Assets and Access Part III: Facilities - Cyber Intelligence House
We love it when companies start focusing on cybersecurity. Too often, though, the new focus distracts companies from basic security measures that have to be taken care of, no matter what, like physical security. Physical security may seem too basic to spend much time on, but it forms the foundation on which the company, and the cybersecurity manager, must build all security.
We have seen too many businesses post security guards in the lobby and implement access control systems yet fail to train front desk staff to adequately verify the identity of anyone entering the building. It’s often too easy for an intruder to give the front desk officer a fake business card in the lobby, ask for access to a certain floor, and head on up. Or they might use the fire exit or the loading bay to gain access to areas that are supposed to be secure. We see it all the time—doors on the way to the most secure areas are left open and unlocked, and nobody is checking badges. It makes no sense, but it’s commonplace.
The facilities department should be the team in charge of all of this—not only the physical building and all the security technology but also the related services—the lobby, receptionists, guards—and the access control technology, such as the burglar alarm system. Facilities concerns are directly related to cybersecurity because all the computers, switches, and networks within facilities are usually connected, so they are key to securing all facilities as well as systems and suppliers.
Systems put in place to secure facilities are often vulnerable in surprising ways. In Saudi Arabia, for example, a huge company installed a new access control system that opened and closed their doors. This system was connected to the internal network of the company. Their computers and systems were sitting on the same LAN. When they hired us to test whether their system was secure, the first thing we did was to scan the system to see what was there. At that instant, all the doors in the whole building locked. No one could get in or out; this was not the type of security they were looking for. The bottom line is that physical security solutions are seldom tested for security; meanwhile, everybody is selling security technology. Some of it is secure, but some is awful.
Facility Security = IT Systems
These days, facility security systems are IT systems, the same as everything else.
CCTV, access, HVAC, alarms, the IoT (internet of things)…lots of small computers that usually get little attention. Facilities buy them, make sure they’re running and working, but then they forget about maintenance. Meanwhile, IT doesn’t usually have access because they didn’t buy them.
Facility security is the Achilles heel of many companies today.
Even worse, the company was using a wireless WEP security, which has been known to be insecure for a long time; it can be cracked in minutes or even in seconds. Anybody could have hacked into their wireless network and locked the doors. On top of that, the lock function itself wasn’t foolproof; they discovered that it was possible to force the doors open as well.
Firewalls are like the gate to your network, but what’s the point of having a firewall protecting your servers if you don’t have a working lock on the door? Every company needs both. Even with locking doors, cybersecurity is critical for physical protection of all the assets on the premises.
Overlap in Security
Physical security and cybersecurity overlap. Even in the era of cloud-everything and wireless-everything, there is still a need for wired networks. The cybersecurity manager needs to interact with the facilities people to make the right choices for protection of their physical systems. For instance, access control systems should be segregated away from workstation networks. All of those little closets and server rooms with switches, routers, firewalls, and cabling should be well protected. Unfortunately, facilities people usually don’t understand the connection of facilities and cybersecurity unless the cybersecurity manager helps them understand.
For example, a luxury hotel in Switzerland switched from physical keys to completely electric locks. Guests had an access card or a token and could beep their way into their rooms. It worked well until a hacker came along and locked all the guests out of their rooms. It was a big scandal in the media; the hotel had to remove all the networked locks and replace them with old-school locks with keys. When facilities span more than one building, the challenge is even bigger. Access control systems are usually implemented per facility or per building installation. If you have ten buildings, it’s a nightmare to manage. If you can put the control in the cloud, however, and treat all those facilities as one entity that’s managed centrally, life gets much simpler. Once people started doing that, cloud-based applications and cloud computing companies popped up everywhere, offering this service. Those cloud providers are now using that cloud technology to control security access to a lot of different customers and buildings all over. Of course, this brings new risks. If somebody breaches the security of that cloud, they can get access to any of those clients and facilities.
We’ve also seen some other hacks with cars that are wirelessly connected, such as when a thief opens a car’s locks, steals the car, and sells it for money. It’s an emerging problem. In the future, it’s likely that we will see more of these car-related cyberattacks.
Subscribe To Our Newsletter
Get the latest intelligence and trends in the cyber security industry.
Working with Facilities
Facilities people might be office managers, or they might have the responsibility of acquiring janitorial services, landscapers, and receptionists. They may have a role in the maintenance of the buildings and facilities. If there is a water leak somewhere, they will be the ones to figure out how to fix it or to find someone who can. Sometimes they manage the security control technologies in the buildings. Put simply, they manage physical building assets. The reason physical security rests with these people is that they often buy the security systems when a building is first constructed. Facilities people now need to buy cybersecurity technologies, too, because everything from access control systems to CCTV are all controlled by computers.
If the cybersecurity manager is dealing with a facilities team who is not security savvy, they need to help team members understand what security is all about. The facilities people might not even realise they need security. If they don’t, the cybersecurity manager has to sell that idea or help them discover it. The cybersecurity manager could ask, “What happens if someone hacks the internal network, then hacks the access control system? What might happen?” Faced with this question, facilities staff might realise it would mean someone could open all the doors or flood the floors with water, causing major damage. There’s also a risk of explosions, contamination, or other bad results. This is a deadly serious concern in production plants, especially for medical or chemical manufacturing.
We’ve seen dozens and dozens of server rooms that don’t have any environmental controls for cooling and moisture removal, or redundant power or drainage. Or maybe they had controls, but they were really shoddy or didn’t include a redundant cooling system, where a backup system takes over if the primary system fails. In a server room that’s running a critical business operation, maybe even a big plant, with nothing to secure it, what happens if the cooling breaks down in the middle of the night? The next morning, it’s 42 °C in the server room, and most of the servers have shut down to protect themselves. Now there’s a production break and a disaster all because facilities didn’t know how to physically equip the room in the correct way.
Server Room Security
When a company has server rooms or data centres, the cybersecurity manager should make sure these security controls are in place:
- Redundant cooling
- Uninterruptible Power Supply (UPS)
- Raised Floor
- Cleanliness (no dust or moisture)
Big data centres usually have standards for this.
Most data centre service providers have some measures in place but no agreement about maintenance or testing. They might have implemented UPS systems—Uninterruptable Power Supply—but nobody is maintaining them. Or they might have rooms full of batteries to endure an hour of power outage, but nobody maintains or testing them, so it’s never clear if they’re working or not.
Check the Cloud
Every company is happily buying “cloud,” but many forget that they’re in someone’s computer out there. Did they check that facilities are secure enough for the data?
Some measures are simply misguided—yes, sprinklers are very common in server rooms, though they are a terrible choice for mission-critical server rooms because they will destroy the equipment as surely as fire will. What’s more, the systems themselves can fail and pose a risk to the equipment. We have also seen highly flammable liquids, piles of combustible materials, and hosts of drain pipes dripping from the ceilings. These are not just in-house errors; even midsized and large hosting service providers make these mistakes all the time.
The cybersecurity manager has to know about these physical risks. The cybersecurity manager might not be the best person to solve the problems—that’s the facilities team’s role—but he has to communicate that there is a risk and that something should be done about it.
If there are a number of physical security problems that should be handled by the facilities team, the cybersecurity manager should help facilities people to do a risk analysis that includes all the things that are a risk or a threat to the company, assess the likelihood and impact of each, then make a plan for which ones to fix first and find the budget and resources to do it.
Without input from the cybersecurity manager, it’s unlikely the facility manager would attempt any threat or risk analysis. Just like IT managers, their job is to keep their department or function running. It’s rare that people get bonuses for security or add it to their job description on their own.
The cybersecurity manager can be an advocate for facilities to help them analyse their risks and to advocate for their budget requests. Fortunately, some facilities departments do have large budgets. They maintain brick and mortar buildings and assets, renovate buildings, and manage the human power necessary to get it all done. Their budgets must be big enough to handle this, so it’s often not a big deal to slip some security items in as well. The facilities team just has to know what to include.
The best time to get physical cybersecurity into a building is when it’s first built or when it’s being renovated. If you’re building a $100 million production facility, $100,000 more for physical security isn’t that much.
The bottom line is that the cybersecurity manager needs to get involved with the facilities team, know about any large facility projects, and help the company get the security it needs. These are small investments comparatively—and it’s money well spent.