Strategies to Help Navigate the Cyber-Physical Security Dilemma

March 7, 2022
Formulating a cyber-physical security plan begins by defining what assets need to be protected

With all the recent news reports of cyber threats and vulnerabilities and successful attacks associated with physical security endpoints and IoT devices, you would think that the industry at large would be paying very close attention to network security where these systems reside. Unfortunately, for reasons unbeknownst to a large population of cyber-physical security professionals, it simply ain’t so. Just recently, a critical vulnerability affecting as many as 100 million video cameras worldwide was unveiled by a white-hat hacker. That’s a whole lot of cameras residing in what we can safely assume to be some very high-security venues and applications. Fortunately, a resolution to the problem has been quickly identified and a solution made available.

Now the challenge is to implement the solution before the now widely publicized vulnerability is exploited by any number of mischievous hackers or some truly bad players who can wreak havoc on potentially thousands of organizations’ networks and assets with severe liabilities. In systems with dozens if not hundreds of cameras, detecting the affected devices and remediating the problem requires automation to expedite the process as soon as possible. But perhaps the larger problem at hand is that many organizations don’t even have a plan in place to address such imminent threats.

Cyber-Physical Security Governance and Enforcement

Networked security and surveillance systems represent the vast majority of IoT systems deployed around the world today. They’re flexible, scalable and in most cases, quite cost-effective given new video data and power transmission technologies that reduce the overall costs of installation. Although some organizations’ systems run on closed networks that are not connected to the Internet, they still pose some degree of risk if just one unmanaged and undetected IoT device finds its way onto the network. The reality of the situation is that nothing can be taken for granted, and even closed networks should have some degree of cyber-security protections in place to help ensure network security.

The proliferation of purpose-built IP devices like surveillance cameras, access/intercom readers and controllers and the myriad IoT devices deployed to support them like printers, environmental/fire safety sensors and more can be tough to manage. It is very common for many devices to simply be added to a network without being thoroughly vetted for security integrity. At any given time, there can be a multitude of unauthorized IoT devices plugged into a physical security network that pose a significant threat due to poor password management, indiscriminate or lack of firmware updates or any degree of certificate management.  

Assess, Detect and Protect

Formulating a cyber-physical security plan begins by defining what assets need to be protected, assessing how bad actors may gain access to those assets, and evaluating what types of attacks can bypass your network security protections already in place.

Begin with the notion that bad actors see your network as one interconnected attack surface. This makes the ability to establish pervasive visibility into every device in your environment a critical need. Thus, the first step is to detect and identify everything that resides on your security network to create a true inventory of IoT devices so you can determine where all your potential problems reside and what needs protection. This can be a tedious and all time-consuming manual process based on the size of your network, but there are solutions available to automate this cumbersome task, ensuring that nothing is overlooked. It only takes one small device, even a USB memory stick, to produce a crack in your network armor, so this is an essential process.

There’s an extensive range of sensory-focused IoT devices commonly deployed across a physical security network environment to monitor sound, motion, direction, vibration, temperature, presence, object detection and more. Many of these devices are typically self-configuring without huge amounts of processing power at the edge so that they don’t put too much stress on a network. As a result, they all require an application to effectively function, where there are some established levels of trust between the application and these IoT devices. All these devices are prone to vulnerability, placing the application and server destinations they rely on most at risk. This dramatically increases the attack surface for hackers.

Hackers can use a variety of tactics to attack both existing and new IoT devices that may be added to your security network over time. This calls for a well-planned lifecycle management process for both existing and new IoT devices. The lifecycle management process ideally needs to begin at acquisition of each new device, run through implementation and management of the device over its lifecycle and conclude with the deposal of the devices at the end of its lifecycle.

You also need to pay attention to decommissioned devices that may have been physically removed from your network, but that may have left a software footprint somewhere on your network. Such deep provisioned systems also present ideal target surfaces for hackers since no one is actively monitoring network activity associated with these otherwise non-existent resources. It is most important to have a process in place to deal with IoT devices at the end of their lifecycle. This also includes staging sites for various devices and applications – which often remain buried on system servers long after their useful lifecycles.

Creating a Cyber-Physical Security Governance Model

Developing a cyber-physical security governance model starts with anticipating threats across the enterprise and all aspects of business operations. List all the major risks your organization needs to be concerned with such as people’s safety, facility access and availability, critical systems and operations, the supply chain and product integrity.  Once a comprehensive list of anticipated threats is developed and prioritized, the next steps include defining IoT device vulnerabilities, a process for remediating the vulnerabilities on each device and application and implementing network status and reporting with measurable metrics. The latter is most important to implement governance with accountability so that policies can be actively enforced. Without accountability, there can be no enforcement! Automated remediation solutions like the Viakoo Action Platform provide device management, and compliance with video assurance to ensure your physical security network is secure from cyber-attacks and is performing properly.

Another critical consideration when formulating a cyber-physical security governance program deals with exemptions – of which there should be NONE. Employing a zero-trust policy, whereby all possible network applications and access points have risk potential, precludes all exemptions. This includes all trusted partners who may have network access for remote maintenance and operations. Ironically, networked physical security systems and administrators with various levels of access are often “exempted” from enterprise level IoT governance programs providing the perfect attack surface for hackers. The rash of successful and well-publicized cyberattacks on physical security networks are undeniably documented. No exceptions mean no exceptions to your cyber-physical security governance model.

Lastly, there need to be well-defined response mechanisms in place in the event a cyber attack takes place. This should include means for quick intervention, organization resiliency, loss reduction processes and business agility to change the course of operations. These will all vary based on the nature of your specific operations and business model. Training on how to implement these mechanisms is important so that affected parties across various aspects of your organization can act immediately and in concert to minimize liabilities.

The IoT has changed the nature of how critical systems such as physical security are designed, deployed and operate delivering new levels of performance and protection. As with all new technological breakthroughs, new capabilities foster new challenges which require new solutions. Cyber-physical security is a perfect example.

About the author: Bud Broomhead is the founder and CEO of Viakoo. The southern California company features the agentless Viakoo Action Platform that keeps distributed unmanaged and IoT environments secure and continuously operational at the lowest risk and cost. Visit Viakoo.com for information on automating IoT management across your physical security network environment.

About the Author

Bud Broomhead

Bud Broomhead is CEO of Viakoo