In a constantly evolving cyber-physical security landscape, the security industry, and security integrators in particular, need to prioritize strong cybersecurity and cyber-readiness practices. In this month’s column, the Security Industry Association (SIA) spoke with experts Jim Cooper, chief technology officer at Integrated Security & Communications, and Josh Cummings, executive vice president, technology, at Paladin Technologies — contributors to SIA’s Security Industry Cybersecurity Certification (SICC) program, SICC credential holders and instructors in SIA’s SICC Review Course – to learn about the changing threat landscape and how integrators and the industry at large can improve.
In terms of the threats and attacks you’ve seen lately, what’s new and what’s changing for people protecting the cybersecurity of physical security systems?
Cooper: I think the biggest threat for physical security systems integrators is that the systems are no longer on an isolated network, or a black box system that nobody has any information about. In the past, a lot of cybersecurity was “security through obscurity” where integrators and manufacturers would try and use nonstandard ports, operate closed source systems, omit crucial steps like vulnerability assessments and ignore the larger cybersecurity threat landscape. The reality is there are a lot of individuals and teams now specifically targeting physical security systems, attacking everything from the card through the reader, panel, network and head end software. There are quite a few videos on YouTube showing detailed attacks and hacks against physical security systems. Tools like Flipper Zero add a gamification element to RFID hacking, making it easy to get into card cloning and fuzzing. Integrators need to design and install every system like it is going to be attacked as soon as the van pulls out of the parking lot.
Cummings: We have to be constantly on our guard. We have seen exploitation of password managers, firmware vulnerabilities and misconfiguration of products, which have all made the news recently in the area of cybersecurity. Cyber is not a box you check, but rather a mindset and a posture that you have to continually work at. It’s a partnership between the integrator, the manufacturer and the customer to deploy, maintain and operate these systems in a secure manner. We also have to realize that there are always going to be new vulnerabilities, and we have to identify them and address them quickly and efficiently. To be able to do that, we have to change from a break-fix mentality to a regular, programmatic approach to managing these systems.
You’re both integrators on the front lines of physical security and cybersecurity. What are the top challenges you’re facing? Where can we improve as an industry?
Cummings: We’ve got to continue to mature as an industry when it comes to cyber. That means we need to replace technology when we can no longer secure it, and we need to focus on secure configurations of the products we sell and deploy. We saw that with the session at Black Hat last year highlighting the vulnerabilities of SIA Open Supervised Device Protocol (OSDP) when not configured properly. We also need to invest in training our people on cybersecurity and how to securely deploy technology. (SIA note: Josh’s comments underscore the importance of implementing OSDP properly. See SIA’s guidance here.)
Cooper: The biggest challenge for the industry is recognizing we are WAY behind on cybersecurity and hardening when compared to a “traditional” IT environment. We are being required to follow customer cybersecurity policies and procedures, rightfully so, and any cybersecurity issues or potential vulnerabilities are being given a lot more attention. As integrators, we need to comply with customer third-party risk assessments, which include not only our internal infrastructure and edge computing devices (tech laptops), but also assessments on the products that we are installing. Customer information security departments can refuse to allow unvetted products on their networks or allow integrators with poor security posture to perform projects. Having a clear understanding of the potential risks an unsecured system can pose to a customer’s network infrastructure, as well as how to mitigate those risks and communicate with the information security team, will be critical to move the industry forward. Also, do your updates! Windows updates on servers and workstations and firmware updates on edge devices are all critical to maintaining the security and stability of a system.
SIA’s next SICC Review Course will be held April 9 during ISC West 2024; learn more about the course and register here.