Protecting Data is Critical

Physical security and cybersecurity converge

To say that the Internet of Things (IoT) has become a part of everyday life would be a dramatic understatement. At this point, you would be hard-pressed to find an electronic device that is not connected to the internet.

There are smart fridges, smart toasters, thermostats, etc. Companies are even connecting things like belts and (I can’t believe I’m not making this up) beehives to the internet. Sometimes the benefits are clear. Other times, not so much. But in all cases, the increased use of connected devices has thrust cybersecurity even further into the spotlight.

Connected devices are hardly new to the security industry — IP cameras have been around for more than 25 years. But as network cameras grow both more advanced and more accessible to a broad range of businesses, the line between physical security and cybersecurity has grown increasingly fuzzy. Any connected device represents a potential entry point for a would-be attacker, and cameras, audio sensors, access control stations, and other physical security devices have become common targets for adversaries.

Fortunately, this is not happening in a vacuum. Device manufacturers, application developers and government regulators have all taken note of the growing convergence of physical and digital security, and several trends are now emerging that point toward stronger devices security in the future.

NIST CSF Updates Focus on Improving Governance
Last year, the National Institute of Standards and Technology (NIST) made it known that the organization was reevaluating its cybersecurity framework (NIST CSF). In late February, the updates to the framework became public, and organizations are now working to understand what NIST CSF 2.0 means for their security practices.

It is important to note that NIST CSF is not a government regulation — which is to say, there is no penalty for noncompliance. Rather, NIST CSF is a voluntary framework that organizations can use to measure the maturity of their security program, complete with tips and recommendations for how certain areas of security can be strengthened.

NIST is not the only organization to publish security recommendations — advisory groups like MITRE and OWASP have freely available guidelines of their own, and frameworks like SOC 2 and ISO 27001 have become all but mandatory for organizations that manage significant amounts of data. But NIST CSF is considered to be the most widely used framework, with a recent study finding that nearly 50% of businesses map their security controls to the recommendations outlined in the framework.

Traditionally, NIST CSF has focused on five core functions: Identify, Protect, Detect, Respond and Recover. While important, those functions are primarily aligned with incident response, which meant there was not really a way for security teams to customize their approach according to their specific circumstances, such as industry, company size or program maturity.

There was also no way to consider contractual regulations or compliance needs, both of which are significant risk factors for organizations. But NIST CSF 2.0 addressed this by adding a sixth core function: Govern. Rather than sitting side-by-side with the other functions, Govern touches all of them, with a focus on organizational context, risk management strategies, roles and responsibilities, and polices, and procedures.

That is a lot of background, but what does it mean for security specifically? Ultimately, it is up to end customers to decide which security frameworks to adhere to, but manufacturers and developers can be confident that NIST CSF will continue to be among the most common, especially in the United States. That means they have a vested interest in ensuring that their devices make it easy to integrate with cybersecurity systems and implement effective governance capabilities.

Security integrators, especially those that do business with the government or government contractors, will do quite a bit of compliance work, and NIST CSF is likely to be one of the frameworks they use. Working directly with those integrators can help manufacturers and developers better understand how to enable their devices to adhere to NIST standards, which will in turn make them more attractive to customers.

New “U.S. Cyber Trust Mark” Program Launches for IoT Labeling
While NIST CSF applies to general cybersecurity readiness, the government recently introduced a new measure aimed specifically at IoT devices. The U.S. Cyber Trust Mark initiative is a voluntary labeling program for IoT devices designed to help consumers make more informed purchasing decisions when it comes to security sensors and other connected devices. Like the “Energy Star” label found on energy efficient appliances, the Trust Mark logo will serve as an FCC-backed certification that devices have met the minimum-security standards outlined in NIST IR 8425.

This initiative has been a long time coming. Attackers have been exploiting poorly secured IoT devices for as long as these devices have been around, as anyone who remembers the Mirai Botnet can attest. Back in 2016, Mirai became one of the most disruptive pieces of malware in history, exploiting default passwords settings to infect millions of IoT devices, which were then used to conduct massive, distributed denial of service (DDoS) attacks.

While there were some security standards implemented in the wake of Mirai, such as requiring password updates for new devices—IoT devices remain broadly vulnerable today. While the program is a voluntary one, it is clear that both integrators and end users will want to prioritize devices that bear the Trust Mark logo.

The United States has traditionally been slow to adopt these measures, which means this is a crucial step in the right direction. Interestingly, Singapore has been one of the nations at the forefront of IoT labeling, and the country’s “Cybersecurity Labeling Scheme” has helped pave the way for other regulations across the globe. There is certainly some overlap with the U.S. program, and while official reciprocity doesn’t yet exist, it’s likely that global IoT regulations will continue to converge over time.

The Challenge of AI and Cybersecurity
AI-based analytics have been used for security purposes for some time, helping organizations adopt a more proactive and predictive security posture rather than a reactive one. What’s more, AI has enabled much more effective data processing at the network edge, which means businesses no longer need to send all of their data to the cloud to be analyzed.

An IoT device with deep learning capabilities can apply the AI model as the entire data set is being generated, which is particularly important for video, as it allows the device to run AI models on the raw imaging data, rather than the compressed data sent to the cloud. This dramatically reduces both bandwidth and cloud storage needs and has made AI more accessible than ever to a wide range of organizations.

At its core, AI is just data science, and understanding how to secure the data AI both uses and generates continues to be a challenge. The updated NIST guidelines underscore the fact that data governance is a growing priority for both organizations and regulatory bodies, which means today’s businesses need a plan.

Responsible AI use is also an important consideration, as privacy and ethical concerns remain significant. Employees need to be trained in appropriate use of AI solutions, but manufacturers and developers also need to take precautions to limit the potential for misuse. This, too, ties into governance. Ensuring that personally identifying information (PII) is obfuscated can help address privacy concerns while also reducing the data’s value to attackers. It is also important to protect the AI model itself, as it represents valuable intellectual property and could be an attractive target. While AI security can be a challenge, organizations have more guidelines than ever to help them shape their security programs. A growing number of regulations are emerging, including the recent EU AI Act and the Biden administration’s Executive Order 14110—to govern the development, use, and protection of AI, providing organizations with a helpful set of guardrails to ensure they are using AI securely and responsibly. With more regulations on the horizon, both manufacturers and end users of security devices should set themselves up for success by prioritizing compliance from an early date.

Don’t Wait for a Breach to Prioritize Cybersecurity
Physical security and cybersecurity are no longer as separate as they once were, and understanding how to secure IoT devices, particularly those equipped with AI-based capabilities—is increasingly critical for today’s organizations. This is particularly true as a growing emphasis on responsible governance, risk and compliance (GRC) practices has put more scrutiny than ever on the way physical security devices are secured.

Fortunately, both government and nongovernment entities are putting forth regulations and frameworks designed to help organizations do a better job protecting their devices, data and users. As attacks on IoT devices continue to increase in both volume and severity, maintaining compliance with those frameworks will be essential. Modern businesses cannot afford to wait until a breach occurs. They need to ensure that securing their physical security devices is a priority.

This article originally appeared in the May / June 2024 issue of Security Today.

Featured

  • Evolving Cybersecurity Strategies: Uniting Human Risk Management and Security Awareness Training

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.