Cyber security a recurring theme at PSA-TEC

Drako: ‘Where was your DVR made? Is it connected to the Internet?’
Wednesday, May 7, 2014

WESTMINSTER, Colo.—The data breach that brought down Target CEO Gregg Steinhafel is being used as a cautionary tale here at PSA-TEC.

While the Target breach was not related to a physical security device or system, it could have been, according to experts at PSA-TEC. The topic of what systems integrators need to know about Internet safety was discussed in at least three different educational sessions on May 6.

Some video surveillance components, namely Windows/Microsoft-dependent DVRs and VMSs, are “fundamentally, extremely vulnerable [to a cyber attack],” Dean Drako, president and CEO of Eagle Eye Networks, said during an educational session entitled “Issues and Threats of Connecting Your Video Surveillance System to the Internet.”

Cyber attacks “are real and growing,” Drako said. The physical security industry has “flown under the radar” thus far, he said. But because the number of VMSs being deployed is rapidly increasing, “they will start to be targeted,” Drako predicted.

The Internet safety discussions at PSA-TEC touched on many of the same topics discussed at TechSec earlier this year, in a session called “Is your security system the most vulnerable point on your network?”

In addition to the problems that arise once DVRs and VMSs are installed, the devices may carry a virus before they’re even installed. One China-based manufacturer sent “tens of thousands of infected DVRs to the U.S.,” Drako said.

Drako recommended some possible solutions for integrators: Don’t connect the VMS to the Internet. This is a solution that works for some, for example corrections applications and nuclear power plants.

Another solution is to isolate the VMS and camera network. “This is a solution that I recommend we as an industry use more,” Drako said. “The VMS is vulnerable, but the rest of the company is not.”

Another option: Integrators can become network security experts or provide a network security expert for the end user.

A final solution is to outsource the VMS by going with a cloud solution or a professionally managed on-premise solution. That is ultimately where these systems will end up, Drako predicted. “DVRs, VMSs, NVRs, they’re all going to the cloud. Eventually no one will have any of this stuff on site.”

The thing, or person, to keep in mind, he said, is Gregg Steinhafel. “Don’t be the reason the CEO loses their job.”

There was more talk about cyber security at the Emerging Technology educational session. Darnell Washington, president and CEO of SecureXperts, said that integrators should practice “good cyber hygiene.”

An example of poor cyber hygiene: A systems integrator accepts a customer’s server regardless of its current state and deploys a PSIM on top of it. The integrator’s attitude is that they’re helping the customer save money and the condition of the server is “not my problem.” But, Darnell said, “it’s irresponsible to go ahead [with the installation] without running proper scanning and tests on the server.”

Washington believes there should be industry guidelines to ensure that in the course of doing their jobs, integrators do not create Internet safety vulnerabilities.

It’s not really a question of legal liability, Washington said. “What we’re really talking about here is the security lifecycle … and being responsible and diligent.” He advised that integrators use a third party to validate that they followed best cyber hygiene practices.

Lloyd Uliana, from Bosch, asked PSA Security CEO Bill Bozeman, who was moderating the discussion, what integrators want from a manufacturer like Bosch to help ensure cyber safety in physical security products. Bozeman answered that integrators want input and “want to be at the table, in the budgetary process, [giving the manufacturer information so they can provide] education that makes sense for us, and products that make sense for us.”

Integrators on the panel—David Sime of Contava, Chris Peckham of Kratos, and Eric Yunag of Dakota Security—agreed that best practices need to be observed. “We do not want to become a liability on the cyber side while we’re doing our physical security work,” Yunag said.

Bozeman posed the question: If systems integrators don’t get more diligent with cyber hygiene, is there an interest among IT integrators to take over the physical security work? Washington said yes. “There is an interest and a desire [among IT professionals] to control and maintain all things IT. … and the physical security world is a brand new horizon for IT.”