The Security Industry’s Cyber Problem

There was once a time when physical security professionals didn’t have to consider cyber vulnerabilities. Now, cybersecurity should be top-of-mind for everyone in the supply chain.

Fifteen years ago, cybersecurity wasn’t much of a thought for many in the physical security industry. Security systems were relatively simple — the integrator installed them as quickly as possible and moved onto the next job. But now that security technologies are advancing and everything is connected, cybersecurity should be a consideration for everyone.

“Cybersecurity and physical security are intrinsically connected,” says Jon Williamson, director, cyber experience, global product security, Johnson Controls, Milwaukee. “The convergence has been happening for years, and failure within one area can impact the other. Now more than ever the world is experiencing security threats both cyber and physical, which have been exacerbated by the current world pandemic.”

According to the FBI’s 2020 Internet Crime Report, their Internet Crime Complaint Center received a record number of complaints of breaches in 2020 — nearly 800,000, with reported losses in excess of $4.1 billion. This is nearly double the average number of reports the center receives in a year.

“The question isn’t if cybersecurity will impact your business,” says Josh Cummings, vice president of technology at VTI Security, Burnsville, Minn. “The question is when cybersecurity will impact your business, and will you be ready for it? Cybersecurity and physical security will continue to move closer together until you cannot distinguish them — similar to how IP and physical security are now intertwined.”

The U.S. Cybersecurity & Infrastructure Security Agency released a report on the convergence of cyber and physical security this year that pointed to the growing risk physical security products pose. The report reads, “The adoption and integration of IoT and industrial IoT devices have led to an increasingly interconnected mesh of cyber-physical systems, which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape.”

It’s important to remember that physical security devices are network devices and must be protected like any other network device, says Wayne Dorris, business development manager, cybersecurity, Axis Communications, Chelmsford, Mass.

“Many times cybersecurity for physical devices is overlooked by the end customer internally, often due to organizational or ownership issues between physical security and IT security,” Dorris explains. “Additionally, from an external standpoint, integrators are sometimes not comfortable bringing up this subject due to lack of expertise in this area. In short, the physical security industry needs to better train the channel on cybersecurity in order to engage in these crucial discussions, which are necessary to put cybersecurity protections in place before an incident occurs.”

Training and education on cyber issues has improved recently, says Mathieu Chevalier, lead security architect at Genetec, Montreal — but it’s still far from enough.

“The industry has improved if we compare the current state [to] where it was five years ago,” Chevalier says. “However, the industry is still lagging far behind in terms of cyber compared to other high-tech industries. From an outsider’s point of view, the physical security industry might be perceived as shockingly immature in that respect.”

The past year, especially, has done a great deal to raise awareness of cyber risks, Dorris adds. “Several significant events have raised awareness and changed behaviors around cybersecurity. First, COVID-19 forced customers to change the way they remotely manage the protection of their facilities. Also, several front page news stories about major cyber breaches have encouraged everyone to reevaluate their security supply chain. Finally, enforcement of laws, like Section 889 of the National Defense Authorization Act (NDAA), has brought to light the importance of how and where products are manufactured and produced.”

What’s the Problem?

Why exactly is the physical security industry struggling so hard with cybersecurity? There are a few reasons, but the core of many of them is the separation of IT and security.

“Physical security devices are network devices and thus must be protected like any other network device,” Dorris says.

When deploying IP security systems on an IT network, there are precautions that need to be taken, explains Michael Ruddo, chief strategy officer of Integrated Security Technologies in Herndon, Va., featured on this month’s cover.

“Today’s physical security systems are connected to an IT network, making cybersecurity a foundational element of any on-site security protocol,” Ruddo says. “There are specific ways to deploy IP security systems on an IT network, and it has to be done within the security protocols of the IT network itself. At the same time, businesses need to harden their hardware security to maintain the security system’s integrity.”

When not deployed properly, security systems can be a dangerous gateway into a company’s network, as hackers only need a single access point to instigate a cybersecurity incident.

“Currently a majority of physical security devices are considered edge devices,” says David Brent, senior cyber and data security technical trainer, Bosch Security and Safety Systems, Fairport, N.Y. “In a majority of cases, security devices are based on an open Linux Kernel and are typically an afterthought by some IT departments. The current estimated number of IoT devices on the web is estimated at 39.5 billion and is expected to double in the next five years.”

As the number of IoT, or edge devices, increases, so will the attacks on those devices, Brent says. And while video is often seen as the biggest cyber risk in the physical security system, it’s not the only risk.

“We’ve heard a lot about video cameras being an entry point for potential hackers, but other IoT devices such as access control devices and other sensors can also present the same level of risk,” Chevalier says. “Access control systems must have a strong cyber defense or companies could be opening themselves up to increased cyber risk — and more worryingly, to actual physical threats of doors being opened or locked without their permission.”

This is why it’s important to look at the whole security system when considering cyber risks.

“Misconfiguration and not designing the installation as a whole system for protection against attack are a few challenges faced by the industry,” Williamson says.

“While a datasheet could list some important safeguards, such as encryption, those alone may be insufficient without proper application. Integrators must deploy according to hardening guide recommendations to only enable the functions and network ports that are required.”

Hardening guides offered by manufacturers aren’t always enough either, though. Physical security professionals should take it upon themselves to become proficient in cybersecurity.

“[There needs to be] better cybersecurity education and awareness throughout the entire industry,” Dorris says. “Most people are aware of cybersecurity but uncomfortable talking about it in depth — some people lack training on basic cybersecurity hygiene methods. Regardless of whether or not the devices are properly configured and protected on the network, if a person is unfamiliar with the basics and unknowingly clicks on the wrong link in an email, it can defeat all of the protection put in place. Investment in training the ‘human firewall’ on good cybersecurity practices is paramount in keeping businesses safe from cyberattacks.”

Aaron Saks, product and technical manager at Hanwha Techwin America, Teaneck, N.J., points to two other obstacles to becoming cyber-secure: the cost of more advanced, cyber-secure solutions, and the mindset of security systems being made up of different, separate pieces, rather than a comprehensive solution. And things become even more complicated with the number of vendors often involved in a single installation.

“Often you don’t just have a single vendor doing everything, so you might have an access control platform, VMS, all these different parts and pieces, and they may be talking to each other, but you have to make sure that connection is secure,” Saks says. “We’ve seen this with a lot of the different data breaches over the years — people leaving things open to make connections to different systems. And leaving firewall doors open — those can really affect a lot.”

Don Erickson, CEO of the Security Industry Association (SIA), Silver Spring, Md., also points to the supply chain as a major challenge.

“There is complexity involved throughout the security value chain — very few manufacturers are the original equipment manufacturers of all of the components of their products, so they must ensure the cyber hygiene of all hardware and software components,” Erickson says. “Integrators must ensure that the products within their solutions portfolios are cyber-hardened and configured in deployment environments correctly. End user environments add additional complexity as physical security systems interface with other equipment and systems and day-to-day operator risk is introduced to the system. Coordinating and agreeing on cybersecurity responsibilities throughout the value chain can be challenging.”

The plethora of outdated legacy equipment still in use certainly doesn’t help prevent cyber-attacks, either.

“If you utilize shodan.io, you will see there are thousands of older devices on the internet, all with active vulnerabilities that can be accessed easily,” Brent says. “It’s like putting a Windows 98SE2 machine on your network. All of these devices can be turned into bots or used for lateral movement. Customers need to start replacing older devices, as a system is only as strong as its weakest link. One of the most valuable targets to any hacker is just a platform that has bandwidth, and there are a lot of them out there.”

What’s the Solution?

Different members of the supply chain can point fingers at who they believe is truly ‘responsible’ for cybersecurity, but if the industry wants to solve its cyber problem, there will have to be action from everyone.

“While there has been some shift in perception, there needs to be more action,” says Sanjay Challa, chief product officer at Salient Systems, Austin, Texas. “Bid specifications need more thorough cybersecurity components. End users and integrators need to not just insist on products that have proper cybersecurity capabilities, but actually take the time to install, configure and use those capabilities.”

Communication amongst different departments is also essential.

“Decision makers must look at the entire picture across the organization to be successful,” says Greg Gatzke, president, ZAG Technical Services, an IT consulting firm and managed services provider in San Jose, Calif., “Operating in silos can be detrimental to an organization, so there has to be a focused effort to make sure IT professionals are involved when physical security investments are being made to make sure the network is protected.”

It is absolutely crucial to understand that cybersecurity is a shared responsibility, says Genetec’s Chevalier.

“All parties involved in the system development, implementation and operation have a critical role to play,” he explains. “It is important that manufacturers, integrators and end users embrace this fact and work together to address this risk. Given the nature of the technology used to implement physical security systems today, and the fact that these systems are more connected now than ever to achieve various business goals, it is imperative for physical security professionals to partner with IT/InfoSec experts. In this way they can work to ensure the technology used to implement the physical security system is designed and developed by a manufacturer that leverages cybersecurity best practices in making products and that the system is implemented according to those best practices and proper cyber hygiene.”

David Lathrop, vice president, utility strategic business unit, Unlimited Technology, Chester Springs, Pa., recommends automated risk detection tools in order to stop hackers in their tracks.

“The cybersecurity industry requires constant attention and adaptation to stay ahead of evolving threats,” Lathrop says. “A healthy and robust cybersecurity profile includes constant monitoring of external and internal attacks as well as a health-based monitoring platform. In today’s rapidly changing cybersecurity world, successful programs start with proactive automation tools. Proactive automation is a must-have due to the growing sophistication and sheer number of machine-on-machine attacks that we faced in 2020.”

Security integrators should consider offering cyber services to ensure the long-term safety of their solutions.

“The security industry needs to help companies achieve holistic security, including in digital spaces,” Ruddo says. “IT staff augmentation, managed services, digital hygiene best practice training and security system installs with a defensive posture in mind are key to achieving better outcomes for clients. … Developers are beginning to distribute hardening guides that empower dealers to install physical security systems that are cyber secure. At the same time, dealers and integrators need to follow these guidelines while equipping businesses to enact long-term cybersecurity best practices.”

Along with offering these services, integrators should put forth the effort to educate end users on why cyber hygiene is so important, says Dean Drako, founder and CEO of Eagle Eye Networks, Austin, Texas.

“It’s awareness, training, vendor selection and then installation,” Drako explains. “And there’s the education of the customer, or collaboration with the customer if they’re very cyber-aware. But sometimes they aren’t so aware, and then we have to take ownership and be responsible.”

To aid in education, SIA has created a Cybersecurity Advisory Board that provides guidance for cybersecurity strategies and solutions. “This leadership enables SIA to prepare industry stakeholders for challenges related to the wider adoption of the Internet of Things and the use of secured networked devices for security,” Erickson says.

In addition, SIA’s Membership Code of Ethics states that SIA member organizations and their employees must monitor and mitigate risks as much as reasonably possible, which includes securing and hardening networked solutions against cyber threats in accordance with industry best practices.

And in partnership with PSA Security Network and Security Specifiers, SIA recently developed the Security Industry Cybersecurity Certification (SICC) for physical security professionals. “We believe [the SICC] could become the gold standard for our industry,” says Ric McCullough, president of PSA Security, Denver.

“This program and certification process has been released and is ready for consumption.”

PSA also has its own cybersecurity committee, and has been preaching the importance of cybersecurity and cyber services for the past decade.

These industry associations will be especially useful in helping security integrators navigate future laws that might go into effect regarding cybersecurity.

U.S. President Joe Biden issued an executive order on improving the nation’s cybersecurity in May of 2021 — though it’s unclear what sort of impact it will have, since every president since Bill Clinton has issued a similar order. Core tenets of the order include applying the latest data encryption standards and bringing uniformity to cybersecurity standards.

“Cybersecurity will continue to be an ongoing challenge,” says Chris Peckham, chief operating officer,  Ollivier Corp., Los Angeles, and member of PSA’s Cybersecurity Committee. “Technical requirements are being issued in some areas by federal and state governments, and those will extend into commercial markets in the future. IoT regulations will impact the industry as well. Awareness and training are very important as solutions are developed and implemented.”

Before the government takes matters into their own hands, it would be in the best interest of the industry if physical security professionals create cybersecurity standards, says Axis’ Dorris.

“As a collective industry, it’s important that we develop our own cybersecurity standards, requirements and baselines,” he says. “We should not wait for these requirements to be pushed down from government via laws and regulations. … Cybersecurity is a complicated topic, but really it boils down to good documentation and solid processes for installing and maintaining devices on the network. The governance, regulation and compliance aspects of network devices are all geared around having clear procedures and security controls, and the same should hold true for physical security devices.”

The Future of the Industry

Security leaders and associations have been begging physical security professionals to take cybersecurity seriously for years. Now, if you haven’t already started educating yourself on best practices, you need to start now — before it’s too late.

“Cybersecurity issues will unfortunately worsen in the future,” says Salient’s Challa. “The industry can prepare by embracing cybersecurity as a core requirement and with wholesale investment across the supply chain into cybersecurity.”

Dorris predicts that the risk to IoT devices, especially, will grow worse in the near future.

“Currently there are 50 billion connected devices globally — that’s more than six devices for every person,” Dorris says. “In contrast, there is a shortfall of 3-6 million cybersecurity jobs currently. There are not enough IT administrators and cybersecurity personnel to protect what we have now, so we’re on a dangerous trajectory. Due to the overwhelming number of devices, and the dependency that our society has on being connected, the attack surface and number of vulnerabilities are endless. Clearly, we need to make up lots of ground in order to mitigate risk and prevent potential attacks that can be costly to companies and their customers.”

Chevalier of Genetec believes that while awareness around cybersecurity is improving, the severity of the attacks will likely worsen in the future.

“The impact and magnitude of attacks tend to increase over time,” he says. “It is likely that more high impact hacks will happen with real-life consequences. So, the industry will mature and get better but there will be more value for hackers to extract by attacking security systems.”

Largely because of a push from end users, most manufacturers are preparing for this future.

“In the last few years, we are seeing more manufacturers realize that they have to make the cyber investment, or their product will not be specified in major products,” says Bosch’s Brent. “While some are only designing higher end models with cyber in mind, we are at least seeing a shift in mindset.”

So while the industry may not be quite where it should be in terms of cybersecurity, it is moving in the right direction, Erickson says.

“We should be optimistic as an industry because, working together, we have been able to solve challenges that have threatened security in the past,” he explains. “Through information sharing, developing and adopting standards and best practices in physical and information security, we will learn as an industry to mitigate the current threats and be better prepared as cybersecurity threats evolve.” SDM