where physical and cyber security meet - northland controls · 2018-03-20 · cyber questions for...

Post on 20-May-2020

Where Physical and Cyber Security Meet

Is your physical security network itself secured?

About this presentation

• What we will cover:
  • How are Physical and Cyber Security connected?
  • Real world cyber/physical issues
  • Securing the physical security infrastructure

The speaker: Rodney Thayer – Convergence Consultant, Smithee

How are Physical and Cyber Security connected?

Where does that RJ-45 connector go?

What’s in your Physical Security Solution

• Access Control servers attached to a network
• Door control panels attached to a network
• Cameras attached to a network
• Video Management attached to a network
• Visitor Management, Analytics, Robots, Drones attached to a network

What’s Cyber got to do with it?

• Vulnerable configurations common
• Outdated devices subject to known and preventable attacks
• Limited network defenses
• Limited network situational awareness
• Adversaries have access to decades of exploit experience
• Shares common vulnerability characteristics with SCADA, IoT, Cars, Medical Devices

Is it really that bad?

• Compromises continue
• Customers (procurement teams) asking for more effort
• Governance pressures increasing (see UL 2900-1)
• Infrastructure inertia

State of the Art Networking (Physical Security style)

• Static configurations – no/limited updates
• Operational lifetime longer than intended lifetime of networked components
• Budget trumps capabilities even if the network is unsafe
• Minimal resources for proper infrastructure management (all resources)

Legacy Issues in Physical Security Networks

• Manually allocated IP addresses
• Minimal use of credentials
• Limited/no network management
• Minimal network maintenance
• Limited/Primitive network protocol implementations
• Assumption of closed benign environment
• Limited/Primitive configurations

Why should you care?

• Risk to the enterprise
• Risk of assets being compromised (stolen, corrupted, lost)
• Risk of availability of “mission-critical” capabilities
• Risk of (external) brand damage
• Risk of (organizational) reputation damage
• Liability issues (corporate, management, board-level)
• Costly Audit remediation

Real world cyber/physical issues

Real adversaries, real victims

WCGW?

• Widely used devices exploited
• Malware infections
• Exposed business information
• Vendor supply chain compromise
• Internet-scale network attacks (generic and physical security specific)

Broadband modems under attack

IBM Storage appliance firmware under attack

Overshared Infrastructure (what could go wrong?)

Shodan (Like Facebook but for misconfigured devices)

Overshared Infrastructure (what could go wrong?)

Internet Service Providers under attack

Target (the retailer)

Mirai Worm/Botnet

Securing the physical security infrastructure

Vandal-proofing security cameras in cyberspace

Strategically addressing cyber

• More rigorous deployments
• More rigorous operations
• Application of “Security Controls”
  • (ISO 27001, UL 2900-1, NIST SP800-53, SANS Top-20, ITSC-6)
• Apply business drivers for vendor change

Tactically addressing cyber

• Identify your current capabilities – inventory, available solutions
• Identify quick-fix issues and remediate
• Sync up with enterprise risk management
• Facilitate cyber awareness in your organization (add if necessary)
• Identify how you’re prepared for a breach (or start planning now)
• Establish lines of communication with your vendor supply chain about cyber issues.

ITSC-6 (From the ASIS IT Security Council)

1. Document physical security system configuration
2. Follow a planned maintenance procedure
3. Use standards-based technology
4. Maintain and measure vendors supply chain
5. Treat data within physical security infrastructure as sensitive enterprise data
6. Follow the vendor’s best practices

Cyber Questions for your Physical Security Team

• When was the last time you had the network audited?
• Do you know when you next need to replace a security camera because the vendor has announced that model has gone “end of life”?
• Do you know exactly what network traffic is exiting your network right now?
• What are you going to say when the receptionist calls to tell you DHS is in the lobby asking for the person who owns (insert security camera IP address here)?
• Have you ever done a presentation for your board of directors on how much a cyber incident has cost you?

Conclusions

• There are adversaries who may want to and probably can attack your physical security network.

• Managing cyber risks requires some effort but there are things you can do.

• There are probably business reasons for you to think about this.

• It’s worth talking to your vendor supply chain partners about this.

QUESTIONS

• Rodney Thayer rodney@smithee.us
• Guy Morgante gmorgante@northlandcontrols.com

©2017 Smithee, Spelvin, Agnew & Plinge Inc.

References

• http://www.shodan.io
• https://cve.mitre.org
• Krebsonsecurity.com
• https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/PublishingImages/ITSC%20Top%206.pdf

About Smithee

• Consultancy based in northern California, founded 2012 by a team with decades of cyber/crypto/networking experience.

• Focus on network integration and security issues for physical security and infrastructure operators.

• Delivers consulting, training, technical evaluation services.

• Internet client base (US, international clients.)
