By Michael Brookes
As physical security evolves to become more aligned with IT systems, businesses need to consider a broader level of protection for their facilities.
The Internet has enabled us to become more connected than ever before, with estimates that by 2015, the number of networked devices will reach twice the global population. With this level of connectivity comes opportunity – anywhere, anytime access; big data analytics and more – but equally our level of exposure increases. The flip-side of having more accessible data is that it can more easily fall into the wrong hands.
In June 2010, the Stuxnet virus reportedly ruined almost one-fifth of Iran’s nuclear centrifuges. It was designed to attack industrial Programmable Logic Controllers or PLCs. PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, and then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.
In 2013, researchers managed to easily hack the building management system of Google’s Sydney headquarters. Researchers from security firm Cylance were able to obtain the password for the control system, from where they could reach the system that controls alarms and other building services. They also accessed blueprints of the floor and roof plans of the building, a clear view of the water pipes and the location of a kitchen leak.
More recently, Target became the victim of a sophisticated cyber attack in which it is thought that a heating and air conditioning contractor may have provided the opening: hackers exploited it to steal vendor credentials that were then used in the breach of payment and personal information for as many as 110 million customers.
So how can a business protect itself from being hacked? There is a school of thought that says nothing is safe forever; but equally, an ounce of prevention is worth a pound of cure!
Many instances of cyber-crime are linked to no, or poor, password protection. As corporate users we are more often than not accustomed to entering a 20-digit password comprising a mix of capitals, alphanumeric and ancient Egyptian hieroglyphics in order to access company data; changed every few weeks. However, this same level of password protection is often overlooked for the IT infrastructure that hosts the Building Management System or Electronic Security System. Adopting the same policy that governs IT security would make great sense here.
Similarly, remote access to enterprise business systems is usually done by way of an encrypted connection that utilises sophisticated authentication methods such as Digital Certificates or RSA tokens. Again, this level of sophistication is often overlooked when providing the ability to connect to the core systems that support the facility.
Beyond the considerations around protecting access to these facility systems is the Operating System that hosts them. Many Building Management and Security systems were installed a number of years ago and have not been kept up to date. As an example, support for the venerable Windows XP operating system has recently ended. This means that there will be no more official security updates and bug fixes for the operating system from Microsoft. Security firms have said that anyone still using the 13-year-old software is at increased risk of infection and compromise by cyber-thieves. Windows Server 2003 is also rapidly reaching its end of life and will undoubtedly create a whole new set of vulnerabilities as support ends. As such, ensuring that there is a lifecycle program in place for these systems is good practice and will go a long way to ensuring that the latest security patches are in place.
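The three controls above (a proper password policy on the hosts of facility systems, encrypted remote access with certificate or token authentication, and a lifecycle program that retires unsupported operating systems) can be checked mechanically against an asset inventory. The following is an added example, not code from the original article or from Honeywell: it audits a constructed inventory of facility-system hosts against those controls and returns the findings per host. The policy thresholds (14-character minimum, 90-day maximum age), the record fields and the host names are assumptions for illustration; the end-of-life list contains only the two operating systems the article names.

```python
"""Audit facility-system hosts (BMS / electronic security servers) against
the same controls applied to corporate IT: password policy, encrypted and
strongly authenticated remote access, and a supported operating system.

Added example. The inventory records below are constructed, not real hosts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operating systems the article names as out of, or nearly out of, vendor
# support. Assumption: in practice this list is maintained from vendor
# lifecycle notices rather than hard-coded.
END_OF_LIFE_OS = {"Windows XP", "Windows Server 2003"}

# Assumed policy thresholds, mirroring a typical corporate password standard.
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90

# Remote-access authentication methods accepted by the policy.
ACCEPTED_REMOTE_AUTH = {"certificate", "hardware_token"}


@dataclass
class FacilityHost:
    name: str
    role: str                            # e.g. "BMS server"
    os_name: str
    min_password_length: int             # 0 means no password is required
    max_password_age_days: Optional[int] # None means passwords never expire
    remote_access: str                   # "none", "vpn" or "direct"
    remote_encrypted: bool               # is the remote session encrypted?
    remote_auth: str                     # "password", "certificate", "hardware_token"


def audit_host(host: FacilityHost) -> List[str]:
    """Return a list of policy findings for one host (empty if compliant)."""
    findings: List[str] = []

    # 1. Password policy on the host itself.
    if host.min_password_length == 0:
        findings.append("no password required for local logon")
    elif host.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"minimum password length {host.min_password_length} is below "
            f"policy ({MIN_PASSWORD_LENGTH})")
    if host.max_password_age_days is None:
        findings.append("passwords never expire")
    elif host.max_password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"maximum password age {host.max_password_age_days} days exceeds "
            f"policy ({MAX_PASSWORD_AGE_DAYS})")

    # 2. Remote access: must be encrypted and use certificate/token auth.
    if host.remote_access != "none":
        if not host.remote_encrypted:
            findings.append("remote access is not encrypted")
        if host.remote_auth not in ACCEPTED_REMOTE_AUTH:
            findings.append(
                f"remote access authenticates with '{host.remote_auth}' only; "
                "certificate or hardware token required")

    # 3. Lifecycle: the host OS must still receive vendor security updates.
    if host.os_name in END_OF_LIFE_OS:
        findings.append(f"{host.os_name} no longer receives vendor security updates")

    return findings


def audit_inventory(hosts: List[FacilityHost]) -> Dict[str, List[str]]:
    """Map each host name to its findings; hosts with no findings map to []."""
    return {host.name: audit_host(host) for host in hosts}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    FacilityHost("bms-01", "BMS server", "Windows XP", 0, None,
                 "direct", False, "password"),
    FacilityHost("acs-02", "access-control server", "Windows Server 2003", 8, 180,
                 "vpn", True, "password"),
    FacilityHost("cctv-03", "video management server", "Windows Server 2012", 14, 60,
                 "vpn", True, "certificate"),
]


def main() -> None:
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per host plus its findings; in practice the inventory would be loaded from the asset register rather than embedded, and the end-of-life list refreshed from vendor lifecycle notices so that systems like Windows Server 2003 are flagged before support ends, not after.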
Companies looking to implement current security best practices are finding just how closely physical security and information security are linked. This convergence is leading to growth in the volume and complexity of security-related data, which may exist in numerous locations: IT applications, security logs and physical access management systems. This poses the risk of theft of corporate information or other assets by an inside perpetrator or a disgruntled employee with physical access to critical IT systems.
Building a sound security program is a continuous exercise that takes into consideration an organisation’s risk and exposure to internal and external threats and vulnerabilities. An organisation should devise a program that is aligned to business objectives and industry-accepted best practices, and formulate an approach to obtaining the desired level of security based on the organisation’s needs, asset valuation and exposure to threats.
It is wise to frequently test a company’s exposure to risk either by periodic threat-based risk assessments or continuous monitoring services such as Intrusion Detection & Prevention, and Vulnerability Scanning. Policies and protective measures can then be modified in accordance with the level of exposure to risk. Organisations seeking to embark on such a strategy need to ensure that buy-in is gained at all levels; these strategies need to be closely aligned with business objectives, and not be viewed as simply an IT security issue.
It is also important to work with organisations capable of delivering comprehensive and best-of-breed security solutions. Honeywell takes a holistic view towards corporate security management, delivering integrated solutions for managing facilities, personnel and IT systems. Honeywell is recognised as being one of the most mature large integrators in terms of convergence strategy, combining IP cameras, access control, security event monitoring and identity management into a comprehensive systems architecture. This experience reflects a solid technology background, strong business savvy and strategic focus, making Honeywell an undisputed technology leader in the security integration market.