Even worse, the company was using WEP wireless security, which has long been known to be insecure; it can be cracked in minutes or even in seconds. Anybody could have hacked into their wireless network and locked the doors. On top of that, the lock function itself wasn’t foolproof; they discovered that it was possible to force the doors open as well.
Firewalls are like the gate to your network, but what’s the point of having a firewall protecting your servers if you don’t have a working lock on the door? Every company needs both. Even with locking doors, cybersecurity is critical for physical protection of all the assets on the premises.
Overlap in Security
Physical security and cybersecurity overlap. Even in the era of cloud-everything and wireless-everything, there is still a need for wired networks. The cybersecurity manager needs to interact with the facilities people to make the right choices for protection of their physical systems. For instance, access control systems should be segregated away from workstation networks. All of those little closets and server rooms with switches, routers, firewalls, and cabling should be well protected. Unfortunately, facilities people usually don’t understand the connection of facilities and cybersecurity unless the cybersecurity manager helps them understand.
For example, a luxury hotel in Switzerland switched from physical keys to completely electric locks. Guests had an access card or a token and could beep their way into their rooms. It worked well until a hacker came along and locked all the guests out of their rooms. It was a big scandal in the media; the hotel had to remove all the networked locks and replace them with old-school locks with keys.
When facilities span more than one building, the challenge is even bigger. Access control systems are usually implemented per facility or per building installation. If you have ten buildings, it’s a nightmare to manage. If you can put the control in the cloud, however, and treat all those facilities as one entity that’s managed centrally, life gets much simpler. Once people started doing that, cloud-based applications and cloud computing companies popped up everywhere, offering this service. Those cloud providers now use that technology to control security access for a lot of different customers and buildings all over. Of course, this brings new risks. If somebody breaches the security of that cloud, they can get access to any of those clients and facilities.
We’ve also seen some other hacks with cars that are wirelessly connected, such as when a thief opens a car’s locks, steals the car, and sells it for money. It’s an emerging problem. In the future, it’s likely that we will see more of these car-related cyberattacks.
Working with Facilities
Facilities people might be office managers, or they might have the responsibility of acquiring janitorial services, landscapers, and receptionists. They may have a role in the maintenance of the buildings and facilities. If there is a water leak somewhere, they will be the ones to figure out how to fix it or to find someone who can. Sometimes they manage the security control technologies in the buildings. Put simply, they manage physical building assets. The reason physical security rests with these people is that they often buy the security systems when a building is first constructed. Facilities people now need to buy cybersecurity technologies, too, because everything from access control systems to CCTV is controlled by computers.
If the cybersecurity manager is dealing with a facilities team that is not security savvy, the manager needs to help team members understand what security is all about. The facilities people might not even realise they need security. If they don’t, the cybersecurity manager has to sell that idea or help them discover it. The cybersecurity manager could ask, “What happens if someone hacks the internal network, then hacks the access control system? What might happen?” Faced with this question, facilities staff might realise it would mean someone could open all the doors or flood the floors with water, causing major damage. There’s also a risk of explosions, contamination, or other bad results. This is a deadly serious concern in production plants, especially for medical or chemical manufacturing.
We’ve seen dozens and dozens of server rooms that don’t have any environmental controls for cooling and moisture removal, or redundant power or drainage. Or maybe they had controls, but they were really shoddy or didn’t include a redundant cooling system, where a backup system takes over if the primary system fails. In a server room that’s running a critical business operation, maybe even a big plant, with nothing to secure it, what happens if the cooling breaks down in the middle of the night? The next morning, it’s 42°C in the server room, and most of the servers have shut down to protect themselves. Now there’s a production break and a disaster all because facilities didn’t know how to physically equip the room in the correct way.