This is the 56th article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
Keeping IoT devices from compromising the cybersecurity of physical security systems
The Real Words or Buzzword series focuses on terms that – in the physical security industry – are commonly misused, misunderstood, incorrectly defined or aren’t broadly enough known and thus don’t shape our thinking in the ways they should.
The term IoT is well known and well understood, because it simply means all the “things” connected to the Internet that are not general-purpose computing or networking devices, but rather purpose-built devices that operate autonomously without an Internet connection.
The miniaturization of computer chips made it possible to add a small amount of narrowly focused computing intelligence to purpose-built devices (washing machines, refrigerators, thermostats, and sensors) to give them one or both of two new capabilities: the ability to transmit data about themselves and the ability to be controlled or programmed remotely. As of 2020 there were 26.66 billion active IoT connections, more than double the number of non-IoT connections. (Non-IoT devices include all mobile phones, tablets, PCs, laptops/notebooks and fixed-line phones.)
Smartphones are not considered IoT devices because they are mobile phones that were given general-purpose computing capabilities, making them essentially pocket computers with phone functionality, rather than intelligence that would simply make the phone functionality work better, provide data about the phone, or enable remote control of it. Phones now include sensors that have nothing to do with telephony but let them be used for taking photographs, map-based GPS navigation, and so on.
Video cameras are considered to be IoT devices because the intelligence added to them was for the purpose of improving their camera functionality, not to make them more like general purpose computers or give them non-video device functionality.
So, while IoT is a well understood term and is widely used correctly, it is applied uniformly to two very distinct categories of devices: legacy products that are connected to the Internet but remain highly vulnerable to cyber-attack, and devices that were engineered from the start to be IoT devices that are not only cyber-hardened devices but communicate securely over the Internet and maintain full data and remote control communications protection. This latter category of devices is referred to as IoT Native.
When the physical security industry first adopted Ethernet networking, it did so from the perspective that the security computers and devices would be the only things on the “security LAN.” The expectation was that instead of pulling coax or RS-485 cable, they would pull Ethernet cable.
Thus, most security devices weren’t “network friendly,” didn’t support the many existing network protocols, and worse – would crash if the device received network traffic it was not expecting. It took about a decade for standard IT networking practices to become part of the industry’s device design thinking.
As a result, the cyber-attack surface of most deployed physical security systems is extensive, as are the device and system cyber vulnerabilities.
Although many physical security system devices, like network cameras, aren’t and won’t be redesigned from the ground up to be IoT Native devices, they should take into account the key requirements for IoT Native devices, as that would drastically improve the cybersecurity landscape for electronic physical security systems. Many companies have applied some of these requirements. I believe that we can expect the industry to adopt them more widely in the near future. Until then, it is prudent to pay attention to them when purchasing networkable physical security system devices.
IoT Native Design Requirements
The following requirements are critical for IoT Native devices:
- Designed from the start to be IoT devices
- Cloud-managed including digital certificates
- Software and firmware updated automatically
- Certificate-based hardware authentication
- Certificate-based end-to-end data encryption
- Fully managed digital certificates
- Using only outbound cloud data center connections
- Refusing all inbound connections in a way that results in device operation being impervious to denial-of-service network attacks (although networks may not be)
- Able to perform their functionality with continuous, periodic or intermittent Internet connection
Some of the leading security video cameras can comply with the last requirement by using SD memory cards in the cameras, but most often the recovery step of downloading the cached video data is not automatic.
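As an added illustration (not code from the article or from any vendor named in it), the following Python audit checks a device's socket table against the outbound-only and no-inbound-connection requirements above. The socket-table layout, the 203.0.113.10 cloud address and the sample entries are constructed for the example.

```python
# Added example: audits a device's socket table against the IoT Native requirements of
# outbound-only cloud connections and refusal of inbound connections.
# The socket-table layout and the cloud address 203.0.113.10 are constructed.
from collections import namedtuple

Sock = namedtuple("Sock", "proto local remote state")

def parse_socket_table(text):
    """Parse 'proto local remote state' lines (layout constructed for this example)."""
    return [Sock(*p) for p in (line.split() for line in text.strip().splitlines()) if len(p) == 4]

def split_addr(addr):
    host, port = addr.rsplit(":", 1)
    return host, port

def audit_outbound_only(rows, cloud_hosts, tls_ports=("443",)):
    """Return findings; an empty list means every socket is device-initiated and cloud-bound.
    TCP LISTEN and UDP sockets with no peer accept inbound traffic; an ESTABLISHED socket
    whose local port is a listening port was accepted inbound; all other ESTABLISHED
    sockets were opened by the device and must reach a known cloud host on a TLS port."""
    listen_ports = {split_addr(r.local)[1] for r in rows if r.state == "LISTEN"}
    findings = []
    for r in rows:
        lport = split_addr(r.local)[1]
        rhost, rport = split_addr(r.remote)
        if r.state == "LISTEN":
            findings.append(f"inbound TCP listener on port {lport}")
        elif r.proto == "udp" and r.remote == "*:*":
            findings.append(f"inbound UDP receiver on port {lport}")
        elif r.state == "ESTABLISHED" and lport in listen_ports:
            findings.append(f"accepted inbound session from {r.remote} on port {lport}")
        elif r.state == "ESTABLISHED" and rhost not in cloud_hosts:
            findings.append(f"outbound session to non-cloud host {r.remote}")
        elif r.state == "ESTABLISHED" and rport not in tls_ports:
            findings.append(f"outbound cloud session to {r.remote} not on a TLS port")
    return findings

# Constructed samples: a legacy camera exposing web/RTSP, and an outbound-only device.
LEGACY_CAMERA = """
tcp 0.0.0.0:80 *:* LISTEN
tcp 0.0.0.0:554 *:* LISTEN
tcp 192.168.1.20:554 192.168.1.5:50123 ESTABLISHED
udp 0.0.0.0:5353 *:* -
"""
NATIVE_DEVICE = "tcp 192.168.1.21:41234 203.0.113.10:443 ESTABLISHED"
CLOUD_HOSTS = {"203.0.113.10"}

if __name__ == "__main__":
    print(audit_outbound_only(parse_socket_table(LEGACY_CAMERA), CLOUD_HOSTS))
    print(audit_outbound_only(parse_socket_table(NATIVE_DEVICE), CLOUD_HOSTS))
```

Run against a real device's socket listing, every finding is a deviation from the outbound-only model that should be explained or closed before the device is trusted on the network.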
Eagle Eye Networks’ video buffering appliances and recording appliances are IoT Native products. What’s more, Eagle Eye Networks takes things a step further by accounting for the fact that network cameras are cyber-vulnerable, and existing camera deployments may already have infected cameras. Thus, they have engineered their video buffering appliances, recording appliances and network switches to include firewall functionality that prevents malware-infected cameras from being able to spread infections into or beyond the appliance they are connected to.
Similarly, Brivo Systems access controllers are IoT Native devices. Brivo Systems and Eagle Eye Networks are the first companies I know of to design IoT Native devices and appliances.
As this is a changing landscape, with physical security industry companies becoming increasingly more cybersecurity aware, it is important to check these basic IoT Native requirements when considering upgrades to physical security systems.