Was your physical security system designed, by default, to be cyber secure? That is a question we all need to ask as we evaluate security for an IoT world.
The greatest cyber threats to physical security systems are problems with management software and insecure communications between controllers and locks. The imperative we now face is making physical security infrastructure management easier and more cost-effective while fulfilling cybersecurity standards.
Your Network Evolved to Be Interconnected, But Not in a Cyber Secure Way
As with industrial control systems, many physical security infrastructures are designed and implemented without considering cybersecurity. Networks and communications protocols for remote control and management assumed closed, non-public networks. However, these networks evolved over time to be interconnected with open, public networks, either intentionally for easier management or incidentally through attempts to share resources across networks.
Brivo recognizes that delivering a secure platform is vital for customers to best realize their investments in physical security with assets that always work as intended and when needed. We see best practice as validating cybersecurity in three key areas: how we build products, deploy and support applications, and manage our business.
How We Build Products
It becomes difficult to manage your level of cybersecurity as locks, cameras, and other physical security devices commonly come from multiple vendors with varying attention to cybersecurity. One of the primary tenets of cybersecurity is to not trust input from other systems. At Brivo, we design our systems with cybersecurity as an explicit component.
We assume that networks used to communicate with controllers and management systems may be public, untrusted networks. As such, we use:
- Techniques such as mutual client-server authentication and the strongest available encryption for communications protocols
- Anomaly detection and monitoring to locate and terminate unexpected communications or processes
- Client-server TLS certificates to protect the content of communications between devices and provide mutual authentication between devices and servers. This means an unauthorized device or hostile server will not be able to negotiate a network connection to a device, much less change its operation or status
How We Deploy Applications
Cybersecurity is an explicit acceptance criterion for our systems – meaning we see it as an integral part of what we do, not just a box to check. We design, architect and code our applications for cybersecurity from the start.
We test for cybersecurity throughout the development lifecycle. This includes:
- Using automated code analysis tools on software prior to deployment
- Continual scanning of deployed and upcoming software/systems for potential cybersecurity issues
- Manual code and design reviews with developers and security experts
Brivo has frequent software deployments to provide new features and functionality to our customers. As availability is a major concern, Brivo also uses multiple physical and logical networks to ensure availability even in the case of region-wide disruptions, such as hurricanes or other natural or man-made disasters.
How We Manage Our Business
As the old adage goes, a chain is only as strong as the weakest link. Therefore, Brivo keeps cybersecurity in mind with our personnel and internal business processes.
This means we:
- Invest in technical and security training for our internal developers, testers and other personnel
- Use the principle of least privilege to minimize the impact a rogue actor might cause – Personnel can only access systems and data they have a demonstrable business need to access (and that access is still monitored)
- Use third-party audits and assessments of our software, devices, servers and business processes to validate that we meet industry standards as well as legal and other compliance drivers
Our focus on cybersecurity means we follow or exceed industry standards and best practices.
Brivo Continually Improves the Cybersecurity of Our Platforms and Our Customers’ Devices
We realize the trust placed in us by our customers to protect the physical assets they hold dearest is a great honor and responsibility. Doors are locked for a reason; lockdowns aren’t performed for fun. We are committed to providing safe, secure environments to allow our customers to thrive. And we also have the same concerns as you – that our systems protect our physical security too.