What’s new in cybersecurity for physical security systems?
Editor Introduction
A sad irony in the physical security industry has been the lax attention paid historically to the cybersecurity elements of our industry’s systems. However, the picture has improved starkly in recent years as manufacturers have stepped up to meet the cybersecurity challenges and awareness of the issue has become much higher. We asked this week’s Expert Panel Roundtable: What's new in cybersecurity for physical security systems?
Cybersecurity vulnerabilities found in several popular physical security systems are resulting in more customers demanding proof manufacturers take cybersecurity seriously. Increasingly, that proof means independent verification that systems are cyber-secure, such as compliance testing to national cyber security standards and software releases tested by independent penetration test labs. It also means manufacturers must demonstrate strong cybersecurity practices in their product development lifecycle process. This can include staff cyber security induction and education programs, design reviews and automated code testing during development, penetration testing prior to release, and ongoing vulnerability fixes post-release. That last point is perhaps the greatest change in the physical security industry. Customers need to be sure their physical security manufacturer will continue to invest in their installed systems’ security, publishing Common Vulnerabilities and Exposures (CVEs) found in their products and frequently producing updates to their software to keep them protected from changing cybersecurity threats.
Due to the remote access, storage, and management of video surveillance data that cloud technology provides, cybersecurity is crucial. Cyber threats such as hacking, data breaches, and malware attacks can leave cloud services vulnerable. Therefore, implementing cybersecurity measures is essential to protect sensitive data such as video footage and access logs from unauthorised access, and to ensure data privacy and protection. It's also important to comply with regulations such as GDPR and HIPAA to maintain regulatory compliance. Moreover, SOC 2 Type 2 certification is significant as it guarantees that cloud service providers have implemented effective controls to protect the security, availability, processing integrity, confidentiality, and privacy of their customer's data. SOC 2 Type 2 certification provides customers with the confidence that their cloud service provider has taken appropriate measures to protect their sensitive data and thus helps attract and retain customers who prioritise data security.
When it comes to cybersecurity for physical security systems, one of the chief priorities today is ensuring the authenticity and safety of data as it is captured and transferred from camera to cloud to server. This is essential in maintaining trust in the overall value of physical security systems, especially as more and more organisations are being targeted by hackers aiming to make the next big breach. Additionally, an increasing number of technology vendors and manufacturers are taking a more proactive approach to cybersecurity, sourcing help with identifying vulnerabilities via “bug bounty” programs meant to incentivise the external uncovering and reporting of software bugs. It’s also important to note that new legislation concerning cybersecurity will impact how organisations approach it in the coming years, as changes will likely need to be made to ensure compliance with whatever ends up getting passed officially.
When you look at how physical security is moving more toward the Internet of Things (IoT) realm, you have new ways of facilitating edge computing. For example, AWS IoT Greengrass edge devices connect to devices without having to be in the same location. There are also a number of security advances with IoT devices: cameras are becoming more secure, and access control is far more secure as they shift into the cloud. As we look forward, we can expect more connectivity as device manufacturers take advantage of cloud services, strengthening security configurations and security posture across these devices. What I hope to see is more collaboration between infosec and physical security moving forward, which means being in the same room when decisions are made, budgets are created, and security is viewed in an increasingly holistic manner.
A security framework called zero trust is quickly gaining adoption worldwide to address the vulnerabilities of connected network devices. With zero trust, all users, whether inside or outside an organisation’s network, must be authenticated, authorised, and continuously validated for security confirmation and posture before being granted access to applications and data. The central idea behind the zero-trust model is to “never trust, always verify,” which states that devices and users should not be trusted by default, even if they were previously verified on a permissioned network. Through a recent executive order, the U.S. White House has mandated federal compliance with zero-trust architecture and design by 2024. This will result in a huge federal shift in U.S. policy for 2023 with ripple effects on any organisation doing business in the United States. As the past has shown us, others soon follow where the federal market goes.
To protect sensitive video data, modern video management systems require essential cybersecurity measures. These include access control through strong passwords, multi-factor authentication, and role-based access control. Encryption is important to protect video data during transmission and at rest. Firewalls and network segmentation are critical to prevent unauthorised access to the system from external networks. Regular software updates and patches are necessary to address security vulnerabilities and stay up to date with the latest security features. Logging and auditing are also important in monitoring access to the system and detecting any unauthorised access attempts. By implementing these measures, organisations can ensure that their video data is protected from cyber threats.
There are several new developments in cybersecurity for physical security systems that are worth noting. One of the key trends is the move towards more integrated and interconnected security systems. This means that not only are physical security systems becoming more sophisticated, but they are also being combined with other technologies such as cloud computing, machine learning, and artificial intelligence. Another trend is the increased use of encryption and other security measures to protect data and prevent unauthorised access. This is especially important given the growing amount of sensitive data that is being collected by physical security systems. There is also a greater emphasis on training and educating employees and other stakeholders on best practices for cybersecurity to ensure that they are aware of potential risks and vulnerabilities. The field of cybersecurity for physical security systems is constantly evolving, and it is important for businesses and organisations to stay up to date with the latest trends and best practices to ensure that their systems are secure and protected from potential threats.
We see a growing awareness of the cybersecurity of physical security systems. As more organisations implement enhanced cybersecurity measures, they are needing ways to implement these at scale. Manufacturers who are committed to cybersecurity are now building tools to streamline the maintenance and updates of their systems. They are facilitating the implementation of strong cybersecurity protocols across the entire organisation. Likewise, with the increased adoption of cloud or hybrid solutions also comes additional layers of cybersecurity designed not only to protect against malicious actors but also human error. With cloud solutions, organisations have access to the latest built-in cybersecurity features, including privacy controls, strong user authentication, and various system health monitoring tools. As soon as the latest updates are available, they are pushed immediately into the system. This helps physical security systems remain protected against vulnerabilities and stay actively monitored to detect and defend against cyberattacks.
One of the more interesting state regulations related to cybersecurity for physical security systems came out of Kentucky in 2022. Two separate bills, covering insurance data and investment advisors, require insurance providers and investment advisors to both establish and implement physical security and cybersecurity policies and procedures. While many of the requirements may feel like common sense to cybersecurity professionals, it’s important to bear in mind that not everyone considers how cybersecurity incidents can stem from physical intrusions. Risk evaluation criteria are also incorporated, requiring covered entities to assess the effectiveness of controls and adjust as required. This should help licensees to maintain the confidentiality and integrity of covered data.
The increasing integration of security systems with other technologies makes cybersecurity progressively critical in the physical security world. Intercoms and unified communications systems are essential components of physical security infrastructure that enable effective communication and coordination during emergencies or security incidents. However, they also create new cybersecurity risks that require the implementation of appropriate cybersecurity measures such as firewalls, intrusion detection and prevention systems, encryption, and access controls. In addition, training employees on cybersecurity best practices is crucial to ensure they are aware of potential risks and how to mitigate them. For instance, a cyber-attack on an intercom system could allow an attacker to gain access to sensitive areas or disable the system, while an attack on a unified communications system could lead to the theft or manipulation of sensitive information, compromising the security of the entire physical security infrastructure. To address these risks, it is crucial to implement appropriate cybersecurity measures such as firewalls, intrusion detection and prevention systems, encryption, and access controls.
Secure application programming interfaces (APIs) have become increasingly important in recent years for physical security access control systems, alongside other advancements in cybersecurity such as encryption and two-factor authentication. APIs enable different systems and devices to communicate, which is crucial for access control systems that rely on multiple devices and software applications, or to integrate with third-party systems. However, secure communication is necessary to prevent unauthorised access to sensitive information. Additionally, compliance with industry standards and regulations such as PCI DSS and GDPR is crucial, and secure APIs can help ensure that. By using secure APIs, data breaches can be prevented, and the privacy of individuals can be protected, as only authorised users can access sensitive information.
Cybersecurity strategies, like zero trust, that are applied to protect digital resources and assets, can and should be applied to physical security as well. Zero trust based on the concept of “Never Trust, Always Verify” has three key principles, namely, Verify Explicitly, Least Privilege Access, and Assume Breach. While zero trust principles have gained acceptance and adoption in the digital world, the framework is also applicable to physical security. Ensuring only verified and authorised users have access to the areas and resources they need can help protect against physical threats and theft that may include digital resources stored on physical systems. By ensuring access to physical locations is segmented based on role and responsibilities, high-value assets are secured by multiple layers of security, and key infrastructure like servers and laptops are encrypted and set up with appropriate backup and disaster recovery processes to limit damage from a breach.
The field of cybersecurity rarely stands still and that is very much the case now. For example, there are changes and updates taking place to ANSSI certifications and qualification criteria for manufacturers and suppliers in the French market. It is essential that any business operating in this market understands these and ensures that its products meet the updated rules. There are also changes taking place to CPNI certification for access control in the UK, along with new CAPSS criteria which again need to be properly understood and considered. Overall, there needs to be a realisation that cybersecurity is more important than ever and must be addressed by all manufacturers and integrators in the physical security space.
The delivery of end-to-end security is at the very heart of what we provide customers with today. It’s a key area of focus. We ensure that the data and communications are completely secure from the credential – irrespective of whether it’s a physical card or virtual token – to the readers, controllers, and all the way to the host software where the access control system is installed. Implicit in this is that Personally Identifiable Information is protected along the chain via a series of data encryption mechanisms using protocols such as OSDP and 802.1x. In terms of recent developments, cloud-based access control management is maturing as confidence in the “cloud” has shifted from innovators and early adopters to business as usual. Interest has grown given cloud solutions offer a perfect mix of cost, maintenance, and deployment efficiencies. Using a software-based approach to manage credentials over their lifecycle makes it far simpler to issue, revoke or suspend them in real time. You just can’t do this with physical cards. If someone walks out with a plastic badge and it’s not deactivated, it still works, presenting an obvious security risk. Another key driver pushing cloud adoption is support for mobile access integrated with Apple Wallet. You’ll see this in landmark projects like 22 Bishopsgate in the City of London where office workers can use their Apple iPhones or Apple Watches to enter the building simply by holding their device near any NFC-enabled door reader given their employee badges are stored directly in Apple Wallet. The “knock-on” effect is ensuring security is guaranteed. Cloud-based access control solutions should meet SOC Type 2 compliance assessments along with ISO 27001 certification so that end-users can be totally confident that the latest standards are met.
Editor Summary
New concepts such as zero trust are helping to drive new levels of cybersecurity protection for today’s physical security systems. Also promoting more attention to cybersecurity are regulations such as GDPR and certifications such as SOC 2 Type 2. In addition to the specifics, there is more commitment by manufacturers to do their part for cybersecurity, starting with product design and extending beyond installation in the field. Best of all, there is broadly more awareness among all parties, including integrators and end users, of the eternal challenges of keeping data and systems safe in the physical security world.