Converged threat is when the threat to our organisational security is physical and cyber at once, combined in a perfect storm. It is perhaps best characterised by physical systems, such as video surveillance and building management systems, that are Internet Protocol (IP) based. The threat is both to the physical wellbeing and security of the system, its users and its data (think surveillance images), and to the network on which it sits and its connected assets, be they information or physical, and inevitably to the health and safety of all concerned. Yes, it is a big topic and we are only going to scratch the surface here.
Why is this important? Cyber attacks facilitated by poorly configured domestic devices are one thing (yes, I am looking at you people who bought internet-enabled kettles for reasons best known to yourselves), but when it is our own security infrastructure that is turned against the rest of us, that is really worrying. What happens when vast numbers of these devices are all harnessed by a malicious actor? There can be no better recent demonstration of this than the Mirai botnet, which devastated several online platforms such as Twitter, Spotify and PayPal by making them inaccessible to users. This was done by finding unsecured devices, such as video surveillance systems still using factory default login credentials (admin and password, for example), and then harnessing them into a zombie army under the control of an attacker.
Interestingly, if you choose to buy a web-enabled system, you need to appreciate that the manufacturers appear to think that you are the one responsible for security, not them. Your failure to secure it, by not changing the username and password on the administrator web portal, may leave it vulnerable and relatively easy to exploit in this way. On the face of it, you might be forgiven for thinking that this is a pretty simple thing to fix; after all, all security managers need to do is change the username and password and we are sitting pretty, right? Sadly not.
Even if the default username and password are changed, many of these devices can still be reached via other communications services such as Telnet and SSH. I don’t have enough column inches to go into detail about these services; simply put, they are alternative interfaces that can be used to remotely connect to the device. They are interfaces that the web management portal doesn’t tell you are there, and interfaces for which you cannot change the username and password, because they are hardcoded into the firmware.
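The two weaknesses described above, unchanged factory default web-portal logins (the Mirai foothold) and Telnet/SSH management interfaces whose credentials are fixed in firmware, are both things a security manager can check for in an asset inventory and, in the second case, mitigate at the network boundary even when the device itself cannot be fixed. The following is an added example written for this page, not code from the article or from any manufacturer or regulator it mentions. The device inventory, the management subnet 10.10.0.0/24 and the list of default credentials are all constructed assumptions; the generated lines use nftables rule syntax for a forward chain and are meant to be reviewed before they are applied to a real firewall.

```python
import ipaddress
from dataclasses import dataclass

# Assumed management VLAN: only hosts here should reach a device's Telnet/SSH shell.
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed list of factory-default web-portal logins to flag in the inventory.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "12345"),
    ("root", "root"),
}

# The "other interfaces" the text describes, by TCP port.
REMOTE_SHELL_PORTS = {22: "ssh", 23: "telnet"}


@dataclass(frozen=True)
class Device:
    name: str
    address: str        # device IP address as a string
    web_user: str       # current web-portal login
    web_password: str
    open_ports: tuple   # TCP ports found listening during an authorised asset review


def check_device(dev: Device) -> list:
    """Return human-readable findings for one device."""
    findings = []
    if (dev.web_user.lower(), dev.web_password) in DEFAULT_CREDENTIALS:
        findings.append("web portal still uses factory default credentials")
    for port in sorted(dev.open_ports):
        if port in REMOTE_SHELL_PORTS:
            findings.append(
                f"{REMOTE_SHELL_PORTS[port]} (tcp/{port}) listening; "
                "credentials may be hardcoded in firmware"
            )
    return findings


def audit(devices) -> dict:
    """Map each device name to its list of findings (empty list means none)."""
    return {d.name: check_device(d) for d in devices}


def nft_rules(devices, mgmt_net=MANAGEMENT_NET) -> list:
    """nftables rule bodies that drop Telnet/SSH to each affected device unless
    the source is in the management network. Filtering at the network boundary
    is the mitigation when the device's own shell credentials cannot be changed."""
    rules = []
    for d in devices:
        ports = sorted(p for p in d.open_ports if p in REMOTE_SHELL_PORTS)
        if ports:
            port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
            rules.append(
                f"ip saddr != {mgmt_net} ip daddr {d.address} tcp dport {port_set} drop"
            )
    return rules


# Constructed inventory for demonstration only.
INVENTORY = [
    Device("cam-lobby", "192.0.2.10", "admin", "admin", (80, 23, 554)),
    Device("cam-carpark", "192.0.2.11", "admin", "Wq7!kLm9", (80, 22, 554)),
    Device("nvr-main", "192.0.2.20", "operator", "Zr4$pQ2v", (443, 554)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or ["no findings"])
    print("\n".join(nft_rules(INVENTORY)))
```

The audit separates the two problems deliberately: a default web login is fixed by changing it, whereas a listening Telnet or SSH service with firmware-fixed credentials is fixed only by keeping everything except the management network away from those ports (or by replacing the device).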
Given all that, it hardly seems fair that the manufacturer appears to be abdicating responsibility for security to the end user, does it? Especially when, once the vulnerability has been identified and widely published, manufacturers continue to make these inherently vulnerable devices!
Developing the theme of video surveillance vulnerability a little more, along with the theme of responsibility for our shared online world: poor cyber security protecting our infrastructure is not only a corporate security issue, it is also opening us up to national security problems. For example, over a year ago we were awaiting the inauguration of President Trump, which, let’s face it, must have been a security nightmare. Days before this event, over 70 per cent of the DVR capability in the DC area was infected with two types of ransomware. Ransomware is malware designed to prevent use of, or access to, a system or its files. Those systems were going to be used to spew out this ransomware to millions of further victims and, at the same time, the infection had prevented recording on the majority of WDC police surveillance systems. Not what you need right before an inauguration, really.
So, as you can imagine, it was reassuring to me to be approached last year by Tony Porter, the Surveillance Camera Commissioner (SCC, pictured). I was asked to provide a cross-cutting cyber-security lead to his surveillance camera strategy. I found this reassuring partly because getting manufacturers, installers and buyers to take cybersecurity seriously has sometimes felt like herding cats, and also because having a regulator such as the SCC understand the challenge and proactively want to engage with cyber expertise improves awareness and knowledge, and thereby security and privacy, for everyone.
The SCC strategy contains a number of strands, including Standards and Certification, Horizon Scanning, Civil Engagement, Police, Local Authorities, Voluntary Adopters, Critical National Infrastructure, Installers, Designers and Manufacturers, Training, Regulation and a Buyers Guide.
It is important to understand at this stage, however, that although the strategy contains 12 basic strands (plus the Buyers Guide), these strands are in no way standalone or siloed – quite the opposite, in fact. It is well understood by everyone involved in developing and delivering the strategy that there are many interdependencies. For example, you cannot produce an effective and usable buyers guide that enables the buyer to specify and procure a surveillance system that is fit for purpose, including being fully capable of being cyber secure, if the manufacturers are not producing systems capable of meeting these requirements, or if installers and integrators are not installing them properly – including basic good practice like changing the default username and password.
In this (not so) new era of convergence and converged threat, it is no longer viable to continue to think of security in separate terms of physical and cyber, and to do so is to court disaster. The whole of the security profession needs to come together to meet this challenge. The threat is holistic, and our response needs to be holistic too.