Physical security and cybersecurity – are they so different?

Large organizations will typically have a physical security team and a separate IT team focused on cybersecurity.  Both teams protect the organization’s assets and resources.  So it is natural that one may think that this would make them great friends.

The challenge is that the assets and resources are different. Protection is an obstacle designed to reduce the risk of a specific threat. When you do not understand the risks, carrying out protection is seen as an annoyance: an extra process that makes your daily work harder and adds costs. This is often the collision between OT (Operational Technology) and IT (Information Technology). A common difference is that OT will often prioritize availability before confidentiality and integrity. IT will often prioritize confidentiality.

What cybersecurity can learn from physical security

For most people it is easy to understand physical security risks. An unlocked door will increase the risk of unauthorized people entering.  Valuable goods that are visible could be easily taken.  Mistakes and accidents may cause harm to people, property and things.

I’m a senior cybersecurity analyst at a company that primarily develops physical security products that are connected to IP networks. So, from my perspective, the way physical security and cybersecurity are tackled is going to be broadly the same. Whether you are responsible for your organization’s physical security or cybersecurity, you still need to apply the same principles:

  • Identify and classify your assets and resources (what to protect)
  • Identify plausible threats (who to protect it from)
  • Identify plausible vulnerabilities that threats may exploit (the likelihood)
  • Identify the expected cost if bad things happen (the consequences)

Risk is often defined as the probability of a threat multiplied by its harmful result. When you have the answer, you must ask what you are willing to do to prevent the negative impact. Let’s look more closely at each principle.

Be aware of your assets and resources

As far as video systems are concerned, the obvious resource is the video feed from the camera. The asset is the video recordings in the Video Management System. Access to these is typically controlled by user privileges. Apart from video, other assets to consider are user accounts/passwords, configurations, operating system, firmware/software and devices with network connectivity. All have different classifications depending on how critical and exposed they may be.

Be aware of the common threats

The biggest threat to any system can be described as deliberate or accidental misuse by those who have legitimate access to the system.  Poor protection may result in employees accessing video they are not authorized to view, or trying to “fix” things, resulting in a reduction of the system’s performance.

Hardware failure is also a common cybersecurity threat. Surveillance systems are likely to be sabotaged by individuals who do not like being surveilled. Internet-exposed services may fall victim to pranksters manipulating computer systems for entertainment. Terrorists and nation-states may try to weaponize devices inside a specific organization’s network. These threats are not different from physical threats, as the impact and the value for the adversary are the same. Systems need both physical and cyber protection.

Be aware of the common vulnerabilities

In physical security, doors and windows are vulnerabilities – ways of entering a building. The defenses, walls and fences, also have vulnerabilities, as people can still force themselves through or over them.

The same idea applies to software. The risk depends on the difficulty of exploiting a specific vulnerability and what the negative impact may be. Protection may either add obstacles to reduce the risk (e.g. encryption) or provide a way to reduce the recovery costs (e.g. data backup).
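To make the risk formula and the two kinds of protection concrete, here is an added example (not from the original article) of a small risk register for a video system. Every figure, scenario name and control in it is a constructed assumption; the scenarios are taken from the threats this article mentions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    asset: str         # what to protect
    threat: str        # who or what to protect it from
    likelihood: float  # expected occurrences per year
    impact: float      # expected cost per occurrence

    @property
    def risk(self) -> float:
        return self.likelihood * self.impact  # probability x harmful result

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # below 1: an obstacle, e.g. encryption
    impact_factor: float = 1.0      # below 1: cheaper recovery, e.g. backup

def residual(s, c):
    # The same scenario once the control is in place.
    return replace(s, likelihood=s.likelihood * c.likelihood_factor,
                   impact=s.impact * c.impact_factor)

def net_benefit(s, c):
    """Yearly risk removed by the control minus what the control costs."""
    return s.risk - residual(s, c).risk - c.annual_cost

def rank(scenarios):
    return sorted(scenarios, key=lambda s: s.risk, reverse=True)

# Constructed figures for a video system; replace with your own estimates.
LEAK = Scenario("video recordings", "recordings leak outside the organization", 0.5, 40000)
MISUSE = Scenario("video recordings", "employee views video without authorization", 2.0, 5000)
FAILURE = Scenario("recording server", "hardware failure", 0.25, 20000)
SABOTAGE = Scenario("camera", "sabotage", 0.5, 8000)
REGISTER = [MISUSE, FAILURE, LEAK, SABOTAGE]
PLAN = [  # (scenario, proposed control) pairs, all hypothetical
    (LEAK, Control("encrypt recordings", 2000, likelihood_factor=0.25)),
    (FAILURE, Control("data backup", 1500, impact_factor=0.25)),
    (SABOTAGE, Control("on-site guard", 10000, likelihood_factor=0.5)),
]

def evaluate(plan):
    return [(c.name, net_benefit(s, c)) for s, c in plan]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.risk:>8.0f}  {s.asset}: {s.threat}")
    print(evaluate(PLAN))
```

A negative net benefit, as for the guard in this constructed plan, means the protection costs more per year than the risk it removes.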

When most people think of cybersecurity they think of the sophisticated attacks they read about in the media. Most concerns I encounter are related to flaws in a device interface – mainly because we are a device manufacturer. However, the biggest vulnerabilities relate to an organization’s lack of internal awareness, policies, processes and procedures. You need to get them in place and you should audit your suppliers’ cyber maturity before evaluating their products or services.

Be aware of the negative impact

Video systems do not process financial transactions nor hold customer data. This means a video system may be hard to monetize and thus have limited value to organized cyber criminals.

Looking at the other plausible threats indicates the potential cost. Employees may access video they are not authorized to view or reduce the system performance. Sabotage by disgruntled insiders and external activists may result in operational downtime. Video leaked outside the organization may result in lost trust. A compromised system may become a threat to other systems. Estimating costs is hard. Unfortunately, in many cases organizations learn the hard way. Protection is like quality: you get what you pay for. And if you buy cheap, it may end up costing you much more in the long run.

Download the Axis Cybersecurity eMagazine for more cybersecurity insights and inspiration.
