If you work in physical security, the recent high-profile cyberattacks targeting U.S. water infrastructure should serve as a wake-up call. 

Since a cyberattack struck a Pennsylvania water utility in November 2023, similar attacks have affected multiple water facilities in the United States, raising significant alarm bells. The series of attacks has continued into 2024, striking facilities across the U.S. In addition, hackers linked to China have targeted U.S. water facilities. 

In light of those incidents, a recent letter from the federal government to state governors sheds light on what’s at stake and how to protect water facilities from threat actors. As that letter makes clear, U.S. water infrastructure has a long way to go in terms of addressing the cybersecurity risks it faces. 

That’s all very alarming — but what does it have to do with physical security? 

A lot.

In many of these cases, the hackers gained access via IoT devices that were inadequately protected. Physical security teams today rely on connected devices too – from cameras to access control systems, alarm systems and more. And in most organizations, those physical security devices are just as wide-open to cyber attackers, due to a lack of adequate device management. Given physical security teams’ dependence on IoT devices, it’s critical to learn from these attacks and protect physical security devices from similar threats.

The problem of weak and unchanged passwords

Highlighting how a lack of adequate device management left at least some of the targeted water facilities vulnerable to hackers, it has been reported that some of the affected devices used the password “1111.” Notably, a reliance on weak and unchanged passwords is also a common problem among physical security devices. 

It’s not hard to see why using a weak default password on sensitive devices connected to the internet is a risky move. But today’s professionals are well aware of that risk. So, if the risk is so widely known, why is it still so common for devices to use passwords that can be easily guessed? 

The reality is that the amount of work involved in managing passwords is simply too massive for many organizations to handle. It involves knowing which devices need to have their passwords rotated at any given time, manually rotating each relevant device’s password, then searching for and updating those devices in the relevant management systems accordingly. 

Given the scale of many organizations’ fleets of physical security devices, the amount of work involved in performing all of those steps manually can quickly become too time-consuming and overwhelming to be feasible. Adding to the challenge, those devices are often deployed across large areas, and sometimes distributed across multiple sites. 

In addition, the variety of those physical security devices – different device types and models, made by different manufacturers, installed at different times and running different firmware versions – further contributes to the complexity of this challenge. Taken together, those factors can make it seemingly impossible for many organizations to properly manage passwords across their entire fleets of physical security devices. 

And weak passwords are just the tip of the iceberg…

As important as it is to rotate physical security devices’ passwords in line with best practices, sufficiently protecting them from the cyber threats they face also requires additional steps. 

It’s critically important to upgrade firmware as necessary, since firmware upgrades sometimes include patches to address cyber vulnerabilities. But organizations often come up short in this regard. In fact, Genetec has estimated that nearly 40% of security cameras are vulnerable to hackers due to their use of outdated firmware. 

And not all connected physical security devices can even receive firmware upgrades. Devices that have passed their end of life or end of service can pose a serious risk, because their lack of firmware upgrades can make them an easy target for hackers. 

Meanwhile, many organizations lack even a basic inventory of all of their physical security devices, let alone the details they need in order to ensure those devices aren’t vulnerable to cybercriminals. That largely leaves those organizations flying blind when it comes to managing their physical security devices. 

Not only does this lack of visibility hinder the ability of many organizations to harden and maintain their physical security devices properly, but it can also prevent them from detecting anomalies that could indicate that a device has been compromised or is being targeted. And given how high the stakes are when it comes to security, organizations have good reason to worry that their lack of real-time insight into the health and status of their physical security devices could put them at serious risk.

Could your organization’s physical security devices be vulnerable to hackers and cybercriminals, and how can you stay safe? For a detailed breakdown of your devices and their critical vulnerabilities, get a free system evaluation report from SecuriThings.