Tim Compston, Guest Features Writer at Security News Desk, investigates how the line between cyber and physical security is fast disappearing as convergence takes hold.
In our connected Internet of Things (IoT) world it is becoming increasingly difficult to define, in many cases, where physical security ends and cybersecurity begins. Given the dynamics at play here, it is perhaps not too surprising to see IT professionals having an ever-greater influence on the decision-making process when physical security devices are being connected and integrated. These fast-moving developments have also, sadly, left many old-school security integrators, installers, and managers scrambling to keep up.
Bridging the Skills Gap
For his part, David Aindow, Product and Technology Director at Synectics, agrees that there is still a huge skills gap to contend with: "I think that part of the issue here is the sheer pace of change in the IP world." He goes on to explain that when Synectics first started deploying security systems on IP networks the things that were difficult for integrators and installers to get their heads around are now well understood, such as: IP addressing, subnets, and multicast addresses. The problem, sadly, is that the IP world has moved on even further: "They are always a step behind because of the cost to a business of keeping their engineers at the very forefront of the education that is coming from IT vendors," says Aindow.
To put things into perspective, he reflects that to be fully Cisco approved may require sending each engineer on weeks of training every year, just to keep them updated: "It needs a certain skillset to even understand what is on those training courses and those people [engineers], (because of the salary difference in the IT world versus the security world), are expensive," explains Aindow. The fact is, he says, that many security integrators and installers cannot, necessarily, afford the type of resources that they really need to ensure they are deploying systems properly.
Aindow goes on to say that larger-scale integrators are better placed to respond to these challenges: "We deal with major integrators on our oil and gas projects, such as Nokia and General Dynamics, and people like that, and they have the financial clout to afford those skills. But then you go down to your more local type integrators - your regional integrators in the UK - and the best that they can afford is a young graduate who has got an appetite to learn, and some baseline capability, but certainly is not the kind of person that you would want in a network of 3,000 cameras, 50,000 alarm points, 50 user workstations, and lots and lots of databases and file servers."
Are there any answers here? Well, according to Aindow, vendors like Synectics can help to alleviate the issues associated with the skills gap: "We try and help as much as we can. We've actually decided to bring network expertise in-house so we have got Cisco certified engineers working for Synectics." He explains that, if there are scenarios where the integrator and installer simply do not know what to do, then Synectics can help and advise them: "In certain situations, because of the level of qualifications our Cisco guys have, we can purchase and deploy the network on the customer's behalf. The best example of that would be our casino marketplace where, over 60 percent of the projects we have delivered over the last two years, we have also sold and delivered a network," says Aindow. He confirms that selling and delivering a network, which takes away the issue of a system not working due to a factor outside of Synectics' control, is less common in smaller systems, although Synectics has done this on a handful of occasions.
Asking Aindow if he is worried that, in some cases, a skills deficit is opening up security vulnerabilities, in terms of cameras and other infrastructure, he tells me that to shore things up vendors like Synectics are now taking proactive steps to make their solutions more installer-friendly and secure: "We have certainly built-in some of the basics within our system. When you power the system or device up, the first thing it is asking you to do is to change the defaults. At least we are trying to make sure that people don't leave those publicly available user names and passwords open."
Historically, Aindow says that Synectics was also quite fortunate that many customer sites did not allow connectivity to the outside world: "Their networks were closed off." However, he explains that that situation is changing as more and more things are becoming connected due to the nature of the projects: "When you look at the data sources that some of our customers want they are most readily available on the Internet to actually mine so you then have to go through a whole host of system hardening type processes."
Drilling down to some of the specifics on system hardening, Aindow says that this can include: making sure that there are suitable firewalls in place; password changing policies; strong passwords; and that the communication between devices is encrypted to a respectable level. He concludes by stressing the need to educate people about configuration-type risks: "Where is your data? How secure is your datacentre? How are you protecting yourself from possible internal cybersecurity threats with people maliciously destroying data and things like this?"
The Drone Threat
Even the soaring number of drones in our skies illustrates the extent of convergence between cyber and physical security. The ground-breaking Drone Tracker - from vendor Dedrone - is one answer that is gaining traction when it comes to meeting the drone detection requirement. Essentially, Drone Tracker is a multi-sensor drone warning system which reflects the reality that the size, speed, and shape of drones makes identification extremely difficult for a single monitoring method.
Speaking to Jörg Lamprecht, Co-Founder and CEO at Dedrone, about the nature of the threat here, he says that at the start with Drone Tracker the demand was around sites with obvious physical security needs like stadiums or prisons: "That brought a lot of business enquiries, whereas in the recent two quarters it has been more datacentres, headquarters, and design centres, once the news came out about the threat from 'flying hacker laptops'." Lamprecht characterises these as basically drones equipped with networking gear that, when flown close enough, can be used to hack into corporate networks and capture data: "I think that the underlying thing we are seeing is the merger of physical and cybersecurity."
Adding Value at the Door
Stepping back for a wider view of physical security market matters, in the opinion of Philip Verner, Regional Sales Director, EMEA at CEM Systems/Tyco Security Products, people are now demanding more than just security from their physical security devices: "At a bigger level you are seeing buzz words like the Internet of Things coming to the forefront. I am not tying in what we do with that, currently, but it is a trend generally where the security system needs to perform more than its traditional function. That is where you bring in things like our emerald reader or other devices like our handheld reader where you are going beyond just the security elements."
Pressed on the reasons for these demands, Verner puts them down to several factors: "The end user has become much more aware and more savvy in what they are buying." He goes on to point out that IT departments are much more involved and they are looking for the justification around any system: "Security is just another one of their systems going on to their network," says Verner.
More generally, Verner reckons that the consumer world is raising expectations: "Technology in the world has exploded so people are looking for more. People are using a smartphone and it does much more. It is not just a phone, it is a computer in their hand and it does apps and music." The point stressed by Verner is: why would security, or access control, be any different from the technology that is used elsewhere? "If that is a reader on a wall, why is it just a reader? Think of what we have done with emerald, it is an electronic device and we can do much more with it. The concept about our reader, our controller, intercom, room booking, and all the apps, is very much in keeping with the world we live in. People want more from things because that is adding value to the cost of that device," concludes Verner.
Time To Be Vigilant
Addressing head-on much-publicised security questions associated with the blurring of the lines between cyber and physical security, IndigoVision, a leading developer of end-to-end video security solutions, offered a glimpse of CyberVigilant - its upcoming cybersecurity product - at the recent ISC West 2017 show in Las Vegas. The vendor is promoting CyberVigilant as a solution that builds on the fact that data flows in predictable ways. By monitoring that flow, and working with Control Center - IndigoVision's tiered VMS platform - it is designed to detect hacking, or performance-affecting anomalies, and so help keep data safe.
Shining more light on the thinking behind CyberVigilant, Jon Isaacson, a Sales Engineer at IndigoVision, emphasises that the vendor is coming at things from a strong engineering and IT base: "We are an engineering focused company. Our first product was hardware, an IP H264 video encoder back in the day, so we have never been an analogue company, we have been an IP company since we started in 1994." This backstory, and the fact that the vendor has tended to recruit people from IT, computer science, computer engineering type fields, means, explains Isaacson, that IndigoVision has a deep understanding of how video flows across the network and, crucially, what legitimate video traffic is supposed to look like.
Isaacson says that CyberVigilant is partly a response to specific cybersecurity concerns that have emerged in the context of cheaper, less secure, IP cameras: "There are [Chinese] cameras coming into the market - dominating the market - that are bringing unknown risks into the network environment." He contrasts the challenges presented by IP cameras with analogue cameras which in his words are basically 'a dumb piece of equipment': "Traditional CCTV was very, very simple. From a technical security perspective, the simpler the equipment, the less likely it is for a hacker to find a way to take advantage of it."
Now with IP cameras, Isaacson points out that you have this Linux-based computer which, ironically, is the operating system of choice for most hackers who are looking to do 'bad things': "You might have thousands of these cameras around your campus or city or casino, whatever it is, and if any of these are left unsecure or if somebody finds a vulnerability in one of these devices an attacker now has a capable computing platform that they can use to launch attacks on the rest of your system," says Isaacson.
Intrusion Detection and Data Flows
On the specific thinking behind CyberVigilant, Isaacson remarks that it is not simply about reinventing the wheel: "People came and said [at ISC West] are you just making an intrusion detection system because IT has tons of intrusion detection systems, these are mature products. We 100 per cent agree and at the end of the day much of the guts behind CyberVigilant is going to be based on that type of software." According to Isaacson, the distinction lies in the way that IndigoVision is seeking to take its knowledge of what legitimate IP video traffic looks like, and then to apply that to intrusion prevention principles: "This is to help installers and integrators secure their customer's networks in the easiest way possible."
He also notes that other vendors are taking action too: "If you look at things like what Axis is doing, where they are actually embedding software in the cameras to watch for intrusions, I think that is a great idea. As a security professional, it is all about layering your approach and putting as much in place as you possibly can because you can never 100 per cent protect yourself."
What CyberVigilant brings to the table for enhanced cybersecurity, explains Isaacson, is the fact that it sits on the network between the workstations and the cameras and the NVRs: "It is able to monitor the traffic going back and forward to these devices. It is in a great position to detect anomalies by looking at traffic that doesn't make sense and alerting the end user, the administrator, integrator, if an anomaly has occurred on their network."
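The idea described above, that surveillance traffic is predictable enough for flows that "don't make sense" to stand out, sketched as an added example; this is not IndigoVision's code or CyberVigilant's logic. The addressing plan, the baseline of expected services and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")  # initiator -> responder

# Constructed addressing plan (assumption, not from the article).
ROLES = {
    "camera": ipaddress.ip_network("10.20.1.0/24"),
    "nvr": ipaddress.ip_network("10.20.2.0/28"),
    "workstation": ipaddress.ip_network("10.20.3.0/27"),
}

# Assumed baseline: (initiator role, responder role, protocol, port).
BASELINE = {
    ("nvr", "camera", "tcp", 554),          # recorder pulls RTSP video
    ("workstation", "camera", "tcp", 554),  # live view
    ("workstation", "camera", "tcp", 443),  # camera administration
    ("workstation", "nvr", "tcp", 443),     # playback and management
    ("camera", "nvr", "udp", 123),          # time sync from the recorder
}

def role_of(addr):
    """Map an address to its role, or 'external' if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for role, net in ROLES.items():
        if ip in net:
            return role
    return "external"

def check(flow):
    """Return None for an expected flow, otherwise a reason for the alert."""
    src, dst = role_of(flow.src), role_of(flow.dst)
    if (src, dst, flow.proto, flow.dport) in BASELINE:
        return None
    if src == "camera" and dst == "external":
        return "camera initiated a connection leaving the surveillance network"
    if src == "camera" and dst == "camera":
        return "camera-to-camera traffic"
    return f"unexpected service {flow.proto}/{flow.dport} from {src} to {dst}"

def alerts(flows):
    """Pair every out-of-baseline flow with its reason."""
    return [(f, reason) for f in flows if (reason := check(f)) is not None]

# Constructed flow records; 203.0.113.0/24 is a documentation range.
SAMPLE = [
    Flow("10.20.2.5", "10.20.1.17", "tcp", 554),
    Flow("10.20.3.4", "10.20.2.5", "tcp", 443),
    Flow("10.20.1.17", "10.20.1.40", "tcp", 23),
    Flow("10.20.1.40", "203.0.113.9", "tcp", 443),
    Flow("10.20.3.4", "10.20.1.17", "tcp", 23),
    Flow("10.20.1.17", "10.20.2.5", "udp", 123),
]
```

Calling `alerts(SAMPLE)` returns the three flows that fall outside the assumed baseline, each with its reason; a real deployment would derive the baseline from the site's own design rather than hard-code it.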
Isaacson emphasises that measures like CyberVigilant work together with best practice on secure configuration: "Our configuration hardening guide gives advice to properly configure your cameras, your NVRs, and your network, so that way you can be as safe as possible." Isaacson feels that CyberVigilant has the potential to reinforce these principles: "If you have an integrator that installs five new cameras and they leave the password to default, CyberVigilant will start sending alerts out. This will make it easier for the end user to ensure that their installers, and system integrators, are doing the right thing and trying to keep them secure," concludes Isaacson.
Cliff Wilson, an Associate Partner in the IBM Security Business Unit (UK and Ireland), is well placed to provide a perspective on skills and cybersecurity threats from a non-video surveillance vendor perspective. He starts by reflecting on the entire security chain: "From the physical perimeter of the building to the security cameras, the locks on the doors, the vibration panels on the windows, that whole chain is only as strong as its weakest link." Wilson continues that it is, ultimately, about trying to protect the enterprise at all levels from the physical right up to the intellectual capital at the top. Within this, he says, it needs to be remembered that there are skills layers or boundaries: "You wouldn't expect a bunch of guys who are skilled at climbing ladders 50 or 80 feet in the air, who put cameras up on walls, to be cybersecurity experts. What you would expect is that the technology that is being installed is, in and of itself, secure in some way."
Wilson confirms that there is a realisation after the massive DDoS attack last October on Dyn - a DNS host - that when video cameras and other devices which are physical things, down at the Internet of Things (IoT) layer, are compromised, it can be problematic to secure them with 'external add-ons': "What was interesting about the Dyn DNS scenario was that it attacked the capability of the Internet to provide a service. The attackers used the Mirai botnet to target a variety of DNS sources on the Internet such that the Internet wouldn't be able to work the way that it was designed to," says Wilson.
In the aftermath of the Dyn DNS situation, Wilson says it was discovered that many of the video cameras, and other devices involved, had small pieces of hardware - circuit boards - that had been bought in from Chinese or Taiwanese companies. The issue this threw up, according to Wilson, was that many of these had 'no inherent security in them' or if they did the security was 'relatively easy to circumvent': "In some cases even where you were able to change the password the moment that you switched that device off, and switched it back on again, the password reset itself to a publicly known original password so the device wasn't secure at all."
Given this reality, Wilson reflects that there is a strong onus on the providers of equipment to demonstrate that their solutions are secure from the off: "If you buy an electric device today like a hairdryer or a Hi-Fi, whatever it might be, there will be a CE mark and that CE mark gives you, the consumer, the understanding that if you plug this device in and switch it on it is not going to electrocute you, it is not going to kill you."
Wilson reveals that several cybersecurity experts, including himself, are positing that the same thing should happen for devices like video cameras, and anything else that is going to be connected to the Internet: "So the concept won't be a CE mark, it will be the security equivalent. The idea being if you look at the bottom of the device, or the advertising about this device, you can see it conforms through what I like to call ‘the IoT security mark’. Then you know, with some degree of certainty, that when you put that device onto the Internet, and start to make use of it, it is not going to be easy to hack and you are going to be able to control passwords etc. on the device."
Ultimately, Wilson reflects that, without a scheme like the ‘IoT security mark’ in place, the question remains of how you are going to find out whether the device that you are buying online - or that is being supplied and installed by your third-party contractor - is secure or not: "All you will know is they [the cameras] provide a decent colour picture. To reiterate, the theory is that we should be having a similar thing to the CE mark for the security of IoT devices," he says.
A second remediation step proposed by Wilson to tackle the security risks associated with Internet of Things devices, like cameras, is monitoring by SIEM (Security Incident and Event Monitoring) tooling: "Those devices are monitoring security endpoints, servers, software - the normal IT world - but it is obvious that SIEM is going to have to work in the Internet of Things world."
Facing The Challenge
With the distinction between physical and cybersecurity meaning less and less, as convergence takes hold, this dynamic is also presenting new challenges from the security of security systems, to skills gaps amongst more traditional security installers and managers. It will be interesting to see how things develop here in the year ahead and whether any of the potential remedial measures suggested gain traction.