Physical security systems and devices that are connected to the network are endpoints that can potentially introduce significant cyber risk into an organization.
Physical security systems and devices that are connected to the network are endpoints that can potentially introduce significant cyber risk into an organization. Physical security devices are often overlooked by IT departments and oftentimes, are not properly patched, updated, or managed.
“These devices are typically configured with default passwords, open ports, and protocols, and they run legacy firmware versions with known vulnerabilities,” explained Kevin Sheridan, Director of Financial Institution Services for Convergint. “Hostile actors can exploit these vulnerabilities, allowing them to gain an initial foothold into an organization’s network. These compromised devices can then be used as a foothold within the network to pivot to other devices or systems.”
Properly hardening camera, card reader, video management, and other connected systems prior to their initial deployment, and properly managing them throughout their lifecycle, will significantly reduce the attack surface that can be exploited, thereby reducing risk.
Major factors to consider
According to James Somerville-Smith, Global Customer Marketing Leader – End-User Programs at
Honeywell Commercial Security, there are four key considerations to bear in mind when integrating cyber and physical security systems:
- You must ensure that all physical hardware components are cyber secure in their own right
- All intelligence and data must be protected behind a strong and comprehensive firewall
- Access to sensitive areas such as data rooms needs to be protected by multi-layered accreditation
- Systems in sensitive areas are protected via local security so that personnel is not able to access systems unless they have properly badged into the restricted area. This will avoid giving system access to personnel in areas that they have got into illegally (e.g., by tailgating), with any breaches being flagged immediately to a central control room so that a response team can be sent to check the breach
Sheridan added that besides properly managing the cybersecurity of the actual physical security devices deployed at a client’s site, it is also imperative that the integrator itself has a strong internal cybersecurity program to ensure the integrator is not the vector for sensitive client data to be compromised.
From technology to a process
Martin Koffijberg, Director, Business Development, Banking and Finance at
Axis Communications is of the opinion that the concept of cybersecurity should be looked at as a process rather than a technology. You can have the best security-related features built into technology, but if they haven’t been enabled or set up correctly your investment in this is lost and the associated risk increased.
This is no different for physical security technologies than any other IT device connected to a network. This has recently been highlighted by the UK Surveillance Camera Commission’s Secure by Design, Secure by Default certifications for manufacturers.
Balancing costs and efficiency
It’s not unusual for global banks to now hand over their technical physical security deployments to ICT departments. Cybersecurity risks are making convergence happen in some sectors, including banking, far more rapidly than the advent of IP surveillance did. It’s not unusual now to see surveillance decisions made by heads of IT and cybersecurity (or those people at least being major influencers on purchasing decisions) but this trend is occurring more in the west than elsewhere.
“However, these set-ups are out of the reach of many banks and are seen as too expensive to implement and maintain,” Jun said. “This is compounded by the fact cybersecurity experts in some parts of the world are hard to come by.”
Jun stressed on the importance of cost-efficiency, concluding that banks need the most cost-effective local NVR and centralized server-based solutions available, and ones that use proprietary protocols and custom file structures which make them unfamiliar to cybercriminals and therefore very difficult to hack. Plug-and-play solutions could also play a key role, as they are easier to install compared to traditional systems.