Networked surveillance cameras fit the definition of IoT devices. They’re an evolution of formerly closed-circuit analog products that have been upgraded with advanced computing and networking capabilities, so they may be connected over a standard LAN/WAN or even via the cloud. So why don’t the security teams that use them or the IT departments that eventually have to support the data they create see them as IoT deployments? And how can we bridge this gap between the security and IT teams?
Lack of coordination leads to unsupported devices
Part of the problem may be something as simple as shifting definitions: The security professionals who use networked surveillance cameras don’t recognize them as IoT devices because they haven’t traditionally been thought of that way. But advancements in technology, new use cases and declining prices have caused an explosion in demand for these devices. This is also what’s causing video security to move into the data center and put new pressures on IT.
In the end, it comes down to competing priorities — security’s focus on risk management and IT’s focus on managing complexity.
Without some level of coordination, you get scenarios like this: Security professionals purchase a large number of networked security cameras, alarm sensors and card readers. This equipment comes with a full rack of servers designed to serve as compute and storage devices, and it’s often bought and installed without consulting IT staff.
There are only so many IT staff members in this organization, and they already spend most of their time maintaining what they consider to be core systems. They don’t have time to maintain these new systems, and they don’t think it’s their responsibility anyway. As a result, these cameras turn into a security hole — a huge number of them sit unprotected on the internet, in plain view of anyone who knows how to use Shodan.
Shodan is a search engine for unprotected IoT devices. Assuming that you know an organization’s IP address, you can plug it into Shodan and see if there are any undefended IoT devices attached to it. If those devices are cameras, you can actually tap into the camera feed and see what it’s seeing. An attacker can even see the version number of the camera’s firmware. If it hasn’t been patched, an attacker can convert it into part of a botnet such as Mirai, which brought down the internet in much of the United States back in 2016.
When IT admins and security professionals don’t collaborate, in other words, they can end up in a nightmare where strangers have a view onto their premises and can use their own devices for use in criminal acts. Not good. How can we avoid this?
Turning vulnerabilities into an IoT roadmap
Let’s take another approach to this problem. Instead of working separately, security professionals and IT administrators would work collaboratively to support an overall IoT strategy, one that would eventually encompass more than just video surveillance. How would that work?
It starts with security and compliance — if an organization is subject to regulations such as ITAR or FSMA, they are required to keep records of everyone entering or leaving their facility. Deploying digital video surveillance and creating an archive of its data output is a central pillar of these requirements.
The next step is technically supporting the digital video implementation. This won’t be easy — digital video surveillance creates a large amount of unstructured data. Administrators need to work with security to categorize this data, store it — no easy feat, as this could mean terabytes of video per day — and then be able to retrieve it at will.
Once this data is under some kind of structure, however, administrators can use it for things other than security. Digital video is a huge storehouse of data about the organization — for some organizations, it may be the largest data storage application there is. Being able to use this data for purposes other than security — to increase productivity, optimize customer conversion rates and mitigate unplanned downtime — is a huge win. Some potential use-cases include:
- Allowing retailers to monitor their foot traffic and use this data to reorient their shelves and displays in order to maximize engagement;
- Providing targeted advertisements to consumers based on their location within a store, mall or stadium;
- Pinpointing the source of equipment failures within industrial facilities; or
- Enabling smart cities to improve safety in areas like pedestrian crosswalks.
As administrators push a digital surveillance strategy to maturity, they can begin piloting other IoT technologies using the same model. Eventually, IT can use the digital video strategy to build a highly instrumented organization that sees the IoT as a central underpinning, not an afterthought.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.