Top ten reasons why physical security is worthless without cyber security
We looked at the convergence of physical and information security before. We concluded that the trend was inevitable. But we also concluded that there were still many barriers to overcome to break down the organizational silos of traditional physical security and IT security. But we all know that our video surveillance, access control and other security systems use standardized computing and networking technology. Physical and information security systems are more and more entangled. We see it in the content that is shared in our Security Industry Group on LinkedIn: more and more messages involve best practices, cases, innovations and products that are related to cyber security. It appears that nowadays physical security systems can only be of value if the organization has also taken care of its cyber security. One could even argue that organizations that do not take good care of their information and network security will have difficulties implementing any physical security system effectively. Here are our top ten reasons for that…
10. IP Convergence
It was the trend of the first decade of this century: security devices like surveillance cameras, intercom stations and access panels all moved from proprietary networking topologies to standardized TCP/IP networks, making full use of segments of the corporate network. Server software was now running on corporate servers, managed by the IT department. This trend started a long time ago, and it may seem irrelevant now, but the transfer of devices to IP networks is still happening as we speak. And with this trend, the dependency on the corporate IP networks is still growing. The commitment and support of the IT department is needed to roll out any serious security system. They will have to see to it that the IT infrastructure is in place with sufficient bandwidth and that the service is not interrupted.
9. System Integration
Security systems of substance hardly ever run completely stand-alone. Access control systems are integrated with Identity Management and Time & Attendance Systems. Video surveillance systems are connected with alarm management systems and physical security information systems (PSIM). These systems rely on each other’s data to support security applications but also business applications. Ensuring that the data is up-to-date, complete and not tampered with is important. Making sure that the applications are available and that access to their service is not denied, is very important.
8. The rise of cloud based security
A recent trend is that security systems are moved to the cloud. You can debate whether that is a good idea, but the trend is undeniably happening. People who approach it from the conservative side will say this topology creates one massive single point of failure, putting the continuity of the organization at risk. People on the more progressive and innovative side will say that running an application on a serious cloud platform like Amazon Web Services or Microsoft Azure will have a positive impact on the scalability, performance and security level of the application. No matter what topology you favor, it is clear that more and more access to the application and its data is demanded by users. Making sure there are no security vulnerabilities is very important.
7. The rise of mobile access control
Using smartphones in access control can hardly be regarded as a new topic in our industry. But it is obvious that using smartphones is actually adding another layer of intelligent devices to your security system topology. And that intelligence can potentially bring security improvements, like using the biometric reader of the phone in access control, or using it to enhance the communication with your system users. But some smartphones, especially when users can bring their own device (BYOD), may also require some extra attention to make sure their use is not adding vulnerabilities to your infrastructure.
6. IoT and Edge devices
Standardized IoT devices (like video cameras) that (wirelessly) connect in a pre-configured way to a cloud-based security service seem to be increasingly popular. Easy to procure. Easy to install and deploy. And remotely managed. Using Wi-Fi, LTE (4G), 5G (NB IoT) or LoRaWAN networking, these devices can deliver great value. But they are often installed on what once was referred to as the unsafe (public) side of the installations. Having cyber security policies and measures implemented is key to remaining protected against unavoidable vulnerabilities.
5. GDPR and privacy regulations
As an employer and supplier you have always had a responsibility and moral obligation to keep personal data from employees and clients safe and secure. GDPR and other privacy regulations now also increase your legal liability risks. Many organizations claim that they take the privacy of their customers very seriously. But not all companies act in a way that supports that statement. You have to make sure you only store what you really must to be able to provide your service, you can only store it for the time that you need it, and you have to make sure that data does not fall into the wrong hands. And when there is a leak you have to report it.
4. Enterprise security systems
Do you remember when, back in the day, we would buy security systems on a per-building-basis? Nowadays most security managers are considered to be enterprise risk managers that deal with security on an organizational level. Security systems have scaled up to support globally operating enterprise organizations with hundreds of buildings and thousands of users. A small but dangerous vulnerability at a local level may have serious consequences for the entire organization. If the IT-security is not in place at an architectural level and also at the level of local installations, organizational continuity may be at risk.
3. New ways of working
Most of us do not work only from 9 to 5 at the office. We use our smart devices to access business applications and their information in any place at any time. We expect that information to be available to us when we need it. And as users we expect to be able to roam across the estates of our employer and, actually, all across the world. The boundaries between our professional and private lives have become vague and less important. And we expect corporate systems to support us in our ways of living and working. This of course impacts security systems as well. It impacts the way we can secure our people and assets. And it also impacts the number of potential vulnerabilities in the infrastructure that is needed to support our users. Information security, networking security, cyber security or whatever you call it: it is getting more and more difficult to find the balance between supporting the way people desire to work and keeping the company staff and assets secure at the same time.
2. The popularity of hacking
Ever since computers existed, there has always been a group of people that feel attracted to finding and exploiting weaknesses in IT systems. Sometimes you will encounter “script kiddies” that copy what is made available online. In other cases you may be engaged with serious ethical hackers or maybe you will run into ill-intended criminals that seek fame or fortune. There is a large group of people out there that spend an awful lot of time finding vulnerabilities and exploiting them. Don’t be naive: it will happen to you and your organisation as well. And better believe that physical security systems are on the radar of these hackers. Just have a look at what is presented at Blackhat, DEF CON and other conferences and similar gatherings. Or look at access cards that were hacked.
1. Social engineering vulnerability
Most people are aware of penetration testing in information security. And some of you may also be aware of red teaming or physical penetration testing. Whenever you speak to professionals in these lines of work and ask them what they would like to share with the industry, they usually will come up with two major findings from their experience. They will say that whoever seeks to do harm does not look at systems as silos. Red teams will look at IT systems, at physical security systems and at mechanical physical security objects, like locks, doors and constructions. People that seek to physically get into your building will not hesitate to exploit your IT systems. And people that are looking for data or application access will not hesitate to get physical access to the building if that is what is needed to achieve their goals. And the number one exploit in both cases, the greatest weakness in any security system, is always the people in your organization. Social engineering is the number one tactic for hackers that are trying to get unauthorized access. And many physical security specialists can still learn a great deal from cyber security specialists when it comes to protecting yourself against these attacks. But one thing is certain: if the IT topology of your physical security system is compromised, the security of your organization is compromised.
What is your experience with this? Share your ideas and comments below….