Emerging Technologies

Your 2016 radar should include IoT, cyber security and smart codecs

• By James Marcella
• May 01, 2016

If you’re like most security professionals, your daily inbox is crammed with updates from industry associations, publications and online communities summarizing the hot topics of the day. If you want to predict what will be trending for 2016 just look back at the key issues that started bubbling up to the top in the latter half of 2015.

Those are the ones that are picking up steam and will become significant factors for security professionals in the coming year. Each one represents a major advancement in edge-based electronic devices that deliver additional layers of security on both the physical and logical sides of the spectrum.

PROTECTING THE INTERNET OF THINGS

The Internet of Things (IoT) has not faded into obscurity nor is it just a marketing claim to promote the sale of another device on your network. It has become so firmly established that it garnered official security requirements from the Department of Homeland Security (DHS), Science and Technology Division. DHS lists three prerequisites for managing any IoT device or program on their networks:

Detection: the ability to know what IoT devices and components are connected to a given network or system.

Authentication: the ability to verify the provenance of IoT components and prevent and detect spoofing.

Updating: IoT security programs must include the ability to securely maintain and upgrade these components.

The combination of these three capabilities decreases the risk of security breaches by identifying which devices are on your network, ensuring that those devices have the proper logical credentials to reside on the network and confirming that they can be upgraded to the latest software when new threats are introduced.

But what really makes security of IoT so challenging is its highly diverse and widely distributed nature. The permutations and combinations of devices and networks and the ways they can connect with IoT systems are virtually endless. Therefore, it’s imperative that security professionals work closely with their IT counterparts to examine each device on their network to assure its compliance with the DHS definition of secure.

Nowadays almost anything connected to a network falls into the broad definition of IoT. This contrasts sharply with past models of operation. In the past, different systems were siloes of technology, but today it is not uncommon to combine intrusion detection, access control, mass notification, video surveillance and other electronic security devices on a single network. In the best case, these devices share information with each other and drive new solutions that mitigate risk.

For instance, a camera embedded in a door station primarily used for entry management could detect a person loitering outside your facility’s main entrance. Before alerting security professionals, it could trigger an event that plays a prerecorded message to an outdoor speaker instructing the people to move on. If they don’t, then a security guard could be notified on a mobile device or even over their VoIP phone system and have a discussion with the people outside. In the worst case, each of these devices share information directly with a local PC server, which acts as an intermediary but accomplishes the same solution. The main difference between the two is the budget it takes to arrive at the same finish line.

HARDENING CYBER CONNECTIVITY

The security industry owes most of its innovation to the consumer electronics industry, and IoT is certainly no exception. Today, I could purchase a networked thermostat, doorbell, smoke detector, television, speaker, garage door opener and even door locks that I can control from anywhere I have a signal on my smartphone. Unfortunately, in many cases, so can hackers.

There are many instances where manufacturers sacrifice security in favor of ease of use. When that happens, it’s buyer beware. While this compromise may be acceptable in consumer markets, this lack of security at the network level is unacceptable for security practitioners tasked with the protection of people and assets.

But security doesn’t rest solely on the shoulders of the practitioner. The responsibility to secure a network, its devices and the services it supports also extends to the entire vendor supply chain as well as the end user organization. That’s why reputable manufacturers not only keep security at the forefront of product development, but also provide education on best practices for the use of their products. Each installation is different and not all need to be secured to the highest levels possible. It’s noteworthy that many products come with default settings designed for ease of installation, but unfortunately also help identify devices to potential hackers by broadcasting their connection status over the network. Protocols such as UPnP and Bonjour are examples of this and should be turned off.

Compared with their consumer counterparts, professional grade products will offer an advanced level of protection using authentication methods and encryption. Authentication should sound familiar. It is the second building block for the DHS IoT definition and is the heart of a secure installation. Many edgebased products accomplish this through IEEE 802.1x which provides port level security on network switches using certificates that are assigned to specific network devices. Without the valid certificate, the switch disables the port and the device cannot communicate across the network.

This approach also requires a Radius server to manage the certificates which can either be a standalone server or embedded in the switch. Authentication mitigates the risk of unauthorized network access if someone gains physical access to your network such as hijacking the network cable from an outdoor camera and plugging in a laptop.

Encryption is another advanced security measure that should be incorporated in edge-based devices particularly if your solution leverages public networks such as the Internet. There are many installations that require a decentralized recording of video that needs to be reviewed centrally when an event occurs. In many cases the infrastructure to deliver this solution would be cost-prohibitive without using public networks. For instance, the owner of several small franchise restaurants could record events at each property and view that live or recorded video remotely from the comfort of home. There are many instances of this happening today and very few leverage encryption when doing so.

Savvy security professionals need to understand that the landscape is rapidly changing with regards to their organization’s cyber security posture. It is no longer just the responsibility of the IT department. As more electronic security counter measures move to the network, security professionals need to vet a product on its potential cyber vulnerability as well as the device’s physical security value to the organization.

DEPLOYING SMARTER CODECS

Another edge device concern involves the resolution of network cameras. As resolution continues to push ever higher it directly increases the bandwidth and storage needed to view or record it. With the introduction of 4K this past year, as well as the proliferation of even higher resolution cameras, security professionals are inundated with the mantra of more is better.

The bottom line of higher resolution from a surveillance perspective is that wider angle lenses can be used while maintaining the appropriate pixels on target for detection, recognition and/or identification, the operational requirements of a given scene. That wider field of view provides increased situational awareness and in, some cases, enables fewer cameras to be installed. Unfortunately those benefits directly translate into higher costs for bandwidth and storage which have limited their use for some customers.

Advances in video compression continue to drive down the bit rate of video with the latest being H.265, which has gained limited acceptance in the security industry. Ratified in 2013, H.265 boasts an impressive 50 percent saving in bitrate over its H.264 predecessor. The limited adoption is not unique to the security industry as it has yet to supplant H.264 in the consumer market as well, despite the improvements.

The big challenge for adoption rests on legal issues, not technical ones. HEVC Advance represents a pool of 500 patent holders for H.265 and has developed a licensing and royalty model which many companies feel goes too far. The real issue relates to the royalties for content revenue generated using H.265, which was never an issue with H.264. This model has led companies like Google and Cisco to develop their own video compression techniques. As a result, the water is getting even muddier and H.265 will probably remain a niche solution in the security industry for at least the next year.

Fortunately, several manufacturers have developed enhancements to existing implementations of H.264. Since they are using H.264 as the codecs foundation, there is broad-based support in the VMS community, which will generate some head-to-head competition once H.265 cameras start hitting the market.

One such technique called Zipstream is a radically more efficient implementation of H.264 that can reduce bandwidth and storage requirements by an average of 50 percent or more when compared to existing H.264. Sounds familiar right? That is the same savings figure that H.265 is touting. Axis Communications is not the only company offering bandwidth savings by optimizing H.264, but this particular iteration has a unique approach that dynamically allocates regions of interest inside a camera scene. In more traditional solutions the user defines a static region of interest. The problem with that approach is two-fold: the bad guy is likely to move out of a static region of interest and if you try to compensate for that fact by making the region of interest too big, you miss out on the compression savings.

KEEP AN EYE ON YOUR INBOX

There are certainly more items on the security professional’s radar for 2016, such as cloud-based services, analytics, as well as a host of new advances in camera technology. In my opinion, however, IoT, cyber and smart compression techniques will be the ones having the greatest impact on our industry in the coming year.

This article originally appeared in the May 2016 issue of Security Today.