Articles by Mike Gillespie
Problems caused by physical systems in terms of cyber-attack are quite extensive, damaging systems and assets Security experts of various disciplines agree that physical systems are increasingly being leveraged in attacks on organisational networks and supply chains. Many manufacturers maintain that security (including that of security systems) is the responsibility of the end user, which would be fine if they were only expected to maintain security and not create the security in the first place. End users probably feel it is the responsibility of the manufacturer or installer, and the attackers don’t care who is responsible as long as the door is left open and unguarded for them to exploit the vulnerability created by the confusion and lack of cohesive response. Need for a change in approach Our organisational structures in terms of Security, Risk, IT and Information Security are not helping this situation. In many organisations there is a lack of board room oversight; control is still sitting in silos and Information Security is potentially even on a different Risk Register. Clearly this creates even more risk, but sometimes it is hard to see the wood for the trees and the necessary culture change has to start with behavioural change first; the behaviour then creates a new and more resilient culture. Problems caused by physical systems in terms of cyber attack are quite extensive and the results might be damage to systems or other assets or sometimes in a data breach, an exfiltration of valuable information, possibly intellectual property. As an example, imagine an internal CCTV system in a banking chain. It isn’t protected by corporate network security as that is focused on the user system and emails etc. It isn’t protected by the same network as the exterior either but it is web-enabled and sitting on a network somewhere. Because it falls outside of the remit of IT security, it hasn’t been patched or firewalled and it has certainly never been penetration tested to check that it is secure. Why are firewalls and anti-malware important? Because physical security fallsoutside of the remit of IT security,it hasn’t been patched or firewalledand it has certainly never beenpenetration tested to check that itis secure Let’s imagine that this system is then attacked, probably by using a phishing email to a staff member who unwittingly allows attackers to access this internal CCTV. The attackers then spend months harvesting login credentials and studying normal system behaviour in order that they can emulate it at a later date, using the stolen logins. At the same time, having breached the network, they hack a selection of ATMs in a variety of countries. At a predetermined time, they create money and add it to a variety of accounts in a manner and at a time that their research has shown them would be considered normal and not attract unwanted attention. They then turn that invented money into cold hard cash by ejecting it at a predetermined time out of the predetermined and compromised ATMS into the hands of the gang who are waiting to collect. Without the access to the CCTV, this could not have happened. But the important aspects of this scenario actually happened. And it happened in more than 30 countries and more than one billion dollars was created and removed in this way. The accounts they used to filter this created cash were largely unscathed and the game ran for a long time. Another example might be a blast furnace in Germany in December 2014. The Industrial Management System was compromised and the furnace was unable to be shut down. The damage was extensive and risk to life and limb very real. Details on this are scant and we do not know if the exploit continued into the corporate network or whether the target was the furnace system itself. But this is a cyber attack on a physical system and our physical systems do not enjoy the same regular attention that our corporate networks do. This could just as easily be an attack on an air filtration system, remotely managed from a centralised platform or a heating system or even a door entry system; locking down an entire site. So firewalling and protecting with anti-malware is a must. So are regular health checks and penetration testing but few of these systems get that attention. Many systems are built on legacy platforms never intended to be called into web enabled service and are not really fit for that purpose; no longer supported with security patching such as XP for instance. Being the inadvertent cause ofa breach at a supply chainpartner could be cataclysmicfor organisational reputationand can lead to lawsuits Mitigating cyber attack risk How do we approach mitigating the risk that our continued lack of attention is creating? Well, the impact of culture is huge and unavoidable. Culture starts from the top and the right board room attitude goes a long way to embedding a security culture into an organisation. Our security and risk functions need boardroom oversight and organisations need to step away from a project-based approach to security. Installers and maintainers need to understand the implications that physical systems can have on the resilience of their organisations and therefore training needs to be available to those disciplines. The training needs to be practical, targeted and relevant; focused on the impacts from installers and managers. Regular testing and patching needs to be brought within oversight of IT security so it forms part of other corporate network securing cycles. Risk needs to encompass the security functions including information security and how resulting data from physical systems, such as CCTV or entry systems, needs to be securely managed through its lifecycle. Supply chain cyber threats Supply chains also need to be considered as a potential security vulnerability. If you need an example of why, then take a look at the Target mega breach. This was enabled by a phishing attack on their air conditioning contractor. An employee clicked on a link which delivered the malware that in turn gave them access to the managed maintenance portal - used to upload and manage tasks. If an attacker can find an easy way in through a less secure underbelly, they will naturally take it. Being the inadvertent cause of a breach at a supply chain partner could be cataclysmic for organisational reputation and can lead to lawsuits. Add in potential financial penalties and a breach has the potential to close a business. Summing up, I would say we need to change our approach to securing our organisations to protect all of the assets in a joined-up, blended approach. Everything we do should be informed by this, and that means opening lines of communication, understanding and training between disciplines.
Several video manufacturers have participated in the development of a U.K. 'Secure by Default' baseline standard to ensure cybersecurity measures are included in equipment as it leaves the factory. The standard includes ensuring that passwords must be changed from the manufacturer default at start-up, that chosen passwords should be sufficiently complex to provide a degree of assurance, and that controls are placed around how and when remote access should be commissioned. The standard aims to ensure security products are cyber- and network-secure by default and out of the box. The concept is that network video products will ship to installers in the most hardened, cyber-security-optimal form possible, with default settings that provide minimal vulnerabilities on first use. Secure by Default is a self-certification scheme that allows manufacturers to assess their systems for compliance and to apply for the U.K. Surveillance Camera Commissioner’s Secure by Default mark. The mark demonstrates to installers and customers that they are a competent manufacturer who takes the security of their products seriously. The Secure By Default mark demonstrates to installers and customers that they take the security of their products seriously Axis, Bosch, Hanwha, HikVision and Milestone Systems participated in developing the standard, which was officially unveiled at the IFSEC 2019 show. “The launch of the standard is not the end of the journey, but rather the beginning of something unique, exciting and vital for the future success of video surveillance,” says cybersecurity consultant Mike Gillespie, who works with the National Surveillance Camera Strategy for England and Wales. The standard has been developed so as not to present a barrier to entry The manufacturer standard is intended to lay out the basic areas where all video surveillance systems should be secure, regardless of their intended use, whether in public space or not, says Gillespie. “This is very much intended to be an entry-level standard and has been written with the intention of providing [video] manufacturers with a minimum baseline level all should aspire to,” he says. The standard has been developed so as not to present a barrier to entry for any competent and responsible manufacturer, he adds. The Secure by Default standards form part of a wider set of cyber security proposals from the Surveillance Camera Commissioner for the UK Home Office. Adoption within the industry Hanwha Techwin has embraced Secure by Default as part of its comprehensive approach to cybersecurity. “Although we appreciate security needs to be easy to implement, we do not allow for a default password to be used,” according to Hanwha Techwin. “We consider it essential that a secure password be set up during the initial installation process, which is why we prohibit the consecutive use of the same letter or number and we encourage the use of special characters as well as a combination of letters and numbers.” Hanwha Techwin’s approach has been to make security a fundamental feature of cameras and recording devices. Cybersecurity has been taken into account at the start of the design and development process, and not just treated as an optional feature. Article 25 mandates that organisations put in place appropriate technical and organisation measures Axis is aligned with the Secure by Default principles recommended by the U.K. National Cybersecurity Strategy Code of Practice. Furthermore, General Data Protection Regulation (GDPR) makes data protection and security by design and default a legal requirement. Article 25 mandates that organisations put in place appropriate technical and organisation measures designed to implement data protection in an effective manner. Gary Harmer, UK and Ireland Sales Director for Hikvision, said the new Secure by Default scheme is a further positive step forward for the industry, one which Hikvision fully supports. “The process of developing these standards has been one of open collaboration between companies across the network video security industry,” he said. “It’s a truly positive and genuine initiative geared towards creating a more secure environment for all stakeholders in the network security ecosystem.”
Tavcom Training, part of the Linx International Group, has announced it is once again delivering the free educational programme for ‘The Future of Security Training Theatre‘ at IFSEC International 2018, with sponsor Panasonic UK. The Theatre will deliver a range of essential CPD accredited presentations on cutting-edge subjects that are key to technical security professionals. Renowned for over ten years as the ‘Tavcom Theatre’, this year, following an extensive research programme, show organisers UBM have rebranded the theatre to meet with the theme for the event. ‘The Future of Security Training Theatre’ will be a major element in the new ‘Show Me How’ project at IFSEC 2018, which will identify educational opportunities where visitors can learn about industry best practice and capabilities. This year’s schedule promises something for everyone, including cyber security and integrated networks, audio systems, countering drone threats" Physical and cyber security education Tavcom Training Executive Director, Paul Tennent commented, “We have a longstanding and proud tradition of delivering free education at IFSEC, which expects to see over 40,000 visitors this year and has been at the heart of the security market for more than 40 years. This year’s schedule promises something for everyone, including cyber security and integrated networks, audio systems, countering drone threats and the ever-increasing links between physical and cyber security.” During the three days of the show, Tavcom will deliver a wide range of free educational sessions which will be supported by specialist speakers from across the security industry, including: Peter Mason, M Ed., CTSP, who has been the lead IP tutor for Tavcom Training Ltd for over 15 years, starts the programme with ‘Future of Security Networks’. Peter is also presenting: ‘Cybercrime and security’. David Needham, Sales Manager for Axis in the UK and Ireland, will be presenting ‘Network Audio Systems – Integrated Audio made Smart and Easy’. Jim Perkins, Business Development Manager at Panasonic UK will be discussing video management systems with: ‘Panasonic breaks the VMS mould with video insight’. Nikola Serfimovski, Director – Business Strategy at PureLifi will be giving a seminar entitled: ‘LiFi, the future of high bandwidth secure broadband communication’. Mike Gillespie, Managing Director and Co-Founder of Advent IM Ltd and Vice President of the C3i Centre for Strategic Cyberspace + Security Science (CSCSS) will be presenting ‘Raising standards; raising cyber security awareness’. Justin Pringle, Chief Technology Officer CTO at DroneOps Ltd will be giving a timely presentation entitled: ’Countering the drone threat’. Tony Weeks, Head of Technical Services at the National Security Inspectorate (NSI) will be discussing ‘Automating the transfer of alarms to emergency services: maximising public benefits’. Dr Mark Wherrett CEng MIET CTSP will present the future of analytics in a seminar entitled: ‘Smart, connected cameras and big data – the power of video is being unleashed’ IP-based integration and video analytics Tavcom Training’s Warren Collins CTSP will be discussing the integration of security systems with ‘Deploying an IP Based Integration Project’, whilst Senior Tavcom Training Tutor, Dr Mark Wherrett CEng MIET CTSP, will present the future of analytics in a seminar entitled: ‘Smart, connected cameras and big data – the power of video is being unleashed’. IFSEC International is also the perfect opportunity to learn more about the Register for Certified Technical Security Professionals (CTSP), which has been endorsed in the UK by the British Security Industry Association (BSIA), as well as internationally by Dubai’s Security Industry Regulatory Agency (SIRA). It represents the only opportunity for individuals fulfilling technical roles in the electronic security and fire systems sectors, to be officially recognised for their competencies and qualifications on a public register. Paul Tennent continued, “IFSEC International will again deliver on its promise to educate and enlighten visitors. Myself and the team at Linx International Group look forward to seeing you there!”