Using Security to Support your COVIDsafe Plan

As part of the government’s three-step framework to return from lockdown, workplaces and premises are required to develop a COVIDsafe plan.

A COVIDsafe plan is a risk assessment with respect to COVID-19 which identifies what could happen if someone is exposed to a hazard, in this case, COVID-19, and the likelihood of it occurring.

The exposure of your workers and/or customers/clients to COVID-19 is a foreseeable risk that must be assessed and managed in the context of your operating environment.[1]

Should you have a COVID-19 outbreak at your premises, you may need to demonstrate that you have taken adequate steps to protect their health and safety.

Assessing and managing risk is a core function that the security industry provides, and an area in which it has developed extensive skills and capabilities. As such, there is a great deal of value that the security industry can offer to organisations as they return to their places of business.

In the first instance, security specialists and consultants may be able to assist you in identifying and assessing the risks that are associated with your place of business as well as the development of plans to manage these risks to a tolerable level.

In addition to assisting in the development of your COVIDsafe plan, there may be opportunities to utilise your security technology to support this plan.

Many places of business have security technology in place that may be able to assist in managing your COVID-19 risk either through modified usage or with some modifications. In this article, we take a look at some of the ways in which this can be achieved.

Occupancy Management

As we progress through the phases of the Three Step Framework for a COVIDsafe Australia, different thresholds for people in an area will need to be enforced.

While we’re in phase 1, limiting occupancy to ten people is a relatively straightforward task. As this increases to twenty, then one hundred people, it becomes more challenging.

For spaces with controlled entries and exits such as offices, it may be possible to use your electronic access control system (EACS) to enforce these limits. To do so, you will require an EACS that supports occupancy management, then implement a strict badge-in, badge-out policy so that every entry and exit is recorded.

For moderate sized spaces such as retail stores with a limited number of entries, you may be able to utilise your people counting systems, or your CCTV system to provide a count of the number of people entering and exiting the premises.

For larger spaces such as shopping centres and clubs, you may need to manage both the total number of people on site as well as ensuring that crowding does not occur in the various spaces. Whilst more complex, this can be achieved using a combination of technologies such as people counters to measure the total occupancy, as well as video analytics for crowd counting.

Contact Tracing

Should a person who tests positive to COVID be determined to have been in your premises, you will most likely need to determine who else was on site at that time. The more accurately you can record this, the less of your workforce that is likely to be impacted.

By implementing strict access control policies, you can achieve an accurate log of who was in a space at the time that the COVID positive person was in that space.
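
The occupancy and contact tracing uses of an access control log described above can be sketched as follows. This is an added example, not code from any particular EACS product: the log format, names, the 15 minute overlap threshold and the close-of-day assumption for missing badge-outs are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed badge log (not real data): timestamp, holder, zone, direction.
SAMPLE_LOG = """\
2020-06-01T08:55,alice,office,IN
2020-06-01T09:05,bob,office,IN
2020-06-01T09:30,carol,office,IN
2020-06-01T10:00,bob,office,OUT
2020-06-01T10:15,dave,office,IN
2020-06-01T12:00,alice,office,OUT
2020-06-01T12:50,erin,office,IN
2020-06-01T13:00,carol,office,OUT
2020-06-01T17:00,erin,office,OUT
"""

def parse_events(text):
    """Return (time, person, zone, direction) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, person, zone, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), person, zone, direction))
    return sorted(events)

def occupancy_breaches(events, zone, limit):
    """Entries that pushed the recorded head count in `zone` above `limit`."""
    inside, breaches = set(), []
    for ts, person, z, direction in events:
        if z != zone:
            continue
        if direction == "IN":
            inside.add(person)
            if len(inside) > limit:
                breaches.append((ts, person, len(inside)))
        else:
            inside.discard(person)
    return breaches

def build_visits(events):
    """Pair IN/OUT events into (person, zone, start, end); end is None if open."""
    inside, visits, anomalies = {}, [], []
    for ts, person, zone, direction in events:
        key = (person, zone)
        if direction == "IN" and key not in inside:
            inside[key] = ts
        elif direction == "OUT" and key in inside:
            visits.append((person, zone, inside.pop(key), ts))
        else:
            anomalies.append(f"{person}: unmatched {direction} at {ts:%H:%M}")
    for (person, zone), start in inside.items():
        visits.append((person, zone, start, None))
        anomalies.append(f"{person}: no OUT recorded for {zone}")
    return visits, anomalies

def contacts(visits, index_person, close_of_day, min_overlap=timedelta(minutes=15)):
    """Map each contact to (overlap with index_person, uncertain flag).
    Open visits are assumed to run to close_of_day and are flagged uncertain."""
    spans = [(p, z, s, e or close_of_day, e is None) for p, z, s, e in visits]
    index_spans = [v for v in spans if v[0] == index_person]
    found = {}
    for person, zone, start, end, is_open in spans:
        if person == index_person:
            continue
        for _, i_zone, i_start, i_end, i_open in index_spans:
            overlap = min(end, i_end) - max(start, i_start)
            if zone == i_zone and overlap >= min_overlap:
                total, flag = found.get(person, (timedelta(0), False))
                found[person] = (total + overlap, flag or is_open or i_open)
    return found
```

In the sample, dave never badges out, so he inflates the head count for the rest of the day and can only be listed as an uncertain contact, which is why the badge-out half of the policy matters as much as the badge-in.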

Visitor Management

Depending on the nature of your premises, a visitor management system provides a powerful tool to assist in contact tracing.

Many visitor management systems allow for the inclusion of additional information fields – these can be used to ask the basic COVID risk questions such as recent travel, fever, contact with a known COVID case etc.

You may also wish to have all visitors pre-register and take measures to both reduce the total number of visitors and ensure that the total expected number of visitors and staff are not going to exceed occupancy limits.

Automation

Items that are handled by many people such as doors and exit buttons are potential transmission sources for COVID-19. Depending on the layout of your site, you may be able to utilise technologies such as Facial Recognition, License Plate Recognition, or touch free exit sensors to reduce the number of surfaces that a user needs to interact with.

Thermal Cameras

There has recently been a good deal of discourse about using thermal CCTV Cameras for fever detection. Whilst there may be a few edge cases where the use of any thermal camera will assist in reducing COVID risk, infected people are contagious for up to five days before they display symptoms such as a fever and a large number of cases are asymptomatic, so none of these will be detected by a thermal camera.

If you have an environment in which you need to screen large numbers of people and your risk assessment has shown that fever detection is a required control, then you should probably invest in a medical grade camera as these offer the required accuracy.


Of course none of these controls reduce the requirement to ensure that good hygiene practices are observed such as hand washing or sanitisation, distancing, and ensuring adequate separation between staff.

There are also a lot of process related actions an organisation can take to reduce their COVID risk as discussed in our previous article.


If you would like assistance developing your COVIDsafe plan get in touch with us today.


Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings, and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC

You can follow him at https://au.linkedin.com/in/simonpollak


[1] https://www.safeworkaustralia.gov.au/covid-19-information-workplaces/industry-information/general-industry-information/risk-assessment?


Structuring for resilience as we emerge from COVID Lockdown

We’ve all seen the impact that COVID has been having on individuals and organisations around the globe, and as Australia starts to emerge from lockdown, now is the time for organisations to put measures in place to improve their resilience.

All predictions are that as lockdown eases, there will be an increase in case rates; and that there will be spot outbreaks as we’ve already observed to be the case with McDonald’s closing 12 Victorian outlets after they were all visited by an external truck driver who tested positive for COVID-19.

For most organisations, there are steps that you can take now to improve your resilience and reduce the impact if one of your team contracts COVID or comes into contact with someone who tests positive.

Team Structuring

Depending on the nature of your workforce, you should consider how teams can be structured to reduce the number of close contacts that each person has. In this way, if one of your staff members returns a positive result, the smallest possible number of people will need to be isolated.

Is there a way that you can break your workforce into small teams that never work in the same space or come into face to face contact with each other?

If you run a service or trades business, can you have fixed teams that never work on the same sites? If you run a manufacturing or sales business, can you change rosters to reduce contact between staff members?

Remote working

Many businesses have been successful in transitioning to a remote working model. If you have been able to manage such a transition, you may want to continue this as much as possible. This could be done by having parts of the team come into the office on different days, or by keeping part of your workforce completely remote.

Social Distancing & Hygiene

Pretty much every adult is now well aware of how to maintain social distancing and good hygiene, but as we start to transition back to business, it is going to be easy to slip back into old habits.

Workplaces should consider what they can do to reinforce good social distancing habits. Some examples of this could include:

  • Reducing face to face meetings
  • Signage around the office areas
  • Cancelling or modifying staff drinks
  • Reconfiguring lunch rooms
  • Ensuring adequate handwashing and hygiene facilities

Space management

After more than a decade of increases in the prevalence of open plan offices, we’re now in a position where many offices no longer provide the necessary social distancing for safe work in a post-COVID world.

Cushman & Wakefield’s Safe Six – Workplace Readiness Essentials provides some excellent guidance on how to prepare workspaces for bringing workers back with the steps being:

  1. Prepare the Building
  2. Prepare the Workforce
  3. Control Access
  4. Create a Social Distancing Plan
  5. Reduce Touch Points & Increase Cleaning
  6. Communicate for Confidence

Contact Management

One of the key controls as we emerge from lockdown is having robust contact management and tracing systems in place.

Depending on the nature of your business, can you reduce the number of visitors to your premises, or can you keep a record of all staff and visitors on site on any given day?

Make Use of Technology

Many businesses have technologies in place that can be used to assist in reducing the risk of COVID transmission. This can include people counting systems to manage the number of people in a space at any time, using access control systems to limit numbers and maintain a log of who’s been in a space, and visitor management systems to track visitors to a premises.

The good news is that we will get through this.

It will take some time, and there will no doubt be spot outbreaks and other challenges along the way.

The more organisations can do to ensure that their employees, customers, and visitors are kept safe, the more likely they are to get through this in the best possible position.



Everyone loves shiny new toys

Back when they were commonplace, I recall going into my local bait and tackle store and seeing a display of fishing lures on the counter touting some super power or other that would almost guarantee you’d catch more fish. I asked Steve, the shop owner who I’d known for some years, his opinion, and his reply has remained with me ever since.

“You know what Simon, some lures are designed to catch fish, others are designed to catch fishermen. This one is designed to catch fishermen.”

This advice has served me well in the many intervening years, across many different sets of products. 

In the last few years, with cyber security becoming a concern at all levels of business, I am observing far too many decision makers failing to fully consider whether their security expenditure is the most suitable for their organisation.

There are a number of broad questions that should be asked with any security investment, cyber or otherwise, that will assist in evaluating any expenditure. 

What problem does it solve or what risk does it mitigate for my organisation? 

In the physical security world, we’d find it laughable to deploy a team of Gurkhas, SEALs, and SAS soldiers to stop kids sneaking alcohol into a party. Same principle in cyber security – just because a product solves a problem, is it a problem that you need to solve? If you’re not a target for state sponsored hackers, then maybe an APT detection product isn’t the best solution for you.

Across the spectrum of risks that my organisation faces, does this address a high priority risk or a low priority risk?

Similar to the previous question: is this the best, or at least a good, use of my organisation’s resources? Start with the basics. Ensure you have systems and processes in place for patching, identity and access management, encryption, data classification, perimeter security etc. If you have internet connected devices with default credentials or known vulnerabilities, then maybe you should address this before you worry about real time network forensics.

Can I do something with the output that this solution provides?

There’s a world of difference between information and intelligence. If a solution gives you information that you don’t have the ability to action, does it add any value? Once you know someone from China or Russia has logged into your systems, do you have the ability to assess whether it is genuine or malicious, then block or remove them if it is malicious?

What am I protecting, and why?

Your systems, your processes, and your information all have a value to your organisation. How much value does the solution you are considering protect? A solution that prevents your manufacturing systems going offline for days or weeks may protect a great deal of value, whereas data leakage prevention for information that’s available from your public facing web site less so. 

How does this fit in with my overall security strategy?

As an organisation’s security posture matures, though ideally for all organisations, there will be a security strategy that identifies risks, priorities, and opportunities in the business context. Does this solution align with and assist with progressing that strategy?

Will it integrate with my existing tool set?

If you already have security tools and systems in place, the ability to integrate a new solution into your existing environment is an important consideration. If a product is going to result in a disparate set of notifications that reduce the likelihood of them being actioned correctly, is there a product that will better integrate, or has the cost to integrate been allowed for?

How will it be supported?

It’s all well and good to have the latest, greatest products, however for technology to be effective, it requires support, maintenance, and updates. Has support, both availability and expense, been evaluated as part of the product assessment? What is the product support lifecycle, and will it be adequately supported for as long as you are expecting it to be in use?

There are of course all the other questions to ask as should be the case with any expenditure such as “Can I afford it?” and “Is this the right vendor?”

So, next time you’re preparing to spend your hard-earned cash on a security solution, just remember to question whether they are fishing for fish or fishing for fishermen.


If you would like some assistance improving your cyber security get in touch with us today.



This article was first published in Issue 6 of Australian CyberSecurity Magazine


Cyber Attacks on CCTV Systems

With cyber attacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked. In this article, we take a closer look at some of these attacks: how they are carried out, and the likely motivations behind them.

Canon Cameras in Japan  – For the LOLZ

What happened? In May, 2018, over 60 Canon cameras in Japan were hacked with “I’m Hacked. bye2” appearing in the camera display text.

How did the attack take place? IP Cameras were connected to the internet and were left on default credentials. It appears that the hackers logged into the cameras and changed the on screen display.

What was the impact? Other than the defacement of the camera displays and some reputational damage, there doesn’t seem to have been a good deal of impact from the attacks.

What was the attacker’s motivation? The most likely explanation was they did it for the LOLZ, a hacker term implying the attack was done for laughs, however there’s no guarantee that this wasn’t cover for a more sinister attack.

How bad could it have been? Whilst this sort of attack is relatively innocuous, having a hacker gain control of a network device can have catastrophic impacts. Once a hacker has gained control of a device, they could use the camera for hostile reconnaissance, they could inject their own video stream in a Mission Impossible style attack, or they could use the device to pivot into other devices on the same network, all of which would make for a really bad day.

Mirai BotNet of Cameras and DVR’s  – Free computing

What happened? In October 2016, 600,000 internet connected cameras, DVR’s, routers and other IoT devices were compromised and used to form a massive Bot Net to launch what was the largest Denial Of Service (DOS) attack the internet had experienced to date.

How did the attack take place? Yet again, devices were left connected to the internet and were left on default credentials. In this case, the attackers developed software that scoured the internet searching for vulnerable devices, which they then took control of using their own malicious software.

What was the impact? The Mirai attacks significantly compromised the internet, resulting in Dyn, one of the largest service providers, going offline and taking many web sites offline including Twitter, Amazon, and Netflix.

What was the attacker’s motivation? The perpetrators of Mirai were charged with conspiracy to violate the Computer Fraud and Abuse Act in the US courts in Anchorage. It turns out that they were a group of college students who ran a Minecraft server and they had built the Bot Net to degrade the performance of competing servers in order to gain more users for their service. They have been sentenced to between five and ten years in prison and fined up to $500,000.

How bad could it have been? Once the Mirai source code was released into the wild, there were many variants developed including Bricker Bot that similarly scoured the internet then bricked devices so that they had to be factory reset to regain control and functionality. A more determined attacker could have done far more damage to the devices or launched more damaging attacks using the same techniques.

A friend of the US hacks back against the Russians – Targeted Attack

What happened? In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response, the NSA traced the attacker’s source and infiltrated their computer systems, gaining access to their CCTV cameras from where they were able to observe the hackers’ comings and goings.

How did the attack take place? Not surprisingly, details of the hack back have been withheld from media coverage. Given this was carried out by professionals, we can assume that the attack was both sophisticated and stealthy.

What was the impact? For the Russian hackers who were identified, this will have put a damper on any travel plans they may have as they are likely to be arrested if they holiday in a country with an extradition arrangement with the US.

What was the attacker’s motivation? In this instance, the hackers are the good guys so they carried out the attack in order to defend their systems.

How bad could it have been? If the attackers hadn’t been on the right side of the law, and their target had been a bank, a celebrity, or any place that privacy is important, the attack could have caused a lot of harm.

Washington DC CCTV System Infected – Ransomware

What happened? In the lead up to the 2017 US Presidential inauguration, 65% of the recording servers for the city of Washington CCTV system were infected with ransomware.

How did the attack take place? Whilst unknown, it most likely occurred by the same means as other common PC hacks such as infected USB keys, malicious web sites, or phishing attacks.

What was the impact? The system administrators had to wipe the infected systems and reinstall the Video Management System so it’s entirely possible a good deal of footage was lost and the system was rendered inoperable for a period of time.

What was the attacker’s motivation? As with any ransomware attack, the attacker’s motivation is to hold the compromised system to ransom and only restore control once the ransom has been paid. It is important to note that ransomware can be used to conceal more malicious or targeted attacks by keeping defenders distracted combatting the more visible attack.

How bad could it have been? Whilst functionality was restored, we may never know just how much important footage was lost or what other systems could have been compromised.

What lessons can we learn from these attacks?

Don’t connect your devices directly to the Internet. If you need to have a camera or CCTV system be remotely accessible, port forwarding all inbound traffic to your system is just asking to be attacked. Use a VPN, use non-standard network ports, enable two factor authentication, or use a remote access service. Whilst these measures won’t guarantee your security, they will certainly make you less of a target for attackers that are scouring the internet for vulnerable systems.

Change Default Passwords. It’s like the road safety advertisements from the 1990’s which asserted that “If you drink and drive, you’re a bloody idiot”. Same goes for credentials: “If you don’t change the passwords, you’re a bloody idiot”.

Don’t forget that it’s a computer. Just because it connects to a bunch of cameras, doesn’t mean that your NVR isn’t a computer. All the cyber security advice that is applicable to traditional IT is just as applicable when said computer is used as part of a CCTV system.
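
One way to check a site against the first lesson is to audit the gateway's port forwarding rules for anything that publishes a camera or NVR to the internet. The following is an added example, not part of the original article: it reads a constructed iptables-save excerpt, and the interface names (eth0 as the internet uplink, wg0 as the VPN), the CCTV subnet and all addresses are assumptions.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt. Interface names (eth0 = internet uplink,
# wg0 = VPN) and all addresses are assumptions for this example.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.50.10:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.50.2:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.5:443
-A PREROUTING -i wg0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.50.10:554
-A PREROUTING -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.50.11
COMMIT
"""


def exposed_forwards(rules_text, wan_ifaces, cctv_subnet):
    """Return (in_iface, dport, target_host) for every DNAT rule that publishes
    a host in cctv_subnet on a WAN interface. Rules using '!' negation and
    IPv6 targets are not interpreted."""
    subnet = ipaddress.ip_network(cctv_subnet)
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT
        tokens = shlex.split(line)
        # Map each option flag to the token that follows it.
        opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1])
                if t.startswith("-")}
        if opts.get("-j") != "DNAT" or "--to-destination" not in opts:
            continue
        # A rule with no -i matches every interface, the WAN included.
        iface = opts.get("-i", "any")
        if iface != "any" and iface not in wan_ifaces:
            continue  # e.g. reachable over the VPN only
        # Target forms: ip, ip:port, ip1-ip2:port. Take the first address.
        host = opts["--to-destination"].split(":")[0].split("-")[0]
        if ipaddress.ip_address(host) in subnet:
            findings.append((iface, opts.get("--dport", "any"), host))
    return findings
```

Each finding is a forward to move behind the VPN or a remote access service; the wg0 rule and the forward to the non-CCTV host are correctly left out.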


Whilst we aren’t seeing the flood of attacks that have been predicted in CCTV systems, they are a ripe target. If a determined attacker starts attacking these systems, there will not be the time to remediate very many of these systems before the damage spreads.


If you would like some assistance improving your security get in touch with us today.



This article was first published in the August 2018 issue of Security Insider
