Cyber Reality: How the Security Industry Is Adjusting to the New Normal
Gone are the days when cybersecurity was someone else’s problem. With savvy and tenacious hackers who can use almost anything connected to a network to access systems, and evolving and seemingly implacable threats, just where does the security industry stand on the cyber preparedness spectrum?
Cybersecurity is a topic on everyone’s mind. Right now it seems there are more questions than answers, but one thing is certain: the issue is here to stay — cyberthreats are the new normal.
As with most new threats, ignorance and fear can lead to decisions that hindsight reveals were foolish or unhelpful; the case of Ryan White comes to mind. White was diagnosed with AIDS in 1984 after receiving tainted blood in a transfusion. At the time, public understanding of the disease was almost nonexistent; teachers and parents rallied against allowing the 13-year-old to resume attending school, even though doctors said he posed no threat to other students. More than 30 years later, it seems hard to imagine a time when AIDS didn’t exist. However, understanding of the disease has improved dramatically, as have education and methods of preventing the spread of the disease.
While it seems hard to overstate the threats associated with cybersecurity, 30 years from now it will no doubt seem hard to imagine a time when cybersecurity wasn’t a normal part of life in the security industry — or in any industry, for that matter. By then, plans will be in place; prevention will be down to a science; and, hopefully, we will have found a way to at least effectively manage it. But it will always be here.
It is imperative that we get cybersecurity right even now, however. It seems a new story breaks almost daily about the latest breach, revealing the necessity of addressing the problem, managing it and preventing it. The good news is that as public awareness increases, more people are becoming educated about what they should be doing, or at least are asking what they should do.
The security industry’s foray into cybersecurity may be in its infancy, but in this zero-sum game, it is essential to start out with a head full of knowledge and both feet running.
AWARENESS ISN’T PREPAREDNESS
So where does the industry stand now? Well, although awareness is rising, and things seem to be moving in the right direction, we are nowhere near where we need to be. The industry in general has a long way to go, says Jeffrey Barkley, product manager, security products building technologies & solutions, Johnson Controls, Milwaukee. “We’ve talked to a number of integrators and a number of end users over the past year about cybersecurity specifically, and I would say that people are not as knowledgeable as they need to be; people are not doing some of the due diligence from a configuration and installation viewpoint; manufacturers are realizing that despite their efforts, there is still more they need to do on their end. Right now as an entire industry, we’re not all there.”
While there is still a great lack of understanding about the importance of cybersecurity, Bud Broomhead, CEO, Viakoo, Mountain View, Calif., says, there is less ignorance every day. “Not only is cybersecurity in the news frequently,” he says, “but end users now have more compliance and audit requirements on their physical security systems to address cybersecurity.”
The awareness that constant media coverage raises is a good start, says Dave Mayne, vice president of marketing, Resolution Products Inc., Hudson, Wis., but this high degree of awareness doesn’t necessarily translate into an understanding of what prevents a vulnerability or risk to any system. “People know devices can be hacked but don’t know how they can help minimize risk,” Mayne says.
There are other factors driving awareness as well. “As the scope of cybersecurity has broadened to a much larger portfolio of technology,” says Brad Hedgepeth, manager of technical services at G4S Secure Integration, Jupiter, Fla., “manufacturers are continuously addressing and notifying users of vulnerabilities in all types of security panels and everyday network appliances.” His comment explains part of the manufacturer’s role in raising awareness.
“End users are more and more aware of the importance of cybersecurity,” says Mathieu Chevalier, security architect, Genetec, Montreal, Canada. “We see more requests for proposals with cyber-related topics. I think the Mirai Botnet attack that hit last year (the botnet that enslaved an army of IP cameras) was kind of a wakeup call for a lot of people. Cybersecurity is frequently in the news, so end users are becoming aware of the importance and consequences of these issues.”
If the wisdom from 1980s G.I. Joe cartoons holds true and “knowing is half the battle,” then this is a good start, but with lots left to do. And as is the case with most threats, unless the risk is seen as a direct and catastrophic threat to a business, many fail to take steps to prevent a breach.
THE DATA-CRITICAL/NON-CRITICAL DISCONNECT
Ultimately, the biggest drivers of adoption of good cyber practices will be return on investment and risk mitigation. Companies are not going to invest heavily in cybersecurity unless it is profitable to do so, meaning good cyber practices either bring in more revenue or help their companies run more efficiently, says Vince Ricco, technology partner manager for North America, Axis Communications, Chelmsford, Mass. Failing that, they will need to see it as a necessary mitigation of imminent risks or liability.
“In many aspects,” Ricco says, “we are maybe just past the awareness phase over the past couple of years and moving into the understanding phase. There are, of course, entities with greater understanding and practical experience today.”
Those entities Ricco is referring to are the organizations that, because of the nature of their business, are forced to maintain the highest cybersecurity standards.
But is any one of the players responsible for taking the lead?
“We see the greatest participation [in cybersecurity] from people whose network is one of their key business processes,” Barkley says. “The interruption would be devastating to them — that’s the group we see pay the most attention to it, where there is the greatest collaboration between the IT team and the physical security team.”
Jeremy Brecher, CTO, Securitas Electronic Security, Parsippany, N.J., explains, “A bank has the money; they have information; they are staples of our economy in the U.S., so people want to destroy banks, steal from banks, and get information from banks. It’s so big, so massive, and so many different players will go after it — it forces them to pay attention to all the little details.”
End users fall into a couple of general categories, says Kristy Dunchak, director of product management, security products video and strategic programs building technologies & solutions, Johnson Controls. “We had customers where the network was critical to their operations, and those customers seemed to be much more knowledgeable of and care about cybersecurity. The second was really everyone else who maybe had the mindset that it probably won’t happen to me, and I don’t need to be concerned about it.”
More than just whether a company sees the importance of securing its network, the particular risks an end user has will also determine its attitudes toward cybersecurity. Barkley describes cybersecurity as “what highly specialized teams in the IT group who are responsible for information are worried about. So what they’re worried about is the confidentiality, the integrity, the availability of data and systems. How to protect all of those things becomes very much a risk management issue, and so different companies have different issues.”
As general awareness rises, and the daily flow of media coverage about the latest breaches drives knowledge, regulations are sure to follow. Dunchak believes those regulations will help spread cybersecurity action to all verticals rather than just those that see it as critical. “Regulations are coming out that are requiring customers to put processes in place, and hopefully some more of those will drive the need in different verticals, and then that will hopefully help push the end user to set up their system so that it is cybersecure.”
Even for those who don’t see a cybersecure network as critical to their operation or who don’t face regulations, liability ought to give everyone pause, says Thomas Lienhard, director of business development, Artery Lock Security Integration, Reading, Mass. “There’s now the threat of litigation; if you screw up somebody’s security camera by having a power supply that fails, you pop a fuse when your coaxial goes down. But when you plug into someone’s network and that camera becomes an exploit portal for a denial of service attack, you’re on the hook. I don’t care what you signed; I don’t care about your terms of service agreement, what your maintenance contract says — if you designed it poorly, you’re on the hook.”
Lienhard says he believes attitudes have changed because liability is being enforced.
WHO SHOULD BE TAKING THE REINS?
Of the three major players in the security industry — manufacturers, dealers and integrators, and end users — everyone has a role to play in mitigating cybersecurity risks. Sean Murphy, regional marketing manager, Bosch Security Systems Inc., Fairport, N.Y., describes the roles like this: “As a manufacturer, we do our best to offer products that give dealers and integrators a set of smart tools to offer the system a robust level of protection. Those integrators and dealers that can adapt to the rapid pace have a significant opportunity to create extra value to the end users. They are in a unique position to offer initial planning and recurring support for the end user. End users play a big role here as well. This has to be a system-level approach. Would-be attackers are looking for the weakest spot to target.”
For many of the reasons already mentioned (especially return on investment), an integrator cannot singlehandedly take the lead. Brecher explains, “If I’m an integrator and I go to my customer and say, ‘I’m going to give you a differentiator. I am going to check your cameras every month and update them, update the firmware for vulnerabilities. I’m also going to run all the right security scans on your equipment; I’m going to certify all my technicians on cybersecurity practices — not only that, but I’m going to give all your cameras different passwords; I’m going to do all that for you.’
“And [the end users] say, ‘That sounds great, but I’m going to pay you only what I’m paying you today.’
“Now I’m going to say I can’t do that for free because my competitors aren’t doing that, and you’re not asking me to do it.”
For that reason, says Brecher, “if the requirement comes from the buyer, the customer, then people will be forced to elevate their training, their skillsets, their people — what they do.”
In essence, he says, a smart consumer will ultimately drive it.
Dean Drako, CEO, Eagle Eye Networks, Austin, Texas, also does not see the dealer as the main driver. “It really falls on the manufacturer and the knowledgeable end user to own the threat. Dealers in the IT space have never been expected to own this threat, so it seems unlikely that dealers in physical security will.”
Drako says that security systems and connected devices are not more cybersecure. “Many are still made and designed in different countries around the world. The focus is on price, not on cyber or software quality. Very little has improved here. Even the best vendors (still) do not provide adequate firmware updates, alerts or messaging around cyber vulnerabilities.”
This all points back to a market that will be driven and steered by an educated end user.
Paul Kong, technical director, Hanwha Techwin America, Ridgefield, N.J., seems to verify this when he says, “End users tend to be reluctant to buy products from manufacturers whose products have been compromised through recent vulnerability incidents. It is clear that there is a growing awareness of the importance of security for products handling personal information.”
“Even if [cybersecurity] is OK today, you need to look at it tomorrow,” Barkley says. “That’s why the end user is really one of the important people in this, because at the end of the day, they have a system. And whether or not the integrator continues to service that system is a choice [the end user] can make, but they’re the one who defines their needs.”
That’s not to say the integrator doesn’t have an active role and shouldn’t be helping guide and educate. “It’s a collaboration,” Barkley says. “The integrator could be watching the industry landscape and say, ‘Hey, there’s all this new malware out,’ and have conversations with the end user about possibly changing things, but at the same time, the end user needs to say, ‘We’re now storing massive amounts of data on these systems, and we need to make sure that that is properly protected and secure with confidentiality, so we need to do things differently than we did yesterday.’”
So while the end user will really have to be the main driver, a close working relationship fueled by constant communication between the end user and the integrator will be fundamental.
This collaboration between all parties is a theme for industry cyber preparedness. “It’s not one-and-done; it’s never ending,” Dunchak says. “You have to keep up your systems and watch for vulnerabilities. It is just one of the things that companies are going to have to continuously invest in. It’s a moving target.”
PREPARING TO PREPARE
Cyber awareness is certainly there, but what steps can an integrator or end user take to be proactive?
Part of that, Dunchak says, is ensuring that customers understand the depth of what they need to know about cybersecurity. “We try to educate our customers so they know that cybersecurity is important. We can’t just give them one document or checklist; they need to understand what cybersecurity is as a whole so they can ask the right questions.”
Integrators have many opportunities to educate themselves, Lienhard says. “Security industry professionals can go to factories; manufacturers offer that training. If it’s a few hundred dollars or if it’s free, get to a training class.
“We go to Axis training,” Lienhard says. “We hang all of the cameras, we do the wiring and the infrastructure stuff over at the Axis Communications center over in Chelmsford because they’re around the corner.”
Lienhard says if dealers and integrators can’t afford factory training, many manufacturers offer YouTube and online videos.
“And even if that is not sponsored by a manufacturer,” he says, “some guy with his webcam or some guy with a camera on a tripod is willing to give you his knowledge because he wants a little bit of feel good or a little bit of fame as a YouTube expert.
“There’s more than enough training available; you’ve just got to take the time to do it.”
There is also a need for dealers and integrators to partner with IT to combat direct attacks coming from inside the data center or on the corporate network, says Stuart Tucker, vice president – enterprise solutions, AMAG Technology, Torrance, Calif. “The security dealers need to be aware of cyberthreats and remediation tactics and to partner with the IT folks to protect against direct internal attacks through better physical security and practices.”
It is a war that no one has ever completely won or lost, Kong says. “The bad guys will always attempt to find ways to exploit vulnerabilities and the industry will continue to make various technological developments and secure our devices through awareness and a stronger understanding of the potential vulnerabilities of networked devices.”
Drako agrees: “There is no real winner in this war. Neither side is particularly organized. Calling it a war is not really accurate. It’s more like a free-for-all. Some will get hurt and some will steal some money. There are not really sides.”
It is doubtful the landscape will look so much like a free-for-all in 30 years — or even in five. By then, roles will be established and anyone in the security industry, along with consumers, will understand the necessity of being educated and taking steps to shore up their systems the best they can with the technology available.
Until then, we’ve got our work cut out for us.