Discussions in our industry about cyber-threats to physical security systems, including IP video, often center around hypotheticals. How might a hacker gain access to a video camera feed? How might he or she enter the larger enterprise system through a software vulnerability related to physical security? We all know assessing threats often involves considering the hypothetical, of course, but we should also seek to learn from actual events in the past.

In relation to vulnerabilities of video surveillance systems to cyberattack, a historic event from seven years ago provides plenty of food for thought. It was in the news at the time, but the role of cybersecurity wasn’t known then, and, in our market, it has not been widely reported. The event isn’t a commonly cited example of the dangers of insufficient cybersecurity in physical security systems; however, it should be. Even seven years later, the lessons of the Turkish pipeline explosion in 2008 couldn’t be timelier.


Cyberattack Incident

The Baku-Tbilisi-Ceyhan (BTC) pipeline runs 1,099 miles from the Caspian Sea to the Mediterranean, following a route through the former Soviet Union. On 7 August 2008, there was an explosion on the pipeline near Refahiye, Erzincan, a town in eastern Turkey. Cyber-attackers entered the operational controls of the pipeline to increase oil pressure without setting off alarms. The high pressure may have caused the explosion; no physical bomb was ever found.

The explosion caused more than 30,000 barrels of oil to spill and cost millions of dollars a day in transit tariffs during the two and a half weeks the pipeline was down. The Turkish government reported it as a mechanical failure. However, in 2014, Bloomberg reported that hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line. Some believe the Russian government was behind the explosion.

The hackers took down the system of sensors and video cameras that monitored the pipeline in the area, so there was no signal of the explosion. News of the event first came 40 minutes later from a security worker who saw the flames. The hackers erased 60 hours of video footage. In fact, the only existing footage related to the event was provided by a single (offline) thermal camera that showed two men with laptop computers walking near the pipeline days before the explosion.

Consequences Of Ignoring Physical Security System Vulnerabilities


There is a specific reason that this incident should be of great interest to the security marketplace: hackers entered the computer system through a software vulnerability that was part of the video surveillance system. They gained entry using a vulnerability in the cameras’ communication software and then moved deep into the internal network.

Far from theoretical, in this instance, the cyber-vulnerability of a physical security system provided a means to deploy a massively destructive attack – a cyberattack with physical consequences. The cameras supposedly watching the site were not only useless (after the hackers erased their video feeds), but that very camera system also provided entry for the attackers into the systems.

In addressing the cybersecurity vulnerabilities of IP systems, you could say our industry is late to the party. As the Turkish pipeline explosion suggests, we are at least seven years late.

Now, we are playing catch-up with the recent spate of cybersecurity programming at industry shows, and manufacturers are addressing cybersecurity vulnerabilities in their systems. Previously, basking in the productive and beneficial glow of networked systems, we have denied cyber-vulnerabilities; we have ignored the “elephant in the room.”

More to the point, we have ignored a large open door inviting the bad guys in.


Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.
