Some of the safest computers in the world are the ones that have never been connected to the internet – but only if they’re also out of physical reach from those who would do them harm, Oshana Jouna at Axis Communications writes.
Most cyber threats come in the form of ones and zeros along copper wire, fibre optic cables or through the air as high-frequency radio waves. Sometimes, though, threats come from a real person who has physical access to the computer. Perhaps the simplest example of such a threat is highlighted by the familiar warning not to plug an unidentified USB stick into a PC without knowing where it came from or what is on it.
Such an attack can do real damage to any computer, whether or not it is connected to the internet, and can bring down an entire enterprise, all because of one little USB stick.
The same can be said about digital systems that control physical infrastructure, particularly critical infrastructure.
Concerns about critical infrastructure operators' exposure to external cyber threats have been growing over the past few years. There have been some very high-profile incidents of successful attacks targeting critical infrastructure operators; one example is the devastating Colonial Pipeline ransomware attack in the United States in May 2021.
Some of the cyber espionage that has accompanied the physical aspects of the war in Ukraine has further demonstrated the risk to a country and its critical infrastructure presented by malicious cyber activity.
If you think these types of incidents do not occur closer to home, consider recent comments by the Australian Cyber Security Centre (ACSC) that it has observed continued ransomware targeting of Australian critical infrastructure entities, including the healthcare, financial services, higher education and energy sectors.
Although these types of attacks are typically launched from thousands of miles away, cyber risk can also arise from something as simple and innocuous as someone walking through a door they are not supposed to walk through.
Physical security, layer by layer
In the words of the ACSC, the application of the so-called defence-in-depth principle to protect systems is enhanced using successive layers of physical security.
The ACSC defines the defence-in-depth principle as the implementation of multiple layers of security controls in a system to provide redundancy in the event that a security control fails or a vulnerability is exploited.
This approach is not only a useful guide to the implementation of software-based security measures; it is also particularly apt for the physical protection of digital infrastructure.
In fact, the same broad principles can often be applied to both the physical security and the cyber security of an organisation.
Perhaps one of the best ways to begin such a journey of vigilant protection is to start with the fundamentals, and one of the most fundamental ways to safeguard systems today is through the practice of zero trust.
At its most fundamental level, zero trust means that nobody is trusted until verified. This approach has become widespread in the field of information security, but it is equally applicable to the physical security of critical infrastructure.
With a zero-trust approach, verification can happen in several ways and at multiple points, and it often also involves granting access only to the specific parts of a network or facility that are needed for the task being carried out.
Physical security, intrusion protection
Effective intrusion protection requires depth. This can be achieved by installing layers of physical security measures that combine to safeguard protected areas comprehensively. We will break our discussion into the following focus areas.
Perimeter protection – your first line of defence
Perimeters can be protected using thermal and visual cameras to detect, verify and identify potential intruders. With pan, tilt and zoom (PTZ) cameras, an intruder can be tracked through the facility. These solutions can function in challenging lighting conditions or even in total darkness. Smart analytics can trigger warnings and alert staff. Warnings can also trigger live or pre-recorded audio announcements to deter intruders.
Area protection can be achieved using a combination of technologies, including multidirectional cameras with 360-degree coverage. Unexpected activity can also be detected using radar, which tracks people or vehicles and provides information about their speed, distance and angle of movement, even in complete darkness. Events generated by the radar can be linked to an audio system that plays pre-recorded messages to deter the threat. The radar coordinates can also be sent to a PTZ camera to actively track the intruder and provide visual confirmation of the incident.
Access control can be managed using a complete access control system, which can include digital readers and intercoms. Cameras with number plate recognition (LPR) can also be used, with the plate serving as a credential to grant or deny entry to people attending the site. A number plate is a public, easily copied identifier, so on its own it is a weak credential; to improve security, two-factor authentication is recommended. One example of two-factor authentication is to have the vehicle number plate detected automatically and sent to the system, and to require a PIN in combination with it, so that a cloned or misread plate is not enough to open the gate. Some of the most common access control credentials are RFID cards, PIN codes, biometrics, mobile credentials, car number plates and, mainly for visitors, QR codes.
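The following Python script is an added example, not code from the article or from Axis Communications, showing how the zero-trust points made earlier (verify before trusting, and grant access only to the areas a task needs) and the plate-plus-PIN two-factor gate just described would be decided in software. The plate format, PIN, zone names, permitted hours, LPR confidence threshold and lockout limit are all constructed assumptions for illustration.

```python
"""Gate decision for plate (LPR) + PIN two-factor entry, scoped per zone and hours.

Added illustration, not code from Axis or the article. Plates, PINs, zones,
the confidence threshold and the lockout limit are constructed assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

PBKDF2_ROUNDS = 100_000
LPR_MIN_CONFIDENCE = 0.90  # assumed: reads below this are treated as unverified
MAX_FAILURES = 3           # assumed: lock the plate after this many wrong PINs


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The system stores these, never the PIN itself."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Holder:
    name: str
    pin_salt: bytes
    pin_hash: bytes
    zones: FrozenSet[str]             # least privilege: only the areas the job needs
    hours: Tuple[int, int] = (6, 20)  # permitted entry window, hour of day, inclusive
    failures: int = 0
    locked: bool = False


@dataclass
class Decision:
    granted: bool
    reason: str


class Gate:
    def __init__(self, holders: Dict[str, Holder]):
        self.holders = holders  # keyed by normalised plate string

    @staticmethod
    def normalise(plate: str) -> str:
        """LPR output varies in spacing and case; compare on a canonical form."""
        return "".join(ch for ch in plate.upper() if ch.isalnum())

    def request(self, plate: str, confidence: float, pin: str, zone: str, hour: int) -> Decision:
        # Factor 1: the plate read. A low-confidence read is not a credential;
        # the system must not guess an identity and then verify a PIN against it.
        if confidence < LPR_MIN_CONFIDENCE:
            return Decision(False, "lpr_low_confidence")
        holder = self.holders.get(self.normalise(plate))
        if holder is None:
            return Decision(False, "unknown_plate")
        if holder.locked:
            return Decision(False, "locked")
        # Factor 2: the PIN, compared in constant time against the salted hash.
        _, digest = hash_pin(pin, holder.pin_salt)
        if not hmac.compare_digest(digest, holder.pin_hash):
            holder.failures += 1
            if holder.failures >= MAX_FAILURES:
                holder.locked = True  # stops PIN guessing against a known plate
                return Decision(False, "locked")
            return Decision(False, "bad_pin")
        holder.failures = 0
        # Scope: a verified identity still opens only the zones and hours it was granted.
        if zone not in holder.zones:
            return Decision(False, "zone_not_authorised")
        start, end = holder.hours
        if not start <= hour <= end:
            return Decision(False, "outside_hours")
        return Decision(True, f"granted:{holder.name}:{zone}")


def build_demo_gate() -> Gate:
    """Constructed enrolment record (sample data, not a real site)."""
    salt, digest = hash_pin("4821")
    contractor = Holder("contractor-07", salt, digest, frozenset({"car_park", "substation_yard"}))
    return Gate({"ABC123": contractor})


if __name__ == "__main__":
    gate = build_demo_gate()
    for args in [("abc 123", 0.97, "4821", "car_park", 9),
                 ("ABC123", 0.97, "4821", "control_room", 9),
                 ("ABC123", 0.55, "4821", "car_park", 9)]:
        print(args[0], args[3], gate.request(*args))
```

Two design choices carry the security argument. A low-confidence plate read is rejected before any PIN is checked, so the controller never "guesses" an identity and then lets a PIN confirm the guess; and a correct PIN still only opens the zones and hours on the holder's record, which is the least-privilege half of zero trust applied to a physical site. The failure counter is per plate, so an attacker who has cloned or photographed a legitimate plate cannot brute-force the PIN at the gate.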
Oshana Jouna is a sales engineering and training manager at Axis Communications.