IP security systems may open a backdoor for cyberattacks

The introduction of IP technology has made physical security systems – video surveillance, access control and alarm systems – susceptible to cyberattacks. However, the major risk lies not in an intruder seizing control of camera operations, but rather in their use of the physical security system as a stepping stone to obtain sensitive information inside the organization. 

Risks associated with IP migration
Switching from analog to digital IP-based video surveillance systems can make systems more open. Although this move can benefit users in many ways, the resulting system can pose a threat to the organizational network. The reason is that IP-based security systems, whether for video surveillance or access control, can run partially or entirely within the corporate network; thus, an unprotected system can become a “jumping board” for hackers to get into the private system.

This risk is not limited to the intruder taking control of the physical security system, but also includes the damage that can be inflicted when they gain access to the larger IT system.  The risk and potential damage of an intruder exploiting the vulnerabilities inherent in a camera or VMS to gain access to other IT systems is the most serious aspect of cybersecurity as far as physical security systems are concerned.

Inadequate security system protection
It is a paradox, but in many cases operators neglect their physical security systems, making them less secure than other endpoints in the network. Employees’ personal computers, for example, are usually password-protected, and the IT department makes a point of regularly updating security patches or changing passwords.

On the other hand, it is not uncommon to discover that the password for the video surveillance system is still the default one, which can sometimes be found with a simple Google search. For IP cameras, an intruder can even walk up to the camera and use relatively simple technical tools to find out network details like IP addresses, user names, passwords and more.

Security tightened in various sectors
Governments and several other “high risk” sectors, such as finance, healthcare and energy, have already started introducing cybersecurity standards and policies. The US Federal Government updated its cybersecurity practices by putting the Federal Information Security Modernization Act of 2014 into effect.

This act delegated authority to the Department of Homeland Security (DHS) to manage the implementation of information security policies for the different federal government branches, which includes providing technical assistance and deploying relevant technologies. Europe is also introducing corresponding legislation on cybersecurity and data privacy.

Important risk factors to keep in mind
There are several common risk factors that should be addressed to protect against cybersecurity intrusion. Many of these risk factors go back to one fundamental issue: lack of cyberthreat awareness from the different stakeholders involved, such as the manufacturers, integrators and end users.

For an attack, cyber criminals need to find information about the target first. Therefore, one thing enterprises can do to protect their systems is to make sure that they don’t expose any information that might enable an attack, such as unintentionally disclosing technical information through LinkedIn or other social media accounts.

Other steps that can be taken include proper configuration of the security system and making sure that passwords are changed, edge devices are secure, the operating system is up to date, etc.


A major risk factor is web applications for VMS and access control systems. Manufacturers, integrators and users all need to make sure these are secured with encryption. Alternatively, they can implement other built-in measures that can enhance security, for example, session logoffs, enforced password complexity, password expiry dates or the use of passphrases instead of passwords. Systems should also have different authorization profiles for users and a clear audit trail. This allows only authorized actions and limits the risk of damage caused by a careless or disgruntled employee.
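The authorization profiles and audit trail described above can be sketched as follows. This is an added example, not code from the article or from any VMS product; the profile names, action names, users and camera IDs are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical authorization profiles for a VMS web application (assumed names).
PROFILES = {
    "viewer":   {"view_live"},
    "operator": {"view_live", "view_recorded", "export_clip"},
    "admin":    {"view_live", "view_recorded", "export_clip",
                 "change_camera_config", "manage_users"},
}

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, user, action, target, allowed):
        # Log every decision, permitted or denied, with a UTC timestamp.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action,
            "target": target, "allowed": allowed,
        })

    def denied_by_user(self):
        """Count denied attempts per user, a simple signal worth reviewing."""
        counts = {}
        for e in self.entries:
            if not e["allowed"]:
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts

def authorize(users, trail, user, action, target):
    """Allow the action only if the user's profile grants it (default deny)."""
    profile = users.get(user)                 # unknown account -> None
    allowed = action in PROFILES.get(profile, set())
    trail.record(user, action, target, allowed)
    return allowed

# Constructed sample accounts and requests.
USERS = {"alice": "admin", "bob": "operator", "carol": "viewer"}

def demo():
    trail = AuditTrail()
    requests = [
        ("carol", "view_live", "cam-01"),
        ("carol", "export_clip", "cam-01"),        # viewer may not export
        ("bob", "export_clip", "cam-02"),
        ("bob", "change_camera_config", "cam-02"), # operator may not reconfigure
        ("dave", "view_live", "cam-01"),           # account not provisioned
        ("alice", "manage_users", "bob"),
    ]
    results = [authorize(USERS, trail, *r) for r in requests]
    return results, trail
```

Denied requests are recorded alongside permitted ones, so repeated attempts outside a user's profile show up when the trail is reviewed.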

Industry’s role in cybersecurity
The physical security domain is still not very up-to-date when it comes to cybersecurity. It is the industry’s responsibility to advise clients on how to secure their systems and make sure they follow relevant best practices to avoid vulnerabilities. It is vital to protect the client's assets but also to prevent any possible damage to the manufacturer or integrator's reputation if the system gets compromised. Awareness and commitment are the most essential factors for successful cyber protection.
