Cyber Security of Electronic Security Networks
Protecting security electronics networks is a fundamental and open-ended challenge.
As electronic security solutions become more dependent on network infrastructure, the ability to secure them from cyber security attacks becomes more pressing. The challenge for installers, integrators and end users entirely embracing the fact that cyber security, like physical security, is an operational imperative that never ends, explains Bosch’s James Layton.
ACCORDING to James Layton of Bosch Security Systems, poor cyber security and the risk of cyber-attacks is one of the least understood and largest threats against electronic security systems.
“There are really 2 key facets to consider when talking about the risks that these elements place on security systems,” Layton explains. “First is that fact that modern security systems are built around the understanding and requirements that the data collected and stored by the device is maintained to a certain degree of integrity.
“We have systems in place to ensure that camera footage is time-stamped, watermarked, and free from digital modification, to use an example. Some cyber-attacks are designed around the intention of compromising the integrity of this data, if not the data itself. Even an attack which fails to remove the data itself, may alter it in such a way that it is no longer considered contemporaneous and would therefore be inadmissible in a legal hearing.
“The other point to consider is that electronic security systems are often tied at a high level to other operational functions. Many systems run concurrently on corporate networks and are accessed by high-risk users such as management, human resources, and local security. Some cyber security attacks target not the system itself, but other network or corporate resources that can be accessed past a poorly defended electronic security system, such as confidential files, and potentially banking or billing records.”
According to Layton, the biggest cyber security threat today is poorly informed, or lazy users.
“Humans generally seek comfort and convenience, and too many of us are given to using the same password for multiple systems, or not paying attention to the exact email we are responding to, or the exact file extension we are opening,” Layton says.
“It’s truly amazing how unsophisticated some successful cyber-attacks have been. Many have been built around the concept of social engineering – for example an email that elicits a response because of an emotionally-charged message like “final warning”, and often looks like an official document from an organisation known to the victim.
“The truth is that cyber security systems themselves are often better than the humans that are implementing them. But they can only be effective if the user follows best practice guidelines, remains informed of developments within that technology spectrum, and engages in the iterative nature of cyber safety.”
When it comes to the key steps installers and end users should take to secure a CCTV solution, an access control solution, or an integrated solution from cyber security threats Layton says the best way forward is to engage with the cyber security defences of the system in question.
“Manufacturers have long been aware of the risks associated with cyber security,” he explains. “Failure to protect a system may not just result in loss of the function of that system, but potentially compromise of other key end-user systems that will incur substantial costs. For this reason, most top tier products in the security market already include strong cyber security elements including data encryption, multiple form factor authentication, etc.
“What the installers and users need to do is ensure that these systems are properly utilised. This starts with identifying common security failures such as overused and unchanging passwords, and establishing corporate systems that require operators to work under more secure guidelines. The other often forgotten component is that a functional security system requires regular updates as the shape of the risk environment is always in flux and there are always new threats around the corner.
“Finally, in a market where there is always a drive to save a little money, we need to be careful that what we are not paying for with cash, we don’t pay for with risk. There’s are no shortage of cheap security systems available in the world that would potentially fail to meet even the most basic cyber security check.”
Layton agrees cyber security is a process and that procedures must be put in place to manage that process – you can never stop and say “we’re secure now, we don’t have to do this anymore”.
“Like a real virus, cyber threats are constantly evolving, and new exploits are regularly being found in software previously thought to be secure,” Layton says. “The only way to truly have the peace of mind that your security system has the lowest level of threat, is to ensure that you have a system in place to deploy iterative updates to the product. It’s something of a conundrum for many people in our industry – some installers may be loath to always install the latest firmware for a product on the basis that they feel it may be untested, or subject to bugs, yet to deliberately hold a system back to a prior version will begin to increase the risk of a successful cyber-attack.
“These sorts of issues have existed in the information technology market for decades, and here technicians have learned to regularly seek updates – few IT installers would use the firmware that comes on the disc in the box with a new piece of hardware, most would go straight to the website for the latest version.”
Some users think it’s viable to disconnect systems from the internet then assume they are protected but Layton is not completely convinced.
“Physical separation is often a very effective way of increasing security… I mean how can a person break in to a house that has no windows and no doors?” he asks. “It’s not the be all and end all of course, but this methodology is likely to make your system much less easy to compromise and thus the attacker is going to move on to the next system. After all, most cyber-attacks are opportunistic, not targeted.
“That said, just like the house with no windows and no doors, an electronic security system that is completely disconnected from the outside world is going to have other major limitations. Most users these days expect to have remote access to their security systems – through apps for example, or to be able to link disparate systems across multiple geographic locations – things that are entirely impossible when a system is physically isolated.
“You’re basically getting in to a situation where managing the risk is starting to invalidate the value of the system you set out to use in the first place. It’s far better in my opinion to have a system with connectivity working to its full potential, while at the same time actively and consistently managing cyber security threats than to have a limited, standalone solution.”
According to Layton, cyber security should be part of any installation and ongoing maintenance agreement and represents an opportunity for enterprising integrators.
“In our industry, we basically sell peace of mind products – you install them, and you hope that you are never in a situation where you have to use them,” he says. “Cyber security is no different. A well-maintained and secure system should never give you the impression that its integrity has been tested. Just as we sell the benefits of a system that is designed to mitigate the risk of physical penetration of a secure environment, we need to also sell the benefits of a system that protects itself from electronic and data penetration.
“From the point of view of installers and integrators, there’s a need to sell the customer on the activities that they need to engage in to ensure this protection, and to get involved in the ongoing service of maintaining this level of protection. There is certainly a commercial opportunity involved in the active maintenance of electronic security systems to ensure that they continue to limit the risk to the end user. Everybody buys a car under the expectation that it will require regular preventative maintenance that will also incur a cost – the same logic needs to apply to our industry in light of cyber threats.”
According to Layton, mobile device security might be less of an issue than many assume.
“It’s not uncommon to look at a mobile device and assume that it presents a much larger level of risk,” he explains. “These devices usually exist outside of the secure environment; they are highly portable, and thus easily stolen or misplaced; and we spend a lot of time using these devices in our daily lives. The truth is, however, that mobile device manufacturers are not blind to the risks created by their devices.
“Mobile devices these days include some of the highest level of data security technology incorporated into their design. Consider, for example, that the iPhone series of products has had biometric verification of some kind included in the last 4 generations of product – something that is still relatively uncommon in physical security installations.
“Ultimately, we need to apply the same rules across all device types. If the passcode for your mobile phone is less secure than the password for your electronic security system, and that phone has access to the system, then yes, you are creating additional risk through that mobile device. However, if you use the same level of risk management with your mobile devices as you do with the security technology itself, then the mobile device becomes just one more weapon in your security arsenal and doesn’t compromise your system.”