Physical security professionals have seen changes over the last year regarding the cybersecurity aspects of managing video surveillance and access control.
Those changes are all driven by the perception (and reality) that the most easily breached part of any organization is the Internet of Things (IoT)/operational technology (OT) devices they operate.
Cyber vulnerabilities in security technology
According to the Palo Alto Networks Unit 42 research group, IP cameras are the most easily breached devices in the enterprise, followed by printers and access control systems. The high degree of risk to the organization is why internal physical security and IoT/OT leadership need to embrace new business models — and the sooner, the better for all involved.
There are several reasons why physical security, specifically IoT/OT in general, is a focus for threat actors. Look at an IP camera — it’s a Linux server with powerful computing, network and storage capabilities (and sometimes hangs outside a building with exposed ports).
All too often, physical security and IoT/OT devices use default or easily guessed passwords and lack recent firmware security updates, making them exploitable. Another reason is that many IoT/OT devices use open-source software components, which have had a significant increase in vulnerabilities present in them over the past year. In areas like physical security, where there is a mix of makes and models in any deployment, open-source vulnerabilities can be hard to remediate because the devices may depend on multiple manufacturers developing firmware updates to remediate the vulnerability.
Having IoT/OT devices that live on past their supported “end of life” date (and that never receive another firmware update) also makes businesses targets. Since IoT/OT devices are often sprawled across the organization physically, it takes longer to get to and update them, further extending the vulnerability window.
It’s not only the inherent insecurity of physical security and IoT/OT devices driving change, but also the advisory and regulatory environment. Last year, Gartner predicted that CEOs would be personally liable for cyber breaches within a few years. Industry-level organizations ranging from telecommunications, energy, real estate and others have added specific controls and measures around cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) has delivered mandates to federal civilian agencies requiring patching and remediation within weeks for urgent vulnerabilities.
This has led to several changes inside organizations. Leadership boards are now being encouraged to have cyber experts as board advisors. CEOs and risk and compliance officers are asking for physical security and other IoT/OT device operators to ensure that they comply with overall corporate information security policies (or get specific exemptions from them). Many organizations are bringing together their IT and line of business managers in “Security Councils” or “IoT Committees” to map out strategies and best practices on cybersecurity.
This means that physical security teams need to have information available about their systems and how cyber hygiene is being performed on them (not to mention that data from physical security systems needs to be available and ready for auditors).
Moving forward with secure technology
Now is the time to address these new needs at the intersection of physical and cybersecurity. Two key elements to that are internal coordination and having the proper tools to manage security. As mentioned above, companies have started to bring together IT and the line of business owners of IoT/OT to promote communications around IoT/OT security.
The advantage of this approach is when disaster strikes, the team is already used to working together and exchanging relevant information. In addition, many industries are starting to have cross-company efforts to share information and best practices.
In addition to forming a community around IoT/OT security, the right automation tools are also needed, such as asset discovery tools. If a vulnerability is being exploited, having a network access control solution that can block traffic from the device can help mitigate the exploit.
However, it’s critical to follow mitigation with actual remediation of the vulnerability — because taking IoT/OT devices offline usually cripples the business or the business purpose of the device operating. For an IoT/OT security platform, the key functions are firmware patching/updating (for remediation) as well as being able to enforce the organization’s password policies; for organizations who have embraced zero trust architectures, having certificate management is also needed to extend zero trust to IoT/OT devices.
One area that is often overlooked is the need for automated service assurance. With IT systems, there are multiple ways to ensure that system’s operations — with IoT/OT devices, there are not. Therefore, ensuring that the IoT/OT devices perform as they should is a foundation for IoT/OT security and can provide very useful data. For example, seeing an IP camera’s onboard memory start to spike could indicate that the device is being used to distribute ransomware. Historical performance records can also assist in the forensic audit performed when a breach occurs.
Having both an established internal security community and tools and systems to manage IoT/OT security not only helps organizations today, but it sets the stage for what will likely be increased focus and requirements put onto physical security specifically and IoT/OT systems in general. Looking ahead, the need to embrace enterprise-wide security policies will drive physical security teams to operate systems within the context of those policies, whatever they may be: multi-factor authentication, zero trust architectures, biometrics, audit and compliance reporting, supply chain requirements, etc. The list will continue to grow and develop to make a better, safer world, especially at the intersection of physical and cybersecurity.