Steve Kenny, Industry Liaison, Architecture and Engineering at Axis Communications; ASIS UK Chapter Director of Systems, Information and Cybersecurity, looks at the challenge of security and IoT implementations.
The demand for connected IoT devices is increasing. Buoyed by the productivity, security and efficiency benefits, firms worldwide have been flocking to install the latest IP technologies on their IT networks. However, this has often been done with little thought to the security ramifications. That is perhaps why new vulnerabilities are being reported all too regularly, and why personal data is being left exposed to malicious third parties.
A recent, and incredibly concerning, example details how hackers broke into many schools’ CCTV systems and streamed live footage of pupils on the internet. This is a big problem, especially with recent advent of the GDPR legislation.
At Axis, we believe that as a result of the increasing use of IoT devices in facilities across the world, security consultants should consider providing more information regarding the cybersecurity of such technologies. This should be included within the video surveillance system performance specifications.
Detailing security information from the outset
Traditionally, performance specifications have been based on operational requirements alone. Under the EU GDPR, privacy must be built into all IoT devices from the beginning and at the design stage, as the new regulation requires manufacturers to adopt a ‘data protection by design’ approach to any product or service being developed. The problem is that without detailing such information within a performance specification, a user can be put at great risk.
It is well documented that some devices are inherently more secure than others, but when the only available comparison is product or technical features on a datasheet, rather than ‘data protection by design’ and security hardening information, an end user could end up installing a system that doesn’t have effective cybersecurity measures built in.
That is why we strongly believe that areas beyond the technical capabilities of a system should be included within a performance specification. The UK Government’s security design review, developed by the National Cyber Security Centre (NCSC), makes it clear that companies should integrate sufficient security mechanisms into all devices. This information should also be reflected in a device’s performance specifications, allowing end users to make informed decisions with a greater understanding of how secure the technology they are procuring actually is.
The security information supplied shouldn’t end there. Vendors and suppliers should also be providing installers and end users with best-practice security advice to ensure continued cybersecurity post-installation. This should include vulnerability policies and hardening guides, as well as adherence to government endorsed accreditations, including Cyber Essentials. These all highlight a manufacturer’s dedication to cybersecurity and ‘data protection by design’ within its technology and business processes.
In the example given previously, where a number of school video surveillance systems were hacked and video streams put onto public websites, after analysing the reports we felt that this breach could have been mitigated by specifying a ‘secure by default’ technology.
If the correct security information had been given to the end user within a device’s performance specification, a more secure solution may have been installed in the first instance.
Increased security transparency is crucial to ensure the enhanced, and continued, cybersecurity of IoT technologies.