It’s a question that continues to engage debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: Who is responsible for their cybersecurity?
In recent years it has become more obvious that physical security systems are dependent on IT and vulnerable to cyberattacks.
In 2007, the movie Live Free or Die Hard showed how a group of criminals were able to control traffic systems and bring Washington DC and the stock market to a standstill. In the film Johnny English Strikes Again (2018), all the trains in the UK are directed to Bristol.
These movies are very much based in reality. In 2016, the BSIA warned us of the risks and recommended that “end users of IP connected CCTV systems should also ensure that they have comprehensive cyber security and information security policies in place.” In 2019 a Norwegian company spent £45 million to restore its computer systems, factory machinery and building systems following a ransomware attack on its 170 sites and over 35,000 staff.
While these were operational technology systems, the 2019 BBC series The Capture demonstrated how CCTV could be hacked to convince police and security services’ investigations that a lead suspect was guilty by adjusting the time frame in the system. Once again, this television ‘drama’ is now the unfortunate reality. The “IFSEC Global Video Surveillance Report 2020” found that 76% of respondents were concerned about the cybersecurity of surveillance systems.
For those who haven’t noticed this issue, it would be wise to take stock. It is now likely that the physical security system can be attacked. As far back as 2014, the UK CPNI stated that it was possible. Cybersecurity has progressed very rapidly since then, hence a physical security lead should be engaging with the cybersecurity team to work with them — and vice versa.
Whose Responsibility Is It?
But who is responsible for protecting them from these attacks?
Is it the owner of the system? For some this is clearly the physical security lead. After all, they or their predecessor purchased or recommended it, didn’t they?
But now they have a problem as they have heard the systems are not secure. Are they accountable to the business if an attacker gains access through the CCTV system to the IT corporate email and convinces the finance director to authorize an invoice costing thousands of pounds?
Or is the head of IT who authorized the CCTV system and gave responsibility for its day-to-day management to the head of physical security responsible? Or perhaps it is the head of cybersecurity who is an expert in the field and has implemented a range of controls on the network to mitigate cyberattacks? Surely this person is the one who is responsible?
A poll I conducted in November with a small group of 14 security professionals indicated 69% think physical security systems are cyber. When a ransom attack is mounted and successful, whose job is then at risk — the CEO/CIO/CISO or CSO? The board may decide that one or more people should be fired.
When you want to pay a ransom — who does it? This is a gray area, but once these systems are hacked the responsibilities will become clearer and some will lose their jobs.
Are there easy answers? Is one person responsible? Or, as some would argue, isn’t everyone responsible for security?
In risk management there are RACI (Responsible, Accountable, Consulted, Informed) tables which indicate that one person is responsible for performing the work effort and management of the risk. This is usually the system or business unit owner. But that might be hard to identify for some people in large organizations.
Other business functions are meant to support that person and offer their expertise and technological services. If you occupy any of these roles, then it is important to ensure you are protecting the systems from attack, whether you are directly responsible or not. If you see a person in need of help it is vital to work with them — for their sake and the success of the business.
Whoever you believe is the most responsible for protecting physical security systems from cyberattacks, ultimately it must be a cross-functional team effort.