Security around The Internet of Things “demands serious consideration”

John Davies

John Davies

Nobody would doubt that the integration of physical and logical security has proven to be highly beneficial for both disciplines. With The Internet of Things (IoT) promising exponential growth and options for systems integration far beyond this, there also needs to be a word of caution warns John Davies.

While this means much greater access and network integration of a far wider number of devices, conversely it also means the security function needs to monitor a greater number of potential points of attack, with some items clearly struggling to offer the protection assurances we would all hope for.

Having an increased number of cyber connections is a two-way street – for every new device that has full access to your network, you have an end-point which needs protection. Potentially at least, any vulnerable point could leave any other part of your network open to attack or intrusion.

For example, it’s likely you would host a number of surveillance cameras as part of an integrated security network. Any gap in this defence could allow access to your core network and, by extension, any crucial items using it (such as your own security cameras). This could give access to any amount of data on a secure facility, including what times people are there (and therefore when it’s empty) or when your security team is on patrol.

It could even spy on specific images/scenes held in plain view of a high-resolution camera.

Practical considerations

This makes it very important to think about the layers of security in any product associated with IoT. In an ideal world, all online-enabled devices would contain the highest levels of protection. Realistically, though, SSL standards cannot be employed in everything. If nothing else, the price point would be prohibitive.

On that basis, it’s sensible to consider cheaper or simpler options as potential end-point security risks in themselves and perhaps to look at ways in which to limit their access to central systems.

Generally speaking, most organisations or individuals are protected from online intrusion by firewalls, but a connected IoT device may not uphold this level of end-point security. A relatively simple IoT device could be used to perform a straightforward task, but there’s no guarantee it will include SSL encryption. This could leave a relatively humble device as a worryingly weak point in the security of an IP network.

Lack of understanding

Adding to the issues at the core of this problem is often a common lack of shared technical knowledge between security providers and some other parties involved in IoT.

Security is a complex and sometimes finely-balanced commodity which does not necessarily lend itself well to outside influences, particularly so those which have little understanding of security protocols.

The obvious answer is for the various parties to share knowledge and training on how these systems interact and their operational requirements. While this works very well for commonly integrated systems (for example, a physical access control system and a business database system), the use of IoT could introduce any number of seemingly unrelated technologies that need to work together.

The physical security sector has been very quick to get up-to-speed with IP-based technology, something which has helped us move towards fully integrated systems very well. Unfortunately, this hasn’t always been the case in reverse, with some IT providers being slower to catch up with the intricacies and benefits of integrating with physical security systems.

Conversely, some installers don’t understand the intricacies of IP configuration such as firewalls, VLANs and/or SSL which can also serve to compromise security.

At the same time, of course, the physical security industry will probably not understand the intricacies of all other IoT devices, so trying to ensure both sides work well together is a considerable challenge. A lack of confidence from both parties can make true integration far more challenging.

Who takes responsibility?

There’s also a more political challenge involved in terms of who’s responsible for the components used in IoT. In a typical business, the different facets traditionally had specific owners – the IT Department, the security team, etc. However, IoT will see many areas of definition blur together and the responsibility for these cross-over areas needs to be defined to safeguard both security and resilience of business systems.

This is made even more complex when Bring Your Own Device (BYOD) systems are allowed to join the mix. The degree of security on an employee’s smart device, for example, is unlikely to match that of company assets, yet the access to restricted parts of the network will need to be the same and could represent a weak spot in security.

The intricacies of successfully incorporating IoT systems securely into a core network are mind-boggling. From a security industry point of view, it’s also a real worry. As an industry, our core mission is to beef up security, to ensure every eventuality is covered and protect vulnerable assets and people.

It’s very tempting to exclude end-point devices that don’t offer the highest levels of security, but that goes against the ethos and considerable benefits on offer from IoT.

What’s certain is that a lot more debate is needed (both in our industry and across all the other potential IoT suppliers) as to the best ways to approach this potentially brewing problem.

We need to ensure relevant levels of security are in place where they’re needed and that vulnerable areas are recognised and mitigating steps introduced.

Much like the wider Internet itself, the IoT has a huge amount to offer – but this offering should not be at any cost.

John Davies is Managing Director of TDSi

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts