The cybersecurity and device management checklist

Cybersecurity for intelligent buildings


Managing physical security systems in intelligent buildings throughout the lifecycle and beyond requires taking inventory, addressing threats and planning for the future, says Ryan Zatolokin, Senior Technologist & Business Development Manager, Axis Communications.

Cybersecurity and the intelligent building

Today’s smart buildings consist of many devices and sensors, including security devices and systems on which communication, data and daily operations occur.

Once a new security system or device is installed and functioning, it can be easy to forget about long-term maintenance.

However, just like any other internet of things (IoT) device that communicates, shares and provides data within the network, if left unmanaged or unsecured that device can pose cybersecurity risks or potential operational interruptions to the organization throughout the product’s lifecycle.

For this reason, it’s important for security professionals to approach cybersecurity and device management intentionally and holistically to keep devices and systems functioning to expectations, while ensuring the organization remains protected against cyber vulnerabilities, intelligence leaks and other risks.

A cybersecurity checklist is critical to protecting physical security infrastructure, but stakeholders should not approach the task with a one-and-done mentality.

To mitigate risk and efficiently maintain today’s intelligent buildings, comprehensive cybersecurity and device management strategies must evolve and mold to an ever-changing threat landscape, keeping the following steps in mind along the way.

1. Take inventory

Organizations must have a complete view of the inventory they are protecting, including every server, IoT device, user and type of data.

A comprehensive list will go a long way in helping to manage security devices and maintain a proactive line of defense.

If stakeholders don’t know which devices they are trying to support, the result is an environment of guesswork and reactive decisions.

When conducting asset inventory for the first time, it’s not uncommon to find devices that are no longer functioning or that have inactive, temporary or redundant users.

Every additional user, expired certificate or unsupported device on a network poses a potential security risk.

For smart buildings with hundreds or thousands of devices and sensors, a full inventory can be a daunting task.

Device management tools exist to help automate the job.

Such tools are helpful in pulling reports and recording model numbers and current versions of software and firmware – all of which come in handy to maintain a secure environment into the future.

2. Determine the risks

In addition to understanding what the organization is trying to protect and the specific threats against it, a risk assessment will help determine the likelihood of individual risks and what level of security needs to be deployed to mitigate them.

While each organization has a unique threat landscape, there are a few risks that most organizations have in common.

One set of assets potentially at a high degree of risk from an attack is data.

While the type of data being shared, communicated and/or collected may differ from one organization to another, steps must be taken to ensure the data is safe from inside and outside threats.

Older or outdated equipment presents an added vulnerability.

If any device, such as a camera, occupancy sensor or card reader, is no longer supported by the manufacturer, organizations can be left with additional holes in their lines of protection.

3. Define a clear policy

Though taking inventory and understanding potential risks is essential to device management, without an all-encompassing IT policy to equalize decisions and actions across the board, an organization is left to make decisions one device at a time – hardly a scalable solution.

A clearly defined IT policy takes ownership off one individual and creates a risk mitigation plan that is policy driven rather than individual driven.

It also allows the organization to execute long-term plans to ensure secure operations into the future without interruptions.

The most effective IT policies look at all buildings, devices, systems and services across an organization and establish a baseline of how everything is protected and the steps to be taken when something is not.

IT policies should define device management protocols as well as user access and other privacy and security tools the organization will deploy to protect its assets.

4. Address the risks

Just as in designing a physical security system, the best line of defense against cyber vulnerabilities and operational disruptions is layering mitigation tactics and device management procedures.

Organizations should look at the cybersecurity and privacy features in their existing devices and device management tools.

Potentially sensitive data and information should be encrypted across all devices on a network.

Many built-in security features can boost protection, including automating retention and encryption, blurring faces or other identifying features on camera footage and conducting reports to ensure compliance.

Take a look at what data can be shared internally and externally and how long that data is kept.

Automated tools can ensure that file transfer protocol (FTP) and secure shell (SSH) services are closed on devices, keeping the handling of the system’s data in line with up-to-date security compliance.

Lifecycle management, meaning replacing and/or upgrading products with newer features, patches, bug fixes and tools, is also imperative to keeping systems secure and operational.

Staying on top of system updates will help address vulnerabilities and mitigate larger risks.

While keeping large ecosystems of devices updated and in working order can seem like an uphill battle, automated device management tools can do the heavy lifting by tracking updates, warranties, etc. and alerting personnel when an update is available.

Even with device management tools, however, some organizations put off software or firmware upgrades for fear of operational disruptions or system instabilities.

The truth is, putting off updates can be risky and more painful than keeping devices current and properly managed throughout their lifecycle.

Why? If a device or software is five or six years old and no updates have been done, adopting the latest update to bring it up to speed is more likely to disrupt operability than staying current with small incremental updates.

The longer a device goes unmanaged, the higher the chance it will become incompatible across systems or cause an unexpected operational disruption.

For organizations concerned that new features may disrupt operations, some automated device management tools offer a long-term support (LTS) track, which gives the flexibility to freeze function or feature updates, while still ensuring devices are continually maintained with security fixes and patches.

5. Focus on least privileged accounts

Another layer of protection that will aid in proactively mitigating threats to physical security systems is focusing on user access.

Privileged access should be used to control and monitor who has access to the device and system data.

Perhaps ten people have access to view cameras, for example, but only two or three people have access to download and share video data.

Limiting access to sensitive data helps ensure the integrity and security of that data.

Once appropriate user access is determined, organizations should employ tools to ensure that the users accessing those systems are who they say they are.

Built-in password protections such as multi-factor authentication can help.

Organizations can employ biometrics, one-time passcodes, security tokens or access cards as an additional form of authentication.

Shared passwords not only pose a risk, but also make it difficult to manage forgotten users, track individual access and scale access at a growing organization.

Eliminating shared passwords to individual systems and devices will add another level of security and transparency to the infrastructure.

A beneficial strategy for managing devices as well as access is to use a video management system (VMS) as the access point for security data within the organization.

By giving authorized users access to specific cameras through the VMS, for example, the users can accomplish the tasks they need to complete without having direct access to each individual device on the network.

Such a strategy yields a level of transparency to user access and gives flexibility to limit specific access to individual software features, cameras or reports.

6. Plan for the future

For daily operations to remain consistent, long-term planning should include device management that monitors how old devices are and where each is in its lifecycle.

Keep track of the following information across the organization manually or with the help of a device management tool or built-in hardening tool:

  • Is the device still supported by the manufacturer?
  • Is the manufacturer still making upgrades and software for the device?
  • Is the device still covered under a warranty?
  • When is the end-of-support date upon which the manufacturer will stop making software for the device?

Looking at the inventory and lifecycle information of devices across the organization allows for long-term planning and budgeting before devices become a risk.

A clearly defined IT policy should stipulate when devices will be replaced.

For example, some organizations may replace or upgrade once a warranty is no longer valid, while others will replace devices before the end-of-support date when security patches and bug fixes are no longer provided.
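The lifecycle questions and the two replacement policies above can be run as a repeatable check over an inventory export. The following is an added example, not code from the article or from any vendor's tool; the record fields, finding labels, sample devices and the 180-day planning window are all assumptions, and it also flags the expired certificates mentioned under step 1.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Device:
    # Hypothetical fields; map them to your device management tool's export.
    name: str
    model: str
    firmware: str
    warranty_end: date
    end_of_support: Optional[date]  # None: manufacturer has announced no date
    cert_expiry: Optional[date]     # None: device holds no certificate

def audit(devices, today, policy="before_end_of_support", window_days=180):
    """Return {device name: [findings]} for devices that need action.

    policy "warranty": replace once the warranty is no longer valid.
    policy "before_end_of_support": replace before security patches stop.
    """
    horizon = today + timedelta(days=window_days)
    report = {}
    for d in devices:
        findings = []
        eos = d.end_of_support
        if eos is not None and eos <= today:
            findings.append("UNSUPPORTED")        # already past end of support
        elif policy == "before_end_of_support" and eos is not None and eos <= horizon:
            findings.append("PLAN_REPLACEMENT")   # budget for it now
        if policy == "warranty" and d.warranty_end <= today:
            findings.append("WARRANTY_EXPIRED")
        if d.cert_expiry is not None and d.cert_expiry <= today:
            findings.append("CERT_EXPIRED")
        if findings:
            report[d.name] = findings
    return report

# Constructed sample inventory (not real devices or dates).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("lobby-cam-01", "CAM-A", "10.12.1", date(2026, 1, 1), date(2029, 1, 1), date(2025, 1, 1)),
    Device("dock-reader-02", "RDR-B", "3.4.0", date(2022, 5, 1), date(2024, 9, 30), date(2024, 3, 1)),
    Device("roof-sensor-07", "OCC-C", "1.0.9", date(2019, 1, 1), date(2023, 12, 31), None),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "->", ", ".join(findings))
```

Running the same inventory under both policies shows how the choice written into the IT policy changes which devices appear on the replacement list and when.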

While each organization’s policies and mitigation procedures may differ depending on the unique threat landscape, the universal steps for any organization should include taking inventory, analyzing threats, mitigating threats and planning for the future.

Taken together, those steps will help ensure a secure environment and an intelligent facility every step of the way.

This article was originally published in the April edition of Security Journal Americas.
