Leveling Up in Cybersecurity

Why Cybersecurity Is More Important Than Ever for Security Systems Integrators

The 2018 Foreign Economic Espionage in Cyberspace report, issued by the National Counterintelligence and Security Center, makes it clear that economic and industrial espionage against the United States continues to be a serious threat. The report names China, Russia and Iran as the top three adversarial countries from a supply chain risk perspective.

The public is numb to popular media stories announcing how our adversaries have yet again exploited our cybersecurity vulnerabilities to steal proprietary commercial or defense industrial base intellectual property. The public perception of infiltrators who compromise our supply chain companies or take over command and control of our critical infrastructure systems is limited by understanding of technology and the magnitude of the risk to our national economy.

We, as electronic security system integrators, don’t have the luxury of ignoring this information. It is incumbent upon us as partners in the security community to do all that is within our power to help defend against these espionage forces.

Industrial espionage is not a recent development. Foreign spies have been infiltrating our major technology centers for decades. As gaps in global technological advantage have narrowed, the efforts and stakes of this criminal enterprise have correspondingly risen. Our federal law enforcement partners have attributed hacking efforts during our 2016 election to the Russian government. In January 2018, Chinese hackers stole hundreds of gigabytes of data from a U.S. defense contractor. And while the data wasn’t classified, it did contain information about a submarine supersonic anti-ship missile they had plans to complete by 2020. In 2017, three Chinese hackers working for a state-sponsored intelligence contractor were indicted for stealing intellectual property from three technology companies. This past March, an Iranian hacking group was indicted for stealing 31 terabytes of data from 144 American universities, totaling $3.4 billion in intellectual property. And then there is the Massachusetts-based American Superconductor, who nearly went out of business because the Chinese company who represented over three quarters of their business purchases refused to pay, stole their source code and then installed a pirated version of their software into the wind turbines that it sold. The U.S. government is aware of these ongoing threats and expends significant resources combating them, but they need assistance from their commercial supply chain community partners. Here’s what you can do to help.

The Parts of the Problem

It’s only a matter of time before you or your customer get exploited and have your data corrupted, information stolen or systems disrupted. Maybe it’s a ransomware attack on a hospital infant abduction system, and someone’s child goes missing. Maybe it’s a U.S. military base that allows someone with a fake credential and ill intentions in the gate because no one could accurately verify the person’s identity because the system is compromised by a denial of service attack. Maybe your community’s critical infrastructure utility system goes down because a security systems integrator left a backdoor default password open on a piece of substation equipment, allowing a criminal a way in and providing a platform for them to launch their control system attack.

For the last 20+ years, our industry has deployed electronic security systems into the IT environments of our customers without much of a thought to cybersecurity. Strong passwords? Takes too much time and too difficult to manage, they say. Encryption? Slows the system down. Device certificates? Too expensive. Standards-based installation? Proprietary systems keep our customers coming back to us.

With access control systems (ACS), we’ve been using the same Weigand communication protocol since the early 1980s. The Wiegand protocol connects card readers to ACS door controllers and has never been updated. It’s widely known that readers are easily and continually hacked using very inexpensive replay attack tools – this is due to the lack of encryption in the Weigand protocol. Similar copying vulnerabilities are present in the old 125khz proximity cards too, yet companies continue to install systems with these openly exploitable vulnerabilities. In 2012, the Security Industry Association (SIA) began developing a new protocol called open supervised device protocol (OSDP). This protocol is considerably more secure because is supports high-end encryption, and it is available across a broad spectrum of ACS manufacturers, yet there remains a lag in adoption, partly because customers haven’t budgeted for system replacement. As an industry, we didn’t tell them about our shared “problems” early enough, and in truth there are still many integrators that don’t know about the advantages of OSDP.

To those issues, let’s add the growing prevalence of Internet of Things (IoT) connected devices. Our industry continues to install IP devices like cameras, intercoms, speakers, microphones and alarm systems, ignoring standard cybersecurity practices and procedures. A 2015 Computerworld article warned that 100 percent of IoT home security systems that they tested failed against routine brute force types of attacks. Using the popular website SHODAN.io, today you can view over 200,000 security cameras across the globe that are still using their factory default passwords, evidence of a lackadaisical deployment practice. You can peer into people’s homes and private businesses all because the installers didn’t take the time to change the default passwords, and the customers didn’t know to ask them about it. Oh, and if you think just changing the password solves everything, think again. A six-character password can be hacked using a brute force library attack in .02 seconds.

Why do systems integrators continue installing insecure systems? We have a duty and an obligation to protect the systems we deploy to make sure we aren’t contributing to the problem. I’ve heard many integrators argue that customers aren’t asking for cyber-hardened systems, or that they don’t have the budget for pay for the extra security configuration work that it takes to install and monitor these devices properly. We have to do better as an industry than just waiting for customers to ask. We owe it to our customers to educate them about why cyber-hardened security systems are necessary and not just a luxury.

Awareness Is Key

The first thing a security systems integrator can do is educate themselves. The good news is that there are a lot of great resources out there.

PSA Security (PSA) is the world’s largest systems integrator cooperative made up of the most progressive security and audio-visual systems integrators in North America. Its mission is to empower its owners to become the most successful systems integrators in the markets they serve. As a part of that mission, PSA has developed a cybersecurity committee, a cyber advisory board and cyber solutions partners. SIA, PSA and ISC Security Events partnered to host the first-ever Cyber:Secured Forum in June 2018; the conference discussed cyber-hardening of security systems, cyber standards and global cybercrime.

The PSA cybersecurity program provides educational programs and resources to integrators to assist them in navigating cybersecurity policies, processes and solutions ; the program website has a host of resources, including a cybersecurity playbook, information security small business fundamentals and a white paper on cyber risk.

Not a PSA Security owner or member? There are several federal agencies in the market to help your businesses with your cybersecurity, and they have a vested interest in doing so.

The U.S. Department of Homeland Security’s (DHS’) Office of Infrastructure Protection is dedicated to leading “the national effort to secure critical infrastructure from all hazards by managing risk and enhancing resilience through collaboration with the critical infrastructure community.” The office does this through risk management, education, regulation, coordination, operational support, outreach and conducting site surveys.

In accordance with the National Infrastructure Protection Plan, DHS has classified critical infrastructure into 16 sectors whose assets, systems and networks – whether physical or virtual – are considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety or any combination thereof. Some of the more obvious sectors cover energy, communications, nuclear reactors and nuclear materials. Water and wastewater as well as health care are broken out with specific recommendations for their physical security. There are other obvious sectors, but many security integrators that I’ve met don’t know there’s a special subsection for commercial facilities like hotels and condominiums, a sector that consumes a lot of security technology

Two of the more important DHS programs are education/free training and site surveys.

The Critical Infrastructure Learning Series “provides one-hour, web-based seminars conducted by critical infrastructure experts on the tools, trends, issues and best practices for infrastructure security and resilience”. The series also offers instructor-led classes all over the country on a wide variety of topics, including active shooter, counter-improvised explosive device (IED) training and awareness, cybersecurity, chemical terrorism, retail security awareness and protecting critical infrastructure against insider threats.

Several of these courses are also listed on the Federal Emergency Management Agency website along with others, such as a workplace security awareness course, a surveillance awareness course and a protecting critical infrastructure course.

DHS has a free survey tool – the Infrastructure Survey Tool – created by its protective security advisors; this tool is requested by a facility and designed to identify facilities’ physical security, security forces, security management, information sharing, protective measures and dependencies related to preparedness, mitigation, response, resilience and recovery. The tool will also find security gaps in addition to creating protective and resilience measures indices that can be compared to similar facilities.

The FBI also has several programs available. As the lead agency for investigating cyberattacks, the FBI has developed a website – the Internet Crime Complaint Center – that allows users to report internet crimes, including ransomware, business email compromise, phishing, tech support fraud, data breaches and extortion. Users can fill out an online form, and it goes directly to the FBI for review.

The FBI also has a program called InfraGard, which brings together the FBI and the private sector to exchange information and promote learning opportunities relevant to the protection of critical infrastructure. There are 82 InfraGard chapters nationally; membership is free, but applicants must agree to a cursory background check.

As a part of its community outreach the FBI has established a Citizen’s Academy to foster a greater understanding of the FBI’s role in the community for business, civic and community leaders. These academies are usually held one night per week for eight to ten weeks, exposing students to the various investigative inner workings of the FBI.

If you don’t have time to participate in your local area groups, at least get to know your local federal agents from DHS and the FBI. Along with the wealth of information available to you as a systems integrator, it’s always best to have a relationship with them before something bad happens and you need to engage their services.

Regulation

Still not convinced of the importance of this issue? In 2017, the U.S. Department of Defense (DOD), fed up with its industrial base’s slow adoption of sound cybersecurity practices, augmented the Defense Federal Acquisition Regulations (DFARs) to force companies to comply with cybersecurity standards in their own businesses. DFARS regulation 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting details how a contractor is supposed to provide adequate security for information systems and how to report a cybersecurity incident.

Now, contractors doing business with DOD must attest to their compliance with the National Institute of Standards and Technology’s (NIST’s) Special Publication (SP) 800-171 standards to meet the contractual rules of the DFARs clause. The NIST 800-171 standards are a subset of basic security controls for information systems derived from the broader NIST 800-53 Recommended Security Controls for Federal Information Systems and Organizations. The idea is to protect the processing, storage and transmission of controlled unclassified information (CUI). CUI information that is sensitive and relevant to the interests of the U.S., including facility security drawings and device or network configuration information.

Does your company do business with DOD? Do you want that business to continue after 2017? Subcontracting does not exempt you from the DFARS clause, either – the clause flows down to subcontractors in cases where CUI passed to the subcontractor. The bottom line is if you don’t take cybersecurity seriously, you can expect to lose contracts. The Pentagon declared, “if your systems aren’t cyber-hardened, you won’t be doing business with us.”

The Pentagon isn’t the only agency considering cyber-hardened company selection. There has also been some talk about including security related to cyber hardening as a “fourth pillar” in the acquisition process, along with cost, schedule and past performance, which will force government contractors to consider their internal IT practices as well as their deployment of systems. They want your assurance that your own IT systems will provide an acceptable level of security. And having these regulations forced on government contractors will make those contractors more attractive to all customers seeking a more secure system.

Conclusion

In 2015, when the industry started paying attention, you were likely just procrastinating with cybersecurity, unsure of what the future would bring. In 2018, that same attitude probably makes you negligent. Cybersecurity negligence in our people, processes and products is no longer being tolerated in our client industries. Cybersecurity negligence is something our customers, our communities and our nation can no longer afford from their supply chains.
Maybe Acme’s Auto Body Shop doesn’t care about a fully encrypted, cyber-hardened security system at its facility, but it’s clear that the critical infrastructure sectors do. Supply chain scrutiny is increasing across the energy, health care, finance, transportation and food supply sectors. New regulations surrounding the supply chain companies in all sectors are being discussed, and many are considering adopting NIST 800-171 until they have time to build more sector-specific cybersecurity control sets. Expect cybersecurity clauses to appear in your next round of commercial negotiated contracts if you work with regulated industry sectors. If you want to continue to do business with companies in these sectors you’re going to have to prioritize the cybersecurity posture of your organization.

The writing isn’t figuratively on the wall any longer; it’s written contractually in the Defense Acquisition Regulation System. Cybersecurity vulnerabilities can’t be ignored. You’ll have to cover your liabilities with insurance, and the less you know about and mitigate those vulnerabilities, the more you’re going to pay. Continued negligence could potentially force you from the industry as your cyber-aware competitor’s offerings evolve beyond your own.

Remember Blockbuster, who didn’t want to send DVDs through the mail and missed out on the streaming video services that Netflix envisioned? Remember Borders Books scoffing at the Amazon threat? Recall how BlackBerry held onto its proprietary systems and insisted that no one wanted touch screen technology on their phones? Look at the taxi companies fighting the next evolution of ride sharing. These are all examples of failure to evolve in the era of digital transformation. Security system integrators are at a critical point at which their executive planning decisions must be made with cybersecurity awareness at the top of their agendas. People, processes and products must all be assessed and aligned with sound cybersecurity practices. Any decisions made without an eye towards the cybersecurity threats that we are experiencing daily might as well be made with the flip of a coin. For some, perhaps taking that chance is better than admitting that they’re completely blind.