The cybersecurity of physical security

CCTV Handbook 2018 Editor's Choice, Information Security

By now we all know of the dangers of cyber-attacks being launched through security devices that have been installed without the proper planning and cybersecurity precautions. The Mirai botnet attack was only one example of how hundreds of surveillance products (DVRs and cameras) could be used as part of a botnet to launch global distributed denial of service (DDoS) attacks on premium Internet properties.

Roger Truebody.

Being aware of the dangers is one thing, but actually knowing what you need to look out for and do to secure your surveillance infrastructure is quite another. And securing it is a must. Roger Truebody has often demonstrated to clients the simplicity with which a surveillance (or security) infrastructure can be hacked if not protected.

The issue is not about losing control of your cameras or losing video footage, although that is a serious consequence in high-security installations. Even if the organisation has set up a separate network for surveillance, there will almost always be a connection between the corporate and security infrastructure. The security breach will allow the hackers to worm their way into any part of the network and inflict damage or steal sensitive information or money.

Any weak link in the security infrastructure will be enough to allow them a foot in the door, and that is all they require. This is not a risk exclusive to security products, however; any IP-based device in the industrial control field can be the weak link that provides access to those with bad intentions.

The answer, Truebody says, is to start your planning as you would in any other risk management scenario, with good governance and a clear view of what you want to accomplish. Your people, processes and technology (PPT) are the starting point.

Starting with an assessment

When starting with a risk assessment, you need to determine and illustrate all the risks you may face and the impact they could have on the physical security infrastructure as well as further into the organisation. As an example, Truebody says that hacking the cameras watching the platform at a train station may not be the highest security risk, but hacking the cameras of a cash centre would carry a significant risk.

“The impact of the risk drives the controls, reactions and budget assigned to mitigation,” he says. The awareness of what could happen and what mitigation processes are required is even more important than selecting the right technology for the job. That said, organisations need to be sure the technology they specify can meet their requirements effectively, across the board and in whatever situation risks manifest.

Whether they run proofs of concept, shoot-outs or investigate other organisations that have made use of the same solutions, buying technology is not a matter of getting the best deal, but of getting the technology you know will do the job. And he is referring to all technology, not only surveillance and security-related systems, but also the IT infrastructure, which includes your switches, servers, storage, and so on.

Truebody is also in favour of much more collaboration between the owners of the IT network and the physical security or camera network. Currently, the camera network in an enterprise is probably covered by the IT security policy – one hopes. However, this is where the collaboration normally ends and if the camera network is breached, the physical security guys will probably not know about it. More importantly, the IT network is now also at risk of attack from a supposedly trusted source.

Organisations therefore need to set accountability rules for both networks, setting clear rules of who is accountable for what, and how the networks are planned, implemented and managed. This also applies to organisations that keep both networks independent of each other; all hackers need is one weak point.

The people aspect must also be considered. You need to understand people and their motivations in order to get your employees on board the cyber defence wagon. As it becomes more difficult to break into systems, the insider is becoming a more valuable target for criminals. Employees need to understand why they should not click on random files they receive and how irresponsible online practices can be turned against them and their organisations. More companies are training employees to recognise this, but also adding punitive measures to their contracts if they do not apply their learning.

Then there is also the insider threat of employees who are working for syndicates, either willingly or unwillingly, and the damage they can cause. Visibility and accountability are key here. By this, Truebody means the network must be set up in such a manner that everybody knows that what they do on the network is recorded. Everyone has the freedom to do what they are authorised to do, but they need to know that if something untoward happens they will be identified and be held accountable.

In areas of higher risk, employee screening should also be done pre- and potentially post-employment. The nature of the risk will determine the level of screening that is required.

Basic procedures

In addition to the above, Truebody is also a believer in ‘basic cyber hygiene’ as the foundation to ensuring your physical security infrastructure is as secure as it can be. Some of the issues to consider are:

• Align the security policies with your IT department’s security policies. Make use of IT’s experience in this regard and collaborate with them.

• Make sure you use strong passwords. Length of passwords is important: it takes only 15 minutes to crack a 4-character password.

• Keep your asset register up to date. Know what you have and when it was last patched.

• Keep access to the physical security network controlled. For example, nobody should be able to use an unauthorised USB device anywhere on the network.

• Ongoing maintenance is critical. This does not refer to software patches only, but actual physical maintenance that has someone looking at everything from the cameras to the access control readers to the network cables and switches etc.

• If you use remote monitoring, either an in-house service or from a third party, conduct penetration testing from time to time to determine where the weak links are. Security is an end-to-end function; one weakness anywhere on the network is all the criminal needs.

In today’s digital world, it seems unlikely that any system will be 100% secure. However, addressing the cyber risks with a PPT approach allows organisations to have a level of assurance that they have covered their bases and done what they can to secure their systems. Truebody concludes: “Make sure the fence is properly built before you start looking for holes.”




