Why Protecting Physical Security Devices Is a Critical Part of the New US Cybersecurity Strategy
When the Biden-Harris administration announced its new national cybersecurity strategy, it made some significant changes to the previous national cybersecurity strategy document, which was published in 2018. Perhaps the most important shift is an increased emphasis on requiring large tech companies to ensure that cybersecurity best practices are followed.
But for those who work in physical security, there may be an even more noteworthy takeaway from the strategy document: its discussion of the risk posed by inadequately secured IoT devices (a category that includes physical security devices) and the importance of mitigating this threat.
That aspect of the new national cybersecurity strategy document reflects a growing awareness of the importance of hardening and maintaining physical security devices in order to prevent them from becoming a vector for serious cyberattacks. In addition to reflecting this changing reality, the announcement itself could have important implications for the steps organizations will need to take to protect themselves in the future.
With that in mind, this post will explore what organizations should take away from the new U.S. cybersecurity strategy document’s stance on IoT devices.
Recognizing the importance of securing IoT devices, including physical security devices
The strategy document’s discussion of physical security devices starts by highlighting the increasing use of IoT devices for a variety of purposes by both consumers and organizations. It then notes some of the key problems with the way these devices are deployed and the resulting vulnerabilities.
Specifically, it states that “many of the IoT devices deployed today are not sufficiently protected against cybersecurity threats… Recent IoT vulnerabilities have shown just how easily bad actors can exploit these devices to construct botnets and conduct surveillance.”
It then speaks in general terms about plans to address these issues going forward, highlighting “Federal research and development (R&D), procurement, and risk management efforts, as directed in the IoT Cybersecurity Improvement Act of 2020.” It also states that “the Administration will continue to advance the development of IoT security labeling programs,” in line with an executive order from 2021.
Those points are notable both for their recognition of the serious cybersecurity risks posed by inadequately managed IoT devices and for their mention of plans to address those risks going forward. It’s also important to keep in mind their context – both within the strategy document and against the backdrop of the growing awareness of the importance of hardening and maintaining physical security devices and other IoT devices.
The backdrop: The growing threat of cybercrime and data breaches
The new strategy document follows an increase in the risk of cyberattacks over recent years. Specifically, we have seen cyberattacks increase in frequency, scope, sophistication, and cost.
Last year, IBM estimated the average cost of a cyberattack in the U.S. to be $9.44 million – a figure that has increased every year since 2013, when it was “only” $5.4 million. Notably, IBM’s 2022 numbers indicate that the average data breach in the U.S. costs more than double the global average of $4.35 million.
And physical security devices have been affected by the increasing risk of cyberattacks. To date, the most high-profile data breach demonstrating that danger was the 2021 hack of Verkada, a video security startup. In that case, hackers managed to gain access to the feeds from roughly 150,000 cameras.
That incident underscored the reality that when devices intended to protect people and organizations from physical security risks are not properly hardened and maintained, the devices themselves can become a security risk. In fact, Genetec has estimated that almost 40% of security cameras have cybersecurity vulnerabilities because they use outdated firmware.
The importance of improving IoT security as part of overall cybersecurity
In contrast to the previous national cybersecurity strategy document from 2018, the new strategy puts a stronger emphasis on requiring large tech companies to mitigate cybersecurity vulnerabilities. But it remains to be seen how the new cybersecurity strategy will play out in terms of specific legislation, especially given divisions within Congress.
Still, the document’s discussion of the cybersecurity risks related to IoT devices is notable in that it reflects both the seriousness of the issue and the growing awareness of it.
One other important open question is how the new strategy will affect future executive orders and steps taken by federal agencies in order to protect physical security devices (as well as other IoT devices) from cyber threats. For physical security professionals, that question could have important implications as they try to prepare for any future rules that will impact them.
That question comes after a year in which U.S. federal agencies, including the Federal Communications Commission (FCC) and Transportation Security Agency (TSA), have already announced newsworthy cybersecurity requirements.
Automation as a tool for addressing both uncertainty and cybersecurity risks
In discussing both the cybersecurity risks stemming from inadequately managed physical security devices and steps the federal government will take to address those risks, the new document raises two issues that can be addressed through an automated approach to managing security devices.
First, automation offers an efficient and reliable way to harden and maintain physical security devices in order to protect them from threat actors. Specifically, organizations can easily automate best practices including rotating passwords, upgrading firmware, and managing certificates as needed. This offers an inexpensive way to mitigate the cybersecurity risks surrounding physical security devices.
And second, automation offers physical security teams an effective way to gain visibility into the operational health and status of their security devices – helping them steer clear of uncertainty that could leave them exposed to legal problems and other issues.
For example, last November the FCC announced a ban on importing and selling products manufactured by certain companies operating in China. Because many items covered by the ban are components (such as microchips) used in other manufactured products, ensuring compliance with the new restrictions requires organizations to know whether their physical security devices include any banned items. In other words, complying with those FCC restrictions requires wide-ranging visibility into physical security devices.
To meet that challenge, an automated approach to operationally managing physical security devices can give organizations an efficient and reliable way to get the visibility they need. By monitoring physical security devices around the clock, the automated approach used by SecuriThings offers our customers a simple way to ensure compliance with regulations like the FCC’s. Similarly, if rules enacted in the future require organizations to be aware of the status, health, and components of their physical security devices, technology like ours can help them get the information they need quickly and easily.
By using automation effectively, physical security teams can efficiently adapt to the new national cybersecurity strategy document – both by protecting their organizations from cyber vulnerabilities and by gaining the visibility they need to comply with present and future rules and regulations.
To see how SecuriThings can help you to efficiently and reliably protect your physical security devices from cyber threats and ensure their legal compliance, schedule a demo.