Security Professionals Focus on Hardening Physical Systems to Increase Cybersecurity
With more physical security devices online than ever before, the chances of cyber criminals hacking into a customer’s system are higher than ever.
While security integrators and dealers are on the front lines of protecting their customers against cyber liability, their products can also be a point of entry for bad actors. Here’s how to protect end users and yourself.
By Laura Mazzuca Toops, SDM Content Editor
The fight against cyber liability is a constantly shifting battlefield in the war to protect businesses of all types and sizes, and security integrators are on the front lines. However, vulnerabilities arising from unsecured cameras, outdated access control systems and other physical security measures can put end users at risk, and plugging these security gaps is a must.
Montreal-based Genetec Inc. recently conducted a survey that found cybersecurity remains a top concern for physical security professionals from around the world going into 2023, with almost half the organizations surveyed having activated an improved cybersecurity strategy in 2022, and more than a third looking to invest in cybersecurity-related tools to improve their physical security environment in the next 12 months.
Of the many capabilities related to cybersecurity and data protection deployed by physical security teams in the last year, cyber-hardening of physical security hardware and access control management were the most popular, with 40 percent of respondents implementing new measures targeting those capabilities, the Genetec survey finds.
“The products that we deployed in the past don’t meet our customers’ compliance requirements of today regarding cybersecurity and it is driving them to replace panels, cameras, intercoms, etc., before they have failed,” says Josh Cummings, executive vice president, technology, at Paladin Technologies, a PSA Security Network member based in Vancouver. “Legacy devices are not able to handle the latest TLS [transport layer security] protocols, encryption, communication standards and so on.”
Ensuring cybersecurity is a two-way street: security integrators need to adopt their own internal preventative measures as well. According to the 2022 Verizon Data Breach Investigations Report, supply chain attacks accounted for 62 percent of system intrusion incidents in 2021. And security integrators are essentially a part of this supply chain, says John Szczygiel, chief operating officer at Brivo, Bethesda, Md. “For integrators, this means they must get better with what they do,” he says. “If they go to a customer location with a laptop, logging onto a customer’s system, they represent a risk to a customer if they have access to the customer network. They should look internally and make sure they’re doing things [for cybersecurity] for their own companies.”
Manufacturers are fighting back against cyber risk with tools like Genetec’s Security Score widget, a dynamic hardening tool that checks system cybersecurity in real time, laying out guidelines and monitoring whether the different elements of the system comply.
This means integrators need to have their own cybersecurity programs and guidelines like issuing and monitoring computers in a structured way and conducting background checks on employees, he says. “The biggest trend in 2023 and beyond is that entities will become very rigorous in how they vet suppliers because they can’t just give them access to the IT network without ensuring that they won’t bring in some risks.”
Security integrators who want to help keep their customers (and themselves!) safe from the ever-present risk of cyber exposures should stay current on emerging vulnerabilities, work with their manufacturers to deliver turnkey solutions, and educate themselves on cybersecurity requirements so they can add that expertise to their solution portfolio. These tips and others are the advice provided by the sources we spoke with on how to help strengthen end users’ cybersecurity.
How to Stay Current on the Latest Cybersecurity Trends
Experts agree that security integrators and dealers need to stay current on changes in the cyber liability landscape, and that education is key for both them and their end users. Fortunately, there are many sources where they can turn for information, including:
Industry resources. SIA’s Security Industry Cyber Security Certification (SICC) and trade news organizations that provide related information are great resources for integrators to stay abreast of the latest developments in cyber risk, says Michael Ruddo of Integrated Security Technologies Inc. PSA Security Network is another great resource as the organization has put a lot of focus on educating the industry on cybersecurity, adds Josh Cummings, Paladin Technologies. “There are many organizations doing the same,” he says. “The key is to get involved and educate yourself on what is happening both inside and out of our industry.”
Public sites. Sources like the Common Vulnerabilities and Exposures (CVE) database, launched in 1999 and maintained by a network of software partners, provide a wealth of information on the latest vulnerabilities, says Chris Peckham of Ollivier and Smart Site. The SANS Institute, established in 1989 and offering training and certification on cybersecurity, is another good resource, adds Mike Kobaly of AMAG Technology.
Security manufacturers. Sign up for manufacturer and vendor security updates to get the latest product information, says Matthew Fabian of Genetec. “Transparency is important,” he says. “We have a trust center where integrators can get the latest information sent directly to their inbox.”
Government sources. The U.S. Department of Homeland Security and the Cybersecurity & Infrastructure Security Agency (CISA) both have training for critical infrastructure customers and for organizations that provide solutions and support to that sector, says Peter Boriskin of ASSA ABLOY. “We urge integrators and customers to check out CISA’s Shields Up section, which provides guidance for organizations. Given the Ukraine-Russian conflict, the U.S. government has seen an uptick in attacks against practically everyone, so they’re providing resources and updates regularly to help with security preparedness.”
More Tech, More Risk
While video surveillance and access control systems can be used to protect valuable physical assets, they’re also a frequent target for today’s cybercriminals, especially with the proliferation of Industrial Internet of Things (IIoT) elements such as video cameras, says George Ajine-Basil, security engineering manager at LenelS2, Pittsford, N.Y. “Malicious actors are continuously evolving their methods to target these physical security technologies more frequently to exploit high-value targets,” he says.
In the past, cameras were especially vulnerable, particularly since some devices were shipped from the manufacturer with default passwords that were never changed at installation, says Matthew Fabian, national director for sales engineering for Genetec.
Even today, IP cameras continue to be a risk due to older vulnerabilities not being patched by some vendors and users, as well as the use of default usernames and passwords, says Chris Peckham, chief operating officer of Ollivier and Smart Site in Los Angeles.
However, many camera manufacturers now produce cameras that prevent access without the end user first providing an updated password. Authenticating such devices helps prevent “man in the middle” (MITM) attacks, where an attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other — in this case, a camera, Fabian says.
And cameras aren’t the only potential entry point for bad actors, especially with more security devices coming online, he adds. The fact that today’s electronic security systems include more devices — not just cameras and doors, but everything from gunshot detection to temperature sensors — means more potential access points for cybercriminals. “The largest attacks come from people taking over these devices and using them as a bot attack to run DOS attacks,” Fabian says. “A trend we’re seeing is securing these devices and making sure the security system isn’t the weak link in cybersecurity, especially on the IoT side.” This includes forcing secure passwords, using a secure communication protocol like TLS, and practicing better cyber hygiene.
In today’s integrated world, any device with an IP address is vulnerable to a security breach, says Michael S. Ruddo, chief strategy officer at Integrated Security Technologies Inc., Herndon, Va. “I would say the operating system is at the top of the list,” he says. “Ensuring the OS is kept patched to the current security level is key. However, really any device as a part of the overall system with an IP address needs to be secured. Ranking them [by vulnerability] may be unfair as everything within the system environment including the network infrastructure must be cybersecure; otherwise, bad actors can obtain access to the system and that infrastructure to wreak havoc from there.”
System servers, client access controllers and some door interfaces are now IP-network attached, so keeping those systems up to date is a critical, basic requirement to ensure cyber risks are minimized and remediated, Ajine-Basil says. Some mitigation work, for example, will be handled within the operating systems of those platforms, so lack of cybersecurity maintenance there will result in a larger attack surface.
Mike Kobaly, vice president of engineering at AMAG Technology, Hawthorne, Calif., says, “I think it is difficult to choose the biggest source [of cyber risk] when one really needs to look at the entire ecosystem. If there is an outdated operating system on the network with a zero-day vulnerability, then those are easy to compromise,” he says. “Similarly, as more intelligent devices get added to the network, most of those come with some type of API [application programming interface]. API security is a growing risk and could expose clients to attacks they have not seen in the past. It’s critically important to ensure all devices and operating systems are patched with the latest firmware and security updates.”
With today’s multitude of interconnected devices, continued attention to cybersecurity threats and updates to protecting against them is critical.
Cybersecurity Trends in 2023 & Beyond
Increased network cyber hygiene. Customers want more assurance and guidance that they are operating with proper cyber hygiene related to their security systems to include the network infrastructure, says Michael Ruddo of Integrated Security Technologies Inc. “I’m not convinced the requirements have changed other than the normal course of updates related to the current landscape, but I do believe there is much more attention to cybersecurity than there has been in the past,” he says. “This is a very good thing.”
Chris Peckham of Ollivier adds that many larger customers are deploying networks that will be used for operational technology (OT) to include access control and video surveillance. These customers are using encrypted channels between sites to increase security of any traffic passing across the internet. “The discussion around cyber policies and how networks are being deployed, as well as remote access, have changed over the last few years,” he says. “Many customers are requiring their policies to be used across all networks within their environments.”
“Red teaming” physical security solutions. Many businesses are hiring third-party teams to test the integrity of their security systems, and they begin in the physical environment, says John Szczygiel of Brivo. “There are implications on that for integrators, both in the way they’ve designed and installed systems, as well as the technology they elected to use,” he says. “In some cases, red teams can get through those technologies pretty quickly. It can be embarrassing for both the customer and the integrator.”
More cybersecurity accountability from integrators. The increasing overlap between physical security and IT is another reason why cybersecurity is more critical than ever, Szczygiel says. “Ten or 20 years ago, security was its own segment and IT didn’t pay too much attention to it,” he says. “But security platforms on the network, related to corporate risks, must come into focus. We’ve seen a big increase in vendor and product due diligence, which can take the form of an extensive questionnaire or in-person interviews with the team, with end customers evaluating a solution in many cases brought to them by integrators. The intersection is that the integrator may get documentation from prospects to fill out that they don’t know what to do with since they’ve never been exposed to the process. That’s been a big change.”
An increased focus on zero trust. “The growth of zero trust security will become more prevalent,” says Mike Kobaly of AMAG. “Under this model, all resources [users, devices, etc.] will be required to be authenticated, authorized and always validated using just-in-time credentials. Assume no device, even on a private secure network, is trusted.”
Automatic updates. “End users are going to require products to update regularly and automatically in the future,” says Josh Cummings of Paladin Technologies. “Cloud has helped move this effort forward, but there is still a huge gap when it comes to the enterprise on-premises solutions.”
Matthew Fabian of Genetec adds that end users increasingly want “micro updates to systems so security patches are up to date and they don’t have to worry about it. They’re shifting the risk away from themselves and allowing manufacturers to do what they do best and manage those appliances.”
Security best practices. “End users will want assurances that the products and devices they are running on their network and in the cloud are secure,” Kobaly says. “Internally they will place more emphasis on implementing security best practices. With that, they will start asking vendors for software bill of materials (SBOM) and refrain from vendors that can’t provide them.”
George Ajine-Basil of LenelS2 adds, “Customers now more commonly require a SBOM as a key support element in their own planning for risk management.”
More comfort with cloud. Genetec’s “State of Physical Security 2022” finds that “the future of cloud is hybrid: Many organizations envision a blend of on-premises and cloud-based solutions for their physical security deployments as they look to optimize their infrastructure investments and leverage hybrid options to save costs and increase efficiency.” Fabian adds, “Customers have gotten more comfortable with cloud-based solutions and putting their video and access control systems in the cloud. This mostly comes with trust in their manufacturing and channel partners. … End users will ask for more of this, even if they have an on-prem system; they’re looking for cloud-managed applications from manufacturers.”
More vulnerability transparency. “Customers will likely require greater levels of transparency when it comes to vulnerabilities and cybersecurity issues that may impact their environments,” Ajine-Basil says. “Prompt and clear notification of known issues, with mitigation plans, is in high demand. What is changing is the speed at which customers require this information.”
And while patches are important, cybercrooks are constantly finding ways around them. “What’s changed over the past few years are geopolitical circumstances, which have spawned sophisticated and more dastardly cyberattacks from international players and from criminals, both domestically and abroad,” says Peter Boriskin, chief technology officer at ASSA ABLOY, New Haven, Conn. “In addition, the pandemic opened up more time for troublemakers to develop new schemes, and work-from-home scenarios unintentionally exposed some WFH systems to vulnerabilities. Fortunately, companies and users are now keenly aware of the impact and taking the necessary steps to strengthen their cybersecurity for hybrid work situations. But it’s still a learning process that needs ongoing attention.”
Cybercriminals are seeking to leverage the resources and processing power of any vulnerable system or component within their accessible attack surface landscape, Ajine-Basil says. “These computing resources can be exploited for malicious purposes, such as creating a botnet. Both MooBot and the Mirai botnets are examples of when insecure IP-based cameras were leveraged by cyberattackers.”
But although it’s the sophisticated scams that make headlines, it doesn’t take a criminal mastermind to hack into a system that’s poorly secured to begin with. On the access control side, “The No. 1 (threat) is use of insecure, non-encrypted credentials,” says Szczygiel of Brivo, with 125 kHz low-frequency readers being especially vulnerable to hacks and to the creation of duplicate, unauthorized key fobs and cards. “You can go to a grocery store 400 yards away and find a machine you can use to copy credentials and make as many copies as you want,” he says. “If you go to CloneMyKey.com, you have the same ability there. The biggest risk in physical security now is using completely insecure credentials that can be duplicated and the readers that go with them.”
Add to this the reality of poor lock installation practices and a lack of maintenance, and you have a perfect storm for cyber-liability. “Locks secure doors, but lots of things go into a proper installation, such as shielding,” Szczygiel says. “If you’re using an infrared detector for free access, it’s convenient, but the problem is there are many ways to trip those detectors from outside. … You can blow smoke through a crack in a glass door and trip the detector, and be in someone’s office in five seconds. And there’s no alarm, because the access control system believes the request was tripped by someone exiting from inside.”
Both security dealers/integrators and IT professionals view cyber liability as a top concern for 2023.
And as always, human error is still one of the most significant contributors to cyber exposure. “I would say the biggest source of risk for electronic security is the people,” says Cummings of Paladin Technologies. “Social engineering, along with poor cyber hygiene, contribute to a large portion of our risk. We need to become more aware, better trained and focused on deploying the technology in a secure manner to reduce this risk.”
This is why more businesses are moving toward a zero trust approach when it comes to cybersecurity, Kobaly says. “Zero trust is becoming the new buzzword, especially as customers move to a hybrid or multi-cloud deployment and software bill of materials (SBOMs) have been made famous by the White House’s executive order to improve the nation’s cybersecurity,” he says.
Cybercriminals Stay a Step Ahead of Security
Keeping track of the latest cyber scams can be challenging, especially since bad actors are constantly developing workarounds to security measures. Here are a few of the most recent scams spotted by our sources.
In operational technology environments, an increasing number of malware threats are the result of malicious USBs, says George Ajine-Basil of LenelS2. “Since many systems are isolated within large OT ecosystems, a malicious USB attack is an attractive method to an attacker who wants to achieve a wide reach and touch many assets with a limited investment,” he says. “This type of cyber-attack is designed to outmaneuver network defenses, engineered to thwart network-based attacks and air gaps within OT environments. Once an unsuspecting victim connects with a USB into even a well-defended environment, the malware can be delivered to any number of devices on the network well beyond the originating computer.”
Mike Kobaly of AMAG Technology points out that Ransomware-as-a-Service (RaaS) is actually now a successful business model that nefarious entities are using to extort businesses. “Also, during the holidays and political elections, it’s very important to know what you are clicking on your browser,” he adds. “Cybercriminals are targeting keywords knowing people are looking for deals or more information about a political event. Those ads can be malware trying to trick end users and thus compromising their computer,” he says. “End user education is critical these days.”
The growth of interconnected devices, including wearables and every other thing connected to a network, can also increase risk, says Peter Boriskin of ASSA ABLOY. “For instance, there are cybercriminals who have been creating fake applications with malware and putting them into app stores. While not so much a problem in the Apple store, this has been a headache at times in the Android marketplace. These bad actors are essentially manipulating the signatures of the application, so they look like the real application when they’re not.”
Advice to Integrators
What’s a top tip for integrators who want to help their customers tighten up their cybersecurity? Use appropriate physical security products and services. Keep it simple, Cummings advises. “Look for easily deployed products to start with,” he says. “Don’t jump into the deep end with services that require a lot of uplift and skilled labor to deploy. Look for products that have prebuilt services that you can resell and deploy and work your way up to the more complex offerings and capabilities.”
This means developing or enhancing a good working relationship with manufacturers, says Fabian of Genetec. “Work with your manufacturers to deliver turnkey solutions. Something secure and hardened and ready to deploy is an easy way to make sure your system isn’t an attack vector.”
The growth of cloud-based products also means integrators must be continually aware of any vulnerabilities among the three major cloud providers (Amazon Web Services, Microsoft Azure and Google Cloud Platform), Kobaly says. “Clients are offloading IT responsibilities to the cloud, so knowing best practices and how the cloud providers handle security, authentication and authorization is critical,” he notes. “Get familiar with known exploits to understand how they work so you can educate your customers. As you become more familiar with top threats, you then become a resource for your customers on how to best prevent these attacks. Help them with best practices and software solutions to help prevent them.”
Finally, integrators should invest in growing their own organizational cybersecurity capabilities, says Ajine-Basil of LenelS2. “While integrators need not try to be broad-based cybersecurity domain experts, they should be the expert within their own domain as it relates to the cyber requirements for the job at hand,” he says. “Maturing these narrowly focused cyber capabilities in-house will enable integrators to become more self-sufficient, with internal resources that can be leveraged across the entire business, benefitting all their customers and helping to grow and sustain their business. In today’s market, this value-add capability can be a key differentiator.”