Attendees at the first annual Cyber:Secured Forum, held June 4-6 in Denver, Colo. and co-sponsored by the Security Industry Association (SIA) and PSA Security Network, were in for some sobering information on cyber security. If anyone came into it thinking they had it pretty well covered, they were likely quickly disabused of that notion. However, the overall tone of the event was far from hand-wringing. On the contrary, the whole point was to bring together experts from nearly every angle of the problem to share information and ideas on how the security industry can stay on top of a crisis it only identified in recent years.
Welcoming the attendees — around 250 of them — PSA President and CEO Bill Bozeman congratulated those in attendance, adding, “Why are we here today? Why not is the real question? There are so many opportunities to attend a cyber security event; but to my knowledge this is the only one that focuses on our niche…. My concern is for the people who are not here.”
The event featured a full day of panel sessions on Tuesday and another half day on Wednesday. Two evening cocktail receptions, breakfasts and lunches provided much-needed time to talk over what was being discussed and process the wealth of information. The first few panels on day one brought home the concept that there is virtually no part of the security industry ecosystem that is not at risk from cyber crime. In the opening session, Suneeta Hazra and Judy Smith, both of the United States Attorney’s Office in Denver, spoke about some of the ways cyber criminals attack and how companies can work with federal law enforcement in the event of a breach.
“We are seeing cameras that store information on the cloud that are subject to hacking as well as the home Internet of Things,” said Smith, who is chief of the cybercrime and national security section for the District of Colorado U.S. Attorney’s Office. “Vulnerabilities are being identified as hardware and software are not being updated. How do you push out an update to an Internet-connected refrigerator?”
These sentiments were echoed in the next session on harnessing cyber-physical technologies. Moderated by Ray Coulombe of Security Specifiers, the panel featured three tech industry experts from IBM, Microsoft and Intel talking about three key emerging technology trends and their impact on the security industry — IoT, AI and Blockchain.
“The way to think of IoT is we see everything around us as a computer with a particular function,” said Jeff Crume, distinguished engineer and security architect with IBM. “A car is a computer that takes us places. A refrigerator is a computer that keeps our food cold.” The problem, he added, is that computers can be hacked. “What does the world look like when everything in our lives can be hacked?”
Securing “everything” is a daunting task, but Crume stressed that it is not a time to “run for the hills.” The beginning of every solution is awareness, he added.
Artificial Intelligence builds on IoT in terms of capabilities, and also risk, said Matthew Rosenquist, cybersecurity strategist, Intel. “Malicious activity detection is kind of the holy grail of AI and security.... There is so much data being generated by everything that aggregating that and teasing out what is a security risk is a huge benefit, but with huge potential rewards come huge potential risks.”
While it can be misused, it is incumbent on the security industry to get the most benefit out of AI while minimizing the risks. The question, of course, is how?
Donal Keating, director of innovation and research for Microsoft Corp., suggested one potential way is the future use of Blockchain, something he called a true digital disrupter. “This is Uber on steroids — a secure, distributed shared ledger with an immutable and unchangeable record.”
Originally invented for bitcoin, Blockchain is now its own concept, and is used where trust is the most important factor. “In Blockchain you don’t need the central controller; the Blockchain itself will determine who owns what,” Keating explained. “This is super emerging technology we are talking about. Everything is still up in the air.”
Almost every session at the forum featured a healthy mix of concern with cautious optimism for a security industry that is now actively trying to get its collective mind around the problem and come up with a range of solutions.
The session that closed out the first day went in-depth into the NIST Cybersecurity Framework, using real world analogies to explain how it can benefit the security industry. Another session by John Savarese, senior cybersecurity advisor at UL, explained how the new standards are covering cybersecurity as well. “UL thinks of cyber security as an extension of safety,” he said.
Terry Gold, founder of research firm D6, went through a 10-step program the security industry could start to work towards. Pamela Passman, president and CEO of CREATe Compliance, announced that her firm will be launching a cyber readiness program in the fall to help small and medium-sized companies be more cyber-resilient.
One of the more fascinating presentations came from the hackers themselves. A panel of “ethical hackers” explained some of the services they provide, as well as a variety of ways to “invite” the good hackers to find problems for you. Katie Moussouris, founder and CEO of Luta Security, shared what bug bounties such as “Hack the Pentagon” can do and some of the other ways of going about it. However, the panel stressed the importance of taking this process one step at a time.
“In general, if you have at least started internally looking for some of the issues, you are already way ahead of the game in regards to the physical security industry,” said Valerie Thomas, executive information security consultant with Securicon LLC, which specializes in the security industry. “If you want to invite some third parties in, start by locking down some of the more embarrassing vulnerabilities using internal or private resources,” she advised. “Don’t try to drink from the firehose too fast. Maybe do an internal bounty first. The last thing you want is a very silly vulnerability splashed all over the popular online news outlets.”
She also suggested making sure any third-party hacking resources understand physical security systems. “Be sure to include in your RFI and RFP examples of what they have done in the physical security space. Walk before you run and be selective about your third party.”
Finally, she advised, “If you want to be a rock star of the integrator space, if you know you have 15 clients running a particular vendor you find has been impacted by a vulnerability, you would reach out to your clients and say ‘We have come into this information and we would like to talk to you about what this means to your environment.’”
In the panel “A CISO’s Perspective on Vendor Management,” Randall Frietzche, CISO, Denver Health, also stressed the importance of two-way communication between the security integrator and the end user’s information security officer, in addition to other departments such as physical security, human resources, etc.
“You are the expert. You are the one I call to come put things on my network. If you don’t know about the [cyber] security, you are not giving great service. It is a big advantage if you can be the one that understands that.” Frietzche strongly encouraged security integrators to work even more closely with CISOs going forward. “If you talk to the CISO, he will give you ideas like changing the default port and other things the security director may not know about.”
If there was one thing that was clear in all of the sessions, it was that virtually every level of the supply chain, from vendor to end user, has a role to play in cyber security. In the session “Being a Responsible Partner,” manufacturers Bosch Security Systems, Dahua Technology USA and Milestone Systems discussed the responsibilities they see manufacturers shouldering, as well as the role of the integrator and the end user.
“There are several things as a manufacturer we can be doing,” said Mike Sherwood, director, technical operations, Americas for Milestone. “Training is probably the most important, educating people on how to secure their systems, whether it is security by design, security by default or security by deployment.”
Sherwood admitted that as an industry overall, security is “a bit behind” others. “We have a bit of work to catch up.” However, he added, “I am really optimistic. It is a start just to have this conversation. The cure is in the awareness and if we are aware of it the cure is around the corner. I think it will be a different conversation next year.”
And rest assured, SIA and PSA are already planning for next year’s session. Stay tuned for more details as they are announced.