Why Physical Security Practitioners Need to Care About Cyber Security
Most physical security and life safety systems are now connected to the Internet, making them vulnerable to cyber security attacks. How are you protecting them?
It seems like practically every week, some organization is reporting it has experienced a cyber security issue. Yahoo’s 2013-2014 data breach affected about 3 billion accounts, while the 2017 Equifax incident affected about 143 million people, reports CSO. Last year, Los Angeles Valley College paid $28,000 to ransomware hackers to restore its data. In 2016, the Horry County School District in South Carolina paid about $8,500, while Hollywood Presbyterian Medical Center paid $16,664 to a hacker.
But for law enforcement, traditional security and emergency management professionals who are more accustomed to being responsible physical the physical safety security of their campuses, they might think they don’t have to worry about cyber security. They should think again.
The threat is very real, especially now that so many devices are connected to the Internet, including security cameras, communications equipment, access control, fire systems, intrusion detection solutions, lighting systems, heating, air conditioning and ventilation systems, televisions and more. Physical security practitioners would be wise to start caring about data breaches.
To find out more about this issue, Campus Safety magazine (CS) spoke with Chuck Davis, who is Hikvision’s director of cyber security. He is also an adjunct professor at the University of Denver where he teaches cyber security best practices.
In this exclusive interview, Davis talks about the importance of cyber security, as well as the devices and systems that could be vulnerable if a hospital, school or university doesn’t take the necessary steps to make their internet-connected equipment more secure.
CS: Why is maintaining cyber security in a video surveillance system so important?
Chuck Davis: Video surveillance systems, just like all systems that are part of the internet of things (IoT), are actually computers, so we tend to forget that all of these devices that we’re connecting to IP networks and they’re adding all this great functionality to allow us to remotely monitor or control them are actually computers. They have operating systems and they will have vulnerabilities, and so if we don’t take our proper due diligence and protect those things and really apply cyber security best practices, we put them at risk of being attacked and could be the way that a campus or an organization is attacked through the internet.
CS: So if a security camera or some other component of a security surveillance system is hacked, what can happen after that? What are some of the vulnerabilities? We’ve heard about ransomware. We’ve heard about malware. What’s going on with that? How does that affect a hospital, school or university?
Davis: It can be a pivot point, so the way that attackers typically work is they try to gain access internally to at least one device. A lot of times that comes with malware, using phishing attacks, which could be an email with an attachment or an instant message or a text message, just trying to get somebody to click on a link or open the wrong file to infect a system. As soon as that system’s infected, it can reach out to the internet to the bad guys and give them access back into that network.
Firewalls and all those security protections aren’t going to stop it because that infected device reached out to the bad guy. Now the bad guy is inside. Whether it’s of video surveillance equipment or any other computer, it could be a pivot point for that bad actor to go and try to attack other systems, install things like ransomware like you mentioned or even go exfiltrate sensitive data.
CS: Like what happened in Target a few years ago with the HVAC system, correct?
Davis: Correct. There’s been a number of situations over the past years where the main systems of the organization or the company were secured, but some of these peripheral systems weren’t treated as production enterprise systems, and that’s where you run in to some trouble.
CS: So when we’re talking about vulnerable systems, we’re talking about heating and ventilation and air conditioning systems, lighting, different types of things that you might not think would be connected to the internet, right?
Davis: Sure. They all fall under the internet of things or IoT devices, and so now we’ve got this great internet and we’ve got amazing capacity to remotely connect and control these systems, but we have to get in the mindset of understanding that this is part of our enterprise infrastructure. This is part of our IT systems, so your cyber security teams at your universities or your organizations should be monitoring traffic, looking for intrusions or hacking or malicious and suspicious activity in those networks as well as the networks that have laptops, desktops and servers.
Stay tuned for part 2 of CS’ interview with Davis where he discusses the steps universities, schools and hospitals can take to improve their organizations’ cyber security.