Cyber Threat to Security Systems a ‘Real Concern,’ Says IST Co-Founder Andrew Lanning
Lanning explains how IST is adapting to cybersecurity concerns and pleads for the industry to do its own due diligence on the subject matter.
When PSA Security Network began making cybersecurity a point of focus for the physical security integrator in 2014, Integrated Security Technologies Co-Founder Andrew Lanning quickly stepped up as one of membership’s most experienced and engaged proponents. “Our IST team is taking on a cybersecurity leadership role in the industry in Hawaii, just as our partner, PSA, is nationally,” says Lanning. “It was a natural fit for me to pitch in and help with the effort all around. I’ve always found that one of the best ways to learn is to teach, so the more I can share, the more I can learn.”
Why should the electronic security community be cognizant of cybersecurity issues today and what measures should be taken? Let’s see what Lanning has to tell us.
Why is the cybersecurity topic important to physical security integrators?
Andrew Lanning: The cyber threat to security systems is a real concern because some of the hardware used cannot be effectively hardened due to manufacturer bugs or hardening limitations in their firmware. Additionally, many of the integrators haven’t yet adopted sound cyber-hardening practices in their system implementations. Both of these factors increase vulnerabilities to the takeover of system components, and once compromised those components can be used as a launch platform to subvert physical security measures or for deeper network penetration if the physical security system hasn’t been securely isolated from the corporate network. The technicians are also a vector for malware introduction to their clients’ systems. If their test equipment has been compromised and they are unaware of it, they could introduce malware to their client’s network unknowingly. This is why sound in-house cybersecurity monitoring practices are critical to today’s integrators.
What do they need to know as a minimum?
Lanning: Comprehensive information security practices are already available for adoption across the spectrum of these operating departments. As a basis of understanding, NIST’s Cybersecurity Framework [nist.gov/cyberframework] is a great start. Distilling that information down to the SANS 20 Critical Security Controls [sans.org/critical-security-controls] makes it a little more digestible and can give ownership ways to begin assessing the three pillars of information security within their own organizations: people, processes and products. There are a lot of pertinent education and tools available at the Center for Internet Security [cisecurity.org]. Most physical security integrators I meet know very little about the basic cybersecurity problems that exist in our industry. I don’t believe that knowing the minimum is a viable strategy going forward. We all have a great deal to learn and we owe that to our clients.
What types of conversations should they be having with their suppliers?
Lanning: We are asking for current vulnerability-scrubbed documentation from their third-party auditors. We’re looking for audited evidence that demonstrates a manufacturer’s responsiveness to hardware, software and firmware bugs, and shows a timeline of consistent bug tracking and fixing. This type of transparency is just starting to flow to the PSA Cybersecurity Committee from manufacturers under a variety of NDA conditions. We have a long-term eye turned towards developing an assurance grading system at the manufacturer, component and firmware levels, not dissimilar to NSA’s Commercial Solutions for Classified Program, although specific to our PSA vendor equipment and systems. Hopefully these types of efforts will motivate all physical security equipment manufacturers to adopt sound information security standards in their product development cycles as well as firmware/software bug tracking transparency best practices.
What types of conversations should they be having with their end-user clients?
Lanning: Individual client risk appetites will vary but their risks should be known prior to additional networked system or equipment deployment. If their risks aren’t known, it’s time to take a step back for an assessment. Using a third party can help both sides. The convenience of client-side application functionality should never be accessible over the corporate network without a serious hardware/software/firmware assessment of the security equipment and the network monitoring controls being implemented.
What opportunities does this area offer physical security integrators?
Lanning: It’s clear the SMB supply chain to enterprise industries is under cyber-attack. We’re also under increasing scrutiny from government organizations. I am a fan of that scrutiny. If you believe that regulatory measures will continue to advance down the supply chain, as I do, then the opportunity is to remain relevant – and remain in business. Room will be available below the major verticals for integrators to work in less security-conscious, consumer-grade IoT markets. But if you want to be taken seriously by the health-care, finance, government, etc. vertical market suppliers, you’re going to have to raise your information security knowledge and harden your internal people, processes and products. Only then will you be able to credibly offer and support mature physical security equipment, configurations and services.
Why did you decide to be so proactive in this area and participate in PSA’s Cybersecurity Council?
Lanning: Our firm services DOD, municipal government, health-care, petroleum, and financial clients already. We began receiving cyber hardening requirements in our contracts last year and we only expect those requirements to increase in number and in frequency. Our IST team is taking on a cybersecurity leadership role in the industry in Hawaii, just as our partner, the PSA Security Network, is nationally. So it was just a natural fit for me to pitch in and help with the effort all around. I’ve always found that one of the best ways to learn is to teach, so the more I can share, the more I can learn.
What moves are you making in your own business relevant to this?
Lanning: IST was just as far behind the curve on cybersecurity a few years ago as the rest of our industry. We had to start by partnering with IT service offerings that improved our cyber posture internally. We’ve also committed to aggressive certification and education training for our team, so we’re improving on what we can organically and reaching out through PSA to our subject matter expert vendor partners where we need to.
To what extent do you feel progress is being made?
Lanning: Awareness has finally passed through the C-suite to the boardrooms. That has freed up funding for the layers of cybersecurity that we’re adding to our offerings. By that I mean they understand why we’re using more expensive equipment, switches for example, and if not we can have that discussion. Our clients also understand why we’re layering managed services on top of our systems so that we can monitor for any anomalous network activity associated with our equipment and/or systems.
What are the challenges moving forward?
Lanning: My personal challenge is making time to study for the certification exams. I’m committed to knocking a few of those out this year, and I’m considering another master’s degree in this field.
The challenge for our company IST is absorbing the expense of educating the Hawaii market about the risks associated with negligent cybersecurity practices. Cybersecurity maturation creates an additional but necessary training expense, both in time and materials, for our staff and for our clientele.
The challenges for the PSA Cyber Security Committee are already being met. We’re introducing a cybersecurity playbook for our integrators this May at PSA-Tec. The playbook will give our integrator community some tools to mature from Tier Zero in cybersecurity posture all the way to Tier Four, or as far as their own risk appetites will push them.
The industry challenge is threefold:
- Our clients need to see our offerings come up to the same levels of assurance that meet their current or anticipated regulatory requirements.
- Our integrators need to adopt a sound set of information security practices within their organizations and their client-side system implementations.
- Our manufacturers need to embrace IT practices for bug reporting, tracking and fixing and adopt transparency efforts in line with DHS’s National Vulnerability Database if they want to be taken seriously in the long term.
No one is immune to the risk of the technology maturation process; we’ve just got to embrace the changes and continue to learn. Maintaining any kind of status quo related to cyber hygiene is a long-dead idea in today’s networked business community. Market pressure is still coming from our brick-and-mortar competitor up the street, but it is also coming directly from technology itself. Organizations that can’t absorb the required technologies, either through adaptation or partnership, will fade away rapidly. The current rate of technology change has already caught government, education and the industry off guard. Technology has proven that it will continue forward and we’re all being challenged by the journey.