Fifteen years ago, cybersecurity wasn’t much of a thought for many in the physical security industry. Security systems were relatively simple — the integrator installed them as quickly as possible and moved on to the next job. But now that security technologies are advancing and everything is connected, cybersecurity should be a consideration for everyone.

“Cybersecurity and physical security are intrinsically connected,” says Jon Williamson, director, cyber experience, global product security, Johnson Controls, Milwaukee. “The convergence has been happening for years, and failure within one area can impact the other. Now more than ever the world is experiencing security threats both cyber and physical, which have been exacerbated by the current world pandemic.”

According to the FBI’s 2020 Internet Crime Report, its Internet Crime Complaint Center received a record number of complaints of breaches in 2020 — nearly 800,000, with reported losses in excess of $4.1 billion. This is nearly double the average number of reports the center receives in a year.

“The question isn’t if cybersecurity will impact your business,” says Josh Cummings, vice president of technology at VTI Security, Burnsville, Minn. “The question is when cybersecurity will impact your business, and will you be ready for it? Cybersecurity and physical security will continue to move closer together until you cannot distinguish them — similar to how IP and physical security are now intertwined.”

The U.S. Cybersecurity & Infrastructure Security Agency released a report on the convergence of cyber and physical security this year that pointed to the growing risk physical security products pose. The report reads, “The adoption and integration of IoT and industrial IoT devices have led to an increasingly interconnected mesh of cyber-physical systems, which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape.”

It’s important to remember that physical security devices are network devices and must be protected like any other network device, says Wayne Dorris, business development manager, cybersecurity, Axis Communications, Chelmsford, Mass.

“Many times cybersecurity for physical devices is overlooked by the end customer internally, often due to organizational or ownership issues between physical security and IT security,” Dorris explains. “Additionally, from an external standpoint, integrators are sometimes not comfortable bringing up this subject due to lack of expertise in this area. In short, the physical security industry needs to better train the channel on cybersecurity in order to engage in these crucial discussions, which are necessary to put cybersecurity protections in place before an incident occurs.”

Training and education on cyber issues has improved recently, says Mathieu Chevalier, lead security architect at Genetec, Montreal — but it’s still far from enough.

“The industry has improved if we compare the current state [to] where it was five years ago,” Chevalier says. “However, the industry is still lagging far behind in terms of cyber compared to other high-tech industries. From an outsider’s point of view, the physical security industry might be perceived as shockingly immature in that respect.”

The past year, especially, has done a great deal to raise awareness of cyber risks, Dorris adds. “Several significant events have raised awareness and changed behaviors around cybersecurity. First, COVID-19 forced customers to change the way they remotely manage the protection of their facilities. Also, several front page news stories about major cyber breaches have encouraged everyone to reevaluate their security supply chain. Finally, enforcement of laws, like Section 889 of the National Defense Authorization Act (NDAA), has brought to light the importance of how and where products are manufactured and produced.”


What’s the Problem?

Why exactly is the physical security industry struggling so hard with cybersecurity? There are a few reasons, but the core of many of them is the separation of IT and security.

“Physical security devices are network devices and thus must be protected like any other network device,” Dorris says.

When deploying IP security systems on an IT network, there are precautions that need to be taken, explains Michael Ruddo, chief strategy officer of Integrated Security Technologies in Herndon, Va., featured on this month’s cover.

“Today’s physical security systems are connected to an IT network, making cybersecurity a foundational element of any on-site security protocol,” Ruddo says. “There are specific ways to deploy IP security systems on an IT network, and it has to be done within the security protocols of the IT network itself. At the same time, businesses need to harden their hardware security to maintain the security system’s integrity.”

When not deployed properly, security systems can be a dangerous gateway into a company’s network, as hackers only need a single access point to instigate a cybersecurity incident.

“Currently a majority of physical security devices are considered edge devices,” says David Brent, senior cyber and data security technical trainer, Bosch Security and Safety Systems, Fairport, N.Y. “In a majority of cases, security devices are based on an open Linux Kernel and are typically an afterthought by some IT departments. The current estimated number of IoT devices on the web is estimated at 39.5 billion and is expected to double in the next five years.”

As the number of IoT, or edge, devices increases, so will the attacks on those devices, Brent says. And while video is often seen as the biggest cyber risk in the physical security system, it’s not the only risk.

“We’ve heard a lot about video cameras being an entry point for potential hackers, but other IoT devices such as access control devices and other sensors can also present the same level of risk,” Chevalier says. “Access control systems must have a strong cyber defense or companies could be opening themselves up to increased cyber risk — and more worryingly, to actual physical threats of doors being opened or locked without their permission.”

This is why it’s important to look at the whole security system when considering cyber risks.

“Misconfiguration and not designing the installation as a whole system for protection against attack are a few challenges faced by the industry,” Williamson says.

“While a datasheet could list some important safeguards, such as encryption, those alone may be insufficient without proper application. Integrators must deploy according to hardening guide recommendations to only enable the functions and network ports that are required.”


The Impact of Recent Cyber Breaches

Cyber-attacks are a very real and dangerous threat to physical security systems. And as many employees moved to a remote work environment, and others were made desperate for cash after mass layoffs, the last year presented even more of a threat than usual.

“The global pandemic and unrest have seemingly emboldened cybercriminals, and we have seen a definitive uptick in major newsworthy cybersecurity breaches and ransomware attacks that have severe societal and business impacts,” says SIA’s Don Erickson. “While the root causes of these incidents have seldom been traced back to physical security, the increased attention should be a catalyst for the industry to up our game on cybersecurity issues.”

Josh Cummings of VTI Security, a member of PSA’s Cybersecurity Committee, says that the past year revealed the cyber gaps in the physical security industry.

“[These breaches] exposed our industry’s slow adoption of cybersecurity,” Cummings says. “In reality, if companies like Solarwinds, LinkedIn and Microsoft are getting hacked, it reiterates that everyone is vulnerable. There isn’t a switch we can flip to make our system cyber-secure. It comes down to process, procedure and configuration on an ongoing basis to consistently protect our solutions to the best of our ability.”

Even though the above-mentioned breaches were not caused by physical security system vulnerabilities, they have fueled an increase in concerned customers for physical security professionals.

“With the rise of cyberattacks the number of issues that our incident response team has had to investigate has also increased,” says Johnson Controls’ Jon Williamson. “These can be general issues that arise from wide sweeping attacks and vulnerabilities, such as the Solarwinds attack that impacted multiple industries, or issues reported by the customer themselves.”

The attacks made on security systems of course raise the most questions, though.

“Every time a security system hack hits the news, we are inundated with questions from concerned clients wanting to know if the incident will impact them,” says IST’s Michael Ruddo. “Fortunately, because we harden their devices per the company’s network security protocols, they remain protected.”

Mathieu Chevalier of Genetec says that the Mirai botnet attack that took down much of America’s internet in 2016 was the first of these public breaches that caused people to take the cybersecurity of their physical security systems more seriously.

“One of the most impactful camera hackings was the one related to the Mirai botnet hack back in 2016,” he says. “In retrospect, this seems to have served as a wakeup call for a lot of customers. Starting from there we saw a lot more interest in the need for cybersecurity. Following that event, we also started to see customers asking questions about our secure development practices, cyber certifications and so on.”

Just this year, Verkada, a cloud-managed and edge-based enterprise security software company, was the victim of a data breach that allowed an international group of hackers to gain access to 150,000 security cameras.

“I think most of us can agree that the physical security industry needs to take cybersecurity more seriously,” says Salient’s Sanjay Challa. “The topic has risen to some prominence of late with headline news on Verkada’s admin credentials getting leaked, allowing attackers access to live and previously recorded video across Verkada’s client base.”

Due to the attention they bring to the issue of cybersecurity, these breaches can be seen as a sort of positive for the industry.

Wayne Dorris says that Axis saw a huge uptick in Vendor Risk Management Surveys from customers due to the breaches, and that these surveys asked for much more meaningful, in-depth detail on the cybersecurity posture of the organizations they are doing business with. Plus, he says that evaluations of customer supply chains went beyond products and deeper into production processes and software development practices, as well as determining where components are purchased and other supply chain risks.

“Recent hacking incidents made many customers reevaluate their camera systems and consider them more private and sensitive in nature,” Dorris says. “Many times people think of cameras as a device that just looks at parking lots and lobbies, so what’s the big deal? However, when one of their cameras is exposed or becomes available on the internet, then the story changes.”

Considering cyber risks is especially important due to the nature of IP cameras, according to David Brent of Bosch.

“[These breaches] made customers more aware that they are hanging devices on their network that need to have a vulnerability scan performed,” Brent says. “There is no anti-virus software for IP cameras. They are starting to realize that devices may need to be locked down based on network specifications.”

And all of these realizations mean a boost in business for security professionals ready to assist.

“In the big corporate world, a lot of companies were very big on keeping cameras until they broke instead of looking at it as a life cycle where every year certain cameras need to be replaced,” says Aaron Saks of Hanwha. “So the perception has changed of what that life cycle is, and some people are now looking at other types of business models where products are leased, or a service with RMR instead of buying everything outright, so if tomorrow there’s a problem we can rip it out and not lose a ton of expenses.”


Hardening guides offered by manufacturers aren’t always enough either, though. Physical security professionals should take it upon themselves to become proficient in cybersecurity.

“[There needs to be] better cybersecurity education and awareness throughout the entire industry,” Dorris says. “Most people are aware of cybersecurity but uncomfortable talking about it in depth — some people lack training on basic cybersecurity hygiene methods. Regardless of whether or not the devices are properly configured and protected on the network, if a person is unfamiliar with the basics and unknowingly clicks on the wrong link in an email, it can defeat all of the protection put in place. Investment in training the ‘human firewall’ on good cybersecurity practices is paramount in keeping businesses safe from cyberattacks.”

Aaron Saks, product and technical manager at Hanwha Techwin America, Teaneck, N.J., points to two other obstacles to becoming cyber-secure: the cost of more advanced, cyber-secure solutions, and the mindset of security systems being made up of different, separate pieces, rather than a comprehensive solution. And things become even more complicated with the number of vendors often involved in a single installation.

“Often you don’t just have a single vendor doing everything, so you might have an access control platform, VMS, all these different parts and pieces, and they may be talking to each other, but you have to make sure that connection is secure,” Saks says. “We’ve seen this with a lot of the different data breaches over the years — people leaving things open to make connections to different systems. And leaving firewall doors open — those can really affect a lot.”

Don Erickson, CEO of the Security Industry Association (SIA), Silver Spring, Md., also points to the supply chain as a major challenge.

“There is complexity involved throughout the security value chain — very few manufacturers are the original equipment manufacturers of all of the components of their products, so they must ensure the cyber hygiene of all hardware and software components,” Erickson says. “Integrators must ensure that the products within their solutions portfolios are cyber-hardened and configured in deployment environments correctly. End user environments add additional complexity as physical security systems interface with other equipment and systems and day-to-day operator risk is introduced to the system. Coordinating and agreeing on cybersecurity responsibilities throughout the value chain can be challenging.”

The plethora of outdated legacy equipment still in use certainly doesn’t help prevent cyber-attacks, either.

“If you utilize shodan.io, you will see there are thousands of older devices on the internet, all with active vulnerabilities that can be accessed easily,” Brent says. “It’s like putting a Windows 98SE2 machine on your network. All of these devices can be turned into bots or used for lateral movement. Customers need to start replacing older devices, as a system is only as strong as its weakest link. One of the most valuable targets to any hacker is just a platform that has bandwidth, and there are a lot of them out there.”


What’s the Solution?

Different members of the supply chain can point fingers at who they believe is truly ‘responsible’ for cybersecurity, but if the industry wants to solve its cyber problem, there will have to be action from everyone.

“While there has been some shift in perception, there needs to be more action,” says Sanjay Challa, chief product officer at Salient Systems, Austin, Texas. “Bid specifications need more thorough cybersecurity components. End users and integrators need to not just insist on products that have proper cybersecurity capabilities, but actually take the time to install, configure and use those capabilities.”

Communication amongst different departments is also essential.

“Decision makers must look at the entire picture across the organization to be successful,” says Greg Gatzke, president, ZAG Technical Services, an IT consulting firm and managed services provider in San Jose, Calif. “Operating in silos can be detrimental to an organization, so there has to be a focused effort to make sure IT professionals are involved when physical security investments are being made to make sure the network is protected.”

It is absolutely crucial to understand that cybersecurity is a shared responsibility, says Genetec’s Chevalier.

“All parties involved in the system development, implementation and operation have a critical role to play,” he explains. “It is important that manufacturers, integrators and end users embrace this fact and work together to address this risk. Given the nature of the technology used to implement physical security systems today, and the fact that these systems are more connected now than ever to achieve various business goals, it is imperative for physical security professionals to partner with IT/InfoSec experts. In this way they can work to ensure the technology used to implement the physical security system is designed and developed by a manufacturer that leverages cybersecurity best practices in making products and that the system is implemented according to those best practices and proper cyber hygiene.”

David Lathrop, vice president, utility strategic business unit, Unlimited Technology, Chester Springs, Pa., recommends automated risk detection tools in order to stop hackers in their tracks.

“The cybersecurity industry requires constant attention and adaptation to stay ahead of evolving threats,” Lathrop says. “A healthy and robust cybersecurity profile includes constant monitoring of external and internal attacks as well as a health-based monitoring platform. In today’s rapidly changing cybersecurity world, successful programs start with proactive automation tools. Proactive automation is a must-have due to the growing sophistication and sheer number of machine-on-machine attacks that we faced in 2020.”

Security integrators should consider offering cyber services to ensure the long-term safety of their solutions.

“The security industry needs to help companies achieve holistic security, including in digital spaces,” Ruddo says. “IT staff augmentation, managed services, digital hygiene best practice training and security system installs with a defensive posture in mind are key to achieving better outcomes for clients. … Developers are beginning to distribute hardening guides that empower dealers to install physical security systems that are cyber secure. At the same time, dealers and integrators need to follow these guidelines while equipping businesses to enact long-term cybersecurity best practices.”

Along with offering these services, integrators should put forth the effort to educate end users on why cyber hygiene is so important, says Dean Drako, founder and CEO of Eagle Eye Networks, Austin, Texas.

“It’s awareness, training, vendor selection and then installation,” Drako explains. “And there’s the education of the customer, or collaboration with the customer if they’re very cyber-aware. But sometimes they aren’t so aware, and then we have to take ownership and be responsible.”

To aid in education, SIA has created a Cybersecurity Advisory Board that provides guidance for cybersecurity strategies and solutions. “This leadership enables SIA to prepare industry stakeholders for challenges related to the wider adoption of the Internet of Things and the use of secured networked devices for security,” Erickson says.

In addition, SIA’s Membership Code of Ethics states that SIA member organizations and their employees must monitor and mitigate risks as much as reasonably possible, which includes securing and hardening networked solutions against cyber threats in accordance with industry best practices.

And in partnership with PSA Security Network and Security Specifiers, SIA recently developed the Security Industry Cybersecurity Certification (SICC) for physical security professionals. “We believe [the SICC] could become the gold standard for our industry,” says Ric McCullough, president of PSA Security, Denver. “This program and certification process has been released and is ready for consumption.”

PSA also has its own cybersecurity committee, and has been preaching the importance of cybersecurity and cyber services for the past decade.

These industry associations will be especially useful in helping security integrators navigate future laws that might go into effect regarding cybersecurity.

U.S. President Joe Biden issued an executive order on improving the nation’s cybersecurity in May of 2021 — though it’s unclear what sort of impact it will have, since every president since Bill Clinton has issued a similar order. Core tenets of the order include applying the latest data encryption standards and bringing uniformity to cybersecurity standards.

“Cybersecurity will continue to be an ongoing challenge,” says Chris Peckham, chief operating officer, Ollivier Corp., Los Angeles, and member of PSA’s Cybersecurity Committee. “Technical requirements are being issued in some areas by federal and state governments, and those will extend into commercial markets in the future. IoT regulations will impact the industry as well. Awareness and training are very important as solutions are developed and implemented.”

Before the government takes matters into its own hands, it would be in the best interest of the industry if physical security professionals create cybersecurity standards, says Axis’ Dorris.

“As a collective industry, it’s important that we develop our own cybersecurity standards, requirements and baselines,” he says. “We should not wait for these requirements to be pushed down from government via laws and regulations. … Cybersecurity is a complicated topic, but really it boils down to good documentation and solid processes for installing and maintaining devices on the network. The governance, regulation and compliance aspects of network devices are all geared around having clear procedures and security controls, and the same should hold true for physical security devices.”


10 Best Practices for Cyber Resilience

More and more, end users are coming to physical security systems integrators with questions and concerns surrounding cybersecurity. Avoid feeling tongue-tied by becoming familiar with cybersecurity best practices, and how to ensure the physical security systems you deploy are secure. Here are 10 steps to start with on your journey to becoming cyber-proficient.

  1. Conduct a thorough risk assessment — Knowing what cyber risks are out there, and how they might impact your environment are the first steps in understanding how to best protect your organization. This can range from identifying gaps in your perimeter security to defining IT best practices and cyber hygiene for your business applications and physical security systems. You can then build a detailed cybersecurity strategy with targeted measures that minimize the likelihood of a breach.
  2. Reduce human error with clear IT policies — Educating your people on IT policies must also be factored into your cybersecurity strategy. This can start with teaching employees simple tips on how to create strong passwords and how to identify phishing scams in emails.  
  3. Change device passwords — If you haven’t already updated the default passwords on your security cameras or access control devices, start there. Most default manufacturer passwords on security devices become commonly known, which puts your organization in a vulnerable position. Schedule regular updates for your device passwords to ensure ongoing protection.
  4. Prioritize software and firmware updates — Many software and firmware updates come with the latest fixes for known vulnerabilities. The longer you delay these updates, the more at risk your organization is. That’s why it’s important to handle your physical security system and device updates with urgency.
  5. Choose technologies with built-in defenses — Having multiple layers of defense built into your physical security solutions is critical. For instance, encryption helps you hide and protect data from unauthorized users and secures the communication between clients and servers. Authentication is another tool that determines if an entity is who it claims to be and verifies if and how that entity should access your system.
  6. Use strong authorization and privacy methods — While encryption and authentication are great tools for protecting data, they cannot stop unauthorized access to a network. By using authorization capabilities, you can restrict the scope of activity within your systems by giving specific access rights to groups or individuals for resources, data or applications. You can also blur out people in a video frame to protect their privacy and identity.
  7. Stay compliant with new legislation — As cybercrime escalates, new privacy and data laws are evolving to keep businesses accountable. For example, how you manage and store captured video and data from your physical security systems must comply with new mandates such as the General Data Protection Regulation (GDPR). Staying informed about these new laws can not only help you strengthen cyber resiliency but also avoid the costly penalties for non-compliance should a breach occur.
  8. Consider the benefits of cyber insurance — Cybercriminals are getting savvier by the minute. Even when you do everything right, your organization may still be at risk. Cyber insurance gives you financial support to remediate and recover in the event of a breach.
  9. Re-evaluate your risks and policies on a regular basis — Cyber threats are constantly evolving. What works for you today might not work for your tomorrow. Taking time to re-assess your risks and policies, including those that pertain to the security of your video and access control systems, is needed to stay protected in the long run. You can also conduct regular penetration testing on your systems and strategies to identify opportunities for improvement.
  10. Get involved in the discussion on cybersecurity — Relying on integrators or other service providers to deploy effective security practices is not enough. And sometimes, IT is too busy to help. Security professionals who become more involved in creating and deploying cybersecurity practices are usually in a better position to help mitigate risks.

— By Mathieu Chevalier, Genetec
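One way to turn the checklist above into a repeatable audit, as an added example that is not part of the original sidebar or of Genetec's tooling: a Python script that checks a constructed inventory of cameras and door controllers for factory-default or stale credentials (step 3), firmware behind a minimum patched release (step 4), services enabled beyond what a hardening guide allows (Williamson's point above), and devices reachable from the internet (Brent's Shodan point). The model baselines, default-credential pairs, rotation policy and device records are all assumed sample values.

```python
"""Hardening-compliance audit for a physical security device inventory.

Every baseline, credential pair and device record below is constructed
sample data for illustration, not a real vendor value.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed per-model baselines: minimum patched firmware and the ports
# a hardening guide would leave enabled (hypothetical models and values).
BASELINES = {
    "CAM-X1": {"min_firmware": "5.2.1", "allowed_ports": {443, 554}},
    "DOOR-CTRL-7": {"min_firmware": "2.0.4", "allowed_ports": {443}},
}

# Constructed credential pairs treated as factory defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "pass"), ("admin", "")}

PASSWORD_MAX_AGE_DAYS = 180          # assumed rotation policy
AUDIT_DATE = date(2021, 6, 1)        # "today" for the sample run

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    username: str
    password: str
    password_changed: date
    open_ports: set
    internet_exposed: bool = False


def parse_version(version):
    """Turn '5.2.1' (or '5.2.1-beta') into a tuple of ints for comparison."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def audit_device(dev, today):
    """Return a list of (severity, finding) tuples for one device."""
    findings = []
    base = BASELINES.get(dev.model)
    if base is None:
        findings.append(("medium", f"{dev.name}: no hardening baseline for model {dev.model}"))
    # Step 3: default passwords first, then the rotation policy.
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append(("critical", f"{dev.name}: factory default credentials still in use"))
    elif (today - dev.password_changed).days > PASSWORD_MAX_AGE_DAYS:
        findings.append(("low", f"{dev.name}: password older than {PASSWORD_MAX_AGE_DAYS} days"))
    if base is not None:
        # Step 4: firmware behind the minimum patched release.
        if parse_version(dev.firmware) < parse_version(base["min_firmware"]):
            findings.append(("high", f"{dev.name}: firmware {dev.firmware} below minimum {base['min_firmware']}"))
        # Hardening guide: only required ports enabled.
        extra = dev.open_ports - base["allowed_ports"]
        if extra:
            findings.append(("medium", f"{dev.name}: unnecessary ports enabled: {sorted(extra)}"))
    if dev.internet_exposed:
        findings.append(("critical", f"{dev.name}: reachable from the internet; keep it on the security VLAN behind the firewall"))
    return findings


def audit_inventory(devices, today):
    """Audit every device; return all findings sorted critical-first."""
    findings = [f for dev in devices for f in audit_device(dev, today)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample inventory: one clean camera, one neglected camera, one
# door controller with an old password and SSH left enabled.
SAMPLE_INVENTORY = [
    Device("lobby-cam-01", "CAM-X1", "5.3.0", "secops", "Xq7!sample", date(2021, 3, 1), {443, 554}),
    Device("parking-cam-04", "CAM-X1", "4.9.2", "admin", "admin", date(2018, 6, 15),
           {23, 80, 443, 554}, internet_exposed=True),
    Device("door-ctrl-east", "DOOR-CTRL-7", "2.0.4", "facilities", "Lm3$sample", date(2020, 9, 30), {22, 443}),
]

if __name__ == "__main__":
    for severity, message in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"[{severity.upper():8}] {message}")
```

Feeding the script a real inventory export is the point of a step-9 re-evaluation: run it on a schedule and treat any new critical finding as an incident, not a backlog item.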


The Future of the Industry

Security leaders and associations have been begging physical security professionals to take cybersecurity seriously for years. If you haven’t already started educating yourself on best practices, you need to start now — before it’s too late.

“Cybersecurity issues will unfortunately worsen in the future,” says Salient’s Challa. “The industry can prepare by embracing cybersecurity as a core requirement and with wholesale investment across the supply chain into cybersecurity.”

Dorris predicts that the risk to IoT devices, especially, will grow worse in the near future.

“Currently there are 50 billion connected devices globally — that’s more than six devices for every person,” Dorris says. “In contrast, there is a shortfall of 3-6 million cybersecurity jobs currently. There are not enough IT administrators and cybersecurity personnel to protect what we have now, so we’re on a dangerous trajectory. Due to the overwhelming number of devices, and the dependency that our society has on being connected, the attack surface and number of vulnerabilities are endless. Clearly, we need to make up lots of ground in order to mitigate risk and prevent potential attacks that can be costly to companies and their customers.”

Chevalier of Genetec believes that while awareness around cybersecurity is improving, the severity of the attacks will likely worsen in the future.

“The impact and magnitude of attacks tend to increase over time,” he says. “It is likely that more high impact hacks will happen with real-life consequences. So, the industry will mature and get better but there will be more value for hackers to extract by attacking security systems.”

Largely because of a push from end users, most manufacturers are preparing for this future.

“In the last few years, we are seeing more manufacturers realize that they have to make the cyber investment, or their product will not be specified in major products,” says Bosch’s Brent. “While some are only designing higher end models with cyber in mind, we are at least seeing a shift in mindset.”

So while the industry may not be quite where it should be in terms of cybersecurity, it is moving in the right direction, Erickson says.

“We should be optimistic as an industry because, working together, we have been able to solve challenges that have threatened security in the past,” he explains. “Through information sharing, developing and adopting standards and best practices in physical and information security, we will learn as an industry to mitigate the current threats and be better prepared as cybersecurity threats evolve.”