Dovetailing Cybersecurity into an IoT World

Dovetailing Cybersecurity into an IoT World

Why an ecosystem approach is the way to go

When it comes to cybersecurity the world falls into two camps: those focused on securing their hardware and applications as a closed system, and those who recognize that converging technologies calls for a more ecosystem-centric approach. My early days in the world of physical security systems, especially in video surveillance, initially planted me firmly in the first camp. But as I’ve watched the migration from analog to IP-based technology and the accelerated convergence of technologies on a shared backbone I’ve shifted my views.

In this new IoT ecosystem, every cyber security measure that manufacturers and integrators put into play can impact every other device and application on the network. So it’s imperative that the synergy between systems and devices not only happens on an operational level, but also on a cybersecurity level.

Working Together

Today’s ecosystem is comprised of multiple vendors and building blocks working together to create a complete solution. Added to this mix are the BYOD technologies, smartphones, laptops and tablets that gain access to the system. All of these devices and applications represent potential cyber risk, whether through broadband access or cloud exposure. It could be a Trojan horse accidentally introduced through a personal intelligent device or a determined hacker exploiting an unsecured connection to cloud storage.

Even if physical security is run on a separate backbone from the corporate IT infrastructure, oftentimes an impractical and cost prohibitive solution, mishaps happen: an inadvertent connection to a broadband router, an accidental cross connection to the data network in a wiring closet or any number of unintentional oversights. It’s important to remember that cybersecurity is never a guarantee.

In the face of all these challenges, how do you develop an effective cybersecurity strategy?

Securing an Inter-connected Web of Systems

The solution is to find an optimal way of dovetailing the best practices of both the physical security world with the best practices of a traditional IT domain without introducing new cybersecurity vulnerabilities for other components in the converged system. That involves testing and fine-tuning a lot of moving parts.

On the physical security side of the ecosystem this could be everything from emergency broadcast systems to access control systems, security cameras and video and audio analytics. On the IT side, it could be everything from finance to personnel to telephony. Then there’s cross-pollination, using physical security metadata to glean business intelligence that extends beyond safety and security in other company operations like marketing and merchandising, further blurring the line between physical security and IT.

In a closed system such as home security and intelligent automation, the number of vulnerability points is somewhat limited. The components talk to each other in their own home network ecosystem. That may include:

  • Door and window sensors
  • Intelligent thermostats for each heating/cooling zone
  • Intelligent lighting controls
  • Video surveillance cameras
  • Network connection for remote monitoring and access via smart apps (through Wi-Fi, Blue Tooth, Ethernet or other connectivity technology).

Behind the Router

This ecosystem typically runs off of a single subnet behind a router with, hopefully, some firewall protection. Cyber threats usually come from a device within the home network being hacked or hijacked and sending network access information back to a third party. Or the remote smart application interface gets hacked allowing a third party to gain access to the home network and maliciously turn off the heating and cooling systems. Manufacturers in the IoT home protection and automation industry tend to have more control over user and device interfaces and therefore can commonly deploy the latest generation point-to-point and point-to-multipoint cyber protection technologies across the system.

In a converged ecosystem such as an IP-based physical security scenario, the cyber threats and vulnerabilities become far more complex. Not only does the number of components increase, so do the number of vendors that are supplying that technology and the number of users accessing them. For instance, the ecosystem might include:

  • IP video cameras (from one or multiple vendors) capable of transmitting high-resolution video as well as high-quality audio recordings.
  • IP access control devices or legacy analog access control panels and readers that communicate over the network to the physical security management system.
  • One to multiple video management systems (VMS) that possibly come from yet another vendor.
  • A server or servers that the VMS are running.
  • One too many viewing clients (PCs and mobile devices with access to the camera video either directly from the cameras or via a connection to the VMS.)
  • Network storage for retention of the video from the VMS.

To mitigate risks in this kind of an open ecosystem, you need all the vendors operating off the same cybersecurity playbook.

Finding Common Ground to Mitigating Cyber Risks

IT, physical security and technology manufacturers should be working as a cohesive unit, reaching consensus on current standards and current cyber mitigation technologies that really reflect “Highest Common Denominator” cyber risk mitigation techniques. For instance, the common baseline for cybersecurity applications and protocols often begins with the network infrastructure. That could include strategic measures such as using traditional VLAN technology to separate surveillance video from other data traffic on the network traffic. A unified cybersecurity methodology might also include implementing 802.1x access control using an authenticator such as a RADIUS or TACAS server.

For larger enterprise networks, cybersecurity often includes linking a secure device’s Certification Authority (CA) with an Active Directory (AD). Of course that means vendors need to provide components that support these implementations.

In most cases, the video surveillance cameras and VMS are selected by the project owner based on two main criteria: their specific intended use, perimeter protection, surveillance in crowded public areas, and the strength of the vendor to satisfy that specific use. But there’s a third criteria that needs to be considered as well: does Camera Manufacturer A support the same security protocols as VMS Manufacturer B and do these protocols tie seamlessly into IT’s current suite of hardware, software and cyber protection protocols?

Who Owns Connectivity?

Since the ecosystem runs on IT’s infrastructure, it raises another important question: Who’s responsible for the connectivity? It wasn’t long ago that IT was insisting: “No IP video over my backbone.” But now businesses are readily accepting that it’s just not cost-effective to run parallel networks. It puts a strain on everyone’s budget, for infrastructure cost as well as personnel to install, manage and maintain each network.

So does this mean that the cybersecurity strategies for the physical security network-attached systems and device now belong to IT? Or does the physical security department mandate that IT support the cybersecurity technologies inherent in physical security’s solutions? The simplest answer is that physical security management needs to work with their providers (integrators and manufacturers) and IT to devise solutions that are inherently supportive of IT’s current methodologies for cyber risk mitigation.

Making Sure Cybersecurity is a Team Effort

The similarities in cyber protection technologies between IoT and physical security might be self-evident, but there are some key concerns that should remain at the forefront of any system builder. No matter how sophisticated IoT devices and systems become they still operate in an IT world. And as such, they need to adopt a cooperative cyber protection strategy with IT. Mature IoT technologies such as physical security will need to evolve in order to benefit from some of the great emerging IoT cyber protection techniques such as higher use of Crypto Keys and Lock-Box strategies.

In the meantime, those in the trenches will have to determine which environment we live in and address the increasing risk of cyber threats as a joint effort between vendor and security professionals and IT. We need to work with common tools to provide the end-user with the best possible cyber protection while living within budgetary constraints.

This article originally appeared in the April 2016 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3