26 Apr 2019

As physical security systems increasingly resemble the architecture of an IT (information technology) network, the cybersecurity risks are increasing. Sometimes hacks in physical security go unrecognised because of poor detection. Here's part two of our Cybersecurity series. 

Going forward, the physical security industry should adopt the same principles as the information security market, embracing new elements such as risk assessment and certifications. A change in culture is needed to align and embrace cybersecurity and make necessary improvements, says Terry Gold of D6 Research.

Independent testing and access control

There are signs of progress. Increasingly, access control systems today are designed to be more cyber-resilient and are tested extensively to discover and address any vulnerabilities.

For example, the latest version of Tyco’s C-Cure 9000 undergoes independent testing to discover and address any critical vulnerabilities, and new firmware and software updates are tested to ensure they do not open any ‘back doors.’ Tyco’s Cyber Protection Program is part of the company’s ‘holistic approach’ to supplying customers with quality solutions.

If cybersecurity is managed properly, the new wave of access control systems is as secure as previous systems and, in some cases, more secure. For example, the new generation of smart cards, such as MIFARE DESFire EV1 or EV2 and HID iCLASS Seos, uses protocols that are much safer than the last-generation Wiegand systems. New secure protocols such as OSDP version 2 are a better alternative to Wiegand.

Protocols for wireless electronic locks

Wireless electronic locks use security protocols such as encryption and authentication that prevent cybercriminals from accessing the network to get data and intercept commands. In short, the information in an IP-based access control system is at no greater risk than any other information being transmitted over the network, as long as smart decisions are made on how systems are connected and data is transmitted and stored.

Standards are one approach to ensure a minimum level of cybersecurity for physical security products and systems. For example, Underwriters Laboratories (UL) seeks to work with manufacturers to up their game on cybersecurity and to certify compliance with a minimum level of cybersecurity ‘hygiene.’

Requirements for software cybersecurity

The UL Cybersecurity Assurance Program (CAP) has developed the UL 2900-1 standard, which offers General Requirements for Software Cybersecurity for Network-Connectable Products. It was published in 2016 and in July 2017 was published as an ANSI (American National Standards Institute) standard.

The standard was developed with cooperation from end users such as the Department of Homeland Security (DHS), U.S. National Laboratories, and other industry stakeholders. UL 2900-2-3, the standard that focuses on the electronic physical security/Life Safety & Security industry, was published in September 2017.

Physical security integral to cybersecurity

Not only should cybersecurity be an element in physical security, the reverse is also true: Physical security should be seen as integral to cybersecurity. Looking at the intersection of cybersecurity and physical security from this opposite angle uncovers a world of opportunity to make the enterprise safer.

Physical risks to cybersecurity include insider and outsider threats, poor or non-existent screening, and the presence of a seemingly innocent personal item. Off-the-shelf devices such as SD cards, external hard drives, audio recorders and even smartphones can be used to transport audio, video and/or computer data into and out of a building.

For the private and public sectors, the risk for data to be physically removed from a building is greater than ever, and physical security systems can protect against this vulnerability.
