Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

1/14/2021
11:00 AM
James Willison, founder of Unified Security Ltd
James Willison, founder of Unified Security Ltd
News
50%
50%

Who Is Responsible for Protecting Physical Security Systems From Cyberattacks?

It's a question that continues to engage debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: Who is responsible for their cybersecurity?

In recent years it has become more obvious that physical security systems are dependent on IT and vulnerable to cyberattacks.

In 2007, the movie Live Free or Die Hard showed how a group of criminals were able to control traffic systems and bring Washington DC and the stock market to a standstill. In the film Johnny English Strikes Again (2018), all the trains in the UK are directed to Bristol.

These movies are very much based in reality. In 2016, the BSIA warned us of the risks and recommended that "end users of IP connected CCTV systems should also ensure that they have comprehensive cyber security and information security policies in place." In 2019 a Norwegian company spent £45 million to restore its computer systems, factory machinery and building systems following a ransomware attack on its 170 sites and over 35,000 staff.

While these were operational technology systems, the 2019 BBC series The Capture demonstrated how CCTV could be hacked to convince police and security services' investigations that a lead suspect was guilty by adjusting the time frame in the system. Once again, this television 'drama' is now the unfortunate reality. The "IFSEC Global Video Surveillance Report 2020" found that 76% of respondents were concerned about the cybersecurity of surveillance systems.

For those who haven't noticed this issue, it would be wise to take stock. It is now likely that the physical security system can be attacked. As far back as 2014, the UK CPNI stated that it was possible. Cybersecurity has progressed very rapidly since then, hence a physical security lead should be engaging with the cybersecurity team to work with them — and vice versa.

Whose Responsibility Is It?
But who is responsible for protecting them from these attacks?

Is it the owner of the system? For some this is clearly the physical security lead. After all, they or their predecessor purchased or recommended it, didn't they?

But now they have a problem as they have heard the systems are not secure. Are they accountable to the business if an attacker gains access through the CCTV system to the IT corporate email and convinces the finance director to authorize an invoice costing thousands of pounds?

Or is the head of IT who authorized the CCTV system and gave responsibility for its day-to-day management to the head of physical security responsible? Or perhaps it is the head of cybersecurity who is an expert in the field and has implemented a range of controls on the network to mitigate cyberattacks? Surely this person is the one who is responsible?

Well, maybe.

A poll I conducted in November with a small group of 14 security professionals indicated 69% think physical security systems are cyber. When a ransom attack is mounted and successful, whose job is then at risk — the CEO/CIO/CISO or CSO? The board may decide that one or more people should be fired.

When you want to pay a ransom — who does it? This is a gray area, but once these systems are hacked the responsibilities will become clearer and some will lose their jobs.

Are there easy answers? Is one person responsible? Or, as some would argue, isn't everyone responsible for security?

In risk management there are RACI (Responsible, Accountable, Consulted, Informed) tables which indicate that one person is responsible for performing the work effort and management of the risk. This is usually the system or business unit owner. But that might be hard to identify for some people in large organizations.

Other business functions are meant to support that person and offer their expertise and technological services. If you occupy any of these roles, then it is important to ensure you are protecting the systems from attack, whether you are directly responsible or not. If you see a person in need of help it is vital to work with them — for their sake and the success of the business.

Whoever you believe is the most responsible for protecting physical security systems from cyberattacks, ultimately it must be a cross-functional team effort.


(Column continues on next page--see link below.)

IFSEC Global, part of the Informa Network, is a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, ... View Full Bio
 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
li'l ciso
50%
50%
li'l ciso,
User Rank: Strategist
1/14/2021 | 12:46:30 PM
Fortune 1000 has a name for this
In the United States, companies that make 1 Billion USD or more annually are often in the Fortune 1000. These large Enterprises should (most do) have a Corporate Security team

I prefer using the Corporate Security banner because this includes Corporate Security Intelligence (i.e., threat intelligence, trusted insider threat prevention, etc), while the private security industry or the perimeter security business units are often focused away from issues such as stolen property or high-grade or even hybrid threats
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...
CVE-2021-3197
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.