It’s ironic that the same threats to our everyday personal or work devices also afflict the security systems deployed to protect people, places and things. Despite advancements in network security, regular breaches happen in sectors such as banking, credit monitoring, hospitality, media, and government. These breaches often occur months or years before ever being reported to the public.
If this is true of systems and products used by IT professionals, how much more vulnerable are networks that have been traditionally isolated and are just now coming online? Industrial Control Systems (ICS) that support critical infrastructure are becoming more connected and networked. Physical security systems are adding more and more Internet of Things (IoT) devices such as IP cameras.
Securing these systems effectively requires not only a successful convergence of IT and physical security but also automation. First, here’s a look at the cyber weaknesses of these increasingly interconnected physical security systems.
Physical Security’s Cyber Problem
With the advantages of network-capable devices also come vulnerabilities: Hackers can use unsecured IoT devices to infiltrate corporate networks, launch attacks on the public Internet or disrupt the video surveillance system.
The growth in IP cameras alone is cause for concern. IHS Markit forecasts that more than 180 million professional video surveillance cameras will be shipped in 2019 (up from just under 10 million in 2006). IP cameras have eclipsed the sale of analog ones: 62 percent of all security cameras shipped in 2017 were network cameras.
Lack of expertise and cybersecurity tools further exacerbates these vulnerabilities. Securing, monitoring, and maintaining hundreds or thousands of installed devices against evolving risks is a great challenge. Human hands alone cannot handle the myriad tasks required.
IT departments may be responsible for cybersecurity, but they often don’t have adequate visibility into the physical security system and other IoT assets. They don’t typically monitor site-specific endpoints such as cameras and access control, and neither do their access layer switches.
This means that security managers often don’t know when these units are compromised, go off-line, stop streaming video or audio, reboot, or are just missing. Many physical security pros themselves do not have the time, budget, or knowledge to properly ‘harden’ cameras and other IoT devices.
Many camera manufacturers in collaboration with US-CERT (United States Computer Emergency Readiness Team/DHS) provide vulnerability threat alerts with appropriate responses. Unfortunately, the number of devices and the lack of traditional IT oversight/intracompany collaborations can be a problem, even with the appropriate guidelines from a camera manufacturer. These cameras can still fall prey to would-be hackers who are actively scanning networks for any possible opening.
To further emphasize how easy it is to gain access to cameras online, several groups such as Insecam.org and Shodan provide listings by geography, manufacturer, and model. These open-access cameras can be used to accommodate criminal endeavors, or they can be part of a large-scale network attack.
Mirai is an example of malware that exploited improperly secured IoT devices (300,000 of them) by scanning large blocks of the Internet for open communication ports using default passwords. In so doing, it amassed a botnet army used in large-scale network attacks against popular websites. Mirai variants are still being used today to target enterprise devices.
The same types of ransomware that impact non-security platforms can also interrupt fall enrollment at universities or wreak havoc to video servers used to guard presidential inaugurations.
Physical and Logical Convergence
Physical security and IT have got to do a better job at collaborating on cybersecurity. In addition, convergence requires new thinking from those previously isolated departments found in loss prevention, ICS, operational technology (OT), and others. They can take control using automation to secure their security systems.
By using automation technologies, physical security pros can apply cyber best practices without being cybersecurity experts. Automation should enable them to do three things for a properly secured system:
- See all assets: An effective system automatically detects what devices are connected to the network 24×7.
- Secure all assets: Automation should protect or ‘harden’ legitimate devices with best practices, and block or lock out rogue or unnecessary devices.
- Monitor all assets: Automation should passively monitor all assets 24×7 down to the IoT device, generate alerts, and take corrective actions when needed.
At the urging of groups such as SIA (Security Industry Association) and numerous government agencies in private or public collaboration (InfraGard, DHS, NIST), many physical and logical security providers like Razberi Technologies and Milestone Systems are leading this convergence.
For example, the Razberi CameraDefense™ cybersecurity solution integrated with the Milestone XProtect video management software (VMS) provides a unified interface for operators to be notified and take action if CameraDefense detects any cyber threats. By automating, streamlining, and simplifying best practices, Razberi and Milestone make the deployment of complex systems more manageable and robust, delivering trust through solutions that are not only friendly but network responsible.
The physical security industry needs more of these automated tools to defend against cyber and other security threats. Hopefully more will be coming online soon, but it’s important to take action now to defend your surveillance realm.
by Mig Paredes, Director of Partner Development for Razberi