Security awareness

Modern Physical Security Awareness Is More Than Dumpster Diving [Updated 2019]

Pierluigi Paganini
August 27, 2019 by
Pierluigi Paganini

What is Physical Security

The term "physical security" refers to the security measures that are put in place in order to deny unauthorized access to a facility, equipment or any other asset, and to protect the personnel and assets from damage or loss.

Physical security is implemented following a multi-layered approach that involves a multitude of systems (i.e. Access control systems, CCTV surveillance, locks, protective barriers) and trained personnel.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Physical Security can reduce the risks of unauthorized accesses by combining complementary controls that can work as a deterrent for the threat factor, can help detect intrusions and trigger appropriate incident responses.

Among the goals of physical security, there is the persuasion of potential attackers that the costs of attack and related risks exceeds the value of making the attack.

Physical security rapidly evolved over the time, measures considered adequate in the past tend to be obsolete today.

Basic elements recognized as useful to implement Physical security are:

  • Obstacles (fences, vehicle barriers, vehicle height restrictors), to disturb and delay the action of trivial attackers.
  • Detection systems to discover ongoing intrusion attempts. They include CCTV surveillance systems, alarms, security guard patrols, and security lighting.
  • Security response system to repel or catch the intruders.

Physical security is comparable to a puzzle that continues evolving, where the various components are complementary to achieve the objective.

  • Environmental design.
  • Mechanical, electronic and procedural access control.
  • Intrusion detection.
  • Personnel Identification (authentication).

As anticipated, environment design is usually combined with an access control mechanism.

It is the norm to find environmental protection measures like warning signs and fences integrated with active access control systems.

Access control systems in modern physical security are an essential component to manage large user populations; the introduction of electronic systems allows security managers to provide a full control for user life-cycles times. Permission granted to each user, or to groups of users, could be dynamically changed to allow an important control of the access in every time.

The presence of such systems represents a deterrent for intruders that need a deep knowledge of the targeted environment in order to access the controlled areas.

The measures introduced have the primary goal to work as a deterrent for the attacker, but physical security includes also the detection of the threat.

Intrusion detection systems or alarm systems, represent the pillar of physical security that must trigger the response every time an unauthorized access is detected.

There are various systems that could be deployed in order to detect unauthorized access, including automated surveillance systems, sensors, and glass break detectors.

All these systems could cooperate to trigger the response to the intrusion, for example alerting internal security patrols.

Key Factors to Consider When Dealing With Physical Security

Every time security experts analyze the physical security of an infrastructure, they need to consider carefully a number of further factors such its natural events, location, and the building conditions.

The physical security of a facility in a specific area could be threatened by numerous risks, including natural phenomena such as an earthquake, or a flood. Experts need to evaluate recurring weather conditions as a factor that could influence the overall security level.

The location of the building is another element to analyze to secure a facility, buildings in high-risk urban crime zone request the adoption of further mitigation measures such as CCTV and armed guards. Sometimes a location can be an advantage to the intruders. This is the case of facilities are in an isolated place are or in proximity of a wood.

The knowledge of the surrounding environment could allow security manager to choose the most appropriate solution to avoid unauthorized access to the building.

The security managers need to consider also the condition of the facility. Every access needs to be audited to evaluate the way an attacker could compromise it. The experts need to consider the number of doors, windows and every access point evaluating the materials used and its resilience to attacks and natural phenomena.

If you speak with a security manager about physical security, he will tell you that factor that influences the security of a facility most of all is the internal staff, and of course, the budget assigned to the security of the building.

Physical security strictly depends on the humans that represent the weakest link in the security chain. Personnel need to be trained on threats and the procedure to mitigate the risk of exposure and to coordinate a response to potential attacks.

The budget is probably the most important constraint when analyzing the physical security, with limited resources, managers need to prioritize the various requirements evaluating the security risks.

New Challenge for Physical Security

The concept of physical security is rapidly changing due to the evolution of technology. Information security measures adopted in the past to protect facilities from unauthorized accesses and acts of sabotage are not effective any more. Let's think for example of the paradigm of Internet of Things and drones. Both deeply influence the concept of Physical Security.

Security experts are aware of the significant impact of the introduction of the IoT devices. Modern solutions for the physical protection of assets and facilities are connected to the internet and exchange a large number of data with peers. Poorly configured IoT devices could be exploited by attackers as an entry point within the target infrastructure, the Internet of Things can pose serious risks to physical security if not properly configured and defended.

According to the Verizon's report titled 2015 State of the Market IoT report, in the next 10 years organizations that will use IoT devices heavily will likely be up to 10 percent more profitable. The experts predict a 204 percent growth in the number of IoT connections only in the manufacturing sector, this means also that the number of devices used in solutions for the physical security will rapidly increase.

Access control systems and surveillance cameras are evolving to become smart objects that are always online. This implies that they need to be carefully protected to avoid hacking attacks that could compromise the physical security.

The IoT paradigm can drastically improve physical security and access control systems. By combining IoT and cloud management, security managers can implement scalable solutions that can share across the network in real time.

However, the side effects of the violation of such devices cannot be underestimated; the unauthorized violation of the access control system used to protect a building could allow attackers to masquerade their presence in the site giving them the possibility to access undisturbed to the restricted areas. Something similar could happen if hackers breach the video surveillance system or are able to block the alarm system deployed within the organization.

The Internet of Things and interconnectivity is already having a significant impact on the physical security industry.

It is essential to understand which physical security devices are connected to the Internet and how to secure them from the risk of cyber-attacks that can result in unauthorized accesses to the building or organization's assets.

Another important problem related to the adoption of IoT devices for the physical security is the patch management of their firmware. The updates and patches are not always available and in many cases, they are not easy to deploy. This is a serious problem if we consider that flawed physical security devices are easy to localize and manipulate in order to advantage the action of intruders by disabling detection and alerting systems.

The principal problems are represented by devices that are put online with a poor security configuration. It is quite easy to find IoT physical security devices (i.e. Sensors, smart controllers for lights and air conditioning) having default settings that could be exploited to take over them.

The Internet of Things isn't the unique paradigm that is affecting physical security; the rapid diffusion of relatively new technologies is urging a new approach when dealing with the protection of a restricted area or the perimeter of a building.

Drones are probably one of the technologies that will affect physical security most of all in the short-term.

In August, David Jordan of the US-based Aerial Assault presented at the Def Con conference an assault drone equipped with hacking tools. The inventor explained that the unmanned vehicle could be used in hacking missions, for example by landing atop buildings and probing for cracks in the internal networks.

Figure 1 - An Aerial Assault drone is displayed during a Def Con hacker gathering August 9, 2015 in Las Vegas

Jordan described the drone as a "unique" hacking tool with infinite options of attack:

"There has never been this capability before," Jordan said as he showed the drone to AFP.

The drone was equipped any kind of hacking software used in penetration testing. It is able to discover vulnerabilities in the target network and exploit it.

The Aerial Assault drone scans for unsecured wireless connections to networks, as explained by Jordan, assessing weaknesses of computer networks and tracking the GPS coordinates of a target.

The Aerial Assault drone is available for sale at a price of $2,500 each.

Now let's imagine a similar device flying over the building of a government organization or a private company. The presence of a drone represents a serious threat to the targeted structure because the unmanned aerial vehicle is able to bypass conventional physical security measures and in the specific case, it is also able to penetrate the system used to archive corporate data.

Small drones could be used to take aerial pictures of the target, discover the physical security measures adopted to protect the area (i.e. a number of guards and their location) and could be also used to attack physically the target.

The use of drones is increasing and the possible misuses too; the unmanned aerial vehicles could be used by groups of terrorists for reconnaissance before an attack on a critical infrastructure. The security problems are even more serious if we consider the use of drones and quadcopters in the urban areas, for this reason, it is necessary the monitoring of these vehicles to prevent dangerous situations.

When analyzing the physical security of a structure, it is essential to assess the risks of exposure to such threat and evaluate necessary countermeasures.

Recently, the Israeli company ARTSYS 360 presented a small 3D electronic radar that will be able to monitor every unmanned vehicle in small areas. This new radar is lightweight, has low power consumption and is able to monitor aerial traffic in an area with a range of 400 meters.

Figure 2 - Portable Drone Radar presented by the ARTSYS 360

ARTSYS 360 states its radar ensures blind zones coverage: 3D-360° and assures detection and tracking also in a high-density environment such as an urban area.

"The system performs a 3D 90 degrees vertical scanning and an horizontal 360 degrees scanning. The company claims that the system provides 1.5 degrees horizontal and vertical accuracy.The new radar, according to the company, performs a 360 degrees scanning every second." states the iHLS portal.

The radar represents a privileged solution to enforce physical security of an area with a limited perimeter because it allows monitoring the presence of drones along fences or borders. The device is ideal for urban areas thanks the low radiation emissions during operations.

The company website advertises its Grid Micro-Radar systems with the following statements:

  • Monitor the Aerial Environment for detection and tracking of UAVs
  • Query on Board Transponders for identification of the UAVs
  • Grid Operation network of Micro-Radars in urban area
  • Handover of UAVs between Radars in the grid for continuous tracking
  • FAA and other law enforcement access the cloud grid for:
  • Tracking
  • Communicating
  • Friends-or-Foe Identification
  • Jamming

The small radar is able to communicate with the control center via Wi-Fi, LAN, Rj45 and 3G, the power supply relies on an electric grid and has as an optional four lithium batteries to last through 48-96 hours of operations as well as a solar panel.

The radar has also the ability to interfere with intruder's drones, once it detects unauthorized UAVs and quadcopters it is able to jam them causing malfunction.

For simplicity, we have analyzed drones and IoT devices separately, but let's think for example of the combined exploitation of both technologies to breach the physical security of a building.

In August 2015, a group of researchers at the Praetorian firm launched an aerial security-scanning project relying on ZigBee-sniffing drone to map online Internet of Things devices and build searchable archive.

The team of researchers has started a project to analyze the security of internet-of-things devices using the popular ZigBee communications protocol.

Figure 3 - ZigBee-sniffing drone

The goal of the researchers is to build a SHODAN-like search engine specialized for the internet of things devices, highlighting their security vulnerabilities.

"At its core, this project is driven by exploration," explained the researchers. "Where are these things? Who made them? What do they do? Are they secure? These are some of the questions we hope to answer."

"The first step of our exploration involves locating and fingerprinting ZigBee-enabled smart devices and networks. We're starting local and expanding from here. It's a big world to explore and billions of things to discover."

The experts published on the official page of the project a real-time tracker that allows to see where is flying the drone.

More than 1600 unique internet of things devices have been already identified, nearly 453 of them are made by Sony, and 110 by Philips.

Figure 4 -ZigBee-sniffing drone, Map of detected devices

The experts are analyzing for each device security settings, manufacturer ID, channels, and other attributes. Now just for a moment imagine this information in the wrong hands. Attackers can have a detailed map of the area, including the presence of IoT devices, including physical security devices implementing the ZigBee protocol. The drone is able to log the locations of Internet of Things devices within a 100-meter range, which is enough to map the area occupied by a building hosting the headquarters of a company.

"ZigBee is buzzing all around us, everywhere, everyday. In order to listen in on conversations taking place between machines, we've developed an autonomous, hand-held device that speaks the ZigBee language. It helps us humans better understand the conversations going on around us—a translator of sorts. The device is equipped with several ZigBee radios for communicating with the devices around it and an integrated GPS to triangulate the location of each device. It's self-powered, weighs about 250g, and has software that makes it fully autonomous. While in operation, the device captures and logs the locations of all smart devices it finds within range (approximately 30-100 meters). Today, it can be held in your hand while taking a stroll around town or it can sit in your car while driving. Soon it will take flight on a drone." the researchers explain on the web site of the project.

The researcher used a six-rotor drone equipped with ZigBee radios for communicating with Internet of Things devices and a GPS device to track their position. The researchers are planning to release the code used in their project to extend it to other cities and populate their database, let me add that this archive will contain a lot of information that is better to keep private.

"Very soon, we'll be releasing a full how-to build guide for our device, along with a release of the code the drives it, so other passionate engineers and hackers interested in ZigBee can start listening in to the machines around them," the team says.

 

The Cyber-Physical System (CPS) and Physical Security

A cyber-physical system (CPS) is a system of collaborating computational elements controlling physical entities. Cyber-physical systems play a crucial rule in modern physical security programs due to the evolution of technology.

Security experts focused on physical security must take care the diffusion of CPS and their use to improve physical security.

The experts at the National Institute of Standards and Technology (NIST) are aware of the importance of CPS in modern applications and released a "Draft Framework for Cyber Physical Systems" with the intent of supporting manufacturers in the design of new devices for the physical security that can that bridge the physical and computational spaces.

Today unmanned vehicles, "intelligent" buildings, mobile devices; RFID bracelets could be exploited by attackers to bypass physical security measures, it so important to integrate the classic approach for the protection of physical assets and environment with new solutions and methods that could help to mitigate the risk of exposure.

The Draft Framework for CPS is available for comments for 45 days starting from its publication; experts from several industries, academic and government have contributed to its development joining in the NIST CPS Public Working Group (CPS PWG). The NIST CPS Public Working Group has worked more than a year for the development of the draft.

David Wollman, experts at the NIST and co-chairs NIST's Cyber-Physical Systems Public Working Group, explained that the framework is born to define a methodology for understanding, designing and building CPS including those with multiple applications.

"Creating a complex device involves a lot of people with varying interests and concerns, from the designers to the engineers to the safety testers," explains Wollman. "What the framework provides is an organized treatment of these concerns so the group can address and manage them all effectively. It will prompt them to think of concerns they may not be aware of, and support understanding and integration of different CPS."

As highlighted in the framework the implementation of physical security tightly depends on the ability to integrate physical and computing devices.

The draft framework proposes a set of common attributes that must be implemented by CPS devices and systems in order to share information and interact successfully with the broader CPS environment.

Conclusion

We have explained why the concept of physical security is rapidly changing with technological evolution.

Physical and IT security are converging each other, as we have seen physical security devices need to be resilient to cyber-attacks to avoid intrusion that could result in the violation of the assent to defend.

It's my personal opinion that IoT devices most of all are already influencing the concept of physical security, and for this reason it is essential to adopt a modern approach that will consider also a new range of cyber threats.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Cyberspace and physical environment are closer than ever before.

References

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.