How to Evaluate Your Security System's Cyber Risk
Between security systems manufacturers, integrators and end users, is anyone fully prepared to mitigate cybersecurity risk?
Whether it’s an HVAC system, a point-of-sale terminal or a video surveillance camera, malicious attackers are looking for any way into your network and closer to your valuable data, systems and intellectual property. While enterprises are working to shore up the weak links of their cybersecurity systems, it’s necessary to take a close look at the cyber risks your own physical security system may bring to the enterprise.
A physical security system could let in cyber attackers or viruses in a number of ways, including weak password management, incorrect installation, a network conflict, or a lack of encryption. The greater interconnectivity of devices, while proving to be infinitely valuable for enterprises’ metrics, audits and security, also opens up new avenues of attack, as one weak access control panel could endanger the entire security system, if not the entire network.
State of the Industry
So how is the security industry doing, in terms of cybersecurity investment and preparedness? Not too well.
“Cybersecurity concerns seem to be addressed primarily as an afterthought by both the end users and the physical security hardware/software manufacturers,” says Joe Fairchild, CISSP, Security Technology Program Manager at Microsoft. “Many companies transfer the responsibility to the integrators to secure their systems, often with inconsistent results. … Some of the challenges arise as a result of IT security not being an area of expertise for many security integrators. Other challenges result from not being well versed in an organization’s cyber policies. Finally, the project scope of security integrators is often limited to installation, configuration and maintenance.”
In addition, he says, manufacturers may not have a secure, accredited supply chain for equipment sourcing, and they may not maintain rigorous security testing programs to minimize the risks associated with software and firmware updates, and to discover new vulnerabilities.
According to Andrew Lanning, Co-Founder of Integrated Security Technologies and chairman of the PSA Cybersecurity Advisory Committee, “Most manufacturers have been able to turn a profit for many years selling ‘ease of use’ and ‘ease of integration’ to their vendor partners. The default enablement of services like Universal Plug and Play simplified the discovery and implementation process for non-network-savvy installers, but it also contributes to the ready identification and exploitation of networked devices. Until the manufacturers of this equipment feel pain on the profit and loss statements, they don’t appear in a rush to improve their chipsets and firmware to enable truly ‘hardened’ configurations.”
One major risk is negligence related to due diligence, he adds: “The customers often presume that the integrator knows what they’re doing, and they have no clue about the vulnerabilities that may be getting added to their network by their security provider.”
Whose Job Is It Anyway?
So who is responsible for security systems cybersecurity? Honestly – everyone.
“Some end users have no idea how vulnerable a lot of the physical security systems installed on their networks are,” says Lanning. “And there are rarely any assurances run against physical security systems or scanning for evolving risks. … End users will have to start asking manufacturers for cyber protections, and regulated industries [such as those with high compliance requirements from the DoD] will likely be the first to switch.”
There are some security technology manufacturers and service providers that are making a concerted effort to improve cybersecurity and users’ and integrators’ awareness of vulnerabilities. IP camera manufacturer Axis Communications releases camera hardening guides for integrators; Tyco Security Products offers a subscription to end users so they can get alerts about cyber vulnerabilities; Bosch, Genetec and SecureXperts collaborated to design and develop an IP video solution that’s resilient against cyber attacks, using encryption for secure identification and authentication through smart cards; some access control providers announced the availability of TLS 1.2 encryption all the way from the reader to the server. These are just a few of the commitments the industry has seen toward cybersecurity, but there’s still a long way to go, with many more manufacturers and integrators on the market that aren’t progressing toward cyber-savvy practices and development. Conversely, there are just as many end users who aren’t demanding it.
“There’s really a shared responsibility for cybersecurity,” says Larry Movessian, Strategic Product & Solutions Manager for American Alarm, a Brivo Blue Dealer. “The integrator should have a trusted advisor position, and through a needs analysis with the customer, the integrator can make suggestions and bring up where there are cybersecurity pitfalls and steer them in the right direction. We can also look to manufacturers to get input. Cybersecurity needs to be part of the dialogue – it needs to be as important as all the other aspects of the security system.”
He adds: “The more awareness we as an industry bring to cybersecurity, the more manufacturers will add it to their product sets and offerings.”
People, Processes and Products
Despite the emphasis on technological pitfalls, addressing hardware and software vulnerabilities is only part of the problem. According to Lanning, cybersecurity is a three-legged stool consisting of people, processes and products. Even if manufacturers manage to lock down or contain their technology, there are still the issues of phishing, human error and engineering or configuration problems, and the risks change daily.
According to Dave Siler, CFI, Director of Loss Prevention for Bartell Drugs, “Malware and intrusion technology is a constantly evolving process for bad actors, and yet old technologies still cause as many issues for the business as the newest variants. There are only two types of companies in this world: those who have been hacked and those who will be hacked. My insight into physical security technology is the industry is more concerned about process improvement than they are about process integration. You can have the most secure programs in the world, but it is like a building with new locks on all the doors and windows. If the employee leaves the door unlocked or invites the bad actor into the building, the pain point is not the system, but the lack of training needed to support the system.”
“The bigger your castle, the more ways there are to get into it,” he says. “Companies must have a proactive training program as well as active testing of all new programs to ensure they are not installing an unlocked door into the castle. Many IT departments are just now getting a robust security program in place, and IT security teams are scrambling to back-check all the corridors, pathways, doors and windows into the castle. … Those who fail to recognize not only the value of IT security but the size of the threat outside of the castle will discover the cost of ignorance or negligence is more than they can imagine.”
Start Asking Questions
One of the key benchmarks to determine whether or not a security vendor or integrator is focused on cybersecurity is to ask them about it, says Lanning. Ask about their internal cybersecurity framework, their cyber maturity levels and the steps they’re taking to secure their own networks and data. Knowing that they’re investing in their own security will help to gauge whether they’re taking cybersecurity risks seriously, both for their own enterprise and – presumably – for their clients.
Some key questions to ask your integrator or security systems manufacturer to evaluate their cybersecurity buy-in are:
Do you have a cybersecurity initiative, including a point-person for cybersecurity queries?
Do you provide training on best practices for your products, both for integrators and end users?
Do you have a system for notifying clients about critical cybersecurity updates?
How have you historically responded to reported cybersecurity issues?
How will cybersecurity alerts and services change as the system ages?
“Evaluation of technology requires full disclosure of what the end user is getting and what they are not getting, as well as allowing end users to get feedback from others who are using the same technology,” says Siler. “If you stand behind your product, let me talk to some of your other customers who bought it and see how well they like it and what they wish was better.”
Codify Your Expectations through Contracts
“Noteworthy attacks have been coming from low-hanging fruit, such as default passwords,” says Joe Gittens, Director of Standards for SIA (the Security Industry Association), and moderator of the SIA Cybersecurity Advisory Board. He recommends asking questions about the types of data encryption in use, procedures for data retention, background checks for contract service providers, vendors’ and integrators’ in-house testing procedures, and what their design process is, especially as they relate to cybersecurity.
“Ask the right questions, and codify them in a contract,” he says. “Add information to your contract about what your expectations are and what your response will be to lax behavior or failures to address patches and updates, or failing to share vulnerability information.”
Vendors and integrators should also be providing documentation about what they install and how it’s working, says Lanning. Enterprise security leaders should get scans of all networked equipment, including the device name, type, firmware version, MAC address, open ports, TLS level, encryption key information and more. CSOs should demand that components are accompanied by manufacturer cybersecurity hardening guidance, as well as information about the integrator’s in-house best practices.
Enterprises can get better insight when benchmarking these practices by comparing them against common cybersecurity standards and guidance, including the NIST Cyber Security Framework or the SANS Institute’s Top 20 Critical Security Controls.
“If your security partner cannot clearly demonstrate their internal cybersecurity policies, practices and controls, they may be a supply chain liability for your business,” Lanning says. “If you’re relying upon them to vet the systems that they’re installing, then they should be able to clearly demonstrate their method of assessing assurance and show you examples of the scanned system configuration, both prior to installation and post-installation to ensure that nothing has been changed. This documentation is then the root of the cybersecurity lifecycle management of your electronic security system.”
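The pre-installation and post-installation comparison Lanning describes, together with the inventory fields listed above, can be reduced to a small script. The example below is added here and is not code from the article or from any vendor it names; the device records, field names and MAC addresses are constructed sample data, and the hygiene checks are the ones the article itself calls out (default passwords, UPnP left enabled, TLS below 1.2).

```python
# Added example (not from the article): diff an integrator's pre-install baseline
# scan against the post-install scan and flag drift plus the weak settings the
# article names (default passwords, UPnP left on, TLS below 1.2).
# Both inventories are constructed sample data keyed by MAC address.
BASELINE = {
    "00:11:22:33:44:01": {"name": "cam-lobby-01", "type": "ip-camera", "firmware": "5.60.1",
                          "ports": {443}, "tls": 1.2, "upnp": False, "default_pw": False},
    "00:11:22:33:44:02": {"name": "acs-panel-01", "type": "access-panel", "firmware": "2.4.0",
                          "ports": {443}, "tls": 1.2, "upnp": False, "default_pw": False},
}
POST_INSTALL = {
    "00:11:22:33:44:01": {"name": "cam-lobby-01", "type": "ip-camera", "firmware": "5.60.1",
                          "ports": {80, 443, 1900}, "tls": 1.2, "upnp": True, "default_pw": False},
    "00:11:22:33:44:02": {"name": "acs-panel-01", "type": "access-panel", "firmware": "2.4.0",
                          "ports": {443}, "tls": 1.0, "upnp": False, "default_pw": True},
    "00:11:22:33:44:03": {"name": "nvr-01", "type": "recorder", "firmware": "1.0.0",
                          "ports": {22, 443}, "tls": 1.2, "upnp": False, "default_pw": False},
}
TRACKED = ("firmware", "ports", "tls", "upnp")  # fields whose change after install counts as drift

def weak_settings(dev: dict) -> list:
    """Hygiene checks drawn from the article's warning signs."""
    issues = []
    if dev["default_pw"]:
        issues.append("default password still set")
    if dev["upnp"] or 1900 in dev["ports"]:
        issues.append("UPnP/SSDP reachable")
    if dev["tls"] < 1.2:
        issues.append(f"TLS {dev['tls']} below 1.2")
    return issues

def compare_scans(baseline: dict, current: dict) -> dict:
    """Return {mac: [findings]}: new/missing devices, changed tracked fields, weak settings."""
    findings = {}
    for mac, dev in current.items():
        notes = []
        base = baseline.get(mac)
        if base is None:
            notes.append("device not in baseline")
        else:
            notes += [f"{f} changed: {base[f]} -> {dev[f]}" for f in TRACKED if base[f] != dev[f]]
        notes += weak_settings(dev)
        if notes:
            findings[mac] = notes
    for mac in baseline.keys() - current.keys():
        findings[mac] = ["device missing from post-install scan"]
    return findings

if __name__ == "__main__":
    for mac, notes in compare_scans(BASELINE, POST_INSTALL).items():
        print(mac, "|", "; ".join(notes))
```

Feeding the integrator's real pre- and post-install scan exports into the two dictionaries turns the documentation Lanning asks for into a repeatable check rather than a one-time deliverable.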
Breaking Up Over Cybersecurity
Sometimes your cybersecurity expectations aren’t met. Breaches and vulnerabilities do happen, as cybersecurity risk evolves at a breakneck pace. The challenge is when your security partner, whether that’s a manufacturer or an integrator, fails to communicate potential vulnerabilities or neglects to address or investigate them at all to begin with.
So when is it time to move on? Switching vendors or integrators is often an expensive, painstaking process, but compared to the cost of a large-scale data breach (and the downtime or loss of profits and reputation it could entail), it could be worth it.
“Organizations need to have policy and procedure alignment,” says Fairchild of Microsoft. “Having the right partner(s) and working through issues is critical to security operations continuity. Organizations should look to replace partners if unresolved gaps exist in compliance, certification or lack of performance.”
According to Rodney Thayer, Convergence Engineer at Smithee, Spelvin, Agnew & Plinge, Inc., a consulting firm specializing in software engineering and risk management, enterprises should “change partners when it’s clear it will or has cost you too much money to cope with your current vendor supply chain member. Look at the total costs of accommodating primitive physical security solutions in a modern enterprise. Total cost of ownership from the top level may well find ‘cost per badge swipe’ should be optimized. Cost of cleaning up after weak physical security vendors (like that time the camera guy plugged both ends of a cable into the Cisco switch and caused a network storm that melted the security network…) may be such that the (on paper) more expensive vendor is cheaper in the long run.
“Change partners when you identify that you have significant cyber risks not being addressed by components in the vendor supply chain. Don’t use security cameras from vendors who refuse to fix bugs. Buy the more expensive camera – it’ll be cheaper the next time someone tries to hack you,” he adds.
Additional warning signs include a lack of cyber hygiene (including default passwords), a lack of awareness that customers want secure systems and a lack of available solutions that address common cybersecurity controls, Thayer adds.
Siler says that “end users should evaluate vendor partners on an annual basis, evaluating what the vendor did for them each year and when issues arose. Did they get the same level of support as the first year they shared a partnership? Warning signs for me are when my vendor does not reach out to me to offer improvements to their systems and tell me about new products or process improvement (if you are not getting better, then, by the nature of things, you are getting worse). Did the vendor show concern for how I am doing with what I have in use from them? It is equally important to assess how your vendor is doing as a company: Are they struggling as a business? Did they get taken over, and did that change your partnership in any way? Are their competitors doing so much better that your partner is now behind in the technology curve with an outdated product?”
Cybersecurity is a complex problem, but ignoring it or leaving it in its IT-bound silo is no longer a functional strategy. In fact, that concept could ignore benefits as well as risks. According to Fairchild, “Industry professionals consider the lack of convergence to be the greatest barrier in evaluating and mitigating cybersecurity risks. An organization’s existing cybersecurity tools can be leveraged to secure physical security assets. Physical security can protect IT logical infrastructure. Synergy could be realized when both cyber and physical security are converged systematically, leveraging unified policies and procedures.”