Blending Cybersecurity Into an IoT World
Dec. 12, 2016: By By Vince Ricco, Business Development Manager, Technology Partner Program
Axis Communications, Inc.
When it comes to cybersecurity the world falls into two camps: those focused on securing their hardware and applications as a closed system and those who recognize that converging technologies calls for a more ecosystem-centric approach. My early days in the world of physical security systems – especially in video surveillance – initially planted me firmly in the first camp. But as I’ve watched the migration from analog to IP-based technology and the accelerated convergence of technologies on a shared backbone I’ve shifted my views. In this new IoT ecosystem, every cybersecurity measure that manufacturers and integrators put into play can impact every other device and application on the network. So it’s imperative that the synergy between systems and devices not only happens on an operational level, but also on a cybersecurity level.
Today’s ecosystem is comprised of multiple vendors and building blocks working together to create a complete solution. Added to this mix are the BYOD technologies – smartphones, laptops and tablets – that gain access to the system. All of these devices and applications represent potential cyber risk. It could be a Trojan horse accidentally introduced through a personal intelligent device or a determined hacker exploiting an unsecured connection to cloud storage.
Even if physical security is run on a separate backbone from the corporate IT infrastructure –often times an impractical and cost prohibitive solution – mishaps happen: an inadvertent connection to a broadband router, an accidental cross connection to the data network in a wiring closet or any number of unintentional oversights. It’s important to remember that cybersecurity is never a guarantee.
In the face of all these challenges, how do you develop an effective cybersecurity strategy?
Securing an Inter-Connected Web of Systems
The solution is to find an optimal way of merging the best practices of both the physical security world with the best practices of a traditional IT domain without introducing new cybersecurity vulnerabilities for other components in the converged system. .
On the physical security side of the ecosystem this could be everything from emergency broadcast systems to access control systems, security cameras and video and audio analytics. On the IT side, which is sharing the same network, could be everything from finance to personnel to telephony. And then there’s the cross-pollination – using physical security metadata to glean business intelligence that extends beyond safety and security in other company operations like marketing and merchandising, further blurring the line between physical security and IT.
In a closed system such as home security and intelligent automation, the number of vulnerability points is somewhat limited. The components talk to each other in their own home network ecosystem. That may include:
Door and window sensors
Intelligent thermostats for each heating/cooling zone
Intelligent lighting controls
Video surveillance cameras
Network Connection for remote monitoring and access via smart apps (through Wi-Fi, Blue Tooth, Ethernet, or other connectivity technology)
This ecosystem typically runs off of a single subnet behind a router with – hopefully – some firewall protection. Cyber threats usually come from a device within the home network being hacked and sending network access information back to a third party. Or the remote smart application interface gets hacked allowing a third party to gain access to the home network and maliciously turn off the heating and cooling systems. Manufacturers in the IoT home protection and automation industry tend to have more control over user and device interfaces and therefore can commonly deploy the latest generation point-to-point and point-to-multipoint cyber protection technologies across the system.
In a converged ecosystem such as an IP-based physical security scenario, the cyber threats and vulnerabilities become far more complex. Not only does the number of components increase, so do the number of vendors that are supplying that technology and the number of users accessing them. For instance, the ecosystem might include:
IP video cameras (from one or multiple vendors) that are capable of transmitting high-resolution video as well as high-quality audio recordings
IP access control devices or legacy analog access control panels and readers that communicate over the network to the physical security management system
One to multiple video management systems (VMS) that possibly come from yet another vendor
A server or servers that the VMS are running on
One to many viewing clients (PCs and mobile devices with access to the camera video either directly from the cameras or via a connection to the VMS
Network storage for retention of the video from the VMS
To mitigate risks in this kind of an open ecosystem, you need all the vendors operating off the same cybersecurity playbook.
Finding common ground to mitigating cyber risks
IT, physical security and technology manufacturers should be working as a cohesive unit – reaching consensus on current standards and current cyber mitigation technologies that really reflect “Highest Common Denominator” cyber risk mitigation techniques. For instance, the common baseline for cybersecurity applications and protocols often begins with the network infrastructure. That could include strategic measures such as using traditional VLAN technology to separate surveillance video from other data traffic on the network traffic. A unified cybersecurity methodology might also include implementing 802.1x access control using an authenticator such as a RADIUS or TACAS server.
For larger enterprise networks, cybersecurity often includes linking a secure device’s Certification Authority (CA) with an Active Directory (AD). Of course that means vendors need to provide components that support these implementations. In most cases, the video surveillance cameras and VMS are selected by the project owner based on two main criteria: their specific intended use – perimeter protection, surveillance in crowded public areas, etc. – and the strength of the vendor to satisfy that specific use. But there’s a third criteria that needs to be considered as well: does Camera Manufacturer A support the same security protocols as VMS Manufacturer B and do these protocols tie seamlessly into IT’s current suite of hardware, software and cyber protection protocols?
Who Owns Connectivity?
Since the ecosystem runs on IT’s infrastructure, it raises another important question: Who’s responsible for the connectivity? It wasn’t long ago that IT was insisting: “No IP video over my backbone!” But now businesses are readily accepting that it’s just not cost-effective to run parallel networks. It puts a strain on everyone’s budget – for infrastructure cost as well as personnel to install, manage and maintain each network. So does this mean that the cybersecurity strategies for the physical security network-attached systems and device now belong to IT? Or does the physical security department mandate that IT support the cybersecurity technologies inherent in physical security’s solutions? The simplest answer is that physical security management needs to work with their providers (integrators and manufacturers) and IT to devise solutions that are inherently supportive of IT’s current methodologies for cyber risk mitigation.
Making sure cybersecurity is a team effort
The similarities in cyber protection technologies between IoT and physical security might be self-evident, but there are some key concerns that should remain at the forefront of any system builder. No matter how sophisticated IoT devices and systems become they still operate in an IT world. And as such, they need to adopt a cooperative cyber protection strategy with IT. Mature IoT technologies such as physical security will need to evolve, in order to benefit from some of the great emerging IoT cyber protection techniques such as higher use of Crypto Keys and Lock-Box strategies.
In the meantime, those in the trenches will have to determine which environment we live in and address the increasing risk of cyber threats as a joint effort between vendor and security professionals and IT. We need to work with common tools to provide the end-user with the best possible cyber protection while living within budgetary constraints.