John Davies, Managing Director of TDSi, argues cybersecurity must be firmly on the agenda for all ‘self-respecting’ physical security providers and operators.
There was a time when cyber and physical security almost existed in isolation from each other – except perhaps for the locked doors of a server room.
This has all changed in the era of IoT, of course. Physical security systems are fully integrated into the wider IT network to deliver the flexibility and overview benefits that are expected today.
This does mean, however, that cybersecurity must be firmly on the agenda for all self-respecting physical security providers and operators.
Undoubtedly the move to greater integration of security systems has brought obvious benefits for operators in terms of functionality and control.
However, if it is easier for you to access then it is also (potentially) easier for an unfriendly force to gain unauthorised control. This is further compounded by the enhanced connectivity of physical security systems – a potential intruder doesn’t even have to be onsite to gain control; they can attempt to hack these systems via their online connectivity.
There is no point having a toughened security system which is virtually impervious to physical attack if a skilled hacker can simply override it remotely and compromise these defences.
This is where the likes of the end-to-end encryption offered by the OSDP (Open Supervised Device Protocol) standard become essential.
Featuring a secure channel that supports high-end AES-128 encryption to enhance cybersecurity, OSDP also constantly monitors wiring to protect against more localised attack threats.
Furthermore, because communication is bidirectional, the wires constantly ‘supervise’ one another to protect against tampering.
With the big drive towards cloud hosted security solutions there is an even more acute need to ensure physical security systems are properly hardened against potential cyber-attacks. Using HTTPS access to secure cloud storage or systems, for instance, is essential for ensuring hackers don’t just intercept data communications and take advantage.
Broader cyber protection
Much like its physical counterpart, cybersecurity must be watertight throughout the whole infrastructure – literally any weak end point could be exploited by a savvy intruder.
This must extend beyond the security products and the operator’s in-house IT or cloud-based networks right through to the security manufacturers and installers that produce these systems.
In the same way that an integrated physical security system isn’t truly secure if it has any vulnerability to a cyber-attack, any solution produced by a manufacturer that isn’t itself fully cybersecure has the potential to be vulnerable as well.
At the very least, any security business (in fact any business that shares information) should be fully ISO 27001 audited and checked. With most security systems relying upon software at some level, any potential breaches at the production company could see the products themselves also compromised.
The UK Cyber Essentials Certification, which demonstrates a company or organisation’s dedication to fully securing its operations as well as its products and services, is another excellent way to ascertain that a security manufacturer is itself fully secure and cyber aware.
Backed by the UK Government through the National Cyber Security Centre (NCSC), Cyber Essentials helps any size or type of organisation to protect itself and those that rely on it from a range of common and potentially dangerous cyber-attacks.
Impenetrable security barriers
It is also important that products from different security providers can not only integrate seamlessly, but also safely. This is where organisations such as the SPAC (Smart Physical Access Control) Alliance are particularly valuable.
The SPAC® Alliance is an organisation that helps define the standards of Digital Security in Europe through initiatives such as the Secure & Smart Communication Protocol (SSCP), to promote standardisation and interoperability. It is recognised as a key driver in the European Market, working with many major European manufacturers to promote interoperability between systems and acting as a catalyst for success through better information sharing, training and the promotion of standardisation.
SSCP certification demonstrates fully secure connections between readers and the security management system, guaranteeing a level of protection in line with government approved requirements and providing peace of mind that all systems are fully cyber-protected.
A proactive approach
Physical security systems always need to stay one step ahead of the bad guys when it comes to protecting people and property, but the need to be proactive is even more imperative when it comes to cybersecurity. Criminals are using automated tools such as bots to constantly probe and test apparently secure networks, which potentially includes those which oversee physical security systems as well.
It’s wise to tackle these threats head on wherever possible. For instance, at TDSi we have taken the proactive approach of having our IT service provider check the Dark Web for any signs of our systems being potentially attacked or if passwords have been compromised, to head off threats.
If you are using cloud-based systems, it is also vital to ensure these have the tightest cybersecurity in place.
This applies to everyone – be you a security provider, an organisation which uses these systems or a cloud provider yourself.
There is no room for compromise, particularly when so many IoT systems are sharing the same infrastructure and an attack on one element of the network is potentially an attack on them all.
With the rise of hybrid-working and traditional workplaces sitting empty for longer periods, physical security needs to be at the top of its game.
Ensuring full cybersecurity across the board is essential; there is no room for gaps.
Being able to fully rely on your security systems and have peace of mind that they are protected from any kind of attack is something which every person, business and organisation deserves.
For more information, visit: www.tdsi.co.uk
This article was originally published in the August 2022 edition of Security Journal UK.