Dovetailing Cybersecurity into an IoT World
Why an ecosystem approach is the way to go
- By Vince Ricco
- Apr 01, 2016
When it comes to cybersecurity, the world falls into two camps: those focused on securing their hardware and applications as a closed system, and those who recognize that converging technologies call for a more ecosystem-centric approach.
My early days in the world of physical security systems, especially in video surveillance, initially planted me firmly in the first camp. But as I’ve watched the migration from analog to IP-based technology and the accelerated convergence of technologies on a shared backbone, I’ve shifted my views.
In this new IoT ecosystem, every cybersecurity measure that manufacturers and integrators put into play can impact every other device and application on the network. So it’s imperative that the synergy between systems and devices happens not only on an operational level, but also on a cybersecurity level.
Working Together
Today’s ecosystem comprises multiple vendors and building blocks working together to create a complete solution. Added to this mix are the BYOD technologies (smartphones, laptops and tablets) that gain access to the system.
All of these devices and applications represent potential cyber risk, whether through broadband access or cloud exposure. It could be a Trojan horse accidentally introduced through a personal smart device, or a determined attacker exploiting an unsecured connection to cloud storage.
Even if physical security is run on a separate backbone from the corporate IT infrastructure (oftentimes an impractical and cost-prohibitive solution), mishaps happen: an inadvertent connection to a broadband router, an accidental cross-connection to the data network in a wiring closet, or any number of unintentional oversights. It’s important to remember that cybersecurity is never a guarantee.
In the face of all these challenges, how do you develop an effective cybersecurity strategy?
Securing an Interconnected Web of Systems
The solution is to find an optimal way of dovetailing the best practices of the physical security world with those of a traditional IT domain, without introducing new cybersecurity vulnerabilities for other components in the converged system. That involves testing and fine-tuning a lot of moving parts.
On the physical security side of the ecosystem this could be everything from emergency broadcast systems to access control systems, security cameras, and video and audio analytics. On the IT side, it could be everything from finance to personnel to telephony. Then there’s cross-pollination: using physical security metadata to glean business intelligence that extends beyond safety and security into other company operations like marketing and merchandising, further blurring the line between physical security and IT.
In a closed system such as home security and intelligent automation, the number of vulnerability points is somewhat limited. The components talk to each other in their own home-network ecosystem, which may include:
- Door and window sensors
- Intelligent thermostats for each heating/cooling zone
- Intelligent lighting controls
- Video surveillance cameras
- Network connection for remote monitoring and access via smart apps (through Wi-Fi, Bluetooth, Ethernet or other connectivity technology).
Behind the Router
This ecosystem typically runs on a single subnet behind a router with, hopefully, some firewall protection. Cyber threats usually come from a device within the home network being hacked or hijacked and sending network access information back to a third party, or from the remote smart-application interface being compromised, allowing a third party to gain access to the home network and maliciously turn off the heating and cooling systems. Manufacturers in the IoT home protection and automation industry tend to have more control over user and device interfaces, and therefore can commonly deploy the latest generation of point-to-point and point-to-multipoint cyber protection technologies across the system.
In a converged ecosystem such as an IP-based physical security scenario, the cyber threats and vulnerabilities become far more complex. Not only does the number of components increase, so do the number of vendors supplying that technology and the number of users accessing it. For instance, the ecosystem might include:
- IP video cameras (from one or multiple vendors) capable of transmitting high-resolution video as well as high-quality audio recordings.
- IP access control devices, or legacy analog access control panels and readers that communicate over the network to the physical security management system.
- One or more video management systems (VMS) that possibly come from yet another vendor.
- The server or servers the VMS runs on.
- One to many viewing clients (PCs and mobile devices with access to the camera video, either directly from the cameras or via a connection to the VMS).
- Network storage for retention of the video from the VMS.
To mitigate risks in this kind of open ecosystem, you need all the vendors operating off the same cybersecurity playbook.
Finding Common Ground to Mitigate Cyber Risks
IT, physical security and technology manufacturers should be working as a cohesive unit, reaching consensus on current standards and current cyber mitigation technologies that really reflect “Highest Common Denominator” cyber risk mitigation techniques. For instance, the common baseline for cybersecurity applications and protocols often begins with the network infrastructure. That could include strategic measures such as using traditional VLAN technology to separate surveillance video from other data traffic on the network. A unified cybersecurity methodology might also include implementing 802.1X port-based access control, with the switch acting as the authenticator and a RADIUS server (or, for device administration, a TACACS+ server) as the authentication server.
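The VLAN separation described here is only as good as the patch panel, and the wiring-closet cross-connections mentioned earlier are exactly what defeats it. The following Python script is an added example (not code from the original article or from any vendor) of a check a practitioner can run against it: it parses a constructed, abridged `show mac address-table` dump in Cisco IOS format and flags any MAC address whose OUI belongs to a camera vendor but which the switch has learned on a VLAN other than the surveillance VLAN. The VLAN number, the sample table and the OUI-to-vendor table are all assumptions for illustration; the OUIs should be taken from your own device inventory and the IEEE registry rather than from this list.

```python
import re

# Constructed sample, not a capture from any real network: an abridged
# "show mac address-table" from a Cisco-style access switch. VLAN 120 is
# assumed to be the dedicated surveillance VLAN; VLANs 10 and 30 carry data.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 120    0040.8c12.3456    DYNAMIC     Gi1/0/7
 120    accc.8e7a.0001    DYNAMIC     Gi1/0/8
  10    0040.8c99.aabb    DYNAMIC     Gi1/0/21
  10    3c52.82ab.cdef    DYNAMIC     Gi1/0/22
  30    4419.b6de.ad00    DYNAMIC     Gi1/0/3
"""

SURVEILLANCE_VLAN = 120  # assumed for this example

# OUI -> vendor, an illustrative table assumed for this example. Build yours
# from the actual device inventory and the IEEE OUI registry, not from here.
CAMERA_OUIS = {
    "00:40:8c": "Axis",
    "ac:cc:8e": "Axis",
    "44:19:b6": "Hikvision",
}

# One table row: VLAN, dotted-hex MAC, learn type, port.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac):
    """Convert '0040.8c12.3456' to the colon form '00:40:8c:12:34:56'."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            vlan, mac, port = match.groups()
            entries.append((int(vlan), normalize_mac(mac), port))
    return entries


def find_misplaced_cameras(entries, surveillance_vlan=SURVEILLANCE_VLAN,
                           ouis=CAMERA_OUIS):
    """Flag camera-vendor MACs learned on any VLAN other than the surveillance one."""
    findings = []
    for vlan, mac, port in entries:
        vendor = ouis.get(mac[:8])  # first three octets, e.g. '00:40:8c'
        if vendor and vlan != surveillance_vlan:
            findings.append({"vlan": vlan, "mac": mac, "port": port,
                             "vendor": vendor})
    return findings


if __name__ == "__main__":
    for hit in find_misplaced_cameras(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"{hit['vendor']} device {hit['mac']} on port {hit['port']} "
              f"is in VLAN {hit['vlan']}, not VLAN {SURVEILLANCE_VLAN}")
```

Two caveats apply. OUI matching is a heuristic: MAC addresses can be spoofed and vendors reuse OUIs across product lines, so a hit is a prompt to go look at the port, not proof. And the check is detective, not preventive; it finds the cross-connect after the camera has already been learned on the data VLAN. The 802.1X deployment described above, with each device holding its own credential and the RADIUS server assigning the surveillance VLAN, is what stops a mis-patched camera (or anything plugged into its port) from getting onto the wrong network in the first place.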
For larger enterprise networks, cybersecurity often includes linking the certificate authority (CA) that issues device certificates with Active Directory (AD), so that cameras and other secured devices are enrolled and authenticated (for example with EAP-TLS under 802.1X) through the same identity infrastructure as the rest of the enterprise. Of course, that means vendors need to provide components that support these implementations.
In most cases, the video surveillance cameras and VMS are selected by the project owner based on two main criteria: their specific intended use (perimeter protection, surveillance in crowded public areas) and the strength of the vendor to satisfy that specific use. But there’s a third criterion that needs to be considered as well: does Camera Manufacturer A support the same security protocols as VMS Manufacturer B, and do these protocols tie seamlessly into IT’s current suite of hardware, software and cyber protection protocols?
Who Owns Connectivity?
Since the ecosystem runs on IT’s infrastructure, it raises another important question: who’s responsible for the connectivity? It wasn’t long ago that IT was insisting: “No IP video over my backbone.” But now businesses are readily accepting that it’s just not cost-effective to run parallel networks. It puts a strain on everyone’s budget, for infrastructure cost as well as personnel to install, manage and maintain each network.
So does this mean that the cybersecurity strategies for the physical security network-attached systems and devices now belong to IT? Or does the physical security department mandate that IT support the cybersecurity technologies inherent in physical security’s solutions? The simplest answer is that physical security management needs to work with their providers (integrators and manufacturers) and IT to devise solutions that are inherently supportive of IT’s current methodologies for cyber risk mitigation.
Making Sure Cybersecurity is a Team Effort
The similarities in cyber protection technologies between IoT and physical security might be self-evident, but there are some key concerns that should remain at the forefront for any system builder. No matter how sophisticated IoT devices and systems become, they still operate in an IT world. And as such, they need to adopt a cooperative cyber protection strategy with IT. Mature IoT technologies such as physical security will need to evolve in order to benefit from some of the great emerging IoT cyber protection techniques, such as wider use of cryptographic keys and lock-box (protected key storage) strategies.
In the meantime, those in the trenches will have to determine which environment we live in and address the increasing risk of cyber threats as a joint effort between vendors, security professionals and IT. We need to work with common tools to provide the end user with the best possible cyber protection while living within budgetary constraints.
This article originally appeared in the April 2016 issue of Security Today.