How to Prevent Your Physical Security System from Becoming Your Biggest Cybersecurity Threat

One of the fastest growing threats to organizations is being breached through cyber vulnerabilities in their IoT devices, specifically physical security systems. The number of attacks reach a record of over 3 billion in 2022, and 2023 is likely to be bigger still. Threat actors see physical security devices (like an IP camera) not based on what they do, but what they can do if exploited, since many IoT devices are complex, with the compute, storage and networking capabilities for malicious hackers to leverage.

Physical security systems don’t live in isolation. If you have heard about DDoS attacks (distributed denial of service attacks) you may be aware that they are increasing in both volume and velocity. Many DDoS attacks come from bots (or malware) placed on network-connected physical security devices, quietly lying in wait to be activated to launch attacks.

Their continued (and expanded) presence is a sign that the basic security needed to prevent the malware from being placed on the device is simply not there.

Ready to improve your organization’s cybersecurity around physical security? Here a few concepts that are useful in developing strategy and tactics:

  • Think of it as a “Security Journey” rather than arriving at a destination. Like most journeys there are stages you go through; reading an article like this shows you at least are aware of the problem and want to do something about it. Deploying an agentless asset discovery solution, followed by an automated agentless remediation solution suggests you are further along. Needing automated documentation to for audit and compliance purposes shows even further progress.
  • Also keep in mind that threat vectors and types of attacks may vary; what matters most is resilience and ability to stem damages and recover operations. Preventing all threats from ever occurring should not be the focus; having an active program that can adjust to changes is.
  • Going it alone is not effective; cybersecurity is a team sport, and there are partners both inside and outside your organization that need to be actively involved.

With these factors in mind, here are 10 steps you should be taking on your security journey specific to physical security:

  1. Avoid agent-based solutions; they are a dead end. Many cybersecurity solutions were designed for IT environments that use Windows or Linux by putting agents (software code) directly onto the IT device. In the physical security world, there are many different forms of operating systems, making the use of agents highly limited. In addition, the scale of physical security devices is often 10x that of IT, so you should never sign up for the overhead of putting and managing agents onto devices. Only use solutions that are agentless and don’t require putting software onto cameras or access control systems.
  2. Know what you have gotten by using an agentless asset discovery solution: the starting point for securing your systems is having a complete inventory. There are several agentless asset discovery solutions that can provide you with both asset inventory and which devices are vulnerable and in need of remediation.
  3. Think of your networks as layers of defense. Having a network dedicated to your physical security devices has always been a best practice, but there is more you can do. Using network access control allows you to block devices from network communication, a good initial strategy to limit a threat from progressing through your network.
  4. Mitigation is good in short term but needs to be followed by remediation in the form of firmware updating (or patching). When you mitigate threats by stopping network traffic you are also stopping the function of the devices (capturing video evidence or granting access).
  5. Focus on both remediation and repatriation. With IoT systems like physical security you remediate a vulnerability in a device but that needs to be followed by repatriation, where for audit and compliance purposes you need to show that the devices are functioning back in its overall workflow.
  6. Lifecycle management includes cyber hygiene. Just like regular maintenance and decommissioning devices that have reached their end of life, maintaining device firmware, passwords, and certificates should be thought of as part of overall lifecycle management.
  7. Key functions (firmware, passwords, certificates) must be automated because of both the scale and physical placement of video and access control devices. Studies performed on large fleets of devices (8,000+) has shown that there is an 80% or more reduction in both people and budget needed to perform required cyber hygiene functions.
  8. Use automation to enforce and audit corporate policies. Like the point above, the sheer scale of devices and applications requires automated methods of alerting and reporting to be able to manage the overall process. Especially if your organization holds a cyber insurance policy having a push-button mechanism to deliver detailed information about your cyber hygiene can make the difference in the insurer being willing to underwrite the risk or process claims.
  9. Work across organizational boundaries, especially procurement. The data held by physical security teams is an asset in working with other parts of the organization to appropriately set budgets, allocate headcount, and be able to plan and negotiate upcoming purchases. For example, providing your procurement team with a schedule of what devices are going end of life can help them negotiate and purchase systems more efficiently and with the proper cyber security as it is deployed.
  10. Managed services more than ever offer organizations flexibility to address cybersecurity issues without having to add permanent headcount and to be faster in reducing the attack surface from physical security. Not only are there highly skilled service providers who can extend your workforce, but they are likely to help expose your team to what the latest and most efficient and cost-effective methods for maintaining your cyber hygiene.

In summary, there is an imperative for physical security teams to improve their cyber hygiene. By focusing on the best practices listed here organizations will not only shrink their attack surface from physical security but also gain valuable operation data, reporting capabilities, and closer ties to other parts of the organization. The result is a physical security organization that is increasing its organizational value in numerous ways while making the organization safer and more resilient.

About the Author

Bud Broomhead is the CEO of Viakoo.

Featured

  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • Today's Enterprise

    Protecting servers and data has evolved rapidly over the past 15-plus years. Early on, concerns centered around the environmental conditions of where servers were housed within a building and the effects of humidity, temperature and air quality on their performance. This led to a better understanding of the need for a controlled environment to maximize equipment lifespan and capacity. It was also a driving force behind consolidating servers in a common space, i.e., the data center. Read Now

  • Study Proves It: Security Awareness Training Reduces Phishing Attacks

    Attackers are increasingly targeting human-based vulnerabilities to infiltrate organizations. Humans have direct access to insider systems and data – any threat actor can easily phish users, steal their credentials and secure keys to the kingdom without having to fight advanced cybersecurity defenses. Studies show social engineering attacks and human errors are behind 68% of all breaches.  Read Now

  • Security Questions Persist After Attempted Assassination Attempt of Donald Trump

Featured Cybersecurity

Webinars

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3