The cybersecurity of physical security

April 2018 Editor's Choice, Cyber Security

By now we all know of the dangers of cyber-attacks being launched through security devices that have been installed without proper planning and cybersecurity precautions. The Mirai botnet attack was only one example of how hundreds of surveillance products (DVRs and cameras) could be used as part of a botnet to launch global distributed denial of service (DDoS) attacks on premium Internet properties.

Roger Truebody.

Being aware of the dangers is one thing, but actually knowing what you need to look out for and do to secure your surveillance infrastructure is quite another. And securing it is a must. Roger Truebody has often demonstrated to clients the simplicity with which a surveillance (or security) infrastructure can be hacked if not protected.

The issue is not about losing control of your cameras or losing video footage, although that is a serious consequence in high-security installations. Even if the organisation has set up a separate network for surveillance, there will almost always be a connection between the corporate and security infrastructure. The security breach will allow the hackers to worm their way into any part of the network and inflict damage or steal sensitive information or money.

Any weak link in the security infrastructure will be enough to allow them a foot in the door, and that is all they require. This is not a risk exclusive to security products, however; any IP-based device in the industrial control field can be the weak link that provides access to those with bad intentions.

The answer, Truebody says, is to start your planning as you would in any other risk management scenario, with good governance and a clear view of what you want to accomplish. Your people, processes and technology (PPT) are the starting point.

Starting with an assessment

When starting with a risk assessment, you need to determine and illustrate all the risks you may face and the impact they could have on the physical security infrastructure as well as further into the organisation. As an example, Truebody says that hacking the cameras watching the platform at a train station may not be the highest security risk, but hacking the cameras of a cash centre would carry a significant risk.

“The impact of the risk drives the controls, reactions and budget assigned to mitigation,” he says. The awareness of what could happen and what mitigation processes are required is even more important than selecting the right technology for the job. Even so, organisations need to be sure the technology they specify can meet their requirements effectively, across the board and in whatever situation risks manifest.

Whether they run proofs of concept, shoot-outs or investigate other organisations that have made use of the same solutions, buying technology is not a matter of getting the best deal, but of getting the technology you know will do the job. And he is referring to all technology, not only surveillance and security-related systems, but also the IT infrastructure, which includes your switches, servers, storage, and so on.

Truebody is also in favour of much more collaboration between the owners of the IT network and the physical security or camera network. Currently, the camera network in an enterprise is probably covered by the IT security policy – one hopes. However, this is where the collaboration normally ends and if the camera network is breached, the physical security guys will probably not know about it. More importantly, the IT network is now also at risk of attack from a supposedly trusted source.

Organisations therefore need to set accountability rules for both networks, setting clear rules of who is accountable for what, and how the networks are planned, implemented and managed. This also applies to organisations that keep both networks independent of each other; all hackers need is one weak point.

The people aspect must also be considered. You need to understand people and their motivations in order to get your employees on board the cyber defence wagon. As it becomes more difficult to break into systems, the insider is becoming a more valuable target for criminals. Employees need to understand that they should not click on random files they receive, and how irresponsible online practices can be turned against them and their organisations. More companies are training employees to recognise this, but also adding punitive measures to their contracts if they do not apply their learning.

Then there is also the insider threat of employees who are working for syndicates, either willingly or unwillingly, and the damage they can cause. Visibility and accountability are key here. By this, Truebody means the network must be set up in such a manner that everybody knows that what they do on the network is recorded. Everyone has the freedom to do what they are authorised to do, but they need to know that if something untoward happens they will be identified and be held accountable.

In areas of higher risk, employee screening should also be done pre- and potentially post-employment. The nature of the risk will determine the level of screening that is required.

Basic procedures

In addition to the above, Truebody is also a believer in ‘basic cyber hygiene’ as the foundation for ensuring your physical security infrastructure is as secure as it can be. Some of the issues to consider are:

• Align your security policies with your IT department’s security policies. Make use of IT’s experience in this regard and collaborate with them.

• Make sure you use strong passwords. Length of passwords is important; it takes only 15 minutes to crack a 4-character password.

• Keep your asset register up to date. Know what you have and when it was last patched.

• Keep access to the physical security network controlled. For example, nobody should be able to use an unauthorised USB device anywhere on the network.

• Ongoing maintenance is critical. This does not refer to software patches only, but also to actual physical maintenance, with someone looking at everything from the cameras to the access control readers to the network cables and switches.

• If you use remote monitoring, whether as an in-house service or from a third party, conduct penetration testing from time to time to determine where the weak links are. Security is an end-to-end function; one weakness anywhere on the network is all the criminal needs.

In today’s digital world, it seems unlikely that any system will be 100% secure. However, addressing the cyber risks from a PPT approach allows organisations to have a level of assurance that they have covered their bases and done what they can to secure their systems. Truebody concludes: “Make sure the fence is properly built before you start looking for holes.”
