The Internet is replete with literature on Physical Security (PS) and the Internet of Things (IoT). However, not much is available on a clear association between the two and the implications of the combination for facility management. Everyone, let alone people in the security industry, has some concept of Physical Security; however, not many are aware of the Internet of Things, its linkage with physical security and its implications for a security manager. This article will attempt to touch upon the lesser-known areas to draw pertinent lessons.
There are innumerable definitions available on the internet; however, to serve an ordinary reader, the following definition has been chosen:
“Physical security is the protection of men, material and physical assets from actions or events that could cause damage or loss to any extent”.
In simpler terms, physical security means security measures designed to deter or deny unauthorized access to people, facilities, equipment, etc. and protect them from any harm. The harm could be theft, espionage or physical attacks. Physical Security is best explained as the intelligent use of multiple layers of interdependent systems, including but not limited to the following:
- Armed security guards
- Closed-Circuit Television (CCTV) surveillance
- Perimeter intrusion detection systems
- Barriers to protect facilities
- Complex locks
- Modern access control systems
- Latest fire protection systems etc.
Internet of Things (IoT)
The term Internet of Things was coined by a British consumer sensor expert, Kevin Ashton, in 1999 to describe the network connecting objects in the physical world to the Internet.
What is IoT?
Owing to huge technological advancements over the years, resulting in low-priced, high-speed computers and sensors, it is now possible to turn anything and everything into part of the IoT. We connect to the internet and other digital networks using our smartphones, laptops, computers, etc. to chat, share information, and so forth. This means that the Internet, essentially, enables us to connect to “things” already connected to the internet. The collective term for all these connected devices (things) is the Internet of Things or IoT.
In simpler terms, the Internet of Things refers to an array of devices, machines, or even objects that are interconnected and able to gather and transfer data over a wireless network without human intervention. The ‘thing’ in the IoT refers to any connected device, such as a mobile phone or a connected automobile with sensors alerting the driver to dangers or other issues (fuel, tire pressure, etc.). Adding sensors (indispensable enablers of IoT) to these interconnected devices adds a level of digital intelligence to devices that are otherwise not intelligent. This enables these devices to communicate without human involvement. As per the data from Juniper Research, the number of connected IoT-enabled devices, sensors and actuators will reach over 46 billion by the end of this year. With insufficient security standards supporting the proliferation of these devices, organizations, individuals, and in fact, everyone will remain exposed.
The dark side of IoT-enabled devices is that many smart devices like security cameras, smart televisions and smartcard readers are shockingly easy to hack into. In 2019, at the annual Black Hat conference, Microsoft revealed that a group of hackers had been using IoT-enabled devices to carry out corporate attacks, which could have had serious repercussions had they not been detected.
Applications of IoT
Smart Homes: IoT has made homes far more secure and smarter, as it can connect a host of sensors, alarm systems, cameras and even microphones to provide security at all times. All of this can be controlled from a simple smartphone. Imagine a world where your IoT-enabled coffee maker automatically turns on and brews a cup of coffee only after you wake up, without your pressing a single button, and where you can switch off the lights even after having left home or switch on the air conditioner well before reaching home.
Wearable Devices: Wearable devices have changed the dynamics altogether and seen a huge market around the globe. Companies like Samsung, Apple, Google, etc. are investing a lot in these devices. These devices have sensitive sensors installed in them which collect and later process the data for user benefit. From sensing your temperature to getting data for entertainment purposes, these low-powered, highly sensitive, energy-efficient devices have revolutionized the tech industry in the domain of IoT.
Industrial Security and Safety: Cameras along with sensors can be integrated to monitor the perimeter of sensitive locations and detect any trespassers in unauthorized areas. Likewise, leaks of hazardous materials/chemicals or changes in pressure can also be gauged and fixed well before they cause graver problems with the help of IoT-enabled detection devices.
Motion Detection: Sensors/IoT-enabled devices can be used not only to detect minor vibrations in larger buildings and so reveal disturbing patterns that could lead to catastrophic failures; they can also assist in anticipating landslides, earthquakes, or even avalanches.
Physical Security and IoT – The Linkage
The rapidly changing advancements in emerging IoT enabled devices have already begun to transform electronic security systems that protect physical assets. As per one estimate from Fortune Business Insights, the global IoT market stood at USD 250.72 billion in 2019 and is projected to reach USD 1,463.19 billion by 2027.
IoT Affecting Security Systems
Imagine a scenario where an intruder is able to bypass the security mechanism and access a facility’s IoT enabled devices, unlimited information, secret authorization codes etc. Once able to access the system, the hacker can play havoc with an otherwise well placed, well-articulated Physical Protection System (PPS).
Smart Cards: Almost all important facilities/installations in today’s environment are secured with modern physical access control systems using smart cards for identification/verification. By merely placing the card near the access control system card reader, authorized persons can access the facility. Alarmingly, most access control systems are operated via a web-based dashboard allowing a user to log in remotely either to access the facility individually or to grant access to someone else in the facility. This can be potentially dangerous, as the bad guys (hackers) may try to intrude and grant access to unauthorized individuals, which could lead to theft, damage or even corporate espionage.
Smart Locks: Smart locks are IoT-enabled keyless entry devices that offer convenience by allowing users remote access to door locks through their smartphones or any other internet-connected device. While some smart locks are totally independent, many also allow a physical key that can act as a backup in case something happens to the smart lock. While there are a few benefits associated with smart locks, like checking the lock’s status once you have already left, giving remote access to people of your choosing and getting a notification the moment the door is opened, these smart locks can always be hacked into and exploited.
Digitally Operable Barriers/Gates: Though intelligently placed IoT-enabled electronic barriers/gates reduce human intervention and the chances of error to a considerable extent, such a system is vulnerable to hackers who can access these IoT-enabled devices, open the gates and lift the barriers remotely at will. This would expose the PPS, no matter how strong or well placed it is.
Smart TVs: Smart TVs offer a host of attractive services including streaming apps, internet access, microphones, high-definition cameras etc. However, since they are connected to the internet, they also send your data and viewing activity to anyone capable of getting it. Imagine a situation where you have an excellent PPS in place at a facility, yet the attackers do not have to physically come to the facility and can gather the required information through your smart TV.
IoT affecting Safety Systems
IoT has given the concept of safety a whole new dimension. With IoT-enabled devices connected all around us, physical threats have merely become optional or even undesirable. In a world where biometrics, facial recognition, verbal instructions, etc. are becoming the new norm, safety aspects can never be overlooked.
Categories of Hazards affecting Safety
Direct Hazards: These hazards are associated with the direct use of IoT devices. For example, it is comforting to be able to switch on (preheat) your microwave oven remotely while you are away from or on your way to your building. However, it can be hazardous if a faulty instruction is sent while no one is watching it, or if some hacker sneaks in and switches it on at a very high temperature or re-programs it.
Indirect Hazards: These hazards are not directly associated with the IoT-enabled devices but could trigger a safety or even security issue. For example, imagine a situation where a building’s smart door starts to open automatically, either due to malfunction or due to a deliberate attempt by a hacker, over a weekend when no one is watching, creating a safety as well as a security concern.
Fire Alarm System
The most important application in the domain of safety is probably the use of sensors in buildings. IoT-enabled temperature sensors are placed in buildings to gauge the normal temperature at all times; however, special programmable humidity- and heat-proof sensors are generally used to detect the temperatures of fires. These sensors not only record the temperature change but also indicate its intensity, location, and direction of spread, which helps the firefighters in overcoming the fire.
However, these IoT-enabled sensors can become a threat. Imagine an experienced hacker able to sneak into a fire suppression system and either disable or even trigger it at a time of his choosing. The worst part is if a hacker can hack the IoT-enabled fire control system and portray that everything is fine whereas actually, it is not. This could certainly be extremely undesirable.
Personal Protection Equipment
IoT-enabled devices can share data automatically into a Health and Safety (H&S) software system that can track who is using which equipment and when. This will allow only authorized and well-trained employees to use the equipment. If the employee’s RFID card is linked with his/her completed safety training record, they will only be able to use machines/equipment that they have been trained on. The system will also be able to send a notification to his/her line manager as regards his/her training needs, access attempts, etc. However, owing to the internet, the hackers can also access the sensor technology and breach the system.
We live in a world where everything will be connected to the internet in days to come. Hence, the solution does not lie in getting away from this but rather in finding alternatives to make the internet, as well as the things that connect to it, more secure. A few measures to achieve this are:
Interaction between Security Managers and Engineers: While physical security is primarily managed by security professionals, IoT is rather the domain of developers. These two sides need to interact with each other and transfer knowledge both ways – something that is not very easy. If the security managers – the custodians of physical security standards, policies, and PPS lag behind the developers, this digital divide may further deepen. Security protocols/methods need to be built into IoT-enabled devices at the beginning of the development process and not after its implementation.
Introduction to Cyber Security: To protect the buildings, facilities, physical assets, etc., cybersecurity will need to expand. It is very convenient these days to get a degree in computer sciences without taking any course in cybersecurity. As a result, software developers are woefully unprepared and lack even the basic cybersecurity knowledge which is why this aspect is not embedded in the devices they are developing. As per Harvard Business Review, even at Stanford, the only practical security course for computer science is offered as an elective. Our universities need to make curricula related to cybersecurity and offer subjects on cybersecurity as core courses and make developers realize its importance.
Diversity of Things and the need to have a Standardized Policy: Billions of diverse IoT-enabled devices will have to be secured. This diversity makes it difficult to adopt a standardized policy to cater to their protection. There are different standards by the host companies, for example, Apple, Google and Amazon have their own IoT standards for their IoT devices making the issues of compatibility and interoperability even more pronounced. There is a need to collaborate and develop and stick to standardized protocols to achieve protection from hackers.
Autonomous Behavior of ‘Things’: IoT devices communicate with each other at all times invisibly and in a way that is difficult to predict. There could be associated dangers in it that require extensive research.
Security testing/Feedback: In the development phase, testing should be given due importance. Detailed security scanning before implementation of code should be a matter of routine. Feedback needs to be sought from security managers and their opinion should be taken into account while re-designing devices/networks.
Non-Availability of Internet: What happens if the internet is compromised? Would it hamper the physical security of a facility, allow intruders entry without resistance, or jam the doors and prevent insiders from getting out? If the internet goes down, the security manager would be under the illusion that everything is secure unless they get notified by the ISP that the internet connection has been lost. One probable suggestion could be that all IoT-enabled devices employed in a facility should have a basic feature of alerting the security manager if they lose internet connectivity so that appropriate countermeasures can be incorporated in the PPS.
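A device that has lost its connection cannot send the alert itself, so one way to realize the suggestion above is to watch for missed heartbeats on the receiving side. The following is an added example, not part of the original article; the device names, heartbeat intervals and timestamps are constructed, and the three-missed-heartbeats threshold is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    device_id: str
    interval_s: int                    # expected seconds between heartbeats
    last_seen: Optional[float] = None  # time of the newest heartbeat received

class HeartbeatMonitor:
    """Receiving side: flags devices whose heartbeats have stopped arriving."""
    def __init__(self, devices, missed_allowed=3):
        self.devices = {d.device_id: d for d in devices}
        self.missed_allowed = missed_allowed  # assumed tolerance before alerting

    def record(self, device_id, ts):
        dev = self.devices.get(device_id)
        if dev is None:
            return False               # not in the inventory: report, do not track
        if dev.last_seen is None or ts > dev.last_seen:
            dev.last_seen = ts         # ignore stale or out-of-order heartbeats
        return True

    def silent(self, now):
        late = []
        for dev in self.devices.values():
            deadline = dev.interval_s * self.missed_allowed
            if dev.last_seen is None or now - dev.last_seen > deadline:
                late.append(dev.device_id)
        return sorted(late)

    def assess(self, now):
        late = self.silent(now)
        if not late:
            return "ok", late
        if len(late) == len(self.devices):
            return "all-devices-silent", late   # points at the site connection
        return "device-offline", late           # points at one device or segment

def demo_monitor():
    # Constructed inventory and heartbeat log: (device_id, time in seconds)
    mon = HeartbeatMonitor([Device("door-lock-1", 30), Device("gate-barrier-1", 30),
                            Device("fire-panel-1", 60)])
    log = [("door-lock-1", 1000), ("gate-barrier-1", 1000), ("fire-panel-1", 1000),
           ("door-lock-1", 1030), ("door-lock-1", 1060), ("fire-panel-1", 1060),
           ("unknown-cam", 1060)]
    for device_id, ts in log:
        mon.record(device_id, ts)
    return mon
```

Calling `demo_monitor().assess(now)` at increasing times shows the status moving from healthy, to a single silent gate barrier, to every device silent, which is the case the security manager would otherwise only learn about from the ISP.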
Though tech companies are working hard with security to protect their systems from cyber-attacks using the latest encryption principles and a strong authentication system to achieve secure communication between all elements of the system, the risk of getting exposed by the hackers will always remain. This warrants a modern end-to-end, reliable encrypted system without which the access control system will be the weakest link in the network that would expose the PPS to anyone.
Despite the sophistication of modern access control systems, such as card and biometric readers authorizing access via computer software, the traditional mechanical lock and key remain the most commonly used system for restricting access to corporate or institutional facilities and assets.
IoT is no longer in its infancy and presents a lot of vulnerabilities as well as threats, attributed mainly to rapid technological advancements and proliferated through lack of knowledge/awareness amongst all stakeholders. The problems identified above concern both the security managers and the developers, particularly at a time when the borderline between physical and virtual/digital life is difficult to draw. The article offers only a basic understanding of the problems and vulnerabilities, to create awareness amongst the masses in general and security managers/software developers in particular, in the larger public interest. Further in-depth analyses of each vulnerability and threat may be carried out.