SIA Plans Cybersecurity Guidance Program

Sept. 13, 2017
The initiative would enable security manufacturers to cyber-certify their processes and devices

“Labeling” has become somewhat of a dirty word these days – and in most contexts, I get it, labels can be bad. I am a big fan, however, of labels that give me information about products that I purchase and use, and whether those products meet a certain standard.

I look for labels – whether it is meat and produce labeled as organic or FDA-certified, or a tag on my extension cord that lets me know it is designed not to cause electrical shock when used correctly, or a label on an air conditioning unit that lets me know it meets energy efficiency standards.

In today’s connected world, it would be great to have some labeling guidance as to which products are designed with cybersecurity in mind. For the physical security industry, the Security Industry Association (SIA) Cybersecurity Advisory Board is taking a few steps to provide such guidance.

Experts in physical security – the companies that produce video surveillance cameras, video management systems, locks, door controllers, access control cards, alarm panels and all kinds of devices that keep us safe – are trying to keep their products relevant and useful in an increasingly connected world; however, enabling these devices with network connectivity for user and managerial benefits unfortunately opens the door to cyber attackers.

The SIA Cybersecurity Advisory Board is looking into designing a program that would allow manufacturers of physical security equipment to certify their processes and ultimately their devices. This certification would designate that processes and products were designed with cybersecurity in mind.

This is by no means an easy task. Security devices are designed with on-board software that requires patching and periodic updates for performance and security. Sometimes, a performance upgrade opens a security hole, and a device that was once secure no longer is.

Certification of processes is not a magic bullet either. Engineering teams are not static – they change as most functional teams do. It is nearly impossible to guarantee that the same people and processes that were in place during one version of a product are the same in the next version.

In completing its labeling initiative, the SIA Cybersecurity Advisory Board will consider its own published guidance along with other industry guidance, such as the work done by UL in the UL 2900 Series standards, the National Institute of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC), among others, to devise a lightweight voluntary program that can drive awareness and responsibility within the physical security industry.

While cybersecurity is a constantly moving target, the industry must move forward, however incrementally, to ensure that the products keeping us safe are themselves safe from attack.

Other SIA Cybersecurity Resources

The goal of SIA’s Cybersecurity Advisory Board (established in Oct. 2015) is to help prepare its members for challenges related to wider adoption of the Internet of Things and the use of personal devices for security access.

It is well known that the vast majority of cyberbreaches occur because of easily avoidable oversights, such as default or weak passwords, poor patch management and careless processes. The SIA Cybersecurity Advisory Board released guidance for mitigating many of these common oversights in the “Beginner’s Guide to Product and System Hardening.” In the guide, the Advisory Board explores the top 10 causes of cybersecurity failure in systems. The list is by no means exhaustive, of course, and cybersecurity processes and technologies are constantly evolving alongside the threat picture.

The Advisory Board followed with the release of “Recommendations for Initiating an Enterprise Cybersecurity Solution.” The executive-level recommendations were offered as a solid starting point for developing a comprehensive cybersecurity strategy to mitigate business risk. The panel intends for those recommendations to drive discussion within an organization, in conjunction with other resources that offer in-depth guidance on developing an enterprise plan.

Both of these resources are available at www.securityindustry.org/Pages/[email protected].

Securing New Ground

This year, SIA’s Securing New Ground Conference (Oct. 26-27), held in the Edison Ballroom in Manhattan, will focus on cybersecurity concerns. Learn more at www.securityinfowatch.com/12362658.

In a “TED Talk-style” discussion, former Dell CSO John McClurg, now Vice President and Ambassador-At-Large for cybersecurity software provider Cylance, will discuss the topic in his presentation, “Cyber Evolution – Vulnerabilities You Need to Know About.” It will focus on securing the Internet of Things (IoT), a concept in which SIA and SNG are deeply involved, and on protecting connected devices against denial of service attacks. The talk will explore the following questions: Are practitioners confident that the thousands of connected IoT devices they have installed are secure? What sources of attack do leaders in the industry need to be aware of in order to address vulnerabilities?

Cybersecurity and the IoT are a focus throughout SNG. Gartner Inc. has predicted that by 2018, more than six billion connected things will be requesting support, and half the spending for IoT solutions will focus on integration. In addition, by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.

Joe Gittens is Director of Standards for the Security Industry Association (SIA). Learn more about SIA at www.securityindustry.org.

About the Author

Joseph Gittens

Joseph Gittens ([email protected]) is director of standards for SIA where he works closely with SIA members who volunteer their expertise to guide OSDP and other standards and technology initiatives.