Every single day, the number of network connections grows delivering smarter organisations, smarter cities and increased personal convenience. A good proportion of these connections comes from the rise of the Internet of Things, which includes the introduction of connected surveillance cameras and other physical security apparatus.
This convergence of the physical and cyber security worlds has expanded the responsibility of the Chief Security Officer and highlights why comprehensive vigilance remains the key to organisation-wide security.
It’s easy to find examples of what happens when gaps between the two emerge. Recently, a city in Florida was subjected to a ransomware attack thanks to such a vulnerability. The consequences were serious. Residents couldn’t pay for their services. City workers couldn’t do their jobs. Building permits weren’t issued. Half a million dollars was paid to the criminals responsible.
This was far from an isolated incident. Major security breaches are commonplace and involve any type of organisation (as this visualisation from Information is Beautiful demonstrates). In fact, in 2018, one estimate put the impact of cybercrime activities at US$1.5 trillion.
That’s why it is necessary to recognise the importance of security as a prerequisite for every connected device, which includes physical security systems including surveillance cameras, access control devices, and building management systems. This rabbit hole is a deep one, as even a lightbulb can have an IP-address.
Ransomware like that which took down Lake City in Florida can sneak in through a mobile phone. It can arrive on a USB thumb drive. It could come in an email to the receptionist. Or it could enter from an unsecured surveillance camera. In fact, this issue is so prevalent that there’s a dedicated website called Inseacam that demonstrates just how many cameras in Australia (and the rest of the world) are open to view.
The bottom-line? Regardless of what the ‘connected thing’ might be, the introduction of any new network device, or even a new smartphone, demands your attention.
Protect the everyday
Many of the well-publicised cyber security attacks involve government and large corporations. It makes for great headlines and, as more governments around the world roll out Smart City projects (like theone recently completed in Darwin) it raises the spectre of severe consequences.
But hackers don't only go for the big fish and in fact, small to medium sized businesses (SMB) are targets as well. IBM says 62% of all cyber-attacks —about 4,000 per day—target these smaller businesses. Bringing that a bit closer to home, Norton reported in 2017 that one in every four small businesses in Australia have fallen victim to some form of cybercrime. That’s not surprising as often, given the absence of formal policies or structured approaches to information security, the SMB is a juicier and easier target.
Yet SMB aren’t necessarily lagging when it comes to technology. Like big corporations and Smart Cities, they are increasingly rolling out IoT solutions, including IP-enabled security, and building management systems.
But all too many organisations aren’t securing things like security cameras with the same diligence as computers or routers. The Insecam website confirms that.
This demonstrates a truism with which most CSOs are all too familiar. Even the most sophisticated defences will do nothing to keep out attackers if the doors are wide open.
If it’s IP, protect it
So that’s the rub. As all these new devices are connected, there are more doors and there are more windows. And more potential points of attack. Yet these new devices are not for the facilities manager to consider. They are for you, the CSO.
Protect anything you connect.
Some of the largest data breaches of recent years are testimony to why this is so important. In 2013, Target Corporation suffered a huge breach (which led to the resignation of its CEO) which was traced back to its heating, ventilation and air conditioning system (HVAC) vendor whose system was compromised. It was an expensive oversight, which reportedly cost it $US 18.5 million in 2017 to settle investigations by multiple US states, not to mention the original cost of the breach. The HVAC company in question stated their belief that it was a linked billing system and not the HVAC controls which caused the issue, however researchers at Ben-Gurion University of the Negev, Israel have proven that attacks via an air conditioning system are in fact very possible.
The bottom line is an extraordinary level of vigilance must be applied to every single IP-enabled device on your network, even the physical security devices, ensuring they are all appropriately configured and protected. Just as everyone in your organisation from the CEO to the intern plays a role in ensuring comprehensive physical security, every device connected to your network must have the same level of attention and protection. A chain is only as strong as its weakest link, so make sure you have scrutinised the cybersecurity policies of all your IP enabled devices to ensure that they have acceptable protocols baked in. Ensure you are bringing the management of your physical security systems and connected devices in under the same ‘security management’ umbrella as your cyber security strategies. Only by exploring all potential weaknesses of all devices will you know just how strong your chain of security really is.