How to Harden Security Infrastructure Against Attacks
Let’s be clear: physical security infrastructure is the target of many cyber criminals. IP cameras, access control systems, visitor kiosks, and related systems are by their nature attractive targets because they have compute, storage, and networking (as traditional IT systems do).
But because they are Internet of Things (IoT) devices, the solutions used to secure IT systems simply won’t work for them. Once breached, physical security systems can enable many other forms of attack on an organization, including planting ransomware, launching Distributed Denial of Service (DDoS) attacks, exfiltrating sensitive data, and potentially putting control of security systems in the hands of criminals.
Especially as the ability to create deepfakes based on real video footage becomes more sophisticated, ensuring that physical security data is untampered and suitable to be used as evidence adds to the focus on hardening physical security systems.
During the last few years, studies and industry security alerts have shown that most organizations do not sufficiently harden and protect physical security systems. Just ask yourself: Are all your camera devices on the latest and most secure version of firmware? Are your device passwords maintained and unique in accordance with your corporate policies? Are any of your devices authenticated using 802.1x certificates, or is traffic between devices encrypted using TLS/SSL certificates?
If you answered no to most of these questions, it suggests that you’re at high risk of your physical security systems being breached and exploited.
Hardening physical security systems is hard! The starting point is identifying all the devices on your network, something that many security teams struggle with because of the scale of devices, their locations, and the long-lived nature of IP cameras. Whether you use an IoT security platform that can do it for you or a dedicated asset discovery solution, a complete inventory will drive all efforts in hardening those systems.
Another factor that makes physical security systems more difficult to protect is the heterogeneous nature of such systems. Very few organizations have just one make or model for cameras; most have several types, all with unique mechanisms for updating and securing them. Hardening is further complicated because devices are often on isolated (or segmented) networks.
Reaching across multiple network segments to access the devices requires specialized technology; otherwise, a lot of manual effort is consumed securing devices one network segment at a time.
Despite the barriers listed above, there are now more automated and purpose-built solutions to harden physical security—and in general IoT/OT—devices. The key functions of these automated systems are to:
- Implement firmware updates. To remediate a known vulnerability, new firmware must be installed on cameras or access control devices at scale. Typically, this will need to be done multiple times per year as new vulnerabilities are detected and patches are rolled out.
- Enforce password policies. As numerous CISOs have said before, “hackers don’t break in, they log in.” Preventing threat actors from exploiting default or easily guessed passwords means having a policy and method for ensuring strong, unique passwords are created and changed when necessary.
- Manage certificates. Many organizations are moving to a Zero Trust approach, where independent authentication of the device is done to know whether to trust it. Certificates, such as those used for 802.1x authentication, are used alongside a Certificate Authority to extend Zero Trust to physical security devices. This process needs to be implemented and maintained.
- Assure service. A functioning physical security system is critically important in stopping breaches; physically breaching an organization to plant malware or gain access to critical systems is a major organizational threat. Ensuring your physical security systems are always working will help reduce this risk.
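The firmware, password, and certificate checks above can be run against a device inventory once one exists. The following is an added example, not code from the article or from any product it mentions; the inventory fields, device names, versions, and the 30-day certificate warning window are all assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample inventory: device names, models and versions are made up.
# "pw_fp" is an assumed keyed fingerprint of the credential, not the password.
INVENTORY = [
    {"id": "cam-lobby-01", "model": "CamA", "fw": "2.4.1", "pw_fp": "a1",
     "default_pw": False, "cert_expires": date(2026, 3, 1)},
    {"id": "cam-dock-02", "model": "CamA", "fw": "2.3.9", "pw_fp": "b2",
     "default_pw": True, "cert_expires": None},
    {"id": "door-east-01", "model": "DoorB", "fw": "1.9.0", "pw_fp": "b2",
     "default_pw": False, "cert_expires": date(2025, 6, 15)},
    {"id": "kiosk-01", "model": "KioskC", "fw": "3.0.0", "pw_fp": "c3",
     "default_pw": False, "cert_expires": date(2025, 1, 10)},
]
# Constructed baseline: newest approved firmware per model.
LATEST_FIRMWARE = {"CamA": "2.4.1", "DoorB": "1.9.0"}

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))  # "2.10.0" > "2.9.0"

def audit(inventory, latest, today, cert_warn_days=30):
    """Return {device_id: [findings]} for firmware, password and certificate checks."""
    shared = Counter(d["pw_fp"] for d in inventory)
    report = {}
    for d in inventory:
        findings = []
        target = latest.get(d["model"])
        if target is None:
            findings.append("no firmware baseline for model")
        elif version_tuple(d["fw"]) < version_tuple(target):
            findings.append(f"firmware {d['fw']} behind {target}")
        if d["default_pw"]:
            findings.append("default password in use")
        if shared[d["pw_fp"]] > 1:
            findings.append("password shared with another device")
        expires = d["cert_expires"]
        if expires is None:
            findings.append("no device certificate")
        elif expires < today:
            findings.append("certificate expired")
        elif (expires - today).days <= cert_warn_days:
            findings.append("certificate expires soon")
        if findings:
            report[d["id"]] = findings
    return report

if __name__ == "__main__":
    for device, issues in audit(INVENTORY, LATEST_FIRMWARE, date(2025, 6, 1)).items():
        print(device, "->", "; ".join(issues))
```

A device whose model has no firmware baseline is reported rather than silently passed, since an unknown model is itself an inventory gap.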
Building a Team
One advantage physical security teams have in implementing more rigorous methods for hardening their devices is that those systems are the most prolific and widespread IoT/Operational Technology (OT) devices in most organizations. As IoT/OT security becomes more visible at all levels of the organization, it is an opportunity for physical security organizations to take the lead corporatewide on IoT/OT security.
Since cybersecurity is a team sport, who should your teammates be? One best practice is to form an IoT Committee within your organization, with members from the CISO/CIO staff, as well as departments that manage IoT/OT devices like manufacturing, facilities, and logistics.
Organizations that have already formed such teams have also found an important side benefit: the processes used to monitor and harden physical security systems provide important data to other parts of the organization (compliance and audit, cyber insurance negotiations, public reporting, and so forth), increasing the strategic value of the physical security team.
By 2024, more than 75 percent of CEOs will be personally liable for cyber breaches, according to predictions and analysis from Gartner. Keeping your CEO and board of directors informed and aware of the efforts to harden physical security and IoT/OT systems will help to ensure that resources are made available to be successful in preventing cyber criminals from exploiting these systems.
Finally, consider making hardening your physical security into an industry issue: engage with others in your industry who share these same problems. During the last few years, several industry-level organizations—both existing and new—have made sharing best practices and information on threats more efficient and robust.
For example, the Real Estate Cyber Consortium publishes detailed information and guidelines on hardening and securing physical security and IoT systems specific to the commercial real estate business. Check whether such an organization exists within your industry, or consider forming one: the types and methods of attacks will be similar across the industry, and collectively the sector will be more resilient from that effort.
Whether through deploying automated cyber hygiene and service assurance solutions, documenting and sharing best practices, or fostering internal coordination across multiple departments, now is the time to take action.
Bud Broomhead is the CEO and founder of Viakoo, an enterprise IoT applications management company providing performance, security, and compliance.