A Professional’s Guide
Helping end users get – and stay – cyber secure in the IoT era
- By Ryan Zatolokin
- Feb 01, 2020
The interconnectivity and integrations created by
the Internet of Things (IoT) deliver many benefits,
but because all devices and systems can be
vulnerable to breaches, this hyperconnectivity can
also have a major downside.
As demonstrated by each publicized data breach, the need
to protect network devices and systems from unauthorized and
unwanted intrusion has never been greater. The results of these
breaches can be catastrophic, ranging from loss of customer confidence
to business closure or even legal action. As a result, cybersecurity
must be a top priority for everyone, particularly in
the IoT world.
Thankfully, integrators and other security professionals can
play an important role in cybersecurity by following a number
of strategies and best practices to make sure their customers’ systems
are protected both at the time of deployment and on an
ongoing basis.
Password Management
Practically all devices, whether for security or other purposes,
come with default passwords. Because these defaults are well-known
and readily available on the Internet, it is imperative that
all devices are deployed with new passwords. But simply changing
the password is not enough; it is imperative that chosen passwords
are difficult to crack.
Creating a strong password is a simple thing to do, but unfortunately,
it is often overlooked in favor of more complex technologies
and practices to protect a system. However, a strong, unique
password is more than a great first step in cybersecurity–it is the
easiest way to prevent unauthorized access to a system.
Legislation, such as California’s SB-327, is driving change and
helping to do away with weak default passwords. A device must
have either a strong unique password by default or force you to
change the password when the device is turned on for the first time.
Some manufacturers have changed their firmware to accommodate
these new requirements, with several being “secure by default,”
meaning no services will work until the password is set.
For the highest level of protection, passwords should have no
fewer than eight characters (a mix of upper and lowercase letters,
numbers and symbols) and should not include words that would
normally be found in a dictionary. Consider using passphrases,
such as a made-up sentence, to help remember increasingly complex
passwords.
Once passwords are in place, it also is important to change
them regularly, especially if a number of people have access to
a system. Depending on the size of the customer’s organization,
integrators can either ensure passwords are regularly changed under
an extended service agreement, or this can be handled by the end
user’s IT department.
Device Selection and Deployment
Long before passwords even need to be considered, strong cybersecurity begins with choosing products that can deliver a
high level of protection for customers’ networks.
A primary factor when evaluating products is to identify a
manufacturer that adheres to cybersecurity best practices such
as strong encryption and a variety of additional security features
that deliver the highest level of protection for devices.
Once the proper products have been selected, it is important
to follow manufacturers’ recommendations for how they should
be deployed. Many providers offer a hardening guide that details
how best to secure their devices. This can be an invaluable tool
for integrators and end users, but it cannot replace the need for
an organization to have a security policy in place.
Then the integrator can use the hardening guide to determine
which specific features can be implemented to fit into that policy.
A list might include encryption, IP address filtering to restrict
who and what can access a device, digitally signed firmware or
secure booting, which will halt the boot process if foreign code is
introduced to the device.
For example, if an IT department does not allow FTP or
discovery services on its network, those capabilities need to be
disabled.
In addition to services that are not permitted under IT policy,
disabling any services that are not being used or that are not required
will reduce the footprint through which someone could
compromise a device and, by extension, the overall network.
Therefore, when installing and deploying a device, it is not
practical to simply turn on all the security features, drop it onto
an enterprise network and hope it works. IoT relies on interconnectivity
and communication between devices, so there needs to
be coordination between solutions, and all communication between
devices and systems has to be encrypted.
Not all encryption is the same, meaning that whatever encryption
is running on the edge device must also be running on the
server it’s connecting to. Otherwise, they simply cannot communicate,
which completely undermines the main benefit of the IoT.
Each end user will require some degree of customization in
the configuration of devices, so integrators must ensure they and
their staff have the right skills and that they are properly communicating
with the end user to make sure their security needs
are addressed.
And finally, the level of customization required, as well as the
end user’s cybersecurity needs, must be dictated by the organization’s
established policies.
Updating and Patching
Similar to password management, another simple but often overlooked
step in cybersecurity is keeping device firmware and software
up to date.
In today’s ecosystem of connected and interdependent devices
and solutions, proactive maintenance leads to a more stable and
secure system.
In addition, responsible manufacturers constantly release
firmware updates and security patches that address vulnerabilities
in a consistent manner, while also fixing any bugs and other
factors that affect performance over time.
Like any other software-based technology, security devices
must be patched to prevent those with less-than-admirable intentions
from exploiting known vulnerabilities. In addition, the
VMS, which controls the overall system, also must be regularly
updated and patched along with the operating system on which
it runs.
However, device patching and updating cannot simply be
applied to one part of the overall system. To be effective, these
processes need to be applied to all devices across the network, including
IP cameras, switches, servers, video management systems
and more.
Every one of these devices must be regularly updated, but it is
not always necessary to do this immediately when a manufacturer
issues a new update.
The reason is that a particular update, while important, may
not yet be aligned between the camera, VMS and other manufacturers.
Instead, it is better to create a schedule that end users can
adhere to, perhaps monthly, quarterly or twice a year depending
on the size of the system, and the available time and resources.
While it is essential to update software when new firmware is
available, the unfortunate reality is that many organizations fail
to do so, mainly because of the time and effort involved in updating
each and every device on the network.
Integrators can offer scheduled updating and patching as
part of an ongoing maintenance contract to generate additional
RMR and ensure that customers’ updates actually do get applied
on a regular basis.
Lifecycle Management
The first step in securing an enterprise network is to have a solid
understanding and comprehensive inventory of the devices that
are deployed on that network. This must include documentation
about every device as any overlooked device can provide an entry
point for attackers.
In particular, older technologies and devices present tremendous
risk to an organization in many ways, including on the cybersecurity
front.
Updates and patches are the best way to ensure cybersecurity,
but many older technologies have little to no update capabilities
and may not even be supported by the manufacturer anymore.
Unpatched technology can leave your network vulnerable to a
cyberattack.
While it probably is not the first thing that comes to mind in
terms of cybersecurity, lifecycle management is a crucial component
of ensuring networks and the critical data they contain are
protected from threats and vulnerabilities.
In the IoT world, all devices and systems are part of an overall
ecosystem, so securing the network and everything that connects
to it is another step toward maximizing cybersecurity. This
includes software and firmware updates, adhering to manufacturers’
best practices and following IT policies, but it also means
regularly switching out devices and software.
If a device or software is no longer supported by a manufacturer,
its software can no longer be updated or patched to protect from cybersecurity threats.
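As an added illustration (not part of the original article), the checks this guide describes can be run over a device inventory: default passwords, services the IT policy prohibits, overdue scheduled updates and devices at or near end of support. The 90-day interval, the one-year replacement horizon, the forbidden-service list and every device name and date below are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy values (assumptions, not from the article).
UPDATE_INTERVAL_DAYS = 90                  # quarterly update schedule
REPLACEMENT_HORIZON_DAYS = 365             # budget replacements a year ahead
FORBIDDEN_SERVICES = {"ftp", "discovery"}  # services the IT policy does not allow

@dataclass
class Device:
    name: str
    last_updated: date
    end_of_support: Optional[date]  # None: no end-of-support date announced
    services: frozenset
    default_password: bool

def audit(devices, today):
    """Return {device name: [findings]} for devices that need attention."""
    report = {}
    for d in devices:
        findings = []
        if d.default_password:
            findings.append("default password still set")
        if d.end_of_support is not None and d.end_of_support <= today:
            # No more patches will arrive, so an update reminder is pointless.
            findings.append("unsupported by manufacturer: plan replacement")
        else:
            if (today - d.last_updated).days > UPDATE_INTERVAL_DAYS:
                findings.append("scheduled update overdue")
            if (d.end_of_support is not None and
                    (d.end_of_support - today).days <= REPLACEMENT_HORIZON_DAYS):
                findings.append("end of support within a year: budget replacement")
        banned = sorted(d.services & FORBIDDEN_SERVICES)
        if banned:
            findings.append("disable services: " + ", ".join(banned))
        if findings:
            report[d.name] = findings
    return report

# Constructed sample inventory; every name and date is illustrative.
INVENTORY = [
    Device("lobby-cam-01", date(2019, 11, 15), date(2027, 6, 30), frozenset({"https", "rtsp"}), False),
    Device("dock-cam-07", date(2017, 3, 2), date(2018, 12, 31), frozenset({"ftp", "rtsp"}), True),
    Device("core-switch-1", date(2019, 6, 1), date(2020, 9, 30), frozenset({"ssh", "discovery"}), False),
    Device("vms-server", date(2020, 1, 10), None, frozenset({"https"}), False),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2020, 2, 1)).items():
        print(name, "->", "; ".join(findings))
```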
From a software perspective, a solution that was purchased
five years ago may not be as relevant as modern software that
offers certified integration with other devices and systems that
the previous version simply was not capable of providing. Those
capabilities not only make it easier for the customer to integrate
the software into other
In these cases, it makes sense to upgrade to solutions that remain
fully supported by manufacturers so that security providers
can take advantage of the latest packages as well as performance
enhancements.
While all technologies, regardless of their function, will eventually
expire, in many cases this can be predictable if you are engaged
in a structured lifecycle management program. Security is a
critically important function, and a network camera outage could
potentially have dire consequences.
For example, the functional lifetime of an IP camera could be
upwards of 10 to 15 years. During that time, security vulnerabilities
will change rapidly, making it difficult for manufacturers to
keep pace with the cybersecurity threat landscape.
A lifecycle management program allows end users to keep on
top of what is critical in their environment and avoid the negative
costs associated with cyberbreaches. By including this kind
of program in a service agreement, integrators can eliminate the
surprise or shock that comes from unexpectedly needing to replace
a major system component.
Instead, customers will be able to plan and budget for replacing
a certain number or percentage of devices each year rather
than facing a very large and very expensive replacement of an
entire system or major component. Giving customers the chance
to plan their expenses, and build trust surrounding the amount of
money they need to invest in a system, has the added benefit of
improving the relationship between client and provider.
Keep it Going
Cybersecurity is not a one-time consideration; it is an ongoing
process, one that requires constant action to maintain network
protection.
Therefore, it is critical for integrators to properly select and deploy
devices, and to ensure their customers are continually engaging
in password management. Those same customers must also
apply regular updates and patches, in addition to replacing components
that may no longer be supported by the manufacturer.
It is important to ensure these practices are applied to all
IoT devices across the entire network. This not only contributes
to better-functioning systems, but also ensures
that all devices and systems are protected from
becoming the weakest link in the overall network.
This article originally appeared in the January / February 2020 issue of Security Today.