Why IoT firmware updates for physical security devices are mission-critical
It’s the classic case of the tiny over the mighty….the mouse scaring the elephant, the faulty spark plug stopping a tractor-trailer in its tracks. In the technical domain, it’s software that provides low-level control for a device’s hardware – known as firmware – bringing down an entire enterprise.
Firmware updates play a critical part in the lifecycle management of physical security IoT devices, particularly when the devices have a long lifetime or are deployed in remote or inaccessible areas where manual intervention is cost-prohibitive or otherwise challenging. This blog does a deep dive into firmware and its critical role in physical security IoT device management, exploring how an upgrade for physical security IoT device firmware is a small task with a huge impact on the organization.
Should IoT devices always be updated?
Yes. Keeping IoT device firmware updated is critical for maintaining operational functionality, minimizing any cybersecurity risks, and eliminating compliance bottlenecks. With enterprises becoming increasingly reliant on IoT devices to ensure the physical security of their assets – people, IP, and materials — if IoT devices are not updated, the results can have a severe negative impact on the entire organization.
Impact of IoT device firmware in physical security
When firmware upgrades are not performed promptly, an organization can expect to pay a heavy operational price. For example, let’s say a Physical Security manager notices that CPU utilization has reached 100% on dozens of devices. If the root cause isn’t detected and corrected quickly, it’s only a matter of time before those devices stop working. And even before they stop working, they may not be operating correctly. This can quickly escalate into a critical situation. For example, incompatible firmware in a camera will cause unstable video streaming because device quality is compromised. If that video stream is required to secure a campus dormitory, restrict access control in an airport, or ensure quality on a factory production line, any loss of functionality can end in disaster.
Unmanaged firmware also harms device security. From a security standpoint, using an old firmware version with published vulnerabilities opens the door for cyber attackers. After exploiting the vulnerability to gain a foothold in the IoT network, hackers can move laterally within the network, jeopardizing the organization’s most valuable assets and data. This is not a theoretical scenario. According to the Unit 42 IoT Threat Report, 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers. Forrester Research reports that 67% of enterprises have experienced an IoT security incident. 41% of these attacks exploit device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses. Firmware updates can fix IoT firmware security vulnerabilities and are considered to be an essential building block in securing IoT devices.
There is also regulatory demand for firmware upgrades. In the US, the IoT Cybersecurity Improvement Act of 2020 requires all IoT devices used by government agencies to comply with strict National Institute of Standards and Technology (NIST) standards. In addition, software upgradeability is one of the IoT Device Cybersecurity Capability Core Baseline (8259A) requirements. California’s regulations go even further, passing bill SB-327 that requires IoT device manufacturers to include “reasonable” security features and password rotation requirements to prevent attacks. Europe has their own Cyber Security for Consumer Internet of Things: Baseline Requirements that establish firmware updates as a necessity.
Some industries and their associated markets have their own specific compliance regulations. Any device serving the healthcare industry must have the technology in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Financial institutions and their vendors must meet similar regulations required by the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act. Ensuring that an organization’s physical security IoT devices fully comply with governmental and industry regulations is a prerequisite for partnering with these valuable markets.
So just perform IoT firmware updates. What is so challenging?
Enterprises may have tens of thousands of physical security IoT devices to manage. And this number is on the rise. Forecasts indicate that more than 75 billion IoT devices will be in use by 2025. That’s a lot of firmware to manage.
The firmware updates must be performed regularly to ensure the device is working correctly and securely. Some companies schedule a firmware alignment process once a quarter, barring any critical vulnerability. Most simply upgrade on an ad-hoc basis when new firmware is available and validated to be officially supported by the management system they are using. But an available update may not be suitable if it is not fully compatible with the specific device model. Not always are the latest versions best; for example, a camera must be optimized for VMS compatibility for best results. If a problem does arise, the company must be able to roll back to the previous version. And, of course, full visibility into the upgrade progress and any possible issues are critical.
Most IoT firmware updates are performed manually (if at all). These device-level manual updates are costly and time-consuming. The result is that organizations rarely upgrade firmware versions – even those with known vulnerabilities – exposing their devices to potential cyberattacks or operational failures.
Bottom line: While unmanaged IoT physical security devices pose a real security risk to organizations, many companies are simply not equipped with the knowledge, and resources to sufficiently manage them.
Enter Securithings Horizon: Empowering automation to solve the IoT firmware challenge
The explosion of physical security IoT devices has raised the need for a reliable and secure firmware update mechanism suitable for devices across a vast enterprise deployment. Firmware updates are necessary to patch vulnerabilities, but they can also add new functionality and change configuration settings.
Incorporating automation into the firmware upgrade process enables organizations to eliminate many of the challenges related to unmanaged physical security IoT devices. IoT teams can stop worrying about whether firmware versions are frequently upgraded or whether vulnerable firmware is identified and patched. Instead, automated firmware upgrades make daily maintenance routines much more effortless. Manual updates are eliminated, while end users can operationally manage firmware quickly and efficiently — regardless of scale — with full process supervision and update validation. In addition, automated firmware upgrades ensure devices will always be protected from known issues that manufacturers have addressed in the latest version, improving the organization’s device availability, security posture, and compliance.
SecuriThings Horizon brings IT management standards and capabilities, such as automated firmware upgrade and password rotation, to the world of IoT. Horizon is a dedicated IoTOps solution that helps organizations manage device operations at scale using data, analytics, and automation. For more information about how your organization can benefit from automated operations for IoT devices, click here.