Dealer-operated and third-party central monitoring facilities are by no means exempt from the growing threat and risk of cyber-crime. In fact, their risk is expansive, covering internal operations, dealers (in the case of third-party monitoring) and subscribers. It extends from technicians in the field with laptops working on the customer’s network, to the client who loses an access control credential. While these facilities have historically been extremely hardened to protect their infrastructure and mandated by compliance and regulations such as UL, FM and now the NIST Cybersecurity Framework, new threats are emerging daily, especially as the world moves to an IP-connected landscape.
There is so much at risk that it’s hard to wrap your head around all the possible consequences. There is the risk of compromised customer data. Also to be considered is the new General Data Protection Regulation (GDPR), now governing the European Union, which can fine businesses millions of dollars for non-compliance and loss of privacy data. There is the reputation of the company at stake — difficult to put a price tag on.
What about the monitoring operations themselves? What if the power generator is hacked so backup is impeded in an emergency, or, if an alarm doesn’t come through? Unlikely, but these are the days and times in which we now live. How about internal email — where phishing and spoofing now runs rampant? Fact is, with many devices now IP-based the possible threats will continue to increase and magnify.
The Evolving Landscape
Cyber security is such a prevalent, overarching issue that the Security Industry Association (SIA) in its 2019 Security Megatrends Survey identified it as the No. 1 top factor influencing both short-term and long-term change in the global security industry — with a sweeping impact on almost all businesses.
Yet the central monitoring part of the story hasn’t been told. For the last several years the industry has focused on manufacturer equipment or large enterprise customers. Central monitoring stations have a critical need and obligation to protect signals and make sure the facility is hardened, inside and out.
“2018 was the year we finally started to take cyber security seriously,” says Rich Lyman, global technology manager for Netronix Integration, Danville, Calif., a Security-Net Partner. “It’s a complex subject and you need to have all kinds of internal methods for dealing with threats. Physical access control is how they are getting in and the biggest point of exposure is also people. Our industry is changing and now our systems are the ownership of the IT group. The balance of power has shifted and there is more risk; ignorance is no longer an excuse and it won’t protect you. You have to invest in employees and subject matter experts and it’s expensive,” he says.
Some in the industry say you’re only as good at your last software patch, but in addition to patches, passwords and firewalls it takes a comprehensive, holistic approach.
Cyber-crime is a growing and perpetual threat, according to Jim McMullen, president and chief operating officer of COPS Monitoring, Williamstown, N.J. “We’re always concerned and remain vigilant against threats to our systems by outside intruders. Anything with an IP connection, including IP alarm receivers, is potentially vulnerable. We use state-of-the-art firewalls and other security measures to ensure our network is protected. Even with the best protection, companies need to make sure they perform routine maintenance and have the latest software upgrades. For instance, the May 2017 Equifax breach that affected over 145 million Americans could have been prevented if they had implemented the security patch that was available for more than two months earlier.”
McMullen says COPS Monitoring has spent millions on its technical infrastructure and makes continual investments in leading technology to protect the integrity of its systems and customer data. “In 2017, we went a step further by hiring an outside firm to perform a Service Organization Control (SOC) 2 Type 1 attestation engagement report. The audit is a thorough process that examines and documents a company’s systems for security, availability, processing integrity, confidentiality and privacy. In 2018, we went a step further by obtaining our SOC 2 Type 2 certification, which ensures the operational effectiveness of our internal controls. In addition to our SOC 2 certifications, we have contracted with a leading firm to perform periodic network resiliency and penetration testing to ensure we are protected against hackers,” McMullen says.
Starting From the Inside
Untrained employees who aren’t educated on potential cyber risk and what to look for are often one of the greatest exposures to businesses, including professional monitoring operations.
“At The Protection Bureau, we are constantly working to make sure our customers and the central station is at the highest level of cyber competency,” says J. Matthew Ladd, president of the Exton, Pa., company, a Security-Net Partner. Ladd is an executive board member and Security-Net marketing chairman.
“It’s an interesting problem that’s been growing,” Ladd says. “In the early days of the alarm industry you didn’t have the internet, you had dial-up and analog, so with IP the threats are changing. We are dealing with our clients and our own networks. With our clients, we set up push notifications, so information from their systems is pushed out of their networks and nothing gets connected within. On our end, we are taking everything in, so it’s a little different. We have to make sure our ports are protected; that we have a way of information coming in from the customer that’s appropriate for the level of security we require. We are a managed service provider so we leverage the cloud. Information goes from the client to the cloud and back out to The Protection Bureau. With the cloud you have layers of security.”
There are multiple vulnerabilities for the central station, according to Ladd. “If a central station is left vulnerable or hacked your client’s data and their security is at risk. Your operators are your first line of defense and it takes continual education. Yes, it’s expensive. But that’s our business, keeping people updated. Now that we are connected into clients’ networks there’s a tremendous amount of work to do. Our technicians also have to be trained. Our technicians are working on computers, but where are these laptops they are using and how are they being secured? And what if they go to a client to program a system and pick up a virus and give it to another customer?” he asks.
Putting the Pieces Together
Cyber security is an all-encompassing practice that is best defended using multiple layers of process and technology. These range from thorough employee training and testing, solid IT practices and change management to the obvious steps of making sure that your network and systems are secure. The infrastructure should include these basics:
• physical components such as firewalls, spam filters, DMZ networks, network segmenting and isolation;
• software components such as endpoint protections, network monitoring applications, intrusion detection, logging applications;
• change management and process management;
• intrusion/penetration testing;
• employee training, testing and effective policy management;
• patch management for all hardware and software applications;
• multifactor authentication and password rules; and
• forensic tools to analyze any incidents that occur.
— Contributed by Morgan Hertel, vice president of technology and innovation, Rapid Response Monitoring Services
He also says that while The Protection Bureau has never been attacked successfully, attempts happen daily — defeated with the latest firewalls, intrusion detection hardware and other safeguards.
Baird Larson, vice president and director of technology at EMERgency 24 in Des Plaines, Ill., agrees that taking steps to protect the monitoring operations and customers from cyber threats starts with people and moves to technology.
“We have everyone background checked and in Illinois they are required to have a PERC or Permanent Employee Registration Card. Internally, we have redundancy beyond redundancy, including physical protection that includes underground fiber, multiple carriers and multi-homing for internet service providers and Border Gateway Protocol (BGP) to achieve internet connection redundancy. The next level is fully redundant routers, separate for each carrier. Behind those routers are multiple firewalls and hardware. Monitoring that equipment is important. We make sure we always have the latest software version and patching. Dealer web services go to a different network than our alarm communications. Our core monitoring system is on its own separate internal network, a proprietary umbilical cord so our core services aren’t affected.”
Larson says EMERgency 24 regularly sees attempts to gain access from all over the world — sequel attempted attacks and Distributed Denial of Service (DDOS) attempts. He adds that today, his dealer customers are tuned into cyber security because their end-user customers are asking what steps monitoring operations are taking to prevent possible attacks.
NMC, Lake Forest, Calif., is continually training its employees on safe cyber security practices, such as how to spot phishing emails, and focuses primarily on that area as well as the customer portal and network security. “We have added multiple layers of security to protect against malicious email and websites. Having the ability to quarantine and sandbox traffic is a key ingredient in preventing threats from spreading,” says Faraaz Kolsy, network administrator, NMC.
What’s Installed Counts
Kolsy says many risks are inherent to the business. “As most of the veterans in the industry know, equipment that deals with security can, at times, be very old. We need to encourage our dealers and customers to stay on top of their security practices. We are monitoring the hardware and equipment they place in the field, which means we are also at risk if we don’t enforce policies to ensure the devices that are part of the traffic flow are up-to-date and hardened by the same policies we have on our own systems.”
NMC deploys 24/7 SEIM (security information and event management software) that logs all server events in a central location and provides an index for researching and alerting on predefined problems, errors, attacks and patterns in real time, says Demian Valle, director of engineering. “We also use an external network monitoring service that provides port scans and notifies us of security vulnerabilities. We have sophisticated cloud-based antivirus and multiple layers of security in place for all web browsing. We have added a quarantine network to provide a way to silo threats if they come into the organization. It’s important to have a middle ground as no system will be 100 percent accurate. Creating security zones and isolating portions of the network is also important. The business requirements do not always allow for a perfect environment, however those slightly vulnerable portions can be zoned off. Using best practices with VLANs, DMZs and lateral firewalls we can create a secure environment.”
ION247, an IT-centric monitoring, cloud and SMB-focused business unit of parent company Star Asset Security, Orlando, a PSA Security Network member, offers a data/cyber Security Essentials program for clients and internally to all Star Asset and ION247 locations, employees and end points. The integrated managed service platform includes IT, data, cyber and physical security.
“We focus on intrusion, video, access control and all IP end points,” says Scott Anderton, vice president and managing partner, ION247. “We sell the whole IT and physical security piece to the small-to-medium business market as an outsourced managed services platform. The threat profile has moved to the SMB and cyber security is a new operating expense they have never had before. Although we work in the small- to mid-market, there were large enterprise customers that required these SMBs to have cyber security if they wanted to be a vendor, and that started driving SMBs to have these programs,” he describes.
Anderton says that the two different markets —IT and physical security — are now seeing physical security tucked under the CIO or IT stakeholder. “The main threat is the end point that is unprotected and that becomes the first point of attack. When you read about the Target attack, it was the operational systems that caused the hack so these are becoming the threat. Maybe it’s a Windows 2000 operating system that hasn’t been updated in years. The user thinks that because it’s opening and closing doors it doesn’t need to be updated and it’s doing a fine job. Security patches aren’t updated and then it’s vulnerable to attack.”
The Security Essentials program focuses on the user, often the starting point of an attack. “It starts with a simple email executable or a web page. We conduct an awareness and web-based training program every quarter to employees who are required to complete the program.
More Online
For more information about cyber security, visit SDM’s website where you’ll find the following articles:
“The Top 3 Misconceptions About Cyber Security & Access Control”
www.SDMmag.com/top-3-misconceptions-cyber-security
“When All Else Fails — Why Cyber Liability Insurance Matters”
www.SDMmag.com/why-cyber-liability-insurance-matters
“Cyber:Secured Forum 2019 Dates and Location Revealed”
Morgan Hertel, vice president of technology and innovation for Rapid Response Monitoring Services, Corona, Calif., also referenced the Target attack as a call-to-action for the industry. “It is crucial for us to maintain a safe network infrastructure and we will continue to explore future opportunities for service offerings in this area. However, an area that the industry should focus on now is keeping subscribers’ networks safe from exposure when adding tech to their networks. With the Target incident, the hackers came in through the energy management gear. Dealers add cameras, alarm panels, access control, etc., to networks daily. We need to focus on how to keep that equipment up-to-date and protected from exploits. Some larger integrators are starting up their own networks for security or selling cyber security through an acquired company. Independent dealers need to understand the exposure and partner with a provider that can help them develop a strategy to keep the devices they install safe and protected.”
Costly, but Necessary
Providing cyber security solutions entails investments and commitments, according to Morgan Harris, senior director, enterprise solutions for ADT, Newark, Del. “We have invested in building out the required infrastructure, which includes an advanced security operations center and two network operations centers. We have made several strategic acquisitions to build out our portfolio and have partnered with companies to offer firewall, endpoint and email security solutions.”
Harris says central stations are subject to the same threats as any other organization with the added complexity that comes with the amount of data that is processed daily. “Larger operations could handle up to 15.6 Petabytes of data per year from a wide variety of system events including app logins, panel arming and disarming, door locking, video captures and thermostat and lighting adjustments. At ADT, our central stations can expect to handle as many as 18 billion system events a year. Couple that with the number of IP devices that are monitored by the central station such as vulnerable cameras, alarm panels, access control systems and third-party networks — and the attack vectors increase exponentially. ”
Cyber security for the central station is an expensive endeavor that requires continuous process improvement to proactively identify threats that are continually changing with the rising sophistication of hackers or those with malicious intent. That means central station operators as well as technicians in the field must understand the potential impact.