Attack surface is an IT term that we don’t commonly hear spoken in the physical security domain. An attack surface is defined as the total number of all possible entry points for unauthorized access into any system. It includes all vulnerabilities and endpoints that can be exploited to conduct a security attack (WhatIs.com).

Q: At the end of a meeting about network requirements for a manufacturing plant’s building expansion, an IT department colleague said to me, “You certainly have a complicated attack surface.” What does that mean?

A: She was probably thinking about the potential physical and digital cybersecurity weak spots that exist from having a wide variety of networked devices located all throughout your plant’s buildings and grounds. Security puts web servers (cameras) on rooftops and above doors – a crazy situation for many IT folks.

Security personnel responsible for deploying and managing physical security systems are more likely to hear the words “attack surface” today, because the term attack surface management (ASM) has been coined to emphasize a key perspective in IT infrastructure risk management: the attacker’s perspective.

Attack Surfaces

The attacker’s perspective is nothing new to physical security. But our thinking has always centered around harm to people, buildings and physical assets. It has typically focused on physical attack points and adversary paths. See Chapter 13, “Analysis and Evaluation”, in Mary Lynn Garcia’s classic book, The Design and Evaluation of Physical Protection Systems. Using the attack surface perspective, we could say that retail security practitioners have long been aware that product shelves in retail spaces are 100% physical attack surfaces. Although adversary thinking is not new, what is new is applying that thinking to our electronic security systems themselves.

As we already know, the systems themselves can be targets. For years hacker conventions have held educational sessions on how to clone access cards and how to defeat card readers and intrusion monitoring devices, for example. What’s more, today’s systems are vastly more complex, with more failure points, than the non-networked systems of earlier decades.

In Chapter 4, “Systems and How They Fail”, of his outstanding book Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier writes, “Security experts worry more about how systems don't work, about how they react when they fail, how they can be made to fail.”

For over two decades security investigators have been telling me that 10% to 20% of the time the evidential video they look for isn’t there but should be. The Viakoo platform is designed to secure IoT attack surfaces, and its Service Assurance Manager product is designed to address the problem of missing video and much more. For decades we have under-designed electronic physical system deployments by mostly ignoring the risks relating to the technology components. We simply accept the problems with a shrug and put the security system service providers on speed dial to respond to user-discovered problems and malfunctions. In contrast, IT folks scan and monitor their networks and devices to get ahead of problems before users experience them, because they focus on delivering an excellent user experience, which requires robust IT infrastructure management.

Security System Reliability

Most security systems should be at least 99.999% reliable. Why aren’t they? Big data centers are. I think it’s because we don’t treat our IT systems (PACS, video, etc.) like IT practitioners treat theirs. Data centers and cloud service providers include an uptime commitment (such as the five nines above, or six nines) in their service level agreements (SLAs). Yet we accept only 80% to 90% reliability – which means failing 10% or 20% of the time. Security alarms are so unreliable that many police departments now require video verification of an alarm before they will respond. That situation is improving, but it’s taking legislation to make it happen. Shame on us.

In all fairness, security systems face challenges that business IT systems don’t, because security systems are cyber-physical systems, meaning that they are computerized systems that interact with the environment around them in physical ways. However, that’s actually even more reason to protect their attack surfaces rather than ignore them.

Applying IT Security Fundamentals

For computer-based systems, a fundamental concept to apply in evaluating attack surfaces is the information security triad: confidentiality, integrity and availability (CIA). These should be the goals of cyber-physical systems protection. Today, AI-enabled security systems are capable of providing information of value not just to security but also to business operations. Some data has real-time requirements (in terms of seconds, not minutes) for both integrity (data accuracy) and availability, such as video analytics that measure the length of customer service lines and alert on the line length and the average waiting time in line. It’s easy to see the applicability of CIA to physical security systems, especially video.

Usefulness of the Attack Surface Concept

The primary usefulness of the attack surface concept lies in the fact that it aggregates a wide variety of security system CIA vulnerabilities that don’t become known during traditional security design, deployment and operations. Fully defining the attack surface enables us to identify, characterize and properly remediate all the system weaknesses. There are two kinds of attack surfaces – digital and physical.

Digital attack surfaces for security systems include workstation and server computers, computer operating systems and software applications, networks (wired and wireless), and their points of connection to other systems and the Internet, plus network and software-based points of human interaction such as device and systems configuration.

Physical attack surfaces for security systems encompass all endpoint devices, such as server, desktop, and laptop computers and their USB ports; personal mobile devices; security cameras; intrusion detection sensors and controllers; and access card readers, controllers and their door monitoring and control hardware.

Security system infrastructure weaknesses can be addressed using, for example, the applicable controls in the CIS Critical Security Controls defined by the Center for Internet Security – coupled with security system manufacturer guidance on the subject. The CIS Controls are a relatively short list of high-priority, proven-effective actions that provide an excellent starting point for improving the CIA status of physical security systems. Several leading physical security industry companies base their hardening guides on the CIS controls and/or the NIST Cybersecurity Framework.

About the author: Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and is a member of the ASIS communities for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

© 2022 RBCS