With all the recent news about cyber threats, vulnerabilities and successful attacks associated with physical security endpoints and IoT devices, one would think that the industry as a whole is paying very close attention to the security of the networks where these systems reside. Unfortunately, for reasons unknown to most cyber-physical security professionals, this is simply not the case. Most recently, a critical vulnerability affecting up to 100 million video cameras around the world was exposed by a white hat hacker. That is a large number of cameras residing in what we can safely assume are very high security locations and applications. Fortunately, the cause was quickly identified and a fix made available.
Now the challenge is to implement the fix before the now widely publicized vulnerability is exploited by malicious hackers or outright bad actors who can wreak havoc on the networks and assets of thousands of organizations with serious responsibilities. In systems with dozens or even hundreds of cameras, detecting affected devices and resolving the issue requires automation if it is to happen quickly. But perhaps the biggest problem is that many organizations don’t even have a plan in place to deal with these impending threats.
Governance and enforcement of cyber-physical security
Networked security and surveillance systems represent the vast majority of IoT systems deployed in the world today. They are flexible, scalable and, in most cases, quite cost effective given new video data and power transmission technologies that reduce overall installation costs. Although some organizations’ systems operate on closed networks that are not connected to the Internet, they still pose some degree of risk if a single unmanaged and undetected IoT device ends up on the network. The reality of the situation is that nothing can be taken for granted, and even closed networks should have some degree of cybersecurity protections in place to help keep the network secure.
The proliferation of purpose-built IP devices, such as surveillance cameras, readers and access/intercom controllers, and the myriad of IoT devices deployed to support them, such as printers, environmental and fire-safety sensors, etc., can be difficult to manage. It is very common for devices to be simply added to a network without being thoroughly checked for security integrity. At any time, there can be a multitude of unauthorized IoT devices connected to a physical security network that pose a significant threat due to poor password management, missing firmware updates or the absence of any certificate management.
Assess, detect and protect
Formulating a cyber-physical security plan starts with defining what assets need to be protected, assessing how malicious actors can access those assets, and evaluating what types of attacks can bypass your network security protections already in place.
Start with the idea that malicious actors see your network as an interconnected attack surface. This makes the ability to establish ubiquitous visibility across every device in your environment a critical need. So, the first step is to detect and identify everything residing on your security network to create a true inventory of IoT devices, so you can determine where all your potential problems reside and what needs to be protected. This can be a cumbersome and tedious manual process depending on the size of your network, but there are solutions available to automate the task and ensure that nothing is overlooked. It only takes a small device, even a USB flash drive, to produce a crack in your network armor, so this is an essential process.
There is a wide range of sensor-driven IoT devices commonly deployed in a physical security network environment to monitor sound, motion, direction, vibration, temperature, presence, object detection, etc. Many of these devices are largely self-configuring and have little processing power at the edge, so they don’t put much strain on a network. Consequently, they all depend on an application to operate effectively, with levels of trust established between that application and the IoT devices. All of these devices are prone to vulnerabilities, which puts the applications and servers they rely on most at risk. This greatly increases the attack surface for hackers.
Hackers can use a variety of tactics to attack existing and new IoT devices that may be added to your security network over time. This requires a well-planned lifecycle management process for existing and new IoT devices. The lifecycle management process should ideally begin with the acquisition of each new device, move through the implementation and management of the device throughout its lifecycle, and end with the disposal of the device at the end of its life cycle.
You also need to watch out for decommissioned devices that may have been physically removed from your network but may have left a software footprint somewhere on it. These de-provisioned systems also present ideal target surfaces for hackers because no one is actively monitoring network activity associated with these otherwise non-existent resources. It is very important to have a process in place to deal with IoT devices at the end of their life cycle. This also includes development sites for various devices and applications, which often remain buried on system servers long after their useful life cycle.
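As an added illustration of the inventory and end-of-life points above (example code written for this page, not from the article or any vendor), the following Python script reconciles an authorized device inventory against what is actually observed on the wire and against the configuration that outlives a device. All device names, MAC and IP addresses, DNS records and firewall entries are constructed; the ARP lines imitate the format of `arp -an` output and are not a real capture.

```python
"""Asset-inventory reconciliation for a physical-security network.

Added example (not from the article). All device data below is constructed.
It answers two questions the text raises:
  1. What is on the network that is NOT in the authorized inventory?
  2. Which decommissioned devices still have a footprint (DNS name,
     firewall allow-list entry) or are still answering on the wire?
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    mac: str          # colon-separated, any case; normalized before comparison
    ip: str
    status: str       # "active" or "decommissioned"


# Constructed authorized inventory (hypothetical devices).
INVENTORY = [
    Device("cam-lobby-01", "00:11:22:33:44:01", "10.20.0.11", "active"),
    Device("cam-dock-02", "00:11:22:33:44:02", "10.20.0.12", "active"),
    Device("acs-door-03", "00:11:22:33:44:03", "10.20.0.13", "active"),
    Device("cam-old-04", "00:11:22:33:44:04", "10.20.0.14", "decommissioned"),
]

# Constructed lines in the style of `arp -an` (not a real capture).
ARP_LINES = """\
? (10.20.0.11) at 00:11:22:33:44:01 [ether] on eth0
? (10.20.0.12) at 00:11:22:33:44:02 [ether] on eth0
? (10.20.0.13) at 00:11:22:33:44:03 [ether] on eth0
? (10.20.0.14) at 00:11:22:33:44:04 [ether] on eth0
? (10.20.0.99) at de:ad:be:ef:00:99 [ether] on eth0
""".splitlines()

# Constructed DNS A records and firewall allow-list entries.
DNS_RECORDS = {
    "cam-lobby-01.sec.example": "10.20.0.11",
    "cam-dock-02.sec.example": "10.20.0.12",
    "acs-door-03.sec.example": "10.20.0.13",
    "cam-old-04.sec.example": "10.20.0.14",  # stale: the camera was retired
}
FIREWALL_ALLOW = {"10.20.0.11", "10.20.0.12", "10.20.0.13", "10.20.0.14"}

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def normalise_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp(lines):
    """Return {mac: ip} for every row that parses; incomplete rows are skipped."""
    seen = {}
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            seen[normalise_mac(m.group("mac"))] = m.group("ip")
    return seen


def reconcile(inventory, arp_lines, dns_records, firewall_allow):
    observed = parse_arp(arp_lines)
    by_mac = {normalise_mac(d.mac): d for d in inventory}
    findings = {"unknown": [], "retired_still_live": [], "stale_footprint": []}
    # 1. On the wire but not in the inventory: an unmanaged device.
    for mac, ip in observed.items():
        if mac not in by_mac:
            findings["unknown"].append((mac, ip))
    for d in inventory:
        if d.status != "decommissioned":
            continue
        # 2a. Retired device still answering ARP.
        if normalise_mac(d.mac) in observed:
            findings["retired_still_live"].append(d.name)
        # 2b. Retired device still present in DNS or in the firewall allow-list.
        leftovers = [host for host, ip in dns_records.items() if ip == d.ip]
        if d.ip in firewall_allow:
            leftovers.append(f"firewall-allow:{d.ip}")
        if leftovers:
            findings["stale_footprint"].append((d.name, sorted(leftovers)))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, ARP_LINES, DNS_RECORDS, FIREWALL_ALLOW).items():
        print(f"{kind}: {items}")
```

On the constructed data this reports one device on the wire that nobody authorized, and one retired camera that still answers ARP and still has a DNS name and a firewall entry, which is precisely the leftover footprint the text warns about. In a real deployment the ARP, DNS and firewall inputs would come from switch or DHCP exports rather than inline strings, and the findings would feed the end-of-life process rather than stdout.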
Creation of a cyber-physical security governance model
Developing a cyber-physical security governance model begins with anticipating threats in the enterprise and in all aspects of business operations. List all major risks your organization needs to address, such as life safety, facility access and availability, critical systems and operations, supply chain, and product integrity. Once a comprehensive list of anticipated threats is developed and prioritized, next steps include defining IoT device vulnerabilities, a process to remediate vulnerabilities on each device and application, and implementing network health monitoring and reporting with measurable metrics. The latter is most important for implementing governance with accountability, so that policies can be actively enforced. Without accountability, there can be no enforcement! Automated remediation solutions such as the Viakoo platform provide device management and video assurance compliance to ensure your physical security network is protected against cyberattacks and functioning properly.
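To make "measurable metrics" and "accountability" concrete, here is an added example (written for this page; it is not from the article and does not model any vendor product) that evaluates each device against a small set of policies drawn from the risks named earlier (firmware currency, default passwords, certificate management, and whether the device is still reporting) and rolls the results up per accountable owner. The device records, model names, firmware baseline, owners and policy thresholds are all constructed.

```python
"""Measurable compliance reporting for IoT devices on a security network.

Added example (not from the article; no vendor product is modelled).
Device records, models and the firmware baseline are constructed. Each
device carries an accountable owner so the report is broken down per owner,
which is what lets a governance policy actually be enforced.
"""
from collections import defaultdict
from datetime import date

# Constructed minimum approved firmware per model (hypothetical models).
FIRMWARE_BASELINE = {"CAM-X1": (5, 2, 0), "ACS-R2": (3, 1, 4)}

CERT_MIN_DAYS = 30     # policy: certificate must remain valid for >= 30 days
MAX_SILENCE_DAYS = 7   # policy: device must have checked in within 7 days

TODAY = date(2024, 1, 15)  # fixed so the example is deterministic

# Constructed device records (hypothetical names, owners and dates).
DEVICES = [
    {"name": "cam-lobby-01", "model": "CAM-X1", "firmware": "5.2.1",
     "default_credentials": False, "cert_expires": date(2024, 12, 1),
     "last_seen": date(2024, 1, 14), "owner": "facilities"},
    {"name": "cam-dock-02", "model": "CAM-X1", "firmware": "5.1.9",
     "default_credentials": True, "cert_expires": date(2024, 1, 20),
     "last_seen": date(2024, 1, 14), "owner": "facilities"},
    {"name": "acs-door-03", "model": "ACS-R2", "firmware": "3.1.4",
     "default_credentials": False, "cert_expires": None,
     "last_seen": date(2024, 1, 1), "owner": "security-ops"},
    {"name": "intercom-05", "model": "ICM-9", "firmware": "1.0.0",
     "default_credentials": False, "cert_expires": date(2025, 1, 1),
     "last_seen": date(2024, 1, 15), "owner": "security-ops"},
]


def parse_version(s: str) -> tuple:
    """'5.1.9' -> (5, 1, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def check_device(dev: dict, today: date) -> list:
    """Return the list of policy violations for one device record."""
    issues = []
    baseline = FIRMWARE_BASELINE.get(dev["model"])
    if baseline is None:
        issues.append("unknown-model")          # no approved baseline exists
    elif parse_version(dev["firmware"]) < baseline:
        issues.append("firmware-below-baseline")
    if dev["default_credentials"]:
        issues.append("default-credentials")
    if dev["cert_expires"] is None:
        issues.append("no-certificate")
    elif (dev["cert_expires"] - today).days < CERT_MIN_DAYS:
        issues.append("certificate-expiring")
    if (today - dev["last_seen"]).days > MAX_SILENCE_DAYS:
        issues.append("not-reporting")          # silent devices need a visit
    return issues


def compliance_report(devices: list, today: date) -> dict:
    """Per-owner metrics: device count, compliant count, percentage, issue tallies."""
    per_owner = defaultdict(lambda: {"devices": 0, "compliant": 0, "issues": defaultdict(int)})
    for dev in devices:
        row = per_owner[dev["owner"]]
        row["devices"] += 1
        issues = check_device(dev, today)
        if not issues:
            row["compliant"] += 1
        for issue in issues:
            row["issues"][issue] += 1
    return {
        owner: {
            "devices": r["devices"],
            "compliant": r["compliant"],
            "pct": round(100 * r["compliant"] / r["devices"], 1),
            "issues": dict(r["issues"]),
        }
        for owner, r in per_owner.items()
    }


if __name__ == "__main__":
    for owner, row in compliance_report(DEVICES, TODAY).items():
        print(f"{owner}: {row['compliant']}/{row['devices']} compliant "
              f"({row['pct']}%) issues={row['issues']}")
```

Each violation maps to one of the device weaknesses the text lists, and the percentage per owner is the "measurable metric" a governance program can track over time; a device whose model has no approved baseline is deliberately counted as non-compliant rather than ignored, since an unvetted model is exactly the kind of exemption the article argues against.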
Another key consideration when formulating a cyber-physical security governance program is exemptions – of which there should be NONE. The use of a zero-trust policy, whereby all network applications and all possible access points have the potential for risk, excludes all exemptions. This includes any trusted partners who may have access to the network for remote maintenance and operations. Ironically, networked physical security systems and administrators with varying levels of access are often “exempted” from enterprise-level IoT governance programs, providing the ideal attack surface for hackers. The eruption of successful and well-publicized cyberattacks on physical security networks is undeniably documented. No exceptions means no exceptions to your cyber-physical security governance model.
Finally, well-defined response mechanisms must be put in place in the event of a cyberattack. This should include rapid response capabilities, organizational resilience, loss reduction processes, and business agility to change the course of operations. These will all vary depending on the nature of your specific operations and your business model. Training on how to implement these mechanisms is important so that parties involved in various aspects of your organization can act immediately and in concert to minimize liability.
The IoT has changed the nature of designing, deploying and operating critical systems such as physical security, providing new levels of performance and protection. As with all new technological breakthroughs, new capabilities create new challenges that require new solutions. Cyber-physical security is a perfect example.