Charlotte Geoghegan

Head of Content, IFSEC and FIREX

Charlotte Geoghegan (nee Wright) is Head of Content for the Protection & Management portfolio, which includes IFSEC and FIREX live events and IFSEC Global.com
May 5, 2016

Why Physical Security Professionals Need to Get to Grips with Cyber Security

‘Stop thinking cyber security is an IT problem, because it’s not; it’s a business problem’, advised industry expert, Mike Gillespie, at a recent NSI Summit.

Mike, who entered the cyber security business before computers had made their way into offices, went on to stress that IT managers cannot be expected to manage this epidemic alone. 40 billion devices will be connected to the internet by 2020, and if something has a computer attached to it, it has the potential to be hacked. Cyber security poses the biggest threat to insurers’ balance sheets since 9/11, yet so many organisations have no real strategy to deal with it. The issue has to be taken on at board level, warned Mike, and security professionals have a huge role to play.

Security professionals making it easy for hackers

In today’s connected workplace, weak links in security systems can be the easiest way for hackers to get onto a network. Those culpable for inviting outsiders in sometimes include: manufacturers, who push out unsecured products until end-users stump up; installers, who leave systems running with default passwords; and end-users, who unknowingly open up networks, leaving their organisations vulnerable to attack.

A couple of examples…

Number one: Last year, news broke that hundreds of CCTV systems were live-streaming content across the internet. Nearly all of those systems, Mike explained, had been compromised because an installer had not changed the default username and password.

Number two: Mike identified a server on a client’s network, but couldn’t find it using schematics. The IT manager claimed to know nothing about it and, on paper, it didn’t exist. Eventually, the Facilities Manager admitted he had added it to the system, without communicating the change or being aware of the threat.

“If we, security professionals, are the vector that allows that attack, what does it mean for our integrity?” – Mike Gillespie

Calculating risks of cyberattacks

The problem is that many organisations have an armadillo model, with a hard outer shell but a soft inside. In other words, once someone cracks into the network, they run riot. What starts as a very simple approach, probably a phishing email, then opens out and expands into a far more complex and sophisticated attack as more systems are compromised. These could be any system, on any network.

Many clients Mike comes across haven’t calculated the risk of cyberattacks and, in some cases, are unaware when a breach has even happened. So if they don’t know how much risk they are exposed to, there’s no way they can manage it as part of corporate governance.

‘Can you imagine any organisation without a CFO?’ Mike asked rhetorically. ‘No, so why do most organisations not have a Corporate Security or Risk Director? A cyber threat can be as crippling as any financial irregularity.’

EU regulations on Data Protection are changing, and the penalties for a data breach that exposes personal information (think Target, Adobe, TalkTalk) could result in fines of up to 4% of global turnover. This, if nothing else, should be enough to force the issue into the boardroom. Granted, this relates to personal information, but how that information is handled is a reasonable indication of an organisation’s security posture.

What makes matters more difficult is a lot of organisations don’t recognise what equipment makes them vulnerable. Smart TVs with video conference over IP, for example, won’t always get locked down as corporate devices, but are a huge security threat, according to Mike. Essentially, anything with a back-end server or system controlling it – access control, air conditioning, logistics systems etc. – is hackable.

Real-life hacks

A major artery of Israel’s national road network was shut down after CCTV cameras were attacked by a Trojan horse.

A German steel mill was unable to shut down a blast furnace as normal after hackers accessed the mill’s control system through infected emails.

As recently as last week, Germany reported a nuclear power plant had been infected with malware.

A South Korean nuclear power plant was attacked via its operating systems.

PlayStation’s network has been compromised three times. Hackers who claimed responsibility for the 2014 attack said they had done it simply ‘because they could’.

Jeep had to recall vehicles because someone got into a car’s management system and crashed it.

VTech enabled hackers to get into family homes through baby monitors. Did you know they’ve since changed their terms and conditions to say that if they get hacked again and you lose your personal details, it’s your fault?

Some people have had pacemakers turned off because they’re worried about assassination. This has even featured as a storyline in a popular TV show, as the idea of the insecurity of the Internet of Things starts to permeate our awareness.

Cyber bank heist

A particularly interesting attack that Mike brought to our attention was a recent case involving a bank. Hackers got into the CCTV network and sat there, undetected, until they were satisfied they had got to grips with the day-to-day running of the bank’s operations. Next, the crooks accessed bank accounts where they created money by artificially increasing bank balances. Finally, they withdrew the new cash from ATMs, leaving bank accounts with the original balance, which gave them even longer to go undetected in this unique crime – a bank robbery where the bank and its customers lost no money.

At the time Mike gave this presentation, the case was still ongoing, and it left us to wonder: if the defendants were found guilty, how long would they get inside? Less, you might expect, than if they’d staged a hold-up and/or killed a few people in their pursuit. Walk into a bank robbery with a gun, get life. Walk in with a computer and get what? 8 years, perhaps? The risk versus the reward is significantly reduced when cyberattacks replace physical attacks, so, as criminals wise up, we have to expect more of this to come.

Free tools for lazy hackers

The entry requirements for becoming an attacker are being lowered all the time, Mike explained. You don’t need to be an IT geek to get the hang of this, which is why there are now hundreds of thousands of attacks per day. There’s even a free tool you can download called Lazy Kali (Kali being the Hindu goddess of destruction) which lets you ‘point and hack’. It requires only a small amount of technical knowledge because it’s all drop-down boxes and selection menus – not that different from an online food shop. Simply choose the networks you want to attack, when you want to attack and Lazy Kali takes care of the rest.

Mike Gillespie’s cyber security takeaway

The key advice for attendees at the NSI Installer Summit was ‘stop thinking “I’m not a big corporate, this doesn’t matter to me”’.

This is impacting real, physical environments and it has the potential to cause widespread chaos. It’s not just the lazy hackers who are after us, but also well-resourced, capable people – sometimes state-sponsored, sometimes terrorists.

Cyber terrorism is increasingly rising up the government agenda and, as security professionals, we have the ability and responsibility to protect our partners, customers and our own integrity.

Mike Gillespie will be at IFSEC International 2016, taking part in a panel discussion on how the relationship between physical security and IT is evolving. The panel takes place on 22nd June at 11.00 and will also have speakers from ASIS International, Pelco and Noord-Group.


5 Comments on "Why Physical Security Professionals Need to Get to Grips with Cyber Security"

Advent_IM_MD

CLWright42 glad you enjoyed it. Lots more on Advent_IM website, blog and youtube channel ☺

rossbale

Gerry_Dunphy ifsecglobal How about IT Security professionals getting to grips with physical security as well?

Faith Moraa Ombongi
Great article, too true a reality, unfortunately. From what I’ve seen, security vendors don’t really want the hassle of anything that is too IT related in their SOW. Vendors don’t have an InfoSec department/personnel, and Layer 2 switches are implemented for security systems even in highly tech organizations. Security operators will just leave it up to the vendor to handle any problems – unknowingly, in their ignorance (forgive the term), they could expose the organization to these third parties. But IT seems to be “avoiding” the risks from physical security systems by keeping them on separate physical networks and…
CLWright42

rossbale Gerry_Dunphy ifsecglobal Very good point! Sounds like a good follow-up article

Jared Jake

In the business sector there are many computers, and the IT manager doesn’t have enough time to check every computer. And as there is so much important data present, there is a chance of data being stolen by hackers. Your system can also be affected by a virus. So physical security professionals need to get to grips with cyber security. And thanks to you for the valuable information given in this blog; it’s really helpful to business owners.