Connected physical security equipment, like networked surveillance cameras and smart access control systems, offers many advantages for facility and safety managers responsible for securing the premises of retail, industrial, government, and other organizations. Integrated IP-video recording systems with cloud-based recording and administration features are popular among users with little time to purchase and integrate different camera, cabling, and video storage hardware.
Research on this physical security slice of the Internet of Things (IoT) device market, and real-world events, however, show that adoption of these systems introduces complex cyber risk issues.
In 2020, our Forescout Research Labs team set out to identify the top 10 riskiest IoT devices as part of an exhaustive study analyzing 8 million devices across more than 500 enterprise deployments. We looked at factors like the frequency and severity of vulnerabilities discovered in these platforms and unique risks posed by where and how they are typically installed. Physical access control systems were the riskiest class of devices. Building HVAC systems came in second, and connected camera systems came in third. The fact that in-demand physical security and camera systems claimed two of the top three categories shows the scale and stakes of cyber risk management around these systems.
These risks must be assessed and handled jointly, typically by otherwise very different teams focused on the safety of employees and facilities versus the security of corporate networks and data. Here are a few crucial principles to bear in mind.
Who Will Own the Devices—and Their Attack Surface?
Physical and cybersecurity professionals need to collaborate more than ever because they are both accustomed to the relentless change and consequences of risks to business operations, particularly more than a year into the COVID-19 pandemic.
Connected cameras are a great example of where these worlds collide. A facility manager might have the authority to evaluate, purchase, and deploy cameras, working almost exclusively with the camera vendor to take delivery of the devices, install them on the network via Wi-Fi, and set up credentials to remotely administer the system’s footage and recordings.
While this sounds like an isolated project, in reality each of those cameras adds a new computing device to the network with its own operating system, IP stack, and other software features. Any of these can contain vulnerabilities or otherwise expand the total digital attack surface falling under the cybersecurity team’s responsibility.
A well-managed deployment is a secure deployment, so establish up front who is responsible for the data and imagery these devices gather, versus their security footprint. In practice, this means physical and cybersecurity teams identifying where cameras will be physically installed and ensuring they have a grasp of which networks the cameras will need to access as part of the deployment. It is important to make sure network segmentation is in place that isolates cameras and other IoT devices from more sensitive facility equipment and IT assets.
Keep an Eye on Third-Party Risk
Today, the reality with connected cameras and other physical security controls is that you are seldom buying just a camera, badge reader, metal detector, or other hardware. There is usually a private cloud or other networked function embedded by the equipment’s manufacturer. Sometimes this connectivity is an active feature set, like the ability to view and manage devices on the fly from a mobile app. Other times, connectivity is more hidden: a vendor may require the device to reach the Internet through your network for things like warranty eligibility or product updates.
The common denominator is you end up opening your network to an entire third-party ecosystem, whether you realize it or not. Users ignore this risk at their peril; it cannot go unmanaged.
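Both points above, segmenting the camera network away from IT assets and knowing which outside services the cameras actually talk to, can be checked against firewall or flow logs. The following is an added example (not Forescout's code and not drawn from the article) that audits constructed flow records against an assumed address plan: a camera VLAN, an on-premises recorder, the corporate address space, and a placeholder vendor cloud range. Every address, port, and log line is an assumption made for the example.

```python
import ipaddress
import re
from typing import Optional

# Assumed address plan (constructed for this example, not from the article).
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")          # segment holding the cameras
NVR = ipaddress.ip_address("10.50.0.10")                     # on-premises recorder
NVR_PORTS = {554, 443}                                       # RTSP streams, HTTPS management
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),        # everything else internal
                  ipaddress.ip_network("192.168.0.0/16")]
VENDOR_CLOUD = [ipaddress.ip_network("203.0.113.0/24")]       # placeholder vendor range (TEST-NET-3)

KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp key=value ...' flow record into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV.findall(rest))
    return {
        "ts": ts,
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields.get("proto", "tcp"),
    }


def classify(flow: dict) -> Optional[str]:
    """Return None for flows not originating in the camera VLAN, otherwise a verdict."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if src not in CAMERA_VLAN:
        return None
    if dst == NVR:
        # Cameras should only stream to and be managed from the recorder on known ports.
        return "allowed" if dport in NVR_PORTS else "unexpected-service"
    if dst in CAMERA_VLAN:
        return "allowed"  # camera-to-camera traffic inside the segment
    if any(dst in net for net in CORPORATE_NETS):
        return "segmentation-violation"  # camera reaching into IT/facility assets
    if any(dst in net for net in VENDOR_CLOUD):
        return "allowed"  # the vendor connectivity you knowingly accepted
    return "unexpected-egress"  # hidden third-party or unknown destination


def audit(log_text: str) -> list:
    """Run every record through classify() and collect the ones needing attention."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict not in (None, "allowed"):
            findings.append({"ts": flow["ts"], "src": str(flow["src"]),
                             "dst": str(flow["dst"]), "dport": flow["dport"],
                             "reason": verdict})
    return findings


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = """\
2021-04-01T10:00:01Z src=10.50.0.21 dst=10.50.0.10 dport=554 proto=tcp
2021-04-01T10:00:02Z src=10.50.0.21 dst=203.0.113.7 dport=443 proto=tcp
2021-04-01T10:00:03Z src=10.50.0.22 dst=10.10.5.40 dport=445 proto=tcp
2021-04-01T10:00:04Z src=10.50.0.22 dst=198.51.100.9 dport=443 proto=tcp
2021-04-01T10:00:05Z src=10.50.0.23 dst=10.50.0.10 dport=22 proto=tcp
2021-04-01T10:00:06Z src=10.10.5.40 dst=10.50.0.21 dport=80 proto=tcp
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

On the sample, the camera that reaches a file-sharing port on a corporate host is reported as a segmentation violation, the connection to an address outside the accepted vendor range as unexpected egress, and the SSH attempt against the recorder as an unexpected service; the recorder stream and the known vendor cloud connection pass. Feeding real firewall or NetFlow exports through the same logic is how you turn the "which networks will the cameras need to access" conversation into something you can verify after deployment.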
In the case of the recent Verkada camera breach, for example, an intruder was able to obtain login credentials that let them access Verkada’s independent back-end cloud platform. This, in turn, meant the intruder could peer into the video feeds of numerous Verkada camera systems deployed around the world, unbeknownst to those customers.
Verkada is simply one high-profile case. These types of cloud-powered camera systems are used everywhere and have clear deployment, usability, and performance advantages. Do not lose sight of the fact that you inherently shoulder increased third-party risk when you bring service providers onto your network, meaning you need to understand how you and the vendor will handle things like credentials and data storage.