James Willison

Project & Engagement Manager, IoT Security Foundation

James Willison MA, is a recognised International leader in Security Convergence and Enterprise Security Risk Management. In 2020 IFSEC Global listed James #8 in the top 20 Cyber Security Thought Leaders across the world. Shortlisted in Security Serious Unsung Security Heroes Awards 2018, as a Security Leader/mentor. James is Co Chair, Smart Buildings Working Group, Internet of Things Security Foundation and a member of the ASIS International ESRM Steering Committee. He is founder of Unified Security Ltd, a Vidsys consultant, works with AXIS Communications on cyber security and advises on the IFSEC Converged Security Centre. James was awarded the Imbert Prize for an ‘outstanding contribution to the Security Industry in 2011’ for his work on convergence with ASIS Europe and the Information Security Awareness Forum. He has more than 20 years of management experience in the physical and information security industry, including posts as Advisor on Convergence to the Mitie TSM Board, Senior lecturer in Security Management at Loughborough University and Digital Security Expert with the European Union. He has co-authored three White Papers and a series of new articles with Sarb Sembhi, sponsored by AXIS Communications, on ESRM, GDPR and Smart Buildings and Cities’ Security.
January 15, 2015

Could a Cyber Attack Breach Your Corporate Email or Disrupt a Vital Utility through a CCTV or Access Control Vulnerability?

The CPNI recently published guidance and a video demonstrating how a hacker can exploit vulnerabilities in IP CCTV and access control systems, and highlighting the need for physical security managers to work more closely with IT security teams.

I urge you to watch it below:

It is a real problem for some organisations but we must ask ourselves: “Is it relevant to us in our own business?” I have had the personal privilege of spending valuable time with many colleagues in the cyber security field over the last 10 years and the issue of vulnerabilities in physical security devices and systems has been a regular topic of conversation.

It has even reached the dizzy heights of LinkedIn in various groups and there are a few leading security professionals who agree that attackers can exploit these systems.

As most of us know, the criminal or terrorist will look for the easiest way into a building or a network. He or she will want either information or the ability to disrupt a facility’s controls, thereby causing potentially catastrophic damage.

My question for the reader is: do you manage networked CCTV or access control systems? Are you certain that the system and devices themselves are secure from a hacker’s attack? IP cameras are mini computers, which should be firewalled and protected in depth on a company’s IT infrastructure.

Converged strategy

It is the view of many of my colleagues that most businesses do not conduct a cyber security risk assessment on these systems. This is where a converged security strategy helps an organisation, as a team approach will lead to such issues being examined and resolved.

Unfortunately, our research shows that still only about 35% of companies operate in this way (ASIS/ISAF European Convergence Survey 2012). This means that the physical security team often has to manage these complex systems without regular contact with the cyber security team.

It may be that the system was set up with the knowledge of IT, but the physical team is left to ensure it is protected from cyber attack. But, as with some IT systems, the password is not even changed. This view is supported by CPNI and leading penetration testers.

In others, passwords are easily compromised and there is a reliance on the supplier to update and maintain the system. Sadly, manufacturers and vendors are often not committed to providing secure systems and devices.

In a similar way the IT industry has called for improvements in software security over many years.

Critical national infrastructure and other businesses are vulnerable to attack, with potentially catastrophic consequences. The CPNI clearly do think it is an issue.

Who, then, are we to continue to ignore the threats? It is my conviction that company security managers need to ask for a meeting with their colleagues in the cyber security area and consider how they can test their physical security systems and assure the business that a hacker will not be able to penetrate them.

There are some excellent consultancies that can help you with converged security strategies and there are a few first class teams currently operating in our industry that could help you identify system vulnerabilities and work out how you can remediate them. So if your own company lacks the expertise then seek them out and make sure you don’t become the next victim of a hack.

Sometimes I think that we, as an industry, are more interested in the Cybermen of Dr Who than the real threats posed by hackers. Cyber is at the door of physical security, and many of us are just not prepared.

Ask yourself if the senior management will keep you on if it is discovered you have failed to effectively secure the CCTV or access control system and the CEO’s personal email has been leaked to the press.
