Physical security has been enjoying the benefits of digitization for a long time: security cameras, video management systems (VMS), command and control systems, access control, intrusion prevention and fire and smoke detectors have revolutionized the field of physical security in the past decade.
This IoT shift enables security integrators to easily deploy multiple sensors in remote locations. However, this also exposes organizations to new risks.
Traditional security solutions are mostly installed on premises; they use internal networks and consist of simple devices (sometimes even analog devices with a basic converter) connected to a central command and control location.
Today’s security equipment is IP-enabled and connected to larger networks (or directly to the Cloud), which enables greater flexibility, but also makes the security system the weakest link in the organization’s IT security chain. This risk can manifest in several ways.
Network intrusion: An intruder can use the security device to gain access to an organization’s IT infrastructure and move to a full-scope cyber attack. Simply by disconnecting a security device (e.g., a camera), the attacker gains physical access into the network. Alternatively, if these cameras use WiFi communication, that wireless connection can be leveraged to gain access to the network. Once inside, hackers can cause substantial damage, far exceeding a physical incident such as theft or sabotage.
Infected security devices: Even a secured network can be compromised by preinstalled malware that can be remotely and covertly activated. Often these devices are used for botnets (facilitating denial-of-service attacks or cryptocurrency mining) and sending spam, making the organization potentially liable for criminal activity without even knowing it.
Destructive devices: Some IoT-dedicated malware can infect devices such as physical access control devices with a unique code that renders them unusable. The useless devices have to be physically replaced with new and functioning ones; in the meantime, they grant unauthorized people access to restricted areas.
To mitigate these many risks, physical security integrators looking to safely deploy connected devices can explore several avenues of assistance. Following are six considerations for keeping IoT devices safe.
1. Offer professional help
CSOs understand security, but are not always the savviest when it comes to modern IT, Cloud and IoT architecture. Nevertheless, they are in charge of deploying the best possible security solution. Integrators would be wise to be involved in the specification and design process and offer professional advice to the customer designing a new security apparatus. This will likely require bringing along IT security professionals.
2. Apply discretion when considering connected devices
Not all devices need to be connected to the Internet. Although this is the trendy thing to do, seriously consider whether the risk outweighs the potential benefits. Having a device connected to a local network (assuming it does not also communicate with the Cloud, for instance, by using a SIM) greatly reduces the “attack surface.”
3. Use reasonably secured devices
Since no industry-wide standard has been set in regard to securing IoT devices, it would be best to follow the standards of the U.S. government, which is stepping up security on IoT devices, and examine the source of the device and the communication protocol it uses. If these do not apply, try to purchase a device from a known, respected vendor.
4. Conduct risk assessment
After selecting the devices, examine the network and its potential failure points, as well as the IoT/Cloud platform used for control and storage of data. Many simpler IoT devices have no computing power and communicate with a gateway (a local router connecting multiple smaller devices to the web). Consideration should be given to selecting a remote monitoring service or IoT service platform.
5. Make sure devices are properly configured
IoT devices need to be connected in a way that permits access only to their owners. Having robust passwords is important, as is managing each user’s access to the information. Whatever you do, do not leave the device with its factory settings.
6. Recommend a dedicated IoT security solution
Even if a device is configured correctly, it can still be hacked. Hackers use open-source search engines like Shodan to identify devices that can be remotely accessed, and then use brute-force attacks (automated attacks that try millions of combinations) to crack their passwords. Thus, adequate security systems must be put in place to alert users of such intrusions and provide real-time visibility for all devices in the network.
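As an added illustration of the alerting described in item 6 (not part of the original article and not any vendor's product), the sketch below scans device login events and raises an alert when one source produces a burst of failed logins against a device, and a second alert if that source then logs in successfully. The log format, device names, addresses, window and threshold are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp device source result
SAMPLE_LOG = """\
2024-05-01T02:00:00 cam-lobby 203.0.113.7 FAIL
2024-05-01T02:00:05 cam-lobby 203.0.113.7 FAIL
2024-05-01T02:00:10 cam-lobby 203.0.113.7 FAIL
2024-05-01T02:00:15 cam-lobby 203.0.113.7 FAIL
2024-05-01T02:00:20 cam-lobby 203.0.113.7 FAIL
2024-05-01T02:00:25 cam-lobby 203.0.113.7 OK
2024-05-01T08:00:00 door-ctrl-2 192.0.2.10 FAIL
2024-05-01T08:00:10 door-ctrl-2 192.0.2.10 FAIL
2024-05-01T08:00:30 door-ctrl-2 192.0.2.10 OK
2024-05-01T09:00:00 nvr-1 198.51.100.4 FAIL
2024-05-01T09:05:00 nvr-1 198.51.100.4 FAIL
2024-05-01T09:10:00 nvr-1 198.51.100.4 FAIL
"""

WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 5                   # assumed failures inside WINDOW that count as a burst

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, device, source, timestamp) tuples, in log order."""
    recent = defaultdict(deque)  # (device, source) -> times of recent failures
    flagged = set()              # pairs already alerted on, kept until a success
    alerts = []
    for line in log_text.strip().splitlines():
        stamp, device, src, result = line.split()
        ts = datetime.fromisoformat(stamp)
        key, q = (device, src), recent[(device, src)]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("BRUTE_FORCE", device, src, stamp))
        else:  # successful login
            if key in flagged:            # success right after a burst: likely compromise
                alerts.append(("LOGIN_AFTER_BRUTE_FORCE", device, src, stamp))
            q.clear()
            flagged.discard(key)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In this sample only cam-lobby is flagged: the two mistyped logins on door-ctrl-2 and the widely spaced failures on nvr-1 stay below the threshold.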