Connected building threats

Can access control and CCTV put you at risk?

Connected building access control systems and CCTV cameras extend the attack surface of your organisation’s IT network. How can Cross Domain Solutions and data diodes defend organisations from threats like these?

Most organisations are well aware that they must segregate their Information Technology (IT) networks from their Operational Technology (OT) networks, and do the same wherever else the threats, and the assets at risk, are very different.

CCTV and access control systems can rightly be considered an OT network. And yet many organisations wouldn’t think to include them in their list of sensitive ‘OT assets’. This is despite all the hallmarks being present: specialist and often legacy systems; links to critical core IT; and a unique threat exposure profile.

Modern best practice for an IT/OT link is a Cross Domain Solution (CDS): a robustly architected link that allows valid data flow, but reliably blocks misuse. By focussing on the data, it offers far better protection than either a firewall or a bare ‘airgap’. So how can organisations apply the CDS approach to their access control and CCTV systems – and why is it important?

Can you defend it?

Traditional network security relied on barriers to defend a 'castle' from attack, which highlights a problem: an organisation’s CCTV and access control systems must extend beyond its physical walls, whether that be onto the street, carparks, or other external space.  Every camera and card-reader introduces a vulnerable point of connection.  And yet they must all connect to the recording controller and access controller.

This becomes a challenge when linking those controllers back into your core IT, which you must do for account changes, reporting, alerting, maintenance and provisioning, and so on.  And it’s even more tricky when managing multiple sites remotely. 

While IT teams will do their best to add protection as they link up this OT network with the organisation’s wider IT network, they may lack the necessary expertise in configuring the physical security devices. Moreover, it’s commonly a company’s facilities team, and not the IT team, that is tasked with managing the devices, their configuration, and their upgrades. How joined up is your own organisation about this?

Cross Domain Solutions

Organisations that routinely handle extremely sensitive data – whether that’s state secrets, global finance, or critical infrastructure – also segregate their networks into low security and high security domains. And then they link them up again using a CDS: an architectural pattern now being championed by the UK’s NCSC (National Cyber Security Centre) as best practice. It's already a matter of course in the industries listed above, whenever security is paramount.

The Cross Domain Solution approach drills into and secures every aspect of getting your data – and only your data – across the boundary from one domain to another.  As detailed in the NCSC's guidance, a CDS must cover things like data inspection, ensuring one-way data flows, and defence against protocol attacks.  And it goes deeper: the CDS itself becomes a natural point for attackers to target, and must be designed to defend its own integrity.  The 'people' aspect is also important: the CDS must serve the dataflow needs fully, and be easy to manage.

If we contrast an engineered CDS with a traditional ‘airgap’ approach, which is a common practice for CCTV and access control, the 'people' aspect shows exactly why airgaps are weak.  An airgap is always aspirational.  The time comes when you need to move data across anyway – that's why you'll often hear the term ‘airgap’ with ‘air-quotes’ around it.  An airgap means entrusting your exacting security assurance demands to people who are only human: busy, fallible, and sometimes armed only with a USB stick and a lengthy set of instructions.

Another approach, again common for CCTV and access control, is to connect domains via a firewall. This obviously affords much richer data exchange than an airgap.  But when you assess its security, a firewall rates as ‘mostly safe’. Careful comparison against the CDS principles shows some important concerns remain that a firewall simply cannot address. 

It's a deep and nuanced issue, but the gap fundamentally comes down to two things. Firstly, firewalls are less picky about ruthlessly sanitising and inspecting every part of the data.  Secondly, firewalls are very complex and largely controlled by a body of software. Despite every care, if that software has a vulnerability, there’s often no second line of defence. In other words, one chink in the armour can be all that an attacker needs to strike.

Importance of data diodes in CDS

By contrast, a CDS aims to take critical security guarantees out of the hands of one human, or of one critical piece of potentially vulnerable software.

In the centre of any CDS is a part that sits exactly on the boundary, between one domain and the next – where the data handover occurs.  Exposed to both domains, it's the most critical component. And this is where a data diode comes in.

A data diode delivers critical security guarantees with hardware.  At a minimum, diode hardware ensures one way data flow.  So depending on the scenario, infiltration of malware, or exfiltration of information, can be directly prevented by the device's fundamental physical properties – such as the very wires and components soldered onto the circuit boards. For example, you might architect a one-way link allowing your IT network to send access updates to your access control system, while blocking any possibility of an attack in the other direction.

Modern data diodes do more: they strip away all the network ‘packaging’ that carries the data in, leaving only the data itself. Only that data, and only if it is acceptable, is sent through. A completely new and uncontaminated stack of network packaging is freshly constructed, by the diode, to deliver it onwards to the receiving domain. This ‘protocol break’ defeats attacks smuggled in through lower levels of network protocols by simply discarding them. Advanced data diodes also check the data in detail, performing syntax checks in hardware and rejecting any message that does not match specification.
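The protocol break and syntax check described above can be modelled in a few lines of software. The sketch below is an added illustration, not Oakdoor's or any vendor's code, and a real diode enforces these steps in hardware; the access-update message format, the header framing and all function names are hypothetical.

```python
import re

# Hypothetical fixed-format access update, one ASCII record:
#   ACCESS|<badge: 8 upper-case hex digits>|<door: D + 3 digits>|<GRANT or REVOKE>
SPEC = re.compile(rb"ACCESS\|([0-9A-F]{8})\|(D[0-9]{3})\|(GRANT|REVOKE)")
MAX_BODY = 32  # no valid update is longer than this


def extract_payload(inbound: bytes) -> bytes:
    """Protocol break, part 1: discard every inbound header, keep only the body."""
    _headers, sep, body = inbound.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body boundary")
    return body


def validate(body: bytes) -> tuple:
    """Syntax check: the whole body must match the specification, with nothing extra."""
    if len(body) > MAX_BODY:
        raise ValueError("oversized message")
    match = SPEC.fullmatch(body)  # fullmatch also rejects trailing bytes and newlines
    if match is None:
        raise ValueError("does not match specification")
    return tuple(group.decode("ascii") for group in match.groups())


def rebuild(badge: str, door: str, action: str) -> bytes:
    """Protocol break, part 2: build a fresh message from the parsed values only.

    No inbound byte is forwarded as-is; framing is constructed on this side.
    """
    body = f"ACCESS|{badge}|{door}|{action}".encode("ascii")
    return b"UPDATE/1\r\nLength: %d\r\n\r\n" % len(body) + body


def transfer(inbound: bytes):
    """Return the rebuilt outbound message, or None if the input is rejected."""
    try:
        return rebuild(*validate(extract_payload(inbound)))
    except ValueError:
        return None


# Constructed sample: a valid update wrapped in untrusted inbound headers.
SAMPLE = b"X-Route: a\r\nX-Extra: smuggled\r\n\r\nACCESS|00A1B2C3|D014|GRANT"
```

Passing `SAMPLE` to `transfer` yields a message whose headers were built entirely on the receiving side, while a body with an extra field, lower-case hex or a trailing newline is dropped rather than repaired.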

Historically data diodes were exotic, expensive, and tricky to use. But companies such as Oakdoor, part of PA Consulting, have developed revolutionary data diodes that are far simpler, more performant, and more cost-effective – while remaining equally secure. This brings practical and affordable diodes within reach, even for the highest levels of classification where certification such as NCSC's CAPS approval is required. With hardware data inspection, they disarm a broad set of attack techniques in the most robust way possible.

Against this backdrop, the NCSC now publishes detailed guidance for safely importing and safely exporting data, with a view to helping organisations across a growing number of sectors adopt this approach. And it's no surprise.  Connectivity is ever-growing – we rely on it more, and so we increasingly need to defend it better.

Getting started

Cross Domain Solutions aren’t simple. Implementing them requires a solid understanding of your infrastructure, a thought-out plan, and the right partners and products.

Organisations need to start with a thorough assessment of their assets, needs, and threats.  Consider your security domains: the data that currently flows across boundaries, and the data you would like to flow across – if only you could do so safely.

With the right foundations in place, taking a CDS approach can be revolutionary: it can unlock new and transformative data links that bring huge cost savings, reduce process risks, increase reliability, and enable an organisation to work more nimbly and efficiently.  You now have that option, while remaining safe. For example, with access control and CCTV, organisations can gain access to instant alerts and long-term metrics that transform their responsiveness and future-planning.

It can seem daunting, but organisations don’t have to commit to a big investment from the outset. Start small, seeking the most critical and beneficial boundary to treat first. A good solution will act as a smooth and well-integrated link. Seek components that are robust, accredited, easy to manage, and will integrate to form an effective CDS, and consider guidance from regulatory bodies such as the UK's NCSC (National Cyber Security Centre) and the USA's NCDSMO (National Cross Domain Strategy and Management Office).

The important thing is to get started. Your data's value to you, and the importance of keeping it secure from others, will only increase.  Whether your CCTV and access control system comes out top of your list, or will wait its turn in the queue – evaluate your risks, and look to where a proper Cross Domain Solution can deliver both freedom and security.

 Authored by Richard Kistruck, security architect at Oakdoor, part of PA Consulting

MEB Media Publishing (UK) Ltd

13 Princess Street,

Maidstone, Kent

ME14 1UR

United Kingdom

www.mebmedia.co.uk

 
