How to Protect Security Systems From Hackers, Cyber Attacks
Find out which technologies and practices are being used to keep unwanted code and intruders out of security networks and devices.
Historically, security panels were dedicated computing devices designed for the sole purpose of performing intrusion detection functions. The firmware running in the panel was designed by the manufacturer and embedded in the panel’s processor, and attached wireless devices used proprietary but unencrypted communication to these systems.
Today we live in the world of the connected home or business. Virtually all security systems are connected to broadband or cellular networks, and use an increasingly complex array of wireless technologies to create a unified connected security offering.
Wireless technologies commonly found in modern security systems include WiFi, Z-Wave, Bluetooth, ZigBee and often some additional proprietary RF technologies used to communicate with intrusion sensors and other peripherals.
It is critical that all of these communication systems be protected from potential hackers, utilizing the latest encryption technology available.
Protection Starts With the OS
Protection from threats has to cover not only the radio technologies, but also the on-board operating environment in which these radio technologies run. In recent years, many panel manufacturers have pushed open architecture security panels that run a version of Linux or Android, leveraging the wide range of application development libraries and, to some degree, benefiting from continued investment by the OS community in establishing cybersecurity defenses.
The benefit of utilizing a widely available operating system is that new cyber protection technologies are constantly being added to the operating environment, helping these systems try to stay ahead of the cyber-attack curve.
There are modern platforms such as the Connect+ by Alula (formerly ipDatatel/Resolution Products) that deliver purpose-built operating systems, which strive to thwart attacks and include features such as:
- Not capable of installing or running arbitrary external processes like Android or Linux
- Significantly smaller than Linux or Android, greatly reducing the attack surface and making it more challenging for hackers to penetrate
- Avoids the complicated issues of when and how to update Android or Linux components that routinely need to be patched, often to address security vulnerabilities
- Firmware updates are extremely fast and can be accomplished without additional cost to dealers
While these provisions in themselves are not sufficient to protect against all threats, they greatly reduce the vulnerabilities experienced by many of the open operating system devices on the market today.
3 Levels of Protection
Any device that connects to a security system needs to be designed to provide multiple levels of protection. Generally, these fall into three categories:
Authentication — Ensuring the device is from a known and trusted source.
Encryption — Protecting the messages transmitted between devices to ensure the data can’t be easily understood and that messages are not able to be falsely replicated and retransmitted.
Supervision — Including algorithms that allow devices to check-in and make sure they are still able to effectively communicate with the platform.
Supervision is the technology most widely understood in the security market today. Most security systems at a minimum meet regulatory approvals for supervisory messages from their security sensors.
This capability hasn’t historically extended beyond intrusion and life-safety sensors, but in recent years manufacturers and service providers have extended supervision to include devices connecting over nonsecurity RF technologies such as Z-Wave, WiFi and ZigBee.
This capability is not driven by any standards or regulatory bodies, so it is up to the security dealer to understand how their system operates, and if it meets acceptable performance criteria for their customers.
Most of the work in recent years has been on implementing encryption and authentication services for RF links to the security platforms. Because each type of RF technology used in the security space has different characteristics, the level of encryption and authentication provided varies widely.
Design teams reflect on factors such as:
Bandwidth: How much data can be effectively transmitted between devices.
Processing capabilities of the devices: Some devices are battery powered and low cost, limiting how much computing and memory exists in the device.
RF regulatory rules (FCC): How often the device can transmit, at what power and for how long.
Cyber risk: How vulnerable the system is to an attack on any given node.
These technology drivers greatly impact the level of protection added to each wireless node. For example, a wireless keypad may use WiFi technology.
Leaving a keypad vulnerable to attack would have extremely bad consequences on the security platform. Because these devices tend to have power and sufficient processing power, they will generally implement AES encryption methods with an out-of-band key exchange process initiated during enrollment.
This level of authentication and encryption is similar to your laptop securely joining a WiFi network. Alternatively, a door/window sensor is often a one-way RF, battery-powered device with limited processing capabilities.
This device should still provide full encryption of the messages to avoid retransmission risks (though many legacy security systems do not), but authentication is generally handled by tight authentication on panel enrollment and programming tools rather than being included as part of the device enrollment process.
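The panel-side checks described above for a one-way sensor (rejecting forged or retransmitted messages, and supervising check-ins) can be sketched as follows. This is an added example, not code from Alula or any vendor: the frame layout, the `Panel` class and all names are assumptions, and it uses an HMAC-SHA256 tag with a rising counter to show replay rejection only, leaving out the AES confidentiality layer.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated tag; assumed frame format, not a real product's

def make_frame(key: bytes, sensor_id: int, counter: int, status: int) -> bytes:
    """Sensor side: 4-byte id, 4-byte counter, 1-byte status, then the tag."""
    body = struct.pack(">IIB", sensor_id, counter, status)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Panel:
    def __init__(self, supervision_window: int):
        self.window = supervision_window  # seconds allowed between check-ins
        self.sensors = {}                 # id -> [key, last_counter, last_seen]

    def enroll(self, sensor_id: int, key: bytes, now: int) -> None:
        # The key is assumed to be provisioned out of band at enrollment.
        self.sensors[sensor_id] = [key, -1, now]

    def receive(self, frame: bytes, now: int) -> str:
        if len(frame) != 9 + TAG_LEN:
            return "malformed"
        body, tag = frame[:9], frame[9:]
        sensor_id, counter, status = struct.unpack(">IIB", body)
        entry = self.sensors.get(sensor_id)
        if entry is None:
            return "unknown-sensor"
        expected = hmac.new(entry[0], body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"              # forged or altered frame
        if counter <= entry[1]:
            return "replay"               # valid tag, but already seen
        entry[1], entry[2] = counter, now  # only accepted frames count
        return "alarm" if status else "ok"

    def overdue(self, now: int) -> list:
        """Sensors that have missed their supervision window."""
        return sorted(sid for sid, e in self.sensors.items()
                      if now - e[2] > self.window)

if __name__ == "__main__":
    key = bytes(range(16))                # constructed sample key
    panel = Panel(supervision_window=3600)
    panel.enroll(7, key, now=0)
    frame = make_frame(key, 7, 1, 1)
    print(panel.receive(frame, now=10), panel.receive(frame, now=20))
```

The sensor must keep its counter across battery changes, otherwise its own frames will be rejected as replays after a restart.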
New standards and certification procedures have recently been added to other wireless technologies to minimize exposure to cyber threats. The Security S2 standards were added to Z-Wave in 2017 to address security concerns.
This new standard includes multiple levels of “out of band” key exchanges for authentication and encryption techniques while still delivering efficient command latencies. Products certified after April 2017 will comply with these new standards. Other RF standards groups are taking similar actions to ensure their products stay ahead of emerging cyber threats.
Dealers should ensure their equipment providers are not only members of these standards groups, but also actively participating in developing these technologies.
Remote Upgrades Are Critical
The threat of hackers or cyber exposure is not a static problem. As security systems become more connected, the need to remotely upgrade these platforms becomes increasingly critical. This enables dealers to quickly and easily deploy the latest updates to minimize risk and maximize data protection of their platforms.
Some security systems are easier and less expensive to upgrade than others, so make sure you factor this capability into your buying decision. Cyber threats should not keep you from joining the world of delivering connected security and automation services, but you certainly need to select vendor partners that will actively work to ensure your customers are protected today and for the life of their monitoring contracts.
Dave Mayne is Vice President of Product Management for Alula (formerly ipDatatel/Resolution Products).