In an increasingly interconnected world, where the boundaries between the physical and digital realms continue to blur, the imperative of cybersecurity has become paramount. Nowhere is this more evident than in the design and deployment of physical security products and systems, where the very technologies that are supposed to protect us are under constant threat from the hidden world of cyber adversaries.

Manufacturers and security integrators find themselves at the forefront of this battle, tasked not only with delivering cutting-edge security solutions but also with fortifying their products against relentless cyber threats. The stakes could not be higher. Cybersecurity Ventures estimates the cost of global cybercrime will hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. This amounts to the greatest transfer of economic wealth in history, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined, according to the publication’s 2022 Cybercrime Report.

Ahead, security professionals from across the ecosystem explain the multifaceted cybersecurity issues that permeate the physical security industry. They uncover the proactive steps and innovative strategies being employed to navigate the ever-evolving terrain of industry-specific regulations, emerging technologies, shifting customer expectations and more.

Sizing Up Cybersecurity Best Practices

 As they install, configure and manage security systems, security integrators face the arduous responsibility of ensuring that the technologies they deploy are not the weak links in the security chain. More than anything, it’s the design and segmentation of the network itself and its nodes that can create or mitigate vulnerabilities, explains Carey Boethel, president Allied Universal Technology Services, Irvine, Calif.

“On many occasions, IIoT (Industrial Internet of Things) devices, such as surveillance cameras and HVAC controllers, have been used as attack vectors into a corporate network to create distributed denial of service (DDoS) attacks, and the associated damages have been immense,” he says.

“More than anything, it’s the design and segmentation of the network itself and its nodes that can create or mitigate vulnerabilities.”
CAREY BOETHEL, Allied Universal Technology Services

Boethel, who is featured on this month’s cover, says Allied’s best practices include segmenting and hardening the network itself; using strong passwords when configuring IIoT devices; selecting equipment that uses signed certificates for encryption whenever possible; configuring the system software such that administrative rights are clearly defined and partitioned; and ensuring that there is an accurate log of equipment installed so that patches and updates can be effectively administered down the road.

“We are also very keen on sharing ideas and best practices so that we stay in front of today’s ever-evolving threat environment,” Boethel says. “Rachelle Loyear, vice president of integrated solutions for Allied Universal, sits on SIA’s Cybersecurity Advisory Board, which has made tremendous strides in improving the cyber-resiliency of the physical security industry. We follow their guidance and fully endorse their efforts.”

Allied is also a big proponent of involving its clients’ IT departments in the design and implementation of the solutions they provide. “Most end-customers usually insist on this, but in the event they don’t, we always recommend it. As simple as that sounds, we feel it is critical,” Boethel adds.

One of Ollivier Corp.’s regional security operation centers
Improvements related to user and password management as well as SSO capabilities across enterprise systems and physical security systems can aide in a more secure operation of physical security systems. Pictured: One of Ollivier Corp.’s regional security operation centers. // IMAGE COURTESY OF OLLIVIER CORP.

Dean Drako, founder and CEO of Eagle Eye Networks, Austin, Texas, strongly advises that integrators establish absolute clarity with the end customer on who will take responsibility for cybersecurity measures. For example, if multiple Windows servers are installed at the customer site, who is going to make sure the equipment is constantly patched to safeguard the OS? There is also the necessity of making sure the antivirus software and other licenses are updated on all the servers.

How responsibility is assigned can vary depending on the project. An end user with a strong IT department will often keep cyber hygiene duties in-house, electing to follow their own policies and procedures. But other customers may say, “You installed this, you need to maintain it,” Drako says.

If the integrator assumes responsibility, then that obligation must be taken seriously. “And they need to charge the customer money for it,” Drako says. “It’s not something you can do once and be done. It requires continuous attention. There may be a firewall involved. Who configures the firewall? Who upgrades the firewall? Who maintains the firewall? Who makes sure that nobody makes changes to the firewall and puts vulnerabilities in it? It is a whole other area of agreeing who has responsibility — the IT department or the reseller?”

Wayne Dorris, program manager, cybersecurity, Axis Communications, Chelmsford, Mass., also invokes establishing responsibility as a key best practice for integrators. Along with firmware and software updates, another important aspect is vulnerability updates. Integrators, he says, must establish who is responsible for informing whom and have a plan in place if the patch update will need to occur outside of the normal update/change plan.

“Each end customer is different, so ensuring you are following their required polices is a good place to start,” Dorris says. “Some things to consider when building a strategy with your customer are pre-deployment user account and password policies; security controls like which encryption standards (AES 256, RSA 2048, etc.) and which TLS level are supported on the network; and which protocols on devices should be on or off (SSH, discovery protocols, etc.).”

Because physical security systems are becoming more and more similar to IT systems, as a general rule IT security best practices are therefore becoming more applicable for physical systems, says Mathieu Chevalier, principal security architect & manager, Genetec, Montreal.

“It’s critical that physical security practitioners understand that any application connected to the internet or to a broader network requires critical attention as it poses a potential risk to their organization,” Chevalier says. “IoT edge devices, such as cameras or card readers, are a known attack surface and organizations need to put solid governance in place with this knowledge in mind.”

Emerging Cybersecurity Trends: A Glimpse Into the Future

Peering into the horizon of cybersecurity, sources say the path ahead is rife with both formidable challenges and opportunities, with emerging technologies and evolving threats shaping a dynamic future for the industry.

“My view is that the video surveillance system that we sell and that the integrators sell is going to grow more complicated and more important to the customer,” says Dean Drako of Eagle Eye Networks. “And that’s because of the AI that the system will be able to do. The cameras are going to become more valuable, more integrated into the customer’s business, perform more functions than they have traditionally.”

As Drako explains, integrators will need to gain a deeper understanding of the customer’s business moving forward as end user expectations evolve. For example, where security cameras have long provided forensics, liability protection, and business intelligence, among other capabilities, nowadays customers increasingly want those functions to be automated. Thus, a tighter relationship with the customer will be requisite to meet these expanded expectations, Drako says.

“The challenges of the future are going to be that the systems that we do for video surveillance get more integrated into the customer systems, and so the cybersecurity dangers become larger,” he adds. “The importance of this cybersecurity is going to increase significantly for the dealers as they get plugged into the customer more.”

Justin Stearns of Chimera Integrations describes the future in almost existential terms, with a changing industry landscape potentially thrusting significant pressures on physical security integrators to alter the makeup of their organizations. An intensely competitive job market for technicians with cyber and IT IQ, not to mention spiking payrolls, is fueling such a scenario. For instance, a prominent communication technology company recently lured away from Chimera a skilled technician by offering him a hefty pay raise.

“I think down the road it’s us working with a lot more electrical contractors and doing almost zero wiring at all, and honing our team in on programming and termination and final hookup,” he says. “But then it’s also not allowing our industry to be hijacked by other industries. How do you stay relevant when you’ve got companies like Cisco selling to the customer? And how do we stop the MSPs from taking our industry? Our readers are PoE. Our controllers are PoE. Even light systems are all LED and PoE. Who is going to own that world?”

There has to be a closer partnership with cybersecurity companies and integrators that are providing physical security to better protect their clients and themselves, expresses Chris Maulding of AlchemyCore.

“A lot of people look at cybersecurity and they think, ‘Oh, that can’t happen to me.’ It’s not a matter of if; it’s a matter of when. And it’s just the ability to work closely together, staying each in our own lanes, but assisting one another in understanding the needs of the client and themselves,” he says. “We have to meet in the middle. Right now, there is a very big space in between the two. AlchemyCore’s goal is to try to bridge that gap and bring us together to work closer with integrators.”

With an ever-changing threat landscape and attacks on devices and networks only increasing, manufacturers in particular must adapt and improve cybersecurity capabilities in order to be accepted onto customers’ networks, says Wayne Dorris of Axis Communications.

“Customers expect manufacturers to keep up with major cybersecurity themes like Zero Trust, which utilizes zero touch onboarding of devices and auto provisioning of certificates and security controls — and many won’t implement solutions on their network environments without them,” he adds. “As physical security manufacturers adapt products and protocols for these types of capabilities, integrators will also have to adapt, and as a result their technicians will need more IT knowledge and skills.”

In terms of challenges, Carey Boethel of Allied Universal Technology Services says the continued proliferation of IIoT and distributed computing, coupled with improved connectivity made possible by 5G, will exponentially increase the number of network nodes that must be secured in a system.

“With the expanded IIoT ecosystem comes considerably more critical data, much of which is sensitive, that must be protected at the edge, on the network and at its core,” he says.

Another challenge is the industry itself, Boethel comments. Unfortunately, physical security controls are mostly implemented reactively. It often takes an incident to spur protective action or major infrastructure upgrades. “Aside from regulated industries, there is little proactive effort to modernize aged systems,” he explains. “This haphazard modernization creates ample opportunities for hackers to exploit vulnerabilities in systems that were not designed with today’s ever-evolving threats in mind.”

Boethel looks to artificial intelligence (AI) as an opportunity and a means to improve cybersecurity. He explains AI is capable of monitoring, analyzing, detecting and automatically responding to cyber threats in real time. Over time, AI algorithms are capable of developing a baseline of acceptable network behaviors.

“Comparing real-time activities using context analysis with that baseline, anomalies can be identified and addressed immediately,” he says. “By analyzing massive amounts of data to detect network access patterns that are indicative of cyberattacks, AI can quickly automate incident response by denying access until validation of the user’s intent.”

Will Knehr of i-PRO also points to the rising disruption of AI across the cybersecurity realm — both for malicious intent and the betterment of cyber hygiene.

“There is no doubt about it, ChatGPT has changed the game when it comes to AI. These cyber-attacks have become a lot more sophisticated. For example, one of the easiest ways to identify a phishing email was the bad grammar or the poor logos. Now ChatGPT can generate an outstanding fake email for you. ChatGPT can copy code off of sites that you can use to regenerate logos. There are thousands of these tools that can be used to make really convincing hacking emails.”

These days a cyberattack can look much different than those in the recent past. What used to be a manual exercise, now once inside a network a hacker can unleash automated, AI-enabled tools to carry out their network invasion in search of vulnerabilities.

“Now AI is capable of doing millions of tasks per hour,” Knehr explains. “So they could go in immediately and start scraping emails, immediately start pulling any usernames and passwords, they can immediately start exfiltrating data while simultaneously installing ransomware or installing Trojans or installing worms or viruses or whatever else on the systems. So, they’re capable of moving at the speed of computers, instead of moving at the speed of humans.”

Grim, indeed. But don’t color Knehr a pessimist. He is quick to explain that on the opportunity side of the house, AI systems will soon be capable of performing a lot of the manual cyber hygiene tasks such as device configuration and device hardening.

“I think we’re real close to that being like a regular piece of software. Someone is going to make a piece of software that just goes out, automatically touches your IoT devices, automatically logs in, configures them, hardens them, makes sure they’re pre-configured with best practices,” he describes. “It will go out and change the passwords. It will do a lot of these manual tasks that frustrates people and drives them nuts. And it’s going to do them automatically.”

As part of a testing and assessment regimen for their product deployments and integration processes, integrators should have some understanding of how to perform basic vulnerability scanning, says Chris Peckham, COO of Los Angeles-based managed security provider Ollivier Corp.

“Depending on how the products are specified or selected, many times known risks will need to be mitigated by deployment options as components are installed,” Peckham explains. “Ideally, vulnerability testing and pen testing for the software and user interface can be performed. However, the costs and skills necessary for some of these tasks cannot be supported by the integrator and other partners or OEM vendors need to be brought into the process.”

“Each end customer is different, so ensuring you are following their required polices is a good place to start.”
WAYNE DORRIS, Axis Communications

A “secure framework” in the context of cybersecurity typically refers to a structured and comprehensive set of guidelines, best practices and principles that organizations can follow to enhance their security posture. Following a secure framework — such as the NIST Cybersecurity Framework and ISO 27001 — can give integrators a solid foundation of practices to put in place, says Will Knehr, senior manager of information security and data privacy for i-PRO Americas, Houston. This includes how to deal with that ever vexing issue of password administration.

“What I would recommend for integrators is get a password vault,” Knehr says. “Get something that generates and stores passwords for you. That way you don’t have to memorize them all.”

He also suggests referencing manufacturer hardening guides as a best practice. Especially beware of deploying devices without applying good cyber-hygiene. Knehr says too many devices are essentially installed as-is straight out of the box, which can lead to dangerous vulnerabilities.

“Many of these devices have services like SSH (Secure Shell protocol), ONVIF and SNMP (simple network management protocol). A lot of times these services are turned on the device that don’t really need to be because they aren’t actively using them. An attacker can take advantage of them,” Knehr says. “I look at services like windows on a house or doors on a home. You only want to unlock the ones or leave open the ones that you absolutely need; otherwise, you’re creating all of these different avenues for someone to break into your house. Lock those devices down as much as possible.”

Need for Secure Installation & Integration

What are the top considerations for security integrators when installing and integrating physical security equipment to ensure cyber secured environments?

For starters, Chevalier advises, begin with a thorough assessment of potential physical and cybersecurity threats specific to the installation site. Identify potential risks, including physical threats, cyberattacks and insider threats.

“Develop and enforce clear security policies and procedures for the installation, operation and maintenance of all security equipment,” he says. “Establish protocols for incident response, access control and data handling.”

Chevalier also suggests the following:

  • Choose reputable vendors that prioritize cybersecurity and provide equipment with built-in security features. Verify vendor compliance with industry standards and best practices.
  • Use multifactor authentication (MFA) where possible to enhance authentication.
  • Use strong encryption protocols for communication between security devices and central systems.
  • Ensure that security equipment uses strong, unique passwords and secure authentication mechanisms. Regularly change default passwords and credentials.
  • Establish a process for monitoring and applying firmware and software updates to address vulnerabilities. Test updates in a controlled environment before deployment.
  • Ensure compliance with relevant industry regulations and standards and conduct regular audits to assess compliance with security policies and regulations.
  • Regularly back up critical data and configurations.
  • Conduct penetration testing and vulnerability assessments to identify and remediate weaknesses in the security infrastructure. Test the system’s resilience to various attack scenarios.

Chris Maulding
AlchemyCore CTO Chris Maulding works with security integrators to assist them in the role of subject matter expert on cybersecurity matters with their end customers. // IMAGE COURTESY OF CHRIS MAULDING

When integrating multiple systems together, it’s important to understand — as well as track and record — each component’s current version and the project update or upgrade frequency.

“Each manufacturer will continue to update and correct vulnerabilities in their latest releases, but in an integrated system all systems may not be able to support the newest updates, which could cause interoperability among the systems to break,” Dorris explains. “If this happens, and systems cannot be upgraded to the most recent release, it’s important to address vulnerabilities in an alternative way.”

Planning for future updates and patch management begins prior to installation and culminates with accurate record documentation at the completion of the installation, Boethel explains. Prior to deployment, Allied undergoes a patch compatibility check to mitigate the risk of introducing new issues to the environment. This phase ensures that patches are not only effective in addressing vulnerabilities, but also compatible with the current systems. Also as part of this planning, Allied develops a comprehensive rollback plan in case unforeseen complications arise during the deployment phase.

“Documenting physical security assets is a critical step in ensuring that future patches and updates are systematically implemented and that legacy vulnerabilities cannot be exploited,” Boethel says. “Only by knowing which devices are operating on specific versions of software and firmware will the end customer be able to identify potential vulnerabilities.”

Continuous monitoring and scanning tools can also be implemented to help identify vulnerabilities that might have been missed in routine updates, he adds. “This proactive approach to updates and patch management helps our client stay ahead of potential threats, reduce the risk of attacks and maintain optimal systems performance.”

Communication between the integrator and the end customer must play a central role if a cyber-secured environment is to be achieved. It’s an area of project planning that Drako finds sometimes lacking.

“I think what the channel could and should be doing better is discussing cybersecurity with their customer. So, first question: ‘We are bidding on the system and we’re putting this in. … How concerned are you about cybersecurity?’

“If the customer says they aren’t too worried about it, then you understand what you’re dealing with,” Drako says. “Most customers that are a reasonable size are going to say, ‘I'm concerned about it.’”

The integrator can then inform the customer that in order to ensure the system deployment is cyber-secured and remains secured, there will be a cost associated with achieving as much. Pose the question: ‘Would you like to take that cybersecurity responsibility? Or, do you want us to assist with it?’

“You can then talk about do we do some penetration testing on this? Do we do some SOC audits on it? Do we do password checks, password audits, etc.?” Drako suggests. “Getting to have a discussion about cybersecurity with the customer is an important missed opportunity and needs to be done.”

Navigating Cybersecurity Standards & Regulations

Deciphering the many requirements and compliance protocols found within industry-specific regulations or cybersecurity standards can often feel like navigating a complex labyrinth, or falling into a bowl of alphabet soup.

Cybersecurity regulations and standards are found throughout all industry sectors, and each has its own unique needs. Therefore, it’s important for security integrators to work with their end customers to understand the specific cybersecurity policies and regulations of their respective industries, explains Wayne Dorris of Axis Communications.

“For example, critical infrastructure has NERC/CIP regulations, particularly in the power generation sector. Healthcare has HIPPA and HiTech; government has FIPS, CMMC protecting CUI, and FedRAMP; and retail has PCI-DSS.”

Will Knehr of i-PRO says he likes to use the NIST Cybersecurity Framework (CSF) as his North Star. “I still think that’s the most comprehensive list of cybersecurity controls that exists out there.”

Oftentimes, Knehr explains, security professionals are unaware of what standards they are legally required to adhere to. For example, if you process any credit card data, compliance requires you to adhere to PCI DSS. If you don’t, the credit card companies can fine you and even take away your ability to process credit card data.

“So if an integrator is installing a security camera system or anything else inside of any environment that processes credit card data, that security system is technically supposed to meet PCI DSS standards,” he continues. “If it doesn’t they can be held accountable for that.”

Knehr says what he would really love to see is the security industry come up with its own security standard, and a good example to follow is PCI DSS.

“That standard was done by the credit card companies for credit card companies. And they did that ahead of getting federal regulation involved with it,” Knehr says. “They knew if they came up with their own standard, and they heavily enforced it, that they could then control it.”

Chris Maulding of AlchemyCore also advises that integrators familiarize their teams with NIST CSF, as well as the ISO 2700-1 standard. “The NIST CSF and the ISO 2700-1 aren’t necessarily certifications as much as they are compliance recommendations from the government,” he says. “Then you build off of those to get your other types of certifications, like your SOC 2 certification down the road for the client.”

SOC 2 is a widely recognized auditing standard developed by the American Institute of CPAs (AICPA). It is specifically designed for service organizations, which can include a wide range of businesses like data centers, software as a service (SaaS) providers, and managed IT service companies. Many organizations, particularly in the B2B space, require their service providers to be SOC 2 compliant. By achieving this certification, a company can meet a common customer requirement.

Aaron Saks of Hanwha Vision America notes that many customers are now asking for FIPS 140 compliance as a baseline for cybersecurity protection for security cameras. FIPS 140 does not directly apply to the manufacturing of video surveillance cameras themselves, but it can be relevant in the context of systems that incorporate encryption and cryptographic functions. For example, many security cameras have onboard storage capabilities. FIPS 140-compliant encryption can be used to protect the data stored on these devices, ensuring that recorded video footage remains confidential and tamper-resistant.

“There is also the UL Cyber Assurance Program that certifies a camera’s cybersecurity,” Saks says.

Also referred to as UL CAP, the certification program is specifically designed to assess and certify the cybersecurity of network-connectable products. The program helps manufacturers and organizations demonstrate that their products have met certain cybersecurity standards and best practices, assuring customers and stakeholders that the products are secure.

There are a number of specific industry standards for physical security products like UL 2900-2-3, but those are more relevant to manufacturers, explains Mathieu Chevalier of Genetec. He also notes among the many industry-specific cyber standards are those developed by the North American Electric Reliability Corp. (NERC), which are designed to secure the critical infrastructure of the North American electric grid.

NERC offers educational resources and training to industry stakeholders to ensure they understand and can implement the reliability and cybersecurity standards effectively. Chevalier stresses the importance of education to the channel.

“It’s essential for integrators to understand the specific cybersecurity standards and regulations applicable to their industry and projects. Adhering to these standards not only helps ensure compliance but also strengthens the overall cybersecurity posture of the systems and services they provide,” he says. “Additionally, staying informed about updates and changes to these standards is crucial to maintaining cybersecurity effectiveness.”

Justin Stearns, vice president of Syracuse, N.Y.-based Chimera Integrations, retells a conversation with a hospital end customer to emphasize the importance of communication and educating the client as a key part to cyber-secured systems.

“I asked the customer, ‘How do you handle your RFID credentials?’ He answered, ‘Well, that’s facility’s responsibility, not IT.’ I said, ‘OK, but there’s a policy right? If you fire an employee, you turn their credential off?’”

Stearns continues, “But those two worlds aren’t talking. And this is the back-and-forth pendulation that is the issue right now — it’s, whose responsibility is it? Is it the MSP, the MSSP or the integrator to talk about best practices as it pertains to cybersecurity, when all of these networks are all communicating through the same internet.”

Chimera Integrations sees an opportunity to assist in defining the scope of work on its projects, increasing its value to end users.

“We’re trying to be forward thinking and trying to help solve those problems and get those facilities directors and the IT directors to speak because it’s all the same thing,” Stearns says. “It’s all the same best practice. But integrators haven’t been educating their customers on best practices for cybersecurity because we’ve been quite ignorant on cybersecurity up until recent years.”

Password Admin & Other Common Pitfalls

Security integrators navigate a complex landscape where the missteps they make can introduce vulnerabilities in the very systems they endeavor to protect. There are common pitfalls to be vigilantly avoided.

For starters, never assume devices are set at the ideal configurations, especially when using multiple manufacturers for cameras, access control, VMS, etc., says Aaron Saks, senior technical marketing and training manager, Hanwha Vision America, Teaneck, N.J.

IIoT and distributed computing
The proliferation of IIoT and distributed computing, coupled with improved connectivity made possible by 5G, is expected to greatly increase the number of network nodes that must be secured in a system. // METAMORWORKS/ISTOCK / GETTY IMAGES PLUS VIA GETTY IMAGES

“Each vendor will have their own best practices, which may not all align perfectly. Don’t assume that just because you have a router and firewall that you are protected,” he says. “Use secure cloud services or VPNs instead of port forwarding for remote access.”

Saks also notes that advanced network intrusion detection systems can determine if activities outside normal behaviors are occurring and provide reporting along with remediation. “Make sure to talk to your insurance company about cybersecurity insurance and mitigation costs. Finally, keep firmware and software versions up to date and replace end-of-life products.”

Dorris of Axis Communications also stresses that keeping firmware and software on devices up-to-date — particularly on networks where large numbers of devices are deployed — is one of the most important things an integrator and end customer can do.

“Unfortunately, at times the ‘if it isn’t broke, don’t fix it’ mentality is used. This means devices can get many revisions behind — even months or years — which only makes the process of updating longer and more difficult when updates are eventually required to operate,” Dorris says. “In most cases, you can’t just update from a really old firmware or software to a new one, as along the way new software subcomponents are added or removed. Keeping to a quarterly or semi-annual schedule is much better.”

Dorris underscores another mistake is not consulting with an end customer on cybersecurity hardening if no direction is provided. “While this doesn’t usually happen in the enterprise space, it can happen both there and in the small and medium business space. In these cases, it’s an opportunity for integrators to differentiate themselves and provide additional value to their customers.”

Peckham of Ollivier Corp. notes that threats are always evolving and the techniques that were used in the past may not work against newer threats. Hence, staff training is something that should be kept up-to-date as the threats change. “Integrators must always be learning and working to stay abreast of recent industry announcements. When discussing opportunities and issues with customers, the cybersecurity aspect of the environment should not be ignored.”

Chevalier of Genetec cites a similar refrain. “Neglecting cybersecurity altogether or not considering it as a significant aspect of the project can be a common pitfall. It’s important to realize the fundamental importance of cybersecurity and make it an integral part of the project from the beginning,” he says.

Chevalier cautions not to fall into the trap of concentrating too much on sophisticated cyber threats and disregarding basic security fundamentals. It’s important to prioritize getting the foundational security measures right before dealing with advanced threats. And never believe that once security measures are implemented, the system remains secure indefinitely.

“Systems integrators should recognize that cybersecurity is an ongoing process that requires continuous monitoring, updates and adaptation to evolving threats. Security should evolve with the threat landscape,” he adds.

Based on the collective opinion of sources interviewed for this story, the mother of all common pitfalls would have to be the application and management of passwords. To suggest that password administration is a royal pain in the backside would be an understatement.

Drako of Eagle Eye Networks illustrates the industry’s lament: “I have to install 100 cameras. Do I put the same password on them? Or do I put 100 different passwords? What do you think the installer is going to do? I have 100 customers where I’ve installed a video management system. My techs have to go out there and work on the systems, but I have 10 techs. Am I going to have 100 different systems with 10 different techs each, and so 1,000 different passwords that I have to track and monitor? Do I have those passwords changed every month or every six months, every year? So, it is complicated.”

“What I’m learning as I’m diving into this world of cybersecurity is that the biggest vulnerability is the human engineering — how easy it is to compromise somebody’s password.”
JUSTIN STEARNS, Chimera Integrations

Chris Maulding, a security engineer and CTO of Plattsburgh, N.Y.-based AlchemyCore, a managed security service provider (MSSP), emphasizes the widespread reuse of passwords on multiple systems. Like Drako, he’s sees this shortcoming all too often.

“One technician sets up 10 fire systems and uses the same password on all of them. Or there’s a corporate specific password that is used as soon as everything is installed, and they forget to change it when they’re onsite or it’s used for backdoor access,” Maulding says. “And those are not typically strong passwords; people don’t want to remember all that. They want something easy, quick, pop it in and be gone. So reusing passwords on multiple clients systems is a huge failing.”

Maulding is partnering with integrators, including Chimera Integrations, to help mitigate, if not solve, the integrator’s password quandary.

“What I’m learning as I’m diving into this world of cybersecurity is that the biggest vulnerability is the human engineering — how easy it is to compromise somebody’s password,” says Stearns.

With the help of AlchemyCore, Chimera Integrations has begun applying a software tool that can run a data leak check instantly on any domain, scanning the dark web and the regular internet. Chimera is leveraging the software in sales presentations, as well as a continuous monitoring tool.

“I was going into a large hospital network to sell them on some of this stuff and I ran their scan before the meeting; within five minutes I had passwords for their C-level executives — the exact passwords, not encrypted at all,” Stearns describes. “[I also had] their credit card numbers for their organization, and the hospital they worked for. It took me five minutes. This is what I’m getting at: the biggest risk right now in cybersecurity is the human element.”

In an effort to button down its own operations, Chimera now provides all of its employees with logins to all of the different systems they install. “I’ve got technicians that have logins to do the programming side of it, which often gives them access to the video. They have security logins, the pins. How do you how do I protect all of those keys?”

Having a policy is step one, Stearns says, but that’s still not enough. Chimera is working with AlchemyCore to build out what is essentially a virtual machine with access only granted via IP verification and dual authentication. The technicians log into the virtual machine and only through it can they access any of the other systems, and only from the right IP address and with two-factor authentication. Technicians have no rights to add or subtract users from any system.

In Stearns’ view, Chimera’s biggest vulnerability to its customers is they control the passwords and the access to the systems they’re installing for remote access.

“That’s the only way I can think of to protect the hundreds or thousands of passwords for different systems and customers,” he says. “One customer has six different systems from us. That’s six different passwords times however many users times however many of my people have it. At least we are securing our touch points.”