In modern physical security operations, IP-based devices have become the norm, effectively replacing the analog systems of yesteryear. These digital systems and devices are generally regarded as superior to their predecessors, offering a wider range of options and advanced capabilities such as shooter detection, emergency power supplies, access control systems, intercoms, alarms and more. But this abundance of choice has also brought about a host of new challenges. The integration of physical security into the IT infrastructure means that physical security teams are now subject to greater scrutiny from IT professionals, auditors, and other stakeholders. As a result, physical security is expected to meet the same enterprise-level standards and practices as those in the IT field. This places pressure on vendors of physical security devices to ensure their products are fully compliant. To help navigate these complexities, we’ll explore the responsibilities and key technical requirements needed to become enterprise-ready.
Five Responsibilities of Physical Security Departments
The responsibility of running physical security operations is essential to maintaining a safe and secure environment and requires a combination of technical expertise, operational knowledge and commitment to ongoing training and professional development. Some of the most critical responsibilities of managing physical security operations include:
● Device Availability. This is the baseline for physical security. The organization expects it. Nobody wants to hear, “That incident was unrecorded because cameras were down.”
Physical security teams are expected to deliver the highest device availability they can. Granted, 100% is impossible. However, the current percentage of security cameras offline in some cities and mass transit systems is believed by some experts to exceed 20%. Audits show over 30% of scheduled camera maintenance may be neglected. High availability takes effort and preparation. It is harder to achieve with large fleets of diverse devices, especially those dispersed over multiple sites. When a device goes offline, the team needs to receive alerts for rapid diagnosis and repair.
● Cybersecurity. IP-based devices connected to IT networks are often an easy target for cybercriminals. They may serve as entry points to the entire network, allowing untold damage. Physical security teams need visibility into the current landscape of cyber threats, and ways to detect vulnerabilities in their devices and systems.
● Compliance. Physical security teams and device manufacturers are increasingly bound by compliance mandates. Compromised devices can lead to exposure of private data protected by regulations. Companies also face internal and industry requirements, as well as IT standards that necessitate management of all devices on the network, and visibility into their compliance status.
● Cost-Efficiency. Creating efficiencies where possible has become especially critical in this economy where many physical security departments are trying to “do more with less.” In particular, there is an opportunity to reduce avoidable truck rolls, break free of expensive break-fix cycles and apply automation to repetitive, large-scale cybersecurity tasks.
● Future Planning. Replacing outdated and unsupported devices at the right point in their life cycle requires visibility into the age and model of each device. Managing end-of-life (EOL) is crucial to maintain cybersecurity and availability. Industry studies indicate that 15% of devices deployed in a typical physical security environment are past their EOL, while a further 40% of physical security devices are within three years of their EOL.
Now that we’ve outlined the sweeping responsibilities of physical security organizations, let’s talk about how they can fulfill those criteria.
How to Become Enterprise-Ready
Working with physical security at many organizations, we see their challenges first-hand. Their task is easier when devices have the capabilities we describe below in this checklist. When a device checks these eight boxes, it helps physical security deliver on the responsibilities of availability, cybersecurity, compliance, cost-efficiency and future planning.
1. Operational Asset Mapping. Basic device information should be accessible for monitoring purposes. There is static data, like models and serial numbers. Then there’s dynamic data, such as the current firmware version, projected end-of-life, certificate version and warranty information. IoT devices require careful monitoring, which depends on those data points.
2. Configuration Hardening. Identify specific attack surfaces of physical security devices and systems, provide actionable information to address vulnerabilities, and close off potential entry points to malicious actors.
3. Health and Performance Monitoring. Dynamic performance data is another requisite for monitoring. Accessible performance data should include CPU usage, network utilization, RAM usage, PoE consumption, etc. Careful monitoring helps IoT devices maintain sufficient memory and power to perform their tasks 24/7. This requires real-time device accessibility for ad hoc monitoring, and advanced tracking and alert capabilities.
4. Password Management. Devices need to allow remote management of users and passwords, along with key-related functions to set access and permissions, rollback and more.
5. Remote Firmware Upgrades. When firmware upgrades become available, devices must allow a centralized management system to identify their current firmware version. They need the ability to receive firmware updates remotely, at scale, from a trusted source and confirm compatibility with the latest firmware.
6. Certificate Management. To achieve compliance with security policies, devices need to be enabled for the management of SSL and 802.1X certificates. A management system for physical security devices can then deploy and maintain the security certificates automatically.
7. Cybersecurity (detection and protection). To harden physical security devices against new threats, visibility into unusual behavior is required, along with software mechanisms to manage vulnerabilities and mitigate potential attacks.
8. Detailed Log Collection. Standardized audit and technical logs for each device should be supported. This means they can be created, continuously updated, and available for review. Log collection serves both cybersecurity audit and technical diagnostics purposes. These logs are likely to be leveraged by other systems and tools.
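As an added illustration (not from the article or any vendor product), the sketch below shows how the asset-mapping data points from item 1 feed the EOL, certificate and firmware checks in items 5 and 6 and the Future Planning responsibility. The field names, the 30-day certificate warning window and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Device:
    serial: str            # static data
    model: str             # static data
    firmware: str          # dynamic: version currently installed
    latest_firmware: str   # dynamic: newest version published for the model
    eol: date              # dynamic: projected end-of-life
    cert_expiry: date      # dynamic: expiry of the installed certificate

def parse_version(v: str) -> tuple:
    # Compare numerically: as plain strings, "1.10.0" sorts before "1.9.3".
    return tuple(int(part) for part in v.split("."))

def audit(d: Device, today: date, cert_warn_days: int = 30) -> list:
    """Return the findings for one device, in EOL / certificate / firmware order."""
    findings = []
    if d.eol <= today:
        findings.append("past-eol")
    elif d.eol <= today + timedelta(days=3 * 365):  # three years, approximated
        findings.append("eol-within-3y")
    if d.cert_expiry < today:
        findings.append("cert-expired")
    elif d.cert_expiry <= today + timedelta(days=cert_warn_days):
        findings.append("cert-expiring")
    if parse_version(d.firmware) < parse_version(d.latest_firmware):
        findings.append("firmware-behind")
    return findings

def fleet_summary(devices: list, today: date) -> dict:
    """Per-device findings plus the share of the fleet past or near EOL."""
    results = {d.serial: audit(d, today) for d in devices}
    def share(tag: str) -> float:
        return 100.0 * sum(tag in f for f in results.values()) / len(devices)
    return {"findings": results, "pct_past_eol": share("past-eol"),
            "pct_eol_within_3y": share("eol-within-3y")}

# Constructed sample inventory: serials, models, versions and dates are invented.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("CAM-0001", "cam-a", "2.4.1", "2.6.0", date(2023, 12, 31), date(2024, 5, 1)),
    Device("CAM-0002", "cam-a", "2.6.0", "2.6.0", date(2026, 3, 31), date(2024, 6, 20)),
    Device("ACS-0003", "acs-b", "1.9.3", "1.10.0", date(2030, 1, 1), date(2025, 6, 1)),
    Device("ICM-0004", "icm-c", "3.0.0", "3.0.0", date(2029, 1, 1), date(2025, 1, 1)),
]

if __name__ == "__main__":
    for serial, findings in fleet_summary(INVENTORY, TODAY)["findings"].items():
        print(serial, ", ".join(findings) or "ok")
```

A device that cannot report these fields remotely cannot be audited this way, which is why the checklist treats asset mapping as the first capability.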
Physical security departments should screen potential hardware purchases, confirming they have the eight capabilities above. When manufacturers design these features into devices, making them enterprise-ready, they help physical security protect the organization much more effectively. That’s easier said than done and will require ongoing collaboration between manufacturers, users, software providers and third parties. That will spur alignment in the physical security ecosystem, reduce costs for the many participants, and strengthen the protection of the enterprise.