Protecting Data is Critical

Physical security and cybersecurity converge

To say that the Internet of Things (IoT) has become a part of everyday life would be a dramatic understatement. At this point, you would be hard-pressed to find an electronic device that is not connected to the internet.

There are smart fridges, smart toasters, thermostats, etc. Companies are even connecting things like belts and (I can’t believe I’m not making this up) beehives to the internet. Sometimes the benefits are clear. Other times, not so much. But in all cases, the increased use of connected devices has thrust cybersecurity even further into the spotlight.

Connected devices are hardly new to the security industry — IP cameras have been around for more than 25 years. But as network cameras grow both more advanced and more accessible to a broad range of businesses, the line between physical security and cybersecurity has grown increasingly fuzzy. Any connected device represents a potential entry point for a would-be attacker, and cameras, audio sensors, access control stations, and other physical security devices have become common targets for adversaries.

Fortunately, this is not happening in a vacuum. Device manufacturers, application developers and government regulators have all taken note of the growing convergence of physical and digital security, and several trends are now emerging that point toward stronger device security in the future.

NIST CSF Updates Focus on Improving Governance
Last year, the National Institute of Standards and Technology (NIST) made it known that the organization was reevaluating its cybersecurity framework (NIST CSF). In late February, the updates to the framework became public, and organizations are now working to understand what NIST CSF 2.0 means for their security practices.

It is important to note that NIST CSF is not a government regulation — which is to say, there is no penalty for noncompliance. Rather, NIST CSF is a voluntary framework that organizations can use to measure the maturity of their security program, complete with tips and recommendations for how certain areas of security can be strengthened.

NIST is not the only organization to publish security recommendations — advisory groups like MITRE and OWASP have freely available guidelines of their own, and frameworks like SOC 2 and ISO 27001 have become all but mandatory for organizations that manage significant amounts of data. But NIST CSF is considered to be the most widely used framework, with a recent study finding that nearly 50% of businesses map their security controls to the recommendations outlined in the framework.

Traditionally, NIST CSF has focused on five core functions: Identify, Protect, Detect, Respond and Recover. While important, those functions are primarily aligned with incident response, which meant there was not really a way for security teams to customize their approach according to their specific circumstances, such as industry, company size or program maturity.

There was also no way to consider contractual regulations or compliance needs, both of which are significant risk factors for organizations. NIST CSF 2.0 addressed this by adding a sixth core function: Govern. Rather than sitting side by side with the other functions, Govern touches all of them, with a focus on organizational context, risk management strategies, roles and responsibilities, and policies and procedures.

That is a lot of background, but what does it mean for security specifically? Ultimately, it is up to end customers to decide which security frameworks to adhere to, but manufacturers and developers can be confident that NIST CSF will continue to be among the most common, especially in the United States. That means they have a vested interest in ensuring that their devices make it easy to integrate with cybersecurity systems and implement effective governance capabilities.

Security integrators, especially those that do business with the government or government contractors, will do quite a bit of compliance work, and NIST CSF is likely to be one of the frameworks they use. Working directly with those integrators can help manufacturers and developers better understand how to enable their devices to adhere to NIST standards, which will in turn make them more attractive to customers.

New “U.S. Cyber Trust Mark” Program Launches for IoT Labeling
While NIST CSF applies to general cybersecurity readiness, the government recently introduced a new measure aimed specifically at IoT devices. The U.S. Cyber Trust Mark initiative is a voluntary labeling program for IoT devices designed to help consumers make more informed purchasing decisions when it comes to security sensors and other connected devices. Like the “Energy Star” label found on energy-efficient appliances, the Trust Mark logo will serve as an FCC-backed certification that devices have met the minimum security standards outlined in NIST IR 8425.

This initiative has been a long time coming. Attackers have been exploiting poorly secured IoT devices for as long as these devices have been around, as anyone who remembers the Mirai botnet can attest. Back in 2016, Mirai became one of the most disruptive pieces of malware in history, exploiting default password settings to infect millions of IoT devices, which were then used to conduct massive distributed denial-of-service (DDoS) attacks.

While some security standards were implemented in the wake of Mirai, such as requiring password updates for new devices, IoT devices remain broadly vulnerable today. Although the program is a voluntary one, it is clear that both integrators and end users will want to prioritize devices that bear the Trust Mark logo.

The United States has traditionally been slow to adopt these measures, which means this is a crucial step in the right direction. Interestingly, Singapore has been one of the nations at the forefront of IoT labeling, and the country’s “Cybersecurity Labeling Scheme” has helped pave the way for other regulations across the globe. There is certainly some overlap with the U.S. program, and while official reciprocity doesn’t yet exist, it’s likely that global IoT regulations will continue to converge over time.

The Challenge of AI and Cybersecurity
AI-based analytics have been used for security purposes for some time, helping organizations adopt a more proactive and predictive security posture rather than a reactive one. What’s more, AI has enabled much more effective data processing at the network edge, which means businesses no longer need to send all of their data to the cloud to be analyzed.

An IoT device with deep learning capabilities can apply the AI model as the entire data set is being generated, which is particularly important for video, as it allows the device to run AI models on the raw imaging data, rather than the compressed data sent to the cloud. This dramatically reduces both bandwidth and cloud storage needs and has made AI more accessible than ever to a wide range of organizations.

At its core, AI is just data science, and understanding how to secure the data AI both uses and generates continues to be a challenge. The updated NIST guidelines underscore the fact that data governance is a growing priority for both organizations and regulatory bodies, which means today’s businesses need a plan.

Responsible AI use is also an important consideration, as privacy and ethical concerns remain significant. Employees need to be trained in appropriate use of AI solutions, but manufacturers and developers also need to take precautions to limit the potential for misuse. This, too, ties into governance. Ensuring that personally identifiable information (PII) is obfuscated can help address privacy concerns while also reducing the data’s value to attackers. It is also important to protect the AI model itself, as it represents valuable intellectual property and could be an attractive target.

While AI security can be a challenge, organizations have more guidelines than ever to help them shape their security programs. A growing number of regulations are emerging, including the recent EU AI Act and the Biden administration’s Executive Order 14110, to govern the development, use and protection of AI, providing organizations with a helpful set of guardrails to ensure they are using AI securely and responsibly. With more regulations on the horizon, both manufacturers and end users of security devices should set themselves up for success by prioritizing compliance from an early date.

Don’t Wait for a Breach to Prioritize Cybersecurity
Physical security and cybersecurity are no longer as separate as they once were, and understanding how to secure IoT devices, particularly those equipped with AI-based capabilities, is increasingly critical for today’s organizations. This is particularly true as a growing emphasis on responsible governance, risk and compliance (GRC) practices has put more scrutiny than ever on the way physical security devices are secured.

Fortunately, both government and nongovernment entities are putting forth regulations and frameworks designed to help organizations do a better job protecting their devices, data and users. As attacks on IoT devices continue to increase in both volume and severity, maintaining compliance with those frameworks will be essential. Modern businesses cannot afford to wait until a breach occurs. They need to ensure that securing their physical security devices is a priority.

This article originally appeared in the May / June 2024 issue of Security Today.