Cybersecurity concerns are everywhere. From Target to Home Depot, to the Social Security Administration, to the recent [possibly foreign] hacks of the U.S. Democratic National Committee, it is almost impossible to turn on the news or read a paper without seeing something about cybersecurity.
The documentary “Zero Days,” released in July (and highly recommended as a must-watch by several experts) demonstrated with frightening clarity the speed and breadth of damage cyberattacks can have — thanks to the burgeoning Internet of Things we are all hearing about and striving toward today. But for the security integrator, who is down in the trenches of everyday problems and solutions for making things talk together, much of this discussion on cyber has remained on a higher level and still seemed like a “not us” problem. Not anymore.
As the Target hack showed the HVAC industry, contractors and others in the supply chain — such as physical security integrators — can unwittingly be the weak link that bad actors look for in an enterprise. And unlike other security concerns, cybercrimes cross all types of businesses, from government to the local drycleaner.
“In the past people would talk about cyber as firewalls and all the dark things that happen in data centers,” says Bryan Viau, COO, VTI Security, Burnsville, Minn., featured on this month’s cover. “Now manufacturers and CEOs have woken up and said, ‘These panels and cameras and readers are also portals into our networks.’”
Stephen Fisher, VTI’s director of business development, adds: “We are no longer hanging cameras; we are actually opening doors to the network at our client’s business.”
Even the word “cybersecurity” itself has undergone a revolution of its own in recent years. First used in 1994, Merriam-Webster defines it as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” However, in 2013 the research firm Gartner felt the need to expand this definition: “Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.”
Herb Kelsey, chief architect of Palo Alto, Calif.-based Guardtime, a company specializing in digital integrity for clients such as nuclear labs and other high-profile targets, says the current meaning of the term is less than 10 years old. “The idea of understanding what that network perimeter is, maintaining the integrity of that and monitoring it were best practices that got pulled into the terminology [over time].” What’s more, he warns, with the IoT, “We are about to create a much larger attack surface.”
At the highest levels, people are listening. In June, the European Union published a new directive requiring critical infrastructure to improve cybersecurity. This directive will require suppliers of services such as energy, transport, banking, health or cloud services to achieve minimum standards of cybersecurity. For enterprise-level U.S. integrators, that could have implications for their global clients, and eventually themselves, says William L. Brown Jr., senior engineering manager, regulatory and product security, Tyco Security Products, Westford, Mass. “We have had conversations where the integrator is asking, ‘If I have an installation in Europe and the U.S. and they are all sharing the same physical security data, how do we meet the EU privacy laws?’”
This is just the tip of the iceberg. “The end user is going to definitely ask for it,” says Paul Cronin, senior vice president of the IT services company Atrion, Warwick, R.I., and SDM’s “Today’s Systems Integrator” columnist. (See this month’s column on page 50.) “They will ask the integrator some qualifying questions to make sure what they are implementing fits in. The small company under 100 employees probably won’t ask. At 200 to 3,000 they probably will and the ones above that at the enterprise level won’t just ask — they are going to tell them what they need done.”
While the size of the company asking today may be the largest enterprise, that won’t be the case for long. The Providence Group, Washington, D.C., is a strategic consulting firm that specializes in cybersecurity and enterprise risk management. “There are a lot of needs in what we used to describe 10 years ago as physical and logical security,” says Dan Caprio, co-founder. “We are seeing a lot of clients and companies or industry sectors that have been traditionally only concerned about physical that we are helping to now understand cyber.”
Chicken Little ran around saying the “sky is falling” and nobody believed him. In the case of cybersecurity, those spreading the word may initially have gotten the “deer in the headlights” reaction, but increasingly, organizations from the U.S. government to industry to security organizations, manufacturers, dealers and integrators are listening.
“There is a tremendous amount of noise in our industry,” Fisher says. “There are manufacturers with hardening guides; industry organizations forming groups; the media; and our own IT and IS contacts that have come to us to say ‘How can we work together?’”
This is key, says Scott Sieracki, CEO, Viscount Systems Inc., Vancouver, B.C., Canada. “At a certain point we are going to get pushback from the CIO or IT saying, ‘Sorry, this system can no longer play in our enterprise. Freeze it where it is and you will either have to replace it or upgrade it.’ But the challenge is when that starts to happen, a different type of player may try to fill that space…. It is just a matter of time. Something is going to happen in the near future that will truly cause a point where if you haven’t already prepared yourself you will be standing there without enough business and you can’t play in this space.”
There are three primary drivers for cybersecurity today, says Ross Federgreen, CEO of CSR Professional Services, Jensen Beach, Fla., a company that specializes in data lifecycle management and breach reporting; and none of them have to do with being a “good guy”: 1. Regulations, 2. Others deciding they will or will not play with them, and 3. Insurability. “All of these cut to the core of any company…. Whether the end user wants to do it or not, they have to. And if the integrator doesn’t broach the issue, someone else absolutely will.”
Caprio adds, “The reason for convergence has radically changed. We are under attack and the adversary is winning. We have to be able to protect ourselves. The mistake we have made in physical and in cyber over time is in thinking we could just protect the perimeter and keep the bad guys out; but with the IoT and IP and phishing and malware and botnets, it is the technical and tactical expertise that is very important. You really have to figure out as an integrator how you do this strategically. You can’t protect the castle with a moat anymore. They have figured out how to get over it and we are all being challenged.
“The Target breach is a good example of a company that was considered to be doing best practices. And lo and behold, the breach came through their HVAC operator. What that really points to in terms of physical and cyber is a failure of imagination. In today’s environment you have to plan for those scenarios so you don’t become the next Target.”
THIS IS NOT JUST AN ‘IT’ PROBLEM
As recently as a few years ago, much of the physical security industry still considered cyber to be someone else’s domain, and that attitude still persists today for some. Industry organizations like SIA, PSA, and ASIS have begun to loudly proclaim that this is an “everyone” problem. But it can be hard to see the forest for the trees of daily business concerns, particularly for the bulk of dealers and integrators whose customers have not been pushed themselves to consider cybersecurity — yet.
“The physical security industry hasn’t really understood the threat and they should if they are paying attention,” says Dan Dunkel, vice president of strategic partners, Eagle Eye Networks, Austin, Texas, and member of the cyber advisory board for SIA and PSA. “Every end point attached to an IP network is potentially vulnerable. What our industry has been doing for years is attaching cameras on IP networks without any thought of cyber protection. Hackers are now going after the low-hanging fruit, which is that connection point.”
Dunkel and many others speculate that this has already happened. It is only a matter of time until it makes the news. “The way we silo everything now and connect without any security practices in place, we are asking for a breach,” he says.
“I am not sure there is as much concern over this as there should be,” adds Steven Dillingham, senior director of software and integration, Oncam Grandeye, Billerica, Mass., and chair of the ONVIF Profile Q Working Group (Profile Q covers data encryption). “A lot of these systems are running over IP networks and using these standard protocols and there is a much greater opportunity for those to be disrupted by cyberthreats.”
Yet, integrators have been doing things this way for years without major incident, and customers are more interested in making their business processes work together than they are worried about what happens when they do. This was the mindset Andrew Lanning, co-founder of Integrated Security Technologies, Honolulu, had just two years ago, he says. “In 2014 we attended PSA’s cyber symposium and that got our attention because we didn’t have a lot of awareness, if any, in that space at that point. We weren’t aware of the impact to our company or our people or products we were installing and we took that as a real wake-up call.”
Not only did Lanning start educating himself and his staff about the issue, but he eventually became chairman of the PSA Cybersecurity Committee, advising others on the topic. “I began to study much more deeply what the IT industry had done related to cybersecurity and I realized we as integrators were doing none of those things.”
With customers in the DOD and government space, Lanning’s company was on the forefront of the cybersecurity push. “Business concerns drove me. In 2015 the NSA came out with guidance for the commercial industry that wanted to service the DOD. I met with NSA out here and asked, ‘Will this continue to push down the supply chain?’ and he told me, ‘The writing is on the wall.’
“I am already seeing contract verbiage that requires us to have cyber assurance.... We are included in that supply chain and we are surely a very weak link. It is not paranoia; it is a recognized vulnerability.”
Regulations don’t exist just at the government level. There are regulations for many vertical markets from banking to healthcare to schools, much of them revolving around data privacy. (See chart, page 70.)
“We are heavily involved in the energy industry so we are impacted by the NERC CIP requirements,” Viau says. “Similarly, banking and financial is another heavily regulated [customer block], and we are seeing it both with new opportunities and existing customers. They are asking about size, structure, training, insurance. Do we have a cyber plan? Cyber insurance? These are things we had never heard before that have nothing to do with the work we do. But we have to jump those hurdles to be qualified to even be considered as bidder.”
This is a situation that is going to start happening more and more, says Bill Bozeman, CPP, president and CEO, PSA Security Network, Westminster, Colo. “It is soon going to be true that [integrators] won’t be able to walk into many end users’ facilities without having some cybersecurity strategy to discuss. Even the local donut shop is plugged into the network.”
Bozeman stresses the business case for integrators to be proactive — not reactive — when it comes to cybersecurity. “They actually could probably get by without bringing it up today. However, that is ... about as risky as choosing strategically to save money by forgoing continued education and new technology. That company will go out of business.”
This sentiment is echoed by others, such as Vector Security, Warrendale, Pa. (SDM’s 2015 Dealer of the Year). “When we look across the range, there are quite a few of those customers that won’t know to ask until they have had a breach or problem,” says Steven White, vice president of business development. “In my mind that is not the time to do that. We should be leading this, not waiting for residential and small business to have a breach before we offer them solutions.”
And more and more will start to ask these questions, Federgreen stresses. “The actual regulations that drive this are completely blind to size. There is no mention of employee count or revenue.”
For themselves and their customers, whether large or small, integrators cannot afford to ignore the need to do something about cybersecurity today, Kelsey says. “The stakes are higher. The front page for cybersecurity breaches is not restricted to the Fortune 500. In fact, they can weather that storm better than you.”
BUILDING A CYBER PLAN
For most security dealers and integrators today, the thought of cybersecurity is not only a little scary — it is overwhelming. The most common question to cyber experts and educators is “Where do I start?” Unanimously they agree on the starting point — protect your own “house” first. After that make sure you have enough expertise to at least talk intelligently about cyber to the client, and be able to harden what you are putting on their network to the best of your ability.
“We did a gap analysis with one of our auditing firms and identified areas that we were satisfactory in and ones we weren’t,” says Thom Helisek, vice president, information services group for Vector, of how the company began the process. “It all started with our interest in becoming responsible from a cybersecurity standpoint and putting together a plan to achieve that.”
For VTI it started with insurance — something a particular project required them to have in order to even bid. “We already had disaster recovery plans and business continuity plans but we were never challenged that we were truly protecting data. Quite frankly we went back to our customers and said this insurance is about firewalls and stuff; but they insisted we had to have it. It was quite a task, but at the end of the day it put us at an advantage. It was required of us, but it became a no-brainer.”
PSA has a list of questions that can help integrators determine where they are in cyber-preparedness. In a tiered protection scheme based on government NIST standards there are tiers 1 through 5. Most security integrators are at “Tier Zero,” Lanning says. The PSA framework is loosely based on the NIST Cybersecurity Framework, whose informative references map to hundreds of individual security controls. PSA also looked at guidance from the National Infrastructure Protection Plan (NIPP), the SANS Institute and the Cyber Security Center (CSC) to adapt the best of these resources for physical security providers.
Starting with a Tier Zero playbook, PSA developed a list of questions (see chart, page 60 for examples) to help integrators and dealers understand where they stand. “We have a list of 16 questions that are so basic they are considered Tier Zero,” Lanning explains. “If you can answer yes to all of those, then you are ready for Tier 1.” So far in his presentations, Lanning says, he has yet to find anyone that can answer “yes” to every question.
Checklists are only a beginning. In the case of the PSA list, the self-assessment portion is there to help you understand where to start. But while it is possible to do the actual gap assessments yourself, it is not recommended, Federgreen says. “When we get called in to do an audit, the first thing you hear is the IT director saying they have done a self-assessment and they have it all handled. Immediately we find 5,000 problems.”
After their assessment, VTI was able to get the insurance, and win the job. More importantly, it put them on the path towards cybersecurity, Fisher says. “The insurance was just one piece of the investment we have made. We have a program that defines user names and passwords and how we collect and store them in our database. We make sure we are changing passwords when we are supposed to be.”
Almost everyone has a variation of the same story about doing a self-assessment first — even PSA went through an audit, Bozeman says. “We found a minor issue that we corrected,” he reports.
While most are concerned going into a gap analysis, they generally find weak areas, but also find other areas where they are doing it right. In some cases it is a complete overhaul, but many more just require some tweaking.
IT and physical security distributor Synnex Corp., Greenville, S.C., has partnered with PSA as well as formed independent relationships with integrators that help with cybersecurity issues — including providing free assessments to integrator clients. Bill Black, information consultant, says these assessments have been enlightening in a couple of ways. “We have probably done close to 350 of these free vulnerability assessments for resellers and their end customers. Out of all of those, five have passed [meaning they didn’t need to do any mitigation]. With physical integrators, what I have found is that I would run this against their own network first and a lot of the camera systems were accessible online but they weren’t secured. I could just pull up the video feeds and it didn’t require a username or password and if it did, it was the default. Those resellers said they had no idea it was set up that way. It was a wake-up call.”
Default passwords are a very common weakness, he says. Many of them are overlooked, or even unknown. “Some of these systems have multiple subsystems and you may change one password and not even know the other four exist. But if you open up the manual it will clearly state that to log in the first time, type in ‘admin admin.’”
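The two weaknesses Black describes (video served with no login at all, and subsystems still accepting a factory default after the "main" password was changed) are cheap to check for on your own installed base before a customer's IT department or an auditor does it for you. The script below is an added example written for this article, not a PSA, Synnex or vendor tool. To run offline it stands up a constructed mock device in-process: the paths /video, /admin and /maintenance, the mock's behaviour, and every credential pair except the "admin admin" quoted above are assumptions for the demonstration, not a real vendor list.

```python
"""Sweep IP video devices for open endpoints and factory-default credentials.

Added example for this article (not PSA/Synnex/vendor code). A constructed
mock device stands in for a camera or NVR so the sweep runs offline.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credential pairs to try. "admin"/"admin" is the one quoted in the article;
# the rest are illustrative placeholders, not a vendor default list.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", ""), ("root", "root")]

# Endpoints ("subsystems") a sweep probes. Assumed for the mock; real devices differ.
PROBE_PATHS = ["/video", "/admin", "/maintenance"]


def _basic(user, pwd):
    """Build an HTTP Basic Authorization header for user:pwd."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def probe(host, port, path, headers=None, timeout=3):
    """GET path on the device; return the HTTP status, or None if it won't answer."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers=headers or {})
        status = conn.getresponse().status
        conn.close()
        return status
    except OSError:
        return None


def audit_device(host, port):
    """Return findings for one device as (path, issue, detail) tuples.

    200 with no credentials  -> "no-auth"       (anyone can pull the feed)
    401 then 200 with default -> "default-creds" (factory login still works)
    """
    findings = []
    for path in PROBE_PATHS:
        status = probe(host, port, path)
        if status is None:
            continue
        if status == 200:
            findings.append((path, "no-auth", "served without credentials"))
            continue
        if status == 401:
            for user, pwd in DEFAULT_CREDENTIALS:
                if probe(host, port, path, _basic(user, pwd)) == 200:
                    findings.append((path, "default-creds", f"{user}:{pwd}"))
                    break
    return findings


class MockDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera/NVR with three subsystems.

    /video is open, /admin had its password changed, /maintenance was missed
    (the "you may change one password and not know the other exists" case).
    """
    REALMS = {"/admin": ("admin", "Tq9!vL#2p"), "/maintenance": ("admin", "admin")}

    def do_GET(self):
        if self.path == "/video":
            self._ok()
            return
        expected = self.REALMS.get(self.path)
        if expected is None:
            self.send_response(404)
            self.end_headers()
            return
        if self.headers.get("Authorization") == _basic(*expected)["Authorization"]:
            self._ok()
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def _ok(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep sweep output clean
        pass


def run_mock_audit():
    """Start the mock device on an ephemeral port, audit it, return the findings."""
    server = HTTPServer(("127.0.0.1", 0), MockDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_device("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, issue, detail in run_mock_audit():
        print(f"{path:14} {issue:14} {detail}")
```

Against the mock, the sweep reports /video as open and /maintenance as still accepting admin:admin, while /admin (whose password was changed) is clean; that is exactly the "one subsystem fixed, another forgotten" pattern. To use it for real, call audit_device with each camera or NVR from your own inventory, and only against equipment you own or are contractually authorized to test: trying credentials on a customer's devices without that authorization is the same act an attacker performs.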
Another weakness is possession of sensitive information such as passwords and other customer information and how the integrator handles it. Are the plans to the bank sitting in the integrator’s truck? “At the end of the day it is information we are talking about,” Lanning says. “I may have all the IT addresses or passwords for their equipment or credit card information. That is valuable information for a hacker.”
All dealers and integrators are different and not all of them will be as impacted as others — but everyone will eventually have to do something.
“It’s a cliff for some, a leap for others and a small marathon for most,” Cronin says. “Most of them aren’t even protecting themselves. It is just too far off what they typically think about. They aren’t even conscious of the fact that they aren’t doing it. They are depending on the manufacturer to secure the products and … expecting the IT guys and customer to have implemented the right cybersecurity solutions.”
If it is a marathon for the majority, expect to never cross the finish line, experts add. The line is constantly moving.
“It can’t be a point-in-time effort,” Helisek says. Not only does it require constant training to stay on top of the latest developments, but also a mindset shift in terms of sales and service to the customer.
“Far too often these devices are installed as if they were a toaster,” White says. “You can’t treat these devices this way. You have to have a plan to upgrade software and patch and this is something not all are prepared to support.”
And if the IoT keeps moving in the direction it is headed, even toasters may not be safe. But one thing is for sure, slow and steady wins the race.
“You can’t take it on all at once,” Cronin says. “I like the way we are rolling it out with PSA. First secure your own environment because you are a point of exposure. Then, now that you know that, make sure you have the skills and knowledge to secure your client.”
INCREASING YOUR CYBER IQ
Knowing your own weaknesses is a universal place to start. But figuring out where to go from there is more difficult. This is not like the IP situation where learning to “talk IT” was a critical but very doable step for most integrators.
“Cyber talent is expensive and in short supply,” Dunkel says. “When I hear physical security integrators talking about hiring someone, I think they had better get ready to pay them; otherwise you end up with young talent, work with them for a few years while they get certified, then recruiters get to them and offer them much more money working for cyber companies.”
Cronin says “partner, build, buy” is the best way to approach cyber expertise. “Finding talented cybersecurity professionals is expensive and [difficult]. It is a significant investment…. Don’t think you are going to be able to necessarily handle it organically.”
Cronin recommends starting with your clients and asking them: “Are you working with anyone really good in cybersecurity?” Then ask that company if they are interested in partnering with you.
Cronin, Lanning and others strongly recommend that dealers and integrators look into cybersecurity conferences such as RSA (scheduled for mid-February 2017 in San Francisco) and seek cybersecurity training from organizations such as CompTIA.
“Right now if I were a physical security integrator I would figure out a way to get this PSA framework into your hands and start to get educated on it,” Dunkel adds. “I would go to these trade shows. I am amazed when I go to RSA that very few physical security integrators are at any of these shows. There really should be more of a cross pollination. We are still in this mindset that we are separate and siloed. But no board member in the country can say ‘I had no idea cyber was a problem.’ Not in 2016. That excuse is off the table and it is the same for the integrator. They can’t say ‘I didn’t know.’”
Vector chose to acquire, White says. “Almost three years ago we acquired a managed network services provider. We saw the industry changing and knew we needed to adapt to it. To do it organically was more of an uphill climb.”
Vector’s Helisek adds, “As a company we have taken cybersecurity very seriously; so while we practice those good habits internally, we also extend it out to our product and service offerings both through the security and the managed network side.”
VTI formed a strategic partnership with Secure Set, a cybersecurity university (www.secureset.com), Fisher says. “A couple of our colleagues are going through the program so they can speak intelligently about cyber. We have made investment in education through that partnership.”
Viau adds that in addition to training, the company is also hiring, including those with a higher level cyber IQ, although he acknowledges that there is a price for that. “We are experiencing the need to pay higher wages for people that are far beyond the traditional merit increase because they could be poached by another industry if we are not careful.”
But whether you partner or grow from within, the minimum is to have the same level of “cyber IQ” as you do IT, which is something the security industry has worked hard to gain in the past several years. Even if you don’t plan to become an expert, training is a huge component of being able to “talk cyber” like you talk IT now, Helisek says.
“I don’t think many physical security integrators are well positioned to become cybersecurity experts, even the top flight,” Bozeman says. “It makes more sense to be educated and provide hardened products and to partner with cybersecurity experts.”
Whatever you do, do something, Cronin emphasizes. “You have to be somewhere different a year from now. There is no standing still. It is not Chicken Little, but customers are going to start to ask about this. Your people need to be more astute…. There is a cultural shift that needs to take place, which is one of the hardest things to do.”
But, he adds, the consequences of not doing it are dire. “The more exposed we are and the more action we don’t take, the more we as a country are exposed. I use the analogy of how many people had a Home Depot card. Don’t let this be your client or your employees. Don’t be the next one in the newspaper and be saying ‘Why didn’t I do something as simple as obtain a CompTIA cybersecurity certificate for $150.’”
TAKING IT TO THE CUSTOMER
As next steps become clearer for all it can only benefit the dealers and integrators. The more tools you have in your box, the better you will be able to discuss, prepare, and implement a good cybersecurity plan for your customers. What’s more, it can act as a differentiator for those that have done the steps to become cyber-knowledgeable.
White says his company’s cyber-preparedness has definitely helped with business. “It is absolutely part of the discussion with our customers. It has been extremely helpful, especially when installing devices onto a customer’s primary network when they have requirements that other [integrators] couldn’t meet.”
As the IoT takes hold, cybersecurity is going to become mainstream and integrators need to be prepared. “That is the way the industry is going to go,” says Joseph Holland, vice president of engineering, LifeSafety Power, Mundelein, Ill. “If you can control your home temperature from your cellphone people will want that same capability in every system that they have. Regardless of the fact that for some period of time it will make things more exposed and dangerous, people are going to do it and approach it and have to solve those problems as they come up. It won’t stop anyone from going down that road. But if something does happen they will come back and blame the integrator.”
Viau recommends taking things one step at a time. “Do some benchmarking with PSA or Security-Net or other partners. Find the early adopters and decide whether you want to do that or start taking things piecemeal and create a path. This is not a topic that is going away. Even if you are not able to make large investments in training or insurance, start making smaller changes.”
But don’t delay because things are moving fast, Viscount’s Sieracki adds. “A year ago I would have said recognize the threat. Now I would say make it a strategic part of your company’s DNA. Whether you are going to resell cybersecurity offerings or not (see sidebar, page 58), it needs to be discussed at every board meeting. Not choosing to get this education or understand how it impacts your customer is irresponsible.”
This is important for any company that wants to move forward, say Tom McConnell and David Brinkley, managing directors at Headwaters MB, a Denver-based investment banking firm that specializes in the security industry.
“It is tough to represent yourself as the most forward-looking security integrator if you haven’t already implemented the most robust cybersecurity on your own end,” Brinkley says.
“If I had to paint a picture of an ideal security company I would have the full gamut of an organization’s risk management: access control, video, alarm monitoring, and also be able to protect the data and information we are getting from these systems,” McConnell adds. “That is the holy grail of what a security company should look like if you want to be a market leader. CISOs of enterprise are overwhelmed with these point solutions and data and information and alerts.”
Kirk Nesbit, vice president of design and support services, Synnex Corp., agrees. “I think it can be a somewhat natural play [for physical security integrators]. Given that they are working with the client on a physical security solution, they are trusted in some capacity to take care of the customer’s security. If they can bring up the topic of caring for those devices and showing the concern and knowledge of what it will take to keep the devices they just installed cyber secured, and they show they have credibility and knowledge, then they will get into the conversation.”
Even more than that, Viau says, the security integrator has worked hard to achieve that “trusted adviser” role with the client — a status they stand to lose to someone else if they can’t provide cyber knowledge in some way.
“If we achieve the goal of trusted business partners we are truly at the table and that is what brings us to the forefront of knowing about cyber as a risk. We haven’t really seen our customers panic, but this is the next risk we need to mitigate before it becomes a forest fire.
“What is going to keep you in a position of trusted partner is to say, ‘In addition to all the things you are already doing, I also want to talk about cyber because you may not be aware of it yet. Our responsibility is to keep you informed.’ There you are really showing your value.”
EDITOR’S NOTE: How prepared is your company? Take our online poll: www.SDMmag.com/polls/41-cybersecurity-plan.
6 Steps to Basic Cyber Preparedness
1. Select products/vendors carefully. Vet their commitment to security, support and resiliency.
2. Partner with IT to explore ways existing systems, networks and requirements impact the project.
3. Incorporate network security into system designs.
4. Install and follow manufacturer guidelines and best practices such as eliminating default credentials, using complex passwords and disabling unnecessary services or features.
5. Establish internal, external and ongoing training programs that incorporate cybersecurity.
6. Provide ongoing monitoring, management and update services.
Source: Vector Security
Tier Zero Sample Questions
Answer yes or no to the following questions:
Have you conducted cyber awareness or information security training with your staff in the past three to six months?
Have you conducted anti-phishing or social engineering training with your staff in the past three to six months?
Does your company use data encryption for internal information?
Does your company have a cyber insurance policy?
Does your company use a mobile device management system?
Does your company use a multi-factor authentication physical access control system for premises entry?
Source: PSA Security Network
This is a sampling of PSA’s “Tier Zero” playbook. If you answered no to any of the questions, you are at Tier Zero. The full list of questions and more can be found at www.psasecurity.com/resources/tools.
Cybersecurity Regulations by Vertical Market
Banking – GLBA (Gramm-Leach-Bliley Act)
Law Enforcement/Public Safety – CJI (Criminal Justice Information)
Education – FERPA/CIPA (Family Educational Rights and Privacy Act/Children’s Internet Protection Act)
Any facility that takes credit cards – PCI DSS (a baseline of technical and operational requirements designed to protect cardholder data)
Source: Synnex Corp.
From healthcare to education to almost everyone, there are regulations and laws that impact privacy and cybersecurity and may impact what physical security providers do going forward. These laws are blind to size, revenue or employee count.
While many integrators are struggling to figure out ways to boost RMR, cybersecurity has some ready-made opportunities already available to them to resell.
Keeper Security Inc., Chicago, offers a password manager and digital vault that organizes and secures passwords, for example. “We have a reseller program, strong inside sales teams, support and engineering,” says Darren Guccione, CEO and co-founder. He says there are several different approaches to cybersecurity, from prevention to detection to remediation, and integrators should decide which prong to market.
“This is absolutely the fastest growing segment of the security and IT space,” Guccione says. “With the prevalence of cloud computing and cybersecurity we are going to see massive investment over the next 10 years…. I can’t think of a better fit for a security vendor to come in and sell a cybersecurity solution as part of their business.”
CSR Professional Services offers breach reporting and gap analysis both for integrators to use and resell. “The most logical and least painful way of doing it is to attach a service agreement to an installation agreement, which many do anyway,” says Ross Federgreen, CEO. “As part of that agreement they partner with a company like mine that can provide under a white label relationship some service that we provide. It is too specialized and too complicated to do on their own.”
Synnex also offers third-party auditing and more for their integrators to resell. The distributor also has an in-house Network Operations Center (NOC) that performs breach detection. “Physical security integrators are keenly interested in RMR. This delivers on that,” says Kirk Nesbit at Synnex.
PSA’s Bill Bozeman says his organization is actively working to find opportunities to monetize cyber, but it isn’t easy. “Now that we have pointed them in the right direction concerning products that might be cyber hardened and have a program to provide them with insurance partners, best practices, etc., we are finding the most difficult part is identifying how they can actively participate and make a profit.”
Steven White of Vector Security recommends thinking like an IT buyer to figure out what to offer. “IT mandates that you design a system that can be serviced well and you plan for those costs on the front end. We started with a basic offering around network health monitoring for customers with NVRs or IP cameras who wanted to understand uptime. Now we have true remote network monitoring measuring and monitoring patch levels, responding to outages, being proactive about the way we report information. As those devices become smarter we plan to really expand into the business intelligence space.”
Stephen Fisher of VTI says his company is still looking at how to monetize cyber. “Where there is potential revenue it is a balancing act with the kind of investment it would require. You can’t take a security integrator and make them a fire company overnight. And you can’t become a cyber expert overnight either. We have chosen to partner with the experts. There is opportunity out there but we are still looking into that.”
For the right integrator there is a lot of opportunity in this space, adds Tom McConnell of Headwaters MB, an investment banking firm specializing in the security industry. “If you look at the physical security market for integrators alone, that is certainly growing, but not as quickly as the cybersecurity market…. [The security industry] is a relatively mature industry. In cybersecurity the growth is really off the charts. The most recent numbers I saw was that cybersecurity was at about $75 billion in 2015 and expected to go to $170 billion in 2020.
“It is clearly a robust opportunity. And the market for SMB is really just emerging. If I am a mid-sized integrator it is an almost green field opportunity.”
The Role of Manufacturers
What is the role of the security manufacturer in cybersecurity? Are they hardening their products too? The answer is, of course, yes; but in the physical security space it is not as simple as it might seem.
Dan Dunkel of Eagle Eye Networks says his company is working to provide a product to the integrators that is hardened. “We encrypt our video in the cloud. We want to make the video stream tamper-proof. Nothing is hacker-proof. Then if you change the password at the end point automatically, those are a couple of things you can do to markedly improve your cybersecurity. If integrators can start to sell products with a little bit better security embedded in them, that is a step in the right direction.”
Tyco recently launched a six-part cyber protection program, says Kristy Dunchak, director of product management, integration solutions and programs, Tyco Security Products. “We want to make sure we have development practices in place to make sure we are developing products with cybersecurity mindsets. We have teams in place that are dedicated to that, making sure that a product we release today is secure tomorrow. They are watching for vulnerabilities and notifying customers when there is a concern.”
Dunchak says end users and integrators alike can sign up to be notified when a vulnerability to their product is found so that they can mitigate it, which is particularly critical in an industry where the parts and pieces of an integrated system can range from brand new to 20 years old or more.
“One of the unique things about the physical security industry is our products are built to last, similar to the industrial control side of the world,” Dunchak adds. “How do you handle those types of systems? It is up to us to find a way of patching the system. It is a unique challenge and it comes down to creative engineering.”
Some see this challenge as a liability. Scott Sieracki of Viscount Systems says the security manufacturing industry is somewhat unique in the technology sector.
“So many of these manufacturers have all of their revenue tied to the perfection of a 25-year-old device. You don’t see that in the rest of the enterprise world. Technology has evolved in the IT space every single year by leaps and bounds. Our industry ... seems to be granted a lot more leniency on its necessity to evolve its technology.”
It’s a waiting game, says Joseph Holland of LifeSafety Power. “Manufacturers are waiting to see what happens with regulations and frankly they are not going to put a bunch of money into something they don’t understand or could be the wrong direction once regulatory agencies get their act together.”
Bill Bozeman of PSA says manufacturers are on a similar track to the integrators in terms of awareness and change. “In my opinion the manufacturers now see the threat. They are addressing the challenges and doing a much better job. They were slow to the game, but I do understand why. As one CEO told me [a year or so ago], ‘I am not going to go spend a fortune on all this cybersecurity stuff until I am losing money because of it and right now I am not.’ They are spending that money now. Our key partners are all stepping up.”
For now, this means integrators who are becoming cyber aware need to be careful when selecting products.
“We are very selective about which products we support and their commitment to cybersecurity is a key part of that,” says Steven White of Vector Security. “There are leaders in the space that are doing an excellent job of contributing to that discussion and conforming to standards around updates. But there are many manufacturers that are still trying to answer some of the questions we have talked about today. Not all of them have risen to the challenge.”
Stephen Fisher of VTI Security agrees. “Every time a manufacturer comes into our office we ask them what they have in this regard. Some of them are ahead of the game and others are trying to figure out where they stand on this.”
But Bryan Viau of VTI adds that he is optimistic that manufacturers are at least on the right track. “The manufacturers are getting smart very fast. We have seen how quickly manufacturers are changing their training protocols on how to harden devices. Many are reacting at the appropriate pace.”
Q&A With Bill Bozeman of PSA
SDM spoke recently with Bill Bozeman, CPP, president and CEO of PSA Security Network. Bozeman has been an outspoken and determined spokesperson for the need for physical security integrators to learn about cybersecurity.
SDM: How has the attitude of your integrators changed over the past few years since you began talking about cybersecurity?
Bozeman: There has been a real big swing in attitude. When we started this some three years ago, approximately, it was like I just scratched my head and said why am I even doing this? There was no interest or cooperation from integrators or the vendors. It was very frustrating. I knew this was something we had to be all over. The good news is that has really changed. We no longer even bother having pitches to our community about the importance of cybersecurity. It isn’t even necessary.
SDM: Where does the industry stand now in terms of preparedness, in your opinion?
Bozeman: Our integrator community is 100 percent on board understanding the risks and challenges. Do they all have plans? I didn’t say that. They all recognize it. Most of our key manufacturers are working hard to improve the situation as well.
Our objective is to educate our community as efficiently as we can about the risk and opportunities and how they can protect themselves, whether it be with proper insurance or using products that have been vetted.
SDM: Do you see cybersecurity as an opportunity for integrators?
Bozeman: I really believe this is a game changer, just like when we went from tape to digital or coax to Cat 6 and analog to IP. This is one of those opportunities or challenges. Watch that movie “Zero Days.” Those who choose to turn away, what an amazing loss that is.
[Our playbooks] are sitting there waiting for you to use. You do not have to be PSA members to take advantage of this. We believe this is such an important thing, our education is open to all and we think that serves the entire industry.
While a cybersecurity plan for your company and your clients is the best first step you can take right now, the industry as a whole is facing a much longer and harder transition toward the merging of network and physical security. From day-to-day systems that sit on the customer’s network to IoT-type projects, all the trends point to a merging of physical and cyber, something that almost no one is truly prepared for (not even IT departments and integrators).
As a whole the industry is working on things and looking to the next steps in the climb to cyber awareness.
PSA’s Maturity Tier Zero is now complete and available for members and non-members. The organization plans to present guidance on Tiers 1 and 2 of its framework this fall and complete all 5 by the end of the year, Lanning says. “This is a work in progress. The first layer, for example, asks about your policies. Having the tool is one thing but people need guidance on how to come up with the policy.” The full maturity path presentation will be delivered in sessions at PSA TEC 2017.
The goal is to organize several existing guidelines with the security market in mind, so that integrators will know which piece of the cybersecurity framework they are implementing, he says. “There isn’t a one-size-fits-all. The work our committee does is to help the integrator respond and move up [to their appropriate tier]. Some of them that work with NERC CIP will probably aspire to get all the way to maturity level 5.”
ONVIF’s Profile Q, released this summer, is aimed at the encryption side, Dillingham says. “This is very different than our other profiles. All the others deal with a specific feature set. Profile Q is device-centric of the IP device itself. There are requirements about what state it is in out of the box so that when you put it on the network you know what that device will do.” For example, a conforming video camera may not be able to stream in factory-default mode, he explains.
UL, Northbrook, Ill., recently launched a Cybersecurity Assurance Program (UL CAP), says Ken Modeste, cybersecurity technical leader. “We started the program about three to four years ago by looking at how to help clients like typical manufacturers or vendors address the cybersecurity risk. Beginning last year the Department of Homeland Security and the White House reached out to us to develop a voluntary program to help shore up cybersecurity.”
From this the UL 2900 series was born to assess software from manufacturers as well as provide larger integrators with a baseline of how well a manufacturer is addressing cybersecurity within the supply chain. Beginning last spring, UL expanded the program to include process evaluation, and the final piece will be doing an assessment of installation.
The end result, the organization hopes, will be to provide integrators with a UL listing not unlike a UL-certified central station — a highly regarded measure of high standards and excellent processes and procedures.
Dillingham stresses that the goal is for these certifications to involve a lot of what many are already doing as common practice. It just needs to be organized and certified.
“As they start working more with organizations, those clients will start to say more and more, ‘I see you as a very important part of my organization,’ and our goal is to help the industry respond to those clients in an effective way. There is no magic bullet that will solve cybersecurity, but if you have the foundational steps you can make it harder for bad actors to infiltrate. Organizations traditionally have been turning to IT for that but looking at physical products from the integrator. This gives those integrators the opportunity to offer a larger value to their customer.”
Lessons Learned in Providing Cybersecurity to Critical Infrastructures
Wurldtech, a company specializing in cybersecurity for operational technology, sees many parallels between that world and the world of physical security — and many lessons to be learned. The following essay, contributed to SDM by Wurldtech’s Tom Le, explores some of those parallels as well as the differences, and how cybersecurity is approached as a result of them.
Many organizations have not prepared adequately for critical infrastructure and operational technology (OT) risks. Most of these companies understand Information Technology (IT) security, which protects data, but lack a clear understanding of shielding high-value, well-defined industrial processes. These processes execute across a mix of proprietary devices from many different manufacturers. Cyberattacks on oil and gas, utility, healthcare and transportation infrastructures can result in significant downtime and productivity loss. OT cyberattacks can also put human safety and the local environment at risk when industrial assets fail unpredictably. Ignoring the security of the OT side of the business and concentrating only on the IT side can be perilous.
These organizations need to be taught the differences between IT and OT cybersecurity. For instance, factory production systems, refineries, medical systems and transportation networks utilize communication protocols and network architectures not often shared with IT systems and require different security tools that are purpose-built to operate on those protocols and architectures. Many of the industrial control systems (ICS) and software used in operational environments are between 10 and 30 years old. These assets were not originally designed to be connected, are infrequently patched and were not devised to withstand modern cyberattacks. Surprisingly, many operators have no visibility of what is actually transpiring on their OT network and, even if hacked, have no knowledge of the assault.
Because many security professionals don’t understand the Industrial Internet’s role in today’s chase for increased productivity, they don’t understand the threat. “Intruders can’t get into my critical infrastructure to create havoc because my industrial network is air-gapped” is a common, incorrect belief. This is a legacy technique that too many professionals still rely upon. They believe that their industrial networks are truly and physically isolated from unsecured networks such as the public Internet, business partner networks, or unsecured local area networks. They don’t appreciate that air-gapping, which may have been somewhat useful several years ago, is no longer effective in an interconnected and mobile digital industrial world.
The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system; many organizations don’t have the infrastructure for qualifying patches to ensure patching will not add any operational risk to system availability. In addition, maintenance periods for industrial assets are infrequent, where some equipment may run for years between planned downtime. Organizations, therefore, have to depend on their vendors to test and ensure new patches will not impact control of their processes.
Secondly, many of the security controls that are effective in IT are not effective in OT; they have to be adapted to the technical requirements of OT systems. For example, shutting down or rebooting an OT system in response to a cyber event is often not possible because production availability is a higher priority than protection of data. The only solution to address this industrial patch and vulnerability lifecycle is to install patches virtually, while the system is running, by using a security solution that resides in-line in the network directly in front of the control system.
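The two OT points made above, lack of visibility into what is actually happening on the control network and the idea of an in-line "virtual patch" that blocks a risky request in front of a controller that cannot be patched until its next maintenance window, can be illustrated with a small script. This is an added example, not Wurldtech's or any vendor's code: the frame format (`src=… dst=… func=… addr=…`), the device names, the function-code numbering, the policy table and the virtual-patch rule are all constructed for illustration.

```python
"""Added example: a toy in-line OT policy filter with 'virtual patch' rules.

Everything here is constructed for illustration: the frame format, the device
names, the function-code numbering and the policy are hypothetical, not any
vendor's protocol or product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str   # requesting host
    dst: str   # controller being addressed
    func: int  # function code (constructed numbering: 3 = read, 6 = write)
    addr: int  # starting register address


# Allowlist per (source, controller) pair: which functions and register range
# a host may use. Anything not listed is blocked (default deny).
POLICY = {
    ("hmi-01", "plc-01"):    {"funcs": {3, 6}, "addrs": range(0, 100)},
    ("historian", "plc-01"): {"funcs": {3},    "addrs": range(0, 1000)},
}

# 'Virtual patches': narrow block rules placed in front of a controller until
# its firmware can be updated at the next maintenance window. The rule below is
# hypothetical: it blocks writes (func 6) to registers 90-99 on plc-01.
VIRTUAL_PATCHES = [
    {"id": "vp-0001 (hypothetical)", "dst": "plc-01", "func": 6, "addrs": range(90, 100)},
]


def parse_frame(line: str) -> Frame:
    """Parse one constructed log line such as 'src=hmi-01 dst=plc-01 func=3 addr=10'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Frame(kv["src"], kv["dst"], int(kv["func"]), int(kv["addr"]))


def decide(frame: Frame) -> tuple:
    """Return ('ALLOW' | 'BLOCK', reason). Virtual patches are checked first so
    they override an otherwise-permitted request."""
    for vp in VIRTUAL_PATCHES:
        if frame.dst == vp["dst"] and frame.func == vp["func"] and frame.addr in vp["addrs"]:
            return "BLOCK", f"virtual patch {vp['id']}"
    rule = POLICY.get((frame.src, frame.dst))
    if rule is None:
        return "BLOCK", "no policy for this source/controller pair"
    if frame.func not in rule["funcs"]:
        return "BLOCK", f"function {frame.func} not permitted for {frame.src}"
    if frame.addr not in rule["addrs"]:
        return "BLOCK", f"register {frame.addr} outside permitted range"
    return "ALLOW", "matches policy"


def inventory(frames) -> dict:
    """Passive asset view: which hosts talk to each controller, and with what
    functions. This is the 'visibility' an operator needs even before any rule
    is written."""
    seen = {}
    for f in frames:
        seen.setdefault(f.dst, set()).add((f.src, f.func))
    return seen


# Constructed traffic sample, one frame per line.
SAMPLE_LOG = """\
src=hmi-01 dst=plc-01 func=3 addr=10
src=hmi-01 dst=plc-01 func=6 addr=42
src=historian dst=plc-01 func=6 addr=5
src=laptop-7 dst=plc-01 func=6 addr=0
src=hmi-01 dst=plc-01 func=6 addr=95
src=hmi-01 dst=plc-01 func=8 addr=0
"""


def run(log: str = SAMPLE_LOG) -> list:
    """Filter every frame in the log; returns a list of (frame, verdict, reason)."""
    frames = [parse_frame(line) for line in log.strip().splitlines()]
    return [(f, *decide(f)) for f in frames]


if __name__ == "__main__":
    for frame, verdict, reason in run():
        print(f"{verdict:5} {frame.src:>9} -> {frame.dst} func={frame.func} addr={frame.addr}: {reason}")
    frames = [parse_frame(line) for line in SAMPLE_LOG.strip().splitlines()]
    for ctrl, peers in inventory(frames).items():
        print(ctrl, sorted(peers))
```

On the constructed sample, the first two frames pass, the historian's write and the unknown laptop's write are blocked by the default-deny policy, the HMI's write to register 95 is blocked by the virtual patch even though the pair policy would have allowed it, and the unlisted function code 8 is blocked. The inventory shows the laptop talking to the controller, which is exactly the kind of thing the essay says operators often cannot see.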
Lastly, the people component of security cannot be ignored. Management needs to assure that the security experts they hire are highly certified and trained to carefully assess, design and implement OT security in their industry environments. If the goal is to help secure operational assets, reduce compliance penalties and enforce supplier security, they need such expertise. — Contributed by Tom Le, vice president-engineering, Wurldtech, part of GE Digital
‘We are no longer hanging cameras; we are actually opening doors to the network at our client’s business.’ — Stephen Fisher, VTI
‘The way we silo everything now and connect without any security practices in place, we are asking for a breach.’ — Dan Dunkel, Eagle Eye Networks
‘We are very selective about which products we support and their commitment to cybersecurity is a key part of that.’ — Steven White, Vector Security
‘It’s a cliff for some, a leap for others and a small marathon for most.’ — Paul Cronin, Atrion
‘I began to study much more deeply what the IT industry had done related to cybersecurity products and services and I realized we as integrators were doing none of those things.’ — Andrew Lanning, Integrated Security Technology