Don’t Be the Weakest Link

Security, IT Departments Must Work Together to Reduce Vulnerabilities

The physical security industry has generally not received a lot of attention when it comes to cybersecurity issues, breaches and threats to data. However, with the shift from analog to IP devices, and with a more converged network of devices, many organizations have found themselves face-to-face with the issue of data security as it applies to physical security equipment. How can they best formulate robust policies and strategies to protect against network threats?

Think back to the 2001 film “Ocean’s Eleven,” in which a team of thieves and con men carried out an elaborate scheme to rob three Las Vegas casinos. As part of the heist, a video surveillance system was hacked and the feed was replaced in order to mislead the owner of the casinos. While this, of course, was just a movie, the plot point demonstrates the dangers that come with having elevated levels of connectivity without proper security protocols.

Today’s technology marketplace is full of connected devices – the smart home, apps that allow security managers to view video from various locations, remote access control devices and more. The thinking has shifted from the possibility of attack to the probability of one or more occurring. Bad actors are attempting to circumvent security on network devices for a variety of purposes, ranging from using the devices deployed in a physical security installation in an attack against another Internet-connected device or service, or degrading and breaching the security system itself, as was the case in the movie. As networks converge, it is unfortunately inevitable that more attempts to circumvent physical security systems will occur.

There are ways to protect IT networks, however, including identifying possible weaknesses in technology and policies, learning from colleagues in the enterprise IT realm, and following industry standardization of products.

Technology and Policies

There are two elements to ensuring the safety of corporate data: the right technology and the right policies.

Some connected security technologies have been found to have vulnerabilities and to adhere to less-than-ideal security practices. The good news is that manufacturers are working to fix these problems. It is imperative to address possible concerns with data security before products are released to the public.

Additionally, it is important for manufacturers to educate end users on how to protect themselves from breaches – for example, by changing the default usernames and passwords on cameras once they are installed.

Second – and arguably more important – companies and organizations utilizing physical security equipment must have cybersecurity policies in place that outline proper procedures for handling sensitive information and data. Training employees in security principles by establishing best practices, such as requiring strong passwords and establishing appropriate Internet use guidelines, is critical. In addition, users should ensure that they do the following:

• Update security software
• Provide a firewall for Internet connections
• Create a plan for the use of mobile devices
• Back up important data using secure means
• Secure WiFi networks
• Require employees to use strong passwords and authentication
• Implement policies for controlling access to equipment
• Train employees to watch for social engineering tactics such as:
  • Pretexting
  • Phishing
  • Baiting

In today’s ever-evolving market, it is not just about how manufacturers can protect end users, but also about how end users can best utilize the security technology that manufacturers provide.

Learning from the Enterprise IT Model

The physical security industry can learn a significant amount from the enterprise IT sector. When IT first began seeing a shift to a more secure environment, many businesses were on their own network – the printer network, if you will – and hacks were performed on a smaller scale. At that time, there were not many instances of “attacks” being malicious. Fast forward to today’s connectivity, and the threat of harmful IT breaches has increased at an alarming rate.

In the healthcare sector, security experts dubbed 2015 as the year of the healthcare hack. In January 2015, 11 million Premera Blue Cross customers were affected by a large-scale breach. This was followed by a breach at Anthem that affected nearly 80 million current and former customers in February. A UCLA Health System breach in July affected 4.5 million people, and in September, Excellus BlueCross BlueShield in upstate New York had the records of as many as 10 million people exposed by hackers. And this is just a sampling of incidents. In total last year, there were more than 112 million health records breached in 253 incidents, according to the Department of Health and Human Services.

Then, early this year, hackers held the records of patients at Hollywood Presbyterian Medical Center hostage until a ransom was paid – 40 Bitcoins (equivalent to $17,000).

The health care industry is particularly susceptible to these attacks because the shift to electronic medical records has increased the need for access to previously non-electronic data, as well as because of the sheer amount of information collected, including Social Security numbers, credit card numbers and sensitive medical information. The industry is learning the hard way that investing in a stronger cybersecurity plan to prevent and combat breaches is crucial to the overall health of the organization.

Recent breaches have prompted IT departments across a wide variety of markets to take a firmer stance on how information is shared, how networks are built and how devices can be used on a company’s property. The connected enterprise contains a lot of crossovers, and large corporations have to adhere to strict IT policies on how devices within these networks can be used. Employees must be educated on proper usage in order to protect the data being shared between devices.

Merging Physical and IT Security

The physical security industry has long developed cutting-edge technology that pushes the boundaries of innovation, but it has not always fully addressed the details of IT vulnerabilities. As more manufacturers develop wireless and cloud-based systems, special attention must be paid to the security of the devices. This means that the previously separate IT security and physical security departments must collaborate to ensure the safety of data across the enterprise organization and beyond.

Today’s security manager must be mobile, and this requires access to data from anywhere at any time. App development for video management systems is booming, allowing the flexibility to access critical data through web-based platforms. But it is imperative that security leaders work closely with IT departments to discuss possible weaknesses in access points and communicate effectively on how to overcome these issues. Security managers must be agile and in tune with this notion of protecting critical data and access points, which reaches far beyond traditional physical security borders.

Threats to data security happen when hackers target the weakest link in the chain, and without the appropriate technology and policies, the risk that the security system will be that weakest link is real.

For example, if a wireless camera is broadcasting an entry point to a building and its feed is not secured, attackers could gain access not only to the video feed, which they could use to determine who enters and exits a facility and at what time, but also to the corporate network itself.

The possibility that security equipment could be used as an entrance to the greater enterprise network is a cruel irony that poses a significant threat to any organization.

Standardizing Video Surveillance Data Collection

Several alliances have been formed to work on automation and communication protocols to help organizations prepare for the increase in IoT devices “talking” to one another. This standardization of communication protocols is critical to the success of business in an IoT world.

IoT will require physical and IT security manufacturers to work together to establish baseline standards that allow physical security systems to work with devices outside the industry, similar to how ONVIF worked across manufacturers to elevate the usability of video surveillance products. ONVIF, in fact, recently published the Profile Q standard to provide “out-of-the-box interoperability” for IP devices. Similarly, both the PSA Security Network and the Security Industry Association have created advisory boards focused on addressing IT security issues in the physical security space. This demonstrates that the industry is taking the steps necessary to address these concerns and implement the proper procedures by which to regulate these matters.

Encryption and cryptographic methodologies, such as security certificates and electronic data signatures or watermarking, are critical tools manufacturers use to ensure that the data being collected over a network is kept secure. Deploying these technologies along with a strong cybersecurity policy is an important first step to ensuring the protection of the system, its data and the network as a whole.

There is no need for manufacturers to develop new cryptographic technologies; the cryptography technology available today is mature, robust and thoroughly tested. At the center of cryptography is some very hard math, and there are researchers around the world validating and probing the technology on a continuous basis. It is not a good practice to try to come up with something new cryptographically and keep it a secret, as security through obscurity is not security at all. It is a best practice for manufacturers to use established and tested methodologies, and, most important, to describe the methodologies that are used.

The Future of Connectivity

Consumers of modern technology have certain expectations, such as being able to use mobile phones or devices in a connected home quickly and simply. Security and ease of use are often in conflict, though. The easier it is to use something, in many cases, the less secure it becomes. It is necessary, then, to find a middle ground for protecting valuable information while maintaining convenience by bringing together key players from the physical security and IT sectors to standardize the relationship between security and IoT functionality. Without that cooperation, organizations will face unacceptable risks to their data.

---

Stuart Rawling (stuart.rawling@schneider-electric.com) is director of business development for Pelco by Schneider Electric (www.pelco.com).