Passwords. Understood to be a necessary nuisance, the average individual inputs multiple passwords each day – or even each hour – to unlock our phones, access our medical records and bank accounts, or login to our work server, and so much more.

Rotating these passwords is rarely a welcome occurrence. It takes time and effort, and password update prompts usually come at inconvenient or inopportune times. If that is true on the personal level, imagine the pain point of password rotations on the enterprise level. Perhaps that explains why the use of enterprise physical security devices with default or weak passwords is growing and is still a significant problem across every industry.

This blog explores the importance of regular password rotations in the lifecycle management of physical security devices, looks at the impact of not rotating device passwords correctly, and discusses how automating password rotations can have a huge impact on the organization’s security.

Why Physical Security Devices are at Risk

According to the Unit 42 IoT Threat Report, 57% of IoT devices such as physical security devices are vulnerable to medium- or high-severity attacks, making those devices easy targets for hackers. 41% of attacks exploit device vulnerabilities, such as default, weak, and unchanged passwords. Unfortunately, the risk has not translated into action for many organizations. Forrester Research reports that 69% of companies estimate that at least half of all devices on their enterprise network are unmanaged or IoT, and 26% estimate that unmanaged devices outnumber managed devices on their network by three to one. It should come as no surprise then that 67% of enterprises have experienced an IoT security incident.

The Fuss about Passwords

Passwords are a fundamental first line of defense for physical security devices, such as security cameras, access control systems, alarm systems, and more. Research shows that password-related attacks are commonly carried out on devices due to unchanged manufacturer-set passwords and poor password security practices. This is because many physical security devices come with default credentials that are simply never changed, or are changed to weak passwords, opening the door for hackers to compromise the organization’s network. One study concluded that trying just these five default credentials: support/support, admin/admin, admin/0000, user/user, and root/12345 – gives you or any hacker access to at least 10% of all physical security devices. That translates into millions of vulnerable targets.

Why Physical Security Device Passwords are Not Rotated

There are many reasons why organizations are not adequately maintaining their physical security device passwords.  

High manual effort: The work required to regularly update or rotate passwords across devices has not been widely adopted as standard. Typically, rotating device passwords has to be done manually on each device, which is cumbersome and prone to error. This is a daunting task for any physical security operations team managing a fleet of devices. Therefore, in practice, most organizations simply skip the tedious, manual device password changes. 

Complex maintenance: An enterprise fleet often includes different brands and types of physical security devices. The various devices may require passwords to be updated differently or have limitations. For example, a device may allow only a single Admin user, forcing the organization to share credentials with multiple people.

Remote deployment: Physical security devices may be deployed across multiple buildings and geographies. The fleet of devices may not be easily accessible to a central physical security team, making regular updates and password maintenance on each device an impossibility.

Lack of compliance: IT assets are traditionally tightly managed as the organization must meet a range of compliance standards. However, physical security devices do not have the same strict compliance standards in place, deeming their maintenance less of an organizational priority.

Impact of Not Rotating Physical Security Device Passwords Correctly

In the world of physical security, infrequent password rotation increases the risk that cyberattacks on vulnerable devices will endanger people or property. For example, compromised video surveillance or access control in an airport can impact the security of passengers and aircraft operations. At a casino, theft, fraud, and other security incidents abound. The risks are no less severe when physical security devices are compromised in university campuses, hospitals, prisons, or manufacturing facilities. 

The case for regular password rotations and how to achieve them

Once devices are deployed, regular password rotations are small tasks that play a critical role in overall device management, particularly when multiple people share login credentials. The good news is that rotating passwords can be a high-ROI security measure that can easily be implemented for a quick win. How? Through automation. 

Automated password rotations on devices are a tactical and practical way to achieve security compliance, enabling security teams to focus on higher-value tasks. Automation enables organizations to efficiently update passwords for any number of devices or device groups, regardless of their physical location. Ultimately, a platform that allows for automated password rotations will be vastly more time-efficient and accurate than staff can possibly be, especially when rotating passwords on different models of devices from a range of manufacturers and management systems. 

Solution: IoTOps for Automated Password Rotations

IoTOps is a practice that allows for the operational management of physical security devices to take place in a

consolidated, automated, and secure manner. The goal of IoTOps is to maintain a fully functioning fleet of devices – no matter how large or geographically dispersed – and to ensure uncompromised compliance, constant availability, and high levels of security. When done right, IoTOps ensures that these devices stay up and running efficiently and securely, in compliance with standard IT security policies.

SecuriThings Enterprise is a software-only solution that introduces the concept of IoTOps to operationally manage physical security devices at scale in a consolidated and automated manner, while providing real-time visibility and control. SecuriThings standardizes the operational management of devices, empowering Operational teams to ensure compliance and improve the cyber security posture of their physical security environments. Once deployed, the solution provides automated operations such as password rotations, risk detection with alerts, and predictive maintenance.

For more information about how your organization can benefit from automated operations for physical security devices, click here.