Physical security systems at risk of cyber attack

Genetec Australia Pty Ltd

By George Moawad, ANZ Country Manager, Genetec
Thursday, 17 March, 2022

Nearly every day brings the news of another data breach or ransomware incident in the public sector. Large or small, any government organisation, school district or higher education institution is vulnerable to a disruptive and costly cyber attack. How are these attackers gaining entry? Did an employee click on a link in a phishing email? Or was it through a forgotten, network-connected security camera in the parking lot?

Today it’s essential to recognise the cybersecurity risks that can exist in physical security devices such as cameras, door controllers and their monitoring systems.

An overlooked avenue for cyber attack

A lingering but erroneous view is that only limited threats can be made through a physical security device. For example, recognised threats often include the ability to remotely stop the video feed from a camera, open or lock a door, or disrupt critical building systems. Certainly, concern about the risks to people’s physical safety raised by these threats will increase interest in using technology to block them.

Yet most cyber attacks are not intended to compromise the physical safety of people or property. Instead, these attacks target applications, files and data managed by IT. An attack that originates in a camera can find its way through the network to block access to critical applications; lock and hold files for ransom; and steal personal data of employees, students, program clients and residents.

In 2021, security researchers discovered that a Mirai-based botnet, called Moobot, uses a technique to infect video surveillance devices made by the Chinese manufacturer Hikvision, which are embedded in many OEM solutions. This technique injects malicious code into the device, then checks the network to find additional devices to infect. Although a software patch is available to close this risk, IT teams may not know which installed cameras should receive it.

Cybersecurity risks in physical security systems

Many public sector facilities continue to use older models of security cameras and door controllers, replacing them only when necessary or when their capital cost has been fully amortised.

However, older devices, especially cameras, often present a significant cyber risk because of their limited security capabilities. Today, hackers know that certain cameras are easy to take over and use as an entry point to the connected network.

Several factors make cameras easy to breach, including: an outdated network design; inadequate maintenance; a knowledge gap; and vulnerable devices.

Joining physical security and cybersecurity

In many organisations, a long-held perspective is that IT and physical security are separate realms, and their work and concerns do not intersect. However, this perspective needs to change in light of the growing cyber risk that physical security technologies can present.

An integrated security team can produce an effective review of needed cybersecurity improvements across physical security devices and systems. This review should include several key areas of focus:

  • Improve security monitoring. Ensure all network-connected physical security devices are monitored and managed by the IT tools for network and security management. Also check for features in the video management system (VMS) and access control system (ACS) that provide alerts or data for use by IT’s network and security monitoring tools.
  • Strengthen protection measures. Look for ways to improve existing configurations and management practices for physical security devices.
  • Implement encryption. End-to-end encryption offers the most security to protect video streams and data as they travel from the physical security device to a management system for viewing.
  • Enhance access defences. Strengthen the security of user and device access with a multilayer strategy that includes multifactor access authentication and defined user authorisations.
  • Improve update management. One management function that can be overlooked when teams are separate is installation of software updates and patches. When the teams are joined, define who has responsibility for maintaining awareness of when updates are available.

Planning a replacement program

After an assessment of current physical security elements, it may be clear that some devices — and perhaps the VMS or ACS — present a high cyber risk and should be replaced. Replacement priorities can also be determined by location, use case, device type or age.

When ready to issue an RFP, consider incorporating requirements that will support modernisation for both physical security and cybersecurity. These include: unification of cybersecurity and physical security devices and software on a single platform, cybersecurity features such as data encryption, compliance with security standards, and vendor capabilities to support a solution lifecycle of up to 10 years.

By understanding that physical and cyber domains are closely tied, governments can implement the new technologies, new staff roles and new practices that will strengthen security overall.


  • All content Copyright © 2022 Westwick-Farrow Pty Ltd