Make This October Count by Focusing on Cybersecurity
October is Cybersecurity Awareness Month, and the Security Industry Association (SIA) Cybersecurity Advisory Board is marking the occasion with a series of helpful content, tips and guidance on key cybersecurity topics. In this blog from SIA Cybersecurity Advisory Board members John Gallagher – vice president at Viakoo – and Min Kyriannis – CEO of Amyna Systems – learn how you can make this month count by prioritizing cybersecurity.
This October, we all have a shared responsibility to focus on cybersecurity, not just for ourselves, but also for our communities and organizations. First of all, October is Cybersecurity Awareness Month, the theme for this year being “Secure Our World” – a focus that physical security professionals live across every month of every year.
This October offers more examples than ever of how physical security and cybersecurity are woven together: recent reports show that hundreds of thousands of IP cameras, NVRs and other digitally connected Internet of Things (IoT) devices are being compromised and used by threat actor groups such as Flax Typhoon and in nation-state attacks from countries like Russia, Iran and North Korea, to name a few.
Furthermore, we will be heading into the final stretches of the upcoming U.S. election, where the cyber integrity of voting systems (which are IoT devices) is scrutinized because these devices are targeted.
Let’s dive into election security a bit, as it encapsulates many of the cybersecurity threats facing operators of physical security systems as well as the principles behind “Secure Our World.” There are many parallels between voting systems and physical security systems:
- Both are forms of IoT, using nonstandard operating systems and specialized devices.
- Both have significant public trust aspects.
- The “chain of custody” must hold up in a court of law.
- Both have multiple makes, models and configurations – a heterogeneous environment.
- Both are often managed by non-IT or non-cybersecurity personnel.
- Both have concerns over supply chain threats.
- Both follow the “CIA Triad” of confidentiality, integrity, and availability.
Of course, there are also significant differences, especially in scale and visibility:
- Physical security systems are massively higher in numbers and locations.
- Election systems have intense public interest and scrutiny.
- Physical security systems are used 24/7/365, not for a few days every couple of years.
- Physical security systems use corporate networks; election systems use ad hoc (consumer) networks.
- Deployment of these systems is by staff who are not necessarily trained and/or vetted to ensure integrity.
- There are no clear lines of due diligence to ensure the integrity of these systems.
The good news is that the principles guiding Cybersecurity Awareness Month are also the foundation for securing physical security systems, election systems or other IoT systems.
According to the Cybersecurity and Infrastructure Security Agency (CISA), here are the fundamental principles to follow to Secure Our World:
- Passwords: Use strong passwords and a password manager.
- Multifactor authentication (MFA): Use it! Turn it on for all systems that support it.
- Software updates: Ensure all devices and applications are updated to the latest (safest) version.
- Phishing: Recognize and report phishing attempts.
However, some IoT devices may not necessarily follow these principles since they operate differently. For example, the traditional IT phishing approach of sending an email with malicious links or attachments may not directly apply to IoT systems, but the critical point is to look for efforts to compromise your system through external traffic or other methods. During the election process, here are some examples of how to adapt these foundational principles:
- Make sure you keep your credentials secure and updated.
- Make sure you log in properly and log out properly.
- Be aware of your surroundings and who might be observing.
Use the focus on cybersecurity this month to ensure your physical security and/or other IoT systems abide by these basics. Are you regularly rotating passwords and using strong passwords? Do your camera and access control devices have a plan for being updated to the latest (safest) firmware versions as soon as they are available? Do you use certificates to provide device authenticity (and when available, do you have MFA turned on)?
Make this October the time to plan your IoT security efforts that will last across the year. In particular, ensure that all managers and operators of physical security and IoT systems have training on these security fundamentals. Pass along CISA’s Toolkit and Guide to Cybersecurity Awareness Month. Encourage and promote industry-specific resources, such as the Security Industry Association website, and aim to gain a key credential, the Security Industry Cybersecurity Certification (SICC). Best of all, lead by example and promote your cybersecurity success by presenting at industry conferences such as ISC West, ISC East and Securing New Ground.
Together, we all benefit from improved security (both physical and cyber), so let’s make the commitment this month to Secure Our World.
The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.