Starting with What is Already in Place
The first step towards better protecting a physical security system against cyberattacks is conducting a current posture assessment, which will help identify specific devices of concern. The assessment process allows an integrated IT and physical security team to focus on • creating an up-to-date inventory of all network-connected cameras,
door controllers, and associated management systems
• performing a thorough vulnerability assessment of all connected physical security devices to identify models and manufacturers of
concern
• consolidating and maintaining detailed information about each
physical security device, including connectivity, firmware version,
and configuration
• improving network design as needed to segment older devices and
reduce potential for crossover attack
•identifying all users who have knowledge of physical security devic-
es and systems and then documenting that knowledge for broader use and retention.
Once the assessment is complete, the team can then move to reviewing the necessary changes that need to be made.
The Next Phase in Protecting Network Security
After assessing an organization’s current physical security, the team should produce a review of required improvements for individual devic- es as well as the entire system. These improvements can include ensuring that all network-connected devices are managed by IT network and security monitoring tools as well as implementing end-to-end encryp- tion that protects video streams and data in transit and in storage.
Organizations can also think about strengthening protection mea- sures by improving existing configurations and management prac- tices for physical security devices. This could require using secure protocols for connecting devices to the network, disabling access methods that don’t support a high level of security protection, verify- ing configurations of security features and alerts, and replacing defaults with new passwords that must be changed on a regular and verified schedule.
Song_about_summer/Shutterstock.com
Another option for protecting network security is to enhance access defenses with a layered strategy that includes multifactor access authentication and defined user authorizations. Organizations can also improve update management by defining who is responsible for tracking updates availability; and for vetting, deploying, and doc- umenting updates on all eligible systems and devices.
Developing a Replacement Strategy
Ultimately, this review can help determine which devices and systems should be replaced because they present a high cyber risk. When it comes to developing replacement programs, organizations in the pub- lic sector need to prioritize strategies that support modernization for both physical and cybersecurity. One effective approach is to unify physical and cybersecurity devices and software on a single, open architecture platform with centralized management tools and views.
Replacement programs can also focus on cybersecurity features, including data encryption and anonymization, that are built into a device’s firmware and management software. Another important con- sideration is looking at a vendor’s capabilities to support a solution lifecycle of up to 10 years, including ongoing availability of updates for firmware and management system software.
In the U.S., federal funding may be available to help cover some of the costs associated with replacement programs. The 2021 Investment and Jobs Act includes $1 billion in funds, managed by the Depart- ment of Homeland Security, designed to help state and local govern- ments modernize their cybersecurity.
With the number of cyberattacks increasing around the world, it is becoming clear that the public sector needs to implement effective cybersecurity improvements to their IT networks. An important step towards reducing the cybersecurity risks associated with physical security devices is to integrate physical security and IT and develop a coordinated strategy for hardening systems.
Justin Himelberger joined Genetec in 2009 and is currently the Enterprise Systems Business Development Manager, working specifi- cally with federal agencies and the Department of Defense.
MAY/JUNE 2022 | campuslifesecurity.com 35