Assessing cybersecurity weaknesses in electronic security systems.

Electronic security systems, including video surveillance and access control systems, are integral components of an organization’s physical security plan, and important defense-in-depth layers which define overall security posture.

Like the facilities they protect, they can sometimes have an operational lifespan of several decades. And, like other technology developed long before modern computers, many security systems were architected during a time when threats like hackers, malware, and ubiquitous network connectivity were inconceivable. Unfortunately, their architecture predates the concept of 'Zero Trust', and often ignores the principle of least privilege.

Network convergence vs. air-gap

In the early 2000s, network convergence became trendy. IT departments were already expanding their computer networks with global reach, and now they could use the same infrastructure for voice-over-IP, video conferencing, point-of-sale, security systems, building automation, and much more (who would've thought this list would grow to include watches and refrigerators and toasters?).

By the time electronic security system devices began making use of computer networks, convergence had already happened, and they weren’t designed for it. While these devices really needed to be isolated due to lack of network security controls, security system manufacturers feared network traffic congestion would impact performance and reliability. This resulted in most manufacturers recommending deployment on dedicated ‘air-gapped’ networks that are physically isolated from corporate infrastructure and the public internet.

When people began to worry about cybersecurity, the air-gap recommendation was re-branded as a cybersecurity best practice. Most modern electronic security systems are still designed this way - relying on protection from physical isolation, and on physical security controls (guns, gates, guards, etc.) protecting the equipment itself.

An air-gapped network's physical isolation can be a very effective security control, but it only works if the network is in fact completely physically isolated. There are some highly security-conscious organizations that operate this way, but completely isolated networks have become very rare.

Air-gapped networks are more secure, but there’s a better business case for convergence

While security professionals may view connectivity to the enterprise network or internet as unnecessary risk, there's too much business value in connectivity for the C-suite to ignore. In addition to the massive cost savings achieved by sharing infrastructure, the access control system's cardholder database can be fully synchronized with HR, cameras can identify high-value customers to let them into the parking garage, the marketing department can gain valuable customer insights by using analytics to comb through the vast amounts of data found in video recordings, and support personnel can resolve issues from their phones in seconds instead of days. While there's clear business value in moving away from complete isolation, quantifying the risk of doing so can be challenging, often leading to blissful ignorance.

What’s the worst that could happen?

Even when electronic security systems are completely isolated, attackers can still succeed. If the bad actor is an insider or breaches physical security, they can exploit design flaws, lack of cybersecurity controls, or misconfiguration to impact the safety and security of your organization. Video surveillance and recording can be disrupted (e.g. D.C. Metro Police lost recording before Trump’s inauguration). Video surveillance recordings or access control data could be disclosed, tampered with, or destroyed. If cardholder data or incident reports contain protected information, this likely also means non-compliance and privacy violations.

When electronic security systems are connected to the enterprise network, the exposure can make them even more dangerous. The security systems are now easier to get to, with their attack surface extended by the reach of the enterprise network. Malicious actors no longer need to breach physical security to access the security systems - they may be able to do so using a PC or application that they've already compromised. Vulnerabilities in security systems and their endpoint devices (like cameras, of which hundreds or thousands may exist across the enterprise) can be exploited to provide attackers with footholds that can be used later to exfiltrate sensitive information (e.g. a fish tank thermometer used to steal data from a casino) or to attack other systems (e.g. cameras almost brought down the internet).

When connected to the internet, the attacker population grows significantly, not to mention that they'll have always-on 24/7 access to look for vulnerabilities. If your systems weren't designed to be secure-by-default, Verkada’s recent incident shows us how this story ends.

Is it likely that a given organization could be impacted by these seemingly-sophisticated attacks?

Some of the best incident data can be found in the Verizon Data Breach Investigations Report (DBIR). The DBIR only captures a small portion of the world’s cybersecurity incidents, and while attacks like these are represented in the report, there’s just not enough resolution in the data to come up with a simple answer.

What we can say definitively is that the attacks we described above are all accompanied by actual examples that happened within the last few years.

Sophisticated attacks are no longer exclusive to nation-states.

Not too long ago, only a nation-state actor could pull off the kinds of attacks we're describing, especially on a completely isolated air-gapped network. Most commercial businesses weren't worried about defending themselves from nation-states. We now live in a world where nation-states have demonstrated willingness to engage in cyber warfare against non-military targets, and where cyber criminals sell air-gap-jumping malware that enables almost anyone to profit from ransomware attacks.

It's not all doom and gloom, though. These changing conditions in the global cyber threat landscape have governments around the world feverishly working on legislation to encourage technology companies and product vendors to build better security in by default, while mandating more security controls to protect organizations and the public.

What can we do about it?

In the meantime, if you are responsible for designing, deploying, administering, or supporting electronic security systems, here are a few questions to get you thinking about ways to enhance the security posture of your security systems:

  • Have we included security systems in our IT hardware, software, and data inventories?

  • What sensitive data do they store and process?

  • Are they connected to other systems that store and process protected data?

  • Have we or our IT team assessed these systems for vulnerabilities?

  • What could happen if these systems were compromised?

Ensuring that electronic security systems are configured using hardening guides or best practices from vendors is a good place to start. Then, systems should be regularly assessed for cybersecurity vulnerabilities to avoid the costs associated with a compromise, and to provide assurance to your board, customers, or regulators.

In addition to validating the effectiveness of security controls, assessments also help prioritize limited resources to protect systems which are most vulnerable.

JTI can help.

JTI Cybersecurity specializes in offensive cybersecurity operations, including penetration testing, red team engagements, and vulnerability management. While we work with customers to assess security controls across all of their systems, we 'have a very particular set of skills' when it comes to electronic security systems.

We have extensive expertise in the development of security products, as well as in the deployment, operation, and protection of security systems in industries where they're mission-critical, including gaming and government.

Our team's unique knowledge and experience allow us to deliver an unparalleled level of quality in the assessment of electronic security systems.

Please feel free to contact us to discuss an assessment for your organization.

#shamelessplug
