How Cyber Savvy Is Your Security Supplier?

Weakest Link

29.03.2017 - The melding of information technology and physical security has reaped many benefits for the security industry and its end users, making systems faster, smarter and easier to manag...

The melding of information technology and physical security has reaped many benefits for the security industry and its end users, making systems faster, smarter and easier to manage.

But the downside has been the real and perceived ­vulnerability that comes with network-based systems. Here are a few questions that come in handy while choosing a supplier to find out how cybersecurity ready they are.

Because of a perceived weakness in the industry, security products are often a favorite target of hackers and security researchers. But they are never the end target for a real cyber attack. Cybercriminals are in it for the money, state sponsored attackers want to cause damage or steal information and the “hacktivists” are trying to make a statement. So even if a malicious person could play with your locks or watch your video feeds, that gets boring pretty quickly. Besides, they probably have better things to illegally download and watch.

What an attacker really wants to do is get to something useful, something valuable and security products can provide the access.  When building security systems for a range of clients that include small stores, school systems or even government agencies, it becomes critical to understand how the cameras, video management systems and other components fit within those network architectures without introducing new vulnerabilities. So where to begin? How do you ensure your security products are not the weakest link in a network? Why not start by asking your suppliers a few crucial questions about the cybersecurity readiness of their products.

How Secure Is the Product?

Start with the obvious: How is security built into your products? You wouldn’t want a camera where the image quality was the last thing that the engineers considered during development. The same is true for the security of the products that make up any IP-based system. When security is not a consideration from the start of the development process through the final stages of its creation, it can result in a product that becomes impossible to secure at deployment.

Secure development for any product starts with a risk assessment with a key focus on confidentiality, integrity and availability. When applied to security products at a very basic level:

Confidentiality means keeping confidential information out of the hands of those to whom it does not belong. Consider if a camera requires authentication to view the video. There are websites dedicated to showing the live feeds of security cameras that don’t require a password to view the video.

Integrity means the information is accurate and the data has not been altered. This becomes especially true in an access control system where allowing changes to the database could allow an attacker physical access to the building.

Availability means just that – making sure the product continues to function and is probably the most important for security products. While DoS (denial of service) attacks are the most headline grabbing, availability is most often compromised because of functional errors in the product. Consider the impact of an intrusion system that fails to detect a sensor going offline or an access control system that cannot operate during a network or power failure. 

These are the types of security considerations that should be an integral part of the products that are being offered by security suppliers.

Ease of Use Versus Level of Security

A challenge for all product manufacturers is how to reconcile ease of use while supplying an appropriate level of security. A key selling point for most security products today is that they are easy and fast to install, saving the integrator and the end user valuable time and expense. But often the tradeoff is that when things such as authentication and encryption get ignored system vulnerabilities creep in. Additionally, while it would be great if everyone wanted the same level of security and were willing to undergo the additional steps for higher security features (such as requiring complex passwords) the reality is that some users are not as invested in it as others. What works for some, will not work for others.

With that in mind, consider products that provide some flexibility in the installation. For example, allowing for an integrator an easy set up process, but with the ability to enhance the security of the product before handing it to the end user. Features like enforcing complex passwords after the initial installation help secure the product without increasing installation time.

Cybersecurity immediately brings to mind threats from malicious external players, but there is always a risk from internal threats as well. A Phonemon Institute study showed that “malicious insiders” were the most expensive when weighted by attack frequency and were the longest attack type to resolve.  To help protect against this type of threat, it is important to seek products that can be set up with controls that separate responsibilities for individual users.

For example, a security officer at the front desk should be given privileges for the cameras that are necessary to do his/her job rather than allowing him/her access to all of the cameras or the entire video management system. Configuring user privileges can be complex, but is an essential part of any computer system. Systems that are able to connect to a central access control management system like Microsoft Active Directory make installation and management of large systems easier and more reliable.

Of course, cybersecurity is not static. Everyday new vulnerabilities and exploits are uncovered. This raises the question: What are product manufacturers doing on an ongoing basis to address these?

How to Handle the Unpredictable

If the supplier has the basics covered in development, they must also be prepared to respond to new vulnerabilities, to the unpredictable. It is easy to organize support when your product is being called out with threats of public disclosure, so judge a supplier on how they respond without the threats.

A successful product cyber-response plan requires a dedicated team with the capabilities to assess and mitigate issues when they arise. When executed properly, the team should be able to respond the same day with an assessment and mitigation plan.

A security weakness in a product could be devastating, so both speed and quality of response are critical factors to consider when selecting a supplier.

Independent or Third-Party ­Assessments?

Finally, ask about third-party assessments. Does the company undergo independent assessments of its products to look for areas of exposure? But include the more important follow-up question: Do they then take the proper steps to resolve the issues found? Getting a third party assessment is easy. Fixing the issues requires responsibility; responsibility you need in a supplier to ensure ongoing success.

Cybersecurity threats are ongoing and ever changing, but by being vigilant and seeking suppliers and products that can meet your installation’s needs, you can present to a client a system that will stand up to cyber threats today and tomorrow.


Johnson Controls

Building Technologies & Solutions
282 Bath R UB7 0DQ
Sipson, West Drayton

+44 (0) 7972 862 726
+44 208 750 5666