The cybersecurity risk of physical security technology

Steven Kenny

Although some may view physical security and cybersecurity as two very different practices, at their core they both achieve the same thing: protecting people, assets, brands and reputations. One of the cornerstones of doing this successfully is ensuring effective risk assessments are undertaken.

Not only are physical security and cybersecurity similar in their aims, but the two once discrete industries are beginning to converge. There is an undeniable cybersecurity risk when utilising physical security systems, especially following the rise of network cameras, open access control and IP audio. The proliferation of connected IoT devices, as well as the increasing sophistication and ability of hackers, has meant the levels of risk continue to rise.

That is why now is the time for physical security practitioners, whether consultants, installers or end users, take a step back and properly risk assess what the potential cybersecurity issues are when designing, specifying, installing and operating physical and electronic security systems.

When physical security creates a cybersecurity headache

Businesses invest vast sums to deploy physical security technology. However, it is now an unfortunate truth that these systems designed to ensure physical safety can be a back door into IT networks. The very same systems designed to keep us safe can actually be the prime security risk to a business.

We have seen examples where insecure security systems have given intruders access to live video feeds. It was recently reported that an Australian casino’s CCTV system was hacked allowing the perpetrators to view camera footage and relay messages to associates on the casino floor based on what cards people were playing. Whilst this sounds like an incident from a Hollywood movie, this was a real-life event that allowed the criminals to walk away with millions of dollars.

There have also been numerous examples of access control systems being hacked, granting intruders unauthorised access to a facility. The ramifications of this could be significant; what would happen if the perpetrators were able to deactivate an intruder alarm system and prevent it from functioning correctly? This would make it almost impossible to know if someone had broken into a building.

2018: the year of change

As the topic of cybersecurity hit the headlines, last year saw a lot of regulatory change to counteract the threat. The General Data Protection Regulation (GDPR) began being enforced, as did the Directive on security of network and information systems (NIS Directive).

Both directives impose the same substantial financial penalties for non-compliance. Large monetary fines have the potential to debilitate businesses, so it is imperative that the relevant companies undertake due diligence in meeting its requirements.

We have already witnessed GDPR fines being imposed across the UK and EU related to the deployment of CCTV systems. It was recently reported that hackers in the UK broke into schools’ CCTV systems and streamed footage of pupils live on the internet. Understandably, this gained a lot of negative publicity; after all, we send our children to school with the expectation that they will be safe, and the security systems are there to protect them rather than put them at risk.

Why selecting the right technology partners is critical

In our converging security landscape, selecting the right technology partner has never been so important. The first step for security practitioners is to acknowledge that cybersecurity isn’t just an IT issue and understand the associated cybersecurity risks to a business related to the deployment of physical and electronic security systems.

Then, it is critical a business performs its due diligence on the company that manufacturers the technology it is looking to procure. What policies and procedures does each vendor have in place to demonstrate its cyber maturity and understanding of the associated risks?

It is also worth clarifying if that equipment is being purchased from the manufacturer or an approved partner. There is an increasing number of manufacturers that OEM and ODM equipment from others. Whilst there are advantages to this approach, it does create difficulties when addressing a security vulnerability should one occur.

The main lesson is that honesty and transparency is really important in a technology vendor. It is imperative to work with a business that proactively identifies vulnerabilities and releases a Common Vulnerabilities and Exposures (CVE) list with a fix. This is a vital component to safeguard deployed physical security systems.

Finally, the commissioning process in hardening a system is key. Manufacturers should support those installing systems and provide documentation that follows Critical Security Controls for effective cyber defence. This is just a starting point and there are many other areas to consider, especially education.

To learn more about cybersecurity challenges and regulations download my latest technology paper:

Cybersecurity Technology Paper