printer friendly version

Cybersecurity in the physical security world

Hi-Tech Security Solutions hosted a round table discussion in partnership with Milestone Systems on the topic of cybersecurity in the physical security world. A panel of experts from various companies in the cyber, physical security and IoT (Internet of Things) markets was asked to discuss what the real cyber risks we face today are, as well as looking at best practices for dealing with them efficiently without hampering the value and intelligence these systems deliver.

The reason for this particular topic is that security products today are more advanced and more connected than ever before and are basically lumped into the same category as any IoT device – albeit devices with far more technology and capabilities than traditional IoT devices. These devices, however, transmit more information than most IoT devices, especially when it comes to surveillance. This means they are just as vulnerable as your laptop, servers and mobile phones, but without the protection these devices have come to accept as normal. This lack of protection makes these security and IoT devices especially vulnerable if not designed, installed and maintained correctly.

Naturally, we are seeing leading manufacturers of physical security hardware and software putting much more effort into designing security into their solutions, but just like any technology, there is no 100% guarantee that these systems are cyber secure. In addition, just because security is built in on the manufacturing side does not mean users can use them without a care. Security requires everyone to play their role in securing devices, networks and so forth, from the manufacturer to the system integrator as well as the customer and the end users themselves.

The main trends

To start off, we asked each person on the panel to introduce themselves and highlight what, from the perspective of their business focus, the main trends in cybersecurity they have observed and experienced out in the field are.

George Psoulis, sales manager, Africa for Milestone Systems, noted that there is a definite drive to incorporating edge devices (devices at the edge of the network) into management platforms, or to be more accurate, to bring in the vast amounts of data created by these devices into management platforms for analysis and processing. While Milestone develops an open VMS that allows partners to develop almost any plug-ins, the platform is increasingly being used to cater for non-video data and even non-security data. In this respect, he confirms that security devices such as cameras are also being viewed as IoT devices.

With all this data being integrated from local and wide-area networks, Psoulis says there is a great need for cybersecurity to ensure the devices are not hacked and infiltrated by cybercriminals. The real threat in these cases is not so much losing a device, but that it can be used to infiltrate corporate networks to steal information or launch a ransomware attack and commit other nefarious activities.

Ian Shak is the principal solutions architect and information officer at Saicom, a company that offers VoIP (voice-over-IP) and a range of hosted and cloud solutions. The company has long been working on securing VoIP systems, but he says that today there is a more intense focus on the area of compliance, especially PoPIA in South Africa. While compliance is, as Shak notes, seen as the more boring cousin of security, it is a necessary step in making both service providers and consumers more secure.

Charl Ueckermann, CEO, AVeS Cyber Security, sees ‘virtual anywhere’ as the most pressing cybersecurity problem at the moment. With people being dispersed all over the world, especially during lockdowns where remote work surged in a very short period of time and there is a significant problem of not having the necessary security layers in place to protect people and companies from the risks out there. The lack of the relevant layers of security is one of the causes for the surge we’ve seen in ransomware attacks over the past year.

Marcel Bruyns, sales manager, Africa for Axis Communications, notes that although people generally recognise Axis as the IP camera company, it has been expanding its focus over the past few years into areas such as access control and audio solutions. He adds to what Psoulis said, noting that surveillance cameras are no longer only being used for transmitting video, today there are many applications that can be loaded and run directly on the camera, as well as a variety of information that can be sent back to servers and management platforms.

Moreover, Bruyns adds that along with the growth of artificial intelligence (AI) and the intelligence that can be extracted from video footage, there is also the trend to storing this information in the cloud and this opens another pathway through which people can gain access to devices and the network, as well as the information that is being generated and transmitted.

Richard Frost, head of product for network and endpoint security at Vox, says that while the company has specialised in networking from an IT and communications perspective in the past, Vox is seeing many more IoT devices on networks and has launched its own IoT division that incorporates products and services for a variety of needs. It covers a range of products in its IoT endeavours, from surveillance cameras to elder care (panic buttons etc.).

In its cybersecurity services to clients, Vox has done penetration testing on client networks and Frost says there are a number of instances in which they found unsecured surveillance cameras, allowing the testers to access the cameras and view the footage being recorded and even get into the company’s network. As noted, cameras today contain much more data than ever before in terms of video and analytical information, making them critical information assets.

This has a direct impact on PoPIA preparedness in companies as people’s personal information, such as their faces and even the ability to identify people by facial recognition could be compromised by unsecured cameras and insecure links to cloud servers, for example.

Dévique Barkley is a specialist engineer heading up the security department at Cipher Engineering, a company specialising in physical security and safety projects, including automation.

The risks he has seen are varied, but often are the result of integration between security products. In the effort to gain more useable information for security decision makers, integration is critical to be able to collect and collate data from various systems. The problem, Barkley says, is that in the integration process one often places different security processes and users and roles (user permissions) into the same server, which tend to create vulnerabilities unless each user and his/her permissions are evaluated according to what they and the organisation actually require.

In addition, while we are all aware of phishing emails that are used to try to persuade people to click on a link and enter personal information or open an attachment which loads malware onto the user’s system, Barkley says there is also a problem of how people are exploited to get past physical barriers and gain access to physical switches and other critical equipment, which means that simply by being in a certain location (which should be a secure location) these individuals have managed to bypass many of your cybersecurity controls.

There were many more questions and discussion points during the round table discussion and readers are invited to view the full video at www.securitysa.com/*CyberRT (a redirect to www.youtube.com/watch?v=0nNdblXw5BI). Alternatively, simply scan the QR code on this page with your mobile device and it will take you to the YouTube video.

For more information contact:

• Milestone Systems, +27 82 377 0415, [email protected], www.milestonesys.com

• AVeS Cyber Security, +27 11 475 2407, [email protected] , www.aves.co.za

• Axis Communications, +27 11 548 6780, [email protected], www.axis.com

• Cipher Engineering, [email protected], www.ciphereng.co.za

• Saicom, +27 10 140 5000, [email protected], www.saicom.io

• Vox, +27 87 805 0000, [email protected], www.vox.co.za

Share this article:

Further reading: