Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

1/14/2021
11:00 AM
James Willison, founder of Unified Security Ltd
James Willison, founder of Unified Security Ltd
News
50%
50%

Who Is Responsible for Protecting Physical Security Systems From Cyberattacks?

It's a question that continues to engage debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: Who is responsible for their cybersecurity?

In recent years it has become more obvious that physical security systems are dependent on IT and vulnerable to cyberattacks.

In 2007, the movie Live Free or Die Hard showed how a group of criminals were able to control traffic systems and bring Washington DC and the stock market to a standstill. In the film Johnny English Strikes Again (2018), all the trains in the UK are directed to Bristol.

These movies are very much based in reality. In 2016, the BSIA warned us of the risks and recommended that "end users of IP connected CCTV systems should also ensure that they have comprehensive cyber security and information security policies in place." In 2019 a Norwegian company spent £45 million to restore its computer systems, factory machinery and building systems following a ransomware attack on its 170 sites and over 35,000 staff.

While these were operational technology systems, the 2019 BBC series The Capture demonstrated how CCTV could be hacked to convince police and security services' investigations that a lead suspect was guilty by adjusting the time frame in the system. Once again, this television 'drama' is now the unfortunate reality. The "IFSEC Global Video Surveillance Report 2020" found that 76% of respondents were concerned about the cybersecurity of surveillance systems.

For those who haven't noticed this issue, it would be wise to take stock. It is now likely that the physical security system can be attacked. As far back as 2014, the UK CPNI stated that it was possible. Cybersecurity has progressed very rapidly since then, hence a physical security lead should be engaging with the cybersecurity team to work with them — and vice versa.

Whose Responsibility Is It?
But who is responsible for protecting them from these attacks?

Is it the owner of the system? For some this is clearly the physical security lead. After all, they or their predecessor purchased or recommended it, didn't they?

But now they have a problem as they have heard the systems are not secure. Are they accountable to the business if an attacker gains access through the CCTV system to the IT corporate email and convinces the finance director to authorize an invoice costing thousands of pounds?

Or is the head of IT who authorized the CCTV system and gave responsibility for its day-to-day management to the head of physical security responsible? Or perhaps it is the head of cybersecurity who is an expert in the field and has implemented a range of controls on the network to mitigate cyberattacks? Surely this person is the one who is responsible?

Well, maybe.

A poll I conducted in November with a small group of 14 security professionals indicated 69% think physical security systems are cyber. When a ransom attack is mounted and successful, whose job is then at risk — the CEO/CIO/CISO or CSO? The board may decide that one or more people should be fired.

When you want to pay a ransom — who does it? This is a gray area, but once these systems are hacked the responsibilities will become clearer and some will lose their jobs.

Are there easy answers? Is one person responsible? Or, as some would argue, isn't everyone responsible for security?

In risk management there are RACI (Responsible, Accountable, Consulted, Informed) tables which indicate that one person is responsible for performing the work effort and management of the risk. This is usually the system or business unit owner. But that might be hard to identify for some people in large organizations.

Other business functions are meant to support that person and offer their expertise and technological services. If you occupy any of these roles, then it is important to ensure you are protecting the systems from attack, whether you are directly responsible or not. If you see a person in need of help it is vital to work with them — for their sake and the success of the business.

Whoever you believe is the most responsible for protecting physical security systems from cyberattacks, ultimately it must be a cross-functional team effort.


(Column continues on next page--see link below.)

IFSEC Global, part of the Informa Network, is a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, ... View Full Bio
 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
li'l ciso
50%
50%
li'l ciso,
User Rank: Strategist
1/14/2021 | 12:46:30 PM
Fortune 1000 has a name for this
In the United States, companies that make 1 Billion USD or more annually are often in the Fortune 1000. These large Enterprises should (most do) have a Corporate Security team

I prefer using the Corporate Security banner because this includes Corporate Security Intelligence (i.e., threat intelligence, trusted insider threat prevention, etc), while the private security industry or the perimeter security business units are often focused away from issues such as stolen property or high-grade or even hybrid threats
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...