“Security” looks a little different in today’s world than it did in the past, and locking your doors is no longer enough. Modern security tools, including cutting-edge resources, such as IP surveillance cameras and access control technology, have made it easier than ever to protect facilities, as security teams benefit from automated alerts and advanced analytics capabilities enabled by today’s predominantly open-platform devices.
In many ways, the widespread adoption of these tools has shifted the security battlefield from the physical world to the digital world. Savvy hackers capable of compromising connected devices can do as much damage—or more—than a physical break-in. Recent hacks have even targeted power plants, and although catastrophe has thus far been averted, these incidents provide a sobering reminder of the potential harm that a malicious attacker could do. Today, everything from employee laptops to industrial control systems are networked, and facility executives must have a plan in place to avoid allowing hackers to compromise and exploit those devices.
Here are a number of steps that facility executives can take to help ensure their digital devices aren’t risking their physical security.
See What You Already Have By Taking Inventory
It’s hard to build a comprehensive security plan if you don’t have full visibility into the devices that are connected to the network. What devices and controls have been deployed within the facility? How many surveillance cameras are in your security suite, and who manufacturers them? Collecting this information is an essential first step.
“You need to know what you have before you even consider protecting it,” explains Ryan Zatolokin, Business Development Manager, Senior Technologist, Axis Communications, Inc. “You need to know what the devices are. How old are they? Does the manufacturer still offer updates? It’s a lot to tackle, but having the inventory is a critical place to start. There are tools like AXIS Device Manager that helps gather an inventory of devices and allows you to export that list into a CSV file, which can be imported to Excel to easily track the different devices on the network.”
In addition to discovering devices and identifying their model, AXIS Device Manager can report the device’s firmware version and even provide alerts when new firmware becomes available.
Perform A Maintenance Assessment
Effective lifecycle management is critical, as the physical lifespan of a device (how long it remains functional) is generally longer than its economic lifespan (how long it receives manufacturer support and updates, and how long it remains supported in the ecosystem). Updates and patches are issued for a reason, and that reason is often to fix known cybersecurity issues. If a device is no longer being supported by the manufacturer, you may be forced to switch to a newer device or find a third party capable of providing support.
“Once you’ve identified all the different devices you have out there, it’s time to figure out how old those devices are,” says Zatolokin. “You need to know whether they’re at end of warranty, end of support, or end of life from the manufacturers. It’s important to know what support you can expect to receive for those products.”
This sort of analysis can be complex, and businesses often turn to outside consultants to provide support.
“If you don’t have the technical experience doing it, it might be good to have someone run an assessment,” explains Zatolokin. “If you’re using a device that’s 15 years old and the manufacturer has never released any firmware or software patches, it’s probably not very secure from a network security or cybersecurity perspective.”
Zatolokin went on to explain that if that’s the case, a facility might need to replace that device with something newer. Or you may need to take other steps to mitigate the exposure to that device such as putting it onto its own network segment.
Create A Maintenance And Firmware Update Plan
For the most part, patches and updates should be installed as they become available, but scheduling an assessment every few months to ensure that everything is up to date is a good idea.
“Maintenance, once it’s begun, should be ongoing,” says Zatolokin. “Let’s say we upgraded all the firmware and software today. Now we need to plan to do it again at regular intervals. AXIS Device Manager will make it much simpler the second time through, because we already did the heavy work—the inventory and assessment. We already have an idea of where everything’s at and which manufacturers support what.”
This is another area where AXIS Device Manager can help by providing clear visibility into available updates and patches, making continued maintenance simpler. The value of working with manufacturers with strong product support is clear here.
“Ideally you’d want products that are fully supported by the manufacturer, like Axis,” continues Zatolokin. “That way, if you get into trouble, you have somebody you can call for support. That applies to products that facilities support directly and those they contract out to an integrator to support. Remember, the integrator will still need someone to call if it becomes a real issue.”
Generating Interdepartmental Buy-in Is Crucial
In order to be effective, measures like proper inventory and maintenance planning must be implemented company wide. An industrial control system that diligently adheres to all security recommendations can still be compromised by a hacker entering the network through a less secure endpoint. Effective security requires cooperation across all possible endpoints where an attacker could potentially infiltrate the network.
“Some of the biggest breaches in retail history have been done by getting access to devices—such as HVAC units—and using them as launching points to do more sophisticated attacks on systems that had more monetary value, like point of sale systems,” says Zatolokin. “In the network world, any device could potentially be compromised and used to gain access to other devices on the network. It’s important to have alignment between IT and facilities so that those security policies are being applied to all devices in the network.”
The consequences might vary depending on the facility in question. An unprotected HVAC unit could lead to compromised access control technology, granting physical access to unauthorized individuals. An unsecured laptop or phone could lead to a compromised point-of-sale device. Industrial facilities even face the risk of hackers tampering with chemical mixes or manufacturing processes, with potentially catastrophic results. Only a comprehensive approach to facility security can help prevent a cybercrime from becoming a real-world disaster.
Modern Problems With Modern Solutions
As security technology changes, so too do the steps necessary to effectively secure facilities. Where locked doors, security guards, and CCTV cameras might once have sufficed, today’s increasingly interconnected world demands more innovative solutions capable of bridging the gap between the physical and digital worlds.
Tools like AXIS Device Manager make it easier than ever to monitor, update, and secure the hundreds and even thousands of devices that facility executives manage. By providing increased visibility into both the network as a whole and the individual devices within it, AXIS Device Manager enables security personnel to easily inventory and maintain these devices while effectively managing their lifecycles.
When it comes to facility security, knowledge is power. AXIS Device Manager puts that knowledge in the hands of defenders, giving them the power they need to keep their facilities as secure as possible.
Interested in learning more from Axis Communications?
Click here to read more facility management-related articles from Axis Communications.