The term Internet of Things (IoT) has almost been beaten to death at this point, as more and more security integrators, manufacturers and customers take advantage of the ability to increase connectivity between devices (and therefore take on the dangers this introduces).

But the methods by which we interact with the IoT and protect its devices are still catching up, which means security manufacturers must take part in shifting their focus toward safeguarding data, engaging in vulnerability testing of products and incorporating stringent protections at every stage of the product development process.

Who Is Responsible For IoT Security?

One small leak or breach on a single connected device can potentially cause significant damage across an organization, creating a disruption within a company, affecting its assets, employees and customers. The continued question seems to be: Who is ultimately responsible for the security of IoT devices?

In a recent survey from Radware, a provider of application delivery and cybersecurity solutions, there was no clear consensus among security executives when asked this question. Thirty-five percent of respondents placed responsibility on the organization managing the network, 34 percent said the manufacturer and 21 percent chose the consumers using the devices as being primarily responsible. 

Several schools of thought exist for each:

  • The Organization

It's not surprising that most people see the organization as the main stakeholder for IoT security responsibility; after all, if a company is managing a network, one would expect it to protect the network as well.
One way that the organization can embrace this responsibility is by adopting a user-centric design with scalability, tactical data storage and access with appropriate identification and security features (for example, the use of multilevel authentication through biometrics in access control).
Organizations must also use their IT team to strengthen the overall cybersecurity of the IoT by keeping up with the latest software updates, following proper data safety protocols and practicing vulnerability testing.

  • The Manufacturer

Manufacturers that provide IoT-enabled devices as part of a security system must be fully knowledgeable of the risks involved and effectively communicate them to the integrator or end user.
Providing the necessary education and showing dedication to protecting users of its equipment makes a manufacturer more trustworthy and understanding in the eyes of an end user. Ensuring encryption between devices is a key step that manufacturers can take to work toward achieving complete protection in the IoT.

  • The User

Despite the protection delivered by the organization and manufacturer, there's always the option for IoT security to be enhanced or possibly even diminished by the individual user. It's critical that best practices for data protection are in place every time an individual uses a device that is connected to the network.
These include disabling default credentials, proper password etiquette, safe sharing of sensitive information and the instinct to avoid any suspicious activity or requests.

The short answer to the responsibility question is this: everyone. Each sector has a responsibility to contribute to the protections needed for IoT-enabled devices.

However, as a manufacturer, it is imperative that our teams think about each level of protection when developing products for public consumption, including how the organization implements the technology and how the integrator engages in training with users. 

Manufacturer Vulnerability Testing

One way that manufacturers can implement added protections against outside threats is by boosting their attention to security protocols in the product development stage. For some, this requires a different approach in the design and development of security systems. Identifying vulnerabilities is at the core of this.

A security vulnerability in a product is a pattern of conditions in the design of a system that is unable to prevent an attack, resulting in weaknesses of the system such as mishandling, deleting, altering or extracting data. Increased connectivity makes these vulnerabilities more of a liability, as IP-enabled (or networked) devices are more likely to be breached by outsiders looking to permeate an organization and collect valuable data. 

While some of these hacks are a little more “simple” in nature — such as outsiders trying to guess a password using manufacturer-set passwords — others are more complex, such as a denial-of-service attack, where attackers attempt to overload the system by flooding the target with excessive demands and preventing legitimate requests from being carried out. When the flood comes from many sources at once, it is virtually impossible to stop the attack by blocking a single source.

As a result of these potential threats — and to help manufacturers deliver best-in-class products — it's imperative that vulnerability testing is done throughout a product's development, starting at phase one in the process.

This includes analysis of the type of cyberattacks that can potentially attack, breach and disable a system. Many manufacturers attempt to hack their own products from within the organization — or even go as far as hiring a third-party professional group to do it for them.

Success In A Volatile Technology Landscape 

This kind of development puts a product through rigorous levels of testing, and once weaknesses are exposed, they can be patched up and the cycle of attack-and-defense can take place until the product is protected fully and ready for market.

Skipping this step in the development process can open manufacturers up to significant liability, so it's important for this testing to take place and corrective actions be taken to rectify gaps in security. The more extensive an organization's security testing approaches are, the better are its chances of succeeding in an increasingly volatile technology landscape. 

But the testing doesn't stop in the development stage. Attacks on a system continue long after the product has been introduced to market, requiring continued updates to be made available in an effort to protect customers. Manufacturers are tasked with releasing further firmware updates so that a product in the field is ready to deal with the latest critical bugs that can affect the market.

What End Users Demand From Security

We're seeing a significant shift in the education and demand from a customer perspective. In the past, consumers took the advice of integrators and consultants as far as the “right” security systems to install for their needs. Today, the self-education of end users is on the rise as more and more IT departments become involved in the selection and investment of physical access control systems.

A larger number of end users are demanding security products that meet IT standards of network protection, and they take these considerations into account when working with integrator partners on the selection of systems to meet their needs.

As a result, manufacturers are tasked with not only developing robust IoT-centric products, but also continuing to be involved on a regular basis in an effort to continuously keep organizations safe. 

A comprehensive security strategy from manufacturers must involve multiple levels of product selection, testing and integration — centered on the team-based approach to implementing training and protocols within an organization.

While manufacturers are stepping up their game in the development of robust products, this remains a team effort that must be addressed every week — not something you implement, then forget about. The safety of data — and the entire organization — depends on it.


Author profile

Kim Loy Director of Technology and Communications, Vanderbilt Industries
