This post is also available in: heעברית (Hebrew)

By Or Shalom

The design, planning and deployment of physical security layers are based, among others, on technological systems and tools. In spite of the concept that supports the isolation of each system into an autonomous action independent of other security layers (as result of a cyber attack or manipulation), the current functional application is slightly different. Technological security layers are based mainly on computerized systems that monitor and control the installation’s physical, perimeter and internal security. 

This planning is based on the integration of security technologies, such as electronic systems for fences, smart cameras, access control systems (including biometric), systems for the detection of illicit materials, such as weapons, chemicals, etc. The integration and deployment mode enable information gathering for big data, inter-system synergy, automation processes, decision making support, planning and maximal utilization of the forces, as well as the improvement of system performance and accuracy based on self learning.

As a popular example of technology-based automation processes, take the automatic opening of an organization’s electronic gate and the direction of authorized vehicles into a secure perimeter according to their license number. Alternatively, the cross-check of biometric facial identification of crowd images with network databases’ suspects images.

The integration of such technological systems provides opportunities for cyber attacks and other technological threats.

The assailant’s motivation is based on the ability to bypass the technological systems and defeat current security methods, gain access, jamming capabilities, cause chaos, etc.

Several scenarios are possible, including gaining control over systems’ opening and closing, systems’ locking, neutralization of communications between the security detectors and the control centers, false alerts (as a distraction), switching or theft of images or biometric data, changing access authorizations, image freezing, archived image or documentation (as misrepresentation), neutralization of electricity systems causing a system stoppage, etc.

Therefore, a risk management process focusing on cyber threats must be executed at the planning stage of the technological security layers. This process should be based on the capability to understand functional changes and manipulations that a technological adversary can inflict to systems, integrated assets and workflows. It must be assumed that the attacker knows the products, manufacturer’s definitions, etc. Adversaries might also use technician’s passwords and knowledge about system reset. This is why changing the system’s architecture can help in thwarting an attack.

At the next stage of the risk management process, possible consequences for the security systems should be considered and taken into account, and feasibility should be evaluated. These will be directed at prioritizing controls for risk reduction. The controls bank will also direct towards dedicated controls in order to decrease the assailant’s intervention along the supply chain’s route, the exploitation of over-the-air communication interfaces as well as inter-system communications in attempt to gain access to the network and execute illegitimate actions.

Operations must include the prevention of unauthorized actors’ intervention in the controls integration of password changes, strong authentication controls, encryption mechanisms, etc. Changing manufacturer’s passwords in systems is efficient also against information gathering through mapping websites, e.g. SHODAN. Such search engines enable the mapping and detection of systems and interfaces, including connected cameras. This is being done through queries according to component  and manufacturer names, as well as manufacturer passwords.

An important focus of the planning and integration is the controls intended for isolation inter-system communications. This is being done in a way that does not influence the synergy processes and information use and dependency on the one hand, while preventing the assailant who got control over one system from paralyzing all systems simultaneously. Adding dedicated controls and physical components for unidirectional elements (e.g. diodes) (1) will substantially decrease the risk.

The planning of security layers should be adapted also to the rival’s tactical technological threats. For example, the use of frequency jamming systems (such as radio-based systems and GPS) or the rival’s use of remote control systems through robotic systems or unmanned aerial vehicles.

At the beginning of 2021, the USA Cybersecurity and Infrastructure Security Agency (CISA) published the Unauthorized Drone Activity over Sporting Venues document (2) as a dedicated recommendation document for controls and activities against unauthorized drones. This was a response to several incidents, including sports events at stadiums (whose flight was not coordinated with the authorities). Although in most cases the drones served for games documentation and photography, there is still the potential of disrupting and physically harming the event. 

The document divides the required actions according to families: Prevent, Protect, and Respond controls. The prevention controls include coordination among authorities, increasing public awareness and issuing warnings regarding the limits of drone use (on the internet and through regional signage), and law enforcement. 

The protection controls are directed at the execution of a risk survey at potential launching spaces (parking lots, balconies, open spaces), the preparation of an emergency response, training security teams in anomaly detection, listing indications based on speed, weight, flight near or above people, drone’s design changes, etc. 

The response controls family incorporates responses during a drone crash, responses outside the security perimeter, and the mode of reporting to authorities and other security organizations.

In addition to CISA’s recommendations, coping with such incidents requires the integration of frequency jamming capabilities during the identification of an unknown drone. Another arena that requires more capabilities is the integration of technologies for the improvement of the drone operators detection, alongside active security and initiated patrols.

In addition to the technological preparation, the security teams must be prepared to secure the installation also if there are technological problems, and the security and cyber systems fail to operate. For example, the security array’s ability to operate in the dark (due to an initiated power outage) due to a cyberattack against the building management system in order to spread chaos, confusion, and adversarial advantage.

1 An electronic component with two connections operating as a unidirectional valve and enabling electricity flow in one direction only.

2 CISA 25.1.2021

Or ShalomSecurity and cyber expert and consultant to government ministries and defense industries. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in security, innovation, planning and characterization of technological security systems, HLS and Cyber preparedness. Mr. Shalom leads centers of excellence and advanced training programs in Cyber and HLS for various organizations in the civilian, security, industry and academic sectors.