Cybersecurity is a topic on everyone’s mind. Right now it seems there are more questions than answers, but one thing is certain: the issue is here to stay — cyberthreats are the new normal.
As with most new threats, ignorance and fear can lead to decisions that hindsight reveals were foolish or unhelpful; the case of Ryan White comes to mind. White was diagnosed with AIDS in 1984 after getting tainted blood in a blood transfusion. At the time, public understanding of the disease was almost nonexistent; teachers and parents rallied against allowing the 13-year-old to resume attending school, even though doctors said he posed no threat to other students. More than 30 years later, it seems hard to imagine a time when AIDS didn’t exist. However, understanding of the disease has improved dramatically, as has education and methods of preventing the spread of the disease.
While it seems hard to overstate the threats associated with cybersecurity, 30 years from now it will no doubt seem hard to imagine a time when cybersecurity wasn’t a normal part of life in the security industry — or in any industry, for that matter. By then, plans will be in place; prevention will be down to a science; and, hopefully, we will have found a way to at least effectively manage it. But it will always be here.
It is imperative that we get cybersecurity right even now, however. It seems a new story breaks almost daily about the latest breach, revealing the necessity of addressing the problem, managing it and preventing it. The good news is that as public awareness increases, more people are becoming educated about what they should be doing, or at least are asking what they should do.
The security industry’s foray into cybersecurity may be in its infancy, but in this high-stakes contest it is essential to start out with a head full of knowledge and both feet running.
AWARENESS ISN’T PREPAREDNESS
So where does the industry stand now? Well, although awareness is rising, and things seem to be moving in the right direction, we are nowhere near where we need to be. The industry in general has a long way to go, says Jeffrey Barkley, product manager, security products building technologies & solutions, Johnson Controls, Milwaukee. “We’ve talked to a number of integrators and a number of end users over the past year about cybersecurity specifically, and I would say that people are not as knowledgeable as they need to be; people are not doing some of the due diligence from a configuration and installation viewpoint; manufacturers are realizing that despite their efforts, there is still more they need to do on their end. Right now as an entire industry, we’re not all there.”
While there is still a great lack of understanding about the importance of cybersecurity, Bud Broomhead, CEO, Viakoo, Mountain View, Calif., says, there is less ignorance every day. “Not only is cybersecurity in the news frequently,” he says, “but end users now have more compliance and audit requirements on their physical security systems to address cybersecurity.”
The awareness that constant media coverage raises is a good start, says Dave Mayne, vice president of marketing, Resolution Products Inc., Hudson, Wis., but this high degree of awareness doesn’t necessarily translate into an understanding of what prevents a vulnerability or risk to any system. “People know devices can be hacked but don’t know how they can help minimize risk,” Mayne says.
There are other factors driving awareness as well. “As the scope of cybersecurity has broadened to a much larger portfolio of technology,” says Brad Hedgepeth, manager of technical services at G4S Secure Integration, Jupiter, Fla., “manufacturers are continuously addressing and notifying users of vulnerabilities in all types of security panels and everyday network appliances,” explaining part of the manufacturer’s role in raising awareness.
“End users are more and more aware of the importance of cybersecurity,” says Mathieu Chevalier, security architect, Genetec, Montreal, Canada. “We see more requests for proposals with cyber-related topics. I think the Mirai Botnet attack that hit last year (the botnet that enslaved an army of IP cameras) was kind of a wakeup call for a lot of people. Cybersecurity is frequently in the news, so end users are becoming aware of the importance and consequences of these issues.”
If the wisdom from 1980s G.I. Joe cartoons holds true and “knowing is half the battle,” then this is a good start, but with lots left to do. And as is the case with most threats, unless the risk is seen as a direct and catastrophic threat to a business, many fail to take steps to prevent a breach.
THE DATA-CRITICAL/NON-CRITICAL DISCONNECT
Ultimately, the biggest drivers of adoption of good cyber practices will be return on investment and risk mitigation. Companies are not going to invest heavily in cybersecurity unless it is profitable to do so — if good cyber practices either bring in more revenue or help their companies to run more efficiently, says Vince Ricco, technology partner manager for North America, Axis Communications, Chelmsford, Mass. Or they will need to see it as a necessary mitigation of imminent risks or liability.
“In many aspects,” Ricco says, “we are maybe just past the awareness phase over the past couple of years and moving into the understanding phase. There are, of course, entities with greater understanding and practical experience today.”
Those entities Ricco is referring to are the organizations that, because of the nature of their business, are forced to maintain the highest cybersecurity standards.
But is any one of the players responsible for taking the lead?
“We see the greatest participation [in cybersecurity] from people whose network is one of their key business processes,” Barkley says. “The interruption would be devastating to them — that’s the group we see pay the most attention to it, where there is the greatest collaboration between the IT team and the physical security team.”
Jeremy Brecher, CTO, Securitas Electronic Security, Parsippany, N.J., explains, “A bank has the money; they have information; they are staples of our economy in the U.S., so people want to destroy banks, steal from banks, and get information from banks. It’s so big, so massive, and so many different players will go after it — it forces them to pay attention to all the little details.”
End users fall into a couple of general categories, says Kristy Dunchak, director of product management, security products video and strategic programs building technologies & solutions, Johnson Controls. “We had customers where the network was critical to their operations, and those customers seemed to be much more knowledgeable of and care about cybersecurity. The second was really everyone else who maybe had the mindset that it probably won’t happen to me, and I don’t need be concerned about it.”
More than just whether a company sees the importance of securing its network, the particular risks an end user has will also determine its attitudes toward cybersecurity. Barkley describes cybersecurity as “what highly specialized teams in the IT group who are responsible for information are worried about. So what they’re worried about is the confidentiality, the integrity, the availability of data and systems. How to protect all of those things becomes very much a risk management issue, and so different companies have different issues.”
As general awareness rises, and the daily flow of media coverage about the latest breaches drives knowledge, regulations are sure to follow. Dunchak believes those regulations will help spread cybersecurity action to all verticals rather than just those that see it as critical. “Regulations are coming out that are requiring customers to put processes in place, and hopefully some more of those will drive the need in different verticals, and then that will hopefully help push the end user to set up their system so that it is cybersecure.”
Even for those who don’t see a cybersecure network as critical to their operation or who don’t face regulations, liability ought to give everyone pause, says Thomas Lienhard, director of business development, Artery Lock Security Integration, Reading, Mass. “There’s now the threat of litigation; if you screw up somebody’s security camera by having a power supply that fails, you pop a fuse when your coaxial goes down. But when you plug into someone’s network and that camera becomes an exploit portal for a denial of service attack, you’re on the hook. I don’t care what you signed; I don’t care about your terms of service agreement, what your maintenance contract says — if you designed it poorly, you’re on the hook.”
Lienhard says he believes attitudes have changed because liability is being enforced.
WHO SHOULD BE TAKING THE REINS?
Of the three major players in the security industry — manufacturers, dealers and integrators, and end users — everyone has a role to play in mitigating cybersecurity risks. Sean Murphy, regional marketing manager, Bosch Security Systems Inc., Fairport, N.Y., describes the roles like this: “As a manufacturer, we do our best to offer products that give dealers and integrators a set of smart tools to offer the system a robust level of protection. Those integrators and dealers that can adapt to the rapid pace have a significant opportunity to create extra value to the end users. They are in a unique position to offer initial planning and recurring support for the end user. End users play a big role here as well. This has to be a system-level approach. Would-be attackers are looking for the weakest spot to target.”
For many of the reasons already mentioned (especially return on investment), an integrator cannot singlehandedly take the lead. Brecher explains, “If I’m an integrator and I go to my customer and say, ‘I’m going to give you a differentiator. I am going to check your cameras every month and update them, update the firmware for vulnerabilities. I’m also going to run all the right security scans on your equipment; I’m going to certify all my technicians on cybersecurity practices — not only that, but I’m going to give all your cameras different passwords; I’m going to do all that for you.’
“And [the end users] say, ‘That sounds great, but I’m going to pay you only what I’m paying you today.’
“Now I’m going to say I can’t do that for free because my competitors aren’t doing that, and you’re not asking me to do it.”
For that reason, says Brecher, “if the requirement comes from the buyer, the customer, then people will be forced to elevate their training, their skillsets, their people — what they do.”
In essence, he says, a smart consumer will ultimately drive it.
Dean Drako, CEO, Eagle Eye Networks, Austin, Texas, also does not see the dealer as the main driver. “It really falls on the manufacturer and the knowledgeable end user to own the threat. Dealers in the IT space have never been expected to own this threat, so it seems unlikely that dealers in physical security will.”
Drako says security systems and connected devices are not getting more cybersecure. “Many are still made and designed in different countries around the world. The focus is on price, not on cyber or software quality. Very little has improved here. Even the best vendors (still) do not provide adequate firmware updates, alerts or messaging around cyber vulnerabilities.”
This all points back to a market that will be driven and steered by an educated end user.
Paul Kong, technical director, Hanwha Techwin America, Ridgefield, N.J., seems to verify this when he says, “End users tend to be reluctant buying products from manufacturers whose products have been compromised through recent vulnerability incidents. It is clear that there is a growing awareness of the importance of security for products handling personal information.”
“Even if [cybersecurity] is OK today, you need to look at it tomorrow,” Barkley says. “That’s why the end user is really one of the important people in this, because at the end of the day, they have a system. And whether or not the integrator continues to service that system is a choice [the end user] can make, but they’re the one who defines their needs.”
That’s not to say the integrator doesn’t have an active role and shouldn’t be helping guide and educate. “It’s a collaboration,” Barkley says. “The integrator could be watching the industry landscape and say, ‘Hey, there’s all this new malware out,’ and have conversations with the end user about possibly changing things, but at the same time, the end user needs to say, ‘We’re now storing massive amounts of data on these systems, and we need to make sure that that is properly protected and secure with confidentiality, so we need to do things differently than we did yesterday.’”
So while the end user will really have to be the main driver, a close working relationship fueled by constant communication between the end user and the integrator will be fundamental.
This collaboration between all parties is a theme for industry cyber preparedness. “It’s not one-and-done; it’s never ending,” Dunchak says. “You have to keep up your systems and watch for vulnerabilities. It is just one of the things that companies are going to have to continuously invest in. It’s a moving target.”
PREPARING TO PREPARE
Cyber awareness is certainly there, but what steps can an integrator or end user take to be proactive?
Part of that, Dunchak says, is ensuring that customers understand the depth of what they need to know about cybersecurity. “We try to educate our customers so they know that cybersecurity is important. We can’t just give them one document or checklist; they need to understand what cybersecurity is as a whole so they can ask the right questions.”
Integrators have many opportunities to educate themselves, Lienhard says. “Security industry professionals can go to factories; manufacturers offer that training. If it’s a few hundred dollars or if it’s free, get to a training class.
“We go to Axis training,” Lienhard says. “We hang all of the cameras, we do the wiring and the infrastructure stuff over at the Axis Communication center over in Chelmsford because they’re around the corner.”
Lienhard says if dealers and integrators can’t afford factory training, many manufacturers offer YouTube and online videos.
“And even if that is not sponsored by a manufacturer,” he says, “some guy with his webcam or some guy with a camera on a tripod is willing to give you his knowledge because he wants a little bit of feel good or a little bit of fame as a YouTube expert.
“There’s more than enough training available; you’ve just got to take the time to do it.”
There is also a need for dealers and integrators to partner with IT to combat direct attacks coming from inside the data center or on the corporate network, says Stuart Tucker, vice president – enterprise solutions, AMAG Technology, Torrance, Calif. “The security dealers need to be aware of cyberthreats and remediation tactics and to partner with the IT folks to protect against direct internal attacks through better physical security and practices.”
It is a war that no one has ever completely won or lost, Kong says. “The bad guys will always attempt to find ways to exploit vulnerabilities and the industry will continue to make various technological developments and secure our devices through awareness and a stronger understanding of the potential vulnerabilities of networked devices.”
Drako agrees: “There is no real winner in this war. Neither side is particularly organized. Calling it a war is not really accurate. It’s more like a free-for-all. Some will get hurt and some will steal some money. There are not really sides.”
It is doubtful the landscape will look so much like a free-for-all in 30 years — or even in five. By then, roles will be established and anyone in the security industry, along with consumers, will understand the necessity of being educated and taking steps to shore up their systems the best they can with the technology available.
Until then, we’ve got our work cut out for us.
Access Control Cybersecurity Checklist
To prevent the use of weapons of mass disruption, anti-hacking specifications for the access control system are not just a good idea, they are a must-have.
Farpointe Data created the following checklist for integrators to use as a guide for making access control systems more cybersecure.
Default Codes
- Don’t leave default installer codes in an unarmed state to be viewed or changed to create new codes.
- Find the default installer codes. Otherwise, hackers find them online using simple Google searches.
- Don’t use passwords embedded into shipped software code, especially when unencrypted.
Wiegand Red Flags
Because Wiegand is no longer inherently secure:
- Don’t provide credentials formatted in open, industry standard 26-bit Wiegand. Use custom Wiegand formats, ABA Track II magnetic stripe emulations or OSDP, RS485 and TCP/IP serial options.
- Use the “card present” line commonly available on today’s access control readers.
- Use MAXSecure, a higher-security handshake, or code, between the proximity card, smart card or tag and reader to ensure readers only accept information from specially coded credentials.
- Deploy smart credentials using Valid ID, letting smart card readers verify that sensitive access control data programmed to a card or tag is genuine.
- Provide two-factor readers including contactless and PIN technologies. Suggest users roll PINs on a regular basis. If required, offer a third factor, normally a biometric technology.
Employ These Simple Reader Implementation Techniques
- Install only fully potted readers, negating access to readers’ sensitive internal electronics from unsecured sides of the building.
- Use security screws, keeping reader mounting screws hidden from normal view.
- Embed contactless readers inside walls, not outside, hiding them from view. If not possible and physical tampering remains an issue, upgrade to ballistic- and vandal-resistant readers.
- Use reader cable with continuous overall foil shields tied to solid earth grounds in a single location to block signals from being induced onto the individual conductors.
- Deploy readers with a pig tail, not a connector. Use extended length pig tails to assure connections are not made immediately behind the reader.
- Run reader cabling through a metal conduit, securing it from the outside world.
Card Protection Solutions
- 13.56 MHz contactless smart cards provide increased security compared with 125 KHz proximity cards.
- Offer a contactless smart card solution that employs sophisticated cryptographic security techniques, such as AES 128-bit.
- Offer a cutting edge, highly proprietary contactless smart card technology such as Legic advant.
- Deploy DESFire EV1, which includes a 128-bit cryptographic module on the card itself, to add additional encryption to the card/reader transaction.
Leverage Long-Range Reading Systems
Use non-traditional credentials with anti-playback routines, such as transmitters, instead of standard cards and tags. Long-range transmitters let a reader be installed on the unsecured side of the door up to 200 feet away.
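The two Wiegand items above and the anti-playback point here can be seen side by side in code. The following is an added example written for this page, not Farpointe code: it encodes and decodes the public 26-bit Wiegand format to show that a captured frame is accepted every time it is replayed, then models a long-range transmitter whose credential carries a monotonically increasing counter protected by an HMAC tag, so the reader can reject replays and forgeries. The message layout (4-byte credential ID, 8-byte counter, 8-byte truncated HMAC-SHA256 tag) and the sample key are this example's own assumptions, not any vendor's protocol.

```python
"""Added example, not Farpointe code: (1) why a standard 26-bit Wiegand frame can be
replayed, and (2) a counter-plus-MAC credential of the kind a long-range transmitter
with an anti-playback routine would use. The frame layout is the public 26-bit format;
the transmitter message format and 8-byte truncated HMAC tag are assumptions."""
import hashlib
import hmac
import struct


def wiegand26_encode(facility: int, card: int) -> int:
    """26-bit Wiegand: even-parity bit, 8-bit facility code, 16-bit card number, odd-parity bit."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("out of range for the 26-bit format")
    data = (facility << 16) | card                   # 24 payload bits
    hi, lo = (data >> 12) & 0xFFF, data & 0xFFF       # each parity bit covers one 12-bit half
    even = bin(hi).count("1") & 1
    odd = 1 - (bin(lo).count("1") & 1)
    return (even << 25) | (data << 1) | odd


def wiegand26_decode(frame: int):
    """Return (facility, card), or None on parity failure. Nothing in the frame is secret,
    so a captured frame that passes parity is accepted every time it is replayed."""
    even, data, odd = (frame >> 25) & 1, (frame >> 1) & 0xFFFFFF, frame & 1
    hi, lo = (data >> 12) & 0xFFF, data & 0xFFF
    if even != (bin(hi).count("1") & 1) or odd != 1 - (bin(lo).count("1") & 1):
        return None
    return data >> 16, data & 0xFFFF


class RollingCredential:
    """Transmitter side: a per-credential secret key and a counter that only moves forward."""
    MSG_LEN = 12 + 8  # 4-byte id + 8-byte counter, then an 8-byte tag

    def __init__(self, cred_id: int, key: bytes):
        self.cred_id, self.key, self.counter = cred_id, key, 0

    def transmit(self) -> bytes:
        self.counter += 1
        body = struct.pack(">IQ", self.cred_id, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingReader:
    """Reader side: verify the tag, then reject any counter not strictly above the last accepted."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_counter = {cid: 0 for cid in keys}

    def accept(self, msg: bytes) -> bool:
        if len(msg) != RollingCredential.MSG_LEN:
            return False
        body, tag = msg[:12], msg[12:]
        cred_id, counter = struct.unpack(">IQ", body)
        key = self.keys.get(cred_id)
        if key is None:
            return False                                    # unknown credential
        expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                                    # forged or corrupted
        if counter <= self.last_counter[cred_id]:
            return False                                    # replay of an earlier transmission
        self.last_counter[cred_id] = counter
        return True


if __name__ == "__main__":
    frame = wiegand26_encode(42, 1234)
    print("Wiegand frame replayed twice:", wiegand26_decode(frame), wiegand26_decode(frame))
    key = bytes(range(16))  # constructed key; real keys come from the credential programmer
    tx, rd = RollingCredential(7, key), RollingReader({7: key})
    msg = tx.transmit()
    print("first use:", rd.accept(msg), " replay:", rd.accept(msg), " next use:", rd.accept(tx.transmit()))
```

Two practical notes. The reader in this example accepts any counter strictly greater than the last one it saw, so a transmission the reader never heard (a button pressed out of range) does not lock the credential out; production systems bound that with a window. And the scheme is only as good as the secrecy of the per-credential key held in the reader, which is why the potting, security-screw and conduit items in the next section matter for the reader as much as for the wiring.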
Assure Anti-Hacking Compatibility throughout the System
Open Supervised Device Protocol (OSDP), the Security Industry Association’s communication standard, lets security equipment, such as cards and readers from one company, interface easily with control panels and equipment from another manufacturer.
— Contributed by Scott Lindley, president, Farpointe Data
Evaluating Video Surveillance Cybersecurity
In today’s world, it is imperative to protect all facets of your system — streaming and recorded video, edge and recording devices, and servers. This is key to achieving the highest standards in end-to-end data security.
The easiest way to assess strengths and vulnerabilities of video systems is to evaluate how data is handled at rest, in motion and in use with a threat vector.
Streaming Video (data in motion — threat low): The threat of streaming video being intercepted is low, but the knowledge that data from an IP address is video gives an attacker a non-PC target to leverage. Therefore, video devices should:
- be able to utilize HTTPS communications with certificates to ensure secure communications, including control channels and video payload;
- be equipped with a trusted platform module to store certificates utilized in secure network scenarios — 802.1x and public key infrastructure; and
- have features for disabling certain protocols, such as ICMP, Telnet, and FTP.
Recorded Video (data at rest — threat medium): To be admissible in court, data must comply with Federal Rules of Evidence, and authenticity affects admissibility.
- If video drives are accessible via network share, and the NVR writes video in a base file format such as AVI, G64 and MKV, they are subject to tampering.
- If written in a readable format, video should be encrypted to reduce accessibility and tampering.
- Hashing provides the “data fixity” of a file and is a form of authenticity that is admissible. Older forms of authenticity, such as watermarking, can be considered tampering.
- The VMS should protect original incident video beyond the system’s retention time for instances of prolonged court cases.
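The “data fixity” item above is worth seeing end to end. The following is an added example, not part of the original sidebar: it writes a SHA-256 manifest for a folder of exported clips at export time, and a verifier later recomputes every hash and reports files that were modified, are missing, or were not in the manifest. The file names, the manifest name and the clip contents are constructed for the demonstration and are not real video.

```python
"""Added example (not part of the original sidebar): a SHA-256 fixity manifest
for a folder of exported video clips, plus a verifier that reports modified,
missing and unlisted files. File names and contents are constructed; the bytes
written in demo() are not real video."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20                        # hash in 1 MiB chunks so large exports need not fit in memory
MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name, chosen for this example


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _export_files(export_dir: str) -> list:
    """Regular files in the export folder, excluding the manifest itself."""
    return sorted(n for n in os.listdir(export_dir)
                  if n != MANIFEST_NAME and os.path.isfile(os.path.join(export_dir, n)))


def write_manifest(export_dir: str) -> dict:
    """Record name -> SHA-256 for every clip at export time and store it beside the clips."""
    manifest = {name: sha256_file(os.path.join(export_dir, name)) for name in _export_files(export_dir)}
    with open(os.path.join(export_dir, MANIFEST_NAME), "w") as f:
        json.dump({"algorithm": "sha256", "files": manifest}, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(export_dir: str) -> dict:
    """Recompute every hash and classify each file. A non-empty 'modified' or 'missing'
    list means the export no longer matches what was recorded at export time."""
    with open(os.path.join(export_dir, MANIFEST_NAME)) as f:
        recorded = json.load(f)["files"]
    present = set(_export_files(export_dir))
    result = {"ok": [], "modified": [], "missing": [], "unlisted": sorted(present - set(recorded))}
    for name, digest in sorted(recorded.items()):
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(os.path.join(export_dir, name)) == digest:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    return result


def demo() -> tuple:
    """Constructed scenario: two exported clips; after the manifest is written, one clip
    is altered in place by a single byte. Returns (verification before, verification after)."""
    with tempfile.TemporaryDirectory() as export_dir:
        clips = {"cam01_incident.mkv": bytes(range(256)) * 64,   # constructed bytes, not real video
                 "cam02_incident.mkv": b"\x00" * 4096}
        for name, data in clips.items():
            with open(os.path.join(export_dir, name), "wb") as f:
                f.write(data)
        write_manifest(export_dir)
        before = verify_manifest(export_dir)
        with open(os.path.join(export_dir, "cam01_incident.mkv"), "r+b") as f:
            f.seek(100)
            f.write(b"\xff")                                    # one changed byte breaks fixity
        after = verify_manifest(export_dir)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

One caveat for anyone using this in practice: a manifest stored beside the clips can be rewritten by the same person who alters a clip. Keep a copy of the manifest (or at least its own hash) somewhere the export folder cannot reach, such as the incident record, so the verifier compares against a value the tamperer could not update.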
Playback and Export (data in use — threat medium): Unrestricted access to recorded video can cause legal and HR incidents.
- The VMS should provide granular privileges concerning the export, deletion and protection of recorded video.
Weaponizing IP Cameras (threat high): There are several considerations that need to be reviewed before placing an IP camera on a network:
- The OS should be closed and run in limited memory space.
- Only digitally signed firmware should be able to be written to the device. Devices that can run third-party apps can be weaponized.
- Common ports should be disabled by default. More open ports mean more opportunities to leverage a device or its services.
- Devices should utilize HSTS to protect against protocol downgrade attacks and cookie hijacking, and to force an HTTPS connection.
- Devices should have a built-in firewall to prevent dictionary attacks from botnets.
- Devices should force passwords that adhere to policies, such as length and complexity.
- Vendors should have a secure chain of custody during the manufacturing process and through to the final sale to prevent tampering.
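Several of the items in this list, and the default-code items in the access control checklist earlier, can be checked against a device before it is put on a network. The following is an added example written for this page, not the sidebar author's code: it audits a constructed `ss -ltn`-style listing of a camera's listening ports, the HTTP response headers of its web interface, and the administrator credential in use, flagging legacy cleartext services, a missing or short HSTS policy, factory-default credentials and weak passwords. The sample output, the default-credential list and the password policy thresholds are illustrative assumptions, not taken from any vendor.

```python
"""Added example (not from the original checklists): a small configuration audit
that applies the items above to a networked security device, using constructed
input: an `ss -ltn`-style listing of listening ports, the HTTP response headers
of the device's web interface, and the administrator credential in use."""
import re

# Cleartext or legacy management services the checklists say should be disabled.
LEGACY_SERVICES = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http (cleartext)", 161: "snmp"}

# Constructed list of factory defaults an attacker would try first; not from any vendor document.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "12345"),
                       ("admin", "password"), ("root", "root"), ("installer", "1234")}


def parse_listening_ports(ss_output: str) -> set:
    """Return the TCP ports in LISTEN state from `ss -ltn`-style output (header line skipped)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ports.add(int(fields[3].rsplit(":", 1)[1]))   # local address looks like 0.0.0.0:23 or [::]:443
    return ports


def hsts_max_age(headers: dict):
    """Return max-age from a Strict-Transport-Security header, or None if absent or malformed."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def password_findings(username: str, password: str) -> list:
    """Apply a length/complexity policy (thresholds assumed) and reject known factory defaults."""
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("default credential still in use")
    if len(password) < 12:
        findings.append("password shorter than 12 characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("password uses fewer than 3 character classes")
    if username and username.lower() in password.lower():
        findings.append("password contains the username")
    return findings


def audit_device(ss_output: str, headers: dict, username: str, password: str) -> list:
    """Combine the checks; an empty list means every item in this constructed policy passed."""
    findings = []
    ports = parse_listening_ports(ss_output)
    for port in sorted(ports & set(LEGACY_SERVICES)):
        findings.append(f"legacy service listening: {LEGACY_SERVICES[port]} (tcp/{port})")
    if 443 not in ports:
        findings.append("no HTTPS listener")
    age = hsts_max_age(headers)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < 31536000:
        findings.append(f"HSTS max-age too short ({age} s)")
    findings.extend(password_findings(username, password))
    return findings


# Constructed sample: a camera as shipped, and the same camera after hardening.
FACTORY_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:554       0.0.0.0:*
"""
FACTORY_HEADERS = {"Server": "camera-httpd", "Content-Type": "text/html"}

HARDENED_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:554       0.0.0.0:*
"""
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Content-Type": "text/html"}

if __name__ == "__main__":
    for label, ss, hdrs, user, pw in (("factory", FACTORY_SS, FACTORY_HEADERS, "admin", "12345"),
                                      ("hardened", HARDENED_SS, HARDENED_HEADERS, "admin", "Vr7#kq2pL9!sWx")):
        print(label, audit_device(ss, hdrs, user, pw) or ["no findings"])
```

The port listing here is taken from the device itself; an external scan of the same device is the natural second check, since a service bound only to a management VLAN and a service reachable from the camera network are different risks.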
Attacking Servers and NVRs (threat high): Most VMS servers and NVRs reside on a Windows or Linux operating system. Both have vulnerabilities. The most current updates and patches must be applied.
- Ensure the VMS can work with a firewall up, with anti-virus software and within network policies. This includes hardened passwords, restricted physical and network access, and disabling USB ports.
— Contributed by David Brent, network video and cyber training engineer at Bosch Security Systems Inc.
Proprietary or Open Operating System?
Historically, security panels were dedicated computing devices designed for the sole purpose of performing intrusion detection functions. The firmware running in the panel was designed by the manufacturer and embedded in the panel’s processor.
In recent years, there has been a push by many panel manufacturers to promote “open-architecture” security panels that run a version of Linux or Android, leveraging the wide range of application development libraries — and to some degree benefiting from continued investment by the OS community in establishing cybersecurity defenses.
A downside of the proliferation of these types of platforms, however, is that they have become a popular target for nefarious activity. These operating systems are specifically designed to run multiple applications and on a broad range of device platforms. As a result, the benefits they bring to the manufacturer also become potential liabilities in the security world.
There are some modern security and automation platforms that deliver IoT connectivity, but do so while retaining the benefits of the dedicated security operating environment. For instance, Resolution Products offers the Helix, which was designed with several key cybersecurity measures in mind:
- The operating system was designed specifically for the target platform.
- Unlike Android or Linux, it is not capable of installing or running arbitrary external processes. All new services must be integrated directly into the Helix firmware, which can be accessed only by Resolution.
- It is significantly smaller than Linux or Android, greatly reducing the attack surface and making it more challenging for hackers to penetrate.
- It avoids the complicated issues of when and how to update Android or Linux components that routinely need to be patched, often to address security vulnerabilities.
- Helix doesn’t have a built-in user interface. Rather, user smart devices are leveraged for this function, and are isolated from the core Helix processes by encrypted connections. This frees the Helix operating system of the complexity and security vulnerabilities inherent in user interfaces.
- A side benefit is that firmware updates are extremely fast and can be accomplished without additional cost to dealers.
The benefits outlined above are common to many connected devices built around proprietary operating systems. The lack of any publicly available documentation for the operating system, the absence of any open-source tools or developer community, and the inability to modify the device firmware are all important roadblocks to would-be hackers. While these provisions in themselves are not sufficient to protect against all threats, they greatly reduce the vulnerabilities experienced by many of the open operating system devices on the market today.
— Contributed by David Mayne, vice president of marketing, Resolution Products Inc.