There are few discussions in the physical security business that don’t at some point focus on the topic of cybersecurity. One area frequently missing from these conversations is the importance of a trusted supply chain for manufacturers. Since a product is only as good as the hardware and software inside it, examining how something is built can give us rapid insight into its potential vulnerabilities and overall cyber worthiness. The NDAA (National Defense Authorization Act) ban is particularly focused on the subject of component sourcing for security devices. What is inside that device that could be exploited? Where did it come from? What do we know about the manufacturing process? These are all important questions about the manufacturing supply chain that need to be considered by anyone who cares about cybersecurity.
Supply chain responsibility
The easiest way to reassure customers that your system is compliant and cybersecure is to make everything yourself. However, that’s not always practical for the many companies who rely on third parties to supply critical components that they themselves do not manufacture. It’s also true that not every part (resistors, transistors, and more) has a cyber aspect that can be exploited, so worrying about or restricting products over individual piece parts is unnecessary. There are, however, many OEM and re-labeled products on the market in which companies utilize external third-party technology in the form of processing chips, codec modules, network interface components, and more to perform certain complex tasks that could potentially be exploited. This is where knowledge of the supply chain and manufacturing process becomes so crucial. It might be very difficult to get information about a company’s supply chain and processes, since disclosing such data may not be seen as an asset or selling point. When in doubt, try to find a manufacturer who creates and assembles as much of the technology ‘in house’ as possible. An ‘end-to-end’ solution will include not just the manufacturing and sourcing of trusted parts, but also the final assembly, QC and logistics, including management of the entire product lifecycle, updates and fixes included. Any reputable manufacturer should be willing to divulge where they source their parts, where their products are made and how they are tested; otherwise they may not be in full compliance with regulations like the NDAA.
Testing and certification
If a company tells you its products are cybersecure, should you just believe them? It’s important to look for independent verification. White hat hackers are frequently employed by responsible manufacturers to test products for vulnerabilities. Penetration testing specifically probes devices for a way inside. And since hacking techniques are always evolving, it’s important that testing is periodically repeated to expose new weaknesses, which must then be patched with firmware updates. It may seem like a no-brainer, but not every company is as diligent about continual testing and generating updates. Being able to fix weaknesses that are discovered after a product has been released to market is a critical component of cybersecurity policy best practices.
Until recently, there hasn't been any internationally recognized standard for cybersecurity for IoT products such as security cameras and supporting devices and software. The UL CAP (UL Cybersecurity Assurance Program) is a newer certification service designed to help organizations manage their cybersecurity risks and validate their cybersecurity capabilities to the marketplace. Products that achieve UL CAP certification go through rigorous testing and have had their processes vetted by an independent, respected agency. Choosing a product with UL CAP certification should provide end users with additional peace of mind.
Pandemic cybersecurity challenges
When you think of traditional cybersecurity defenses, IT departments try to silo their critical systems behind firewalls, sometimes choosing to have an ‘air gap’ between the most sensitive systems and the internet. With the pandemic and people working from home, IT departments may have unwittingly made their systems easy targets in the rush to get employees the access they need. Likewise, there are fewer “eyes” watching systems when no one is in the NOC (network operations center) looking for threats and noticing anomalies like before. Companies may have rushed to install additional cameras and access systems knowing their buildings would be empty for prolonged periods. In their haste, did they properly lock down their systems or did they just create new vulnerabilities?
Opening up and forwarding ports can be a quick way to give people access, but it can be a very risky way to solve the challenges of remote access. For security professionals, it might be a great time to investigate secure cloud access to systems. There are options that allow users to log in and gain access to their VMS and video feeds in seconds. Adding remote access for law enforcement or loss prevention teams should be simple, but not at the expense of cybersecurity and privacy. Remember to do your homework and choose vendors with a supply chain and process you can trust. Knowing your devices are cybersecure by design greatly simplifies the task of keeping your entire network safe during these challenging and unprecedented times.