Tech Trends: How Secure is the Physical Security Network?

March 18, 2011
The biggest threats to IP security systems

That physical security has long passed the point of no return on its transition to being IP network-based is generally accepted in the industry. One can argue that a critical mass of designers, engineers and technicians (if not the salespeople) in the industry has been reached, to the point where most IP-based security systems generally work - streaming, displaying and recording video, locking and unlocking doors, providing audio over intercom, etc.

Granted, the industry has a long ways to go in creating a set of generally recognized certification credentials which bridge IT and physical security. So, now that the industry has more or less stumbled its way through this first "phase" of the technology shift, we must turn our attention to the next challenge - security of these physical security networks.

IP device manufacturers worth their salt will tell you about the (network) security features built into their products. If they can't, think twice about using them. Over the last year, I have looked at the security features of a number of CCTV manufacturers and have been pleasantly surprised. These features include password protection, IP address filtering, secure shell (SSH) in lieu of Telnet, secure access via SSL/TLS, 802.1x authentication and encryption options. Axis cameras, for example, allow initial password configuration over a secure connection. How often are these features taken advantage of? Probably not often enough. For example, are your default passwords changed as a matter of policy? Google "Hack CCTV" and see what you find!

Obviously, securing components of the system from unauthorized access is a critical area for the physical security professional to address. Network infrastructure components - cabling, patch panels and equipment racks, switches, routers, servers, storage devices and the rooms that house them - should clearly be secured. Controlling outside access should come naturally to security professionals, but the process assumes another dimension when you realize that access to a network port or to a PC creates a potential opportunity to intrude on the security network. With this, the urgency of properly training those people who are in a position to allow physical access - receptionists, security guards, physical plant personnel, etc. - is heightened. The physical security manager should clearly take a lead role in providing protection against threats of a physical and social nature.

Unsecured switch ports are like unlocked doors. Access to ports can occur in unintended ways, such as by guests in a conference room or a reception area. Port security starts with disabling unsecure parts, ideally putting them in an unused VLAN. Operational ports need the right security controls - including 802.1x authentication - before network access is granted.

Wireless technology creates additional portals into the network, and security concerns take on a new dimension. Making recognition of the networks difficult (disabling SSID broadcast, for example) as well as secure communications (WPA2) are baseline procedures. Also, the organization must be on guard against the installation of unauthorized wireless access points. Check networks on a regular basis for wireless vulnerabilities, including mobile devices. Companies increasingly need to be concerned about the interaction of users' mobile devices with their networks. A recent study by Frost & Sullivan cited encryption, network access control, mobile virtual private networks (VPN's), mobile device management and remote lock-and-wipe functionality as the most popular tools IT professionals were employing for mobile devices.

Even when the network infrastructure has been secured, PCs, servers and their applications remain vulnerable to the expanding array of threats. Besides the usual list of suspects - worms, viruses, etc. - serious threats exist from malware injected from even legitimate sites or installed via malicious Java scripts, Website redirection and phony e-mail links. Anti-virus is not enough - multiple layers of defense are needed including end-user education about what is acceptable and limits on who has access to the security network.

Those who specify and purchase applications, including VMS, PSIM and access control, need to have a thorough understanding of the steps vendors are taking to maintain the integrity of their applications. Are these applications as robust as the devices they access and manage? Further, security features of an end-device may be rendered less useful, or even useless, without tight integration with the head-end software managing them. That's a challenge when systems are provisioned from different manufacturers and selected solely on feature sets related to physical security. Vendors who integrate well with others to provide robust end-to-end security are acting in the best interest of their customers and doing the industry a valuable service. They deserve to win.

If applications and services such as remote storage are being provisioned through the cloud, do not take security as a given. Cloud computing providers expose their own Application Programming Interfaces (APIs) for clients to interface with their services and may have security vulnerabilities.

The Cloud Security Alliance recommends strong compartmentalization to "ensure that individual customers do not impact the operations of other tenants running on the same cloud provider." Ask tough questions of your application provider, including security requirements for network access. Also, a disaster recovery plan should be in place to allow critical applications and services to continue in a transparent fashion. Adequate back-up server capacity and bandwidth should also be provided.

Although choices are extremely limited in networking certifications for physical security, the CISSP (Certified Information Systems Security Professional) is one to consider. It hits on many of the topics I have mentioned here and provides a basis for providing network security for physical security, and vice versa.
Ray Coulombe is founder of, the industry's largest searchable database of specifiers in the physical security and ITS markets. He is also Principal Consultant for Gilwell Technology Services. He can be reached at [email protected] or through LinkedIn.