Protecting Data is Critical

Physical security and cybersecurity converge

To say that the Internet of Things (IoT) has become a part of everyday life would be a dramatic understatement. At this point, you would be hard-pressed to find an electronic device that is not connected to the internet.

There are smart fridges, smart toasters, thermostats, etc. Companies are even connecting things like belts and (I can’t believe I’m not making this up) beehives to the internet. Sometimes the benefits are clear. Other times, not so much. But in all cases, the increased use of connected devices has thrust cybersecurity even further into the spotlight.

Connected devices are hardly new to the security industry — IP cameras have been around for more than 25 years. But as network cameras grow both more advanced and more accessible to a broad range of businesses, the line between physical security and cybersecurity has grown increasingly fuzzy. Any connected device represents a potential entry point for a would-be attacker, and cameras, audio sensors, access control stations, and other physical security devices have become common targets for adversaries.

Fortunately, this is not happening in a vacuum. Device manufacturers, application developers and government regulators have all taken note of the growing convergence of physical and digital security, and several trends are now emerging that point toward stronger devices security in the future.

NIST CSF Updates Focus on Improving Governance
Last year, the National Institute of Standards and Technology (NIST) made it known that the organization was reevaluating its cybersecurity framework (NIST CSF). In late February, the updates to the framework became public, and organizations are now working to understand what NIST CSF 2.0 means for their security practices.

It is important to note that NIST CSF is not a government regulation — which is to say, there is no penalty for noncompliance. Rather, NIST CSF is a voluntary framework that organizations can use to measure the maturity of their security program, complete with tips and recommendations for how certain areas of security can be strengthened.

NIST is not the only organization to publish security recommendations — advisory groups like MITRE and OWASP have freely available guidelines of their own, and frameworks like SOC 2 and ISO 27001 have become all but mandatory for organizations that manage significant amounts of data. But NIST CSF is considered to be the most widely used framework, with a recent study finding that nearly 50% of businesses map their security controls to the recommendations outlined in the framework.

Traditionally, NIST CSF has focused on five core functions: Identify, Protect, Detect, Respond and Recover. While important, those functions are primarily aligned with incident response, which meant there was not really a way for security teams to customize their approach according to their specific circumstances, such as industry, company size or program maturity.

There was also no way to consider contractual regulations or compliance needs, both of which are significant risk factors for organizations. But NIST CSF 2.0 addressed this by adding a sixth core function: Govern. Rather than sitting side-by-side with the other functions, Govern touches all of them, with a focus on organizational context, risk management strategies, roles and responsibilities, and polices, and procedures.

That is a lot of background, but what does it mean for security specifically? Ultimately, it is up to end customers to decide which security frameworks to adhere to, but manufacturers and developers can be confident that NIST CSF will continue to be among the most common, especially in the United States. That means they have a vested interest in ensuring that their devices make it easy to integrate with cybersecurity systems and implement effective governance capabilities.

Security integrators, especially those that do business with the government or government contractors, will do quite a bit of compliance work, and NIST CSF is likely to be one of the frameworks they use. Working directly with those integrators can help manufacturers and developers better understand how to enable their devices to adhere to NIST standards, which will in turn make them more attractive to customers.

New “U.S. Cyber Trust Mark” Program Launches for IoT Labeling
While NIST CSF applies to general cybersecurity readiness, the government recently introduced a new measure aimed specifically at IoT devices. The U.S. Cyber Trust Mark initiative is a voluntary labeling program for IoT devices designed to help consumers make more informed purchasing decisions when it comes to security sensors and other connected devices. Like the “Energy Star” label found on energy efficient appliances, the Trust Mark logo will serve as an FCC-backed certification that devices have met the minimum-security standards outlined in NIST IR 8425.

This initiative has been a long time coming. Attackers have been exploiting poorly secured IoT devices for as long as these devices have been around, as anyone who remembers the Mirai Botnet can attest. Back in 2016, Mirai became one of the most disruptive pieces of malware in history, exploiting default passwords settings to infect millions of IoT devices, which were then used to conduct massive, distributed denial of service (DDoS) attacks.

While there were some security standards implemented in the wake of Mirai, such as requiring password updates for new devices—IoT devices remain broadly vulnerable today. While the program is a voluntary one, it is clear that both integrators and end users will want to prioritize devices that bear the Trust Mark logo.

The United States has traditionally been slow to adopt these measures, which means this is a crucial step in the right direction. Interestingly, Singapore has been one of the nations at the forefront of IoT labeling, and the country’s “Cybersecurity Labeling Scheme” has helped pave the way for other regulations across the globe. There is certainly some overlap with the U.S. program, and while official reciprocity doesn’t yet exist, it’s likely that global IoT regulations will continue to converge over time.

The Challenge of AI and Cybersecurity
AI-based analytics have been used for security purposes for some time, helping organizations adopt a more proactive and predictive security posture rather than a reactive one. What’s more, AI has enabled much more effective data processing at the network edge, which means businesses no longer need to send all of their data to the cloud to be analyzed.

An IoT device with deep learning capabilities can apply the AI model as the entire data set is being generated, which is particularly important for video, as it allows the device to run AI models on the raw imaging data, rather than the compressed data sent to the cloud. This dramatically reduces both bandwidth and cloud storage needs and has made AI more accessible than ever to a wide range of organizations.

At its core, AI is just data science, and understanding how to secure the data AI both uses and generates continues to be a challenge. The updated NIST guidelines underscore the fact that data governance is a growing priority for both organizations and regulatory bodies, which means today’s businesses need a plan.

Responsible AI use is also an important consideration, as privacy and ethical concerns remain significant. Employees need to be trained in appropriate use of AI solutions, but manufacturers and developers also need to take precautions to limit the potential for misuse. This, too, ties into governance. Ensuring that personally identifying information (PII) is obfuscated can help address privacy concerns while also reducing the data’s value to attackers. It is also important to protect the AI model itself, as it represents valuable intellectual property and could be an attractive target. While AI security can be a challenge, organizations have more guidelines than ever to help them shape their security programs. A growing number of regulations are emerging, including the recent EU AI Act and the Biden administration’s Executive Order 14110—to govern the development, use, and protection of AI, providing organizations with a helpful set of guardrails to ensure they are using AI securely and responsibly. With more regulations on the horizon, both manufacturers and end users of security devices should set themselves up for success by prioritizing compliance from an early date.

Don’t Wait for a Breach to Prioritize Cybersecurity
Physical security and cybersecurity are no longer as separate as they once were, and understanding how to secure IoT devices, particularly those equipped with AI-based capabilities—is increasingly critical for today’s organizations. This is particularly true as a growing emphasis on responsible governance, risk and compliance (GRC) practices has put more scrutiny than ever on the way physical security devices are secured.

Fortunately, both government and nongovernment entities are putting forth regulations and frameworks designed to help organizations do a better job protecting their devices, data and users. As attacks on IoT devices continue to increase in both volume and severity, maintaining compliance with those frameworks will be essential. Modern businesses cannot afford to wait until a breach occurs. They need to ensure that securing their physical security devices is a priority.

This article originally appeared in the May / June 2024 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Busy South Africa Building Integrates Custom Access Control System

    Nicol Corner, based in Bedfordview, Johannesburg, South Africa, is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. This is the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption. Nicol Corner (Pty) LTD has developed a landmark with sophisticated design and unique architecture by collaborating with industry-leading partners and specifying world-class equipment throughout the project. This includes installing a high-spec, bespoke security and access control system. Read Now

  • Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

Featured Cybersecurity

Webinars

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3