IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Colin Bodbyl is the founder of Zeecure.com and Chief Technology Officer at Sonitrol of South Central Ontario. He has over 10 years' experience in the security industry specializing in the design and installation of physical security, IP CCTV, video analytics, and access control systems. In 2012 Colin developed Zeecure.com to connect with other integrators and end users through his unique video blogs.
Most physical security experts have never needed to know much about cyber security. As physical security systems move onto IP networks, that has changed: cyber security training should be on the agenda for every one of us.
Google Australia recently felt the pain of using installers who were not trained in cyber security. Security researchers found the building management system at Google's Wharf 7 office in Sydney reachable from the Internet. The company that installed it had connected it to the Internet to allow for remote access, but left the administrator login at the default. The researchers got in easily and gained access to confidential floor plans and the building's environmental controls. The system in question was a Tridium Niagara building management platform rather than the door access control system (the Niagara platform has access control extensions, but they were not in use), but the failure mode is exactly the one an integrator creates by putting an access control or CCTV head-end on the Internet the same way.
It is an embarrassment for the physical security industry, but how can we prevent this from happening again?
You do not have to connect everything to the Internet. I have been to countless sites where devices are on the network, or on the Internet, simply because they can be. The end user may never access the system remotely, but the integrator, with the best of intentions, connected it anyway. If the client does not need remote access, or decides not to use it, take the system off the network. If remote access genuinely is needed, do not port-forward the admin interface to the Internet; put it behind the client's VPN or behind firewall rules agreed with their IT staff.
Keep the software up to date. The Wharf 7 system was running an out-of-date version of its software, and the vulnerability the researchers exploited had already been fixed by the vendor. The ultimate failure, then, was not the default password but that a patch existed and had not been installed. Keeping software up to date is a critical yet simple step: record the firmware or software version of every device you hand over, subscribe to the vendor's security advisories, and agree with the client who applies patches after handover.
Communicate with IT. Talk to your client's IT staff. Many security professionals skip this step, not out of ignorance but out of intimidation. In-house IT professionals have a wealth of knowledge; some will gladly share it and others will not, but it never hurts to ask. Let them know what you are installing and where it connects, and ask which security measures their organization requires: which network segment the system belongs on, who manages the firewall, and how passwords and patches are handled. Learn the basics of network security yourself so you can follow the conversation. In doing so you will earn their trust, and if a breach ever occurs they will have confidence that you are not to blame.
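As an added example from the editor, not code from the article or its author, the following Python script turns the three steps above into a handover check an integrator can run against a site inventory: it flags an admin interface reachable from outside the client's LAN (and says whether remote access was even asked for), a login still on a factory default, and firmware older than the version in which the vendor shipped its fix. The product names, default logins, fixed-version numbers and addresses in it are all constructed for illustration, and the LAN ranges it assumes are the RFC 1918 private blocks; on a real job you would fill the two tables from the vendor's advisories and agree the address ranges with the client's IT staff.

```python
"""Pre-handover audit for an IP-connected physical security system.

Added example by the editor, not code from the article's author. It checks
the three failures the article describes: an admin interface needlessly
reachable from the Internet, factory-default credentials left in place, and
firmware older than the version in which the vendor shipped its fix.
Every product name, default login, version number and address below is
constructed for illustration, not real vendor data.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical products and their factory-default logins (constructed).
DEFAULT_CREDENTIALS = {
    "ExampleACS": {("admin", "admin"), ("admin", "1234")},
    "ExampleBMS": {("administrator", "")},
}

# Hypothetical: the first firmware version that contains the vendor's fix.
MIN_PATCHED_VERSION = {
    "ExampleACS": "3.4.2",
    "ExampleBMS": "3.6.47",
}

# Address space the client treats as its own LAN (RFC 1918, an assumption).
# An admin interface answering on any address outside these ranges is treated
# as reachable from outside, e.g. a router port-forward to a public address.
CLIENT_LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Device:
    name: str
    product: str
    version: str
    username: str
    password: str
    management_addr: str        # address the admin interface answers on
    remote_access_needed: bool  # did the client actually ask for remote access?


def parse_version(text: str) -> tuple:
    """'3.4.2' -> (3, 4, 2): compare numerically so '3.10' sorts after '3.9'."""
    return tuple(int(part) for part in text.split("."))


def uses_default_credentials(dev: Device) -> bool:
    return (dev.username, dev.password) in DEFAULT_CREDENTIALS.get(dev.product, set())


def is_unpatched(dev: Device) -> bool:
    """True when the installed version predates the vendor's fixed version.
    Products with no known baseline return False; audit() flags those separately."""
    minimum = MIN_PATCHED_VERSION.get(dev.product)
    if minimum is None:
        return False
    return parse_version(dev.version) < parse_version(minimum)


def is_reachable_from_outside(dev: Device) -> bool:
    addr = ipaddress.ip_address(dev.management_addr)
    return not any(addr in net for net in CLIENT_LAN_RANGES)


def audit(devices):
    """Return {device name: [(finding code, message), ...]}; an empty list is a pass."""
    report = {}
    for dev in devices:
        findings = []
        if dev.product not in MIN_PATCHED_VERSION:
            findings.append(("NO_BASELINE", "no patch baseline known for this product; confirm with the vendor"))
        if is_reachable_from_outside(dev):
            if dev.remote_access_needed:
                findings.append(("EXPOSED", f"admin interface on {dev.management_addr} is reachable from outside the LAN; put it behind the client's VPN or firewall rules agreed with IT"))
            else:
                findings.append(("EXPOSED_UNNEEDED", f"admin interface on {dev.management_addr} is reachable from outside the LAN and remote access was never requested; take it off the network"))
        if uses_default_credentials(dev):
            findings.append(("DEFAULT_CREDS", f"login {dev.username!r} still uses a factory-default password"))
        if is_unpatched(dev):
            findings.append(("UNPATCHED", f"firmware {dev.version} predates fixed version {MIN_PATCHED_VERSION[dev.product]}"))
        report[dev.name] = findings
    return report


# Constructed sample inventory, as an integrator might record it at handover.
SAMPLE_DEVICES = [
    Device("lobby-acs", "ExampleACS", "3.4.0", "admin", "admin", "203.0.113.10", False),
    Device("plant-bms", "ExampleBMS", "3.6.47", "administrator", "H7!vq-sunset-Reef", "10.20.30.5", False),
    Device("gate-acs", "ExampleACS", "3.10.1", "integrator", "Ky9#lantern-Quay", "203.0.113.11", True),
    Device("yard-cam", "ExampleNVR", "1.2.0", "root", "pass", "192.168.50.7", False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES).items():
        print(f"{'PASS' if not findings else 'FAIL'} {name}")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

Run it and you get a PASS or FAIL line per device with the specific finding; extend the two tables as you learn the products you install. It reads an inventory you recorded rather than probing the devices, so it is only as honest as the inventory, and a product missing from the patch table is reported rather than silently passed.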
As physical and digital security continue to overlap, integrators and installers need to educate themselves on the basics of cyber security. By developing installation practices built around cyber security, along with a simple understanding of the threats, physical security professionals can avoid being embarrassed by events like this one.
Physical Security Experts Must Understand Cyber Security
Colin Bodbyl
24 Comments
safeNsane
July 10, 2013 8:07 am
“Communicate with IT.”
I can’t even begin to describe how important this is with modern security systems. Everything is IP enabled now and leaving a system setup the way the average implementer leaves it is asking for trouble. I was brought into the physical security realm for this exact reason, systems left open and no one really understood the IT side of how they should be handled.
JonathanL
July 10, 2013 9:08 am
Ease of access has been a thorn in the side of security from day one. You want your product to be easy to use and connect to because you want your customers coming back to you instead of looking for something that is less cumbersome than your product. The problem with that is that in opening the doors to the people you want to have an easy time using it, you open the doors for everyone else as well. Just because something can go on the internet doesn't mean that it necessarily should; the example you gave for your article…
I feel no matter what type of security it’s still a risk to the business and should be all taken into account. Cyber security is one of the main concerns for most companies we speak to. The problem is companies are not doing their best to protect their data and systems.
I think in the case of small companies it’s a bit tougher than that. While they would say that they want to keep systems secure and that they know it is important they don’t have the resources to stay up on systems security. When you have an accounting clerk handling your network security because he “knows computers” keeping up to date is much easier said than done.
safeNsane I agree, you can have people working on your system that believe it is safe just because they only have a limited knowledge of the subject. It is not that they are purposely avoiding or ignoring some threat they just honestly do not know it does not exist.
MMCsecure
July 17, 2013 12:24 pm
The author clearly does not understand the difference between a physical security system and a building control automation system – HVAC. The system that was breached at Wharf 7, which hosts Google's headquarters, was a Tridium product (JACE) that utilizes the Niagara framework to manage and control the environmental systems, NOT PHYSICAL ACCESS CONTROL that would control physical access doors to the facility. While the Tridium offering does have physical security extensions, they were not in use in this case. ACU nomenclature on the floor diagrams stands for Air Conditioning Unit. The Cylance researchers were very clear that this was an…
SunitaT
July 22, 2013 1:00 pm
It's hard to give cyber security training to a security guard. As everything is now connected to the internet, a cyber security expert could be hired in the physical security department to avoid this type of incident in future.
@Mike Clauss – It’s a must for physical security experts to know about cyber security as most of the physical security devices used are connected to the systems.
@Jonathan Lipscomb – As you said, physical security and cyber security need to merge to get the best out of it. We are much stronger when both these teams work as one.
@N De Silva – I think we need to understand the logic behind these two teams, the existence of both the teams is to create a secure environment for the business. This could be virtually or physically.
@Mike Clauss – An accounting clerk cannot handle the security aspect of the business as they are two separate job roles. Anyone who knows the basics of computer cannot handle the security aspect of the entire business.
@Jonathan Lipscomb – yes having people who don’t have the knowledge is a great risk to the business, especially when it comes to physical or cyber security teams.
@sunita tirlapur – yes, it's hard to give the entire knowledge to physical security personnel, but at least you could teach them the basics. This will help them understand the security better.
@Shehan Ahamed that was my point but you might be surprised how often that happens in small businesses. I’ve gone in circles with people who were named the “tech guy” because they were better with a computer than a few others in the office but was still doing their regular job at the same time. For many small businesses an IT staff is not affordable and local service providers aren’t much better so they tag someone in the office and make them responsible for everything IT. It doesn’t usually turn out well but they keep doing it anyway.
Sunita, I agree with your point there. Cyber security and physical security are two different entities and have totally different connotations. Here, physical security experts need to meet some physical standards to qualify, while cyber security needs IQ standards or education to qualify. I feel that we need to keep these two entities completely separate.
Hmm.. I don’t think that a merger is necessarily in order, although a collaboration of sorts would no doubt be beneficial. More like an integrated system of physical and cyber security, if you will.
@Shehrbano Kamran, yes, they’re really different entities, but with a common goal. They vary in implementation, especially and I do think it’s highly important to train security experts in both before you can actually call them “security experts.” Does that make sense?
@Mike Clauss, part of what you said just reminds me of how it’s not really good at all to work with people who put their ego first. Like, really, there are some people who want to be known as the “tech guy”? How about they do their jobs really well and not care about the titles? After all, it’s not the labels but the job output that matters.
@Shehan Ahamed, you’re right. Providing people with the basic knowledge is key. This is why security education–in all aspects–is so important. Knowledge is power, especially in security.
ITs_Hazel, I agree with your point partially, but feel that if someone is good in IQ or cyber security and bad in his outlook, like misplacement of ergonomics (you know what I mean), we cannot leave him out just because he does not fall under the standards for physical security.
What do you say?
I kind of fall into that category that doesn’t care what my title is or what people call me as long as they agree that I’m doing my job and doing it well. In smaller companies though I see a lot of people making sure they bring a lot of value to the company because if money gets tight in a small company people are usually the first place to cut.
Right on the money… as the economy is still in recovery, companies try to survive on a skeleton crew, and to be on this crew you need to wear many hats, so to say. Same for me in my younger days: for CBC I did security and worked as Security Manager, but my title was Senior Security Officer; my extra duties never got reflected in my paycheck.
Agree, but these days it is a never-ending process: as technology changes every 6-12 months, training and re-training need to follow. Same way, these days each security device has an IP address; it is only the normal process for security, as security technology gets internet/cloud connected and developed…
I think anyone understands what it is but the issue with most of them is that they do not understand how to prevent or block it.