Cybersecurity credentials critical for resilient physical security

Steven Kenny, Industry Liaison Architecture and Engineering at Axis Communications,  examines the potential threats that stem from improperly secured systems and looks at what measures can be taken to ensure their security.

Smart technologies and environments play an increasingly important part in our everyday existence. Smart cities are evolving, using connected devices and applications to manage and maintain basic services that capitalise on efficiencies, and generally improve our lives. Smart homes and businesses are adopting the ubiquity of connected devices to enhance productivity, reduce friction and transform how systems interact with one another.

The connected future, postulated by conversations around the Internet of Things (IoT) over the past 10 years, has arrived. Yet few realise that these technologies are still in their relative infancy. The devices, the connectivity touchpoints, the vulnerabilities – these present relatively new challenges that have to be overcome to ensure data, citizen and corporate security. For the IoT to succeed, it must be developed with a clear eye on both the physical and virtual environments, using best practice and reliable, certified partners to ensure a resilient security posture.

State of play
The cybercrime landscape continues to present a significant threat, particularly with regards to the IoT. According to Gartner, more than 13 billion connected devices are expected to be in use by 2020, and McKinsey estimates that, by 2025, IoT systems could contribute around £155-270 billion to the global economy thanks to more efficient energy and labour management[1].

Yet, amidst these statistics lies the concern, as highlighted by the UK government’s Cyber Security Of Consumer Devices report, that insecure devices can compromise privacy, they can be hijacked and they can be used to disrupt services and lives. The UK National Cyber Security Strategy was established specifically to focus on security across both the physical and cyber realms, and regulations are being continuously updated to ensure that security remains at the forefront of the technology conversation.

The introduction of regulations such as the General Data Protection Regulation (GDPR) and the NIS Directive (directive on the security of network and information systems) have been put in place to ensure that organisations are paying attention. With GDPR, an organisation is held liable for any breach, especially if this is found to have been achieved through poorly managed security systems and applications. One of the biggest threats to security is a lack of understanding around the vulnerabilities that exist in physical devices.

Often, cybersecurity – that is, security focusing on the virtual threat – is given priority. Few realise that a layered cybersecurity approach is critical, as is working with products, services and solutions that are certified, compliant and designed with these risks in mind. A truly robust and holistic approach to security recognises that each piece of technology plays a role in ensuring that a whole system is secure.

Credentials that ensure security compliance
Ensuring high levels of security throughout the supply chain continues to present a challenge. Physical IoT devices, such as IP cameras, that do not meet the required standards ultimately pose a threat to the entire chain, no matter how sophisticated or expensive the cybersecurity investment. An improperly maintained or insufficiently tested piece of equipment could enable backdoor access to malicious parties, putting systems, people and business operations at risk of attack. This risk can be mitigated by working with certified service providers that embed security at the granular level.

The right technologies are those that are deemed secure and fit the requirements of the NIS Directive. In the physical security arena, Secure by Default accreditation, awarded by the Surveillance Camera Commissioner (SCC), Secured by Design, a stamp of approval from the Police Crime Prevention Initiative (PCPI), and Cyber Essentials Plus, a certification awarded by the National Cyber Security Centre, are accolades that provide proof of a manufacturer’s security credentials and verification that its products and services are designed and built with security at the forefront.  

These credentials play a role in forming the strategic implementation of solid security goals that are aligned with regulation and best practice. It’s important that an organisation establishes that the solutions they are considering have appropriate certifications, will operate with other devices or as part of an overarching platform, and to discuss how security is managed and maintained across the ecosystem. Those installing security technologies can benefit from training and education, provided by an approved provider or device manufacturer, which will cover best practice and explore appropriate measures to ensure high levels of security throughout a project.   

The success of the IoT should not be hampered by weaknesses in physical systems. The potential for its continuing success is too great to be lost to a forgotten IP-flaw. The challenge does not lie in how to create the ultimate IoT platform, but in securing it across every touchpoint and unexpected vulnerability. Stakeholders should seek reassurance that those organisations operating with credentials that prove that they take security seriously, have achieved significant standards in security and design, and that they can demonstrate that their products meet the minimum requirements expected in terms of cybersecure surveillance and resilience.

Steven Kenny – Industry Liaison, Architecture & Engineering at Axis Communications

Steven Kenny has spent 15 years in the security sector taking responsibility for key elements of mission critical, high profile projects across a number of different vertical markets. For the last five years, Steven has focused his attention on how technology can best complement day to day business operations, specifically addressing operational issues and supporting the A&E consultant community across Northern Europe. Steven is the Director of Systems, Information and Cybersecurity for ASIS International – UK Chapter, and is the UK technology advisor for TINYg (Global Terrorist Information Network).