Could a Cyber Attack Breach Your Corporate Email or Disrupt a Vital Utility through a CCTV or Access Control Vulnerability?

The CPNI recently published guidance and a video demonstrating how a hacker can exploit vulnerabilities in IP CCTV and access control systems and highlights the need for physical security managers to work more closely with IT security teams.

I urge you to watch it below:

It is a real problem for some organisations but we must ask ourselves: “Is it relevant to us in our own business?” I have had the personal privilege of spending valuable time with many colleagues in the cyber security field over the last 10 years and the issue of vulnerabilities in physical security devices and systems has been a regular topic of conversation.

It has even reached the dizzy heights of LinkedIn in various groups and there are a few leading security professionals who agree that attackers can exploit these systems.

As most of us know, the criminal or terrorist will look for the easiest way into a building or a network. He or she will want either information or the ability to disrupt a facility’s controls, thereby causing potentially catastrophic damage.

My question for the reader is: do you manage networked CCTV or access control systems? Are you certain that the system and devices themselves are secure from a hacker’s attack? IP cameras are mini computers, which should be firewalled and protected in depth on a company’s IT infrastructure.

Converged strategy

It is the view of many of my colleagues that most businesses do not conduct a cyber security risk assessment on these systems. This is where a converged security strategy helps an organisation as a team approach will lead to such issues being examined and resolved.

Unfortunately our research shows that it is still only about 35% of companies which operate in this way (ASIS/ISAF European Convergence Survey 2012). This means that often the physical security team have to manage these complex systems without regular contact with the Cyber security team.

It maybe that it was set up with the knowledge of IT but the Physical team is left to ensure it is protected from cyber attack. But as with some IT systems the password is not even changed. This view is supported by CPNI and leading Penetration Testers.

In others passwords are easily compromised and there is a reliance on the supplier to update and maintain the system. Sadly manufacturers and vendors are often not committed to providing secure systems and devices.

In a similar way the IT industry has called for improvements in software security over many years.

Critical national Infrastructure and other businesses are vulnerable to attack with potential catastrophic consequences. The CPNI clearly do think it is an issue.

Who then, are we to continue to ignore the threats? It is my conviction that company security managers need to ask for a meeting with their colleagues in the cyber security area and consider how they can test their physical security systems and assure the business that a hacker will not be able to penetrate them.

There are some excellent consultancies that can help you with converged security strategies and there are a few first class teams currently operating in our industry that could help you identify system vulnerabilities and work out how you can remediate them. So if your own company lacks the expertise then seek them out and make sure you don’t become the next victim of a hack.

Sometimes I think that we, as an Industry, are more interested in the Cybermen of Dr Who than the real threats posed by hackers. Cyber is on the door of Physical Security and many of us are just not prepared.

Ask yourself if the senior management will keep you on if it is discovered you  have failed to effectively secure the CCTV or Access control system and the CEO’s personal email has been leaked to the press.