The trusted supply chain and cybersecurity

Strong Cybersecurity: The Critical Role of Lifecycle Management

October 23, 2020

There are few discussions in the physical security business that don’t at some point focus on the topic of cybersecurity. One area frequently missing from these conversations is the importance of a trusted supply chain for manufacturers. Since a product is only as good as the hardware and software inside it, examining how something is built can give us rapid insight into its potential vulnerabilities and overall cyber worthiness. The NDAA (National Defense Authorization Act) ban is particularly focused on the subject of component sourcing for security devices. What is inside that device that could be exploited? Where did it come from? What do we know about the manufacturing process? These are all important questions about the manufacturing supply chain that need to be considered by anyone who cares about cybersecurity.

Supply chain responsibility

The easiest way to reassure customers that your system is compliant and cybersecure is to make everything yourself. However, that’s not always practical for many companies who rely on 3^rd parties to supply critical components that they themselves do not manufacture. It’s also true that not every part, (resistors, transistors, and more) has a cyber aspect that can be exploited. So, worrying or restricting products over individual piece parts is unnecessary. There are, however, many OEM and re-labeled products on the market in which companies utilize external 3^rd party technology in the form of processing chips, codec modules, network interface components, and more to perform certain complex tasks that could potentially be exploited. This is where knowledge of the supply chain and manufacturing process becomes so crucial. It might be very difficult to get information about a company’s supply chain and processes since it may not be seen as an asset or selling point to disclose such data. When in doubt, try and find a manufacturer who creates and assembles as much the technology ‘in house’ as possible. An ‘end-to-end’ solution will include not just the manufacturing and sourcing of trusted parts, but also the final assembly, QC and logistics including managing the entire product lifecycle including updates and fixes. Any reputable manufacturer should be willing to divulge where they source their parts, where their products are made and how they are tested, otherwise they may not be in full compliance with things like the NDAA.

Testing and certification

If a company tells you its products are cybersecure, should you just believe them? It’s important to look for independent verification. White hat hackers are frequently employed by responsible manufacturers to test products for vulnerabilities. Penetration testing specifically probes devices for a way inside. And since hacking techniques are always evolving, it’s important that testing is periodically updated to expose new exploits that must be patched with firmware updates. It may seem like a no-brainer, but not every company is as diligent about continual testing and generating updates. Being able to fix weaknesses that are discovered after a product has been released to market is a critical component to cybersecurity policy best practices.

Until recently, there hasn't been any internationally recognized standard for cybersecurity for IoT products such as security cameras and supporting devices and software. The UL CAP (UL Cybersecurity Assurance Program) is a newer certification service designed to help organizations manage their cybersecurity risks and validate their cybersecurity capabilities to the marketplace. Products that achieve UL CAP certification go through rigorous testing and have had their processes vetted by an independent, respected agency. Choosing a product with UL CAP certification should provide end users with additional peace of mind.

Pandemic cybersecurity challenges

When you think of traditional cybersecurity defenses, IT departments try to silo their critical systems behind firewalls, sometimes choosing to have an ‘air gap’ between the most sensitive systems and the internet. With the pandemic and people working from home, IT departments may have unwittingly made their systems easy targets in the rush to get employees the access they need. Likewise, there are fewer “eyes” watching systems when no one is in the NOC (network operations center) looking for threats and noticing anomalies like before. Companies may have rushed to install additional cameras and access systems knowing their buildings would be empty for prolonged periods. In their haste, did they properly lock down their systems or did they just create new vulnerabilities?

Opening up and forwarding ports can be a quick way to get people access but can be a very risky way to solve the challenges of remote access. For security professionals, it might be a great time to investigate secure cloud access to systems. There are options that allow users to log in and gain access to their VMS and video feeds in seconds. Adding remote access to law enforcement or loss prevention teams should to be simple, but not at the expense of cybersecurity and privacy. Remember to do your homework and choose vendors with a supply chain and process you can trust. Knowing your devices are cybersecure by design greatly simplifies the task of keeping your entire network safe during these challenging and unprecedented times.

Aaron Saks is Product and Technical Manager at Hanwha Techwin America.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

The trusted supply chain and cybersecurity

Supply chain responsibility

Testing and certification

Pandemic cybersecurity challenges

Recent Articles by Aaron Saks

How Artificial Intelligence is Going to Make Your Analytics Better Than Ever

High Megapixel Cameras – It’s Not Just About Quality

Modular Cameras Provide Flexibility, Ease of Installation and Cost Savings

AI – Where Are We Now and Where Are We Going?

Security Magazine

2020 November

The trusted supply chain and cybersecurity

Supply chain responsibility

Testing and certification

Pandemic cybersecurity challenges

Recent Articles by Aaron Saks

Related Articles

Report Abusive Comment