It doesn’t take a genius to recognise that the physical security industry is undergoing what is arguably its most significant and most rapid period of disruption and transformation; and if the industry fails to recognise, react, and respond, it will be subsumed by IT and cyber security providers.
Physical security’s survival offers the opportunity for some robust debate over whether this is a good or a bad thing; however, I’m going to suggest that an equal partnership between physical and cyber security will provide the best outcome. Every physical security conference and most presentations I’ve attended in recent years have had some focus on cyber security; however, the level of cyber security expertise in the physical security industry remains poor at best.
I speak with IP video trainers and vendors and almost every one of them laments that half their training courses are spent teaching installers about IP addressing and basic networking rather than how to best configure, deploy, and secure their systems. Cyber security is now a board-level issue sitting at or near the top of an organisation’s risks, yet it’s not being responded to with the maturity of other foreseeable business risks. In the cyber security arena, those making decisions and setting budgets frequently lack the skills and knowledge to make these decisions.
Dr Ian Levy, the chief technical director of GCHQ’s National Cyber Security Centre, recently commented: “If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine’. It’s medieval witchcraft, it’s genuinely medieval witchcraft.”
I received an invitation the other week to a vendor presentation titled “How XXXXX moved to a risk-based approach for vulnerability management”. I, and I suspect most security professionals, immediately pondered the question
“Well, if you weren’t basing your approach on risk, what were you basing it on? Astrology, how you felt on the day, or perhaps on whose solution had shiny bells and whistles?”
Physical security has been managing risk to both individuals and organisations in a mature, well considered manner for many years. You may have noticed by now that these 2 facets of the security function have relatively non-overlapping skill sets, which is a little surprising. People in the physical security industry seem to be failing to recognise that they are security professionals. They often have many years’ experience in protecting assets from those who would do them harm, in designing and deploying resilient security systems, and in employing defence in depth.
While I’m not going to suggest that there is a complete transferability of skills from physical to cyber security, the skills in which security professionals are seasoned do serve them in very good stead when considering cyber security. That’s the good news. The not so great news is that the physical security industry has been resistant to change, and extremely slow in acquiring the skills and knowledge they require to transfer their ability to the cyber security arena. It astounds me how often systems are left on default credentials, without any network security, or exposed to the internet without being adequately secured.
The Mirai botnet and BrickerBot are just 2 examples of how easily these systems can be compromised. Much of the security industry continues to operate in an analogue paradigm while installing more and more IP-based equipment. Over the last few years, manufacturers have become aware that cyber security is important, but are still well behind the bell curve in their response, compared to the IT industry. Their advanced security features often require a single-vendor system, and products frequently ship out of the box with the least rather than the most secure configuration. This then requires significant additional work by the integrator to deliver a robust security posture, assuming it’s even possible.
When connecting a camera to a VMS, there’s no valid reason that it shouldn’t generate a unique, complex password that nobody needs to know, given that most, if not all, camera configuration can be done via the VMS. Better yet, have cameras generate mutual authentication certificates. If the installer needs to carry out additional configuration on the camera, then they should be able to retrieve that one password, or use pass-through authentication to do so.
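The two points above, a default-credential check (the problem described earlier) and enrolment that replaces the shipped password with a generated one the installer never needs to see, can be modelled in a few dozen lines. The following Python is an added illustration written for this article, not code from the author or from any VMS or camera vendor; the `Camera` and `Vms` classes, the `KNOWN_DEFAULTS` sample, and the HMAC pass-through token are all hypothetical constructions standing in for a real product’s API. Retrieval of the vaulted password is restricted to an admin role and audited, and the pass-through path lets the VMS log into the camera on the installer’s behalf so the credential never leaves the vault.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of factory-default credential pairs (illustrative only;
# not taken from any vendor's documentation).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "")}


@dataclass
class Camera:
    """Hypothetical camera: holds the single credential it currently accepts."""
    camera_id: str
    username: str
    password: str

    def accepts(self, username: str, password: str) -> bool:
        # Constant-time comparison so the camera does not leak how much of a
        # guess matched.
        return username == self.username and hmac.compare_digest(password, self.password)


def uses_default_credentials(cam: Camera) -> bool:
    """Audit check: is the camera still on a published factory default?"""
    return (cam.username, cam.password) in KNOWN_DEFAULTS


@dataclass
class Vms:
    """Hypothetical VMS: generates per-camera secrets, vaults them, and lets an
    installer work through it instead of learning the camera password."""
    cameras: dict = field(default_factory=dict)     # camera_id -> Camera
    vault: dict = field(default_factory=dict)       # camera_id -> (user, password)
    audit_log: list = field(default_factory=list)
    token_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def enrol(self, cam: Camera) -> None:
        """Rotate whatever the camera shipped with (default or installer-chosen)
        to a unique generated secret; the installer never needs to see it."""
        new_password = secrets.token_urlsafe(24)    # 192 bits of entropy
        cam.password = new_password                 # simulated push to the camera
        self.cameras[cam.camera_id] = cam
        self.vault[cam.camera_id] = (cam.username, new_password)
        self.audit_log.append(("enrol", cam.camera_id))

    def retrieve_password(self, camera_id: str, operator: str, role: str) -> str:
        """Break-glass retrieval of one camera's password: admins only, logged."""
        if role != "admin":
            raise PermissionError(f"{operator} ({role}) may not read camera credentials")
        self.audit_log.append(("retrieve", camera_id, operator))
        return self.vault[camera_id][1]

    def issue_passthrough_token(self, camera_id: str, ttl_seconds: int = 300,
                                now: Optional[int] = None) -> str:
        """Short-lived HMAC token an installer presents to the VMS instead of a password."""
        now = int(time.time()) if now is None else now
        expiry = now + ttl_seconds
        mac = hmac.new(self.token_key, f"{camera_id}:{expiry}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{camera_id}:{expiry}:{mac}"

    def verify_passthrough_token(self, token: str,
                                 now: Optional[int] = None) -> Optional[str]:
        """Return the camera_id a token grants access to, or None if bad or expired."""
        now = int(time.time()) if now is None else now
        try:
            camera_id, expiry_str, mac = token.rsplit(":", 2)
            expiry = int(expiry_str)
        except ValueError:
            return None
        expected = hmac.new(self.token_key, f"{camera_id}:{expiry}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or now >= expiry:
            return None
        return camera_id

    def proxy_login(self, token: str, now: Optional[int] = None) -> bool:
        """Pass-through authentication: the VMS logs into the camera on the
        installer's behalf with the vaulted credential, which never leaves the vault."""
        camera_id = self.verify_passthrough_token(token, now)
        if camera_id is None or camera_id not in self.cameras:
            return False
        user, password = self.vault[camera_id]
        self.audit_log.append(("proxy_login", camera_id))
        return self.cameras[camera_id].accepts(user, password)


if __name__ == "__main__":
    cam = Camera("cam-01", "admin", "admin")        # constructed: shipped on a default
    print("default before enrol:", uses_default_credentials(cam))
    vms = Vms()
    vms.enrol(cam)
    print("default after enrol:", uses_default_credentials(cam))
    token = vms.issue_passthrough_token("cam-01")
    print("installer pass-through login:", vms.proxy_login(token))
```

The in-memory `vault` is a stand-in for an encrypted credential store; the point the model makes is structural: the camera’s secret is created by the VMS, is unique per device, and is reached only through an audited admin path or a time-limited pass-through, which is the behaviour the paragraph asks vendors to provide by default.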
I’m not going to argue that this doesn’t introduce additional work for the VMS vendors and camera manufacturers, however, suggesting that your product is superior because it has been tested by this lab or that company does not equate to better security in a real-world ecosystem.
From my experience, people installing IP-based security systems typically come from one of 2 backgrounds: those from an electronic security background, most of whom learnt their trade in an analogue world, and those from an IT background who acquired security skills at a later stage. As the descriptions suggest, the former often have an IT skills gap, and the latter a potential gap in security design and methodology. There are certainly providers who are skilled in both realms; however, these are the exception rather than the rule.
So where do we go from here? It seems there are 3 possible futures for the physical security industry:
Option 1 – Get our act together. Through a combination of determination, skill, and education, get to the point that we can deploy secure systems that achieve the required security outcome in a cyber secure fashion.
Option 2 – Hand the whole steaming mess over to IT to fix. If we don’t fix it, due to lack of skill, care, or capability, IT departments will take these systems over. The security outcome may not be to the level that we could have accomplished, but at least the systems won’t be getting hacked.
Option 3 – Work with IT departments to deliver both parts of the required solution. This requires a level of co-operation that we’re not used to, but will deliver the best outcome now.
I expect readers will have different opinions on which outcome is preferable, so the following is my opinion only. I believe it will take 2–4 years to develop the maturity for option 1, so it’s not feasible right now. I don’t think we want option 2, as it sends the physical security profession the way of scribes, milliners, and many other professions that have been automated.
That leaves option 3. We need to start working with IT departments and providers to deliver secure systems.
At the same time, we need to send a clear message along the supply chain to make security easy and enabled by default. This needs to be the case regardless of camera, VMS, and configuration. With physical security frequently being responsible for as much, if not more, IT than IT departments, we need to recognise that the world is changing and act.
By Simon Pollak*
The views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies of any organisation or entity.
*Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology). Simon contributes to SEN discussing all things cyber and converged security. Follow Simon at https://twitter.com/SimonPollak and https://au.linkedin.com/in/simonpollak