Data centre security - where cyber meets physical
Data breaches are rising worldwide. While some are caused by weaknesses in an organisation’s virtual perimeter that allow hackers to exploit software vulnerabilities, a growing number occur through connected IoT (Internet of Things) devices.
Security cameras, access control readers, and other devices that make up physical security systems are often overlooked as a source of vulnerability. With devices like perimeter fences and door locks, the approach was ‘install it and let it do its job.’
As security technology advanced, this mindset persisted. Even as organisations implemented IP-based technology and IoT devices, they didn’t always consider how these assets might make their networks vulnerable. In some instances, even though a physical security system resides on an organisation’s network, it is managed by corporate security instead of IT.
Physical security and cybersecurity are linked. There’s no difference in the result whether a hacker accesses a server room physically or through a video camera, HVAC equipment, or laptop. As cyber threats grow, physical security and IT must work together to safeguard the network infrastructure.
Unifying physical and cybersecurity
A unified team can develop a comprehensive security program based on a common understanding of risk, responsibilities, strategies, and practices.
Firstly, the team should conduct a posture assessment to identify devices of concern.
- Create an inventory of all network-connected cameras, door controllers, and associated management systems, identify their functions and confirm their role/relevance
- Assess the vulnerability of all connected physical security devices to identify models/manufacturers of concern
- Maintain detailed information about each physical security device, including connectivity, firmware version, and configuration
- Improve network design to segment older devices and reduce crossover attack potential
- Document all users who have knowledge of physical security devices and systems.
Hardening devices and systems - mitigating cybersecurity risks
The team can then recommend improvements for devices and the entire system.
These can include ensuring all network-connected devices are managed by IT network and security monitoring tools, as well as implementing end-to-end encryption to protect video streams and data both in transit and in storage.
Devising and implementing a schedule of ongoing testing and risk assessment for all inventoried devices is an important part of mitigating risk.
Teams can improve configurations and management practices for physical security devices by using secure protocols to connect devices to the network, disabling access methods that don’t support adequate security protection, verifying configurations of security features and alerts, and replacing default passwords with new ones that must be changed regularly.
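As an added illustration (not part of the original article), the sketch below runs the hardening checks described above over the device inventory gathered during the posture assessment. The record fields, the list of insecure protocols, the VLAN numbers and the sample devices are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumed policy values for this example; set them from your own standards.
INSECURE_PROTOCOLS = {"telnet", "http", "ftp"}
SECURITY_VLANS = {210, 220}  # VLANs reserved for physical security devices

@dataclass
class Device:
    name: str
    kind: str
    firmware: str
    min_firmware: str        # oldest firmware the team accepts for this model
    protocols: tuple         # access methods currently enabled
    default_password: bool
    vlan: int
    monitored_by_it: bool

def version_tuple(version):
    # Compare numerically: as strings, "5.10.1" would sort before "5.4.0".
    return tuple(int(part) for part in version.split("."))

def audit(device):
    """Return the hardening gaps found for one inventoried device."""
    findings = []
    if version_tuple(device.firmware) < version_tuple(device.min_firmware):
        findings.append("firmware below approved baseline")
    insecure = sorted(INSECURE_PROTOCOLS & set(device.protocols))
    if insecure:
        findings.append("insecure access enabled: " + ", ".join(insecure))
    if device.default_password:
        findings.append("default password still set")
    if device.vlan not in SECURITY_VLANS:
        findings.append("not on a segmented security VLAN")
    if not device.monitored_by_it:
        findings.append("not covered by IT monitoring")
    return findings

# Constructed sample inventory, for illustration only.
INVENTORY = [
    Device("cam-lobby-01", "camera", "5.2.10", "5.4.0",
           ("https", "rtsp", "telnet"), True, 10, False),
    Device("door-dc-03", "door controller", "2.1.0", "2.1.0",
           ("https",), False, 210, True),
    Device("cam-cage-07", "camera", "5.10.1", "5.4.0",
           ("https", "http"), False, 220, True),
]

def report(inventory):
    """Map device name to findings, worst devices first."""
    results = {d.name: audit(d) for d in inventory}
    return dict(sorted(results.items(), key=lambda item: -len(item[1])))

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

Running the same audit on a schedule and comparing results between runs gives the ongoing testing and risk assessment described above a concrete baseline.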
Enhance access defences with a layered strategy that includes multifactor access authentication and defined user authorisations. Organisations can also improve update management by defining who is responsible for tracking update availability, and vetting, deploying, and documenting updates on all systems and devices.
Developing a product replacement strategy
A posture assessment can inform which devices and systems must be replaced. Prioritise strategies that support modernisation of physical and cybersecurity. One effective approach is to unify physical and cybersecurity devices and software on a single, open architecture platform with centralised management tools and views.
Replacement programs should also focus on cybersecurity features, including data encryption and anonymisation, that are built into a device’s firmware and management software. Vendors should support a solution lifecycle of up to 10 years, including ongoing availability of updates for firmware and management system software, and conduct their own penetration tests regularly to catch vulnerabilities and guard against new forms of cyberattack.
An important step towards reducing cyber risks associated with physical security devices is integrating physical security and IT and developing a coordinated strategy for hardening systems. Vigilance is key, and it should extend to every partner in the chain of your physical security system and devices.