Physical security and cybersecurity – are they so different?

Fred Juhlin

Who watches the watchmen? And who secures the security systems? It all seems very Catch-22 on the surface of it, but the idea of securing one’s security system does make very good sense.

When it comes to IP security cameras though – should you be more concerned about their physical security or their cyber vulnerabilities? And in the 21st Century, with the Internet of Things growing exponentially, is there much difference anyway?

From my perspective, as a senior cybersecurity analyst at a company that primarily develops physical security products that are connected to IP networks, the fundamental approach is going to be broadly the same. Whether you are responsible for your organization’s physical security or its cybersecurity, you still need to apply the same principles:

  • Identify your assets and resources and classify them (the what)
  • Identify the most plausible threats (the who and why)
  • Identify plausible vulnerabilities (the how)
  • Identify the expected cost of a successful attack (the how much)

In future blog posts I will go into more detail about each of these, but for now, let’s just flesh them out a little.

Identify your assets and resources

As far as cameras are concerned, other than the camera itself, the main assets involved are the video feed from the camera or any video stored locally or on a server. In most situations these video assets may be valuable to your company, but of little use to anyone else. However, you do need to think carefully about why an intruder might be interested in those assets. In addition to your video content, though, user credentials, information about network configuration and potential service interfaces could provide useful intelligence for other attacks.

Identify plausible threats

In this instance, there are a few credible threats to an IP camera system: physical sabotage (of the cameras themselves or the location the cameras are surveying); leaking the video content; or using the device as an intrusion point into your broader network. It’s also worth thinking about who could be a plausible attacker and what their motivation might be, the types of vulnerabilities that they might take advantage of, and then the kinds of security controls that might address them specifically.

Identify plausible vulnerabilities that could be exploited

Obviously no system is completely invulnerable – to be of use, any network or device has to be exposed to the outside world in some way. But it is equally obvious that some vulnerabilities don’t need to be there. In the former category is the physical exposure of a camera, making it vulnerable to sabotage – which is why we do our best to ensure our cameras can withstand extreme physical conditions. In the latter category are things like exposed passwords or credentials for the video management system, and a network that is not properly hardened or not properly maintained.

Identify expected cost of a successful attack

This stage is pretty important, because if you don’t know the cost of a successful attack then you won’t know how much to invest in securing your system in the first place. If your cameras are being used in a very mundane environment and there is no chance they could be used as an entry point into the rest of your network, then you may find that the cost of a breach is very low. But if your situation is more sensitive, or a breach of your network could expose your company to financial or reputational losses, then the costs will be much higher and you may want to invest more time and energy into securing your security system.
