This October marks the 18th annual Cybersecurity Awareness Month. Over that span, cybersecurity has gone from being a topic the IT department mostly worried about to one that is top of mind for everyone from the CEO to the receptionist at most businesses. Facilities are doing more education and awareness work than ever before to help employees understand how to spot phishing, DoS, password theft and other threats.
Unfortunately, cyberattacks have also increased in both frequency and complexity in the past year, as more employees worked from home, using personal computers — or company equipment for personal reasons — and the rules and norms of the workplace became tougher to monitor and enforce.
According to the FBI’s 2020 Internet Crime Report, its Internet Crime Complaint Center (IC3) received a record number of complaints in 2020 — nearly 800,000, with reported losses in excess of $4.1 billion. This is nearly double the average number of reports the center receives in a year.
Now more companies are bringing workers back (or preparing to very soon), but some experts suggest hybrid work may be here to stay.
What does this mean for enterprise security systems? For one thing, it means they may need updating or, at the very least, hardening. For example, some facilities have access control systems that use older technologies such as Wiegand-based protocols and proximity cards; these have been shown to be vulnerable (the Wiegand signaling between reader and controller is neither encrypted nor authenticated) and can be the weak spot in a security system. Cameras and other physical security devices can also be vulnerable, with default passwords and unsecured connections.
Just last week, Coleman Wolf, CPP, CISSP, presented a virtual session at GSX, “Hacking Building Controls for Fun and Profit: Security Risks to Cyber-Physical Systems,” that also touched on these threats — both to physical security and building controls.
What used to be primarily DDoS attacks (like the Mirai botnet in 2016) has evolved into more sophisticated and, for the attacker, more profitable attacks that can impact and even mimic important building or security controls, making you think they are working normally when they are not.
“Ransomware attackers are getting savvy about what to do and how to maximize the impact they have — whether attacking a particular time of day or a particular system,” he explained. “They will launch an attack when you most need the system, for example, or when you are least able to respond, such as a holiday.”
The good news is that manufacturers and products on both the building control and physical security sides have gotten much better over the past few years at addressing cybersecurity issues and getting away from things like default passwords.
However, consumer IoT devices still have a lot of these problems, Coleman explained. Consumers often value convenience over security.
With more remote workers, this may become a concern that extends beyond the workplace and muddies the field even more.
Last January the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released guidance on the convergence of cyber and physical security that pointed to the growing risk physical security products pose. The report read, in part, “The adoption and integration of IoT and industrial IoT devices have led to an increasingly interconnected mesh of cyber-physical systems, which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape.”
The guide includes a framework for aligning security functions, along with a set of convergence case studies.