someone who can communicate IT poli- cies and work with the integrator to ensure that devices are configured to fit within that policy. For example, a primary policy would be that any device that’s installed on the net- work, whether it’s a server, workstation or an IoT device, must communicate using encryp- tion over the customer’s local area network in order to lower the risk of cyberattacks.
Based on that policy, any IP camera that’s installed must enable encryption, and the video management system will need to be able to read the encrypted communica- tion from that camera. Going a step further, when drafting these policies, end users also have to take mobile devices into account and establish a policy that protects the organiza- tion’s network from being compromised by an individual’s personal device.
Policies play an integral part in overcom- ing the human element. Another factor is having tools that make it easy to maintain consistency when deploying cybersecu- rity features in IoT devices. For example, if someone has to individually configure hun- dreds of different devices one by one to make them secure—especially if you have multiple people doing it—the human factor takes over, and mistakes can be made.
Finding the Right Fit
For integrators, the road to strong cyberse- curity starts with selecting products that can deliver strong cybersecurity for protecting customers’ networks. When selecting solu- tions for end users, it’s important to look for products that offer features that fit into the customer’s security policy. This could include encryption, IP address filtering to restrict who and what can access a device, digitally signed firmware, or secure booting, which will halt the boot process if foreign
code is introduced to the device.
However, when installing and deploying
devices, it’s not practical to simply turn on all the security features, drop it into an enterprise environment and hope that it works. IoT relies on interconnectivity and communication be- tween devices, so there needs to be coordina- tion between the necessary connections, and communication has to be encrypted.
Keep in mind that not all encryption is the same, meaning that whatever encryption is running on the edge device must also be running on the server it’s connecting to. Oth- erwise, they simply can’t communicate, which completely undermines the core benefit of the IoT.
This means each end user will require some degree of customization in the configu- ration of devices, so integrators have to make sure they and their staff have the right skills and that they’re properly communicating with the end user to make sure their security needs are heard and addressed. Additionally, the level of customization and the end user’s cybersecurity needs must be dictated by estab- lished policies.
Many manufacturers also provide a hardening guide that details how to best secure their devices. This can be an invalu- able tool for integrators and end users, but it can’t replace the need for an organization to have a security policy in place and then use the hardening guide to determine which specific features can be implemented to fit into that policy.
Another key factor when looking at products is to identify a manufacturer that adheres to cybersecurity best practices such as strong encryption and a variety of addi- tional security features that deliver the high- est level of protection for devices. They must also be open and transparent so that when
a vulnerability is discovered in one of their devices, they will alert customers and provide a fix as soon as possible.
Managing IoT Device Lifecycles
An unfortunate reality is that all devices will eventually expire or at the very least, reach the end of their useful life. For example, an IP camera could have a functional lifetime of upward of 10 to 15 years. However, secu- rity vulnerabilities will change quickly and dramatically over that period, which makes it difficult for manufacturers to keep provid- ing the updates required to keep those cam- eras protected in an evolving cybersecurity threat landscape.
The good news is that in many cases, this can be predictable, provided an organization is engaged in some sort of structured life- cycle management program. Implementing, monitoring and managing life cycles provides organizations with the ability to better plan for introducing new technology into their environment. Lifecycle management also al- lows organizations to keep pace with new and emerging cybersecurity threats while ensur- ing they are using the appropriate and most advanced technologies to minimize security threats and vulnerabilities and avoid the neg- ative costs associated with cyber breaches.
This process also allows organizations to identify those devices that may be nearing the end of their useful life or that are too outdat- ed for the manufacturer to provide support- including firmware and operating system updates-making them susceptible to risk.
Regardless, these devices must be replaced with newer solutions that offer up-to-date cybersecurity features and are supported by the manufacturer. In addition to security, the hallmark of a good lifecycle management program is the ability for an organization to plan and budget for replacing a certain num- ber or percentage of devices each year rather than facing an expensive replacement of an entire system or major component.
Given the number and variety of net- worked devices available today, applications of IoT networks would seem to be limited only by the imagination. The combined data generated by these interconnected systems offer tremendous potential to deliver deep insights and intelligence that have never be- fore been possible, provided IoT devices and networks are properly designed, deployed, managed and secured. These best practices will help manufacturers, integrators and end users harness the true power of the IoT.
Ryan Zatolokin is the business develop- ment manager, Senior Technologist, at Axis Communications.
28
0919 | SECURITY TODAY
COVER STORY
SergeyBitos/Shutterstock.com