Better Cybersecurity Standards Mean Better Physical Security
There is a dearth of cybersecurity standards in the Internet of Things, but we are seeing some progress.
The convergence of IT and physical security has illuminated the need for interoperability standards. Without government standards to adopt, the physical security industry started a successful effort, through different organizations, to promulgate its own standards back when IP-based equipment began to take off.
Security companies, competitors in the marketplace, began to work together to design standards, easing interoperability and giving integrators the opportunity to create best-of-breed systems. That work continues today.
But the standards saga is not over. Now, the industry needs a new set of standards: cybersecurity standards. And the stakes surrounding cybersecurity standards are much higher. The lack of interoperability standards was mainly an inconvenience. The lack of cybersecurity standards is downright dangerous.
The Dangers of Lax Cybersecurity
Standards create a common baseline for products. From an interoperability perspective, standards allow devices from different manufacturers to work with each other. From a cybersecurity perspective, standards provide a checklist of requirements that protect devices from known cyberattack methods.
Imagine if you bought a car without turn signals or door locks or even brakes. All of those features are required on modern cars because the automotive industry and governments have created standards and laws that require them for safety and security reasons. In the world of computing, similar requirements are added to our laptops, desktops and mobile devices.
When you set up your computer, you are required to set a password. Firewalls are built into modern operating systems, and mobile device apps are sandboxed so they have limited access.
Most people use the four most popular operating systems — Windows, macOS, iOS and Android — and those systems have built-in cybersecurity controls by Microsoft, Apple and Google.
But what about Internet of Things (IoT) devices? Most IoT devices run on Linux, the free, open-source operating system. While Linux is supported and updated regularly, there are no requirements on how to use and secure it. This isn’t necessarily a bad thing for the hobbyist, but it can be dangerous for a commercial device that is sold to an organization that puts that unsecured device on its campus network.
As people build IoT widgets, their priority is almost always focused on functionality rather than cybersecurity. In fact, with small, inexpensive hobbyist kits like the Raspberry Pi, almost anyone can build an IoT device, and many people do. The IoT industry as a whole is moving rapidly and hobbyists and companies are building convenient, Internet-connected gadgets with a limited understanding of cybersecurity. According to Statista, there will be more than 75 billion IoT connected devices in use by 2025.
Even vendors of enterprise IoT devices are missing the mark. It wasn’t long ago that many commercial video surveillance cameras were set with a default password. Most vendors have removed those default passwords because end users were not changing the default password and their cameras were getting hacked.
Here’s a little secret: Criminal hackers love default settings. They search for default passwords, default ports and default settings. Then, they focus attacks on all those default settings because they know that many people will not change from the default. Eventually vendors learned to make changes to better protect their customers, like forcing end users to create a password when they set up their device. While this is progress, it is much better to be proactive than reactive.
We know how to secure a computer, now we need to adopt those standards and requirements for IoT devices.
Early Stages: Where We Are Today
As recently as 2017, anyone observing physical security from the computing world could readily see that the former had not adopted some of the basic cybersecurity controls used by the latter. However, there was a lot of talk about cybersecurity in the industry because just a year earlier, thousands of IP video cameras, NVRs and home routers all over the world had been used as part of an Internet weapon, the Mirai botnet.
The Mirai botnet was used in a number of Distributed Denial of Service (DDoS) attacks that took down or slowed down large portions of the Internet, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.
Since then, cybersecurity has become not only a talking point in the security industry but also a concern. End users are rightly concerned that a vulnerable camera or NVR will be the vector by which an attacker breaches their network. This is a valid concern, but they need to realize that their cameras, recorders and all of their IoT devices are computers and technically, they are likely all Linux web servers.
The good news is that simple network segmentation can greatly reduce the risk of an IoT device being the entryway for an attacker to gain access to sensitive systems and data. So, what role do the different parties play in securing a device? Who’s responsible for what?
First, manufacturers need to build security into their products; that’s a given. But manufacturers can only do so much when it comes to securing a device. If the end user places a camera directly on the Internet, that device will be attacked. If the device has a weak password or unpatched vulnerabilities, that device will not only be attacked, it will likely be compromised.
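The reasoning in the two paragraphs above (segment the cameras and recorders, and treat an Internet-exposed device with default credentials or missing patches as a likely compromise) can be turned into a simple inventory check. The following script is an added example, not code from the article or from any vendor; the segments, devices, default-credential list and firewall-style flow lines are all constructed for illustration, and the risk levels are one reasonable mapping of the article's "will be attacked" versus "will likely be compromised" distinction.

```python
"""Audit an IoT inventory for Internet exposure, default credentials, missing
patches and segmentation violations. Added example with constructed data."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Network segments (constructed): cameras and recorders get their own VLANs,
# separate from corporate workstations and the management network.
SEGMENTS = {
    "cameras": ipaddress.ip_network("10.10.0.0/24"),
    "nvr": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.40.0.0/24"),
}

# Flows permitted between segments as (source, destination). Anything else
# that crosses a segment boundary is a violation of the segmentation design.
ALLOWED_FLOWS = {
    ("cameras", "nvr"),        # cameras stream to the recorder only
    ("corporate", "nvr"),      # staff view recordings via the NVR
    ("management", "cameras"), # admins configure and patch devices
    ("management", "nvr"),
}

# Vendor default credentials (constructed sample list, not a real vendor's).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}


@dataclass
class Device:
    name: str
    ip: str
    internet_exposed: bool   # reachable directly from the Internet
    username: str
    password: str
    firmware: str
    latest_firmware: str


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def audit_device(d: Device) -> dict:
    """Return the findings for one device and a risk level derived from them."""
    findings = []
    if d.internet_exposed:
        findings.append("exposed-to-internet")
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if d.firmware != d.latest_firmware:
        findings.append("unpatched-firmware")
    if "exposed-to-internet" in findings and len(findings) > 1:
        level = "critical"   # exposed and weak: likely to be compromised
    elif "exposed-to-internet" in findings:
        level = "high"       # exposed: will be attacked
    elif findings:
        level = "medium"     # weak, but only reachable from allowed segments
    else:
        level = "ok"
    return {"device": d.name, "segment": segment_of(d.ip),
            "findings": findings, "level": level}


def segmentation_violations(flow_log: list[str]) -> list[tuple[str, str, str]]:
    """Parse 'src=<ip> dst=<ip>' lines and return cross-segment flows that
    no allow rule covers. Same-segment traffic is not a violation."""
    violations = []
    for line in flow_log:
        fields = dict(part.split("=", 1) for part in line.split())
        src, dst = fields["src"], fields["dst"]
        s, t = segment_of(src), segment_of(dst)
        if s != t and (s, t) not in ALLOWED_FLOWS:
            violations.append((src, dst, f"{s}->{t}"))
    return violations


# Constructed inventory and constructed firewall flow records.
DEVICES = [
    Device("lobby-cam", "10.10.0.5", False, "admin", "admin", "5.5.0", "5.7.3"),
    Device("parking-cam", "203.0.113.8", True, "admin", "12345", "5.7.3", "5.7.3"),
    Device("nvr-1", "10.20.0.10", False, "svc_video", "x!Long-pass-9", "4.1.0", "4.1.0"),
]
FLOW_LOG = [
    "src=10.10.0.5 dst=10.20.0.10",    # camera to NVR: allowed
    "src=10.10.0.5 dst=10.30.0.7",     # camera to corporate workstation: violation
    "src=10.40.0.2 dst=10.10.0.5",     # management to camera: allowed
    "src=198.51.100.9 dst=10.10.0.5",  # Internet to camera: violation
]

if __name__ == "__main__":
    for d in DEVICES:
        print(audit_device(d))
    for src, dst, path in segmentation_violations(FLOW_LOG):
        print(f"segmentation violation: {src} -> {dst} ({path})")
```

Run as-is and the lobby camera is reported as medium (default credentials and old firmware, but only reachable from the camera and management segments), the parking camera as critical (exposed and using default credentials), and two flows are flagged: the camera talking to a corporate workstation and an Internet address reaching a camera. The same two functions can be fed a real asset inventory and a firewall's flow export.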
The bottom line is this: Everyone has responsibility when it comes to cybersecurity and the challenge is making sure that everyone knows what their role is in securing a device.
Baking in Cybersecurity
Vendors need to build cybersecurity into products, dealers and integrators need to install devices in a secure manner and advise end users on how to securely manage their devices, and end users need to maintain the device and patch it when needed. If everyone knows and executes their roles, the threat of cyberattack is greatly reduced.
Vendors compete against each other in the marketplace, but the only way to defend against a common threat, like cyber-attackers, is to work together. The good news is that organizations like the Security Industry Association (SIA) have created working groups such as its Cybersecurity Advisory Board, to bring together industry experts, vendors and stakeholders, to discuss and solve the challenges of securing the products sold in the security industry.
Another example of vendors working together is the 2019 efforts coming from the U.K.’s Surveillance Camera Commissioner, who coordinated video camera vendors to work together to create the Secure by Default program for video surveillance cameras. This groundbreaking work established a set of basic cybersecurity standards for vendors to support in their products.
While the first iteration of this program addressed some of the more basic cybersecurity controls, the plan was to add more controls over time. This allows the vendors to bake security into their products instead of trying to bolt it on all at once.
Some Progress in Washington
Fortunately, there are reasons to be optimistic about progress in cybersecurity in the IoT space. In December, H.R. 1668, the IoT Cybersecurity Improvement Act of 2020, became law. This legislation marks a pivotal step toward securing the Internet. The bill enjoyed widespread bipartisan support and was also endorsed by several tech companies and industry groups, including BSA (The Software Alliance), Cloudflare, CTIA, Mozilla, Rapid7, Symantec and Tenable.
The new law stipulates the creation of “standards and guidelines for the federal government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.”
The National Institute of Standards and Technology (NIST) was tasked with creating the standard and guidelines, which include secure development, identity management, patching and configuration management and more.
The law gives the U.S. Office of Management and Budget (OMB) six months to come up with recommendations based on the NIST standards and guidelines. Wisely, the law requires OMB to consult with cybersecurity researchers and private sector industry experts as it puts together its recommendations.
States are getting into the action as well. In the past two years, California and Oregon passed IoT security laws, while Illinois, Kentucky, Massachusetts, Maryland, New York, Rhode Island, Vermont and Virginia are considering similar legislation, according to BTB Security. The consideration and passage of legislation signals growing awareness of the threat unsecured IoT devices pose to the Internet and to our collective digital security.
Next Steps for the Security Industry
While the security industry has made some great advances in cybersecurity over the past four years, there is a lot more to be done. In addition to standards and laws, the industry as a whole needs more cybersecurity education and awareness. There need to be vendor-neutral cybersecurity courses and certifications for the security industry.
Companies need to hire experts to build cybersecurity into their products and services, educate their employees and help to educate the industry. Thankfully, there is evidence of a lot of this work starting already.
We will hopefully see some rapid advances in the next few years. Some of it will be driven by customer demand, some by legislation and some by companies working together to defend against a common foe. The true enemy of any computing device is criminal hackers, and we all need to work together as allies to create a safer cyberspace.
Chuck Davis, MSIA, CISSP-ISSAP is Senior Director of Global Cybersecurity for video surveillance provider Hikvision. This article premiered on CS sister publication Security Sales & Integration.