A Security Expert Talks Cybersecurity Preparedness In the Industry
Joshua Cummings from VTI Security talks about the state of cybersecurity preparedness in the physical security industry.
As part of its research for the 2017 SSI Physical-Logical Security Assessment, SSI spoke to Joshua Cummings, director of engineering services from VTI Security, about whether manufacturers, dealers and integrators are prepared to address cybersecurity issues.
Are manufacturers doing enough to address cybersecurity issues?
There are many manufacturers that are making great strides to address cybersecurity issues. Several manufacturers have started to develop hardening guides for their devices or software. These guides tell integrators the steps to take to turn off features they are not using, to make passwords more secure and how to patch the product to mitigate vulnerabilities that are discovered.
We’ve seen a lot of manufacturers moving in that direction and many now have a plan in place to get there. It’s clear that manufacturers recognize this is an important issue that needs to be addressed. Some manufacturers have added content to their website to serve as an informational resource on cybersecurity. They use these areas to post known vulnerabilities and patches so that integrators can in turn address the issue.
For manufacturers, the best practice to adopt is one where they don’t hide product vulnerabilities or try to sweep vulnerabilities under the rug. It’s important to have an open dialogue so that customers install a patch to resolve the issue. This is a major shift for the security industry.
Dealers/integrators continue to rate themselves much higher than manufacturers for being responsive when vulnerabilities become known, with an average 8.21 (vs. 8.04 in 2016). Are they more responsive?
I think our customers expect faster responses to these types of concerns and because of that, integrators are focusing more on education and service. It really requires a collaborative approach. We have seen an escalation in the number of requests we receive from our customers in regards to potential vulnerabilities.
It’s not uncommon for our customer to share with us the results of a scan from their IT department identifying vulnerabilities that they would like us to work through with them. We take these requests very seriously. We will review the scan results with the customer and identify a plan to mitigate each item.
During this process we engage with the manufacturer to help explain and/or address the potential vulnerability. Manufacturers vary in their responsiveness.
This seems to be dependent on their stance on cybersecurity as well as their development process.
Do dealers have concerns about the Cloud and the security of Cloud-based applications/solutions?
I believe many do. I think their level of comfort can also depend on the type of data they are hosting in the cloud. If someone hacks into your streaming video in the cloud it may not be as big of a deal as it would be if they hack into your access control system.
Viewing video of a hallway has a different level of risk than having access to unlock a door. Ensuring that cloud-based systems are cybersecure comes down to due diligence, protocols and the processes in place.
How is VTI changing its business to address the rising need for IT skills? Are you hiring and recruiting more sales/technicians with this expertise?
We are investing in education and partnering with several cybersecurity groups to educate our staff, learning how to mitigate risks and be more cyber-conscious about what we are doing. For example, we work with SecureSet, a local company in Colorado, which is one of the country’s first cybersecurity universities.
We currently have employees enrolled in their curriculum from both the sales and technical perspective. It’s a two-way partnership because we are also teaching their students about physical security. We also partner with PSA Security as they have a strong cybersecurity educational program.
Do cybersecurity issues drive the need for more physical security standards?
There is a need for standards, especially as it relates to cybersecurity. There have been a few groups trying to make headway in that area, such as ONVIF and PSIA. We still have a long way to go, but working towards standards is going to make the security of deployments easier.
When it comes to cybersecurity, interoperability between devices is important. Today, manufacturers have to write custom drivers to integrate their products. This means that each integration is different and can’t be leveraged from one manufacturer to another.
A standard framework would allow manufacturers to develop to a standard and increase interoperability. It would also allow them to leverage best practices and security features.
Are integrators prepared?
I think there are very few integrators who are completely prepared. Most are on the path somewhere and taking the steps to become more focused on cybersecurity. VTI Security and other members of Security-Net are well on their way down the path, but it’s a pretty long path and we are at varying stages of the journey.