“The age of IoT and AI means that physical and IT security are no longer separate domains. Instead, everything is connected, and you need to converge your security leadership, teams, capabilities, and technologies to navigate the evolving risk landscape,” said Fred Streefland, Director of Cybersecurity and Privacy at Hikvision EMEA.
Until recently, physical and cybersecurity domains were separate from one another. Security teams, access control systems, and CCTV systems were used to physically secure buildings – from data centers to factories and warehouses. And IT teams looked after IT and network security with firewalls, anti-virus software, and data encryption technologies.
But as organisations have forged ahead on their digital transformation journeys, innovative technologies such as IoT and AI have blurred the lines between physical security and cybersecurity: a trend that’s set to continue long term.
Why IoT is increasing your physical and IT ‘attack surface’
When thinking about your overall security strategy, consider that your security cameras and other security infrastructure are now ‘IoT devices’ that are connected to the network. This gives criminals and hackers a much larger ‘attack surface’ for their activities, with multiple ways into your organisation.
For example, hacking or otherwise accessing a network-connected camera or other device can allow criminals to override physical security controls and enter restricted areas or buildings. Equally, hackers who can breach IoT devices on the network may be able to disrupt critical systems, steal data, install ransomware, or otherwise compromise your company’s operations.
Physical break-ins also pose major cybersecurity risks
Equally, criminals who manage to circumvent your physical security infrastructure can also gain access to IT equipment and systems housed in restricted buildings. This means they can extend the impact of their localised attack across the length and breadth of your network, causing untold damage and disruption in the process.
This is especially the case where server rooms are left open or unlocked within a building. The mission-criticality of the network, and the sensitive data stored in connected systems, means that much stronger security is needed for these kinds of facilities to ensure they are never accessed, even if intruders breach your building defenses.
Here are some examples of how physical threat vectors can compromise digital security:
– An infected USB drive is planted in a parking lot, lobby, etc., which an employee picks up and loads onto the corporate network.
– An attacker breaks into a server room and installs a rogue device that captures confidential data.
– An attacker pretends to be an employee and counts on a real employee’s courtesy to hold the door for him as they enter together.
– An inside actor looks over the shoulder of a system engineer as they type administrative credentials into a system.
The most well-known example of an attack on physical systems followed by an attack of IT systems is the hack on the retail giant Target in 2013. The attackers used an HVAC vendor’s credentials to compromise the network and ultimately the point of sale (POS) systems of this company. The attackers ‘entered’ the company via the Heating, Ventilation & Air Conditioning (HVAC) systems and managed to compromise several millions of credit cards of Target customers, which caused the resignation of the CIO and CEO of Target.