Professional development

5 cybersecurity skills for physical security professionals

Dan Virgillito
December 16, 2020 by
Dan Virgillito

Introduction

Learning cybersecurity might sound odd to a physical security professional, but the reality is that it can be a game-changer for you and your company. 

Despite feeling cybersecurity controls are best left to information security analysts, your systems and devices will require some first-hand protection from network threats. The physical controls alone won’t mitigate network security risks. 

The potential threats go beyond networks. Today’s physical security professionals also need to ensure the safety of IoT devices that also use other technologies like applications, protocols and other embedded services. A skilled adversary can exploit any of these endpoints to gain access to mission-critical information. 

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

More IoT adoption means more risk

With the convergence of IoT and physical security devices in home and industrial environments, installers and maintenance staff have another threat vector to think about. 

According to Cision, PR Newswire, the global IoT market is expected to reach $1111.3 billion by 2026. Another report from Microsoft reveals that nearly 94 percent of businesses in industries like retail, manufacturing, government, and healthcare will be using IoT by the end of 2021. From EIDs to smart locks to connected medical systems, firms are increasingly implementing IoT technologies in their companies. 

It’s the same story with consumers. More and more people are installing surveillance and smart home devices on their properties without much regard to their security. Household devices can be potentially tampered with or switched off by hackers, but industrial IoT presents the greatest risks. An enterprise might deploy hundreds of IoT devices, and a cybercriminal often has to breach just one to gain access to the whole network. 

Common cyber threats for IoT devices

Below are some of the ways a criminal can breach an IoT system or device.

Exploit firmware

Insecure firmware and associated software used by IoT devices could result in a data breach. Adversaries can, for instance, exploit weak string handling functions and password hashes to execute bigger attacks. A popular example of this is the Mirai botnet. Mirai managed to exploit the default passwords in IoT devices to launch a DDoS attack, taking down the likes of Amazon, Twitter and Netflix, among others.

Hack interfaces

Cybercriminals can also compromise API interfaces, such as back-end APIs, that enable a device to connect to a wider network ecosystem (a 5G network, for instance). Interfaces become vulnerable when there is no integrated process to authorize or authenticate the user accessing the IoT device, filter incoming or outgoing traffic and address weak or missing encryption. Criminals can use common web app attacks like cross-site scripting and SQL injections to deliver API payloads since APIs, like web apps, are often made available on the public internet.

Remote compromise via P2P

Peer-to-peer (P2P) technology is present in millions of IoT devices to allow for better collaboration and resource-sharing. However, it’s been found to contain security flaws. Security researcher Paul Marrapese identified two vulnerabilities – now listed as CVE-2019-11220 and CVE-2019-11219 in the National Vulnerability Database – that enable adversaries to establish a direct connection to iLnkP2P devices while bypassing firewalls remotely. iLnkP2P is a P2P software that’s embedded into millions of devices, so hackers exploiting it could easily create a powerful botnet to carry out larger attacks. 

Cybersecurity skills are crucial for a successful physical security career

Before physical security systems turned smart, tips on doing well in physical security revolved around being vigilant of the devices and your surroundings: inspect hardware to ensure safety, track movements and changes in the environment and so on. However, it can be easy to get caught up in the physical safeguards. Now, it’s helpful to know that cybersecurity is another weapon in your line of defense. 

Various industry bodies and installation standards are starting to require cybersecurity skills for the installation of smart products. For example, some healthcare institutes now require medical device installers to be somewhat apt in cybersecurity. Therefore, acquiring some cybersecurity skills can help you do your job well and provide value to your organization.

Here are some crucial cybersecurity skills to learn.

Network security knowledge

For starters, you should understand the administration, architecture and management of networks. This would require you to learn the fundamentals of firewalls and IDS/IPS, VPNs and remote network access, wireless network security, endpoint security, mitigating network attacks and measures linked to securing your network. Basic OSI stack knowledge (around connectivity protocols) is also important. Since most smart devices rely on interconnected networks for optimal functioning, having some network security knowledge can help prevent intrusion attempts. 

Machine learning and AI

The enormous volume of data that IoT devices collect can be analyzed to discover threat vectors and potential attacks. With the technology expected to become more complex, AI will be at its forefront to enable more autonomous decisions. As a result, it will help to acquire machine learning and AI skills. Doing so can help you identify the most serious security threats and ignore ones that are not critical for your organization.

Automation

IoT’s value mainly lies in its operability. As there’s a wide variety of interfaces and data, physical security professionals who can blend manual testing with automatic API testing will be considered valuable to their organization. To gain expertise in this area, you can take up agile testing courses and gain as much knowledge about automating web testing as possible.

Business intelligence

A physical security professional must familiarize with the business space, which relates directly to how IoT functions (including storage, logging and analysis of data from smart devices). Skills in data center management, Hadoop and NoSQL programming, and predictive analytics can help you grasp business intelligence. IoT threats can affect different areas of your business, so combating them requires a rational and intelligent approach.

Attention to detail

You’ll also need some soft skills to help thwart cyber threats. One of them is attention to detail, which ensures that you’re complying with the standards and regulations. Often, you have to look at IEEE, NSIT and other standards while working to formalize robust security processes. Being detailed-oriented in these situations can help you identify vulnerable and low-quality devices that shouldn’t be making their way into your organization.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Conclusion

Physical security will rapidly evolve in the next few years, so it’s up to those in charge to keep their skills current. With cybersecurity expected to play an essential role in the management of physical devices, you will need to gain some expertise. 

Fortunately, it’s easier than ever to start learning cybersecurity with various skill-building courses available online. Additionally, you can get involved in dedicated online communities catering aspiring cybersecurity professionals to learn new things and contribute to the field.  

 

Sources

Internet of Things (IoT) Market to Reach US$ 1111.3 Bn by 2026, at a Ferocious CAGR of 24.7% - Market is Predominantly Driven by Rising Adoption of AI and Machine Learning: Fortune Business Insights, Cision (PR Newswire)

Microsoft Predicts 94 Percent Enterprises Will Employ IoT By End 2021, Analytics Insight

P2P Weakness Exposes Millions of IoT Devices, Krebs on Security

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.