How to Protect Network-Centric Physical Security Systems

Sept. 23, 2023
The migration to a single-pane-of-glass approach limits risk but does not eliminate security threats

Physical security systems are no longer independent and stand-alone. In the modern era, the Industrial Internet of Things (IIoT) has revolutionized the way we interact with technology, offering increased convenience and efficiency. In the realm of physical security, IIoT devices have become pervasive, seamlessly integrating into our daily lives to safeguard our homes, offices, and public spaces. However, while these smart devices offer numerous benefits, they also expose us to significant vulnerabilities. The physical security device manufacturers, security executives, and physical security practitioners no longer have the luxury of cyber ignorance.

This article will examine legacy security solutions and the present state of the physical security industry, talk about the threats, examine use cases, and provide some physical and cyber prevention strategies to support proactively protecting the devices used in physical security solutions.

Where Did It All Begin?

Twenty-three years ago, physical security systems were purpose-built, stand-alone systems. There were disparate systems for exterior and interior security, access control, visitor management, intrusion detection, and closed-circuit television. These analog systems used independent and separate cabling systems to communicate with a security operations center. Although inefficient, the systems were secure. The most significant hazards were an adversary cutting a cable, accessing a cable, spoofing the system, or bridging the system to gain illicit entry.

Physical Security Information Management Systems (P-SIMS)

Although the word “convergence” was discussed in hushed tones prior, P-SIMS first entered the market in 2006. In 2010 P-SIMS were being heavily marketed, and the tradeshow floor was full of vendors who had entered the market.

Physical Security Information Management Systems (PSIM) were software that provided platforms and applications created by middleware developers. They were designed to integrate multiple unconnected security applications and devices and control them through one comprehensive user interface.

The problem with P-SIMS was the fact that they were middleware. Middleware provides a bridge between the present state and the to-be state. Although there are a few P-SIMS around today, most disappeared after six years as the industry matured and software capabilities improved.

Present State

Today there are numerous initiatives to create a single pane of glass to use and manage integrated physical security solutions. Through the use of Application Programming Interfaces (APIs) and Web Parts, which are added to enable end users to modify the content, appearance, and behavior of Web pages directly from a browser, manufacturers work together to achieve this goal. Lenel, Genetec and Open Options are some products that use this technology. These platforms permit integrating multiple physical security devices and other information, such as crime reporting, geospatial information, and news feeds, into a common operating platform. These integrations can introduce risk and vulnerabilities to the network if not properly implemented and managed throughout the lifecycle of the system.

Vulnerabilities

Security devices are often manufactured with the main priorities of being first to market and ease of use of their devices. The security of the technology is not typically a priority because it is a cost center and increases the time it takes to get the product to market. However, there are several important security measures to consider when implementing IIoT devices.

Weak Authentication and Authorization -- One of the fundamental weaknesses of physical security IIoT devices lies in the inadequate implementation of authentication and authorization mechanisms. Many of these devices come with default login credentials, which users often neglect to change. Hackers exploit this oversight, easily gaining unauthorized access to the devices, allowing them to manipulate settings or gather sensitive data. Additionally, weak password policies and the absence of multi-factor authentication further exacerbate the risk of unauthorized access.

Outdated Firmware and Software -- Manufacturers frequently release firmware and software updates to address vulnerabilities and improve device security. Unfortunately, many users neglect to update their networked devices regularly, leaving them exposed to known vulnerabilities that attackers can exploit. This neglect is often due to users' lack of awareness regarding the importance of updates or the complexity of the updating process. It is important to incorporate firmware and software updates into the lifecycle management of your security technology.

Lack of Encryption -- Insufficient encryption in physical security IoT devices can lead to data interception and unauthorized access. For instance, video streams from smart security cameras transmitted without encryption are susceptible to interception, compromising the privacy and security of the premises they are meant to protect. The interception of this data can be used for a myriad of purposes, including reconnaissance and espionage.

Inadequate Secure Boot Mechanisms -- A secure boot process is vital to ensure that IoT devices only run trusted code and are not compromised during startup. However, some manufacturers do not implement robust, secure boot mechanisms, leaving devices vulnerable to malicious firmware or bootloader modifications. This provides an opportunity for bad actors to compromise devices, steal data, enable unauthorized access, disrupt functionality, execute harmful commands, and propagate malware. Security risks are significant when not implementing secure boot processes.

Lack of Regular Security Audits -- A lack of periodic security audits by manufacturers and users can result in unaddressed vulnerabilities. IIoT devices must undergo regular penetration testing and security assessments to effectively identify and mitigate potential risks. The common use of open-source code poses significant risks if there aren’t periodic security audits.

Supply Chain and Third-Party Risks -- The complexity of the supply chain in IIoT device manufacturing can lead to security vulnerabilities. Third-party components and software integrated into these devices may not undergo rigorous security testing, making them potential entry points for attackers. Understanding where products are manufactured and what processes are in place to secure the supply chain is an important step in reducing risks associated with the supply chain.

Distributed Denial-of-Service (DDoS) Attacks -- IIoT devices with weak security can be recruited into botnets and used to launch DDoS attacks, flooding networks and causing service disruptions. In recent years, various incidents have demonstrated the devastating impact of such attacks on critical infrastructure and online services. With many enterprise environments utilizing thousands of networked cameras and access control technology, the recruitment of these devices for DDoS attacks could significantly disrupt the facility.
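The first three weaknesses above (default credentials, stale firmware, unencrypted streams) are the kind of thing a lifecycle audit should catch routinely. The following is an added example, not code from the article or any vendor: it runs such an audit over a constructed device inventory; the field names, model names, version numbers and hostnames are all assumed for illustration.

```python
# Added example (not from the article): a lifecycle audit over a constructed
# device inventory, flagging the three device weaknesses discussed above:
# default credentials left in place, firmware behind the vendor's current
# release, and video streams carried without transport encryption.
from urllib.parse import urlparse

# Constructed sample inventory. Field names, versions and hostnames are
# assumptions for illustration, not a real vendor's schema.
INVENTORY = [
    {"id": "cam-lobby-01", "model": "ACME-3MP", "firmware": "2.4.1",
     "stream_url": "rtsp://10.0.5.21/live", "default_creds": True},
    {"id": "cam-dc-row3", "model": "ACME-3MP", "firmware": "2.5.0",
     "stream_url": "rtsps://10.0.5.22/live", "default_creds": False},
    {"id": "door-dc-main", "model": "ACME-RDR", "firmware": "1.9.3",
     "stream_url": None, "default_creds": False},
]

# Latest vendor-published firmware per model (constructed values).
CURRENT_FIRMWARE = {"ACME-3MP": "2.5.0", "ACME-RDR": "1.10.0"}

# Stream URL schemes that carry transport encryption.
ENCRYPTED_SCHEMES = {"rtsps", "https"}


def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0); numeric compare avoids the '1.9' > '1.10' string bug."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev: dict, current: dict) -> list:
    """Return a list of human-readable findings for one device (empty if clean)."""
    findings = []
    if dev.get("default_creds"):
        findings.append("default credentials still in use")
    latest = current.get(dev["model"])
    if latest and parse_version(dev["firmware"]) < parse_version(latest):
        findings.append(f"firmware {dev['firmware']} behind current {latest}")
    url = dev.get("stream_url")
    if url and urlparse(url).scheme not in ENCRYPTED_SCHEMES:
        findings.append(f"unencrypted stream ({urlparse(url).scheme})")
    return findings


def audit_inventory(inventory: list, current: dict) -> dict:
    """Return {device_id: [findings]} for every device with at least one finding."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, current)
        if findings:
            report[dev["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, issues in audit_inventory(INVENTORY, CURRENT_FIRMWARE).items():
        print(dev_id)
        for issue in issues:
            print("  -", issue)
```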

Physical security IoT devices have rapidly become an integral part of our lives, enhancing our safety and convenience. However, they are not immune to vulnerabilities, which malicious actors can exploit with significant consequences. Addressing these vulnerabilities requires collective efforts from manufacturers, developers, users, and policymakers. By implementing robust security measures, regularly updating firmware, and maintaining vigilance, we can create a safer and more secure ecosystem for physical security IIoT devices, ensuring that they fulfill their intended purpose of protecting us from harm.

Physical Protection of the Logical Systems

Cybersecurity is not just a technology issue. According to NIST, many people narrowly associate cybersecurity with only software and code. However, physical security should not be discounted when protecting sensitive data assets and logical systems. Logical systems, including computer networks, software, and databases, form the backbone of modern organizations and societies. The security of these logical systems is of utmost importance to protect sensitive information, maintain data integrity, and ensure the continuity of operations. Deciphering a code and finding an exploit are not the only ways to hack into a system. Many data breaches and intrusions occur at the point of convergence between the physical and cyber domains. Often, social engineering is the mechanism used to create the breach.

Social engineering is a form of psychological manipulation used to deceive individuals or groups into divulging sensitive information, performing specific actions, or compromising security measures. It relies on exploiting human trust, emotions, and cognitive biases rather than technical vulnerabilities to achieve its objectives. Social engineering is a common mechanism used to physically gain access to data assets.

Some important things to consider when physically securing data assets and logical systems are:

Employee Awareness -- All employees should receive training, education, and testing in their knowledge of cyber and physical policies and procedures, threat awareness, best practices in passwords, personal devices in the workplace, and personal storage devices at work. Security awareness training should be iterative and ongoing as part of the overall security program. Gone are the days of the one-hour-a-year security training. Physical and cybersecurity should be a part of the culture of the organization.

Protection of data rooms -- One of the most frequent things observed when performing physical security assessments of data rooms is that the room has been repurposed for data storage without being properly upgraded to support the sensitive nature of the assets contained in the room. For example, the walls are drywall that can easily be penetrated, or a drop ceiling provides access over the top of the wall. To mitigate this, the wall can be reconstructed from floor to ceiling with solid, impenetrable construction, or one side of the drywall can be removed and the wall reinforced with wire mesh that makes it difficult to penetrate with battery-operated hand tools.

Access control -- Another frequently overlooked process or system is access control. Access control cards, digital credentials, electronic door strikes, and card readers are frequently used to secure facilities. As mentioned earlier, they are increasingly reliant on network technologies such as Wi-Fi and Bluetooth-enabled locking systems. Implementing these technologies requires substantial planning and engineering to ensure that they are free from physical tampering, that they are programmed with the “least privilege” philosophy in mind, and that credentials are managed so that only active users hold them. Credential creep and credential overload often happen when the access control systems are not audited and properly managed. In the case of credential creep, users have more access than they should because they may have changed jobs or been promoted. In the case of credential overload, systems have more active credentials than they have active users of the facility. This occurs when credentials are not removed from the system when people are no longer with the organization or located at that facility.
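Both conditions, credential creep and credential overload, can be found by reconciling the access control system's credential export against the HR roster and a least-privilege entitlement table. The following is an added example, not code from the article or any access control product: the roster, role entitlements and credential export are constructed, and the field names are assumptions.

```python
# Added example (not from the article): an access-control audit over a
# constructed credential export and HR roster that flags the two conditions
# described above. Field names and role entitlements are assumptions.
from collections import defaultdict

# Constructed HR roster: who is active and what role they hold today.
ROSTER = {
    "u100": {"active": True, "role": "dc-tech"},
    "u101": {"active": True, "role": "receptionist"},  # moved out of dc-tech
    "u102": {"active": False, "role": "dc-tech"},      # left the organization
}

# Least-privilege entitlements: the access groups each role may hold.
ROLE_ENTITLEMENTS = {
    "dc-tech": {"lobby", "data-center"},
    "receptionist": {"lobby"},
}

# Constructed export from the access control system: currently active cards.
CREDENTIALS = [
    {"card": "C-0001", "user": "u100", "groups": {"lobby", "data-center"}},
    {"card": "C-0002", "user": "u101", "groups": {"lobby", "data-center"}},
    {"card": "C-0003", "user": "u102", "groups": {"lobby", "data-center"}},
    {"card": "C-0004", "user": "u999", "groups": {"lobby"}},  # no HR record
]


def audit_credentials(credentials, roster, entitlements):
    """Return (creep, overload).

    creep:    {user_id: set of groups beyond the user's role entitlement}
    overload: [card ids whose holder is inactive or unknown to HR]
    """
    creep = defaultdict(set)
    overload = []
    for cred in credentials:
        person = roster.get(cred["user"])
        if person is None or not person["active"]:
            overload.append(cred["card"])  # credential overload
            continue
        allowed = entitlements.get(person["role"], set())
        excess = cred["groups"] - allowed
        if excess:
            creep[cred["user"]] |= excess   # credential creep
    return dict(creep), overload


if __name__ == "__main__":
    creep, overload = audit_credentials(CREDENTIALS, ROSTER, ROLE_ENTITLEMENTS)
    for user, groups in creep.items():
        print(f"creep: {user} holds excess groups {sorted(groups)}")
    for card in overload:
        print(f"overload: {card} belongs to an inactive or unknown user")
```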

Locks -- If manual locks are used, ensure they are of suitable security construction, with six- or seven-pin keyways, a long-throw deadbolt, and a regularly audited key control system with no master keys issued. If locks are more modern and rely on network technology to operate, ensure the device is properly secured at the edge to prevent physical tampering. This is a point of vulnerability for a bad actor to gain physical access to the network by disconnecting the lock and connecting another device to the network.

Server cabinets -- Recent developments in technology have brought us smart server cabinets. Smart server cabinets create another layer of security by providing a fully enclosed cabinet with a card reader, a balanced magnetic switch on the door, and a keyed lock. This ensures that only authorized people are accessing the server and its contents.

Cameras -- Installing security cameras to monitor data closets and data rooms is an essential component of securing your data assets. Consider selecting a camera with advanced video analytics to alert on intrusions quickly. Smaller server rooms may only need one or two cameras. Larger data rooms may want a camera covering each row of servers. It is recommended that a high-resolution three- to five-megapixel day/night camera be provisioned with video analytics. In dark rooms, consider the use of internal or external infrared illuminators.

Protection of Cabling -- Unprotected cabling is a source of risk and vulnerability. Often protecting network cables is not part of the engineering process. When it is considered, it is not typically protected from end to end. Whenever feasible, cabling should be protected in metal conduit or secured in enclosed cable trays to prevent tampering and access.

Cyber Protection of Logical Systems

Logical systems encompass all digital components that process, store, and transmit data. They include operating systems, applications, servers, routers, firewalls, and databases. Ensuring the cybersecurity of these elements is vital, as any breach or compromise can have severe consequences, ranging from data theft and financial losses to reputational damage and legal liabilities. The evolving threat landscape presents a constant challenge to logical system security. Cybercriminals, hacktivists, nation-state actors, and even insider threats relentlessly seek vulnerabilities to exploit. Phishing, malware, ransomware, and Distributed Denial of Service (DDoS) attacks are some common techniques used to infiltrate and compromise logical systems.

The physical protection of these systems must dovetail well with the cybersecurity controls implemented to protect them. A holistic security posture that includes physical and cyber elements will reduce the organization's risk of a security incident. Cybersecurity controls mirror those of physical security. The main difference between the two is the types of protected assets. Some essential elements of logical system cybersecurity that reflect physical security program elements include:

  • Risk Assessment: Conducting regular risk assessments helps identify potential vulnerabilities and assess the impact of a successful attack. It allows organizations to prioritize security efforts and allocate resources effectively.
  • Access Control: Limiting access to authorized personnel minimizes the risk of unauthorized access. Implementing multi-factor authentication and role-based access control can bolster the security of logical systems.
  • Encryption: Encryption ensures that data remains confidential even if it falls into the wrong hands. Encrypting data at rest and during transmission safeguards sensitive information from unauthorized disclosure.
  • Patch Management: Keeping software and hardware updated with the latest security patches is essential to address known vulnerabilities and reduce the attack surface.
  • Network Security: Deploying firewalls, intrusion detection and prevention systems, and virtual private networks (VPNs) helps protect logical systems from external threats.
  • Employee Awareness Training: Raising cybersecurity awareness among employees is crucial to prevent social engineering attacks and ensure that staff follows best practices.
  • Incident Response and Business Continuity Plan: Developing a well-defined incident response plan allows organizations to respond promptly and effectively to security breaches, minimizing their impact. Adding a business continuity plan to the organization's incident planning helps to define which critical systems are needed for the organization to operate and what the tolerance is for those systems to be down. The plan will then outline the order of operations to get the organization back up and running.

Zero-Trust Security Model

The Zero-Trust model is gaining traction as a robust approach to logical system security. It assumes that no device or user should be trusted by default, regardless of their location within the network. Instead, every access request is thoroughly verified before being granted, reducing the risk of lateral movement in case of a breach. Implementing the zero-trust model will greatly reduce the opportunity for bad actors to exploit the network.

Cloud Security

With the increasing adoption of cloud computing, securing cloud-based logical systems becomes paramount. Employing robust authentication mechanisms, data encryption, and monitoring cloud service providers' security practices are essential steps in this regard. It is important to understand the cloud service provider’s service level agreement to determine the roles and responsibilities in protecting information and data being stored in the cloud. Not all services are equal.

Regular Auditing and Testing

Periodic auditing and penetration testing help assess the effectiveness of cybersecurity measures and identify potential weaknesses. Ethical hacking and vulnerability assessments are valuable tools to proactively address vulnerabilities before malicious actors exploit them. Utilizing third-party auditing and penetration testing services will help to ensure unbiased testing.

To Sum It Up

As network-based physical security solutions become more pervasive in our lives, the need for holistic security practices intensifies. Organizations must adopt a multi-layered and comprehensive approach to safeguarding these systems from the evolving threat landscape. By implementing risk assessments, access controls, encryption, network security measures, physical security measures, employee training, and a well-defined incident response and business continuity plan, organizations can fortify their defenses and reduce risk. Through proactive measures and ongoing vigilance, the resilience of security solutions can be enhanced, bolstering the security posture of organizations and the overall cybersecurity landscape.

About the authors: Jeffrey A. Slotnick, CPP, PSP, is President of Setracon ESRMS and an internationally known Enterprise Security Risk Consultant with over 28 years of experience. Jeff is peer-recognized as a “Thought Leader and Change Agent.” He focuses on all Enterprise Security Risk Management facets, including quality management programs, risk, vulnerability, threat assessments, Emergency Response Planning, Business Continuity Planning, and Physical Security System Master Planning, Design, and Integration. As a curriculum developer and master trainer, Jeff advocates for quality professional development and training of security and military personnel. He is a member of the North American Board for ASIS International and a Faculty Advisor for the University of Phoenix Bachelor of Science in Cyber Security and Security Management Degree Program.
Antoinette King, the founder of Credo Cyber Consulting, LLC, has 21 years of experience in the security industry. Beginning her career as a field technician responsible for the installation, design, and implementation of integrated security solutions, Antoinette has worked on projects that include the protection of one of our nation’s most treasured monuments, the Statue of Liberty. Antoinette has held roles within the security industry that include Engineered Systems Specialist, Operations Manager, Regional Sales Manager, and Key Account Manager in both integration and manufacturing. Drawing on her 2+ decades of experience, Antoinette founded Credo Cyber Consulting in 2020 to provide her clients a holistic perspective on a cyber-physical security program with a focus on data privacy and protection. She is a Board-Certified Physical Security Professional (PSP), as well as a certified Data Privacy Protection Specialist (DPPS).