In an increasingly digital world, it’s critical to have a security strategy to protect your systems against both physical and cyber threats. Cameras, door controllers and other physical security devices and systems are smarter and more interconnected than ever. To help you better understand the nuances and responsibilities involved in keeping your systems safe, we’ve prepared this list of 4 reasons why your cybersecurity and physical security should go hand-in-hand.
1. Physical security systems face cyber threats
A poorly secured camera, unencrypted communications between a server and client application, or out-of-date firmware can all be exploited by cybercriminals. The problem is obvious – the protection of security systems can’t only be physical. Cyber threats are pervasive as well.
In 2016 a major manufacturer of IP cameras, using the open source operating system Linux on its cameras, had over a million of its cameras hacked and used to carry out distributed denial of service (DDoS) attacks. In 2014 one of the largest manufacturers of video surveillance equipment globally had its digital video recorders (DVRs) hacked and used to mine bitcoin.
In August 2019 The Guardian reported that the fingerprints of over 1 million people, as well as facial recognition data, unencrypted usernames and passwords were discovered on a manufacturers publicly accessible database, used by customers including London’s Metropolitan Police force.
Because physical security devices, like cameras and card readers used for access control, and security management applications, like Video Management Systems (VMS) and IP Access Control Systems (which can be integrated with logical access systems like Active Directory), are on networks and connected with other business systems they’re a platform for cyber risk.
Although some physical security teams are working with their IT departments and security system integrators to prioritise cybersecurity, many organisations are still neglecting it.
2. Hackers are helped by poor employee cyber hygiene
Let’s qualify what we mean by this. Your employees are prime targets for cyber threats. Their passwords, email accounts and mobile apps are potential access points into your network. The strongest encryption can’t defend your system against weak or compromised passwords.
That’s why it’s important for management to set clear guidelines and implement proper processes, i.e. requiring staff to change – and not duplicate – passwords regularly, and put cyber security training programs in place. Employees need to be educated about IT best practices, and the potential social engineering techniques they face. For example, starting with simple tips on password creation, and ways to identify phishing emails from legitimate communications, will help mitigate cyber risks. Similarly, failing to install a security update by leaving it to the discretion of an employee is also a risk. Adopt the mindset that you’re constantly under threat and train your employees how to look out for suspicious actvity and how to react when a breach occurs. Cyber criminals don’t need to spend time cracking codes when poor employee cyber-hygiene makes it easy to take them.
3. Cyber breaches can affect physical security systems
Nowadays, most building services are connected and managed on a network. There’s a good chance that your heating, ventilation, and air conditioning (HVAC), elevator systems, lighting, perimeter access control, and communication systems are on network infrastructure. Unfortunately, this also means that your facilities’ physical security systems are reliant on the strength of your cyber defences.
Physical security solutions are an entry point that are being used to gain access to the networks of large and small enterprises. It might seem counterintuitive that physical security tools designed to keep people and assets safe can be the focus of a cyberattack but devices such as video surveillance cameras, access control readers, and alarms panels are IoT devices. These devices are simply small computers that run software and that may contain cybersecurity vulnerabilities that can be exploited by attackers as a beachhead for all kinds of malicious actions.
To counter the threat, physical security professionals must proactively partner with their counterparts in information security to better understand the true limits of the security perimeter and work to develop strong governance and processes to avoid or mitigate cyberattacks.
This requires solidifying a resilient cyber-physical security framework, to ensure only trusted devices are integrated in the network and subsequently configured, updated and managed throughout their operational life.
Professional system integrators understand this, and should work with you to plan against cyber attacks on your network dependent physical security infrastructure.
4. Hacker Exploits & Vulnerabilities
Beware – not all cameras are the same. A poorly secure camera or a camera running out-of-date firmware is an entry point for a cyber attack. The example of a camera is simple in its elegance, because cameras are so ubiquitous, and after all how could something so familiar to us be used to mount a cyber attack?
In the United States the federal government has banned the purchase of IP cameras from certain manufacturers for US government video surveillance systems, for US government-funded contracts and possibly for ‘critical infrastructure’ and ‘national security’ usage because of well known cybersecurity vulnerabilities. The risks are even greater because of an equipment manufacturing practice known as OEMing, which means that manufacturers offer their products to resellers who then reskin the cameras with their own branding. It’s been reported that the 2 companies who’ve been banned from selling to US government entities were also providing their products to at least another 80 other companies globally. So what’s the point of this example? It’s the easiest to understand example of why physical security devices and cybersecurity go hand-in-hand and how that relationship can go awry if not protected properly. A physical security device, a camera, needs to be cyber hardened to eliminate it being used against you.
Ask your security system integrator questions about the cybersecurity of the cameras that they’re offering you. What’s their approach to cyber hardening? What are your responsibilities when physical security devices are put on the network? With greater connectivity of systems over the Internet, a vulnerable camera can become a gateway to your organization’s data and sensitive information.
Cybersecurity and physical security are closely related, and the protection of your security systems is enhanced through the use of successive layers of physical and logical security. Businesses’ reliance on IT to power commerce and the requirement to have this infrastructure physically protected means we stand to lose a lot more than email access in the event of an attack.
JD Security excels at providing world-class service to Australian organisations in our modern world. We make it a point to stay agile, and maintain a constant awareness of the changing physical security security landscape. The result is a guarantee of expert security that covers all your bases.
Contact us today to learn more about how we can work with your organisation to adapt to the changing times, or to inquire about our various services — tech-related or otherwise.
Call us on (02) 6372 9047 or email firstname.lastname@example.org to learn more.