Internet connectivity is an important means of delivering business and security value, not just a recreational vehicle and a consummate aggregator of attention.
THERE’S a common belief in the security industry that remote access, internet connection, and external connections are bad; and in the wake of the Mirai bot net and near daily IoT security warnings, it’s not all that surprising that we want to keep security systems air-gapped.
While unarguably well intentioned, this line of thinking will have physical and electronic security providers relegated to the realm of tin foil hat wearers as businesses and users continue to demand more and more efficiency from their systems. Does that mean that we should plug everything in, open everything up, and embrace a fully connected ecosystem – certainly not. It’s all about benefit and risk.
In the realm of operational security, technology is a force multiplier, or a means to an end rather than an end in and of itself. CCTV cameras allow a single guard to view many areas at once as well as providing evidence after the fact. Access control systems allow for the policing of access in restricted areas without requiring the physical presence of a guard. Intrusion detection systems allow for the monitoring of one or many sites without needing any human presence.
Why are we so adverse to connecting these systems to the internet? Let’s begin by reviewing a few facts about the current state. We’ve been connecting alarm systems to phone lines and remotely programming them for years. While they may require some special software, it’s usually authenticated based on a device serial number of 4-digit code with no rate limiting or alerting on failed login attempts, and poor, if any logging.
The industry is using Ethernet and GPRS alarm communication devices more and more frequently; usually on dialler capture and without any back-up path. These systems send their messages across the internet to a bank of computers, many parts of which may be vulnerable. Security systems using Ethernet devices (cameras, door controllers, card readers etc) are put onto poorly secured IT networks, often installed by the integrator and left on factory default settings.
Many monitoring stations and control rooms are remotely accessible, so have the potential to act as a gateway from the outside world into the security networks. When you consider the above, the security industry may not be as secure or as isolated as it likes to think it is.
Why would we want to have our systems remotely accessible? In many cases, connected systems can provide a real benefit. Sending push alarms notifications and video to guards in the field allows them to be more efficient and respond more rapidly. Remote diagnosis and servicing allows integrators to service systems more rapidly, hopefully at lower cost to the client.
There are many legacy practices in the security industry that don’t add value yet we tolerate them. Late to Close events on alarm systems still rely on an operator to call the site and get a stand down password to authorise someone who is already on site to work later. This could easily be replaced by an app (suitably secured) with a push notification allowing a user to extend the closing time by another hour.
We can all argue for the status quo and that current ways of thinking, working, and deploying security are still the best. However, individuals and organisations will continue to seek additional features and functionality, and lower total cost of ownership – if we don’t deliver that, someone else will.
Simon Pollak
So how do we go about connecting our systems? As with all security measures, there's a secure way and a non-secure way. Plugging in something you bought on eBay then port forwarding your router is not secure and will most likely have your system get pwned. Deploying enterprise grade equipment behind a firewall with robust security controls including as an update and patching process, can deliver security and functionality with limited risk of compromise. If the remote functionality becomes mission critical, redundancy needs to be considered as well.
How to suitably secure systems is one of the challenges the security industry is finally making headway with. There are some excellent hardening guides from assorted vendors. I would also suggest reading some of the critical infrastructure hardening guides such as The SANS Institute’s Critical Control System Vulnerabilities Demonstrated – And What to Do About Them. Integrators who work on network connected or server based security systems should ensure they understand how to suitably secure these systems.
Finally, it’s time that manufacturers produced systems that configure themselves to the highest security levels rather than the lowest. There’s no good reason that a video management system shouldn’t set a complex password and configure SSL tunnelling when adding a camera. With global players, such as Amazon, Google, and Apple seeking to increase their foothold into the connected building ecosystem, industries who cling to isolated technologies risk losing relevance. ♦
* The views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies or any organisation or entity.
Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology). Simon contributes to SEN discussing all things cyber and converged security. Follow him on https://twitter.com/SimonPollak or https://au.linkedin.com/in/simonpollak
