dswinhoe
Editor

What is physical security? How to keep your facilities and devices safe from on-site attackers

Feature
04 Aug 2021 | 13 mins
Critical Infrastructure, Security, Security Infrastructure

Securing premises and devices from physical attacks can be just as challenging as defending against cyber threats. Automation and AI are increasingly used to shore up defenses.

Gate Smart Lock
Credit: Gate

Physical security definition

Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. Though often overlooked in favor of cybersecurity, physical security is equally important. And, indeed, it has grown into a $30 billion industry. All the firewalls in the world can’t help you if an attacker removes your storage media from the storage room.

The growing sophistication of physical security through technologies such as artificial intelligence (AI) and the internet of things (IoT) means IT and physical security are becoming more closely connected, and as a result security teams need to be working together to secure both the physical and digital assets.

Why physical security is important

At its core, physical security is about keeping your facilities, people and assets safe from real-world threats. It includes physical deterrence, detection of intruders, and responding to those threats.

While threats could come from environmental events, the term is usually applied to keeping people – whether external actors or potential insider threats – from accessing areas or assets they shouldn’t. It could be keeping the public at large out of your HQ, on-site third parties from areas where sensitive work goes on, or your workers from mission-critical areas such as the server room.

Physical attacks could involve breaking into a secure data center, sneaking into restricted areas of a building, or using terminals the attacker has no business accessing. Attackers could steal or damage important IT assets such as servers or storage media, gain access to important terminals for mission-critical applications, steal information via USB, or upload malware onto your systems.

Rigorous controls at the outermost perimeter should be able to keep out external threats, while internal measures around access should be able to reduce the likelihood of internal attackers (or at least flag unusual behavior).

One of the most common errors a company makes when approaching physical security, according to David Kennedy, CEO of penetration testing firm TrustedSec, is to focus on the front door. “They’ll put all of the security in the front door; surveillance cameras, security guards, badge access, but what they don’t focus on is the entire building of the whole.”

Smoking areas, on-site gym entrances, and even loading bays may be left unguarded, unmonitored and insecure, he says. Turnstiles or similar barriers that have movement sensors on the exits can also easily be opened by putting a hand through to the other side and waving it around.

While the cost of successful digital attacks keeps increasing, physical damage to your assets can be just as harmful. One notorious example of physical security failing saw a Chicago colocation site robbed four times in two years, with robbers taking 20 servers in the fourth break-in.

Scope of physical security risks

The pandemic, civil unrest related to the January 6 insurrection, and an increase in gun violence have made CISOs and other executives more concerned about physical security, including the well-being of themselves and their employees. That’s according to the 2021 Mid-Year Outlook State of Protective Intelligence Report from the Ontic Center for Protective Intelligence. 

The report, which is based on a survey of 300 physical security decision makers, CISOs, CIOs, CTOs, and other IT leaders, emphasizes four areas of concern over physical threats:

  • Business continuity: Unmanaged and rising physical threats increase corporate risk and potentially could impact business continuity. The report recommends companies invest in physical security to mitigate violent threats.
  • A larger threat landscape: Intelligence failures put executives and employees at risk of physical harm or supply chain damage or property theft by insiders. Seventy-one percent of respondents said the physical threat landscape has “dramatically” changed in 2021.
  • Lack of unification between physical and cybersecurity: Most respondents (69%) said that unifying cyber- and physical security could have helped avoid incidents that resulted in harm or death at their organizations. This includes having a single platform to identify and communicate threats.
  • Unexpected challenges: Compared to an earlier study, some of the key challenges IT and security leaders faced in 2021 were not the ones they expected to have when asked in 2020. Those challenges include regulatory compliance reporting and demonstrating a return on investment in physical security.

Overall, 64% of respondents reported an increase in physical threat activity so far in 2021, while 58% say they feel less prepared to handle physical security for their organization.

Physical security principles and measures

Physical security largely comes down to a couple of core components: access control and surveillance. 

Access control

Access control covers a wide range of measures, from basic barriers to more sophisticated controls such as keypad, ID card or biometrically restricted doors.

The first line of defense is the building itself – the gates, fences, windows, walls, and doors. Locking these and adding deterrents such as barbed wire, warning signage, and visible guards will put off most casual attempts on your locations.

Access control systems are many and varied, and each has its own pros and cons. Simple ID card systems might be cheap, but the cards are easily stolen or forged. Near-field communication (NFC) or radio-frequency identification (RFID) cards make forging harder but not impossible. Embedding NFCs in workers – something that is reportedly becoming a trend in Sweden and drew ire from workers’ unions in the UK – is also a way to reduce the chance of card loss.

“RFID badges are easily cloneable,” warns Kennedy. “Instead, use magnetic strips where you actually have to swipe and maybe use a second form of authorization like a pin number.”

Biometric security is also a common option to secure both facilities and devices. In theory our unique body identifiers – whether fingerprint, iris, face or even your pulse – are harder to steal or fake than any cards. A report from ABI Research predicts the use of biometrics will only increase in the future. Fingerprint remains the most common method, but ABI suggests it will be augmented with a growth in face, iris and pulse.

“I haven’t seen a whole lot of facial recognition in companies yet, but stay away from biometrics,” says Kennedy. “A lot of people want to move to that but there’s a lot of issues.”

Fake fingers can overcome fingerprint readers, photos or masks can be enough to fool facial recognition, and German hacking group Chaos Computer Club found a way to beat iris recognition using only a photo and a contact lens.

Surveillance

Surveillance includes everything from guards on patrol, burglar alarms and CCTV to sound and movement sensors and keeping a log of who went where.  

At more high-risk locations, companies can deploy far more sophisticated detectors such as proximity, infrared, image, optical, temperature, smoke and pressure sensors to maintain a holistic view of their facilities.

IoT and AI bring physical security into the digital world

Physical security and digital security used to be entirely separate realms, but they are slowly becoming more and more intertwined. Surveillance systems are increasingly connected to the internet, access control systems and monitoring systems are keeping digital logs, and use cases for AI in physical security are becoming more popular.

For example, CCTV-based image recognition can alert you to the arrival of people or vehicles. In more sophisticated systems, facial or even walk recognition is possible across entire facilities and can let you know if an unknown person is on-site or a worker is somewhere they shouldn’t have access to. Behavioral analytics tied into access controls can alert you to unusual behavior. Companies are also beginning to use drones for facilities surveillance, and increasingly drone manufacturers are looking to add automated, unmanned capabilities. According to research from Memoori, AI-based video analytics could “dominate” physical security investment over the next five years.

“Over the last two years that the focus has really shifted from just health and safety to also information security as well to try to really protect all the information as well as the physical location itself,” says TrustedSec’s Kennedy. “We’re very much seeing the convergence of physical and logical security together; if you’re doing a badge access swipe in New York but you’re logged in through a VPN in China, that’s a way in which to detect potentially malicious activity is going on and use physical data to help provide intrusion analysis in your environment.”
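The badge-versus-VPN check Kennedy describes can be written as a correlation between the two log sources. The following is an added example, not code from the article or from TrustedSec; the record layout, user names, site codes and four-hour window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical layout):
# badge swipe = (timestamp, user, site, site country)
BADGE_SWIPES = [
    ("2021-08-02T08:55:00", "alice", "NYC-HQ", "US"),
    ("2021-08-02T09:10:00", "bob", "NYC-HQ", "US"),
    ("2021-08-02T13:00:00", "carol", "LON-01", "GB"),
]
# VPN login = (timestamp, user, source IP, geolocated country)
VPN_LOGINS = [
    ("2021-08-02T09:20:00", "alice", "203.0.113.7", "CN"),  # abroad while badged in
    ("2021-08-02T09:30:00", "bob", "198.51.100.4", "US"),   # same country, consistent
    ("2021-08-03T13:30:00", "carol", "192.0.2.9", "FR"),    # next day, outside window
]

# Assumed window: too short for the user to have travelled between countries.
WINDOW = timedelta(hours=4)


def find_location_conflicts(swipes, logins, window=WINDOW):
    """Return (user, site, badge_time, vpn_country, vpn_time) for every VPN
    login whose country differs from a badge swipe by the same user that
    happened within `window` of the login."""
    swipes_by_user = {}
    for ts, user, site, country in swipes:
        entry = (datetime.fromisoformat(ts), site, country)
        swipes_by_user.setdefault(user, []).append(entry)

    conflicts = []
    for ts, user, _ip, vpn_country in logins:
        vpn_time = datetime.fromisoformat(ts)
        for badge_time, site, badge_country in swipes_by_user.get(user, []):
            close_in_time = abs(vpn_time - badge_time) <= window
            if close_in_time and badge_country != vpn_country:
                conflicts.append((user, site, badge_time.isoformat(),
                                  vpn_country, vpn_time.isoformat()))
    return conflicts


if __name__ == "__main__":
    for conflict in find_location_conflicts(BADGE_SWIPES, VPN_LOGINS):
        print("ALERT physical/logical location mismatch:", conflict)
```

A hit means one of the two credentials is probably not in its owner's hands, so the alert belongs with both the physical security and the IT security team.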

Bringing physical and IT security teams together

However, this growth in physical security technology means IT and physical security need to operate more closely. Digital logs need to be processed, stored and presented to the right people. AI models may need to be created and systems trained. Importantly, all internet-connected devices need to be properly secured.

“Physical security systems are no longer just a sensor that reports back to the user whether it detects motion or not,” says Kennedy. “These are heavily technological systems that are just increasing every year in sophistication. However, the security providers are often device manufacturers first and now they want to get into the whole IoT business so they’re really a development shop second. And what we’re finding with these devices are actually introducing more exposures than those closed off systems than we’ve seen in the past.”

These devices can often be hacked remotely. CCTV cameras, for example, made up a large portion of the Mirai botnet used to take down Dyn in a major DDoS attack in 2016. If your sensor networks are not adequately segmented and protected, a flaw in one device can allow an attacker to disable a range of your security processes.

“The technology these companies are starting to implement is very promising and really with the mindset of trying to stop people from breaking into buildings, but they’re still immature in the development cycle and it’s going to take a long time to fix,” says Kennedy.

As a result of this growing convergence of the physical and digital, physical and IT security are becoming increasingly merged in cross-functional teams, with some companies creating security operation centers (SOCs) that deal with both types of security.

“A limited number of businesses that do converge both operations centers,” says Steve Kenny, industry liaison of architecture and engineering at physical security and video surveillance provider Axis Communications. “But at the moment much of the focus is around the convergence of control centers; rather than have several CCTV control centers around the UK they’ll just have one big one to improve operational efficiency.”

Even if the two teams are not merging into one large function, Kenny says it is still important that the two work together and have shared responsibility. “The cyber criminals don’t care what the roles and responsibilities are for an individual, and the different departments can speak completely different languages.”

Having CSOs responsible for both physical and IT security, Kenny says, can bring the different teams together to help raise security across the organization. Given that the EU’s GDPR requirements include physical security, ensuring all teams are aligned and working towards the same goal is essential.

Social engineering and physical security

It’s an old adage that you can get in anywhere wearing a high-vis jacket and carrying a ladder, because people are inherently trusting and want to be helpful. Penetration testers often try to gain on-site access during intrusion simulations by impersonating builders, cleaners, or even IT support workers.

“Our easiest way by far to get in is just walking to a location you see employees going into wearing a suit,” says Kennedy. “I’ll wear a suit to impersonate an executive and walk in behind somebody that is casually dressed because nine times out of 10 they are not going to question who I am because of level of importance. They don’t want to cause any disruptions or challenge somebody that may be of higher authority to them.”

At a branch office of a financial organization, Kennedy was able to gain access just by saying that he was from corporate IT there to update the servers. In another case, a story about fixing a server crash was enough to convince a guard at an electricity company’s office that two men who were wearing black and sneaking around at 3 a.m. were legitimate employees.

Given the major human element involved in such attacks, they can be hard to defend against. The best security technology will fail if your employees allow friendly but unverified people in places they shouldn’t have access to. Employee education and awareness is key to reducing the potential threat of social engineering.

Physical security policies

While the scale and sophistication of your controls and monitoring will vary depending on location and need, there are best practices that can be applied across the board to ensure a robust physical security posture.

Take a risk-based approach and do your research. Map your risk profile and put in appropriate controls. Don’t employ a team of armed guards where a simple card lock with CCTV will do. “A supplier needs to protect themselves in order to protect their customers so supply chain due diligence is a must,” says Kenny. “Who are we working with, what sort of internal processes and policies do they follow, what frameworks do they follow around hardening systems?” Make sure that the people you’re buying technologies from understand the risks and have things in place such as vulnerability management programs and security advisory notifications if something does go wrong.

Make sure access controls are tied to people and customize access. Each ID card or keycode should have a unique person tied to it. Blanket access cards or codes make data leaks more likely and harder to track. If your facility has strict schedules, ensure access is tied to times–for example, no overnight access for caterers.

Have audit trails and keep inventory. Keep logs of not only who accessed what, but also of attempts. Repeated failed attempts to access might signal bad actors. Know who is in possession of all cards, keys and other access items. Revoke access if a card is lost or when employee circumstances change. Claim back keys as soon as possible if someone leaves.
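The two log checks described above, access outside a card's permitted hours and repeated failed attempts, can be run over a badge log as follows. This is an added example, not code from the article; the log format, card IDs, schedule table and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log: timestamp, card id, holder, door, result.
LOG = """\
2021-08-02T12:05:11 C-1001 catering-01 kitchen GRANTED
2021-08-02T23:41:02 C-1001 catering-01 kitchen GRANTED
2021-08-02T23:50:10 C-2002 jsmith server-room DENIED
2021-08-02T23:50:25 C-2002 jsmith server-room DENIED
2021-08-02T23:50:41 C-2002 jsmith server-room DENIED
2021-08-03T09:00:00 C-3003 mlee lobby DENIED
2021-08-03T09:00:30 C-3003 mlee lobby GRANTED
"""

# Assumed policy: permitted hours per card; cards not listed are unrestricted.
SCHEDULE = {"C-1001": (time(6, 0), time(18, 0))}
MAX_DENIED = 3                   # assumed alert threshold
WINDOW = timedelta(minutes=5)    # assumed look-back for counting denials


def parse(log):
    """Yield (timestamp, card, holder, door, result) for each log line."""
    for line in log.splitlines():
        ts, card, holder, door, result = line.split()
        yield datetime.fromisoformat(ts), card, holder, door, result


def audit(log):
    """Return findings in log order as (rule, card, door, timestamp)."""
    findings = []
    denied = defaultdict(list)   # (card, door) -> denial times inside WINDOW
    for ts, card, _holder, door, result in parse(log):
        # Any use of a card outside its schedule is reported, granted or not.
        hours = SCHEDULE.get(card)
        if hours and not (hours[0] <= ts.time() <= hours[1]):
            findings.append(("outside-schedule", card, door, ts.isoformat()))
        if result == "DENIED":
            key = (card, door)
            denied[key] = [t for t in denied[key] if ts - t <= WINDOW] + [ts]
            # Alert once, at the moment the threshold is reached.
            if len(denied[key]) == MAX_DENIED:
                findings.append(("repeated-denied", card, door, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG):
        print(finding)
```

Because every card maps to one holder, each finding points at a person to follow up with, which is the reason the text advises against blanket cards and codes.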

Educate staff to follow protocol for dealing with guests. People are usually friendly and want to help. Teaching employees – including guards – to keep a healthy skepticism, follow proper procedure, and not give out too much information can reduce the chance of your own workers being used against you. Ensure IDs are checked and pre-planned visits are made known, and have processes for dealing with unexpected visitors. Ensure that visitors aren’t left alone in sensitive areas. “Educating your employees is always a good idea to ensure they don’t feel afraid to challenge somebody that is not wearing a badge,” says TrustedSec’s Kennedy. “As is communicating to employees to remove their badge to their pocket when they’re going out of the building [to prevent cloning or copying].”

Test your capabilities and processes. Run simulations; try to gain access to your own facilities. In the same way companies will often send out fake phishing emails as a test of workers’ attention to detail, see if your workers give out information over the phone or let unverified guests in.