Cybersecurity Approaches for the System Integrator
By: Jon Polly | Jun 04, 2021
Turn on the evening news or pick up a security industry publication and the senses are inundated with cyber breaches. The security industry is reeling from breaches like the Verkada security camera data breach and the claims of open backdoors into HikVision and Dahua cameras. Even homeowners have felt the effects, as companies like Eufy have experienced self-made breaches. These breaches have influenced, and will continue to influence, policy and law regarding manufacturers. As such, many security equipment manufacturers are now including cyber-hardening guides with their products. Security system integrators must now practice good cyber hygiene to ensure the security product itself is not the source of the attack. While there is no magic toothbrush for good cyber hygiene, system integrators must take responsible steps to ensure the delivered product is secure.
Cybersecurity and cyber-hardening are on the mind of every Information Technology (IT) professional because they do not want the hack to come on their watch. As companies and technologies continue to converge, the Information Technology (IT) side (such as processes) and the Operational Technology (OT) side (such as the physical security devices) will place more emphasis on OT technology providers to implement IT controls in their installations. The problem is that most of the security industry is not prepared today to implement these controls.
Unless the security system (Video Surveillance, Access Control, Intrusion, etc.) is off-grid with no access to the outside world, cybersecurity must be part of every implementation. System integrators, and any of their employees implementing systems, must remember that as soon as the first network cable is plugged into a production switch with access to the outside world, the customer may be vulnerable. In case of a breach, the customer will try to assign blame and recover lost revenue from any party culpable in the incident. The system integrator’s approach can prevent a system from being vulnerable and hedge the integrator against any culpability.
Scope of Work
As a former police officer, it was drilled into my brain that articulation is everything. Likewise, the failure to articulate is everything as well. A precise and concise scope of work document must be presented to every customer when it comes to systems that will connect to the network. The scope of work should include not only how the systems will be secured by the system integrator, but also the exceptions. Not everyone is a cybersecurity genius, and those who are not should NOT take on securing a customer’s network. Some system integrators will accept the job but supply a 3rd-party cybersecurity company as a sub-contractor and mark up the services. Other system integrators will not touch the network aspect at all. These exceptions should be clearly written into the scope of work as “provided by others.” Many customers may already have internal cyber-hardening resources or have cybersecurity companies on retainer for insurance auditing purposes. Either way, failure to call out one of these options will leave a door of liability open. Many customers know they need to worry about cybersecurity but have no idea how to implement solutions. System integrators who call out their approach in a scope of work may prompt acceptance.
Industry Cyber Posture
Most security device manufacturers have begun to provide system hardening guides to educate the system integrator on the best way to program their devices to prevent a cyberattack. These hardening guides run the gamut of detail and functionality. Most of them suggest changing the default username and password, and upgrading the firmware on the devices as often as the manufacturer releases it. Many have supplied a simple software tool that does this for all of their security devices on the network. Additionally, some Video Management System (VMS) manufacturers, as well as switch manufacturers and third-party dashboard software, now offer device health monitoring and network monitoring. This allows the customer and the system integrator to receive alerts if a device is being attacked by an outside force. System integrators providing ongoing support for customers are more likely to prevent a cyber breach, or to find the breach faster, than integrators who do not.
Implementing Cybersecure Systems
Training in any company can be difficult. The fear of an employee leaving, especially one who has received training, prevents many companies, including system integrators, from investing in people. A shocking statistic here is that 91% of all millennials expect to stay less than three years with the same employer (Forbes, Gigaom). The problem is that this group includes many installers and technicians. If training is to be a requirement, then hope the trained individual doesn’t leave. In June 2021, the Security Industry Association (SIA) released the Security Industry Cyber Certification (SICC), written in conjunction with Security Specifiers, to provide a cybersecurity certification for any security industry person who would design, commission, implement, or support a security installation. It is recommended that anyone working on a security implementation that will connect to an open network have this certification as a minimum.
Another option is to hire a cybersecurity resource to be part of the commissioning and support of customer systems. There are typically two real options available to system integrators today, plus a third that is not much of an option. Option 1: hire a seasoned resource with the required certifications, such as the Certified Information Systems Security Professional (CISSP), and spend six figures on their salary. Option 2: hire an intern or recent graduate with some cybersecurity schooling for close to six figures. Option 3: the third option is not much of an option in today’s world: the system integrator could continue business as usual, follow hardening guides, and hope that the customer does not experience a cyber incident.
Any system integrator who is connecting a network cable from any device to a network that touches the outside world, even if the security network is segmented off, should be investing in an Errors and Omissions Insurance (E&O) policy that covers both technology and cyber liability, separate from the professional liability E&O. Yes, it is a thing; and almost every customer has decided this is the first line of defense. From an insurance provider standpoint, many of these E&O policies have specific requirements that must be met before the insurance company is required to pay out. For that reason, many companies carry multiple E&O policies that complement each other. In the event of a cyber incident where the customer’s E&O insurer determines that the breach occurred on a security device or appliance, the system integrator’s regular E&O insurance will not cover it. As a note, it is suggested that the technology or cyber-E&O policy be provided by the same company supplying the professional liability E&O policy; otherwise there is a risk that the policies will negate each other, leaving the system integrator having paid for insurance that will not cover the indemnity.
Security installations in today’s world are not what they were even 5 years ago. Companies are spending vast amounts of money every year to avoid becoming the next cyberattack statistic. Security system integrators have limited options on how to approach cybersecurity for their customers. Those options are 1) Hire an expensive internal resource or a 3rd party to harden a system during the commissioning phase; 2) Train existing technicians to do this work as they go; 3) Write it out of scope; or 4) Do nothing. Choosing to do nothing is like holding onto a ticking time bomb. At some point, the bomb will go off and the company cannot afford the destruction left in the aftermath. All options include system integrators buying cyber-E&O insurance to transfer risk as part of the solution. Most system integrators will find that by training existing technicians, they can have each employee cybersecure a customer site during every visit, versus keeping one or two expensive internal or external resources busy on a limited number of sites. In this volatile time, those system integrators who choose to implement good cyber hygiene habits will keep customer networks safe, decrease liability, increase profits, and create new revenue streams while doing so.