How can organisations address the ongoing challenge of securing vast numbers of physical security devices across the Internet of Things?
The Internet of Things (IoT) is becoming increasingly ubiquitous, with millions of new devices connecting to the Internet daily. For enterprises with large workforces operating across disparate locations, this means safeguarding connected devices, such as video surveillance cameras, network radar detectors, and IP-enabled speakers, is now mission-critical to their operations. Yet a lack of awareness of vulnerabilities when introducing these devices to their cybersecurity infrastructure places them at greater risk of breaches.
The number of physical security devices introduced into IoT environments has increased significantly over the past few years as organisations take advantage of the efficiency and real-time visibility that networked devices provide. Thanks to cloud connectivity, video surveillance devices have transformed into a smart, interconnected system of cameras and sensors that can collect and process data at speed, efficiently producing powerful insights that enhance security and operational decision-making.
However, these devices may come from a range of manufacturers, not all of which have high-security standards, making some more vulnerable to attack than others. This creates more potential points of access and hackers are always looking for ways to gain unauthorised access to steal data or use a device as an attack vector or entryway to access other parts of the network. Their objectives may be to sell the stolen data to other nefarious groups, disable a particular part of an organisation’s operations, or install ransomware on a network.
Mitigating threats
As more organisations realise the benefits of connected security devices, so too does the threat of attack. As a result, businesses need to take practical, proactive steps to stay ahead of would-be cyber criminals.
Before purchasing items such as cameras and other surveillance , organisations should check that the supplier is transparent about its cybersecurity procedures and policies when it comes to mitigating risks in its own operations and supply chain, as well as reducing the vulnerabilities in its products.
Businesses should also ask how suppliers handle newly discovered vulnerabilities; do they have a vulnerability management policy? Do they provide security notifications, timely security patches, and bug fixes for products? Do they provide a guide on how to deploy and operate products in a secure manner and/or provide the tools that enable efficient implementation of cybersecurity measures of their products?
They could also examine the built-in cybersecurity support of the security device and check for the latest operating system, which needs to be continually updated to avoid running a version with known vulnerabilities.
Organisations should also follow best-practice cybersecurity guides appropriate for their needs. For example, leading video surveillance provider, Axis Communications, follows the AXIS OS Hardening Guide which establishes a baseline configuration to address common threats and provides best practices and technical advice.
Other measures could include; running regular security scans on devices to ensure they are not affected by vulnerabilities or weak configuration, and planning for when the device should be decommissioned based on the end of support date for the OS of that device.
Having the right frameworks in place
Ensuring the security of the video surveillance cameras, network radar detectors, and other devices in your IoT environment is not just about the security of your devices. It is also vital for your company’s IoT suppliers to have the right frameworks in place to meet the ever-increasing cyber challenges that may come their way. The good news is that IoT suppliers are becoming increasingly aware of their security responsibilities.
As an example, Axis Communications develops and supplies physical security solutions that contain embedded cybersecurity measures and are the first Common Vulnerabilities and Exposures (CVE) numbering authority (CNA) in the physical security industry.
However, creating a secure environment is not only embedding security features into products but also having the right procedures in place to mitigate the potential threats of bugs by providing a Software Bill of Materials (SBOM) for their operating system or introducing bug bounty programs.
Embedding security across the supply chain has also become increasingly vital for eliminating potential vulnerabilities as cyber criminals look for new threat vectors. It is therefore essential to look for suppliers that safeguard the integrity of devices from the factory as part of your cybersecurity strategy. Together, this ensures the protection of your organisations, preventing one weak link from compromising your entire IoT environment.
Device protection will become even more critical in the future
Cybersecurity and the protection of security devices operating in the IoT environment will be critical for organisations in the future, especially in light of the relentless drive toward decentralised workforces. As the ecosystem of devices continues to expand and integrate with more and more aspects of daily life, the implications of security breaches will become more significant.
Video surveillance for example remains a pivotal component in enhancing urban quality of life and advancing the journey towards smart cities by ensuring the safety and security of citizens. Therefore, safeguarding the integrity of these systems and the data they capture is paramount, especially as video surveillance technology becomes more sophisticated.
Governments are increasingly passing cybersecurity-related laws and regulations that any business operating within their borders must comply with. Australian companies can now be penalised as a result of the Federal Government’s introduction of data breach penalties in 2022 for derelict cybersecurity, even if this is due to a failure on behalf of one of their suppliers.
Moving forward, vendor assessments and supply chain security will be even more important and these new data breach penalties will indirectly impose obligations on manufacturers, importers and distributors, who will need to ensure they provide a duty of care throughout the lifecycle of their products.
All of this means that robust security solutions will become more vital for securing the cybersecurity integrity of security devices across the entire IoT ecosystem well into the future.