10 Steps Integrators Should Use to Ensure Manufacturers’ Products Are Cyber Secure
More and more security devices are being placed on networks and therefore need to tested and designed to withstand hacking attacks. Learn what to be aware of, look for and verify in a vendor.
DURING the past five years, explosive demand for mobile devices, home automation and network/ Internet-connected cyber-physical systems (CPS) has caused a paradigm shift from traditional design, installation and support methodologies. Physical security manufacturers have lagged in their level of technical proficiency in cyber-hardened devices to develop secure IP-based solutions to meet market demand, and jumped into the water (often without a life vest) to maintain competitiveness and relevance in the market. Previous systems that were maintained autonomously from the network were isolated and only required minimal computing resources.
The lack of technical proficiency has led to major breaches and cybersecurity incidents, causing unintended consequences by introducing vulnerable security gaps that open end users to a swath of unintended cyber risks, many of which are unobservable without significant knowledge of the tools and processes. Manufacturers that have committed to being cyber aware have undertaken significant investment through training, product technical reviews, product development and system engineering to bring legacy products into mainstream focus. These manufacturers deserve applause (and your business) for their efforts as they establish themselves as leaders in an ever-changing industry.
Achieving system/software security assurance (S/SSA) from a product perspective is the process of ensuring that systems and software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability or misuse of the data and resources that it uses, controls and protects.
The 10 steps that follow provide guidance for systems integrators to understand and vet manufacturer products for cyber assurance, and resiliency for products required to be “cyber hardened” or “cyber secure.”
1. Has the manufacturer implemented a cybersecurity system security plan (SSP) for IT components in the product documentation?
Manufacturers with cyber-secure solutions will provide systems integrators and vendors with explicit information of the boundaries, subsystems, hardware, software, firmware and network connection rules demonstrating how the system is determined to be “cyber secure” when deployed in a specific system environment.
Emerging best practices in providing requirements and techniques for hardening or securing their products should include a system security plan. The SSP defines many of the security controls that are present in the system, and includes data encryption, data loss protection, key management, data classification, user roles and responsibilities, authentication, mobile security, etc.
The SSP also describes the information flows, ports, protocols and services, and how system capabilities will be protected from attack.
2. Is the supplier’s solution developed around a system development lifecycle (SDLC) approach?
Manufacturers should have detailed technical documentation to support a systems development and lifecycle approach. This SDLC process includes security requirements, design, build, test and deployment strategies.
Configuration management, risk assessment and vulnerability/flaw remediation, patch management and ongoing system monitoring and auditing capabilities of the solution should be addressed in the SDLC.
One factor that is often overlooked in the SDLC is ongoing cybersecurity training requirements. Ongoing training in cybersecurity development and awareness should be provided to manufacturers’ development teams as well as systems integrators.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!