Facing evolving threats – cybersecurity for physical systems
Victoria Hanscomb
Tony Babicz, Director of Sales – The Americas at Commend Americas, tells SJA about the best approach to ensuring cybersecurity for physical devices.
What are some of the biggest cyber vulnerabilities that exist for the physical security industry?
One of the main threats to cybersecurity is the vulnerabilities that physical devices present.
Somebody can physically pull a device such as a camera or intercom off its mounting surface and plug right into the network.
If the network is not secured by using authentication protocols like 802.1x, then they can access the network with ease.
In particular, intercoms are usually placed on the unsecured sides of walls and within reach, so they represent some of the most vulnerable physical security devices.
Supply chain attacks can occur when compromised software or hardware from third-party suppliers introduces vulnerabilities into OT systems, which attackers can exploit to gain access or disrupt operations.
Ensuring the proven trust of the manufacturer and its suppliers is essential.
Outdated firmware exploits can be used to gain unauthorized control and disrupt operations.
That’s why it’s important for end users to update firmware on their physical devices on a routine basis, to enhance cybersecurity.
Lastly, insider threats are another way that organizations can become exposed.
If you have an employee or a vendor and for whatever reason they want to cause harm to your system, they may be able to wipe your database, cleaning and resetting your entire access control, intercom or video management system, which can create absolute chaos.
How can organizations protect themselves against these cyber-threats?
To protect against cyber-threats targeting Internet of Things (IoT) devices, organizations must implement a multi-layered security approach.
First, it’s essential to ensure that all devices, including cameras, access control systems and communication platforms, are updated regularly with the latest firmware and security patches.
Many physical security devices run on embedded systems that can be vulnerable if not properly maintained.
Network segmentation is also critical; separating the security device network from the general IT network can prevent attackers from moving laterally within the system if one segment is compromised.
Implementing strong authentication measures, such as multi-factor authentication (MFA) and ensuring that default passwords are changed, adds an additional layer of protection.
In addition to technical measures, organizations should focus on employee training and awareness.
Since social engineering and phishing are common threat vectors, educating staff about these risks and how to recognize suspicious activity can significantly reduce the likelihood of a successful cyber-attack.
Regular audits and vulnerability assessments of physical security devices and networks can help identify potential weaknesses before they are exploited.
What questions should an end user ask a potential vendor?
When researching potential vendors or manufacturers, it’s best to seek those that have really committed themselves to cybersecurity and can prove – through various certifications – that they are taking the necessary steps to ensure they are following best practices through proven frameworks.
Of course, you need to ask about a vendor’s certifications.
It’s all very well and good if a vendor is saying they are “compliant”, but unless they have a certification confirming this, then that could leave a vulnerability.
Certification needs to be conducted through a third-party agency, and you want to look for certifications such as ISO 27001 or IEC 62443, which are critical within the Industrial IoT and physical security space.
IEC 62443 specifically focuses on the full development lifecycle process of a product and indicates that the manufacturer is committed to utilizing proven cybersecurity frameworks from the conception of a product all the way through its eventual use and decommissioning years down the road.
You should also ask about the vendors’ vulnerability process and policy.
If there is a vulnerability that the vendor finds, they need to be able to communicate this with the customers using their products within a certain time frame.
Vendors should let customers know there is a cybersecurity issue and tell them how to fix or mitigate the risk.
How can an organization make sure they remain resilient in a landscape of evolving cybersecurity threats?
It’s important to use trusted partners at all levels, including the integration channel, which is responsible for implementation.
As a manufacturer, we can ensure that we are using secure protocols and processes, but it’s a shared responsibility for both the integration channel and end user.
They must implement the system and follow best practices by using the tools available during the implementation and life of the system.
One of the biggest issues I see is patch management.
Systems need to be managed and updated on a regular basis.
I know there are some challenges with APIs where, if different components are integrated, sometimes you might update one system but not the other at the same time, which can cause issues with integrations.
However, this issue is getting much better and with modern APIs, it’s much easier to manage with different protocols to address this.
Lastly, I would recommend that organizations stay vigilant.
It’s important to know who you’re hiring by vetting the teams that are going and installing your product, ensuring they have experience and are following best practices from a cybersecurity perspective.
Abiding by the frameworks that are already out there is essentially the best way to navigate this changing landscape.
How do you think the cybersecurity landscape will change in the future?
Threat assessment tools for cybersecurity can now be automated, for example by using AI to understand data and processes to look for minor changes that happen to the network.
Overall, cybersecurity will improve once the entire ecosystem is secure.
That’s where the symbiotic relationship comes back into play, and security becomes a shared responsibility between the manufacturer, integrator and end user.
We’re not going to improve cybersecurity until everyone gets on board.
How does Commend ensure that its customers remain cybersecure?
Cybersecurity is as simple as following best practice.
We look at each layer and make sure that all parts work together.
For the physical layer, we have something as simple as tamper switches.
This means that if a Commend device like an intercom is pulled off a wall, that will cut the physical connection to the network, by severing what we call the IP Secure Connector.
In addition to this, we ensure that we are using best practices such as 256-bit encryption and secure protocols like 802.1x, SRTP, SIPS, HTTPS, TLS – all the things that you would expect in an IT system.
Something as simple as managing passwords or automating firmware updates can help our customers to stay cybersecure.
For example, forced password changes on initial login mean that once the password is used, it must be changed to a personalized password with a minimum of 12 characters, which is much more secure.
We have achieved ISO 27001 compliance, which demonstrates that we can manage information systems and secure them so that our data and customers’ data is safe.
Part of this whole process is bringing in the right people who do the right thing.
This also relies on training, where we teach people how to handle threats, such as recognizing phishing emails.
We have also achieved IEC 62443, which means that our development team thinks about a product’s design in full, from its implementation all the way through to the actual production of the product, shipping to the customer and its installation.
We maintain security through firmware updates and, eventually, ten years down the road, when the device is decommissioned and taken off the wall, it’s completed in a secure manner.
We embody a secure-by-design and secure-by-default philosophy, but when we detect vulnerabilities, we communicate openly with the customer on how to mitigate that risk until there is a patch that resolves the problem.
Is there anything else you’d like to add?
It’s really important that people pay attention to the way manufacturers work and understand what their true cybersecurity measures are.
There’s a lot of behind-the-scenes effort that goes into creating a cybersecure system that is also easy to program and work with.
However, this is what we need to do to provide end users with a system that is secure and helps them progress.
This article was originally published in the September edition of Security Journal Americas.