Anyone paying attention to the security industry of the past decade can tell you that the way we implement and carry out our tactical security programs is very different today than it used to be.
Technology has brought massive changes into the physical security space, with smart cameras replacing eyeballs for surveillance, our cell phones and Bluetooth readers replacing office keys to access protected space, remote monitoring and deployed response drones replacing patrol officers, and smart buildings locking and unlocking themselves based on schedules controlled by the building computer systems.
All of this advancement has certainly made physically securing our assets much more distributed and often more convenient as we can manage these systems from anywhere at any time and remove the human bottlenecks that used to occur. But this shift has opened up a whole new world of risk considerations for those of us responsible for our organizations’ physical security—that is, the cybersecurity risk that all of our IoT/OT/IIoT systems are now exposed to.
1) What Is the IoT, IIoT, OT?
The security industry experienced a first wave of conversion to digital systems in the early 2000s, when analog devices such as access control panels and cameras started being encoded and placed on IP networks, which eventually led to devices becoming inherently IP-based (networked).
Today, operational, facilities, engineering, and, yes, security devices are increasingly becoming “smart”—including artificial decision-making support, alerting and automation of responses, and the collection and storage of terabytes of related data. The security industry is experiencing a second phase of industrial modernization often referred to as the Internet of Things (IoT)—or the Industrial Internet of Things (IIoT)—with operational technology (OT) now just as clearly at risk of cybersecurity incidents as IT has been for decades.
2) What Does This Have to Do With My Physical Security Systems?
This increase in connectedness of cyber-physical systems has also created a much greater attack surface for bad actors and increased risk to the organization. Bad actors now have two methods for breaking through a door. They can literally walk up to the door and break into it the old-fashioned way, or they can attack it through the access control software to open it electronically.
Connected cyber/physical assets are often targeted and exploited, resulting not only in compromises to your physical security (your door is now open) but also in the compromise of other systems, because cybercriminals can “jump” from system to system on the network once they have access to an entry point.
The lack of attention given to endpoint security for OT such as physical security, HVAC, and lighting systems has created a greenfield of vulnerabilities for many organizations. We, as physical security professionals, must understand this, be vigilant about what security devices we attach to our networks, and ensure that proper cybersecurity risk mitigation steps are taken.
3) So What Do I Do About It?
Luckily, cybersecurity professionals have been ensuring the security of networks, hardware, and software for a long time now, and often we can simply use the basic tenets of good network security and software vulnerability management to ensure that we protect our security systems as strongly as other systems.
Some aspects of vulnerability management are the domain of network administrators and other IT experts. Partnering with those experts in your environment to ensure they understand how your systems need to be protected is a good first step.
But there are other things that you, as the business owner or operator of the physical security systems, can do as well. Here are some tips from the Security Industry Association (SIA) Cybersecurity Advisory Board.
Practice Good Password Hygiene
- Always change default passwords.
- Never reuse passwords.
- Use strong and complex passwords or passphrases (use a password manager to keep up with these “hard to remember” passwords—never write them down).
- Use multifactor authentication as much as possible (e.g., you get a text code to enter each time you log in to a system or use an authentication tool such as Google Authenticator or Duo).
- Deactivate user credentials on the system as soon as the user no longer needs them.
Patch Quickly and Often
Keep up to date on all the latest communications from your vendors regarding patches, and make sure your IT team knows about them and can implement patches and fixes as quickly as possible.
Have an Incident Response Plan
Knowing an attack is happening is only useful if your team knows what to do about it. Make sure you and your team have procedures in place to respond to and recover from any cybersecurity problems that come up.
Those are just three quick tips that you can adopt immediately to improve the cybersecurity of your physical security systems. The SIA Cybersecurity Advisory Board publishes articles, blogs, and tip sheets for physical/cyber converged security topics on a regular basis. Visit the advisory board’s webpage today for more.
Chuck Davis is Founder of Caveat Labs, Antoinette King is Founder of Credo Cyber Consulting, and Rachelle Loyear is Vice President of Innovation and Integrated Solutions at G4S.