The average individual inputs multiple passwords daily—or even hourly—to unlock their phones, access their medical records and bank accounts, log in to their work server, and so on.

Rotating passwords is rarely a welcome occurrence. It takes time and effort, and password update prompts usually come at inconvenient or inopportune times. If that is true personally, imagine the pain point of password rotations on the enterprise level. That may explain why the use of enterprise physical security devices with default or weak passwords is growing and is still a significant problem across every industry.

This blog explores the importance of regularly rotating passwords in the lifecycle management of physical security devices, looks at the impact of not rotating device passwords correctly, and discusses how automating password rotations can significantly impact the organization’s security.

Why Physical Security Devices are at Risk

According to the Unit 42 IoT Threat Report, 57% of IoT devices, such as physical security devices, are vulnerable to medium- or high-severity attacks, making those devices easy targets for hackers. 41% of attacks exploit device vulnerabilities, such as default, weak, and unchanged passwords. Unfortunately, the risk has not translated into action for many organizations. Forrester Research reports that 69% of companies estimate that at least half of all devices on their enterprise network are unmanaged or IoT, and 26% estimate that unmanaged devices outnumber managed devices on their network by three to one. It should be no surprise that 67% of enterprises have experienced an IoT security incident.

The Fuss about Passwords

Passwords are a fundamental first line of defense for physical security devices, such as security cameras, access control systems, alarm systems, and more. Research shows that password-related attacks are commonly carried out on devices due to unchanged manufacturer-set passwords and poor password security practices. This is because many physical security devices come with default credentials that are simply never changed or are changed to weak passwords, opening the door for hackers to compromise the organization’s network. One study concluded that trying just these five default credentials: support/support, admin/admin, admin/0000, user/user, and root/12345 – gives you or any hacker access to at least 10% of all physical security devices. That translates into millions of vulnerable targets.

Why Physical Security Device Passwords are Not Rotated

There are many reasons why organizations are not adequately maintaining their physical security device passwords.  

High manual effort: The work required to update or rotate passwords across devices regularly has yet to be widely adopted as standard. Typically, rotating passwords has to be done manually on each device, which is cumbersome and prone to error. This is a daunting task for any physical security operations team managing a fleet of devices. Therefore, most organizations simply skip the tedious, manual device password changes. 

Complex maintenance: An enterprise fleet often includes different brands and types of physical security devices. The various devices may require password updates differently or have limitations. For example, a device may allow only one Admin user, forcing the organization to share credentials with multiple people.

Remote deployment: Physical security devices may be deployed across multiple buildings and geographies. The fleet of devices may not be easily accessible to a central physical security team, making regular updates and password maintenance on each device an impossibility.

Lack of compliance: IT assets are traditionally tightly managed as the organization must meet various compliance standards. However, physical security devices have different strict compliance standards, deeming their maintenance less of an organizational priority.

Impact of Not Rotating Physical Security Device Passwords Correctly

In physical security, infrequent password rotation increases the risk that cyberattacks on vulnerable devices will endanger people or property. For example, compromised video surveillance or access control in an airport can impact the security of passengers and aircraft operations. At a casino, theft, fraud, and other security incidents abound. The risks are no less severe when physical security devices are compromised in university campuses, hospitals, prisons, or manufacturing facilities. 

The case for regular password rotations and how to achieve them

Once devices are deployed, regular password rotations are small tasks that play a critical role in overall device management, particularly when multiple people share login credentials. The good news is that rotating passwords can be a high-ROI security measure that can easily be implemented for a quick win. How? Through automation. 

Automated password rotations on devices are a tactical and practical way to achieve security compliance, enabling security teams to focus on higher-value tasks. Automation enables organizations to efficiently update passwords for any number of devices or device groups, regardless of their physical location. Ultimately, a platform allowing automated password rotations will be vastly more time-efficient and accurate than staff can be, especially when rotating passwords on different device models from various manufacturers and management systems. 

Solution: IoTOps for Automated Password Rotations

IoTOps is a practice that allows for the consolidated, automated, and secure operational management of physical security devices. IoTOps aims to maintain a fully functioning fleet of devices—no matter how large or geographically dispersed—and to ensure uncompromised compliance, constant availability, and high levels of security. When done right, IoTOps ensures that these devices stay up and running efficiently and securely, in compliance with standard IT security policies.

SecuriThings Enterprise is a software-only solution that introduces the concept of IoTOps to operationally manage physical security devices at scale in a consolidated and automated manner while providing real-time visibility and control. SecuriThings standardizes the operational management of devices, empowering Operational teams to ensure compliance and improve the cyber security posture of their physical security environments. Once deployed, the solution provides automated operations such as password rotations, risk detection with alerts, and predictive maintenance.

For more information about how your organization can benefit from automated operations for physical security devices, click here.

FAQs

How do rotating passwords on physical security devices benefit my organization’s overall security?

Rotating passwords on physical security devices significantly enhances your organization’s security by reducing the risk of unauthorized access. Cybercriminals often target devices with weak or unchanged passwords, and regular rotations make it difficult for them to exploit vulnerabilities and compromise your network. Additionally, automated password rotation solutions streamline the process, freeing up your security team to focus on more strategic tasks.

Why are physical security devices not routinely maintained with rotating passwords?

Due to several challenges, organizations often need to pay more attention to regular password rotations on physical security devices. Manual password updates are time-consuming and prone to errors, especially for large fleets of devices. Moreover, diverse device brands and models often have unique password management requirements, adding to the complexity. Remote device deployment and the lack of strict compliance standards for physical security devices further exacerbate the issue.

What are the potential consequences of not rotating passwords on physical security devices?

Failing to rotate passwords on physical security devices can have severe consequences. Compromised video surveillance or access control systems can jeopardize people’s and property’s safety, leading to theft, fraud, and other security incidents. These risks are particularly significant in airports, casinos, universities, hospitals, and critical infrastructure facilities.

How can automating password rotations improve my physical security management?

Automating password rotations offers a significant advantage in managing physical security devices. It streamlines the process, ensuring regular and accurate password updates across all devices, regardless of location or manufacturer. This saves time and resources, strengthens security compliance, and reduces the risk of human error.

What is the recommended frequency for rotating passwords on physical security devices?

The ideal frequency for rotating passwords on physical security devices depends on various factors, including the sensitivity of the data they protect, industry regulations, and your organization’s specific security policies. However, a general best practice is to rotate passwords at least every 90 days. More frequent rotations, such as monthly or quarterly, can further enhance security, especially for critical devices or those with elevated risk profiles. Implementing automated password rotation solutions simplifies the process, allowing you to consistently adhere to your chosen rotation schedule.