Modern organisations use a range of smart physical security solutions to keep their people and assets safe – but it’s important that they also acknowledge that these security tools can be an entry point for threat actors to gain access to corporate networks. Christian Morin, Chief Security Officer and Vice President Integration and Cloud Services, Genetec Inc, outlines the steps enterprises can take to counter this threat.
Genetec recently surveyed more than 1,500 physical security professionals across Europe, the Middle East and Africa to understand some of their greatest challenges and their strategic priorities for 2021. If you are interested in seeing the full report findings you can check them out here in the report State of Physical Security 2021 – EMEA.
In my role as CSO and lead on cloud solutions here at Genetec, I was particularly interested to see the results of the survey related to cybersecurity. With the onset of the pandemic, concerns about cybersecurity increased around the world with many organisations exposing themselves to a greater number of attack vectors given the global move to prioritise work from home. All companies had to immediately contend with an increase in risk and needed to pivot quickly to reduce the likelihood of falling victim to cyberattacks capitalising on the pandemic. What’s more, the cyberbreaches we were witnessing were also the result of a rise in state-sponsored cyberattacks, rather than alone threat actors.
In an industry where cybersecurity was not always top of mind, the results of the survey demonstrate that respondents are recognising that these cyberthreats are real and their physical security systems are a potential attack platform. We are seeing 67% of respondents planning to prioritise the improvement of their cybersecurity strategy in 2021 which contrasts with what was reported in the Genetec worldwide State of Physical Security report released in late 2020, where just 31% of the 1,074 responding end users were prioritising cybersecurity initiatives (note: sample included Genetec end users).
Although this finding in the EMEA report is very promising, more needs to be done to ensure every organisation across the global physical security supply chain understands and acts upon the critical importance of privacy and security in the design, development, implementation and operations of security systems.
Cybersecurity threat to physical security systems
Physical security solutions are an entry point threat actors are using to gain access to networks of large and small enterprises. It might seem counterintuitive that physical security tools designed to keep people and assets safe can be the focus of a cyberattack but devices such as video surveillance cameras, access control readers and alarms panels are IoT devices. These devices are simply small computers that run software and that may contain cybersecurity vulnerabilities that can be exploited by attackers as a beachhead for all kinds of malicious actions.
To counter the threat, physical security professionals must proactively partner with their counterparts in information security to better understand the true limits of the security perimeter and work to develop strong governance and processes to avoid or mitigate cyberattacks. This requires solidifying a resilient cyberphysical security framework, to ensure only trusted devices are integrated in the network and subsequently configured, updated and managed throughout their operational life.
Cybersecurity best practices
As many physical security teams are prioritising cybersecurity, many organisations are still neglecting the basics. According to Verizon, over 80% of successful cyberattacks are the result of weak or vulnerable passwords. This includes a recent cyberattack on a well-known hybrid cloud video security provider, where attackers compromised a ‘super admin’ password and were granted unfettered access to 150,000 surveillance cameras at customer sites.
This included feeds into an automotive manufacturing facility, as well as a variety of sensitive installations including hospitals, prisons and schools. This incident demonstrates that parties involved in the supply chain to end users must be required to prioritise cybersecurity as part of their business and manufacturing practices and ensure they are operating in a framework of governance and best practice.
Unfortunately, another fallout of this attack may be contributing to fears about moving to cloud-based solutions. Our report’s findings prior to this attack pointed to almost two thirds (64%) of physical security respondents having somewhat (51%) or greatly (12.5%) accelerated their cloud strategy during the pandemic.
This is encouraging as including cloud in all or part of a physical security deployment can positively contribute to an organisation’s cybersecurity stance. Cloud services typically have cybersecurity features, monitoring and updates built-in, ensuring implementations have policies, controls, procedures and technologies that work together to protect the system and, by extension, the network.
The cloud is often perceived as insecure, however one in three breaches is caused by unpatched vulnerabilities on the network demonstrating that real challenge relates to organisations’ ability to keep software deployments up-to-date. An illustrative example of this includes the recent hack carried out by Hafnium, a group reportedly backed by the Chinese Government, which infiltrated the network of over 30,000 organisations across the US, ranging from SMEs to local governments.
This was the result of on-premises servers not being appropriately configured or updated when they should have, leaving them exceptionally vulnerable. As security solutions evolve in the new normal, it is critical that businesses not lose sight of the simplest yet most important part of cyber hygiene – ensuring that all IoT devices and on-premises servers are running the most secure version of the firmware that is available.
Cybercrime is a universal challenge and it is one that the report indicates EMEA-based physical security practitioners are beginning to address in earnest. While there’s nothing companies can do to make themselves completely impervious to a breach, every effort must still be made to reduce susceptibilities. The key here is to invest in the right expertise, ensure best practices such as cyber hygiene are prioritised and only integrate trusted devices on to the network.
Click below to share this article