How Cyber Secure Are Your Physical Security Devices

How Cyber Secure Are Your Physical Security Devices?

Protecting the network with your sensitive business data

  • By Vince Ricco
  • May 01, 2015

Are your physical security devices attached to the same network as your sensitive business data? Then, you had better take as much care to cyber secure those devices as you do your wireless access points, printer connections, scanners and other traditional networkattached technology. Any network node left unprotected could become a potential threat to overall network security.

What you need to do to harden your network connections depends on your risk assessment. First identify what assets need protection. Then investigate what threats or vulnerabilities pose a risk to those assets. Once you have that information in hand you can decide whether those risks are worth mitigating. For organizations handling credit card payments and/or patient data, the physical security of stored data—whether in the cloud or an in-house data center—is mandated by law and the financial penalties for non-compliance are significant. For some business owners, the consequences of unauthorized system breaches might be minimal which would influence how much they spend on protection technology.

Sometimes, the solution is as simple as network segmentation either through physical wiring or a VLAN. Separating network resources that shouldn’t interact or have no need to interact with each other increases overall network protection levels and assists in optimizing resource management.

Breaches Aren’t Always the Result of a Frontal Attack

The convergence of so many new technologies on the same network infrastructure has placed an enormous burden on IT departments to pay particular attention to the cyber security of a plethora of non-traditional network-attached devices. Due diligence must be paid to the security configuration of these devices to eliminate exploitation—whether the devices are heating, ventilation and air conditioning (HVAC) controls and monitors; intelligent building automation devices such as smart thermostats, Smart Grid power monitoring and control devices; or networked surveillance cameras and IP-based access control systems.

One recent, highly publicized and massive retail customer data breach stemmed from the hijacked login credentials of a thirdparty HVAC service provider. Typically the HVAC services company would remotely log into the retail stores’ HVAC monitoring systems for maintenance. Cyber hackers followed the same protocol, logging into the system using the stolen services company’s login credentials to gain access to the network. From there they were able to tap into the retailer’s point of sale systems which resided on the same physical network infrastructure. As a result confidential customer data was compromised.

The moral of the story? Keep a close eye on all network connected systems. They could be your Achilles Heel when it comes to securing sensitive corporate and client data. Once you understand what impact a successful breach might have on your business—financial penalties, loss of company reputation and market share, or perhaps negligible repercussions—you can plan your security spending accordingly.

Strategies for Protecting Network Ports

With more companies migrating to IPbased video surveillance and access control systems, both IT and physical security departments need to educate themselves on best practices for protecting these potentially vulnerable network nodes. To help you decide which security mechanisms, policies and procedures to deploy let’s look at how a typical IP-based video system is configured.

Video cameras and access control devices attach over the network to a video and/or access control server. Or, the system can contain multiple servers for load sharing and redundancy. The video can be stored to a local hard drive, a networkattached storage device (NAS), or a server storage array located at a remote data center or in the cloud. The network can also contain video viewing clients that can access video directly from the cameras or through a VMS.

To cyber-harden these physical security component, you need to focus on three areas: user/administrator credential management, physical port security, and video and data flow protection.

User/Administrator credential management: Credential management can be as simple as making sure that default logins and passwords are changed from factory defaults. IT professionals already do this as a default installation and maintenance best practice for networking hardware and attached devices. You can add another layer of protection by creating separate user and administrative logins, passwords and privileges.

IT can install other credential security measures such as multi-factor authentication if the camera/access control manufacturer supports this feature. Many of the major VMS application platforms can help you automate the setup and maintain those attached device credentials.

Physical port security: There are a number of measures you can employ to prevent a device’s removal from the network and the attachment of a laptop or other device configured to spoof the MAC or IP address of the camera or access control pad in order to gain access to the network and network assets. Depending on the capabilities of your network hardware management software, this can be as simple as a port-based MAC address lockdown that requires manual provisioning when a port link is lost and then recovered. This does not address cable tapping, however. In that case more rigorous measures are needed such as onboard credential authentication.

When it comes to defending against network port hijacking, there are a number of network standard authentication measures you can deploy. It all depends on which ones are supported by the cameras and access control devices you’ve installed. For instance, many cameras support basic .X or RADIUS client for edge device authentication. Some camera manufactures support PKI or token-based resident certificate authentication.

The bottom line is that you should include port-based/edge-connection cyber security on all your network edge devices no matter what they are. And the cyber security of those devices should align with the high security standards your company already has in place to protect other devices and data residing on the network.

Video and data flow protection: Protecting the transmission of video or data focuses on preventing the wrong people from putting eyes on or having access to your organization’s video. You can just imagine how tactical it can be for “bad guys” to have visibility inside the walls of your business or what a PR or legal nightmare you’d have on your hands if certain sensitive video footage showed up on YouTube.

The goal is to protect the data flowing from end to end: from the camera or access control device through the network to the server and ultimately the storage device. To achieve that, your first step would be to define the protection scheme you want to deploy and then search out components that can readily integrate into that scheme. For instance, some video system manufacturers support a variety of encryption schemes from edge devices to servers. Other system components support encryption from the servers to the viewing client PCs, laptops and smartphones.

Network camera and access control system encryption generally adhere to IT methodologies standards such as .x, SSL/ TLS, HTTPS, and PKI certificates. There are also appliance-based heavier encryption methods available. But because video transmissions are extremely sensitive to transmission latency, anything short of zero latency encryption will likely disrupt recoding capabilities.

Before you make any decisions about encryption, research what your camera and VMS suppliers recommend. Then, to ensure compatibility across the board, surveillance and physical security decision makers should closely align themselves with IT to confirm that the hardware and software products they plan on deploying will meet IT standards for cyber security.

Know What Security Options are Out There

To keep abreast of what encryption and other physical security technologies are on the horizon and what are currently available on the market, you can surf online content from camera and server manufacturers, participate in physical security seminars and trade shows held in the US and around the world, as well as attend traditional IT tradeshows and events where a sizable number of physical security companies participate as well.

The point is to educate yourself and get involved in cyber-security issues early in the vendor selection process whether you own the solution or are supporting the solution on your company’s network infrastructure.

This article originally appeared in the May 2015 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • ISC West 2024 is a Rousing Success

    The 2024 ISC West security tradeshow marked a pivotal moment in the industry, showcasing cutting-edge technology and innovative solutions to address evolving security challenges. Exhibitors left the event with a profound sense of satisfaction, as they witnessed a high level of engagement from attendees and forged valuable connections with potential clients and partners. Read Now

    • Industry Events
    • ISC West

  • Live From ISC West: Day 2

    What a great show ISC West 2024 has been so far. The second day on Thursday was as busy or even more hectic than the first. Remember to keep tabs on our Live From ISC West page for news and updates from the show floor at the Sands Expo, because there’s more news coming out than anyone could be expected to keep track of. Read Now

    • Industry Events
    • ISC West

  • A Unique Perspective on ISC West 2024

    Navigating a tradeshow post-knee surgery can be quite the endeavor, but utilizing an electric scooter adds an interesting twist to the experience. While it may initially feel like a limitation, it actually provides a unique perspective on traversing through the bustling crowds and expansive exhibition halls. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3