COMNET ADVICE

How to harden your hardware cybersecurity

Iain Deuchars

Business Development Manager, ComNet

Author Bio ▼

Having served an engineering apprenticeship with the Ministry of Defence and read for his degree in electronic systems at the Royal Military College of Science, Iain Deuchars worked for a number of years on satellite communications projects for the UK military. Following this he moved to the commercial sector and became involved in optical communications primarily in the security and surveillance markets. Iain has held senior positions in a number of electronic communication companies and is currently Business Development Manager for ComNet, where he is involved in both technical and commercial aspects for the Company.
May 24, 2018

Sign up to free email newsletters

Download

The Intruder Alarm Report 2020

Our comprehension of cybersecurity is based around the global internet where software attacks threaten our working days and everyday lives.

What we fail to relate cybersecurity to, is the threat to autonomous computer networks, where a third party physically breaks into a system via its infrastructure devices.

Due to their nature, IP security and surveillance networks put physical network connections in both secure and unsecured locations. Vulnerable positioning provides ample opportunities for the would-be attacker, so due care and attention must be paid to equipment protection.

However, installers must also treat secure sites in exactly the same way. The point of attack could originate from a source fully entitled to be within an area. No chances can be taken.

An Ethernet network comprises both active (needs electrical power to operate) and passive (does not require power) equipment.

Active equipment includes Ethernet switches (we’re focusing on Layer 2 Ethernet switches based on MAC addresses, not Layer 3 devices that can switch on  IP or MAC address) and media converters, and the passive, a combination of cables, connectors and management such as cabinets, which might also include additional active equipment, for example environmental conditioning and monitoring systems.

The security threat to the network at this level results from a third party physically connecting to the active network devices, or by removing an edge device from the network and attaching unauthorised equipment in its place.

The connection could be to an optical port, but that would require the third party to have the correct optical interface. So for opportunistic reasons, it tends to be a connection via an electrical interface.

Electrical Ethernet ports are based around an industry standard, so connecting to these is relatively simple and as every laptop today has such a connection, the probable weapon of attack is readily available.

Active equipment defence

Ethernet switches are available in managed or unmanaged forms, where the managed platform has many more features and allows the user to configure and remotely monitor the device. The unmanaged unit has no such facilities, it simply does the basic job based on its shipped configuration. Media converters tend to be in an unmanaged format only.

Where security is concerned, managed units offer a number of facilities to prevent unauthorised entry to the network, whereas unmanaged forms do not, thus managed Ethernet switches should be used throughout your network.

It tends to be the case that the simplest features offer the best security, and with Ethernet managed switches, that persists. The ability to disable a switch port that’s not being used in the current network configuration, through the management interface, might seem an obvious security feature but it is one that a lot of network operators fail to employ and may not even know exists on their devices.

If the port is not being used, then disable it, so no unwarranted party can plug directly in to your network

The rules, as you can imagine, are straightforward: if the port is not being used, then disable it, so no unwarranted party can plug directly in to your network. If the port needs to be used for legitimate traffic in the future, then simply open it via the management system.

And while we’re talking about the simplest features being the best, the default username and password that every managed Ethernet switch is shipped with, to enable you to gain access, should be changed to a username and password, commensurate with your security policy.

There is no point in applying all this security, if it could be changed by our attacker connecting to the comms port of the switch (serial data comms port that allows local access to  management configuration once a correct username and password are entered) and gaining access simply by reading the manual!

Once a link has been established between two active units in the network, a LINK acknowledgement (normally an LED indication) is generated and dropped immediately the link is broken. This simple Layer 1 hardware-based trigger has been utilised by Comnet in their unique Port Guardian feature and can be used to shut a port down on the basis that a loss of link is a potential attack.

The feature can be further expanded to shut down ports in the event that power is lost to the active device – just in case our attacker has the smart idea of switching connections once the switch is powered down. If any units are deployed in unsecured locations, then the port receiving communications from that site should be activated with this feature to counter link breaks in these areas.

Passive equipment security

Security should be applied to the passive components of the network as well as the active ones. How many times have you walked along the pavement and observed the door of a utilities company street cabinet hanging off, or even the access flap open on a lamppost?

If any part of the network is housed within an enclosure, some form of sensor must be on the door to tell you if it is open or closed

The reason is, that for most cases, the system owner or operator has no idea that the door of their cabinet is open and their system is not secure! If any part of the network is housed within an enclosure, some form of sensor must be on the door to tell you if it is open or closed.

If the door is open and you are not aware of it you provide an easy target for any attacker and, at the same time, allow the elements to damage your enclosed equipment. And remember, it doesn’t just need to be active equipment. If the enclosure simply houses cable management that could be an opportunity to break in to the network. This requirement is an absolute must in unsecured locations!

Conclusion

To guard against attacks, managed Ethernet switches should always be used as the active building blocks of the network as they offer the maximum level of security when configured correctly. Managed units will also provide users with the ability to remotely control and monitor network devices, and will generate automatic warning signals if an issue arises.

Any managed, Ethernet switch must be configured based on the security levels and operational requirements of the site to ensure correct operation.

Those who ignore the basics of network security and opt instead for cheaper, unmanaged devices, are exposing their networks to the risk of hackers. Hackers who can very quickly turn a sophisticated security network to their own advantage.

And with the safety and protection of critical infrastructure, data and communications at stake, are you prepared to take that risk? It seems an irresponsible risk to take.

IFSEC International takes place between 19-21 June 2018, ExCeL London.If you want to visit Comnet and discuss more about cybersecurity and securing Edge devices. Register here and visit them at stand E420.

Free Download: Cybersecurity and physical security systems: how to implement best practices

Discover the five-step process for strengthening your cyber and physical security systems with this free resource from Vanderbilt. Learn how to choose the right equipment to stay diligent and protect your systems against cyberattack, and learn what cyberattacks mean in an interconnected world.

Related Topics

Leave a Reply

avatar
  Subscribe  
Notify of
Topics: