Securing the Security System Network

by

When I sat down in 2007 to write the first edition of Integrated Security Systems Design, part of the driving force was that I was finding integrated security system IP networks were, for the most part, unsecured. Tragically, eight years later, that situation has not changed very much.

Think about that for a moment. The security system that a multi-billion dollar organization relies upon to protect its corporate headquarters may reside on a network that is not adequately secured. So the security system entrusted to secure billions of dollars in corporate assets may itself not be secure on its own network!

Even where the Corporate IT Department has network security provisions in place, vulnerabilities are often introduced through user practices, installation procedures, mobile access, cameras, access control and other elements of the system.  The risks of this situation can be profound and extraordinary. Security systems have been compromised, allowing malicious and damaging intrusions.

Security System Threats, Vulnerabilities and Risks

An adversary wishing to compromise corporate assets can exploit the following security system vulnerabilities to gain access to the network:

  • Compromised Credentials
  • Edge Devices (networked cameras, intercoms, and access control modules in exposed areas)
  • Network Infrastructure (switches, cables, etc.)
  • Exposed Network Cabling
  • Remotely Accessed Servers
  • Dedicated Workstation Data and Storage Ports
  • Internet Connections
  • Mobile Devices
  • Non-Network Security Elements located in Unsecure Areas
  • Sluggish operation due to an accumulation of fragmented files, old temporary files, etc.
  • The interface between the security system logical network and the organization’s business network
  • Shared-function Workstations that perform both business and security system tasks
  • Patches
  • Incompatible or unstable network security software

Organizations face growing risks to their assets when adversaries take advantage of system vulnerabilities with numerous attack scenarios.

  • Targeted Network Intrusions
    • To gather intelligence or information from stored system data
    • To directly compromise the alarm, video or access control system to facilitate entry to the building
    • To embarrass the organization and damage its brand
  • Untargeted Malware Intrusions
  • Unintentional Security Network Attacks (such as console operators who use a malware infested memory stick to move files between a security workstation and an outside computer)
  • Zero-Day Internet Attacks
  • Compromised software or operating systems
  • Undetected intrusions or malware presence (commonly associated with network firewall and intrusion detection software that has no intrusion reporting console)

Securing the Security System

Securing the networks is part of securing the overall security system.  Initial provisions include assuring that:

  • Only authorized software and file types exist on the security system network.
  • Only intended processes are operating.
  • Systems are continuously monitored for performance and alerts are raised when anomalies are detected.
  • Designing for robustness as a complete system including infrastructure and the operational elements (cameras, workstations, etc.) that are visible to end-users.

While the information above is not exhaustive, it does include the basic methods that security system designers and project managers can take to help assure that their security system, and thus their facilities, are protected.

Security compromise through network exploitation is both ongoing and expanding as security systems increase in size and complexity. This often leaves the security system network security for others to attend to, which rarely happens as hoped. And hope… is not a security strategy.