security Vulnerabilities Are Cyber Vulnerabilities
We now know that physical security devices – including not only cameras but also every networked device that is part of these systems – is a potential entry point for cyber attackers and breaches. Physical security devices are themselves IoT devices (Internet of Things) and designed to access networks. But while most IT departments have specific processes for protecting networked PCs and similar organizational devices, the same is often not the case for physical security IoT equipment.

For example, unlike with traditional computers or mobile devices, there are no built-in mechanisms to address new vulnerabilities that are discovered after physical security devices are placed in service. Often the devices are installed with out-of-date firmware that is vulnerable to known attack methods. This is one reason why physical security systems are the #2 most successful attack surface used by cyber criminals to breach an organization.

Even worse, the problem is quickly becoming bigger – the number of connected devices that could compromise network security is increasing at a phenomenal rate. The consensus of a number of market analysts is that the number of network-connected devices will exceed 25 billion within the coming year – and that more than half of those devices will be unmanaged and/or IoT devices. Examples of the devices in this category include not only security cameras, but also VoIP terminals, printers, point-of-sale terminals, medical devices, and many more. These devices will greatly outnumber the traditional enterprise devices such as PCs and servers, as well as managed BYOD devices such as tablets, smartphones, and laptops.

Protecting Physical Security and IoT Devices
Taking action to protect these devices from unauthorized access also helps to protect your entire network. Protecting an IoT device involves reducing the device’s attack surface by eliminating or hardening points of attack, especially for these three areas of vulnerability:

  • Logon credentials
  • Firmware vulnerabilities
  • Digital certificates used for device ID and data encryption

Let’s look at proactive strategies for each of these areas.

Logon Credentials
Logon credentials, such as for security video cameras, are especially vulnerable in high device count deployments because it is hard to conform to good password practices using a manual management process. Typical risky practices include the use of default, repeated, or shared passwords across groups of devices, and delegation of password management to service firm technicians.

A good strategy would be to use automated tools to ensure that default passwords and easily-guessed passwords are not allowed, while requiring secure (i.e. HTTPS) network connections to ensure that passwords are not transmitted over the network in plain text.

An even better strategy would be to use an automated password management application to harden all connected IoT device logons. In this way, unique names and passwords can be assigned to each individual device, while also providing a single sign-on capability so that human users require just one set of logon credentials to access any device, which could be enabled as-needed for short periods of time and be cancelled when user authorization ends.

Firmware Vulnerabilities
Experts have predicted that by 2022, 70% of organizations that have not implemented a firmware upgrade process will be breached due to firmware vulnerabilities. Recent studies of ransomware distribution methods also implicated compromised firmware as a common infection vector.

It is critical for an effective network security program to incorporate sound firmware management. A strong program would include, for example, automation to track current device firmware versions with a cross-reference matrix documenting compatibility with each application that uses the devices. It would incorporate the ability to quickly update device firmware as new firmware versions are released, and it would maintain a log of when firmware updates were performed and by whom for verification of compliance to security policies and practices.

Digital Certificates
Public key encryption based on digital certificates is the strongest known form of encryption, and increasingly used in IoT systems. In a network-based IoT system, such as a security video surveillance system, digital certificates are used for:

  • Identification of each specific device
  • Authenticating that the device is not an impostor
  • Allowing the secure exchange of encryption keys

For a strong protection strategy, digital certificates should be set to expire at intervals that make sense based on their use. If a certificate has been compromised without discovery, expiration shortens the length of time that the compromise can be used to advantage by an attacker. Many organizations with strong security postures rotate their certificates frequently to minimize their risks – and again, automating certificate management is a protective strategy for the effective management of large scale intelligent device deployments with hundreds or thousands of devices.

Moving Forward
We encourage every business, and every security provider, to review their security stance and move forward to improve their processes to make use of available security and management automation. Automation can be used to efficiently and effectively manage firmware, certificates, and passwords at scale – these are the critical linkages between physical and cyber security that can either deny hackers access, or provide an easy entry point. Increasing your attention and proactive prevention efforts on these linkages will not only improve your safety and security, but also provide a path for easily showing that these devices are in compliance to cyber security protocols.


  • ISC West Is Two Months Away

    ISC West Is Two Months Away

    The annual “vacation” to Las Vegas is less than two months away. I anticipate it will be an amazing show, and furthermore, I expect the show hall to be teeming with interested security professionals. Read Now

    • Industry Events
  • Security Today Launches 2023 Government Security Awards

    Security Today Launches 2023 Government Security Awards

    Security Today is proud to announce the launch of the 2023 Government Security Awards. The Govies honor outstanding government security products in a variety of categories. For this year’s awards program, participants can choose from 38 different categories to enter their product(s) into. Read Now

  • Back to the Basics

    Back to the Basics

    Security is a continuous evolution of practices and procedures. The developments in technology and advancements in threats make security difficult at times. Although security from one location may look different from another location, there is a common goal applied to security measures. The common goal is protection. Read Now

  • The Top Three Security Trends in 2023

    The Top Three Security Trends in 2023

    As security technology has become more widely used, the interest in new capabilities and increased security measures has increased. As we head into 2023, these three trends will shape the security landscape. Read Now

Featured Cybersecurity

New Products

  • Pivot3 Surety

    Pivot3 Surety

    Pivot3 has announced Surety, a new intelligent software framework to simplify the management and monitoring of physical security environments. 3

  • ALTO Neoxx Electronic Padlock

    ALTO Neoxx Electronic Padlock

    Built to withstand all access control needs, the tough new SALTO Neoxx electronic padlock takes security beyond your expectations. 3

  • SAFR® from RealNetworks

    SAFR® from RealNetworks

    A unique feature in SAFR version 3.4 is its ability to automate alerts to security personnel when a spoofing attempt or a fraudulent attempt to gain access is detected. 3