A few years ago at physical security industry conferences the word I heard the most was “convergence”. At that time it meant Physical Security and IT coming closer together, and it was a hot topic because analog technology was quickly giving way to IP-based approaches. With access control becoming tied to identity management, and surveillance being managed, stored, and analyzed on computer networks, it’s easy to see now why that convergence was critical for the industry and why it required rethinking old approaches.
There is another convergence happening right now, and like the prior one it’s critical for the industry’s future success that it be managed well. It’s the convergence of Physical Security and Cyber Security. I won’t rehash all the facts and figures, but when the Mirai botnet attack in September 2016 that brought down the internet for much of the East Coast was predominantly (>80%) launched from physical security systems (IP cameras and NVRs), the industry was on notice. When in 2017 Trend Micro found that 51% of camera devices they tested had one or more malware agents on them, the industry was on notice. And in 2019, while there are many efforts underway to create sustainable cyber-hygiene for physical security systems, most systems still use outdated firmware and don’t manage inventory and passwords well.
Years into knowing that physical security systems are attack surfaces for cyber-criminals, it’s clear that more focus needs to be given to the convergence of physical and cyber security. To be fair, there has been a lot of attention given to this convergence from one perspective – using physical security to augment or protect cyber security. Compliance standards such as PCI have built in more physical controls (e.g. having surveillance on point-of-sale terminals). However, more needs to be done from the opposite direction – protecting physical security systems from cyber threats.
Here are a few key points to consider if your organization is seeking ways to defend itself (and its assets and constituents) from the growing number of cyber threats:
Convergence on cyber issues is happening, but more slowly because there are large differences in cyber-security and cyber-hygiene for physical security systems versus traditional computer and consumer device security. In the previous convergence, many commonly-used IT methods could directly be applied to physical security issues; examples include use of subnets and firewalls, tiered and RAID-configured storage for cost-effective data retention, and the adoption of service assurance techniques. That is not necessarily so with this convergence.
Some cyber security solutions can be adapted from existing approaches (e.g. virus and malware detection), but other solutions need to be crafted within and for the physical security industry (e.g. camera firmware updating). While the industry is actively creating solutions for these gaps it will take longer than many would like, because current solutions can’t be easily applied to the unique nature of physical security systems.
Taking firmware as an example, why can’t we use the same approaches that automatically keep my laptop on the latest revision of Windows or keep my anti-virus software up-to-date? In part it’s because those approaches were built and designed as closed-loop systems, where there could be trust given that the updates being made are themselves secure. In updating camera firmware, there are no such closed-loop systems. Camera device vendors are making good progress (such as being able to use a checksum to verify the file contents), but our industry is having to create its own mechanisms instead of adopting existing ones – and that will take time.
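The checksum step mentioned above, combined with a check of the device inventory for outdated firmware, as an added example (not from the original article or any vendor's tooling). The manifest layout, model names, versions and image bytes are constructed for illustration.

```python
import hashlib
import hmac

def parse_version(text):
    """Turn '2.10.3' into (2, 10, 3) so that 2.10 sorts after 2.9."""
    return tuple(int(part) for part in text.split("."))

def image_matches(image: bytes, published_sha256: str) -> bool:
    """Compare the downloaded image's SHA-256 with the vendor-published value.
    A match shows the file is the one published; it does not authenticate
    the publisher, which is the missing closed loop."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())

def plan_updates(inventory, manifest, downloads):
    """Return {device_id: action} for every device in the inventory."""
    plan = {}
    for dev in inventory:
        entry = manifest.get(dev["model"])
        if entry is None:
            plan[dev["id"]] = "unknown-model"          # not in any manifest: investigate
        elif parse_version(dev["firmware"]) >= parse_version(entry["version"]):
            plan[dev["id"]] = "current"
        elif not image_matches(downloads.get(dev["model"], b""), entry["sha256"]):
            plan[dev["id"]] = "blocked-checksum-mismatch"  # never push this image
        else:
            plan[dev["id"]] = "update"
    return plan

# Constructed sample data (hypothetical models, versions and image bytes).
GOOD_CAM = b"constructed camera firmware 2.4.1"
GOOD_NVR = b"constructed NVR firmware 5.10.0"
MANIFEST = {
    "CAM-A": {"version": "2.4.1", "sha256": hashlib.sha256(GOOD_CAM).hexdigest()},
    "NVR-B": {"version": "5.10.0", "sha256": hashlib.sha256(GOOD_NVR).hexdigest()},
}
# The NVR download was altered in transit, so its hash no longer matches.
DOWNLOADS = {"CAM-A": GOOD_CAM, "NVR-B": GOOD_NVR + b"\x00altered"}
INVENTORY = [
    {"id": "lobby-cam", "model": "CAM-A", "firmware": "2.3.9"},
    {"id": "dock-cam", "model": "CAM-A", "firmware": "2.4.1"},
    {"id": "nvr-1", "model": "NVR-B", "firmware": "5.9.2"},
    {"id": "gate-cam", "model": "CAM-Z", "firmware": "1.0.0"},
]

if __name__ == "__main__":
    for device, action in plan_updates(INVENTORY, MANIFEST, DOWNLOADS).items():
        print(f"{device}: {action}")
```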
Convergence must also include the ability for all sizes of business to adopt these solutions. Solutions that only apply to large companies with big physical security teams are not convergence when it comes to cyber-hygiene. For convergence to genuinely happen there needs to be a mix of how solutions are delivered so that all organizations can adopt them. We are now seeing that early approaches to physical security cyber-hygiene are simply too manual to be deployed broadly, or require expertise that smaller organizations might not have. In the coming year don’t be surprised if security integrators address this challenge by a mix of managed services, paid assessments, or training, in addition to solutions run by the user.
Finally, and this is where the vengeance comes in, with this convergence there are genuinely bad actors working hard at finding or creating cyber-vulnerabilities. Malware is growing, new attack vectors are being found, and more hackers are working on breaking down physical security’s defenses. That’s why regardless of where you are currently on addressing this crisis, taking action is critically important. From both the integrator and vendor communities there is help available to start taking action. Like the previous “convergence”, closer integration of physical and cyber security is inevitable and will drive the industry to vastly improved efficiencies and performance – it just may take longer.