All Security Is Cybersecurity

Security Industry Association (SIA)

At the most recent ASIS Annual Seminar in September, I spoke on two different panels about the rise of the Internet of Things (IoT) and its likely impacts on commercial security. In both cases, the conversation started off describing all the amazing new capabilities that these billions of tiny new sensors and controllers would bring. But the talks soon flipped to the threat posed by cybersecurity breaches, and whether that wouldn’t cripple IoT right out of the gates.

At first I wondered if the gravitational pull of cyber was just symptomatic of the IoT topic, but soon I noticed that all of the conversations I had at ASIS veered into the same ditch. I began to wonder if we could talk about anything in electronic security without getting mired in the cyberquestion, or whether we should.

My own favorite example of the dark future that may await us is the world depicted in the computer game called “Watch Dogs.” The game features an anti-hero who “can hack into the physical infrastructure to obtain and control information or destroy such devices completely.” The result of this dystopian vision is a paradoxical world in which the more electronic security devices we deploy, the less safe we are from those who can hack them.

But is this really what’s going on? And, if so, what can we do to stop it?

I think there are three broad directions we need to explore as an industry:

  • Standards
  • Voluntary testing
  • Public registries

First, we need to agree on some minimum standards for device security. There are many models and existing reference works from which to choose, so we don’t need to start from scratch. A great example of how this can work is what the payments industry did with PCI compliance. We should tailor standards for the unique risks posed by cameras, controllers, readers and other common security devices.

Second, voluntary testing is a way for companies to distinguish themselves and show customers that they care enough about cybersecurity to have their products certified. Mandatory testing would face huge resistance, but voluntary compliance offers the ability to leverage peer pressure and market forces to accomplish the same goal in a much less painful way.

Finally, end users need to be able to find out whether the security products in their properties pass muster. This is one of the issues I heard directly from a security practitioner in one of my ASIS audiences. He said they often lack a connection to the manufacturer of a particular device because the relationship is mediated by their integrator, and integrators don’t always forward information about product vulnerabilities. For this, we need public registries like the U.S. National Institute of Standards and Technology’s Common Vulnerability Scoring System for software-related cybervulnerabilities.

These three initiatives together would allow us to channel the discussions we’re all having into something constructive that moves the ball forward.

Various efforts at the Security Industry Association (SIA), including SIA Standards and soon-to-be-formed leadership groups focused on security industry cybersecurity, will look toward these directions and formulate some answers to the cybersecurity question so we can focus on the more fun capabilities of IoT-enabled commercial security.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).