Page 24 - Security Today, May/June 2024

That is a lot of background, but what does it mean for security specifically? Ultimately, it is up to end customers to decide which security frameworks to adhere to, but manufacturers and developers can be confident that NIST CSF will continue to be among the most common, especially in the United States. That means they have a vested interest in ensuring that their devices make it easy to integrate with cybersecurity systems and implement effective governance capabilities.
Security integrators, especially those that do business with the government or government contractors, will do quite a bit of compliance work, and NIST CSF is likely to be one of the frameworks they use. Working directly with those integrators can help manufacturers and developers better understand how to enable their devices to adhere to NIST standards, which will in turn make them more attractive to customers.
NEW “U.S. CYBER TRUST MARK” PROGRAM LAUNCHES FOR IOT LABELING
While NIST CSF applies to general cybersecurity readiness, the government recently introduced a new measure aimed specifically at IoT devices. The U.S. Cyber Trust Mark initiative is a voluntary labeling program for IoT devices designed to help consumers make more informed purchasing decisions when it comes to security sensors and other connected devices. Like the “Energy Star” label found on energy efficient appliances, the Trust Mark logo will serve as an FCC-backed certification that devices have met the minimum security standards outlined in NIST IR 8425.
This initiative has been a long time coming. Attackers have been exploiting poorly secured IoT devices for as long as these devices have been around, as anyone who remembers the Mirai Botnet can attest. Back in 2016, Mirai became one of the most disruptive pieces of malware in history, exploiting default password settings to infect millions of IoT devices, which were then used to conduct massive, distributed denial of service (DDoS) attacks.
While there were some security standards implemented in the wake of Mirai, such as requiring password updates for new devices, IoT devices remain broadly vulnerable today. While the program is a voluntary one, it is clear that both integrators and end users will want to prioritize devices that bear the Trust Mark logo.
The United States has traditionally been slow to adopt these measures, which means this is a crucial step in the right direction. Interestingly, Singapore has been one of the nations at the forefront of IoT labeling, and the country’s “Cybersecurity Labeling Scheme” has helped pave the way for other regulations across the globe. There is certainly some overlap with the U.S. program, and while official reciprocity doesn’t yet exist, it’s likely that global IoT regulations will continue to converge over time.
THE CHALLENGE OF AI AND CYBERSECURITY
AI-based analytics have been used for security purposes for some time, helping organizations adopt a more proactive and predictive security posture rather than a reactive one. What’s more, AI has enabled much more effective data processing at the network edge, which means businesses no longer need to send all of their data to the cloud to be analyzed.
An IoT device with deep learning capabilities can apply the AI model as the entire data set is being generated, which is particularly important for video, as it allows the device to run AI models on the raw imaging data, rather than the compressed data sent to the cloud. This dramatically reduces both bandwidth and cloud storage needs and has made AI more accessible than ever to a wide range of organizations.
At its core, AI is just data science, and understanding how to secure the data AI both uses and generates continues to be a challenge. The updated NIST guidelines underscore the fact that data governance is a growing priority for both organizations and regulatory bodies, which means today’s businesses need a plan.
Responsible AI use is also an important consideration, as privacy and ethical concerns remain significant. Employees need to be trained in appropriate use of AI solutions, but manufacturers and developers also need to take precautions to limit the potential for misuse. This, too, ties into governance. Ensuring that personally identifying information (PII) is obfuscated can help address privacy concerns while also reducing the data’s value to attackers. It is also important to protect the AI model itself, as it represents valuable intellectual property and could be an attractive target.
While AI security can be a challenge, organizations have more guidelines than ever to help them shape their security programs. A growing number of regulations are emerging, including the recent EU AI Act and the Biden administration’s Executive Order 14110, to govern the development, use, and protection of AI, providing organizations with a helpful set of guardrails to ensure they are using AI securely and responsibly. With more regulations on the horizon, both manufacturers and end users of security devices should set themselves up for success by prioritizing compliance from an early date.
DON’T WAIT FOR A BREACH TO PRIORITIZE CYBERSECURITY
Physical security and cybersecurity are no longer as separate as they once were, and understanding how to secure IoT devices, particularly those equipped with AI-based capabilities, is increasingly critical for today’s organizations. This is particularly true as a growing emphasis on responsible governance, risk and compliance (GRC) practices has put more scrutiny than ever on the way physical security devices are secured.
Fortunately, both government and nongovernment entities are putting forth regulations and frameworks designed to help organizations do a better job protecting their devices, data and users. As attacks on IoT devices continue to increase in both volume and severity, maintaining compliance with those frameworks will be essential. Modern businesses cannot afford to wait until a breach occurs. They need to ensure that securing their physical security devices is a priority.
Wayne Dorris, CISSP, is the program manager, Cybersecurity at Axis Communications.