
The term Internet of Things (IoT) has almost been beaten to death at this point, as more and more security integrators, manufacturers and customers take advantage of the ability to increase connectivity between devices (and therefore take on the dangers this introduces).

But the methods by which we interact with the IoT and protect its devices are still catching up, which means security manufacturers must take part in shifting their focus toward safeguarding data, engaging in vulnerability testing of products and incorporating stringent protections at every stage of the product development process.

Who Is Responsible For IoT Security?

One small leak or breach on a single connected device can potentially cause significant damage across an organization, creating a disruption within a company, affecting its assets, employees and customers. The continued question seems to be: Who is ultimately responsible for the security of IoT devices?

In a recent survey from Radware, a provider of application delivery and cybersecurity solutions, there was no clear consensus among security executives when asked this question. Thirty-five percent of respondents placed responsibility on the organization managing the network, 34 percent said the manufacturer and 21 percent chose the consumers using the devices as being primarily responsible. 

Several schools of thought exist for each:

  • The Organization

It's not surprising that most people see the organization as the main stakeholder for IoT security responsibility; after all, if a company is managing a network, one would expect it to protect the network as well.
One way that the organization can embrace this responsibility is by adopting a user-centric design with scalability, tactical data storage and access with appropriate identification and security features (for example, the use of multilevel authentication through biometrics in access control).
Organizations must also use their IT team to strengthen the overall cybersecurity of the IoT by keeping up with the latest software updates, following proper data safety protocols and practicing vulnerability testing.

  • The Manufacturer

Manufacturers that provide IoT-enabled devices as part of a security system must be fully knowledgeable of the risks involved and effectively communicate them to the integrator or end user.
Providing the necessary education and showing dedication to protecting users of its equipment makes a manufacturer more trustworthy and understanding in the eyes of an end user. Ensuring encryption between devices is a key step that manufacturers can take to work toward achieving complete protection in the IoT.

  • The User

Despite the protection delivered by the organization and manufacturer, there's always the option for IoT security to be enhanced or possibly even diminished by the individual user. It's critical that best practices for data protection are in place every time an individual uses a device that is connected to the network.
These include disabling default credentials, proper password etiquette, safe sharing of sensitive information and the instinct to avoid any suspicious activity or requests.

The short answer to the responsibility question is this: everyone. Each sector has a responsibility to contribute to the protections needed for IoT-enabled devices.

However, as a manufacturer, it is imperative that our teams think about each level of protection when developing products for public consumption, including how the organization implements the technology and how the integrator engages in training with users. 

Manufacturer Vulnerability Testing

One way that manufacturers can implement added protections against outside threats is by boosting their attention to security protocols in the product development stage. For some, this requires a different approach in the design and development of security systems. Identifying vulnerabilities is at the core of this.

A security vulnerability in a product is a pattern of conditions in the design of a system that is unable to prevent an attack, resulting in weaknesses of the system such as mishandling, deleting, altering or extracting data. Increased connectivity makes these vulnerabilities more of a liability, as IP-enabled (or networked) devices are more likely to be breached by outsiders looking to permeate an organization and collect valuable data. 

While some of these hacks are a little more “simple” in nature — such as outsiders trying to guess a password using manufacturer-set passwords — others are more complex, such as a denial-of-service, where attackers attempt to overload the system by flooding the target with excessive demands and preventing legitimate requests from being carried out. When such a flood comes from many sources at once, it is virtually impossible to stop the attack by blocking a single source.

As a result of these potential threats — and to help manufacturers deliver best-in-class products — it's imperative that vulnerability testing is done throughout a product's development, starting at phase one in the process.

This includes analysis of the type of cyberattacks that can potentially attack, breach and disable a system. Many manufacturers attempt to hack their own products from within the organization — or even go as far as hiring a third-party professional group to do it for them.

Success In A Volatile Technology Landscape 

This kind of development puts a product through rigorous levels of testing, and once weaknesses are exposed, they can be patched up and the cycle of attack-and-defense can take place until the product is protected fully and ready for market.

Skipping this step in the development process can open manufacturers up to significant liability, so it's important for this testing to take place and corrective actions be taken to rectify gaps in security. The more extensive an organization's security testing approaches are, the better are its chances of succeeding in an increasingly volatile technology landscape. 

But the testing doesn't stop in the development stage. Attacks on a system continue long after the product has been introduced to market, requiring continued updates to be made available in an effort to protect customers. Manufacturers are tasked with issuing further firmware updates so that a product in the field stays prepared against the latest critical bugs that can affect the market.

What End Users Demand From Security

We're seeing a significant shift in the education and demand from a customer perspective. In the past, consumers took the advice of integrators and consultants as far as the “right” security systems to install for their needs. Today, the self-education of end users is on the rise as more and more IT departments become involved in the selection and investment of physical access control systems.

A larger number of end users are demanding security products that meet IT standards of network protection, and they take these considerations into account when working with integrator partners on the selection of systems to meet their needs.

As a result, manufacturers are tasked with not only developing robust IoT-centric products, but also continuing to be involved on a regular basis in an effort to continuously keep organizations safe. 

A comprehensive security strategy from manufacturers must involve multiple levels of product selection, testing and integration — centered on the team-based approach to implementing training and protocols within an organization.

While manufacturers are stepping up their game in the development of robust products, this remains a team effort that must be addressed every week — not something you implement, then forget about. The safety of data — and the entire organization — depends on it.


Author profile

Kim Loy, Director of Technology and Communications, ACRE, LLC
