How to minimize cyberthreats in IP-based physical security systems

Companies have gradually started to change the architecture of their solutions in order to avoid cyberthreats. One approach is to change the security solution architecture in a way that will minimize the number of potential breach points.

In access control systems, the distributed control panels are the main vulnerability. “For example, if you have 160 doors with PoE, these are 160 points of potential breach,” explained Scott Sieracki, CEO of Viscount Systems. In addition, since each panel manufacturer uses proprietary technology, the IT department’s conventional IT protection systems can’t deal with it. “We changed our architecture in 2011 to eliminate the risk factor of proprietary control panels sitting outside the system. What we have done is to reduce cyber vulnerabilities by eliminating the access control panel. Instead we have an encryption board that encrypts the data from the door and sends it over to the access control software. This software can be ‘hardened’ and combined with the other enterprise resources to protect against cyber breaches,” added Sieracki.

Video surveillance as a service and cloud technology offer similar benefits. “In our cloud-based system the video feed is sent to the cloud directly from the camera using tunneling, so there are no open ports that can be a potential breach. On top of that there is no point of failure such as an NVR or DVR,” explained Cohen-Martin.

Dean Drako, CEO and President of Eagle Eye Networks, pointed to other benefits of cloud systems.

“Cloud-based physical security systems in particular are built for maximum cybersecurity. Using a surveillance system from a cloud vendor, end users can take advantage of the economies of scale that the cloud vendor’s dedicated security team can offer.”


Drako further explained, “Because cloud data centers are a shared resource across multiple companies, the cloud vendor has the infrastructure to apply a higher level of dedicated cybersecurity resources in a continuous manner. This includes features such as data encryption, active monitoring for cyberthreats, detecting network anomalies which might indicate an attack, and faster response times in case something goes wrong. The team can immediately update the cloud-managed physical system with the appropriate security patches. Further, cloud-managed video surveillance systems, even on premise ones, effectively act as a ‘firewall’ to the cameras — with no open ports, and no on-site operating system to be hacked into.”

Limited suitable solutions
With so much hype regarding cybersecurity and the rich scene of cyber startups popping up around the world, it is surprising that physical security systems have limited choices of available solutions.

Theoretically, the same solutions that exist for the regular IT infrastructure can be adapted for use with physical security systems. However, these IT solutions are expensive and not necessarily tailored to the bespoke networks of security systems.

“A more grave concern is that they require a high degree of expertise and are too complicated to operate by the physical security team. That is why the most common approach is to just ignore the issue,” said Hagai Katz, Senior VP of Business Development and Marketing at Magal Security Systems. “In other cases end users might add basic technology (e.g., firewall) to their deployment but with no holistic view of cyberthreats or just prefer analog technology (e.g., analog cameras) altogether since they have no suitable solution for protection.”

Magal is one of the few companies offering a dedicated cyber solution for the physical security vertical. Magal offers an industrial Ethernet switch, specifically designed for physical security networks, SCADA-based systems, and safe city applications with embedded cybersecurity capabilities. The switch acts like a flow guardian and can detect abnormal or irregular behavior in the physical security system. Unlike IT networks, which are extremely dynamic, security networks are far more static and their information flows are much more routine (e.g., camera 1 streams information from point A to node B and to server C). This enables the switch to detect deviations from the baseline which might indicate someone is trying to tap into the system. Examples include a new network element being connected or an existing one being disconnected, changes in MAC address or IP address, changes in data flow or data direction, and abnormal bandwidth or PoE consumption.
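The kind of baseline-deviation check described above, as an added example that is not Magal's implementation or part of the original article. The switch ports, addresses, thresholds and alert names are constructed assumptions, and flows are modeled as (initiator, responder) pairs.

```python
# Added example: baseline-deviation checks for a static security network.
# Every port, address, threshold and alert name here is constructed.
BASELINE = {  # switch port -> endpoint expected on that port
    1: {"mac": "00:11:22:33:44:01", "ip": "10.0.0.11", "max_kbps": 4000, "max_poe_mw": 6500},
    2: {"mac": "00:11:22:33:44:02", "ip": "10.0.0.12", "max_kbps": 4000, "max_poe_mw": 6500},
    8: {"mac": "00:11:22:33:44:50", "ip": "10.0.0.50", "max_kbps": 20000, "max_poe_mw": 0},
}
# Permitted (initiator, responder) pairs: cameras stream to the server only.
ALLOWED_FLOWS = {("10.0.0.11", "10.0.0.50"), ("10.0.0.12", "10.0.0.50")}


def check_snapshot(ports, flows):
    """Compare one observed snapshot with the baseline; return a list of alerts."""
    alerts = []
    for port, exp in BASELINE.items():
        seen = ports.get(port)
        if seen is None:
            alerts.append((port, "device_disconnected"))
            continue
        if seen["mac"].lower() != exp["mac"]:
            alerts.append((port, "mac_changed"))
        if seen["ip"] != exp["ip"]:
            alerts.append((port, "ip_changed"))
        if seen["kbps"] > exp["max_kbps"]:
            alerts.append((port, "bandwidth_abnormal"))
        if seen["poe_mw"] > exp["max_poe_mw"]:
            alerts.append((port, "poe_abnormal"))
    for port in sorted(set(ports) - set(BASELINE)):
        alerts.append((port, "new_device"))
    for src, dst in flows:
        if (src, dst) not in ALLOWED_FLOWS:
            # A known pair seen in the opposite direction is reported separately.
            kind = "flow_reversed" if (dst, src) in ALLOWED_FLOWS else "flow_unknown"
            alerts.append(((src, dst), kind))
    return alerts


# Constructed snapshot: camera 1 unplugged, port 2 device swapped, extra host on port 5.
SNAPSHOT_PORTS = {
    2: {"mac": "00:11:22:33:44:99", "ip": "10.0.0.12", "kbps": 9500, "poe_mw": 6000},
    5: {"mac": "00:11:22:33:44:AA", "ip": "10.0.0.77", "kbps": 120, "poe_mw": 0},
    8: {"mac": "00:11:22:33:44:50", "ip": "10.0.0.50", "kbps": 9000, "poe_mw": 0},
}
SNAPSHOT_FLOWS = [("10.0.0.12", "10.0.0.50"), ("10.0.0.50", "10.0.0.12"),
                  ("10.0.0.77", "10.0.0.50")]

if __name__ == "__main__":
    for subject, kind in check_snapshot(SNAPSHOT_PORTS, SNAPSHOT_FLOWS):
        print(kind, subject)
```

The checks only work because the baseline is small and stable, which is the property of security networks the paragraph relies on; the same rules on a general IT network would alert constantly.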

The solution: combining technology and personnel
From the interviews we conducted with different manufacturers, one recurring point is worth mentioning: the human factor is the cornerstone for successful cyber protection. Even through simple-to-implement measures, such as choosing strong passwords or not connecting external media (e.g., USB stick) to the internal network, cyber-aware employees can greatly reduce the risk of a security breach. Determined attackers will always find a way to breach the line of defense. Therefore, end users should design their cyber protection from a comprehensive perspective that combines threat prevention through employee awareness and proper system architecture, threat detection to identify breaches as early as possible, and protection to minimize damage and quickly take corrective action.

