As automated building systems become more dependent on shared network infrastructure, I.T. (Information Technology) Directors and CISOs (Chief Information Security Officers) are beginning to realize that these systems add significant vulnerabilities and risks to their networks, and they are sharing this realization with other corporate executives. This seems to be driving two very interesting emerging trends:
- I see more Security Budgets moving away from Enforcement and Facility Operations and becoming funded by Technology Budgets.
- Technology Budgets are moving under management of CISO and CIO executives.
What Has Changed?
What seems to be driving these changes? In talking with I.T. contacts, there appears to be growing concern regarding network data vulnerabilities in the private sector. For many large companies, successful network attacks can cost the equivalent of years of operational budgets. We don’t hear about this kind of activity for obvious reasons – the idea of at-risk sensitive data is toxic to employees / partners / customers.
The importance and influence of Data Security roles is growing. They are being viewed as critical positions and being asked to oversee and even manage technology functions within companies. So an interesting question might be: Why are more organizations seeing a correlation between cybersecurity and physical security design and operations? Today, this question hits closer to home than you might think…
Network-addressable equipment of ANY kind is at risk, especially when the equipment can be physically accessed by a third party. Think IP Surveillance Cameras and IP Card Access Controllers…
Scenario #1 – DDoS Attacks
See Computer World article authored by Lucian Constantin at this link:
DDoS attacks overload and bring down large networks by adding more traffic than the network can support. No hacking of security passwords and such, just network failure due to moving massive amounts of data. In this piece, the author emphasizes that in 2013 a researcher was able to successfully launch a DDoS botnet attack hijacking 420,000 IoT (Internet of Things) devices, including thousands of IP Addressable Security Cameras. I am sure very few physical security professionals have considered designing a video surveillance system around defending against that kind of attack! Many strategies can help, such as: address filtering, traffic monitoring apps, restrictive network permissions, etc.
Scenario #2 – Data & Digital Identity Vulnerabilities
As I noted in a previous post (link: Physical and Logical Security Convergence), Access Control and Intrusion Systems generally utilize unencrypted data transmission… even though there are technologies available (see link above) to close that gap and eliminate the vulnerability. Intercepting data from Physical Security Systems can allow individuals to gain access to facilities that house mission-critical processes. Eliminating opportunity is a key element in deterrence here.
It is possible to utilize certificate-based identity authentication in a card access environment today. Formats such as Microprocessor Based Credentials (cards), Edge Controllers and virtual Mobile Credentials can manage encrypted certificate information. See these links: Mobile Keys / SEOS / PoE Locks. These safeguards have the ability to verify the status of certificates (expired/revoked), proof of possession and more. Most physical security professionals think of Identity Management as printing a current photo on an access control badge. Safeguarding identity information on the credential is important, but just as critical is the security of that data as it moves from the credential to the reader and from the reader to the controller.
When designing systems with Host-Client architecture, these concerns become even greater. Client applications typically can permit full access to the server core. Safeguarding identity information and verifying authenticity are critical before allowing administrator access to your core via a client connection.
The obvious safeguard is often overlooked. Today, IP Cameras and IP Controllers are intelligent devices with enough on-board processing power to have been a laptop computer five years ago. These devices frequently offer password-protected access features and NO, default passwords are not acceptable.
Every layer in system design usually has at least a few built-in data safeguards. In physical security, we are so focused on physical unauthorized access and intrusion events, we forget that the security systems themselves must be designed with Cybersecurity in mind (defend data). Commissioning of security systems just took on a whole new level of importance in the deployment process. Consider adding a line item to your project Gantt Chart for commissioning of data security safeguards. You will make a CISO somewhere very happy!
Scenario #3 – 3rd Party Access to Switches and Servers
Does your company house a blade rack containing servers and switches in an electrical, telco, or I.T. closet (IDF Room) OUTSIDE your data center? Are 3rd party contractors permitted to physically access these spaces? How is the rack secured? With some $15 cam lock that can be broken with a screwdriver? There is a fantastic new product that can add a card reader directly to blade racks to manage access, provide alarm signaling AND an audit trail. See this link: Server Rack Card Reader Lock.
Douglas Levin is a consultant employed by ASSA ABLOY, Inc. Please contact him on LinkedIn for more information on this topic.