The IoT and perimeter security: a hole in the wall? – Part One
Simon Gawne, Tyco
The Internet of Things (IoT) is playing an increasingly large role in physical security, as perimeter-guarding devices such as CCTV and access management begin to take advantage of IP-based communications. Devices now have the power to share information faster than ever before and across a far wider physical area – but how secure are the security devices themselves? In a two-part series, Simon Gawne, director of integrated solutions and innovation at Tyco, investigates the need for security teams to consider not only the man outside the gate, but also the ghost in the machine, as hackers attempt to exploit vulnerable system backdoors.
The role of the security director is almost as old as civilisation itself, and for most of its history has been a physical role – essentially concerned with keeping person X away from item or person Y. Over the last five to ten years, however, the rise of connected devices has broadened that scope to include the digital world and the unseen adversary. With traditional security devices now becoming Internet of Things-enabled, for example in the form of connected cameras and database-linked access systems, the perimeter of security networks has widened massively. Cyber attackers who target poorly defended connected devices to reach servers and frontline systems can cause just as much damage to a business as a physical trespass.
However, the boundlessness that comes with connected technology is also being felt in the physical security sphere. Many physical security processes are increasingly managed from a central control facility with responsibility for multiple sites – which may not even be on the same continent.
Why target IoT devices?
While the merging of IT and physical security has undeniably brought many benefits – including making systems faster, smarter and easier to manage – the downside has been the real and perceived vulnerabilities that come with network-based systems.
Because of the perceived weakness of the virtual network, IP-enabled security devices are becoming a favourite target for security researchers, but they are rarely the end target of a real cyber attack. Cybercriminals come in several varieties: cyber thieves want to make money, state-sponsored attackers intend to cause damage or steal information, and hacktivists try to make a statement. So even if a malicious person could play with your locks or watch your video feeds, there’s not much value in such an activity.
What an attacker really wants is to get to something useful or valuable, and IoT security devices can often provide access to it. So how do you ensure your security products are not the weakest link in your network?
Test carefully
When evaluating IoT security products before implementation, it is essential that organisations have a clear understanding of how digital security is built into IoT devices. When constructing security systems, no matter the size of the facility in question – from small stores to school systems to even the largest government agencies – it is critical to understand how IoT components, such as cameras and video management, fit within those network architectures without introducing new vulnerabilities.
One important challenge for IoT manufacturers is reconciling ease of use with an appropriate level of security. A key selling point for many IoT security devices today is that they are easy and fast to install, saving the integrator and the end user valuable time and expense. However, if the trade-off is a lack of authentication or encryption, system vulnerabilities creep in.
The security of the products that make up any IoT-based system must therefore be questioned. When security is not a consideration from the start of the design process through to the final stages of a product's creation, the result can be a product that is impossible to secure at deployment.
This is only one half of the challenge involved in securing IoT-enabled physical security products. In the second half of this blog series, we will explore the cultural changes that must also take place in order to ensure a strong security posture.