Reducing the Risk of Cyberattacks on Public-Sector Security Systems

Reducing the Risk of Cyberattacks on Public-Sector Security Systems

Recent statistics highlight the rise of cyberattacks in the public sector. In its latest Internet Crime Report, the FBI stated that they received nearly 2,500 ransomware complaints in 2020. And the Identity Theft Resource Center reports that, as of September 2021, the year-to-date total number of data compromises related to cyberattacks was already 27% higher than for all of 2020. For the public sector, cybersecurity has become a top priority.

IT teams at all levels of government are understandably concerned about how vulnerable their networks are to these disruptive and costly cyberattacks. But government organizations aren’t the only targets. The K-12 Cybersecurity Resource Center 2020 Year in Review Report found that K-12 schools experienced more than 400 cyber incidents in 2020, up 18% from the previous year.

For organizations in the public sector—including governments and schools—the question is how to reduce the risk of cyberattacks. The first step in addressing the situation is determining how cybercriminals are gaining access.

Understanding Network Vulnerabilities

There are several ways that cybercriminals can gain access to an organization’s network. An employee can click on a link in a phishing email. A default application password can remain unchanged. Or a network-connected device can be inadequately protected. It’s important to remember that these devices include elements in a physical security system. Cameras as well as door controllers and their monitoring systems can all pose cybersecurity risks.

Unfortunately, the risks associated with under-protected network devices has increased during the COVID-19 pandemic. As millions of people began working from home, organizations faced new challenges around protecting their spaces. According to Morgan Wright, a Center for Digital Government (CDG) Senior Fellow, “When fewer people are working in buildings, organizations need more technology to maintain physical protection.”

Many organizations deployed additional cameras and other technology to keep an eye on their environments and assets and also implemented measures to protect the devices themselves. But, while their goal was greater security, their focus was frequently limited. Said Wright, “When it comes to protecting physical security devices, too often the worry is about damage or theft, not that they can be used as an entry point from ransomware.”

Organizations in the public sector need to think about how they deploy physical protection technologies so that they can better control access to sensitive and restricted areas and, at the same time, increase the cybersecurity of their networks. They need to look at deploying new technologies, establishing new staff roles, and implementing new practices that will strengthen both physical and cybersecurity.

Risks Associated with Security Devices

Physical security devices are purpose-built to help keep people, assets, and environments safe. In the face of rising cybercrime, organizations have to expand their view of security. Most cyberattacks are not intended to compromise physical safety. Instead, they target applications, files, and data managed by IT departments. An attack that originates in a camera can find its way through an organization’s network to block access to critical applications, lock and hold files for ransom, or steal personal data from employees, students, program clients, and residents.

One major challenge is that many public sector organizations continue to use older model cameras and door controllers. With their limited security capabilities, these devices, especially cameras, can present significant risk. Organizations in the public sector tend to replace these devices only when absolutely necessary or when their capital costs can be fully amortized. These are not effective strategies.

According to Wright, “Today’s hackers know that certain security devices are easy to take over and use as an entry point to a connected network. This means that security cameras and access control systems need to be considered critical network devices. They need to receive a high level of protection and monitoring for both operations and cybersecurity.”

The good news is that the public sector is beginning to realize how internet-connected security cameras and door controllers can give hackers easy access to their networks. At the same time, IT departments are becoming increasingly aware of the risks that inadequately protected devices can pose when connected to their networks. The problem is that historically, IT has had limited visibility and control over an organization’s security devices.

Unifying Physical and Cybersecurity

Currently, many organizations in the public sector approach physical security and IT as separate. But the growing cyber risks that physical security technologies can present mean that this needs to change.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) recommends joining IT and physical security into a single, integrated team. As a single team, they can better focus on developing a comprehensive security program that is based on a common understanding of risk, responsibilities, strategies, and practices. Wright agrees with this recommendation, saying “Physical security needs to be integrated into the network security team and not viewed as an ancillary function.”

According to CISA, there are several benefits to this approach. First, it would provide a more holistic view of security threats across the organization, which can lead to improved information sharing and threat response preparation. In addition, by implementing unified policies and shared practices, organizations would be able to achieve greater flexibility and resilience.

Starting with What is Already in Place

The first step towards better protecting a physical security system against cyberattacks is conducting a current posture assessment, which will help identify specific devices of concern. The assessment process allows an integrated IT and physical security team to focus on

o creating an up-to-date inventory of all network-connected cameras, door controllers, and associated management systems
o performing a thorough vulnerability assessment of all connected physical security devices to identify models and manufacturers of concern
o consolidating and maintaining detailed information about each physical security device, including connectivity, firmware version, and configuration
o improving network design as needed to segment older devices and reduce potential for crossover attack
o identifying all users who have knowledge of physical security devices and systems and then documenting that knowledge for broader use and retention.

Once the assessment is complete, the team can then move to reviewing the necessary changes that need to be made.

The Next Phase in Protecting Network Security

After assessing an organization’s current physical security, the team should produce a review of required improvements for individual devices as well as the entire system. These improvements can include ensuring that all network-connected devices are managed by IT network and security monitoring tools as well as implementing end-to-end encryption that protects video streams and data in transit and in storage.

Organizations can also think about strengthening protection measures by improving existing configurations and management practices for physical security devices. This could require using secure protocols for connecting devices to the network, disabling access methods that don’t support a high level of security protection, verifying configurations of security features and alerts, and replacing defaults with new passwords that must be changed on a regular and verified schedule.

Another option for protecting network security is to enhance access defenses with a layered strategy that includes multifactor access authentication and defined user authorizations. Organizations can also improve update management by defining who is responsible for tracking updates availability; and for vetting, deploying, and documenting updates on all eligible systems and devices.

Developing a Replacement Strategy

Ultimately, this review can help determine which devices and systems should be replaced because they present a high cyber risk. When it comes to developing replacement programs, organizations in the public sector need to prioritize strategies that support modernization for both physical and cybersecurity. One effective approach is to unify physical and cybersecurity devices and software on a single, open architecture platform with centralized management tools and views.

Replacement programs can also focus on cybersecurity features, including data encryption and anonymization, that are built into a device’s firmware and management software. Another important consideration is looking at a vendor’s capabilities to support a solution lifecycle of up to 10 years, including ongoing availability of updates for firmware and management system software.

In the U.S., federal funding may be available to help cover some of the costs associated with replacement programs. The 2021 Investment and Jobs Act includes $1 billion in funds, managed by the Department of Homeland Security, designed to help state and local governments modernize their cybersecurity.

With the number of cyberattacks increasing around the world, it is becoming clear that the public sector needs to implement effective cybersecurity improvements to their IT networks. An important step towards reducing the cybersecurity risks associated with physical security devices is to integrate physical security and IT and develop a coordinated strategy for hardening systems.

This article originally appeared in the May / June 2022 issue of Campus Security Today.

Featured

  • Buffalo Public School District Modernizes Security With New Cameras NVRs

    i-PRO Co., Ltd. (formerly Panasonic Security), a provider of professional security solutions for surveillance and public safety, recently announced that the Buffalo Public School District (BPSD) has modernized its security footprint with i-PRO multi-sensor and 360° fisheye network cameras, and i-PRO NV300 network video recorders (NVR). The BPSD serves 28,000 K-12 students out of 70 facilities in western New York. Read Now

  • Lessons Learned from Past School Shootings

    Two experts are working together and collaborating on new ways school campuses can develop a proactive and comprehensive security plan. For three consecutive years, the U.S has had a record-high number of school shootings resulting in a repetitive cycle of grievances, anger, and frustration. The U.S. had 344 school shootings in 2023 which surpassed the record-breaking number of 308 school shootings in 2022 as reported by K-12 School Shooting Database. Read Now

  • Mother of Michigan School Shooter Found Guilty on Four Counts of Involuntary Manslaughter

    The mother of the teenager who killed four students in an Oxford, Michigan school has been found guilty of four counts of involuntary manslaughter because of the shooting. That’s according to a report from CNN. Read Now

  • Utah State Legislature Funds Gun Detection Technology and Incident Management System in All Public K-12 Schools

    ZeroEyes, the creators of the only AI-based gun detection video analytics platform that holds the US Department of Homeland Security SAFETY Act Designation, and AEGIX Global, a Utah-based provider of industry-leading critical incident management services, recently announced that the Utah State Board of Education has approved a contract to provide the joint solution for all Utah public K-12 schools, including charter schools. Read Now

Webinars