where physical and cyber security meet - northland controls · 2018-03-20 · cyber questions for...

Where Physical and Cyber Security Meet

Is your physical security network itself secured?

Where Physical and Cyber Security Meet 1

About this presentation

• What we will cover:• How are Physical and Cyber Security connected?• Real world cyber/physical issues• Securing the physical security infrastructure

The speaker:Rodney Thayer – Convergence Consultant, Smithee


How are Physical and Cyber Security connected?Where does that RJ-45 connector go?


What’s in your Physical Security Solution

• Access Control servers attached to a network• Door control panels attached to a network• Cameras attached to a network• Video Management attached to a network• Visitor Management, Analytics, Robots, Drones attached to a network


What’s Cyber got to do with it?

• Vulnerable configurations common• Outdated devices subject to known and preventable attacks• Limited network defenses• Limited network situational awareness• Adversaries have access to decades of exploit experience• Shares common vulnerability characteristics with SCADA, IoT, Cars,

Medical Devices


Is it really that bad?

• Compromises continue • Customers (procurement teams) asking for more effort• Governance pressures increasing (see UL 2900-1)• Infrastructure inertia


State of the Art Networking(Physical Security style)• Static configurations – no/limited updates• Operational lifetime longer than intended lifetime of networked

components• Budget trumps capabilities even if the network is unsafe• Minimal resources for proper infrastructure management (all

resources)


Legacy Issues in Physical Security Networks

• Manually allocated IP addresses• Minimal use of credentials• Limited/no network management• Minimal network maintenance• Limited/Primitive network protocol implementations• Assumption of closed benign environment• Limited/Primitive configurations


Why should you care?

• Risk to the enterprise• Risk of assets being compromised (stolen, corrupted, lost)• Risk of availability of “mission-critical” capabilities• Risk of (external) brand damage• Risk of (organizational) reputation damage• Liability issues (corporate, management, board-level)• Costly Audit remediation


Real world cyber/physical issuesReal adversaries, real victims


WCGW?

• Widely used devices exploited• Malware infections• Exposed business information• Vendor supply chain compromise• Internet-scale network attacks (generic and physical security specific)


Broadband modems under attack


IBM Storage appliance firmware under attack


Overshared Infrastructure(what could go wrong?)


Shodan(Like Facebook but for misconfigured devices)


Overshared Infrastructure(what could go wrong?)


Internet Service Providers under attack


Target (the retailer)


•

Mirai Worm/Botnet


Securing the physical security infrastructureVandal-proofing security cameras in cyberspace


Strategically addressing cyber

• More rigorous deployments• More rigorous operations• Application of “Security Controls”

• ISO 27001, UL 2900-1, NIST SP800-53, SANS Top-20, ITSC-6)

• Apply business drivers for vendor change


Tactically addressing cyber

• Identify your current capabilities – inventory, available solutions• Identify quick-fix issues and remediate• Sync up with enterprise risk management• Facilitate cyber awareness in your organization (add if necessary)• Identify how you’re prepared for a breach (or start planning now)• Establish lines of communication with your vendor supply chain about

cyber issues.


ITSC-6(From the ASIS IT Security Council)

1. Document physical security system configuration2. Follow a planned maintenance procedure3. Use standards based technology4. Maintain and measure vendors supply chain5. Treat data within physical security infrastructure as sensitive

enterprise data6. Follow the vendor’s best practies


Cyber Questions for your Physical Security Team

• When was the last time you had the network audited.• Do you know when you next need to replace a security camera

because the vendor has announced that model has gone “end of life”.• Do you know exactly what network traffic is exiting your network

right now.• What are you going to say when the receptionist calls to tell you DHS

is in the lobby asking for the person who owns (insert security camera IP address here.)

• Have you ever done a presentation for your board of directors on how much a cyber incident has cost you?


Conclusions

• There are adversaries who may want to and probably can attack your physical security network.

• Managing cyber risks requires some effort but there are things you can do.

• There are probably business reasons for you to think about this.• It’s worth talking to your vendor supply chain partners about this.


QUESTIONS

• Rodney Thayer [email protected]• Guy Morgante [email protected]

©2017 Smithee,Spelvin,Agnew & Plinge Inc.


mailto:[email protected]

mailto:[email protected]

References

• http://www.shodan.io• https://cve.mitre.org• Krebsonsecurity.com• https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-

New/PublishingImages/ITSC%20Top%206.pdf


https://cve.mitre.org/

https://cve.mitre.org/

About Smithee

• Consultancy based in northern California, founded 2012 by a team with decades of cyber/crypto/networking experience.

• Focus on network integration and security issues for physical security and infrastructure operators.

• Delivers consulting, training, technical evaluation services.• Internet client base (US, international clients.)


where physical and cyber security meet - northland controls · 2018-03-20 · cyber questions for...

Documents