You may have come to this site to learn how to protect your network and IT from the increasing attacks that happen each year. One of the key areas to consider in your IT risk assessment deals with physical security of IT assets.
We have helped companies find issues with cameras, mobile devices, thermostats, televisions, access control systems and other connected devices for over two decades.
We will talk about the Internet of Things (IoT), physical security and steps your business can take to be protected.
What to Know About Cyber and Physical Security
The Internet of Things (IoT) celebrated its 40th anniversary in 2022, and not much attention was paid to this historic milestone despite its significance in the world of cyber security.
In 1982, graduate students at Carnegie Mellon University connected a Coca-Cola vending machine to the nascent internet. This was done for the purpose of checking the machine’s stock status and the temperature of the soda bottles it dispensed from any internet-connected computer anywhere in the world. That Coke machine was the first IoT device. These days, there are more than 10 billion IoT devices, and each of these devices should be considered what is called an endpoint.
In the field of information security, endpoints are any devices that connect to data networks. To this effect, a desktop computer is an endpoint, just like an IP surveillance camera that you can access from your smartphone. Endpoints need to be protected at all times because hackers see them as attack vectors, which means that they consider them to be possible points of network intrusion.
IoT devices form part of the physical layer of the internet, which happens to be more vulnerable in terms of security than many business owners realize. This is a security concern that is complicated by the convergence of cyber and physical security.
The best way to illustrate this concern is as follows: Many IoT devices are installed for the purpose of augmenting security, which means that hackers could disable them, manipulate them, or use them to defeat existing security measures.
In September 2021, an independent cyber security specialist warned about a vulnerability in the popular HikVision IP surveillance cameras. The flaw in question was tied to the firmware of the cameras. They could be exploited to not only gain access to the network, but also redirect the video and audio feed to clandestine devices. In other words, a camera installed to play a role in physical security became a major cyber security risk.
The aforementioned HikVision camera vulnerability is one example of how cyber and physical security are intrinsically tied these days. Imagine if hackers are not able to breach your office network through IP cameras; if they can penetrate the server through other means, they might be able to take control of the camera and even review archived surveillance files. This is a situation in which both cyber and physical security end up getting compromised.
Network intrusion is not the only threat that can target the nexus of physical and information security. IoT devices can be passively conscripted into malicious networks known as botnets, which are often used to distribute spam, launch Distributed Denial of Service attacks against websites, and spread malware.
A single IoT device can bring down an entire data network if hackers are able to take it over. When our technicians conduct security audits, they take into consideration every computer, laptop, smartphone, tablet or IoT device used by a business organization. The key is to ensure that physical security is not being compromised by unsecured or vulnerable endpoints.
The State of Cyber-Physical Security in 2022
Business owners know that information security is just as crucial as physical security in terms of protecting their company assets and operations. If your office server stores sensitive client information, for example, you want to do more than just install a hardware firewall with strong password management. You also need to ensure that no one is able to break into the office over the weekend, with the intention of taking your hard drives for physical data extraction.
There has always been a nexus between cyber and physical security, but what we are seeing in 2022 is a full convergence. As a business owner, you should not ignore that certain aspects of physical security bleed into information security and vice versa. Think about the smart locks installed in many commercial spaces these days.
If one of their features enables remote unlocking and changing of passwords via a browser-based interface, hackers who break into your network may be able to take control of your locks. At the same time, if the locks connect directly to the Internet of Things (IoT), attackers may be able to exploit a vulnerability in order to sneak into a business network.
Need for Comprehensive Cyber-Physical Security Management
The scenario above is what defines the need for comprehensive cyber-physical security management. Smart locks are just one example of physical security devices that can increase the risk of network intrusion. There are also IP surveillance cameras, motion detection sensors, alarm systems and others. If they are not properly configured, IoT devices provide a false sense of security because hackers see them as attack vectors.
Every device that connects to your office network is an endpoint. Other endpoints include network printers, smart lighting systems, smartphones, tablets, the computers employees use when they work from home, and many others.
A tenet of information security is that poorly secured endpoints create substantial risks, particularly if they are tied to physical security. The last thing you want is to be surprised that hackers broke into your servers, because they exploited the connection between your Apple Watch and your office workstation. The same can be said about IP surveillance cameras turned off by hackers who broke into your network because of poor password management.
Part of our service is to do a risk assessment where we consider all the physical security factors, from security guards to restricted access areas to mobile device connectivity to these IoT devices.
Modern network audits pay special attention to cyber-physical security. As previously mentioned, every endpoint is a potential attack vector, and this risk is amplified when the endpoint is an IoT device, especially if it has been installed with physical security in mind. One of the problems we have seen in recent years is the plug-and-play approach to installing IoT devices right out of the box. If you do not bother to configure these devices with network security in mind, they become attack vectors.
Some business owners are able to manage their physical and cyber security separately. A convenience store owner, for example, may use traditional CCTV surveillance systems and private security guards who do not need to access the point-of-sale or office networks. The moment this store owner decides to access the POS back-end system from home, the presence of a new endpoint becomes a physical security risk that must be evaluated and properly secured.
We can help you consider your whole network from access control, physical access, unauthorized access, employee or public safety, and all aspects of your IT physical security plan. We are here to help and would love to work with your team on securing not only your network, but the current physical devices connecting to your network.