As the IoT grows, so do the risks
- By Ryan Manship
- Aug 07, 2018
The advent of the Internet of Things brings with it a host of benefits to the public sector: greater efficiency in operations, expanded machine-to-machine communications, instantaneous access to new data points and much more.
In addition to the high-tech advances, however, widespread IoT adoption brings about a new concern of a comparatively low-tech variety for government entities: the impact on logical and physical security.
Doors, locks, cameras, sensors -- nearly all of these commonplace physical security controls are now networked in some way, which introduces additional complexity and additional risk. For federal IT executives, this gives rise to two critical security considerations: the role of physical security controls in the overall IT landscape, and the increased need for testing as a result of the growing logical and physical attack surface.
New devices, new risks
Whether it’s a biometric sensor at the door of a secure corridor or a LiDAR scanner collecting up-to-the-minute data from a public roadway, our new realm of connected devices is responsible for a rapidly evolving and ever-changing set of security requirements.
The pace of growth isn’t set to slow any time soon. In one example, a global growth forecast by Frost & Sullivan reports the market for sensors in security and surveillance applications is expected to reach $12 billion by 2023, up from $6.3 billion in 2016.
So how do these connected devices -- the physical layer of the IoT architecture -- contribute to the overall security of your organization? Consider their impact on perimeter security, intrusion detection, access control systems, and more.
Another complicating factor in the evolving physical security landscape is our nation’s aging infrastructure. The American Society of Civil Engineers estimates that aging infrastructure will cost American businesses some $1.2 trillion by 2020.
As physical structures age and deteriorate, the risk grows for interconnected failures across diverse networks, systems, and applications. Where do connected devices come into play in your organization’s or department’s infrastructure investment?
There are no cut-and-dried answers to these questions, but they’re critical to consider with key stakeholders each time you review your cybersecurity plan, which should be at least annually.
New risks breed new testing needs
The introduction of new, networked physical security controls and the growth of the physical security landscape also means there will be an increased need for testing the cyber and physical aspects of security control implementations.
Compliance with standardized security guidelines is a good start, but on its own is not enough. It’s important to understand that compliance is the minimum required to protect your data, networks, applications, and facilities. Compliance should be viewed as a starting point, not a finish line.
The North American Electric Reliability Corporation recommends testing physical access control systems once every 24 months, but as the trends described above show, a lot can happen in two years. We recommend federal entities conduct third-party physical penetration testing at least annually.
By being mindful of the connection between physical security controls and their implications for your overall security posture, you’ll be better equipped to respond to and safely thrive in the dynamic IoT space.
Ryan Manship is the president of offensive security firm RedTeam Security.