nizations cannot see, such as network cam- eras, sensors, cloud-based video and mobile devices, Windows-based video management systems, and Ethernet networks that extend to hallways and parking lots.
Neither IT nor their access layer switches typically monitor site-specific endpoints such as cameras and access control. Unfortunate- ly, this means that security managers don’t know when these units are compromised, go off-line, stop streaming video or audio, re- boot, or are just missing.
In general, many organizations don’t know just how many devices they have. For instance, business units are deploying many IoT devices with some help from IT but few consultations with physical security experts. According to a survey by the Ponemon In- stitute and Shared Assessments, just 15 percent of organizations have an inventory of most of their IoT devices and less than half have a policy to disable those that pres- ent a risk.
IT and Physical
Security Systems
Increasingly Linked
While organizations across the globe are gravely concerned about cybersecurity, the relationship between IT and physical securi- ty can be blurry. It’s challenging to safeguard all physical and digital assets when there’s lit- tle communication, collaboration, or shared understanding between these teams. IT man- agers often “solve” the problems by asking the physical security team to create separate networks for cameras and other physical se- curity devices.
While such arrangements may give IT managers a sense of security, rarely is there a complete, clean break between the enterprise network and the physical security network. For example, even well-protected and iso- lated “camera only” networks can have both intentional and unintended connections that link to the main corporate network. Deploy- ing just one IP-based camera or other IoT device at a remote site can open an organi- zation’s corporate network to a cyber threat.
Lack of Expertise on Both Sides
IT is struggling to secure the elements in its traditional domain, and expertise is a scarce commodity on both sides. The (ISC)2 Cy- bersecurity Workforce Study cites a global shortage of three million cybersecurity pro- fessionals, with 500,000 of those in North America. Nearly two-thirds of those sur- veyed said their organizations lack enough cybersecurity staff, and this puts them at risk of attack.
In Kasperky Lab’s 2018 “The State of the Industrial Cybersecurity” report, survey
respondents listed their top challenges as hir- ing employees with the right skills, securing new IoT systems, finding dependable part- ners and service providers for implementing cybersecurity solutions, and increasing inter- connectedness with corporate/enterprise IT.
Many physical security pros do not have the time, budget, or knowledge to properly harden cameras and other IoT devices. Se- curing these endpoints often requires a de- tailed understanding of network operations and a labor-intensive process. Then there’s the challenge of monitoring and maintaining hundreds or thousands of installed devices against evolving risks.
Automation to the Rescue
Even if the industry had enough profession- als in the right positions—or could find the right partners—humans alone cannot handle the myriad tasks required to secure, monitor, and maintain these systems. CSOs know well the challenges of identifying credible threats hidden among billions of daily security events. They’ve been investing in automa- tion technologies to do things such as threat hunting, alert triage, event management, in- cident response, and user management.
Physical security teams should do the same. Instead of see no evil, hear no evil, speak no evil, operators should explore au- tomation tools that enable them to see all as- sets, secure all assets and monitor all assets.
See all assets. The fundamental first step to securing the security network is knowing what is connected to it. An effective system automatically detects what devices are con- nected to the network. This “device” scan should be continuous, discovering when new
devices are placed on the network.
For instance, have new network cameras been added or broken cameras replaced? Have other devices been added to the net- work ports either unintentionally or mali- ciously? Newly detected devices should not be allowed to communicate with the network until they are acknowledged and bound to the network port with MAC binding or with
a certificate.
A complete, real-time inventory of con-
nected devices can help identify potential threats and weaknesses. In addition to iden- tifying devices by type such as camera, access control device, IP phone, and laptop, the in- ventory should include manufacturer, model, and firmware version.
Secure all assets. Once devices are detect- ed, automation should protect or “harden” legitimate ones with best practices. Rogue or unnecessary devices should be automatically blocked or locked out.
IoT hardening is usually unique to the IoT device type. For example, camera hardening is different from IP phone hardening. Automa- tion can correctly identify the device type and guide the installer through the hardening pro- cess that is appropriate for that device.
Automation tools can also configure best practices such as enabling a protected VLAN for the security system, changing a camera’s default login credentials, and bind- ing a camera’s MAC-ID to the network. This ensures that rogue devices are not plugged into exposed Ethernet ports on the perimeter of the network.
Other key hardening practices that can be automated include closing unused ports, removing unneeded network services,
40
0419 | SECURITY TODAY
CYBERSECURITY
Rawpixel.com/Shutterstock.com