Physical Security and the Internet of Things
Kathy Vogler, PERRY proTECH, Marketing Director
When we talk about the importance of cyber security, we often focus on the Internet and the cloud. We understand the need for strong user authentication, event monitoring, activity logging, encryption of data and all of the controls that need to be built in to our IT networks to keep us secure. As the Internet of Things continues to grow (to an estimated 20 to 50 billion devices by 2020), we need to make sure our physical security is looked at with the same eyes too.
Physical security is the protection of life and property and includes things as diverse as people, hardware, programs and even the data that occurs from an event that causes loss or damage. Access control and video surveillance were built to perform very specific security functions: keep an eye on the good people and don’t let the bad people in. At first, these solutions were not connected to other systems and were purpose built and self-contained. CCTV systems had cameras linked through coax cable with proprietary communications to a video controller that sat it its own closet somewhere. Users had credentials like badges, tokens or fobs that connected straight to the identity and access management tool system. Equipment was monitored and serviced by facilities teams or outside contractors. Not the IT department.
A breach of the independent physical security solution could be carried out with little or no technical knowledge by the attacker. And, natural disasters and accidents are an inevitable part of our daily lives. But the Internet of Things and interconnectivity is having a big impact on the physical security industry. This brings two questions to mind; how do you connect physical security devices to the Internet and ensure they are protected from hackers and how can you use your current surveillance, access control and intrusion detection devices that are already in place? Older, out of support systems such as Windows XP may be a critical part of a physical security system that is now moving to the larger picture of the Internet of Things.
Our legacy and closed systems can only go so far, and at some point they can’t keep up with the massive amount of information. We all know an employee or two who found a work around to the systems – prop open a door, borrow someone else’s fob, wait until someone else gets access and slip in. And, when things didn’t go as planned (such as a reader malfunction) possibly had to stand outside in the dark or in the rain waiting for entry. And, this is where the The Internet of Things is a natural progression for security. The IoT offers a way to improve our physical security and access control systems. With the IoT and cloud management, we can use our existing solutions but improve on them with scalability and system changes that are shared across the network in real time. Systems will need to be open-sourced and available on multiple platforms, just like in network technology. Manufacturers will need to figure out how to serve this market. And, many traditional networking vendors are already working on open camera IP platforms that enable attachment to edge-based storage and offer an API for application development.
Connected devices and their inherent vulnerabilities add complexity to our network architectures. And just like BYOD came through to business from consumers as we brought our new personal devices to work with us, the consumer in each of us will expect everything to interconnect and that all of our devices should be able to speak to each other. Autonomous machine to machine data transfer may link our smart phones to our cars to our homes. The business technology network and our physical security systems will also have to figure out how to make all of that interconnectivity work. And stay secure. Security loopholes can occur anywhere in the IoT and new smart devices that often started as dumb (or non-connected) objects don’t always store sensitive data in secure locations. Sometimes the data goes into a collection hub and then gets uploaded in bulk. The OS, firmware and patch support that IT is accustomed to is not always available with these devices. In addition to the security of that data, who is watching out for the privacy? The IoT presents itself with great opportunity and even greater responsibility. Regulation and legislation will be difficult since we can’t predict where this will go or what will happen. But, it is certain and we can’t allow automated systems to interact with our physical world and possibly endanger lives.
What happens if the Internet goes down? You can bet our government is worried about what happens if the Internet is compromised – not just the surface web, but the deep web or the dark part that is just like a power grid. As the IoT consumes more and more devices it becomes just as impactful as power. All systems need redundancy and safe-check mechanisms. We can’t rely on a single point of failure and need to think about the things that can go wrong and invest in those technologies.
A study by VMware found that fewer than one in four IT professionals are confident in the secure configuration of IoT devices such as Internet phones, physical security sensors, smart controllers for lights and air conditioning and point of sale units that are already on the enterprise network. The bad guys will take advantage of devices that are put online with default settings that allow anyone with web access to take control. Today we are seeing IoT devices ship with default passwords like “12345,“ vulnerable services such as telnet enabled and firmware updates that depend on HTTP calls. The “Enterprise of Things” whitepaper shows that remote workers have an average of 11 Internet-connected devices on their home networks. Employees often download third party apps and then connect to the corporate network over a cheap home router. And, now with the interconnectivity, the attacker doesn’t just get into your data on the back end but might be able to walk right through your front door.
Companies with the most experience managing complex technology and physical security integrations will be the ones more likely to succeed in an IoT environment. Many of us felt the first impact with virtualization and cloud services and soon thereafter BYOD’s wave of disruptive technologies that also threatened our well-established security practices. The IoT brings a wide range of intentions and business purposes and can quickly lead to an exploding security minefield. The IoT is a convergence of your organizations existing information technology and operational technology networks and requires a new approach that combines physical and cyber security components.