He that will not apply new remedies must expect new evils; for time is the greatest innovator.

—Francis Bacon, in “Of Innovations,” in Essays (1625)

The threat economy continues to evolve rapidly, and so do the technology, standards, and regulations that affect Intelligent Multi-modal Security Systems (IMSS). Yogi Berra said, “it’s tough to make predictions, especially about the future.” Nonetheless, the people who look around the corner are the ones less likely to be surprised. To conclude this text, we discuss emerging IMSS trends to watch, to help you understand what is needed to maintain existing systems and to specify and design new ones.

Growth of IMSS

While the days of 25% market growth may be behind us, market forecasts have the Physical Safety systems market growing at 6.7% to 8.5% over 2022 to 2026 and to 2028.Footnote 1, Footnote 2, Footnote 3 The analytics market is estimated to grow even faster than that, at 16.3% according to Omdia.Footnote 4 Both the number of devices and the growth of analytics applications create correspondingly attractive targets for ransom, denial of service, and targeted attacks on valuable assets. Outside of their direct physical security function, IMSS can be co-opted as attack vectors in botnets and as weakly secured entry points into networks.

Cybersecurity General

These aren’t the droids you’re looking for

—Obi-Wan Kenobi – Star Wars IV

It turns out that hackers aren’t just asocial, hoodie-clad 30-somethings living in their parents’ basement; the leaked records from the Conti Group showed us that the collectives can be run like legitimate businesses with HR departments, an R&D group, and an employee of the month award. The 350 members made $2.7B in cryptocurrency in two years.Footnote 5 This illustrates that exploit development takes special skills, but the actual deployment can be done by low-skilled workers – the smart cow problem,Footnote 6 that is, it only takes one smart cow to unlatch the gate, and all the other cows can follow. This was accomplished in a corporate setting, but the same exploit development and malicious deployment economies apply generally, enabled by the anonymity of dark web marketplaces and digital currency.

The Digital Shadows Photon Research team reported in June 2022 that there are over 24 billion credentials for sale on the dark web.Footnote 7 This report shows that the market for selling these credentials is effective, providing services for purchasing the credentials.

Despite many botnets and nefarious tool markets having been taken down,Footnote 8, Footnote 9, Footnote 10, Footnote 11 Distributed Denial of Service (DDoS) attacks continue to grow, and the DDoS-as-a-service marketplace offers services at $100 per day or $10 per hour.Footnote 12 This article from SpiceworksFootnote 13 and the ScienceDirect paperFootnote 14 have helpful best practices to prevent your systems from being participants in botnet attacks.

In 2021 and 2022, there were increasing cyberattacks on critical infrastructure, attacking the basis of public safety, health, and the economy. In 2016, an elaborate, coordinated multiple-vector attack sabotaged a Ukrainian power plant, and several hundred thousand people suffered loss of power.Footnote 15 The ransomware attack on the Colonial Pipeline Company in 2021, the attack on a Florida water protection plant,Footnote 16 and the many destructive attacks on Ukrainian systems and network infrastructure in the 2022 military conflictFootnote 17 all illustrate the trend in critical infrastructure attacks. IMSS that are an element in perimeter protection, or that are connected to the Internet and to the internal networks of critical infrastructure facilities, are a necessary security component that can also be an entry point for cyberattacks. Note that these systems often allow access via the Internet from devices like tablets and cellphones, which may serve as yet another entry point into critical infrastructure networks.

Even attacks against individual consumers can have life-threatening consequences, as demonstrated by the “swatting” attacks on Ring doorbell owners.Footnote 18

Zero Trust has become a buzzword that people have come to distrust. The term is over-hyped, poorly defined, and often costly or even impossible to implement. Having to constantly prove you are who you say you are and that you have a legitimate need to access assets impedes business and information flow, not to mention that it is annoying to be mistrusted. That said, technology is providing solutions in better identity verification, such as passwordless access using cryptographically strong multifactor authentication (e.g., FIDO2Footnote 19), that mitigate the classic data theft pattern in which an attacker gains access to a system via phishing, credential stuffing, or man-in-the-middle attacks, followed by network exploration. Defense in depth adds behavioral anomaly detection (bonus points for AI-based detection) to monitor for unusual compute activity and unusual network activity, to thwart the exploration and exfiltration phases of an attack.

According to the 2022 Verizon Data Breach Incident Report,Footnote 20 depending on the industry, financial motivation accounts for 78% to 100% of the breaches. Attackonomics, the cost of an attack vs. the return, will always be relevant. Until the costs are greater than the gains, market forces will continue to provide easy- (or at least easier-) to-use tools with which to demand ransom or steal assets that can be marketed for financial gain.

Technology

In the next few years, it is expected that compute will diffuse from cloud services throughout the network infrastructure. Infrastructure computing can provide lower-latency compute resources with real-world response times that cloud computing cannot guarantee, and networking providers will compete with Cloud Service Providers and with each other for this expanded market. IMSS that take real-world actions based on analyzing sensors can benefit from moving from proprietary on-premises compute resources to the network infrastructure when response times and economies of scale provide lower-cost solutions that meet these stringent performance requirements. In this model, the network infrastructure itself can become an attack vector. Consequently, the IMSS workloads, the data being processed, the analytics results, and the corresponding actions must be securely protected against denial of service, tampering, and data exfiltration.Footnote 21, Footnote 22, Footnote 23

Piloted and pilotless balloons and airplanes have been used for reconnaissance and warfighting by the military for more than 100 years.Footnote 24, Footnote 25, Footnote 26 Modern Unmanned Aerial Vehicles (UAVs) or drones reduce the cost of aerial surveillance and make it easier to do, bringing these capabilities to border patrol, local law enforcement, emergency services, security services, commercial enterprises,Footnote 27, Footnote 28, Footnote 29 and individuals. AI is being used for navigation and real-time route planning, and the data gathered from on-board sensors are used for classic object detection, identification, and tracking,Footnote 30 enabling UAVs to function as an IMSS. Designing and operating these systems requires security planning for potential hacking, signal jamming, and AI tampering and manipulation, which will not only be an availability or accuracy problem but could even turn the UAV into a threat itself.

Artificial Intelligence and Machine Learning

The advancements in AI/ML (ChatGPT) highlight the growth of the capabilities of AI/ML. Nonetheless, we are still a long way from creating machines that have general knowledge and can think in the sense that humans are able to.Footnote 31 While ChatGPT has guardrails preventing it from explicitly writing malware, this class of generative AI can be used to increase the efficacy of email phishing and SMS smishing attacks.Footnote 32 And ChatGPT has been used to improve and help generate working malwareFootnote 33, Footnote 34, Footnote 35 and hacking tools.Footnote 36 It is not improbable that a worm whose destructive power will eclipse the NotPetya worm from 2017Footnote 37 could be inadvertently created with ChatGPT assistance and released into the wild. Basic cybersecurity hygiene, workload and data provenance, and defensive AI-based tools can all be used in IMSS for layered defenses.

Another important aspect of the new generative AI models is the amount of data they are trained with and the size of the models. The models aren’t big because of the type or amount of data they produce; they are big because of the complexity of the information being processed. For IMSS applications, that means models that can ingest multiple types of information from multiple sources could potentially provide full situational awareness of large public venues or even cities in the near future. These models are very large, the biggest having hundreds of billions of parameters, so the systems running those models will have to scale accordingly.

Being aware of the legal and ethical implications of not only the AI algorithm but also the training data behind it is becoming increasingly important because of privacy sensitivity, fair use vs. copyright laws, and new laws and regulations. See the Regulations section for more detail.

Application developers and data providers now have a standardized way to include provenance information with their products. The Coalition for Content Provenance and AuthenticityFootnote 38 has defined a standard that consumers can use to trace the origin and verify the authenticity of different types of media. Using provenance verification tools, consumers can be assured that the content came from the source it appears to have come from and that it has not been altered in any way. These tools can also be integrated with web browsers and social media applications, raising trust in the veracity of content and reducing misleading information online.
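The mechanism behind the provenance standard described above (and behind the "workload and data provenance" the chapter recommends as a layered defense) is a signed manifest that binds a hash of the content, a set of assertions about how it was produced, and references to the manifests of any source assets it was derived from. The following is an added example written for this discussion, not the book's or the Coalition's code. Real C2PA manifests are CBOR structures signed with X.509 certificates; to run with the Python standard library alone, this example uses canonical JSON for the manifest and an HMAC under a constructed shared key as a stand-in for the signature. The content, device names, and assertion labels are constructed.

```python
"""Simplified signed content-provenance manifest, in the spirit of C2PA.

Added example (not the book's or C2PA's code). The signature is an HMAC under
a constructed key, standing in for the X.509/COSE signature a real manifest
carries; the manifest is canonical JSON rather than CBOR. Everything else,
including the content-hash binding and the ingredient chain, is the real idea.
"""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signer's private key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(claim: dict) -> str:
    return hmac.new(SIGNING_KEY, canonical(claim), hashlib.sha256).hexdigest()


def create_manifest(content: bytes, claim_generator: str, assertions: dict,
                    ingredients=()) -> dict:
    """Bind the content hash, assertions and parent manifests, then sign the claim."""
    claim = {
        "asset_hash": sha256_hex(content),
        "claim_generator": claim_generator,
        "assertions": assertions,
        # Each ingredient is referenced by the hash of its whole manifest, which
        # chains a derived asset back to the manifests of its sources.
        "ingredients": [sha256_hex(canonical(m)) for m in ingredients],
    }
    return {"claim": claim, "signature": sign(claim)}


def verify(manifest: dict, content: bytes, ingredient_manifests=()):
    """Return (ok, reason) after checking signature, content binding and ingredients."""
    claim = manifest["claim"]
    if not hmac.compare_digest(sign(claim), manifest["signature"]):
        return False, "signature does not match claim (claim altered or forged)"
    if claim["asset_hash"] != sha256_hex(content):
        return False, "content hash mismatch (content altered after signing)"
    known = {sha256_hex(canonical(m)): m for m in ingredient_manifests}
    for ref in claim["ingredients"]:
        parent = known.get(ref)
        if parent is None:
            return False, f"ingredient manifest {ref[:12]}... not available"
        if not hmac.compare_digest(sign(parent["claim"]), parent["signature"]):
            return False, "ingredient manifest has an invalid signature"
    return True, "verified"


def demo():
    """Constructed capture from a camera, a derived crop, and three tampering cases."""
    capture = b"constructed-frame-bytes-from-cam-07"
    capture_manifest = create_manifest(
        capture, "cam-07 firmware (constructed)",
        {"action": "created", "device": "cam-07"})
    cropped = capture[4:]  # the derived asset
    cropped_manifest = create_manifest(
        cropped, "analytics-node (constructed)", {"action": "cropped"},
        ingredients=[capture_manifest])

    forged = copy.deepcopy(cropped_manifest)
    forged["claim"]["assertions"]["action"] = "unchanged"  # edit the claim, keep old signature

    return {
        "original": verify(capture_manifest, capture),
        "derived": verify(cropped_manifest, cropped, [capture_manifest]),
        "tampered_content": verify(cropped_manifest, cropped + b"x", [capture_manifest]),
        "tampered_claim": verify(forged, cropped, [capture_manifest]),
        "missing_ingredient": verify(cropped_manifest, cropped),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} ok={ok} ({reason})")
```

The two honest cases verify; altering the content, altering an assertion without re-signing, and presenting a derived asset without its source manifest each fail with a distinct reason, which is what a browser or social-media integration would surface to the user. Swapping the HMAC for a public-key signature is what makes the scheme usable between parties that do not share a key, and is the difference between this sketch and the published specification.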

In 2022, we learned that cyberwar is already a component of conventional war.Footnote 39 In the future, AI-weaponized attacks, generative adversarial attacks, AI for defenses against said attacks, and weaponized defensive AI as a counterattackFootnote 40 will all be increasing in use. And once again, basic cybersecurity hygiene, workload and data provenance, and defensive AI-based tools can all be used in IMSS for layered defenses.

You may want to revisit the exhortations from Chapter 5 on AI/ML transparency, privacy, responsibility, and trustworthiness. Not only will these recommendations help your IMSS be more robust and accurate; as you will read in the next section, they will also help IMSS stay current with regulations.

Regulations

With the rapid advancement and adoption of IMSS, and extensive use of the AI/ML Technologies, there is a growing recognition of the need for comprehensive policies and regulations to address the many ethical, legal, and social issues raised by the use of the technology. The European Union and the United Nations are some of the international organizations that are developing policies and guidelines to govern the development and use of AI. In the United States, some states have begun to pass laws addressing the use of AI in areas such as law enforcement and hiring.

Because IMSS may inherently be used for identification, laws and regulations regarding privacy are a paramount design constraint for IMSS manufacturers. In addition, system operators must consider the applicable legislation in the region where a system is located, and in every region involved where systems are interconnected across regions. Privacy laws and regulations have been enacted at the national level and, in the United States, at the state and local levels.Footnote 41 Since the GDPR went into effect in 2018, many other nations have enacted similar legislation. In addition to the EU nations, at least 30 other nations have some form of privacy legislation.Footnote 42, Footnote 43 As of January 2023, the United States does not yet have national privacy legislation, but five states have laws, all of which come into effect in 2023.Footnote 44, Footnote 45 Four more states have active bills, and 23 additional states have bills introduced or in committee. The article from the National Law Review provides a comprehensive comparison of the enacted state laws.Footnote 46

Some US states have laws specifically on surveillance.Footnote 47, Footnote 48 California, New York, and Rhode Island do not allow video cameras where a person has a reasonable expectation of privacy. Hotel rooms, rest rooms, and changing rooms are examples of prohibited areas. Some states allow exceptions as long as customers are notified. Surveillance in the workplace is used by many employers to mitigate violence, theft, abuse, and sabotage. Regulating workplace surveillance is mostly left to the states as well. Workplace surveillance must be used with the privacy rights of workers and state regulations in mind. The use of drones for surveillance presents significant new considerations for privacy as well.Footnote 49, Footnote 50

Navigating this complex and shifting legislative map is a dynamic problem, and future-proofing systems by monitoring legislation in process can give manufacturers, consultants, and integrators a competitive edge.

The European Union AI ActFootnote 51 is proposed to address the “risk or negative consequences to individuals or society” due to the use of AI. Just as the GDPR has served as the model for privacy regulations in many domains, the EU AI Act may also become exemplary or even a global standard. Additionally, like the GDPR, the proposed legislation levies large fines for violations. The AI Act not only defines a methodology for determining risk, it also mandates requirements and conformity assessment for trustworthy AI when high-risk AI is used in the EU. See thisFootnote 52 article from the MIT Technology Review for an informative overview of the proposal.

There are cyber-resiliency acts in both the EU and the United States. In 2019, the EU enacted a cybersecurity actFootnote 53 that strengthens the European Union Agency for Cybersecurity (ENISA) and establishes a framework for voluntary cybersecurity certification of products. The proposed EU Cyber Resilience ActFootnote 54 addresses all the hardware and software elements in systems, requiring manufacturers to reduce vulnerabilities at launch and throughout the lifetime of products. It also requires greater transparency, enabling consumers to take cybersecurity into account when making purchasing decisions. In the United States, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 requires 16 critical infrastructure sectors (defined hereFootnote 55) to report cybersecurity incidents. Also in 2022, the Securities and Exchange Commission proposed a rule requiring publicly listed companies to report cybersecurity incidents.Footnote 56 As of January 2023, Congress.gov reports 2414 House or Senate bills on cybersecurity,Footnote 57 too many to even list here. The May 2021 Executive Order on Improving the Nation’s CybersecurityFootnote 58 orders US government and private sector cooperation to protect the public and private sectors and American citizens from malicious cyber actors. In addition to specific orders for federal government agencies, this order specifically calls for enhancing software supply chain security.

In October 2022, the US White House released an Office of Science and Technology Policy white paper on a Blueprint for an AI Bill of Rights.Footnote 59 This is not yet law, but it describes a future where citizens’ rights are protected from potential harms from improper design and use of AI. It provides “a set of five principles and associated practices to help guide the design, use, and deployment of automated systems to protect the rights of the American public in the age of artificial intelligence.”Footnote 60 For IMSS AI providers, integrators, and consultants, adopting these principles will help future-proof your applications and systems.

The US Clarifying Lawful Overseas Use of Data (CLOUD) ActFootnote 61, Footnote 62 was enacted in 2018 to amend the 1986 Stored Communications Act, allowing federal law enforcement with warrants or subpoenas to compel data and communications companies to provide data stored in their systems. This FAQFootnote 63 from justice.gov can help in understanding the law. It is similar to the 2017 National Intelligence Law of the People’s Republic of ChinaFootnote 64; however, the Chinese law lacks judicial oversight in the form of warrants or subpoenas, and there are no exceptions for data crossing international borders that falls under foreign jurisdictions.Footnote 65, Footnote 66

The US–EU Trade and Technology CouncilFootnote 67 released a statementFootnote 68 on December 05, 2022 establishing ten international working groups, portions of which may impact IMSS. The corresponding US White House statementFootnote 69 summarizes areas where these agreements may impact IMSS, such as evaluation and measurement tools for trustworthy AI, privacy-enhancing technologies, post-quantum encryption, and the Internet of Things.

It’s important to note that IMSS-related policy is still in development, and it is expected to evolve as technologies such as AI develop and their impact on society becomes more apparent.

Standards

Standards play an important role in addressing regulations by providing a common framework for the development, deployment, and use of IMSS. Standards can help regulators and other stakeholders understand the capabilities and limitations of IMSS, as well as the risks and benefits associated with their use.

The state of the art in AI standards is constantly evolving as new research and developments are made. ISO/IEC, ETSI, CEN/CENELEC, and IEEE develop sets of standards related to AI/ML. It is expected that by 2025, conformity assessment schemes will be delivered based on harmonized AI standards that cover a broad range of topics, such as functional concepts, data standards, interoperability, frameworks, etc.

The following are some published ISO/IEC AI/ML-related standardsFootnote 70:

  • ISO/IEC 23053:2022 Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML)

  • ISO/IEC 22989:2022 Information technology – Artificial intelligence – Artificial intelligence concepts and terminology

  • ISO/IEC 38507 – Information technology – Governance of IT – Governance implications of the use of artificial intelligence by organizations

  • ISO/IEC TR 24029-1:2021 Artificial Intelligence – Assessment of the robustness of neural networks – Part 1: Overview

  • ISO/IEC TR 24030:2021 Information technology – Artificial Intelligence – Use cases

  • ISO/IEC TR 24028:2020 – Information technology – Artificial intelligence – Overview of trustworthiness in artificial intelligence

C2PAFootnote 71 addresses another critical problem of modern systems, the prevalence of misleading information, by developing and promoting technical standards and best practices for the protection of digital content, such as digital rights management, content protection, and content authentication. The technical specification is still progressing, and the latest version can be found at the C2PA Specification site.Footnote 72

Final Exhortation

There is a lot of change in cybersecurity, technology, regulations, and standards to keep up with. Automating the process – indeed, an AI that automates it for you – will make maintenance as efficient as possible.

IMSS are used broadly, and the risks depend on the environment they are used in. Not all of the trends cited earlier will impact all IMSS, but especially when valuable assets or high risks are at stake, it is important for system operators, consultants, and system integrators to think about the future – not only the near term when the system is installed, but the lifetime of the system. Future-proofing your devices, your software, the systems you recommend or specify, and the systems you operate will future-proof your organization as well.