The cybersecurity of physical security
April 2018, This Week's Editor's Pick, Cyber Security
By now we all know of the dangers of cyber-attacks being launched through security devices that have been installed without the proper planning and cybersecurity precautions. The Mirai botnet attack was only one example of how hundreds of surveillance products (DVRs and cameras) could be used as part of a botnet to launch global distributed denial of service (DDOS) attacks on premium Internet properties.
Being aware of the dangers is one thing, but actually knowing what you need to look out for and do to secure your surveillance infrastructure, is quite another. And securing it is a must. Roger Truebody has often demonstrated to clients the simplicity with which a surveillance (or security) infrastructure can be hacked if not protected.
The issue is not about losing control of your cameras or losing video footage, although that is a serious consequence in high-security installations, even if the organisation has set up a separate network for surveillance there will almost always be a connection between the corporate and security infrastructure. The security breach will allow the hackers to worm their way into any part of the network and inflict damage or steal sensitive information or money.
Any weak link in the security infrastructure will be enough to allow them a foot in the door, and that is all they require. This is not a risk exclusive to security products, however, any IP-based device in the industrial control field can be the weak link that provides access to those with bad intentions.
The answer, Truebody says, is start your planning like you would in any other risk management scenario with good governance and making sure you have a clear view of what you want to accomplish. Your people, processes and technology (PPT) is the starting point.
Starting with an assessment
When starting with a risk assessment, you need to determine and illustrate all the risks you may face and the impact they could have on the physical security infrastructure as well as further into the organisation. As an example, Truebody says that hacking the cameras watching the platform at a train station may not be the highest security risk, but hacking the cameras of a cash centre would carry a significant risk.
“The impact of the risk drives the controls, reactions and budget assigned to mitigation,” he says. The awareness of what could happen and what mitigation processes are required are even more important as selecting the right technology for the job. Although, organisations need to be sure the technology they specify can meet their requirements effectively, across the board and in whatever situation risks manifest in.
Whether they run proof of concepts, shoot-outs or investigate other organisations that have made use of the same solutions, buying technology is not a matter of getting the best deal, but of getting the technology you know, will do the job. And he is referring to all technology, not only surveillance and security-related systems, but also the IT infrastructure, which includes your switches, servers, storage, and so on.
Truebody is also in favour of much more collaboration between the owners of the IT network and the physical security or camera network. Currently, the camera network in an enterprise is probably covered by the IT security policy – one hopes. However, this is where the collaboration normally ends and if the camera network is breached, the physical security guys will probably not know about it. More importantly, the IT network is now also at risk of attack from a supposedly trusted source.
Organisations therefore need to set accountability rules for both networks, setting clear rules of who is accountable for what, and how the networks are planned, implemented and managed. This also applies to organisations that keep both networks independent of each other; all hackers need is one weak point.
The people aspect must also be considered. You need to understand people and their motivations in order to get your employees on board the cyber defence wagon. As it become more difficult to break into systems, the insider is becoming a more valuable target for criminals. Employees need to understand about not clicking on random files they receive and how irresponsible online practices can be turned against them and their organisations. More companies are training employees to recognise this, but also adding punitive measures to their contracts if they do not apply their learning.
Then there is also the insider threat of employees who are working for syndicates, either willingly or unwillingly, and the damage they can cause. Visibility and accountability is key here. By this, Truebody means the network must be set up in such a manner that everybody knows that what they do on the network is recorded. Everyone has the freedom to do what they are
authorised to do, but they need to know that if something untoward happens they will be identified and be held accountable.
In areas of higher risk, employee screening should also be done pre- and potentially post-employment. The nature of the risk will determine the level of screening that is required.
In addition to the above, Truebody is also a believer in ‘basic cyber hygiene’ as the foundation to ensuring your physical security infrastructure is as secure as it can be. Some of the issues to consider are:
• Aligning the security policies with your IT department’s security policies. Make use of IT’s experience in this regard and collaborate with them.
• Make sure you use strong passwords. Length of passwords is important, it takes only 15 minutes to crack a 4-character password.
• Keep your asset register up to date. Know what you have and when it was last patched.
• Keep access to the physical security network controlled. For example, nobody should be able to use an unauthorised USB device anywhere on the network.
• Ongoing maintenance is critical. This does not refer to software patches only, but actual physical maintenance that has someone looking at everything from the cameras to the access control readers to the network cables and switches etc.
• If you use remote monitoring, either an in-house service or from a third-party, conduct penetration testing from time to time to determine where the weak links are. Security is an end-to-end function; one weakness anywhere on the network is all the criminal needs.
In today’s digital world, it seems unlikely that any system will be 100% secure. However, by addressing the cyber risks from a PPT approach allows organisations to have a level of assurance that they have covered their bases and done what they can to secure their systems. Truebody concludes: “Make sure the fence is properly built before you start looking for holes.”