How Government Organizations Can Protect Their Physical Security Systems from Cyber Risk

It might seem ironic that a physical security solution designed to protect people and property can provide an entry point for cybercriminals. However, because these systems—video surveillance, access control, alarms, communications, and more—are increasingly connected to networks and IT infrastructure, they can be quite vulnerable.

Nearly every day brings the news of another data breach or ransomware incident in the public sector. Large or small, any government organization, school district, or higher education institution is vulnerable to a disruptive and costly cyberattack.

Today it’s essential to recognize the cybersecurity risks that can exist in physical security devices such as cameras, door controllers, and their monitoring systems. That risk has increased with greater use of these devices during the COVID-19 pandemic.

“Fewer people working in buildings means you need more technology to maintain physical protections,” says Morgan Wright, a Center for Digital Government (CDG) Senior Fellow. “Yet when it comes to protecting those physical security devices, too often the worry is about damage or theft, not that they can be used as an entry point for ransomware.”

An Overlooked Avenue for Cyberattack

A lingering but erroneous view is that only limited threats can be made through a physical security device. For example, recognized threats often include the ability to remotely stop the video feed from a camera, open or lock a door, or disrupt critical building systems.

Yet most cyberattacks are not intended to compromise the physical safety of people or property. Instead, these attacks target applications, files, and data managed by IT. An attack that originates in a camera can find its way through the network to block access to critical applications, lock and hold files for ransom, and steal personal data of employees, students, program clients, and residents.

For example, the Mirai botnet continues to disrupt systems and networks by attacking them with internet-connected devices, including cameras. To find vulnerable devices, the botnet previously relied on trying to log in with factory-default usernames and passwords; it has since evolved to exploit unpatched vulnerabilities.

An analysis by Genetec found that too many security cameras offered this opening for attack. According to the study, nearly seven in 10 cameras had out-of-date firmware.

In 2021, security researchers discovered that a Mirai-based botnet called Moobot uses another technique to infect video surveillance devices that are embedded in many original equipment manufacturer (OEM) solutions. This technique injects malicious code into the device, then checks the network to find additional devices to infect. Although a software patch is available to close this risk, IT teams may not know which installed cameras should receive it.

“Security cameras and access control systems need to be considered critical network devices,” says Wright. “They need to receive a high level of protection and monitoring for operations and cybersecurity.”

This view is gaining acceptance within IT organizations as two issues become clearer and more compelling. First is the increasing crossover of network attacks from internet-connected security cameras and door controllers. These devices often give cyberattackers easy network entry, and IT has limited visibility until after the fact. Second, the rising volume of cyberattacks inherently increases the risk level of any network-connected device that is not adequately secured.

Cybersecurity Risks in Physical Security Systems

Many public-sector facilities continue to use older models of security cameras and door controllers, replacing them only when necessary or when their capital cost has been fully amortized.

However, older devices, especially cameras, often present a significant cyber risk because of their limited security capabilities. This risk may be a consideration behind the plans of many governments to upgrade their fixed surveillance systems in the near term. Today, hackers know that certain cameras are easy to take over and use as an entry point to the connected network. Several factors make cameras easy to breach:

An outdated network design. In the past, the physical security industry did not need to maintain a strong focus on cybersecurity, creating a lag in feature and technology integration. These devices were typically connected in a closed network design, which does not reflect the different and higher security demands of internet, Wi-Fi, or cellular connections.

Inadequate maintenance. Physical security management does not always incorporate common procedures and best practices for cybersecurity, such as frequent changes to passwords. Many physical security devices still in use are aging and no longer receive updated firmware from the manufacturer.

Knowledge gap. Employees who installed and managed physical security systems may have retired or left the agency, leaving a gap in knowledge about devices, configurations, and maintenance.

Vulnerable devices. Some governments around the world are already discouraging the use of certain vendor products, claiming ethical concerns as well as possible trust and security vulnerabilities. There is growing concern regarding high-risk video surveillance equipment, and certain manufacturers have been restricted from selling their products in North America because of questionable ethical and cybersecurity practices.

At-risk cameras may be particularly hard to detect if they were built into private-label systems sold by video surveillance solution providers. The following steps can help identify devices of concern:

  • Create an up-to-date inventory of all cameras and control systems connected to the network, including via Wi-Fi or cellular connection.
  • Verify the inventory with in-person, on-premises checks to detect devices that may have been forgotten.
  • Maintain detailed information about each physical security device (e.g., age, manufacturer, model, and firmware version).
  • Identify the types of encryption and cybersecurity capabilities supported on each device or firmware version.
  • Verify the source and legitimacy of each software update before installation; an update may be used to install malicious code.
  • Check device inventory against published information about manufacturers and models that have identified security risks. Determine if these devices should be prioritized for early replacement.
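
As an added illustration of the inventory steps above (not code from the article or from any vendor), the following Python example audits a device inventory for outdated or unsupported firmware, weak encryption, advisory matches, age, and missing on-site verification, then orders devices by number of findings. All device names, models, firmware versions, the reference tables, and the eight-year age threshold are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory (no real devices); one row per networked device.
INVENTORY_CSV = """device_id,manufacturer,model,firmware,install_year,encryption,verified_on_site
cam-lobby-01,ExampleCam,EC-100,2.4.1,2014,none,yes
cam-dock-02,ExampleCam,EC-300,5.1.0,2021,tls1.2,yes
door-east-01,SampleDoor,SD-20,1.9.3,2017,tls1.0,no
cam-roof-03,PlaceholderOEM,PX-7,3.0.0,2019,tls1.2,yes
"""

# Constructed reference data the team would maintain from vendor notices and
# published advisories. A model with no entry no longer receives firmware.
LATEST_FIRMWARE = {("ExampleCam", "EC-100"): "2.9.0", ("ExampleCam", "EC-300"): "5.1.0",
                   ("SampleDoor", "SD-20"): "1.10.0"}
FLAGGED_MODELS = {("PlaceholderOEM", "PX-7")}   # hypothetical advisory match
WEAK_ENCRYPTION = {"none", "tls1.0", "tls1.1"}
MAX_AGE_YEARS = 8                               # assumed replacement threshold

def version_tuple(version):
    """Compare firmware numerically: as strings, '1.9.3' sorts after '1.10.0'."""
    return tuple(int(part) for part in version.split("."))

def audit_device(row, current_year):
    """Return the list of findings for one inventory row."""
    key = (row["manufacturer"], row["model"])
    findings = []
    latest = LATEST_FIRMWARE.get(key)
    if latest is None:
        findings.append("no firmware updates available from manufacturer")
    elif version_tuple(row["firmware"]) < version_tuple(latest):
        findings.append(f"firmware {row['firmware']} is behind {latest}")
    if row["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"weak or no encryption ({row['encryption']})")
    if key in FLAGGED_MODELS:
        findings.append("model appears in a published security advisory")
    if current_year - int(row["install_year"]) > MAX_AGE_YEARS:
        findings.append("older than replacement threshold")
    if row["verified_on_site"] != "yes":
        findings.append("not yet confirmed by on-premises check")
    return findings

def audit_inventory(csv_text, current_year):
    """Audit every device; most findings first (early-replacement candidates)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {row["device_id"]: audit_device(row, current_year) for row in rows}
    return dict(sorted(report.items(), key=lambda item: -len(item[1])))
```

Calling `audit_inventory(INVENTORY_CSV, 2024)` returns a dictionary keyed by device ID, with the devices that have the most findings listed first.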

Another, albeit bigger, step to take: Bring physical security and cybersecurity together into a single team with integrated operations.

Joining Physical Security and Cybersecurity

In many organizations, a long-held perspective is that IT and physical security are separate realms, and their work and concerns do not intersect. However, this perspective has started to change in light of the growing cyber risk that physical security technologies can present.

The change comes from a new view of how to best structure security management across all systems and devices. It begins when the IT and physical security teams jointly focus on a comprehensive security program based on a common understanding of risk, responsibilities, strategies, and practices.

Improving the Cybersecurity of Physical Security

An integrated security team can produce an effective review of needed cybersecurity improvements across physical security devices and systems. This review should include several key areas of focus:

Improve security monitoring. Ensure all network-connected physical security devices are monitored and managed by the IT tools for network and security management. Also, check for features in the video management system (VMS) and access control system (ACS) that provide alerts or data for use by IT’s network and security monitoring tools.

Strengthen protection measures. Look for ways to improve existing configurations and management practices for physical security devices, including:

  • Using secure protocols for connecting the device to the agency network
  • Disabling access methods that support a low level of security protection
  • Verifying configurations of security features and alerts
  • Replacing defaults with new passwords that are changed on a regular and verified schedule

Implement encryption. End-to-end encryption offers the most security to protect video streams and data as they travel from the physical security device to a management system for viewing. Also, ensure that encryption protects these files and data while in storage.

Enhance access defenses. Strengthen the security of user and device access with a multilayer strategy that includes multifactor access authentication and defined user authorizations.

Improve update management. One management function that can be overlooked when teams are separate is the installation of software updates and patches. When the teams are joined, define who has responsibility for maintaining awareness of when updates are available. Then, define who has responsibility for vetting, deploying, and documenting updates on all eligible devices and systems.

Planning a Replacement Program

After an assessment of current physical security elements, it may be clear that some devices—and perhaps the VMS or ACS—present a high cyber risk and should be replaced. Replacement priorities can also be determined by location, use case, device type, or age.

When ready to issue a request for proposals (RFP), consider incorporating requirements that will support modernization for both physical security and cybersecurity. These include:

  • Unification of cybersecurity and physical security devices and software on a single platform, with centralized management views and tools. An open architecture system will support a cloud-based or hybrid deployment of security solutions, as well as flexible integration options for future devices and management systems.
  • Cybersecurity features, such as data encryption, that are built into the device firmware and management software.
  • Compliance with security standards and audits for all suppliers and system integrators involved in providing the solution (i.e., the supply chain). Include a list of prohibited vendors for equipment and software components.
  • Vendor capabilities to support a solution life cycle of up to 10 years, including ongoing availability of updates for device firmware and management system software.

By understanding that physical and cyber domains are closely tied, governments can implement the new technologies, new staff roles, and new practices that will strengthen security overall.

Stay tuned for a companion article, titled “Improving the Cybersecurity of Physical Security,” which includes a brief checklist.

Justin Himelberger joined Genetec in 2009 and is currently the Enterprise Systems Business Development Manager, working specifically with the U.S. Department of Defense and other federal agencies. As a trusted security advisor for the federal government, he provides support with his expertise and knowledge of the company’s security software and hardware solutions.