What do unicorns have in common with the Internet of Things (IoT)? As it turns out, they are both hackable. Last year CloudPets, a range of stuffed animals that uses Bluetooth low energy (BLE) to communicate with a smartphone app, were shown by a U.K.-based cyber security consultant to be vulnerable to hacking.
While unicorns aren’t related to security, with BLE mobile credentials on the rise in the access control space, this may raise some concerns. Just last summer, Homeland Security issued a warning about “BrickerBot,” a Mirai-like attack aimed at Internet-of-Things devices that seeks out poorly secured IoT devices and renders them useless, or turns them into “bricks.”
A whitepaper conducted by Johnson Controls and Booz Allen Hamilton found that as data becomes more prevalent throughout buildings, so does the need to protect that data. “It is no longer enough for a building to be smart — it must be cybersmart,” the company reported in a press release. They are far from alone. From industry organizations to standards bodies, manufacturers and integrators, the cyber security threat has gone from virtually unknown to top of mind in just a few short years.
SDM spoke with six security industry players on the front lines of cyber security for a roundtable discussion about the impact of the IoT and how the industry is planning to protect it. Participants are: Matt Barnette, president of Mercury Security, Long Beach, Calif.; Phil Aronson, president and CEO of Aronson Security Group, Renton, Wash.; Jason Ouellette, global product general manager, access control, building technologies and solutions, Johnson Controls, Westford, Mass.; Chris Salazar-Mangrum, senior IT project manager, PSA Security Network, Westminster, Colo.; Per Björkdahl, chairman, steering committee, ONVIF; and David Bunzel, executive director, PSIA.
Matt Barnette
Phil Aronson
Jason Ouellette
Chris Salazar-Mangrum
Per Björkdahl
David Bunzel
Where does adoption of the (security) Internet of Things stand right now and what impact will it have on the industry?
■ Bunzel: The industry has been slow to adopt IoT technology, but there are some encouraging signs. As part of its drive to provide standard approaches to the sharing of identities and credentials for physical security, the PSIA has designed its Physical Logical Access Interoperability (PLAI) spec to be IoT ready. IoT is still at an early stage of development and adoption, with many issues and procedures dynamic and still developing.
■ Barnette: There is a lot of buzz about IoT in the industry and we are excited about the potential capabilities in the future. One of the ways in which we’ve prepared for the IoT is by adding MQTT protocol to our panels, which is a protocol for how devices communicate with each other in a more connected environment — specifically for the Internet of Things. When it comes to access control and integrated systems, the IoT will be an integral part of enabling systems to share data more easily and in a more standardized format. The role of the IoT may also make it possible for Mercury to open secondary and tertiary paths of communication to such things as preventative maintenance programs for integrators who have cloud-based maintenance applications. This is one of the many examples of how the IoT can impact the industry from the perspective of the panel hardware and deliver value to the systems integrator.
■ Björkdahl: The physical security industry is experiencing a convergence of disparate systems, largely due to the [residential] IoT and technologies like Z-Wave and Zigbee. The IoT is certainly in a more mature stage within the residential market, but still in the early stages of adoption within commercial systems. The IoT enables the automation of access control systems by utilizing common sensors and credentials across multiple applications.
■ Salazar-Mangrum: We have seen most of the residential market being impacted by IoT, and within five or so years, IoT will make its way into the commercial market. Once this convergence happens, integrators and manufacturers will inevitably adopt the IoT landscape and need to provide a stable and secure offering within access control among other solutions.
■ Ouellette: I would agree that we are still at the earlier adopter phase for the larger players in the physical security industry, but roadmaps, technology and new entrants to this space are driving a faster growth trend over the past year. I think we can expect to see a push for more open standards to provide for compatibility for devices and identities on the edge. We will see more and more of a reliance on cloud-based platforms to service the IoT trends and a much stronger leveraging of mobile platforms such as phones and tablets. All of this will generate further changes in how data is handled and stored to address privacy and security concerns as cyber security becomes increasingly important to the IoT environment.
■ Aronson: The promise of IoT is to make your technology assets smart and connected, from wearables and consumer devices to vehicles and industrial installations to safety and security. At ASG, we consider ourselves to be a leader in the Security Risk Management Services (SRMS) industry. (See “A New Role for the Integrator,” page 92.) However, we know that the physical access control market has finally begun to shift to information management and business intelligence. The success of their business will eventually depend on their level and ease of interoperability between disparate and, at times, competitive systems. Those manufacturers that have the notion that you can be a closed system in today’s IoT environment will have a challenge.
What challenges does the IoT bring to the security space?
■ Salazar-MANGRUM: The biggest issues are breached devices — for example, how will the mass amounts of data-in-flight be used to expose victims or steal intellectual property, and in the worst-case scenario, have a fatal outcome? If devices are released without good plans for remediation, manufacturers, as well as the customers and integrators may feel the negative impact of a breach. Depending on the size of the company breached, it may be enough to bring down a Fortune 1,000.
■ Aronson: With increasing awareness and breaches, our clients are waking up to the cold reality that the very security that was purchased to protect them may now be a threat. All the participants in the value chain that helped them make their original decision have to be prepared to proactively guide them to the appropriate risk mitigation efforts needed to support and protect them.
■ Barnette: There are many concerns when it comes to the IoT and electronic access control. Connecting more devices and systems, plus sharing more data opens new potential security threats, and work still needs to be done to better understand the potential associated risks.
What steps are manufacturers and others in the industry taking to prepare for the IoT and the cyber security needs around that?
■ Barnette: A major consideration to prepare for the IoT is a comprehensive cyber security strategy that begins at the hardware level to establish a solid foundation of protection against potential threats. For example, our approach includes secure design lifecycle practices; proactive testing of our products through third parties; and industry-standard data encryption methods for end-to-end secure communications. Beyond ensuring a multi-layered approach to cyber security at the hardware level, Mercury recommends that access control software manufacturers also carefully review their code and control all possible connection points supported by their software, given that vulnerabilities are discovered in commercial software platforms on a regular basis. It is also recommended that hardware and software manufacturers work with professional labs to conduct vulnerability analysis on a regular basis. In addition, Mercury encourages all end users to report any detected or suspected vulnerability discovered by their in-house IT professionals (or customers) to ensure a holistic approach to cyber security.
■ Ouellette: Manufacturers have to take an approach that includes cyber security as part of the full life-cycle process of software and hardware development. From the inception of product requirement through ongoing maintenance of a product, there will be a need to address things such as penetration testing, port scans, encryption and product vulnerability detection. Failure to have this approach will create products that could potentially create increased risk to companies and individuals. Within Johnson Controls we have instituted a six-part Cyber Protection Program, which addresses secure product development practices, inclusive protection of components and systems, configuration guidelines for compliance, testing procedures, rapid response to vulnerabilities, and education and advocacy.
■ Bunzel: Manufacturers have become more aware of how cyber security threats have compromised not only their products, but allowed access to a company network and critical data and systems. They have been improving security protocols, but often this is compromised because their customers do not establish procedures to take advantage of these features.
■ Björkdahl: We know that about 95 percent of the security breaches that occur today are due to some sort of simple password error or lack of organizational policies with respect to password management. Manufacturers can certainly help educate the security community on how detrimental it can be to choose convenience over cyber security and take steps to help take the cyber secure approach. They can ship products with default settings that require end users to change the default password on install, require password changes periodically, or make encryption part of their factory settings to increase the likelihood that encryption is left enabled on the device.
What should security integrators be doing right now to prepare themselves and their customers for the impact of the IoT and cyber security concerns it may present?
■ Barnette: The IoT will continue to be explored and discussed in the industry today. The biggest thing integrators can do is to educate themselves on IoT and implications on cyber security. Best practices should be continually used and implemented to ensure against potential threats.
■ Salazar-MANGRUM: Integrators should invest in IT education, awareness, and building a tool box of cyber offerings. Learn as much as possible from IT tradeshows, experts and vendors to build a framework of how the convergence of IT and security will impact their business opportunities and risk.
■ Aronson: Emerging technology often challenges pre-existing business models. The leading-edge companies will embrace it and find a way to append or integrate it into their business model. Others will be challenged to manage the inevitable tension between two very different ways of going to market and servicing their clients. That is why you will see many of them dipping their toe into the market and performing the minimum necessary to be able to resell the technology. Most integrators cannot afford to staff cyber subject matter expertise. Many clients will continue to buy on price, ignoring the risk. These are natural tensions when an industry begins to confront a new value proposition from their customers that challenges their current resource and financial model.
■ Ouellette: Integrators will need to make key decisions on the role that they want to play. Do they want to own and manage infrastructure? Do they want to manage applications and configuration but not own or manage infrastructure or just service the field hardware and not play in the hosted/managed space? A clear vision on where the security integrator wants to play in the new cloud/IoT will drive the steps they will need to take over the next few years in either investing in the infrastructure, investing in differentiation on managed services, or a focus on the field level support for IoT devices. All of these options will require training and changes in process and policy to provide the best cyber security options for their customers.
A New Role for the Integrator
Phil Aronson, president and CEO of Aronson Security Group, no longer refers to his company as a “security integrator.” Instead, he prefers the term “Security Risk Management Services” (SRMS). In fact, he suggests this is a whole new category for vendors who cover the entire lifecycle of the security program.
“If you consider the number of vendors that are typically involved in helping build a successful security program, you will see ways that we can help optimize time and money while mitigating risk and accelerating value,” he says. “However, it all starts with the risk profile of the organization — organization risk, security program risk and technology risk.”
With a focus on risk and an attention to value, integrators can leverage their expertise in technology and their pedigree in risk to create compelling innovations in performance, Aronson explains. “For example, the vendors will be able to apply subject matter expertise at the security architecture and device level to assess the risk of their current and future clients and provide strategies to protect them. Once the assessment is over, gap analysis informs a strategic plan. A strategic plan requires an understanding of how the people perform roles using technology within the security program, as well as how risk is owned and managed through the organization. Only after these steps are performed can a client then proceed to design an implementation roadmap with controls and metrics. And since cyber risk is a constantly shifting dynamic, a managed services plan to sustain the performance over time is needed.”
Aronson identifies five ways cyber security will potentially change the way integrators fit into the mix:
- Clients must demand cyber protection into the design of vendors’ products.
- Clients must demand documentation and training on how best to implement cyber hardening of the designed product.
- Consultants must specify products that have the above.
- Integrators must determine where cyber fits in their business model. This will require investment in training and delivering solutions.
- The client will often require a performance management plan to sustain the solution over time.
“The ‘insecurity of security’ requires a new business model for the industry,” Aronson says. “And the clients and consultants will drive market behavior and, ultimately, the new SRMS category.”
For more on cyber security, visitthe following articles:
- “Watch Out for Cyber Security Issues With IoT”
- “Cyber Security & IP Cameras: Everyone’s Concern”
- “Cyber Reality: How the Security Industry Is Adjusting to the New Normal”
- “Cybersecurity Threats, the IoT and Preparing for the Zombie Apocalypse”
- “The ‘Brave New World’ of Cybersecurity (And the Security Integrator’s Role in It)”