In an increasingly interconnected world, where the boundaries between the physical and digital realms continue to blur, the imperative of cybersecurity has become paramount. Nowhere is this more evident than in the design and deployment of physical security products and systems, where the very technologies that are supposed to protect us are under constant threat from the hidden world of cyber adversaries.
Manufacturers and security integrators find themselves at the forefront of this battle, tasked not only with delivering cutting-edge security solutions but also with fortifying their products against relentless cyber threats. The stakes could not be higher. Cybersecurity Ventures estimates the cost of global cybercrime will hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. This amounts to the greatest transfer of economic wealth in history, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined, according to the publication’s 2022 Cybercrime Report.
Ahead, security professionals from across the ecosystem explain the multifaceted cybersecurity issues that permeate the physical security industry. They uncover the proactive steps and innovative strategies being employed to navigate the ever-evolving terrain of industry-specific regulations, emerging technologies, shifting customer expectations and more.
Sizing Up Cybersecurity Best Practices
As they install, configure and manage security systems, security integrators face the arduous responsibility of ensuring that the technologies they deploy are not the weak links in the security chain. More than anything, it’s the design and segmentation of the network itself and its nodes that can create or mitigate vulnerabilities, explains Carey Boethel, president Allied Universal Technology Services, Irvine, Calif.
“On many occasions, IIoT (Industrial Internet of Things) devices, such as surveillance cameras and HVAC controllers, have been used as attack vectors into a corporate network to create distributed denial of service (DDoS) attacks, and the associated damages have been immense,” he says.
“More than anything, it’s the design and segmentation of the network itself and its nodes that can create or mitigate vulnerabilities.”
— CAREY BOETHEL, Allied Universal Technology Services
Boethel, who is featured on this month’s cover, says Allied’s best practices include segmenting and hardening the network itself; using strong passwords when configuring IIoT devices; selecting equipment that uses signed certificates for encryption whenever possible; configuring the system software such that administrative rights are clearly defined and partitioned; and ensuring that there is an accurate log of equipment installed so that patches and updates can be effectively administered down the road.
“We are also very keen on sharing ideas and best practices so that we stay in front of today’s ever-evolving threat environment,” Boethel says. “Rachelle Loyear, vice president of integrated solutions for Allied Universal, sits on SIA’s Cybersecurity Advisory Board, which has made tremendous strides in improving the cyber-resiliency of the physical security industry. We follow their guidance and fully endorse their efforts.”
Allied is also a big proponent of involving its clients’ IT departments in the design and implementation of the solutions they provide. “Most end-customers usually insist on this, but in the event they don’t, we always recommend it. As simple as that sounds, we feel it is critical,” Boethel adds.
Dean Drako, founder and CEO of Eagle Eye Networks, Austin, Texas, strongly advises that integrators establish absolute clarity with the end customer on who will take responsibility for cybersecurity measures. For example, if multiple Windows servers are installed at the customer site, who is going to make sure the equipment is constantly patched to safeguard the OS? There is also the necessity of making sure the antivirus software and other licenses are updated on all the servers.
How responsibility is assigned can vary depending on the project. An end user with a strong IT department will often keep cyber hygiene duties in-house, electing to follow their own policies and procedures. But other customers may say, “You installed this, you need to maintain it,” Drako says.
If the integrator assumes responsibility, then that obligation must be taken seriously. “And they need to charge the customer money for it,” Drako says. “It’s not something you can do once and be done. It requires continuous attention. There may be a firewall involved. Who configures the firewall? Who upgrades the firewall? Who maintains the firewall? Who makes sure that nobody makes changes to the firewall and puts vulnerabilities in it? It is a whole other area of agreeing who has responsibility — the IT department or the reseller?”
Wayne Dorris, program manager, cybersecurity, Axis Communications, Chelmsford, Mass., also invokes establishing responsibility as a key best practice for integrators. Along with firmware and software updates, another important aspect is vulnerability updates. Integrators, he says, must establish who is responsible for informing whom and have a plan in place if the patch update will need to occur outside of the normal update/change plan.
“Each end customer is different, so ensuring you are following their required polices is a good place to start,” Dorris says. “Some things to consider when building a strategy with your customer are pre-deployment user account and password policies; security controls like which encryption standards (AES 256, RSA 2048, etc.) and which TLS level are supported on the network; and which protocols on devices should be on or off (SSH, discovery protocols, etc.).”
Because physical security systems are becoming more and more similar to IT systems, as a general rule IT security best practices are therefore becoming more applicable for physical systems, says Mathieu Chevalier, principal security architect & manager, Genetec, Montreal.
“It’s critical that physical security practitioners understand that any application connected to the internet or to a broader network requires critical attention as it poses a potential risk to their organization,” Chevalier says. “IoT edge devices, such as cameras or card readers, are a known attack surface and organizations need to put solid governance in place with this knowledge in mind.”
As part of a testing and assessment regimen for their product deployments and integration processes, integrators should have some understanding of how to perform basic vulnerability scanning, says Chris Peckham, COO of Los Angeles-based managed security provider Ollivier Corp.
“Depending on how the products are specified or selected, many times known risks will need to be mitigated by deployment options as components are installed,” Peckham explains. “Ideally, vulnerability testing and pen testing for the software and user interface can be performed. However, the costs and skills necessary for some of these tasks cannot be supported by the integrator and other partners or OEM vendors need to be brought into the process.”
“Each end customer is different, so ensuring you are following their required polices is a good place to start.”
— WAYNE DORRIS, Axis Communications
A “secure framework” in the context of cybersecurity typically refers to a structured and comprehensive set of guidelines, best practices and principles that organizations can follow to enhance their security posture. Following a secure framework — such as the NIST Cybersecurity Framework and ISO 27001 — can give integrators a solid foundation of practices to put in place, says Will Knehr, senior manager of information security and data privacy for i-PRO Americas, Houston. This includes how to deal with that ever vexing issue of password administration.
“What I would recommend for integrators is get a password vault,” Knehr says. “Get something that generates and stores passwords for you. That way you don’t have to memorize them all.”
He also suggests referencing manufacturer hardening guides as a best practice. Especially beware of deploying devices without applying good cyber-hygiene. Knehr says too many devices are essentially installed as-is straight out of the box, which can lead to dangerous vulnerabilities.
“Many of these devices have services like SSH (Secure Shell protocol), ONVIF and SNMP (simple network management protocol). A lot of times these services are turned on the device that don’t really need to be because they aren’t actively using them. An attacker can take advantage of them,” Knehr says. “I look at services like windows on a house or doors on a home. You only want to unlock the ones or leave open the ones that you absolutely need; otherwise, you’re creating all of these different avenues for someone to break into your house. Lock those devices down as much as possible.”
Need for Secure Installation & Integration
What are the top considerations for security integrators when installing and integrating physical security equipment to ensure cyber secured environments?
For starters, Chevalier advises, begin with a thorough assessment of potential physical and cybersecurity threats specific to the installation site. Identify potential risks, including physical threats, cyberattacks and insider threats.
“Develop and enforce clear security policies and procedures for the installation, operation and maintenance of all security equipment,” he says. “Establish protocols for incident response, access control and data handling.”
Chevalier also suggests the following:
- Choose reputable vendors that prioritize cybersecurity and provide equipment with built-in security features. Verify vendor compliance with industry standards and best practices.
- Use multifactor authentication (MFA) where possible to enhance authentication.
- Use strong encryption protocols for communication between security devices and central systems.
- Ensure that security equipment uses strong, unique passwords and secure authentication mechanisms. Regularly change default passwords and credentials.
- Establish a process for monitoring and applying firmware and software updates to address vulnerabilities. Test updates in a controlled environment before deployment.
- Ensure compliance with relevant industry regulations and standards and conduct regular audits to assess compliance with security policies and regulations.
- Regularly back up critical data and configurations.
- Conduct penetration testing and vulnerability assessments to identify and remediate weaknesses in the security infrastructure. Test the system’s resilience to various attack scenarios.
When integrating multiple systems together, it’s important to understand — as well as track and record — each component’s current version and the project update or upgrade frequency.
“Each manufacturer will continue to update and correct vulnerabilities in their latest releases, but in an integrated system all systems may not be able to support the newest updates, which could cause interoperability among the systems to break,” Dorris explains. “If this happens, and systems cannot be upgraded to the most recent release, it’s important to address vulnerabilities in an alternative way.”
Planning for future updates and patch management begins prior to installation and culminates with accurate record documentation at the completion of the installation, Boethel explains. Prior to deployment, Allied undergoes a patch compatibility check to mitigate the risk of introducing new issues to the environment. This phase ensures that patches are not only effective in addressing vulnerabilities, but also compatible with the current systems. Also as part of this planning, Allied develops a comprehensive rollback plan in case unforeseen complications arise during the deployment phase.
“Documenting physical security assets is a critical step in ensuring that future patches and updates are systematically implemented and that legacy vulnerabilities cannot be exploited,” Boethel says. “Only by knowing which devices are operating on specific versions of software and firmware will the end customer be able to identify potential vulnerabilities.”
Continuous monitoring and scanning tools can also be implemented to help identify vulnerabilities that might have been missed in routine updates, he adds. “This proactive approach to updates and patch management helps our client stay ahead of potential threats, reduce the risk of attacks and maintain optimal systems performance.”
Communication between the integrator and the end customer must play a central role if a cyber-secured environment is to be achieved. It’s an area of project planning that Drako finds sometimes lacking.
“I think what the channel could and should be doing better is discussing cybersecurity with their customer. So, first question: ‘We are bidding on the system and we’re putting this in. … How concerned are you about cybersecurity?’
“If the customer says they aren’t too worried about it, then you understand what you’re dealing with,” Drako says. “Most customers that are a reasonable size are going to say, ‘I'm concerned about it.’”
The integrator can then inform the customer that in order to ensure the system deployment is cyber-secured and remains secured, there will be a cost associated with achieving as much. Pose the question: ‘Would you like to take that cybersecurity responsibility? Or, do you want us to assist with it?’
“You can then talk about do we do some penetration testing on this? Do we do some SOC audits on it? Do we do password checks, password audits, etc.?” Drako suggests. “Getting to have a discussion about cybersecurity with the customer is an important missed opportunity and needs to be done.”
Justin Stearns, vice president of Syracuse, N.Y.-based Chimera Integrations, retells a conversation with a hospital end customer to emphasize the importance of communication and educating the client as a key part to cyber-secured systems.
“I asked the customer, ‘How do you handle your RFID credentials?’ He answered, ‘Well, that’s facility’s responsibility, not IT.’ I said, ‘OK, but there’s a policy right? If you fire an employee, you turn their credential off?’”
Stearns continues, “But those two worlds aren’t talking. And this is the back-and-forth pendulation that is the issue right now — it’s, whose responsibility is it? Is it the MSP, the MSSP or the integrator to talk about best practices as it pertains to cybersecurity, when all of these networks are all communicating through the same internet.”
Chimera Integrations sees an opportunity to assist in defining the scope of work on its projects, increasing its value to end users.
“We’re trying to be forward thinking and trying to help solve those problems and get those facilities directors and the IT directors to speak because it’s all the same thing,” Stearns says. “It’s all the same best practice. But integrators haven’t been educating their customers on best practices for cybersecurity because we’ve been quite ignorant on cybersecurity up until recent years.”
Password Admin & Other Common Pitfalls
Security integrators navigate a complex landscape where the missteps they make can introduce vulnerabilities in the very systems they endeavor to protect. There are common pitfalls to be vigilantly avoided.
For starters, never assume devices are set at the ideal configurations, especially when using multiple manufacturers for cameras, access control, VMS, etc., says Aaron Saks, senior technical marketing and training manager, Hanwha Vision America, Teaneck, N.J.
“Each vendor will have their own best practices, which may not all align perfectly. Don’t assume that just because you have a router and firewall that you are protected,” he says. “Use secure cloud services or VPNs instead of port forwarding for remote access.”
Saks also notes that advanced network intrusion detection systems can determine if activities outside normal behaviors are occurring and provide reporting along with remediation. “Make sure to talk to your insurance company about cybersecurity insurance and mitigation costs. Finally, keep firmware and software versions up to date and replace end-of-life products.”
Dorris of Axis Communications also stresses that keeping firmware and software on devices up-to-date — particularly on networks where large numbers of devices are deployed — is one of the most important things an integrator and end customer can do.
“Unfortunately, at times the ‘if it isn’t broke, don’t fix it’ mentality is used. This means devices can get many revisions behind — even months or years — which only makes the process of updating longer and more difficult when updates are eventually required to operate,” Dorris says. “In most cases, you can’t just update from a really old firmware or software to a new one, as along the way new software subcomponents are added or removed. Keeping to a quarterly or semi-annual schedule is much better.”
Dorris underscores another mistake is not consulting with an end customer on cybersecurity hardening if no direction is provided. “While this doesn’t usually happen in the enterprise space, it can happen both there and in the small and medium business space. In these cases, it’s an opportunity for integrators to differentiate themselves and provide additional value to their customers.”
Peckham of Ollivier Corp. notes that threats are always evolving and the techniques that were used in the past may not work against newer threats. Hence, staff training is something that should be kept up-to-date as the threats change. “Integrators must always be learning and working to stay abreast of recent industry announcements. When discussing opportunities and issues with customers, the cybersecurity aspect of the environment should not be ignored.”
Chevalier of Genetec cites a similar refrain. “Neglecting cybersecurity altogether or not considering it as a significant aspect of the project can be a common pitfall. It’s important to realize the fundamental importance of cybersecurity and make it an integral part of the project from the beginning,” he says.
Chevalier cautions not to fall into the trap of concentrating too much on sophisticated cyber threats and disregarding basic security fundamentals. It’s important to prioritize getting the foundational security measures right before dealing with advanced threats. And never believe that once security measures are implemented, the system remains secure indefinitely.
“Systems integrators should recognize that cybersecurity is an ongoing process that requires continuous monitoring, updates and adaptation to evolving threats. Security should evolve with the threat landscape,” he adds.
Based on the collective opinion of sources interviewed for this story, the mother of all common pitfalls would have to be the application and management of passwords. To suggest that password administration is a royal pain in the backside would be an understatement.
Drako of Eagle Eye Networks illustrates the industry’s lament: “I have to install 100 cameras. Do I put the same password on them? Or do I put 100 different passwords? What do you think the installer is going to do? I have 100 customers where I’ve installed a video management system. My techs have to go out there and work on the systems, but I have 10 techs. Am I going to have 100 different systems with 10 different techs each, and so 1,000 different passwords that I have to track and monitor? Do I have those passwords changed every month or every six months, every year? So, it is complicated.”
“What I’m learning as I’m diving into this world of cybersecurity is that the biggest vulnerability is the human engineering — how easy it is to compromise somebody’s password.”
— JUSTIN STEARNS, Chimera Integrations
Chris Maulding, a security engineer and CTO of Plattsburgh, N.Y.-based AlchemyCore, a managed security service provider (MSSP), emphasizes the widespread reuse of passwords on multiple systems. Like Drako, he’s sees this shortcoming all too often.
“One technician sets up 10 fire systems and uses the same password on all of them. Or there’s a corporate specific password that is used as soon as everything is installed, and they forget to change it when they’re onsite or it’s used for backdoor access,” Maulding says. “And those are not typically strong passwords; people don’t want to remember all that. They want something easy, quick, pop it in and be gone. So reusing passwords on multiple clients systems is a huge failing.”
Maulding is partnering with integrators, including Chimera Integrations, to help mitigate, if not solve, the integrator’s password quandary.
“What I’m learning as I’m diving into this world of cybersecurity is that the biggest vulnerability is the human engineering — how easy it is to compromise somebody’s password,” says Stearns.
With the help of AlchemyCore, Chimera Integrations has begun applying a software tool that can run a data leak check instantly on any domain, scanning the dark web and the regular internet. Chimera is leveraging the software in sales presentations, as well as a continuous monitoring tool.
“I was going into a large hospital network to sell them on some of this stuff and I ran their scan before the meeting; within five minutes I had passwords for their C-level executives — the exact passwords, not encrypted at all,” Stearns describes. “[I also had] their credit card numbers for their organization, and the hospital they worked for. It took me five minutes. This is what I’m getting at: the biggest risk right now in cybersecurity is the human element.”
In an effort to button down its own operations, Chimera now provides all of its employees with logins to all of the different systems they install. “I’ve got technicians that have logins to do the programming side of it, which often gives them access to the video. They have security logins, the pins. How do you how do I protect all of those keys?”
Having a policy is step one, Stearns says, but that’s still not enough. Chimera is working with AlchemyCore to build out what is essentially a virtual machine with access only granted via IP verification and dual authentication. The technicians log into the virtual machine and only through it can they access any of the other systems, and only from the right IP address and with two-factor authentication. Technicians have no rights to add or subtract users from any system.
In Stearns’ view, Chimera’s biggest vulnerability to its customers is they control the passwords and the access to the systems they’re installing for remote access.
“That’s the only way I can think of to protect the hundreds or thousands of passwords for different systems and customers,” he says. “One customer has six different systems from us. That’s six different passwords times however many users times however many of my people have it. At least we are securing our touch points.”