This is the 61st article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
An attack surface is defined as the total number of all possible entry points for unauthorized access into any system.
This article was originally published as a Convergence Q&A Column article in Security Technology Executive magazine on June 13, 2022. This version has a slightly revised introduction for the “Real Words or Buzzwords” series.
Attack surface is an IT term that we don’t commonly hear spoken in the physical security domain. An attack surface is defined as the total number of all possible entry points for unauthorized access into any system. It includes all vulnerabilities and endpoints that can be exploited to conduct a security attack. (Source: WhatIs.com)
She was probably thinking about electronic physical security systems and the potential physical and digital cybersecurity weak spots that exist from having a wide variety of networked devices located all throughout a site’s buildings and grounds. For example, security puts web servers (cameras) on rooftops and above doors – a crazy situation from the perspective of many IT folks.
Security personnel responsible for deploying and managing physical security systems are more likely to hear the words “attack surface” today, because the term attack surface management (ASM) has been coined to emphasize a key perspective in IT infrastructure risk management: the attacker’s perspective.
Attack Surfaces
The attacker’s perspective is nothing new to physical security. But our thinking has always centered around harm to people, buildings and physical assets. It has typically focused on physical attack points and adversary paths. See Chapter 13, “Analysis and Evaluation”, in Mary Lynn Garcia’s classic book, The Design and Evaluation of Physical Protection Systems. Using the attack surface perspective, we could say that retail security practitioners have long been aware that product shelves in retail spaces are 100% physical attack surfaces. Although adversary thinking is not new, what is new is applying that thinking to our electronic security systems themselves.
As we already know, the systems themselves can be targets. For years hacker conventions have held educational sessions on how to clone access cards and how to defeat card readers and intrusion monitoring devices, for example. What’s more, today’s systems are vastly more complex than in earlier decades. They have more failure points than the non-networked systems of earlier decades.
In Chapter 4, “Systems and How They Fail”, of his outstanding book Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier writes, “Security experts worry more about how systems don’t work, about how they react when they fail, how they can be made to fail.”
For over two decades security investigators have been telling me that 10% to 20% of the time the evidential video they look for isn’t there but should be. The Viakoo platform is designed to secure IoT attack surfaces, and its Service Assurance Manager product is designed to address the problem of missing video and much more. For decades we have under-designed electronic physical system deployments by mostly ignoring the risks relating to the technology components. We simply accept the problems with a shrug and put the security system service providers on speed dial to respond to user-discovered problems and malfunctions. In contrast, IT folks scan and monitor their networks and devices to get ahead of problems before users experience them, because they focus on delivering an excellent user experience, which requires robust IT infrastructure management.
Security System Reliability
Most security systems should be at least 99.999% reliable. Why aren’t they? Big data centers are. I think it’s because we don’t treat our IT systems (PACS, video, etc.) like IT practitioners treat theirs. Data centers and cloud service providers include a measure of uptime commitment (such as five nines like above, or six nines) in their service level agreements (SLAs). Yet we allow only 90% to 80% reliability – which means failing 10% or 20% of the time. Security alarms are so unreliable that many police departments now require video verification of an alarm before they will respond. That situation is improving, but it’s taking legislation to make it happen. Shame on us.
In all fairness, security systems face challenges that business IT systems don’t, because security systems are cyber-physical systems, meaning that they are computerized systems that interact with the environment around them in physical ways. However, that’s actually even more reason to protect their attack surfaces rather than ignore them.
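As an added illustration (not from the original article or from any product it names), the following Python sketch puts a number on the missing-video problem and the five-nines target discussed above: it takes an index of recorded segments per camera, finds the recording gaps, and flags every camera whose recording availability falls below 99.999%. The camera names, the segment format, the 24-hour window and the 2-second tolerance are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

FIVE_NINES = 0.99999  # availability target named in the article


def recording_gaps(segments, window_start, window_end,
                   tolerance=timedelta(seconds=2)):
    """Return (gap_start, gap_end) pairs where no recorded segment covers the window.

    segments may be unsorted or overlapping. Gaps no longer than `tolerance`
    are treated as segment-boundary jitter, not lost video (an assumption).
    """
    gaps, cursor = [], window_start
    for start, end in sorted(segments):
        start, end = max(start, window_start), min(end, window_end)
        if end <= start:
            continue  # segment lies entirely outside the audit window
        if start - cursor > tolerance:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if window_end - cursor > tolerance:
        gaps.append((cursor, window_end))
    return gaps


def availability(gaps, window_start, window_end):
    """Fraction of the window that was actually recorded."""
    lost = sum((end - start for start, end in gaps), timedelta())
    return 1 - lost / (window_end - window_start)


def audit(inventory, window_start, window_end, target=FIVE_NINES):
    """Return {camera: (availability, gaps)} for cameras below the target."""
    failing = {}
    for camera, segments in inventory.items():
        gaps = recording_gaps(segments, window_start, window_end)
        avail = availability(gaps, window_start, window_end)
        if avail < target:
            failing[camera] = (avail, gaps)
    return failing


DAY = datetime(2022, 6, 13)  # constructed audit day


def at(hours, minutes=0, seconds=0):
    return DAY + timedelta(hours=hours, minutes=minutes, seconds=seconds)


# Constructed sample index: (start, end) of each recorded segment per camera.
SAMPLE = {
    "lobby-cam": [(at(0), at(12)), (at(12, 0, 1), at(24))],  # 1 s seam only
    "dock-cam": [(at(11, 24), at(24)), (at(0), at(9))],      # 2 h 24 min outage
    "roof-cam": [],                                          # nothing recorded
}

if __name__ == "__main__":
    for cam, (avail, gaps) in audit(SAMPLE, at(0), at(24)).items():
        print(f"{cam}: {avail:.5%} recorded, {len(gaps)} gap(s)")
```

Run against a recorder's real segment index on a schedule, a check like this surfaces missing video before an investigator goes looking for it.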
Applying IT Security Fundamentals
For computer-based systems, a fundamental concept to apply in evaluating attack surfaces is the information security triad: confidentiality, integrity and availability (CIA). These should be the goals of cyber-physical systems protection. Today, AI-enabled security systems are capable of providing information of value not just to security but also to business operations. Some data has real-time reliability requirements (in terms of seconds, not minutes) covering both integrity (data accuracy) and availability, such as video analytics that determine the length of customer service lines and alert on the line length and the average waiting time in line. It’s easy to see the applicability of CIA to physical security systems, especially video.
Usefulness of the Attack Surface Concept
The primary usefulness of the attack surface concept lies in the fact that it aggregates a wide variety of security systems CIA vulnerabilities that don’t become known during traditional security design, deployment and operations. Defining the attack surface entirely enables us to identify, characterize and properly remediate all the system weaknesses. There are two kinds of attack surfaces – digital and physical.
Digital attack surfaces for security systems include workstation and server computers, computer operating systems and software applications, networks (wired and wireless), and their points of connection to other systems and the Internet, plus network and software-based points of human interaction such as device and systems configuration.
Physical attack surfaces for security systems encompass all endpoint devices, such as server, desktop, and laptop computers and their USB ports; personal mobile devices; security cameras; intrusion detection sensors and controllers; and access card readers, controllers and their door monitoring and control hardware.
Security system infrastructure weaknesses can be addressed using, for example, the applicable controls in the CIS Critical Security Controls defined by the Center for Internet Security – coupled with security system manufacturer guidance on the subject. The CIS Controls are a relatively short list of high-priority, proven-effective actions that provide an excellent starting point for improving the CIA status of physical security systems. Several leading physical security industry companies base their hardening guides on the CIS controls and/or the NIST Cybersecurity Framework.