Vetting Your Vendors
The physical security industry invests significantly in securing the surveillance tools and systems that reside on an organization’s network, such as IP cameras, NVRs, and access control.
But as emerging technologies like security robots and drones are adopted to further the effectiveness of physical security operations, how are new risks identified and mitigated?
Robots and drones must be connected to networks so they can communicate with security operations centers (SOCs) and transmit information to stakeholders in real-time. When considering implementing new technologies that connect to the network, it is critical to think through the cybersecurity implications.
First, what is the impact on the security of the organization’s network? Will the robot be connected directly to the network? If so, security professionals should isolate sensitive assets and systems, and keep vendors on a segregated secure network—such as a dedicated Internet of Things network or a guest Wi-Fi network.
Practitioners should also pay close attention to how data is being transmitted using the organization’s network. To what Internet Protocol (IP) addresses does the vendor expect to send data? What ports are they using? Noticing a sudden change in a vendor’s network behavior could be a red flag.
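An added example (not from the original article): a short Python check that compares flow records from the vendor's segregated network against the destinations and ports the vendor declared, and reports deviations. The addresses, ports, segment range and record format are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")
net = ipaddress.ip_network

# Assumed values: what the vendor declared during vetting (documentation ranges).
DECLARED = [(net("203.0.113.0/28"), 443, "tcp"), (net("198.51.100.10/32"), 123, "udp")]
DEVICE_NET = net("10.50.0.0/24")  # assumed segregated robot/IoT segment
INTERNAL_NETS = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# Constructed flow records: "src dst dport proto"
SAMPLE_FLOWS = """\
10.50.0.21 203.0.113.5 443 tcp
10.50.0.21 198.51.100.10 123 udp
10.50.0.21 203.0.113.5 8883 tcp
10.50.0.21 192.0.2.77 443 tcp
10.50.0.21 10.10.4.15 445 tcp
10.20.0.9 192.0.2.77 443 tcp
"""

def parse_flow(line):
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())

def classify(flow):
    """Return None for expected traffic, else the reason the flow deviates."""
    if flow.src not in DEVICE_NET or flow.dst in DEVICE_NET:
        return None  # not from a vendor device, or stays inside its segment
    if any(flow.dst in n and flow.dport == p and flow.proto == pr
           for n, p, pr in DECLARED):
        return None  # matches the profile the vendor declared
    if any(flow.dst in n for n in INTERNAL_NETS):
        return "internal_reach"  # device reaching out of its segment
    if any(flow.dst in n for n, _, _ in DECLARED):
        return "undeclared_port"  # known vendor host, new port or protocol
    return "undeclared_destination"

def audit(text):
    """Return (reason, Flow) pairs for every flow outside the declared profile."""
    findings = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            flow = parse_flow(line)
            reason = classify(flow)
            if reason:
                findings.append((reason, flow))
    return findings

if __name__ == "__main__":
    for reason, f in audit(SAMPLE_FLOWS):
        print(f"{reason}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

In practice the records would come from firewall or flow logs for the segregated segment, and the declared list from the vendor's answers during vetting.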
Second, security professionals need to understand the device’s protocols to ensure it is secure. Transport Layer Security 1.2—a cryptographic protocol—allows devices to communicate securely, and Advanced Encryption Standard 256 encrypts data at rest. Using only known and proven encryption algorithms is a must; vendors who use custom, homegrown encryption are always a red flag.
Third, practitioners should understand how data from a device will be stored and accessed. They should also vet what type of data or information the device can access through its sensors. Security professionals need to ask vendors how they treat sensitive data and the process they use to decide what is sensitive.
For instance, they should ask whether access to sensitive data will be restricted to authorized purposes only and whether the vendor will conduct audits to prove where the device, such as a robot, went and what it saw.
Finally, security professionals should ask how vendors patch vulnerabilities and conduct software updates. What is the process of detecting and fixing new problems?
Like any network device, security robots and drones require software patches to address vulnerabilities and other cybersecurity risks to keep them secure. One of the advantages of network-connected robots is the ability for continuous improvement and upgrades to remain secure while becoming more effective at their jobs. These patches and upgrades can be managed remotely, making the process seamless and minimizing interruptions.
When reviewing security robots and other new technologies, security practitioners should look for a product that has a dedicated security engineering team that constantly makes improvements and offers regular software updates and patches.
The cybersecurity challenge for emerging technologies often lies in ensuring that manufacturers keep data and information security as a high business priority. Security professionals should evaluate their vendors to determine if cybersecurity was added as a last-minute consideration before going to market or if it was baked in since day one of the product’s architecture. This due diligence will help practitioners make informed decisions and prevent headaches—or worse—down the road.
Erik Schluntz is cofounder and chief technology officer at Cobalt Robotics.