With what seems to be a never-ending stream of breaches and reported vulnerabilities of various systems, cybersecurity issues have come to dominate conversations in the physical security industry. Whether it is implementing more stringent authentication measures to restrict data access, evaluating the latest malware schemes or wading through newly passed or impending regulations, trying to stay up to date on the latest cybersecurity threats can be an exhausting exercise.
On top of that, the hardware and software systems that the industry has come to rely on to protect the physical premises, such as video surveillance and access control, are also being increasingly targeted and compromised by hackers. Perhaps the best-known example of this was the Mirai botnet, which leveraged large numbers of hijacked IP cameras and DVRs to launch several prominent distributed denial of service (DDoS) attacks in 2016.
In the wake of Mirai and various other reported vulnerabilities in IoT devices, there has been a greater push within the industry to ensure the cybersecurity of security products themselves to provide peace of mind for both end-users and integrators. Some of these efforts involve following sound, simple cybersecurity hygiene practices, such as changing default passwords and applying security patches when they’re provided, but there is also a growing demand for manufacturers to better harden devices themselves against cyber-attacks.
Last year, Underwriters Laboratories (UL) launched a new cybersecurity standard, UL 2900, which was developed specifically for the physical security industry to assess the software vulnerabilities and weaknesses of products and review their exposure to exploitation and known malware. Johnson Controls became the first manufacturer in the industry to launch a UL 2900-certified product with the release of its American Dynamics VideoEdge NVR earlier this year.
SecurityInfoWatch (SIW) recently caught up with Gonda Lamberink, Cybersecurity Senior Business Development Manager at UL, to discuss the progress of the UL 2900 standard and how far the industry still needs to go in ensuring the cybersecurity of its products.
SIW: How has the development of this standard been received by security manufacturers thus far?
Lamberink: There has been a growing awareness, in general, in this industry compared to some other industries. With cameras growing in functionality… commercial-grade IP cameras and NVRs are products that are considered to need relatively high levels of security assurance similar to medical equipment and some other product categories, so overall the UL 2900 standard and the cybersecurity assurance program have been well-received by manufacturers in both the U.S. and China. We have also seen some traction and customer engagements focused on preparing manufacturers for cybersecurity certification, especially those that hadn’t had a lot of experience yet with product security and are now putting product security teams in place, so we’ve been focused on training services as well.
SIW: What is the biggest challenge in getting buy-in from manufacturers to have their products certified?
Lamberink: One of the barriers is lack of maturity to actually be prepared for a security certification. What we see, by and large, is that security hasn’t been implemented yet as part of the product development lifecycle. That means in designing your product you haven’t taken into consideration any security controls, you don’t subject your products regularly to testing, and for maintenance you don’t think through your software updates and how you are going to maintain security. If you haven’t built those processes and documented them, then it is really hard to qualify even for being taken into consideration for certification. As more leading brands follow, that will incentivize others to, first of all, try and qualify to be taken in for evaluation, and then second try and get certification for their products.
SIW: Aside from achieving UL certification among others, what else can manufacturers do to bolster the cybersecurity of their products?
Lamberink: Definitely making sure they buy into secure software development lifecycle frameworks across the organization, but similar to general maturity development models like TMMi, there are real benefits for organizations to try and implement processes and rank themselves on how well they do on these processes for secure software development. There are frameworks they can leverage – both open source frameworks like OpenSAMM or proprietary ones like BSIMM – and that’s definitely a good first step to create organizational awareness for security and have some type of guidance as to what processes should be focused on, where the major gaps are and where we need to improve organizationally. From there, it is much easier to manage product security.
SIW: What is the biggest mistake that companies make from a cyber perspective when it comes to building surveillance cameras and other IoT devices?
Lamberink: At a high level across verticals, it is not properly building security in by design and managing it as part of the entire lifecycle. There is a lot of firefighting after the fact or it’s not very well embedded from the start. It’s kind of putting a Band-Aid on a big wound whereas you should be fixing the wound to begin with. If you are just doing a penetration test or running a vulnerability scan and thinking you’re done, think again because that’s not going to solve your problem and you need to take a more holistic view of security.
SIW: What kind of impact are regulatory concerns having on the industry?
Lamberink: Privacy regulations for sure are having an impact. In Europe, the European Commission is stepping up and will set some precedent with GDPR. Once there is some case law and precedent, I would be curious to see how that drives products to higher levels of security. With privacy, my theory is that most organizations think that it is an enterprise infrastructure problem… but they are not really thinking it through yet as being a product-level issue for the security of private and sensitive data. Once we see some type of precedent in court, that could incentivize manufacturers to take privacy protections to the next level. If sensitive data is captured at the device level – biometric data, such as iris and facial recognition, for example, is highly privacy sensitive – then these devices need to securely store and communicate that data.
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].