The era of connected devices promises many things: by combining digital data from previously unconnected analogue systems, we can deliver new insights and innovations to improve efficiency and safety in our homes and workplaces. The first rule of innovation, however, must be to “do no harm”, which in the case of the Internet of Things (IoT) means getting cybersecurity basics right first.
The momentum is shifting rapidly in the fields of video surveillance and physical security. While the journey to the cloud has been slower than in other sectors, CCTV, access control and audio systems are increasingly becoming network-connected, and are therefore being integrated into IT networks and processes to deliver more intelligent physical protection.
But this move to the cloud also creates many more business opportunities. Real-time video data from network connected cameras, for example, can be combined with information from other systems to develop new sources of business value via cloud analytics.
This can be seen in retail stores, which commonly deploy network surveillance cameras to prevent or identify shoplifters. Connecting those same cameras to a cloud analytics suite can also give retail managers the ability to automatically detect queue build-ups and generate alerts, or gain a better understanding of traffic flow around a store.
The ever-present risk of connected systems
But if businesses are wary of connected cameras, they have good reason to be. The world’s largest Distributed Denial of Service (DDoS) attack, which disabled many popular internet applications such as Dropbox, Netflix, Uber and more in late 2016, was launched in part from hundreds of thousands of compromised network surveillance cameras. The Mirai malware, which directed the attack, took control of networked devices by testing common default username and password combinations, such as admin:admin.
Two and a half years after these major incidents, it’s still the case that too many professional grade physical security products are being sold with little to no consideration for cybersecurity best practice, and still failing basic oversight tests such as default credentials. The emphasis remains on speed to market and reducing costs. There’s not enough attention paid to quality control, “secure by design” product development and effective processes for post-sale support with firmware updates and asset control.
This critically undermines the potential of these devices to deliver. If the promise of IoT in physical security is that of a better, safer world, it can’t be achieved if equipment is liable to introduce new vulnerabilities into a client’s network.
OEMs need to put in a lot of effort to ensure devices are fit for purpose and can be trusted for innovation. It requires investment in skills and processes internally, and clear communication and transparency throughout the entire supply chain. Does every component meet the rigorous standards that a customer has a right to expect?
Just as important, however, is the investment that needs to be made into end user education. The market is highly price sensitive, and customers need clear guidance to understand the risks involved when purchasing equipment that isn’t configured correctly from unknown vendors.
And beyond that, awareness must be driven beyond the IT department. Everyone in an organisation needs to understand the importance of correct procurement processes, as the falling cost and simplicity of use of modern IoT devices make them difficult to control. A CIO may have the best strategy in place, but if a business manager is purchasing equipment on a credit card and adding it to the corporate network, who is responsible for ensuring the products are safe?
Regulations have increased awareness
That said, businesses are becoming more aware of the cybersecurity risks that network-connected devices present, and 2018 saw much regulatory change to counteract the threats. The General Data Protection Regulation (GDPR) began to be enforced, as did the Directive on security of network and information systems (NIS Directive).
Both pieces of legislation impose the same substantial financial penalties for non-compliance. Large monetary fines have the potential to debilitate businesses, so it is imperative that the relevant companies undertake due diligence in meeting their requirements.
We have already witnessed GDPR fines being imposed across the UK and EU related to the deployment of CCTV systems. It was recently reported that hackers in the UK broke into schools’ CCTV systems and streamed footage of pupils live on the internet. Understandably, this gained a lot of negative publicity; after all, we send our children to school with the expectation that they will be safe, and the security systems are there to protect them rather than put them at risk.
Selecting the right technology partners is critical
In our converging security landscape, selecting the right technology partner has never been so important. Security practitioners need to acknowledge that cybersecurity isn’t just an IT issue and understand the associated cybersecurity risks to a business related to the deployment of physical and electronic security systems. While the digitisation of physical security is a tremendously exciting space to be in at the moment, for it to continue, as an industry we need to better address the issue of cybersecurity, and soon.
Steven Kenny has spent 15 years in the security sector undertaking various roles that have seen him take responsibility for key elements of mission critical, high profile projects across a number of different vertical markets. For the last five years, Steven has been Industry Liaison Manager for Axis Communications, focusing his attention on how technologies can best complement day-to-day operations and specifically address operational issues, by supporting the A&E consultant community across Northern Europe. Steven is also the Director of Systems, Information and Cyber Security for ASIS International, the UK technology advisor for TINYg (Global Terrorist Information Network), and sits on the Cybersecurity Advisory Committee for the Wall Street Journal.