Going Beyond the Checklist for Effective Cybersecurity

“Our cybersecurity posture is good.”
“Our IT department has the network locked down, so we are in a secure environment and don’t need to secure everything.”
“We secured our recording server and the cameras are all installed with tamperproof hardware.”
These statements come from actual customers, and the attitude behind them is one reason so many security and IoT systems are deployed insecurely in a world where they really should not be.
Many large critical infrastructure customers I have worked with over the years take a somewhat lackadaisical stance when it comes to their cybersecurity because their compliance process doesn’t directly call out requirements, so they apply what is on the checklists and move on.
The reality is that cybersecurity is just as important, and just as required, as any physical measure used to protect infrastructure (servers, network switches, network cabling) and endpoints (access control devices, intrusion panels, cameras, sensors, and even network audio). It is arguably more critical, because a remote attacker anywhere in the world can exploit any reachable vulnerability to bypass these systems without ever touching the hardware.
The NIST Cybersecurity Framework is one of the most widely accepted cybersecurity frameworks in the U.S. and is used in other countries as a contributing source, even where it is not legally required. Adopting a framework such as NIST's gives an organization something to measure against and supplies useful metrics and guidelines for a successful cybersecurity program. In September 2023, NIST SP 800-82 Rev. 3 expanded the scope of what NIST defines as operational technology (OT) to explicitly list physical access control systems (PACS) among the systems that require attention to be properly secured under that guideline.
With security systems now part of the NIST definition of an OT network, our responsibility and liability as security integrators and installers to do the right thing, and to lead customers and clients toward a secure and compliant system, only increases. So, what exactly does this mean for the security industry? Inclusion in what had historically been an industrial control system (ICS) guideline gives every party involved in a PACS deployment documented guidance for deploying a cybersecure solution. By extension that covers video management systems (VMS), as well as sensors such as radars, perimeter detection solutions, gunshot detection systems, and safety systems that integrate with or contribute to the functionality of PACS. As an industry, there is often interest in cybersecurity compliance, but when it brings added cost and project delays, it is one of the first items in the scope of work to be removed or rescheduled for "later."
NIST SP 800-82 Rev. 3 is a helpful way to start a new project on solid footing; it even lays out how to make the business case for including cybersecurity in the project.
Another welcome inclusion in this standard is the Industrial Internet of Things (IIoT). IIoT devices are quickly becoming entrenched in security systems to provide data, function as sensors, and even carry varying levels of data transmission. IIoT sensors themselves are generally not very cybersecure, mostly because they lack both device authentication and the compute power to encrypt their data payload. Routing IIoT data through an edge computing platform, where an authenticated edge gateway accepts only known sensors and encrypts the upstream traffic, lets that data be secured for transport and use, and should be a consideration whenever IIoT devices and systems are used within a PACS or VMS solution. As they say, "a chain is only as strong as its weakest link," so it's important to let only secured systems interact with a PACS or VMS. IIoT is becoming an important piece of a converged solution, so don't let it be the weak link.
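To make the edge-gateway idea above concrete, here is an added example (not code from the article or from any vendor product) of the admission check such a gateway can perform. It assumes a frame format and per-sensor keys invented for the example: the constrained sensor computes a single HMAC-SHA256 over its frame, which a microcontroller can afford where full TLS is not practical, and the gateway verifies that tag against a per-sensor key, drops unknown sensors, tampered frames and replays, and only then serializes the reading for the encrypted upstream link to the PACS or VMS. Opening the TLS session itself is left out; the function returns the bytes that would be written to it.

```python
"""Edge-gateway admission control for constrained IIoT sensor frames.

Constructed example. The sensor side computes one HMAC-SHA256 (cheap for a
microcontroller); the gateway is the trust boundary that decides which
readings ever reach the PACS/VMS network.
"""
import hashlib
import hmac
import json
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag carried on the wire
ID_LEN = 8     # fixed-width sensor identifier, space padded

# Per-sensor keys provisioned on the gateway. Hypothetical values made up for
# this example; a real gateway loads them from a secure element or key store.
SENSOR_KEYS = {
    "rad-01": bytes.fromhex("0f" * 32),
    "fence-07": bytes.fromhex("a5" * 32),
}


def build_frame(sensor_id: str, key: bytes, counter: int, payload: bytes) -> bytes:
    """What the sensor firmware emits (layout assumed for this example):

      sensor_id (8 bytes, space padded) | counter (4 bytes, big-endian) | payload | tag (16 bytes)

    tag = HMAC-SHA256(key, everything before the tag), truncated to TAG_LEN.
    """
    if len(sensor_id) > ID_LEN:
        raise ValueError("sensor_id longer than ID_LEN")
    header = sensor_id.encode().ljust(ID_LEN) + struct.pack(">I", counter)
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class EdgeGateway:
    """Trust boundary between unauthenticated sensor links and the PACS/VMS network."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}   # highest counter accepted per sensor, for replay detection

    def admit(self, frame: bytes):
        """Return (True, record) for an authentic, fresh frame; (False, reason) otherwise."""
        if len(frame) < ID_LEN + 4 + TAG_LEN:
            return False, "short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        sensor_id = body[:ID_LEN].decode(errors="replace").rstrip()
        key = self.keys.get(sensor_id)
        if key is None:
            # Unprovisioned device: never forwarded, regardless of payload.
            return False, f"unknown sensor {sensor_id!r}"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, f"bad tag from {sensor_id}"
        counter = struct.unpack(">I", body[ID_LEN:ID_LEN + 4])[0]
        if counter <= self.last_counter.get(sensor_id, -1):
            # Authentic but stale: a captured frame being played back.
            return False, f"replay from {sensor_id} (counter {counter})"
        self.last_counter[sensor_id] = counter
        payload = body[ID_LEN + 4:]
        return True, {"sensor": sensor_id, "seq": counter, "payload": payload.hex()}

    @staticmethod
    def upstream_message(record: dict) -> bytes:
        """Serialize an admitted reading for the TLS session to the PACS/VMS.

        Establishing that session (e.g. ssl.SSLContext with a client
        certificate) is outside this example; these are the bytes that would
        be written to it.
        """
        return json.dumps(record, sort_keys=True).encode()


if __name__ == "__main__":
    gw = EdgeGateway(SENSOR_KEYS)
    frame = build_frame("rad-01", SENSOR_KEYS["rad-01"], 1, b"\x01\x2c")
    print(gw.admit(frame))            # accepted
    print(gw.admit(frame))            # replay rejected
    print(gw.admit(build_frame("ghost-9", b"k" * 32, 1, b"x")))  # unknown sensor
```

The key design point is that the sensor never needs TLS or a certificate store; it needs one symmetric key and one hash, while the gateway holds the provisioning list, enforces freshness, and is the only device that speaks to the PACS or VMS network.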
This brings us to the key point: cybersecurity is not optional. No company wants to be highlighted on the news or social media for being the one with weak or complacent policies to allow a cybersecurity attack or pay substantial fines (or ransom in outlying cases) when there is a successful attack or compliance issue. The reputational or financial hit from even a minor breach is something that many companies or individuals will never recover from.
There are clear steps we can all take to be as compliant as possible, both for our own employers and for our customers. The first is educating ourselves and our customers about the solutions we provide and where their vulnerabilities lie. Spoiler alert: it's usually the people who are the biggest vulnerability. Continuing education is also critical, so that personnel keep their skill sets current and stay aware of present-day threats. Another step is to form a cybersecurity team within your organization, even if it consists of only a few people; it's important to have like-minded individuals with whom to discuss requirements and outcomes. The deployment itself improves when you follow industry and manufacturer best practices, and if the vendors and manufacturers you work with don't publish their best practices, it may be time to find alternatives that do. Sustainment is the final piece of the equation. Firmware updates, password management, continuing education and awareness, and vulnerability scans run on an ongoing basis all contribute to the overall security of a solution.