The Most Common Cybersecurity Errors Found in the Installation of Physical Security Technologies

It’s the kind of nightmare scenario that every CEO, CIO and CSO hopes will never happen: a system designed to keep your people and property safe becomes a conduit for a cyberattack, all because a common cybersecurity implementation practice was overlooked.

Will Knehr, a member of SIA’s Cybersecurity Advisory Board who serves as senior manager of information security and data privacy for i-PRO Americas, tells the story of being called in to investigate a cybersecurity incident and what he found:

“I responded to an incident where ransomware had been installed on a VMS server,” explained Knehr. “The ransomware was installed on the machine within five minutes of connecting it to the network – the ransomware was installed so fast the integrator thought that we shipped it with ransomware on it.”

“After conducting a bit of an investigation, I found that the integrator had installed it to the network by plugging it into a public facing router – wide open and fully accessible to any hacker on the internet. The VMS server had no antivirus/malware solution installed; there were no passwords on the device, zero network segmentation – basically no protection.”

“I asked the integrator what his line of thought was, and he said, ‘I do this all the time, and I thought that Linux devices couldn’t get hacked.’ This was a Windows server, by the way. The integrator had no idea what he was doing. It was eye-opening for me. The customer is lucky that the ransomware didn’t spread across their network – the only thing that saved them is that the installer was still there when it got infected, so they removed it immediately. Otherwise, their entire network would have been compromised. That would scare me as a customer.”

In speaking with a select group of cybersecurity subject matter experts from SIA’s Cybersecurity Advisory Board, we set out to identify the most common field implementation errors and cyber problems, so that integrators and even solution developers can work to address them. Fortunately, there are great training resources available to help, such as SIA’s Security Industry Cybersecurity Certification Review Course, which is particularly valuable for integrators overseeing field installs.

Here’s what we heard from members of SIA’s Cybersecurity Advisory Board:

Feedback From the Practitioner Perspective

Bruce Webbe, technical application manager at Meta, provided feedback that was particularly relevant for both integrators and product manufacturers from the practitioner/end user perspective. He pointed to three consistent challenges he has experienced:


1. Lack of awareness of configuration or hardening guides. “In some cases, we have had to work with distributors to configure our devices prior to integrators receiving them, so they are configured and hardened before connecting to our network. The issue we run into is that configuration is only good until a ‘factory reset’ is performed. We've attempted to work with manufacturers on reasonably hardening their devices; turning off insecure protocols and such, but it seems we have a long way to go on this point.”

2. Remote login software. “For want of providing better service, we find at times integrators will want to install remote login/control software that they are familiar with onto our servers. We end up having to deny them this and point them in the direction of our authorized remote access methods.”

3. Local accounts. “Local accounts tend to be largely unmanaged and are typically configured for full access. We work to have these accounts disabled or deleted from a system; however, some manufacturers still require this type of configuration.”


Mind the Basics, Your Processes and User Privileges!

Rachelle Loyear, vice president, sales, integrated security solutions at Allied Universal, works with a variety of clients, advising them on security solutions and proper cyber implementation of those systems, and has seen it all in her years in business. She says that most of what she sees is “procedural error” type of issues, where simple steps are overlooked.

“Misconfigurations in systems, applications or network devices can create significant security gaps that can be exploited by attackers,” said Loyear. “These issues come up when default settings are not changed, from improper configurations of connections and systems that need to talk to each other, or sometimes simply overlooking critical security settings.”

But user privilege management is one area that she calls “critical.”

“For ease of use, we can see accounts given more permissions than necessary, violating the principle of least privilege/role-based access/zero trust. Overpermissioned accounts can provide attackers with extensive access if compromised. Ensuring correct configurations and strict access controls is crucial, especially when installations are handled by external partners. With both installers and end users having access to systems, you now have two possible entry vectors instead of one.”

i-PRO Americas’ Knehr echoed the focus on process and covering the basics, saying that simple oversights often lead to significant exposure.

“The most common technical implementation errors include weak or default passwords, lack of proper network segmentation, failure to update firmware and software regularly and inadequate encryption of data in transit and at rest. These errors often stem from a lack of understanding of basic cybersecurity principles or a focus on convenience over security.”

Take a “Security by Design” Approach

Josh Chin, CEO of NetForce, says the most common technical implementation errors are “overconfidence, assumptions and not designing things securely.”

“During the requirements phase of any solution or product, security requirements are not being built out upfront; it's usually an afterthought,” said Chin. “Usually it's traced back to overconfidence in one's coding or technical abilities, assuming an end user is going to do things correctly, insufficient time/budget allocated towards development of security, or that afterthought of security comes back to roost, causing security to be bolted on. Security by design is generally not taught in the majority of coding or development classes and coursework. Consequently, there are many potential 'bad habits' inherited when anything is developed, leaving any product or solution vulnerable.”

Watch for the Cybersecurity Warning Signs Related to Physical Security Systems

John Gallagher, vice president of Viakoo Labs, works in the area of enterprise Internet of Things (IoT) device cybersecurity, and his constant focus is helping companies ensure that their clients’ IoT devices, particularly those in operational technology and physical security, don’t become a cyber burden!

These are the warning signs he lists; use them as a checklist for your own field implementations.

  • Not putting all security devices and applications within a segmented network that is firewalled off from the corporate network and with no internet-exposed ports.
  • Assuming that what was set up and commissioned stays exactly as it was. Configuration drift, network changes, storage issues and others can all change the cybersecurity posture once a system is deployed.
  • Not using your organization’s single sign-on capabilities to authenticate users.
  • Not using certificates to encrypt traffic and to authenticate devices.
  • Not having a way to quickly gather data that is relevant to cyber insurance.
  • Not having a method to verify if the data stream from the camera is the same as what is put into storage.
  • Not aligning your maintenance plans (such as for rotating passwords or updating firmware) to your existing corporate governance around passwords and firmware.
  • Not removing access immediately when an employee leaves.
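The checks above, together with the implementation errors Knehr lists (default passwords, missing segmentation, stale firmware, no encryption), are concrete enough to run as an automated audit against a device inventory. The script below is an added example written for this article, not code from SIA, Viakoo or any vendor: the device record fields, the security VLAN range, the default-credential list and the two sample devices are all constructed assumptions. It flags each checklist item a device violates, and the last two functions show one way to verify that what went into storage is what the camera actually produced, by recording a keyed digest per segment at capture time and comparing it against the stored copy later.

```python
"""Added example (not from the SIA article or any vendor): run the field
checklist against a constructed device inventory and verify stored video
against capture-time digests. Field names and sample values are assumptions."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import hmac
import ipaddress

SECURITY_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed dedicated security VLAN
INSECURE_SERVICES = {"telnet", "ftp", "http", "snmpv1"}  # cleartext or unauthenticated protocols
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}  # constructed list
MAX_FIRMWARE_AGE_DAYS = 365  # assumed governance threshold for firmware updates


@dataclass
class Device:
    name: str
    ip: str
    kind: str = "server"                                  # "server" or "camera"
    services: set = field(default_factory=set)            # listening services by name
    internet_exposed_ports: set = field(default_factory=set)
    credentials: set = field(default_factory=set)         # (user, password) as configured
    local_accounts: dict = field(default_factory=dict)    # account -> role
    firmware_date: date = date(2000, 1, 1)
    tls_cert: bool = False
    sso_enabled: bool = False
    antimalware: bool = False


def audit_device(dev, departed_users, today):
    """Return the checklist items this device violates (empty list means it passes)."""
    findings = []
    if ipaddress.ip_address(dev.ip) not in SECURITY_SEGMENT:
        findings.append("not on the segmented security network")
    if dev.internet_exposed_ports:
        findings.append(f"internet-exposed ports: {sorted(dev.internet_exposed_ports)}")
    insecure = dev.services & INSECURE_SERVICES
    if insecure:
        findings.append(f"insecure protocols enabled: {sorted(insecure)}")
    if dev.credentials & DEFAULT_CREDS:
        findings.append("default credentials in use")
    if not dev.tls_cert:
        findings.append("no certificate: traffic unencrypted and device unauthenticated")
    if not dev.sso_enabled:
        findings.append("users not authenticated through single sign-on")
    if dev.kind == "server" and not dev.antimalware:
        findings.append("no antivirus/anti-malware installed")
    full_access = sorted(u for u, role in dev.local_accounts.items() if role == "administrator")
    if full_access:
        findings.append(f"local accounts with full access: {full_access}")
    stale = sorted(u for u in dev.local_accounts if u in departed_users)
    if stale:
        findings.append(f"accounts of departed employees still active: {stale}")
    if (today - dev.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware older than {MAX_FIRMWARE_AGE_DAYS} days")
    return findings


def capture_manifest(segments, key):
    """Keyed digest per recorded segment, computed at capture time with a key the recorder holds."""
    return [hmac.new(key, seg, hashlib.sha256).hexdigest() for seg in segments]


def verify_storage(stored_segments, manifest, key):
    """Indices of stored segments that do not match the capture-time manifest."""
    if len(stored_segments) != len(manifest):  # missing or extra segments: everything is suspect
        return list(range(max(len(stored_segments), len(manifest))))
    return [i for i, (seg, tag) in enumerate(zip(stored_segments, manifest))
            if not hmac.compare_digest(hmac.new(key, seg, hashlib.sha256).hexdigest(), tag)]


def run_sample():
    """Constructed inventory: a VMS server set up like the one in the incident above, plus a hardened camera."""
    today = date(2024, 6, 1)
    departed = {"jdoe"}  # constructed HR leaver list
    vms = Device("vms-01", "203.0.113.10", kind="server",
                 services={"rdp", "smb", "http"}, internet_exposed_ports={3389, 445},
                 credentials={("admin", "admin")},
                 local_accounts={"admin": "administrator", "jdoe": "administrator"},
                 firmware_date=date(2022, 1, 15))
    cam = Device("cam-lobby", "10.50.3.21", kind="camera",
                 services={"https", "rtsps"}, credentials={("svc-cam", "long-unique-passphrase")},
                 local_accounts={"svc-cam": "operator"},
                 firmware_date=date(2024, 3, 1), tls_cert=True, sso_enabled=True)
    return {d.name: audit_device(d, departed, today) for d in (vms, cam)}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "PASS" if not findings else "")
        for f in findings:
            print("   -", f)
```

The audit is deliberately inventory-driven rather than network-scanning: the point of the checklist is that the posture of a commissioned system drifts, so the same function should be re-run against a refreshed inventory on the maintenance schedule, not once at handover. The storage check uses a keyed digest rather than a plain hash so that a party who can rewrite the stored segments but does not hold the recorder's key cannot also rewrite the manifest to match.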

In our next article, we’ll dive deeper into the threat vectors that are often used to attack systems and point you to even more training recommendations to ensure your team is prepared to implement security systems and IoT platforms in a cyber-secure manner.