Introducing KB CYPHY: Cyber Security for Your Physical Security Network

By David Strickland, Vice President of Kenton Brothers

As you may have read, the time to secure your networks is now. CYPHY is a combination of Cyber and Physical security. CISA (Cybersecurity and Infrastructure Security Agency) and DHS (Department of Homeland Security) have published, distributed, and are now looking to regulate critical infrastructure, critical services, state and local municipalities, manufacturers and healthcare companies to follow the guidelines set out in the recent campaign “Resolve to be Resilient”.

As a part of this campaign, they are asking everyone to follow a very simple three-step plan:

  • Assess Your Risk. Organizations should identify their most critical functions and assets, define dependencies that enable the continuity of these functions, and consider the full range of threats that could undermine functional continuity.
  • Make a Plan and Exercise It. Organizations should perform dedicated resilience planning, determine the maximum downtime acceptable for customers, develop recovery plans to regain functional capabilities within the maximum downtime, and test those plans under real-life conditions to ensure the ability to operate through disruption.
  • Continuously Improve and Adapt. Organizations should be prepared to regularly adapt to changing conditions and threats. This starts with fostering a culture of continuous improvement, based on lessons learned from exercises and real-world incidents, and evolving cross-sector risks.

To counter the ever-evolving threat landscape, security is not merely about physical fortification; it extends into the digital realm, demanding a comprehensive solution. At Kenton Brothers Systems for Security, we understand the significance of safeguarding both your tangible assets and your digital infrastructure. With our proven reputation in the security industry, we bring you a holistic approach: cutting-edge physical security systems that are properly protected from cyber-attacks.

KB CYPHY

We are excited to introduce the new KB CYPHY service to lower risk and increase the hardening of your physical security networks.

As with all our projects we begin with assessing the current state of your physical security network. Once we determine where we will need to concentrate our efforts, our certified engineers put together a plan to bring your level of cyber security up to a satisfactory level. Once the plan is agreed on in collaboration with your IT department, we begin the process.

Here are a few of the steps we take to raise your CYPHY security level.

Network Security:

Collaboration is key. During the installation process, we work closely with your IT team to implement measures such as locking switch ports, MAC address reservation, and the enforcement of unprivileged accounts for routine system use.

Password Protection:

In the digital age, password security is paramount. KB CYPHY employs a stringent password policy, ensuring that each password is a unique combination of at least 13 characters, including lower and upper-case letters, numerals, and special characters as a minimum.
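The policy above can be checked mechanically. The following is an added example, not Kenton Brothers' own tooling: it generates a compliant random password and audits a device inventory for policy violations and reuse. The special-character set, the 20-character default and the inventory entries are assumptions constructed for illustration.

```python
import secrets
import string

MIN_LENGTH = 13
SPECIALS = "!@#$%^&*()-_=+[]{}"  # assumed set; the page does not list one

# One predicate per character class the policy requires.
CHECKS = {
    "lowercase letter": str.islower,
    "uppercase letter": str.isupper,
    "numeral": str.isdigit,
    "special character": lambda c: not c.isalnum() and not c.isspace(),
}

def policy_violations(password):
    """Return the reasons a password fails the policy (empty list if compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 13 characters")
    for name, check in CHECKS.items():
        if not any(check(c) for c in password):
            problems.append("no " + name)
    return problems

def generate_password(length=20):
    """Draw from the OS CSPRNG and reject non-compliant candidates.

    Rejection sampling keeps every compliant password equally likely,
    unlike forcing one character of each class into fixed positions.
    """
    if length < MIN_LENGTH:
        raise ValueError("policy requires at least 13 characters")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate

def audit_inventory(inventory):
    """Map device -> problems, covering policy failures and cross-device reuse."""
    users = {}
    for device, password in inventory.items():
        users.setdefault(password, []).append(device)
    report = {}
    for device, password in inventory.items():
        problems = policy_violations(password)
        others = sorted(d for d in users[password] if d != device)
        if others:
            problems.append("password reused on " + ", ".join(others))
        if problems:
            report[device] = problems
    return report

# Constructed inventory; in practice these values would come from a password vault.
SAMPLE_INVENTORY = {
    "cam-lobby": "Camera2024!",               # only 11 characters
    "cam-dock": "Tr4vel-Lantern-Quartz",      # compliant but shared
    "door-ctrl-1": "Tr4vel-Lantern-Quartz",
    "nvr-1": generate_password(),
}

if __name__ == "__main__":
    for device, problems in audit_inventory(SAMPLE_INVENTORY).items():
        print(device, "->", "; ".join(problems))
```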

Manufacturers Hardening Guides:

Following manufacturers’ hardening guides is a fundamental aspect of our security strategy. KB CYPHY is meticulously configured to minimize vulnerabilities, providing you with a robust defense against potential threats.

Firewall Configuration:

Our pre-configured firewalls adhere to the guidelines specified in the hardening guide. By carefully managing open ports, we reduce the surface area for potential cyber threats, enhancing the overall security of your digital infrastructure.

DMZ Implementation:

Strategic placement of internet-facing servers in a Demilitarized Zone (DMZ), combined with IP filtering for local IPs only, segregates them from your internal network. This additional layer of defense, facilitated by the CYPHY system, protects against external threats.

Quarterly Security Measures:

Security is an ongoing process and must continuously improve and adapt.  Our proactive approach, facilitated by KB CYPHY, includes monitoring Common Vulnerabilities and Exposures (CVEs) and implementing necessary updates quarterly. This ensures that your security infrastructure remains resilient and up-to-date.  These services include:

– Device firmware upgrade
– Hotfix/patch for security VMS/AC software
– Verify Encryption
– Apply OS Patches

Device and Software Maintenance:

Regular maintenance is crucial. Our quarterly routine, facilitated by the CYPHY system, includes firmware upgrades and security patches, with a focus on hotfixes for potential vulnerabilities in our Video Management Systems (VMS) and Access Control (AC) software. Where possible, encryption is enabled to protect data in transit.

Camera Security:

Our camera systems go beyond basic surveillance. Regular port scans, facilitated by the KB CYPHY team, disable unnecessary services and ports (Telnet, FTP, HTTP, SMTP, SSH, Bonjour), minimizing potential attack vectors. Edge storage is encrypted, and unused SD cards are disabled for a comprehensive approach to camera security.
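One way to turn the port-scan step above into a repeatable compliance check, as an added example rather than the KB CYPHY team's tooling: it reads scan results and reports which cameras still expose a service from the list above. The use of nmap's grepable (`-oG`) output, the default port numbers and the sample hosts are assumptions; the scan text is constructed.

```python
import re

# Services the text says to disable, keyed by their default (port, protocol).
DISALLOWED = {
    (21, "tcp"): "FTP",
    (22, "tcp"): "SSH",
    (23, "tcp"): "Telnet",
    (25, "tcp"): "SMTP",
    (80, "tcp"): "HTTP",
    (5353, "udp"): "Bonjour (mDNS)",
}

# Constructed sample in nmap grepable format; fields are tab-separated.
SAMPLE_SCAN = """\
# constructed sample scan of a camera VLAN
Host: 192.0.2.21 (cam-lobby)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 554/open/tcp//rtsp///
Host: 192.0.2.22 (cam-dock)\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///, 5353/open|filtered/udp//zeroconf///
Host: 192.0.2.23 (cam-yard)\tPorts: 443/open/tcp//https///, 554/open/tcp//rtsp///\tIgnored State: filtered (998)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")

def audit_scan(text):
    """Return {host: [(service, port, proto, state), ...]}; an empty list means clean."""
    results = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comments and blank lines
        ports_field = next(
            (f for f in line.split("\t") if f.startswith("Ports:")), None
        )
        if ports_field is None:
            continue  # e.g. "Status: Up" lines carry no port data
        findings = results.setdefault(match.group(1), [])
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            service = DISALLOWED.get((port, proto))
            # "open|filtered" (common for UDP) is kept so it gets verified by hand.
            if service and state.startswith("open"):
                findings.append((service, port, proto, state))
    return results

if __name__ == "__main__":
    for host, findings in audit_scan(SAMPLE_SCAN).items():
        if findings:
            for service, port, proto, state in findings:
                print(f"{host}: {service} on {port}/{proto} is {state}")
        else:
            print(f"{host}: no disallowed services found")
```

The check matches on default ports only, so a service moved to a non-standard port still needs the device's own configuration page or the manufacturer's hardening guide to confirm it is off.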

By choosing Kenton Brothers Inc Systems for Security and our advanced CYPHY system, you’re not just investing in physical security; you’re securing the future of your business. Our holistic solution ensures that both your tangible assets and digital infrastructure are fortified against the evolving threats of the modern world. We invite you to explore how KB CYPHY, coupled with robust cybersecurity measures, can be tailored to meet your unique needs.

Subscription Based

KB CYPHY is available now and is an annual subscription based on the size of your system. Kenton Brothers Systems for Security will offer this on every installation, and it will be a standard minimum moving forward.

It’s time to throw the gauntlet down on open, unsecure networks. Please give us a call if you would like to talk about this offering and how it could help your organization.

Introducing the Kenton Brothers CyPhy Security Plan

By Neal Bellamy, IT Director at Kenton Brothers

Lately we’ve been talking a lot about Cyber Security. As with all types of commercial security, Cyber Security is best implemented as layered defense. In other words, a single key or credential won’t gain access to the entire kingdom. Also, like Physical Security, even a small oversight can become the launch point for a larger attack.

For years, Kenton Brothers has been doing our part to help maintain security on your physical security devices. We use unique, randomly generated passwords for all of your devices. We make sure the firmware is updated at the time of install and implement other industry standard security best practices. While it’s a good start, there were still some gaps. So we are taking it to the next level.

The Kenton Brothers CyPhy Security Plan

Kenton Brothers is introducing our CyPhy Security Plan. Security is not a “set it and forget it” proposition. The security landscape, both Cyber and Physical, is always changing. It must be evaluated and re-evaluated to make sure the greatest number of holes are closed. With the CyPhy Security Plan we will still make sure your physical security systems are set up with the latest software, unique passwords, etc.

With this new program, we will follow the security hardening guides from all manufacturers, lock down all switch ports and ensure firewalls are set up and configured properly. After the initial installation is complete, we will be involved ongoing. We will monitor new releases from the manufacturer and alert you to any critical security related issues for your system. Furthermore, if you have the manufacturer’s software upgrade plan in place, we will remotely upgrade your systems and firmware every 6 months.

Where applicable, the CyPhy Security Plan includes:

• Using unique and randomly generated passwords for each purpose and user
• Upgrading firmware to the latest supported version
• Setting the server firewall to only allow authorized communications
• Locking switch ports to allow only authorized devices
• Monitoring manufacturer’s software for critical security alerts
• Enforcing encrypted communication wherever possible
• Disabling services, applications and ports not being used on devices
• Using unprivileged accounts for normal system usage
• Enforcing encrypted edge storage
• Filtering communication to local IP addresses only
• Disabling SD card slots not being used
• Following hardening guides from all installed manufacturers

We want the CyPhy Security Plan to dovetail into your existing cyber security plan.

If you have other cyber security initiatives already installed, like MFA, managed firewall, managed global service accounts, VPNs etc., we will help you integrate those into the physical security devices, networks and servers. We will also make suggestions to improve the security and operations of your systems. For example, deploying internet facing servers in the DMZ or connecting the security systems to Active Directory for ease of user management.

If you don’t have a cyber security plan in place, you can rest assured that the physical security devices will be protected and can even use our commercial security best practices to increase the security for your other systems.

Of course, there is no un-pickable/un-hackable lock, and there will never be a perfect defense for cyber attacks. Setting up a layered defense will significantly decrease the chances of a successful cyber attack on your network. The CyPhy Security Plan is our commitment to protect you whether the attack comes to your front door, or from the internet.

To learn more about our CyPhy Security Plan, please give us a call and we will discuss your current setup as well as the benefits of ramping up your security efforts.

Cyber Security is Complex: Don’t Bury Your Head in the Sand

By Neal Bellamy, IT Director at Kenton Brothers

In the physical security world, we tend to think about security as locks, keys, access control, and maybe cameras. If you are an IT person, you might think security is more about firewalls, usernames, passwords, and encryption. Physical security people and IT security people really have the same goal: Protect the Business. Physical security teams and IT Security teams generally operate in different bubbles, but I think it’s time for another convergence.

Cybercrime has a cost, and when it happens, the cost is often high. In 2021, Ransomware alone cost an estimated 620+ million. While Ransomware is probably one of most everyone’s top concerns, there are other ways to make money from your data. Exporting your data or your customer’s data or denying access to your data could also have major impacts to your business.

The capabilities of computers continue to skyrocket.

Anyone in the computer field knows “Moore’s Law”. While not actually a law of physics, it was more of an observed phenomenon. The idea is that the speed of a computer doubles every two years. This idea is bigger than I’ve given it credit for. You can see the phenomenon in more than just microchips. Since the beginning of programming, we’ve built software tools (by writing code) to make new coding efforts faster. Since the processing power of computers doubles every two years, software has access to more and more resources. Software’s capabilities continue to grow at an astounding rate. Machine learning, Deep learning, and AI are all outcomes of this growth. It’s terrifying and inspiring at the same time.

Here’s why software matters.

Once upon a time, a computer programmer made a program that could do something malicious. It might take that programmer months to code and tweak, then it would be released to the world. Sometimes it would make a big splash. Even if it was a major threat, anti-virus companies would find a way to identify it and stop it in a matter of days. Now, we have programs that make programs. Coding a virus can be done in minutes, but viruses are old hat.

What happens if we release an AI to attack a company? It could find the open ports, discover what software is behind those ports, look up vulnerabilities, and then try to exploit the vulnerabilities in seconds. Once an attacker is in, the game is over. It’s only going to get scarier from here.

What can you do?

First, take it seriously. As someone trying to protect your business, you should have several plans. A defense plan is important, but so are recovery plans. The basics still apply. Protect your perimeter, have at least two sets of backups, and use strong passwords (preferably with Multi-Factor Authentication). Anti-Virus alone is no longer good enough. You need to implement Endpoint detection and response (EDR / XDR / MDR) of some type.

How can Kenton Brothers Help?

While we can’t protect all of your networks (we have partners that do), we will do our part while we are on your network. We make sure that software and firmware are up to date when we install equipment, we use strong, randomly generated passwords for your security systems. This is standard in all of our implementations. If your IT company has further security, we will work side-by-side to complement it. Even though we are a physical security company, we understand and value IT security.

If you need help in the physical security world, we are always here to help. But if you need help in the cyber security world, I am also here to help. I have done a deep dive into the cyber world for the last six months and would be happy to share my knowledge. I’m certainly not an expert, but I can share my experiences trying to make KB more secure. I’ve also met some great people and companies along the way that would love to help you with your cyber security efforts. Just give us a call.

Why Physical Security has to be part of the convergence discussion of OT/ICS security.

By David Strickland, Vice President of Kenton Brothers

There is a real buzz in the security world right now around securing Operational Technology (OT) and Industrial Control Systems (ICS). This buzz comes from two sources: companies and organizations that are being attacked through cyber security and physical attacks, and government agencies trying to get information broadcast to counter these threats. Threat levels have been increasing over the last few years and the cost of these attacks has risen to devastating levels.

According to CISA, in the first half of 2022 there were at least 22 reported large impact attacks on critical infrastructure leading to billions of dollars in losses. As the second half of 2022 numbers are being compiled, the sense of urgency to shore up the vulnerabilities is at an all time high.

How is OT security different than IT Cybersecurity?

IT – Information technology is just that. It is the transfer of data or information through physical appliances such as routers, switches and servers. Security for this technology centers around the prevention, detection and mitigation of attacks from software.

OT or Operational Technology is the manipulation of real world physical devices such as pumps, valves and controls through software or human interaction. These are called Industrial Control Systems. In contrast to IT cybersecurity attacks, the outcomes of successful OT / ICS attacks include the potential to impact human safety and damage physical equipment. For example, an attack could take an industrial process’s OT / ICS equipment offline for extended time periods. This can be done through software or physical attacks known as sabotage.

Many organizations point to the Purdue Model for protecting OT and ICS. 

The Purdue model, created in the 1990s, is a comprehensive look at protecting ICS and has been the standard for many years. The Purdue Model has five zones that are considered when creating a robust security model. Yes, this model is the current standard, but in our opinion it does not adequately address physical security.

Cybersecurity of IT, IIT (Industrial IT) and OT systems is still a very high priority.

A recent comprehensive report provided by the Department of Homeland Security (DHS) pointed out a few concerns. “Many organizations lack visibility into their complete OT environments, including IT/OT interconnections and supply chain dependencies. Cybersecurity is overwhelming for organizations and entities with small staffs and budgets. As a result, many are not able to achieve the cybersecurity posture required to adequately secure their IT/OT infrastructure. The majority of legacy OT equipment was never designed for internet connectivity, and may not easily be replaced, making it increasingly challenging to secure in converged environments.”

We must not make the mistake of ignoring the real probability of physical attacks on these same organizations that are overwhelmed with cybersecurity.

“A top priority must be to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. Essentially a key aspect of this standard is to implement effective access control and protection of systems and equipment from damage.”

Physical Security for the OT Starts here:

Policies and Procedures:

It’s a well-known fact that most breaches (95%+) are a failure of procedure or policy over systems. A good red team will tell you that their most effective weapon for entry is a poorly trained or poorly disciplined employee. Policies and procedures must be created, trained, followed and tested constantly.

Establishing your perimeter:

As with most things involving physical security, you must start with a strong perimeter. This perimeter must be extended as far as physically possible. Access should be granted to only authorized personnel that have been through proper background checks and assigned clearance based on their job function. The perimeter is your best chance at early detection, reaction and mitigation.

Access Control:

Only authorized personnel with the proper clearance and certifications should ever be allowed access to your OT systems. These authorized personnel should constantly be vetted. Many organizations don’t remove terminated employees from this list quickly. No visitors or vendors should ever be allowed access without proper vetting and escort. Your access control systems should be set up in concentric circles with stronger policy the closer you get to critical infrastructure. All access control devices should be kept in proper working order and updated with proper firmware and cyber security practices.

Alarms:

Too many times we see organizations practice poor alarm management. Alarms in any form (Fire, Access Control, Intrusion Detection, Car) should never be ignored yet many times are. OT devices are vulnerable to physical attack and to things like flooding, fire and electrical damage. A system alarm can help bring immediate attention if properly managed.

Surveillance:

Who inspects the inspector? Your IP video surveillance system. It keeps honest people honest and identifies those who are not. Critical infrastructure devices should have surveillance on the device itself and the human interaction point. This of course is on top of all perimeter entrance areas and key points throughout your property.

Knowledge and Cooperation:

The United States can leverage an existing body of knowledge to secure OT infrastructure. Prioritizing and applying these best practices, recommendations, and standards more broadly, in a comprehensive and accelerated manner, would strengthen security and achieve strategic outcomes.

Kenton Brothers Systems for Security stands by to do our part. Please let us know how we can help your organization.

Everything is Sunny in the Cloud… Maybe Even Sunnier When the Robots Take Over?

By Neal Bellamy, IT Director at Kenton Brothers

Cloud-based physical access control systems offer several advantages over on-premise access control servers.

Here are a few key reasons why this is true:

1. Scalability: Cloud-based systems can easily scale to accommodate a growing number of users and devices, without the need for expensive hardware upgrades. This makes them a cost-effective solution for businesses that are expanding or experiencing high levels of turnover.
2. Remote Management: Cloud-based systems can be managed remotely, allowing administrators to manage access control from anywhere with an internet connection. This is especially useful for businesses with multiple locations or employees who travel frequently.
3. Increased Security: Cloud-based systems are often more secure than on-premise systems because they are managed by experts who specialize in security. They also benefit from automatic software updates and backups, which can help protect against data breaches and other security threats.
4. Cost-Effective: Cloud-based systems generally require a lower upfront investment than on-premise systems, as they do not require expensive hardware or software. Additionally, they eliminate the need for costly IT staff to manage and maintain the system.
5. Flexibility: Cloud-based systems can integrate with a wide range of devices and platforms, making them more flexible than on-premise systems. This allows businesses to easily add new features and functionality as their needs evolve.

It might surprise you that the content above was written by Artificial Intelligence (AI).

It’s certainly not the best blog I’ve ever written, but it might not be the worst either. It’s factual, it is the top 5 reasons IT companies go to the cloud, and it has no grammatical errors. The coolest part about this content is that I asked only a single question to the AI… “Can you write a blog post on why cloud based physical access control is better than on premise access control server?”

As you can see from the question, I didn’t give much information. Yet the AI had gathered enough information to create five bullet points, use a beginning and ending paragraph and come up with valid statements. This particular AI is not specifically programmed to write blog content. It can also tell you about world events, write a Haiku in the voice of Captain Kirk, and solve math problems.

“Galaxy vast and wide
Stars that shine so bright and bold
Adventure calls forth.”

From a technological point of view, this is groundbreaking.

Computers have started to “think” for themselves. AI has been around for several years, but until now the “thinking” has been mainly contained to “What color is this object?” or “What fruit is in this video?” This is the first example I’ve seen where an artificial intelligence can take a subject and formulate a response on almost any topic based on its trained knowledge.

I can see AI launching into the commercial security world in an impactful way. While everything is “AI” right now, there is a major difference between telling a program what to look for to determine an outcome versus letting a program learn and make decisions based on past learning. I can certainly see a future where we don’t have to monitor commercial security systems for every single alert. Instead, an AI will monitor the incoming data and alert us when there is an anomaly. And we can define the rules that define an anomaly. I can see where an AI will alert us intelligently. Not that a person is in the parking lot. But the fact that there is a person in the parking lot, they have a saw, and they just disappeared under a car.

It will be interesting to see where this new AI charge leads us. I will certainly be paying attention to how AI can keep us safer while making it easier to manage commercial security systems.

If you need help designing and implementing a commercial security system to protect your people, property and possessions, please give us a call.