The fight against cyber liability is a constantly shifting battlefield in the war to protect businesses of all types and sizes, and security integrators are on the front lines. However, vulnerabilities arising from unsecured cameras, outdated access control systems and other physical security measures can put end users at risk, and plugging these security gaps is a must.
Montreal-based Genetec Inc. recently conducted a survey that found cybersecurity remains a top concern for physical security professionals from around the world going into 2023, with almost half the organizations surveyed having activated an improved cybersecurity strategy in 2022, and more than a third looking to invest in cybersecurity-related tools to improve their physical security environment in the next 12 months.
Of the many capabilities related to cybersecurity and data protection deployed by physical security teams in the last year, cyber-hardening of physical security hardware and access control management were the most popular, with 40 percent of respondents implementing new measures targeting those capabilities, the Genetec survey finds.
“The products that we deployed in the past don’t meet our customers’ compliance requirements of today regarding cybersecurity and it is driving them to replace panels, cameras, intercoms, etc., before they have failed,” says Josh Cummings, executive vice president, technology, at Paladin Technologies, a PSA Security Network member based in Vancouver. “Legacy devices are not able to handle the latest TLS [transport layer security] protocols, encryption, communication standards and so on.”
Manufacturers are fighting back against cyber risk with tools like Genetec’s Security Score widget, a dynamic hardening tool that checks system cybersecurity in real time, laying out guidelines and monitoring whether the different elements of the system comply. // IMAGE COURTESY OF GENETEC
Ensuring cybersecurity is a two-way street: security integrators need to adopt their own internal preventative measures as well. According to the 2022 Verizon Data Breach Investigations Report, supply chain attacks accounted for 62 percent of system intrusion incidents in 2021. And security integrators are essentially a part of this supply chain, says John Szczygiel, chief operating officer at Brivo, Bethesda, Md. “For integrators, this means they must get better with what they do,” he says. “If they go to a customer location with a laptop, logging onto a customer’s system, they represent a risk to a customer if they have access to the customer network. They should look internally and make sure they’re doing things [for cybersecurity] for their own companies.”
This means integrators need to have their own cybersecurity programs and guidelines like issuing and monitoring computers in a structured way and conducting background checks on employees, he says. “The biggest trend in 2023 and beyond is that entities will become very rigorous in how they vet suppliers because they can’t just give them access to the IT network without ensuring that they won’t bring in some risks.”
Security integrators who want to help keep their customers (and themselves!) safe from the ever-present risk of cyber exposures should stay current on emerging vulnerabilities, work with their manufacturers to deliver turnkey solutions, and educate themselves on cybersecurity requirements so they can add that expertise to their solution portfolio. These tips and others are the advice provided by the sources we spoke with on how to help strengthen end users’ cybersecurity.
More Tech, More Risk
While video surveillance and access control systems can be used to protect valuable physical assets, they’re also a frequent target for today’s cybercriminals, especially with the proliferation of the Industrial Internet of Things (IIoT) elements such as video cameras, says George Ajine-Basil, security engineering manager at LenelS2, Pittsford, N.Y. “Malicious actors are continuously evolving their methods to target these physical security technologies more frequently to exploit high-value targets,” he says.
In the past, cameras were particularly vulnerable, since some devices were shipped from the manufacturer with default passwords that were never changed at installation, says Matthew Fabian, national director for sales engineering for Genetec.
Even today, IP cameras continue to be a risk due to older vulnerabilities not being patched by some vendors and users, as well as the use of default usernames and passwords, says Chris Peckham, chief operating officer of Ollivier and Smart Site in Los Angeles.
However, many camera manufacturers now produce cameras that prevent access without the end user first providing an updated password. Authenticating such devices helps prevent “man in the middle” (MITM) attacks, where an attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other — in this case, a camera, Fabian says.
And cameras aren’t the only potential entry point for bad actors, especially with more security devices coming online, he adds. The fact that today’s electronic security systems include more devices — not just cameras and doors, but everything from gunshot detection to temperature sensors — means more potential access points for cybercriminals. “The largest attacks come from people taking over these devices and using them as a bot attack to run DoS attacks,” Fabian says. “A trend we’re seeing is securing these devices and making sure the security system isn’t the weak link in cybersecurity, especially on the IoT side.” This includes forcing secure passwords, using a secure communication protocol like TLS, and practicing more cyber hygiene.
In today’s integrated world, any device with an IP address is vulnerable to a security breach, says Michael S. Ruddo, chief strategy officer at Integrated Security Technologies Inc., Herndon, Va. “I would say the operating system is at the top of the list,” he says. “Ensuring the OS is kept patched to the current security level is key. However, really any device as a part of the overall system with an IP address needs to be secured. Ranking them [by vulnerability] may be unfair as everything within the system environment including the network infrastructure must be cybersecure; otherwise, bad actors can obtain access to the system and that infrastructure to wreak havoc from there.”
With today’s multitude of interconnected devices, continued attention to cybersecurity threats and updates to protecting against them is critical. // IMAGE COURTESY OF ASSA ABLOY
System servers, client access controllers and some door interfaces are now IP-network attached, so keeping those systems up to date is a critical, basic requirement to ensure cyber risks are minimized and remediated, Ajine-Basil says. Some mitigation work, for example, will be handled within the operating systems of those platforms, so lack of cybersecurity maintenance there will result in a larger attack surface.
Mike Kobaly, vice president of engineering at AMAG Technology, Hawthorne, Calif., says, “I think it is difficult to choose the biggest source [of cyber risk] when one really needs to look at the entire ecosystem. If there is an outdated operating system on the network with a zero-day vulnerability, then those are easy to compromise,” he says. “Similarly, as more intelligent devices get added to the network, most of those come with some type of API [application programming interface]. API security is a growing risk and could expose clients to attacks they have not seen in the past. It’s critically important to ensure all devices and operating systems are patched with the latest firmware and security updates.”
And while patches are important, cybercrooks are constantly finding ways around them. “What’s changed over the past few years are geopolitical circumstances, which have spawned sophisticated and more dastardly cyberattacks from international players and from criminals, both domestically and abroad,” says Peter Boriskin, chief technology officer at ASSA ABLOY, New Haven, Conn. “In addition, the pandemic opened up more time for troublemakers to develop new schemes, and work-from-home scenarios unintentionally exposed some WFH systems to vulnerabilities. Fortunately, companies and users are now keenly aware of the impact and taking the necessary steps to strengthen their cybersecurity for hybrid work situations. But it’s still a learning process that needs ongoing attention.”
Cybercriminals are seeking to leverage the resources and processing power of any vulnerable system or component within their accessible attack surface landscape, Ajine-Basil says. “These computing resources can be exploited for malicious purposes, such as creating a botnet. Both MooBot and the Mirai botnets are examples of when insecure IP-based cameras were leveraged by cyberattackers.”
Both security dealers/integrators and IT professionals view cyber liability as a top concern for 2023. // IMAGE COURTESY OF GENETEC
But although it’s the sophisticated scams that make headlines, it doesn’t take a criminal mastermind to hack into a system that’s poorly secured to begin with. On the access control side, “The No. 1 [threat] is use of insecure, non-encrypted credentials,” says Szczygiel of Brivo, with 125 kHz low-frequency readers being especially vulnerable to hacks and to the creation of duplicate, unauthorized key fobs and cards. “You can go to a grocery store 400 yards away and find a machine you can use to copy credentials and make as many copies as you want,” he says. “If you go to CloneMyKey.com, you have the same ability there. The biggest risk in physical security now is using completely insecure credentials that can be duplicated and the readers that go with them.”
Add to this the reality of poor lock installation practices and a lack of maintenance, and you have a perfect storm for cyber-liability. “Locks secure doors, but lots of things go into a proper installation, such as shielding,” Szczygiel says. “If you’re using an infrared detector for free access, it’s convenient, but the problem is there are many ways to trip those detectors from outside. … You can blow smoke through a crack in a glass door and trip the detector, and be in someone’s office in five seconds. And there’s no alarm, because the access control system believes the request was tripped by someone exiting from inside.”
And as always, human error is still one of the most significant contributors to cyber exposure. “I would say the biggest source of risk for electronic security is the people,” says Cummings of Paladin Technologies. “Social engineering, along with poor cyber hygiene, contribute to a large portion of our risk. We need to become more aware, better trained and focused on deploying the technology in a secure manner to reduce this risk.”
This is why more businesses are moving toward a zero trust approach when it comes to cybersecurity, Kobaly says. “Zero trust is becoming the new buzzword, especially as customers move to a hybrid or multi-cloud deployment and software bill of materials (SBOMs) have been made famous by the White House’s executive order to improve the nation’s cybersecurity,” he says.
Advice to Integrators
What’s a top tip for integrators who want to help their customers tighten up their cybersecurity? Use appropriate physical security products and services. Keep it simple, Cummings advises. “Look for easily deployed products to start with,” he says. “Don’t jump into the deep end with services that require a lot of uplift and skilled labor to deploy. Look for products that have prebuilt services that you can resell and deploy and work your way up to the more complex offerings and capabilities.”
This means developing or enhancing a good working relationship with manufacturers, says Fabian of Genetec. “Work with your manufacturers to deliver turnkey solutions. Something secure and hardened and ready to deploy is an easy way to make sure your system isn’t an attack vector.”
The growth of cloud-based products also means integrators must be continually aware of any vulnerabilities among the three major cloud providers (Amazon Web Services, Microsoft Azure and Google Cloud Platform), Kobaly says. “Clients are offloading IT responsibilities to the cloud, so knowing best practices and how the cloud providers handle security, authentication and authorization is critical,” he notes. “Get familiar with known exploits to understand how they work so you can educate your customers. As you become more familiar with top threats, you then become a resource for your customers on how to best prevent these attacks. Help them with best practices and software solutions to help prevent them.”
Finally, integrators should invest in growing their own organizational cybersecurity capabilities, says Ajine-Basil of LenelS2. “While integrators need not try to be broad-based cybersecurity domain experts, they should be the expert within their own domain as it relates to the cyber requirements for the job at hand,” he says. “Maturing these narrowly focused cyber capabilities in-house will enable integrators to become more self-sufficient, with internal resources that can be leveraged across the entire business, benefitting all their customers and helping to grow and sustain their business. In today’s market, this value-add capability can be a key differentiator.”