A Professional’s Guide

A Professional’s Guide

Helping end users get – and stay – cyber secure in the IoT era

The interconnectivity and integrations created by the Internet of Things (IoT) deliver many benefits, but because all devices and systems can be vulnerable to breaches, this hypoconnectivity can also have a major downside.

As demonstrated by each publicized data breach, the need to protect network devices and systems from unauthorized and unwanted intrusion has never been greater. The results of these breaches can be catastrophic, ranging from loss of customer confidence to business closure or even legal action. As a result, cybersecurity must be a top priority for everyone, particularly in the IoT world.

Thankfully, integrators and other security professionals can play an important role in cybersecurity by following a number of strategies and best practices to make sure their customers’ systems are protected both at the time of deployment and on an ongoing basis.

Password Management

Practically all devices, whether for security or other purposes, come with default passwords. Because these defaults are wellknown and readily available on the Internet, it is imperative that all devices are deployed with new passwords. But simply changing the password is not enough; it is imperative that chosen passwords are difficult to crack.

Creating a strong password is a simple thing to do, but unfortunately, it is often overlooked in favor of more complex technologies and practices to protect a system. However, a strong, unique password is more than a great first step in cybersecurity–it is the easiest way to prevent unauthorized access to a system.

Legislation, such as California’s SB-327, is driving change and helping to do away with weak default passwords. A device must have either a strong unique password by default or force you to change the password when the device is turned on for the first time. Some manufacturers have changed their firmware to accommodate these new requirements, with several being “secure by default,” meaning no services will work until the password is set.

For the highest level of protection, passwords should have no fewer than eight characters (a mix of upper and lowercase letters, numbers and symbols) and should not include words that would normally be found in a dictionary. Consider using passphrases, such as a made-up sentence, to help remember increasingly complex passwords.

Once passwords are in place, it also is important to change them regularly, especially if a number of people have access to a system. Depending on the size of the customer’s organization, integrators either ensure passwords are regularly changed under an extended service agreement or this can be handled by the end user’s IT department.

Device Selection and Deployment

Long before passwords even need to be considered, strong cybersecurity began with choosing products that can deliver a high level of protection for customers’ networks.

A primary factor when evaluating products is to identify a manufacturer that adheres to cybersecurity best practices such as strong encryption and a variety of additional security features that deliver the highest level of protection for devices.

Once the proper products have been selected, it is important to follow manufacturers’ recommendations for how they should be deployed. Many providers offer a hardening guide that details how best to secure their devices. This can be an invaluable tool for integrators and end users, but it cannot replace the need for an organization to have a security policy in place.

Then the integrator can use the hardening guide to determine which specific features can be implemented to fit into that policy. A list might include encryption, IP address filtering to restrict who and what can access a device, digitally signed firmware or secure booting, which will halt the boot process if foreign code is introduced to the device.

For example, if an IT department does not allow FTP or discovery services on its network, those capabilities need to be disabled.

In addition to services that are not permitted under IT policy, disabling any services that are not being used or that are not required will reduce the footprint through which someone could compromise a device and, by extension, the overall network.

Therefore, when installing and deploying a device, it is not practical to simply turn on all the security features, drop it onto an enterprise network and hope it works. IoT relies on interconnectivity and communication between devices, so there needs to be coordination between solutions, and all communication between devices and systems has to be encrypted.

Not all encryption is the same, meaning that whatever encryption is running on the edge device must also be running on the server it’s connecting to. Otherwise, they simply cannot communicate, which completely undermines the main benefit of the IoT.

Each end user will require some degree of customization in the configuration of devices, so integrators must ensure they and their staff have the right skills and that they are properly communicating with the end user to make sure their security needs are addressed.

And finally, the level of customization required, as well as the end user’s cybersecurity needs, must be dictated by the organization’s established policies.

Updating and Patching

Similar to password management, another simple but often overlooked step in cybersecurity is keeping device firmware and software up to date.

In today’s ecosystem of connected and interdependent devices and solutions, proactive maintenance leads to a more stable and secure system. In addition, responsible manufacturers constantly release firmware updates and security patches that address vulnerabilities in a consistent manner, while also fixing any bugs and other factors that affect performance over time.

Like any other software-based technology, security devices must be patched to prevent those with less-than-admirable intentions from exploiting known vulnerabilities. In addition, the VMS, which controls the overall system also must be regularly updated and patched along with the operating system on which it runs.

However, device patching and updating cannot simply be applied to one part of the overall system. To be effective, these processes need to be applied to all devices across the network, including IP cameras, switches, servers, video management systems and more.

Every one of these devices must be regularly updated, but it is not always necessary to do this immediately when a manufacturer issues a new update.

The reason is that a particular update, while important, may not yet be aligned between the camera, VMS and other manufacturers. Instead, it is better to create a schedule that end users can adhere to, perhaps monthly, quarterly or twice a year depending on the size of the system, and the available time and resources.

While it is essential to update software when new firmware is available, the unfortunate reality is that many organizations fail to do so, mainly because of the time and effort involved in updating each and every device on the network.

Integrators can offer scheduled updating and patching as part of an ongoing maintenance contract to generate additional RMR and ensure that customers’ updates actually do get applied on a regular basis.

Lifecycle Management

The first step in securing an enterprise network is to have a solid understanding and comprehensive inventory of the devices that are deployed on that network. This must include documentation about every device as any overlooked device can provide an entry point for attackers.

In particular, older technologies and devices present tremendous risk to an organization in many ways, including on the cybersecurity front.

Updates and patches are the best way to ensure cybersecurity, but many older technologies have little to no update capabilities and may not even be supported by the manufacturer anymore. Unpatched technology can leave your network vulnerable to a cyberattack.

While it probably is not the first thing that comes to mind in terms of cybersecurity, lifecycle management is a crucial component of ensuring networks and the critical data they contain are protected from threats and vulnerabilities.

In the IoT world, all devices and systems are part of an overall ecosystem, so securing the network and everything that connects to it is another step toward maximizing cybersecurity. This includes software and firmware updates, adhering to manufacturers’ best practices and following IT policies, but it also means regularly switching out devices and software.

If a device or software is no longer supported by a manufacturer, its software can no longer be updated or patched to protect from cybersecurity threats.

From a software perspective, a solution that was purchased five years ago may not be as relevant as modern software that offers certified integration with other devices and systems that the previous version simply was not capable of providing. Those capabilities not only make it easier for the customer to integrate the software into other

In these cases, it makes sense to upgrade to solutions that remain fully supported by manufacturers so that security providers take advantage of the latest packages as well as performance enhancements.

While all technologies, regardless of their function, will eventually expire, in many cases this can be predictable if you are engaged in a structured lifecycle management program. Security is a critically important function, and a network camera outage could potentially have dire consequences. For example, the functional lifetime of an IP camera could be upwards of 10 to 15 years. During that time, security vulnerabilities will change rapidly, making it difficult for manufacturers to keep pace with the cybersecurity threat landscape. A lifecycle management program allows end users to keep on top of what is critical in their environment and avoid the negative costs associated with cyberbreaches. By including this kind of program in a service agreement, integrators can eliminate the surprise or shock that comes from unexpectedly needing to replace a major system component.

Instead, customers will be able to plan and budget for replacing a certain number or percentage of devices each year rather than facing a very large and very expensive replacement of an entire system or major component. Giving customers the chance to plan their expenses, and build trust surrounding the amount of money they need to invest in a system, has the added benefit of improving the relationship between client and provider.

Keep it Going

Cybersecurity is not a one-time consideration; it is an ongoing process, one that requires constant action to maintain network protection.

Therefore, it is critical for integrators to properly select and deploy devices, and to ensure their customers are continually engaging in password management. Those same customers must also apply regular updates and patches, in addition to replacing components that may no longer be supported by the manufacturer.

It is important to ensure these practices are applied to all IoT devices across the entire network. This not only contributes to better-functioning systems, but also ensures that all devices and systems are protected from becoming the weakest link in the overall network.

This article originally appeared in the January / February 2020 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3