Physical systems do not enjoy the same regular attention that corporate networks do

Problems caused by physical systems in terms of cyber-attack are quite extensive, damaging systems and assets 

Security experts of various disciplines agree that physical systems are increasingly being leveraged in attacks on organizational networks and supply chains. Many manufacturers maintain that security (including that of security systems) is the responsibility of the end user, which would be fine if they were only expected to maintain security and not create the security in the first place.

End users probably feel it is the responsibility of the manufacturer or installer, and the attackers don’t care who is responsible as long as the door is left open and unguarded for them to exploit the vulnerability created by the confusion and lack of cohesive response.

Need For A Change In Approach

Our organizational structures in terms of Security, Risk, IT and Information Security are not helping this situation. In many organizations there is a lack of board room oversight; control is still sitting in silos and Information Security is potentially even on a different Risk Register. Clearly this creates even more risk, but sometimes it is hard to see the wood for the trees and the necessary culture change has to start with behavioral change first; the behavior then creates a new and more resilient culture.

Problems caused by physical systems in terms of cyber attack are quite extensive and the results might be damage to systems or other assets or sometimes in a data breach, an exfiltration of valuable information, possibly intellectual property. As an example, imagine an internal CCTV system in a banking chain. It isn’t protected by corporate network security as that is focused on the user system and emails etc. It isn’t protected by the same network as the exterior either but it is web-enabled and sitting on a network somewhere. Because it falls outside of the remit of IT security, it hasn’t been patched or firewalled and it has certainly never been penetration tested to check that it is secure.

Why Are Firewalls And Anti-Malware Important?

Because physical security falls
outside of the remit of IT security,
it hasn’t been patched or firewalled
and it has certainly never been
penetration tested to check that it
is secure

Let’s imagine that this system is then attacked, probably by using a phishing email to a staff member who unwittingly allows attackers to access this internal CCTV. The attackers then spend months harvesting login credentials and studying normal system behavior in order that they can emulate it at a later date, using the stolen logins. At the same time, having breached the network, they hack a selection of ATMs in a variety of countries. At a predetermined time, they create money and add it to a variety of accounts in a manner and at a time that their research has shown them would be considered normal and not attract unwanted attention. They then turn that invented money into cold hard cash by ejecting it at a predetermined time out of the predetermined and compromised ATMS into the hands of the gang who are waiting to collect.

Without the access to the CCTV, this could not have happened. But the important aspects of this scenario actually happened. And it happened in more than 30 countries and more than one billion dollars was created and removed in this way. The accounts they used to filter this created cash were largely unscathed and the game ran for a long time.

Another example might be a blast furnace in Germany in December 2014. The Industrial Management System was compromised and the furnace was unable to be shut down. The damage was extensive and risk to life and limb very real. Details on this are scant and we do not know if the exploit continued into the corporate network or whether the target was the furnace system itself. But this is a cyber attack on a physical system and our physical systems do not enjoy the same regular attention that our corporate networks do. This could just as easily be an attack on an air filtration system, remotely managed from a centralized platform or a heating system or even a door entry system; locking down an entire site.

So firewalling and protecting with anti-malware is a must. So are regular health checks and penetration testing but few of these systems get that attention. Many systems are built on legacy platforms never intended to be called into web enabled service and are not really fit for that purpose; no longer supported with security patching such as XP for instance.

Being the inadvertent cause of
a breach at a supply chain
partner could be cataclysmic
for organisational reputation
and can lead to lawsuits

Mitigating Cyber Attack Risk

How do we approach mitigating the risk that our continued lack of attention is creating? Well, the impact of culture is huge and unavoidable. Culture starts from the top and the right board room attitude goes a long way to embedding a security culture into an organization. Our security and risk functions need boardroom oversight and organizations need to step away from a project-based approach to security. Installers and maintainers need to understand the implications that physical systems can have on the resilience of their organizations and therefore training needs to be available to those disciplines. The training needs to be practical, targeted and relevant; focused on the impacts from installers and managers.

Regular testing and patching needs to be brought within oversight of IT security so it forms part of other corporate network securing cycles. Risk needs to encompass the security functions including information security and how resulting data from physical systems, such as CCTV or entry systems, needs to be securely managed through its lifecycle.

Supply Chain Cyber Threats

Supply chains also need to be considered as a potential security vulnerability. If you need an example of why, then take a look at the Target mega breach. This was enabled by a phishing attack on their air conditioning contractor. An employee clicked on a link which delivered the malware that in turn gave them access to the managed maintenance portal - used to upload and manage tasks. If an attacker can find an easy way in through a less secure underbelly, they will naturally take it. Being the inadvertent cause of a breach at a supply chain partner could be cataclysmic for organizational reputation and can lead to lawsuits. Add in potential financial penalties and a breach has the potential to close a business.

Summing up, I would say we need to change our approach to securing our organizations to protect all of the assets in a joined-up, blended approach. Everything we do should be informed by this, and that means opening lines of communication, understanding and training between disciplines.

Download PDF version Download PDF version

Author profile

In case you missed it

What Are New Trends In Residential Security?
What Are New Trends In Residential Security?

Residential security and smart homes are rapidly changing facets of the larger physical security marketplace, driven by advances in consumer technology and concerns about rising crime rates. During the COVID-19 pandemic, many people spent more time at home and became more aware of the need for greater security. As workplaces opened back up, returning workers turned to technology to help them keep watch over their homes from afar. We asked this week’s Expert Panel Roundtable: What are the trends in residential security in 2021?

How Businesses Can Protect Their People In The New Age Of Work
How Businesses Can Protect Their People In The New Age Of Work

Ensuring employee health and safety remains a key priority for organizations this year, especially as we see COVID-19 cases continue to rise in different areas of the world. As an ongoing challenge, COVID-19 has shifted the priorities of many organizations. In fact, “improving health and safety for employees” is the top strategic goal this year of manufacturing and logistics organizations in the U.S. and U.K., according to research conducted by Forrester on behalf of STANLEY Security. But as we think about reopening and as hybrid workforce models and “workspace-on-demand” approaches rise in popularity, leaders need to consider implementing the right technologies to help ensure a safe return to the office. This means investing in health, safety, and security solutions that can help leaders protect their people. The intersection of security technology and health and safety There’s no doubt that the scope of security has expanded in the wake of the global pandemic. What was once an area governed by a select few security or IT professionals within a business has now become a crucial company investment involving many key stakeholders. The role of security has expanded to encompass a broader range of health and safety challenges for businesses Additionally, the role of security has expanded to encompass a broader range of health and safety challenges for businesses. Fortunately, security technologies have made significant strides and many solutions, both existing and new, have been thrust forward to address today’s biggest business challenges. Investment in security technology It’s important to note that businesses are eager to adopt tech that can help them protect their people. Nearly half (46%) of organizations surveyed by Forrester report that they’re considering an increasing investment in technology solutions that ensure employee safety. Technologies like touchless access control, visitor management systems, occupancy monitoring, and installed/wearable proximity sensors are among some of the many security technologies these organizations have implemented or are planning to implement yet this year. Facilitating a safe return to work But what does the future look like? When it comes to the post-pandemic workplace, organizations are taking a hard look at their return-to-work strategy. Flexible or hybrid workforce models require a suite of security solutions to help ensure a safer, healthier environment More than half (53%) of organizations surveyed by Forrester are looking to introduce a flexible work schedule for their employees as they make decisions about returning to work and keeping employees safe post-pandemic. Such flexible – or hybrid – workforce models require a suite of security solutions to help ensure a safer, healthier environment for all who traverse a facility or work on-site. One of the central safety and security challenges raised by these hybrid models is tracking who is present in the building at any one time – and where or how they interact. Leveraging security technology With staggered schedules and what may seem like a steady stream of people passing through, it can be difficult to know who’s an employee and who’s a visitor. Access control will be key to monitoring and managing the flow of people on-site and preventing unauthorized access. When access control systems are properly integrated with visitor management solutions, businesses can unlock further benefits and efficiencies. For instance, integrated visitor management systems can allow for pre-registration of visitors and employees – granting cellphone credentials before people arrive on-site – and automated health screening surveys can be sent out in advance to help mitigate risk. Once someone reaches the premises, these systems can also be used to detect the person’s temperature and scan for a face mask, if needed.  We will likely see these types of visitor management and advanced screening solutions continue to rise in popularity, as 47% of organizations surveyed by Forrester report that they’re considering requiring employee health screening post-pandemic. Defining the office of the future A modern, dynamic workforce model will require an agile approach to office management. It’s imperative to strike the right balance between making people feel welcome and reassuring Businesses want to create an environment in which people feel comfortable and confident – a space where employees can collaborate and be creative. It’s imperative to strike the right balance between making people feel welcome and reassuring them that the necessary security measures are in place to ensure not only their safety but also their health. In many cases, this balancing act has created an unintended consequence: Everyone now feels like a visitor to a building. Protocols and processes With employees required to undergo the same screening processes and protocols as a guest, we’ve seen a transformation in the on-site experience. This further underscores the need for seamless, automated, and tightly integrated security solutions that can improve the employee and visitor experience, while helping to ensure health and safety. Ultimately, the future of the office is not about what a space looks like, but how people feel in it. This means adopting a “safety-always” culture, underpinned by the right technology, to ensure people that their safety remains a business’ top priority. 

Access The Right Areas - Making A Smart Home Genius With Biometrics
Access The Right Areas - Making A Smart Home Genius With Biometrics

Household adoption of smart home systems currently sits at 12.1% and is set to grow to 21.4% by 2025, expanding the market from US$ 78.3 billion to US$ 135 billion, in the same period. Although closely linked to the growth of connectivity technologies, including 5G, tech-savvy consumers are also recognizing the benefits of next-generation security systems, to protect and secure their domestic lives. Biometric technologies are already commonplace in our smartphones, PCs and payment cards, enhancing security without compromising convenience. Consequently, manufacturers and developers are taking note of biometric solutions, as a way of leveling-up their smart home solutions. Biometrics offer enhanced security As with any home, security starts at the front door and the first opportunity for biometrics to make a smart home genius lies within the smart lock. Why? Relying on inconvenient unsecure PINs and codes takes the ‘smart’ out of smart locks. As the number of connected systems in our homes increase, we cannot expect consumers to create, remember and use an ever-expanding list of unique passwords and PINs. Indeed, 60% of consumers feel they have too many to remember and the number can be as high as 85 for all personal and private accounts. Biometric solutions strengthen home access control Biometric solutions have a real opportunity to strengthen the security and convenience of home access control Doing this risks consumers becoming apathetic with security, as 41% of consumers admit to re-using the same password or introducing simple minor variations, increasing the risk of hacks and breaches from weak or stolen passwords. Furthermore, continually updating and refreshing passwords, and PINs is unappealing and inconvenient. Consequently, biometric solutions have a real opportunity to strengthen the security and convenience of home access control. Positives of on-device biometric storage Biometric authentication, such as fingerprint recognition uses personally identifiable information, which is stored securely on-device. By using on-device biometric storage, manufacturers are supporting the 38% of consumers, who are worried about privacy and biometrics, and potentially winning over the 17% of people, who don’t use smart home devices for this very reason. Compared to conventional security, such as passwords, PINs or even keys, which can be spoofed, stolen, forgotten or lost, biometrics is difficult to hack and near impossible to spoof. Consequently, homes secured with biometric smart locks are made safer in a significantly more seamless and convenient way for the user. Biometric smart locks Physical access in our domestic lives doesn’t end at the front door with smart locks. Biometrics has endless opportunities to ease our daily lives, replacing passwords and PINs in all devices. Biometric smart locks provide personalized access control to sensitive and hazardous areas, such as medicine cabinets, kitchen drawers, safes, kitchen appliances and bike locks. They offer effective security with a touch or glance. Multi-tenanted sites, such as apartment blocks and student halls, can also become smarter and more secure. With hundreds of people occupying the same building, maintaining high levels of security is the responsibility for every individual occupant. Biometric smart locks limit entry to authorized tenants and eliminate the impact of lost or stolen keys, and passcodes. Furthermore, there’s no need for costly lock replacements and when people leave the building permanently, their data is easily removed from the device. Authorized building access Like biometric smart locks in general, the benefits extend beyond the front door Like biometric smart locks in general, the benefits extend beyond the front door, but also throughout the entire building, such as washing rooms, mail rooms, bike rooms and community spaces, such as gyms. Different people might have different levels of access to these areas, depending on their contracts, creating an access control headache. But, by having biometric smart locks, security teams can ensure that only authorized people have access to the right combination of rooms and areas. Convenience of biometric access cards Additionally, if building owners have options, the biometric sensors can be integrated into the doors themselves, thereby allowing users to touch the sensor, to unlock the door and enter. Furthermore, the latest technology allows biometric access cards to be used. This embeds the sensor into a contactless keycard, allowing the user to place their thumb on the sensor and tap the card to unlock the door. This may be preferable in circumstances where contactless keycards are already in use and can be upgraded. Smarter and seamless security In tandem with the growth of the smart home ecosystem, biometrics has real potential to enhance our daily lives, by delivering smarter, seamless and more convenient security. Significant innovation has made biometrics access control faster, more accurate and secure. Furthermore, today’s sensors are durable and energy efficient. With the capacity for over 10 million touches and ultra-low power consumption, smart home system developers no longer have to worry about added power demands. As consumers continue to invest in their homes and explore new ways to secure and access them, biometrics offers a golden opportunity for market players, to differentiate and make smart homes even smarter.