Cybersecurity talk currently dominates many events in the physical security industry. And it’s about time, given that we are all playing catch-up in a scary cybersecurity environment where threats are constant and constantly evolving. I heard an interesting discussion about cybersecurity recently among consultants attending MercTech4, a conference in Miami hosted by Mercury Security and its OEM partners.

The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators. Factors such as training, standardisation and pricing were also addressed as they relate to cybersecurity. Following are some edited excerpts from that discussion. 

The Role Of The IT Department

Pierre Bourgeix of ESI Convergent: Most enterprises usually have the information technology (IT) department at the table [for physical security discussions], and cybersecurity is a component of IT. The main concern for them is how any security product will impact the network environment. The first thing they will say, is “we have to ensure that there is network segmentation to prevent any potential viruses or threats or breaches from coming in.” The main concern for IT departments is how any security product will impact the network environment”

They want to make sure that any devices in the environment are secure. Segmentation is good, but it isn’t an end-all. There is no buffer that can be created; these air gaps don’t exist. Cyber is involved in a defensive matter, in terms of what they have to do to protect that environment. IT is more worried about the infrastructure.

The Role Of Consultants And Specifiers

Phil Santore of DVS, division of Ross & Baruzzini: As consultants and engineers, we work with some major banks. They tell us if you bring a new product to the table, it will take two to three months before they will onboard the product, because they will run it through [cybersecurity testing] in their own IT departments. 
If it’s a large bank, they have an IT team, and there will never be anything we [as consultants] can tell them that they don’t already know. But we all have clients that are not large; they’re museums, or small corporations, or mom-and-pop shops. They may not be as vulnerable from the international threat, but there are still local things they have to be concerned about. 
It falls on us as consultants to let them know what their problems are. Their IT departments may not be that savvy. We need to at least make them aware and start there.

Wael Lahoud of Goldmark Security Consulting: We are seeing more and more organisations having cybersecurity programs in place, at different maturity levels. At the procurement stage, we as consultants must select and specify products that have technology to enable cybersecurity, and not choose products that are outdated or incompatible with cybersecurity controls. 
We also see, from an access control perspective, a need to address weaknesses in databases. Specifying and having integrators that can harden the databases, not just the network itself, can help.

The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators
The impact of physical security products on the network environment was a dominant topic at the MercTech4 consultants roundtable discussion

The Need For Standards On Cybersecurity

Jim Elder of Secured Design: I’d like to know what standards we as specifiers can invoke that will help us ensure that the integrator of record has the credentials, knows what standards apply, and knows how to make sure those standards are maintained in the system. I’m a generalist, and cybersecurity scares the hell out of me.
We’re not just talking about access to cameras, we are talking about access to the corporate network and all the bad things that can happen with that. My emphasis would be on standards and compliance with standards in the equipment and technology that is used, and the way it is put in. It can be easier for me, looking at some key points, to be able to determine if the system has been installed in accordance. We are seeing more and more organizations having cybersecurity programs in place, at different maturity levels"
I’m taking the position of the enforcement officer, rather than the dictator. It would be much better if there were focused standards that I could put into the specification— I know there are some – that would dictate the processes, not just of manufacturing, but of installation of the product, and the tests you should run accordingly.

Pierre Bourgeix: With the Security Industry Association (SIA), we are working right now on a standard that includes analyzed scoring on the IT and physical side to identify a technology score, a compliance score, a methodology, and best-of-breed recommendation. Vendor validation would be used to ensure they follow the same process. We have created the model, and we will see what we can do to make it work.

Terry Robinette of Sextant: If a standard can be written and it’s a reasonable process, I like the idea of the equipment meeting some standardized format or be able to show that it can withstand the same type of cyber-attack a network switch can withstand. We may not be reinventing the wheel. IT is the most standardized industry you will ever see, and security is the least standardized. But they’re merging. And that will drive standardization.

Jim Elder: I look to Underwriters Laboratory (UL) for a lot of standards. Does the product get that label? I am interested in being able to look at a box on the wall and say, “That meets the standard.” Or some kind of list with check-boxes; if all the boxes are checked I can walk out and know I have good cybersecurity threat management.IT is the most standardised industry you will ever see, and security is the least standardised"

The Role Of Training

Phil Santore: Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve. There are multiple levels from zero to a completely closed network.

Wael Lahoud: From an integrator’s perspective, cybersecurity training by the manufacturer of product features would be the place to start – understanding how to partner the database, and the encryption features. 
We see integrators that know these features are available – they tick the boxes – but they don’t understand what they mean. Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organization. That would be a good starting point.

The Role Of Integrators

Wael Lahoud: Integrators like convenience; less time means more money. So, we see some integrators cut corners. I think it is our role (as consultants) to make sure corners are not cut. If you rely solely on integrators, it will always be the weak password, the bypass. We have seen it from small projects to large government installations. It’s the same again and again.

Even having an internal standard within an organization, there may be no one overseeing that and double-checking. Tools will help, but we are not there at this point. I will leave it up to manufacturers to provide the tools to make it easy for consultants to check, and easier for integrators to use the controls.

Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve
Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organization - so training is very important

The Impact of Pricing

Pierre Bourgeix: The race to the cheapest price is a big problem. We have well-intended designs and assessments that define best-of-breed and evaluate what would be necessary to do what the client needs. But once we get to the final point of that being implemented, the customer typically goes to the lowest price – the lowest bidder. That’s the biggest issue.

You get what you pay for at the end of the day. With standards, we are trying to get to the point that people realise that not all products are made the same, not all integrators do the same work. We hope that through education of the end user, they can realise that if they change the design, they have to accept the liability.It’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it"

The big picture

Wael Lahoud: The Windows platform has a lot of vulnerabilities, but we’re still using it, even in banks. So, it’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it. That’s where the cybersecurity program comes into play. There are many vulnerable products in the market, and it’s up to professionals to properly secure these products and to design systems and reduce the risk.

Pierre Bourgeix: The access port to get to data is what hackers are looking for. The weakest link is where they go. They want to penetrate through access control to get to databases. The golden ring is the data source, so they can get credentialing, so they can gain access to your active directory, which then gives them permissions to get into your “admin.” Once we get into “admin,” we get to the source of the information. It has nothing to do with gaining access to a door, it has everything to do with data. And that’s happening all the time.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

Disruptive Innovation Providing New Opportunities In Smart Cities
Disruptive Innovation Providing New Opportunities In Smart Cities

Growth is accelerating in the smart cities market, which will quadruple in the next four years based on 2020 numbers. Top priorities are resilient energy and infrastructure projects, followed by data-driven public safety and intelligent transportation. Innovation in smart cities will come from the continual maturation of relevant technologies such as artificial intelligence (AI), the Internet of Things (IoT), fifth-generation telecommunications (5G) and edge-to-cloud networking. AI and computer vision (video analytics) are driving challenges in security and safety, in particular, with video management systems (VMSs) capturing video streams and exposing them to various AI analytics. Adoption of disruptive technologies “Cities are entering the critical part of the adoption curve,” said Kasia Hanson, Global Director, Partner Sales, IOT Video, Safe Cities, Intel Corp. “They are beginning to cross the chasm to realize their smart city vision. Cities are taking notice and have new incentives to push harder than before. They are in a better position to innovate.” “Safety and security were already important market drivers responsible for adoption of AI, computer vision and edge computing scenarios,” commented Hanson, in a presentation at the Milestone Integration Platform Symposium (MIPS) 2021. She added: “2020 was an inflection point when technology and the market were ripe for disruption. COVID has accelerated the adoption of disruptive technologies in ways we could not have predicted last year.” Challenges faced by cities Spending in the European Union on public order and safety alone stood at 1.7% of GDP in 2018 Providing wide-ranging services is an expanding need in cities of all sizes. There are currently 33 megacities globally with populations over 10 million. There are also another 4,000 cities with populations over 100,000 inhabitants. Challenges for all cities include improving public health and safety, addressing environmental pressures, enabling mobility, improving quality of life, promoting economic competitiveness, and reducing costs. Spending in the European Union on public order and safety alone stood at 1.7% of GDP in 2018. Other challenges include air quality – 80% of those living in urban areas are exposed to air quality levels that exceed World Health Organization (WHO) limits. Highlighting mobility concerns is an eye-opening statistic from Los Angeles in 2017: Residents spent an average of 102 hours sitting in traffic. Smart technology “The Smart City of Today can enable rich and diverse use cases,” says Hanson. Examples include AI-enabled traffic signals to help reduce air pollution, and machine learning for public safety such as real-time visualization and emergency response. Public safety use cases include smart and connected outdoor lighting, smart buildings, crime prevention, video wearables for field agents, smart kiosks, and detection of noise level, glass breaks, and gunshots. Smart technology will make indoor spaces safer by controlling access to a building with keyless and touchless entry. In the age of COVID, systems can also detect face mask compliance, screen for fever, and ensure physical distancing. 2020 was an inflection point when technology and the smart cities market were ripe for disruption, Kasia Hanson told the MIPS 2021 audience. Video solutions Video workloads will provide core capabilities as entertainment venues reopen after the pandemic. When audiences attend an event at a city stadium, deep learning and AI capabilities analyze customer behaviors to create new routes, pathways, signage and to optimize cleaning operations. Personalized digital experiences will add to the overall entertainment value. In the public safety arena, video enables core capabilities such as protection of people, assets, and property, emergency response, and real-time visualization, and increased situational awareness. Video also provides intelligent incident management, better operational efficiency, and faster information sharing and collaboration. Smart video strategy Intel and Milestone provide video solutions across many use cases, including safety and security Video at the edge is a key element in end-to-end solutions. Transforming data from various point solutions into insights is complicated, time-consuming, and costly. Cities and public venues are looking for hardware, software, and industry expertise to provide the right mix of performance, capabilities, and cost-effectiveness. Intel’s smart video strategy focuses around its OpenVINO toolkit. OpenVINO, which is short for Open Visual Inference and Neural network Optimization, enables customers to build and deploy high-performing computer vision and deep learning inference applications. Intel and Milestone partnership – Video solutions “Our customers are asking for choice and flexibility at the edge, on-premises and in the cloud,” said Hansen in her presentation at the virtual conference. “They want the choice to integrate with large-scale software packages to speed deployment and ensure consistency over time. They need to be able to scale computer vision. Resolutions are increasing alongside growth in sensor installations themselves. They have to be able to accommodate that volume, no matter what causes it to grow.” As partners, Intel and Milestone provide video solutions across many use cases, including safety and security. In effect, the partnership combines Intel’s portfolio of video, computer vision, inferencing, and AI capabilities with Milestone’s video management software and community of analytics partners. Given its complex needs, the smart cities market is particularly inviting for these technologies.

What Are the Physical Security Challenges of Smart Cities?
What Are the Physical Security Challenges of Smart Cities?

The emergence of smart cities provides real-world evidence of the vast capabilities of the Internet of Things (IoT). Urban areas today can deploy a variety of IoT sensors to collect data that is then analyzed to provide insights to drive better decision-making and ultimately to make modern cities more livable. Safety and security are an important aspect of smart cities, and the capabilities that drive smarter cities also enable technologies that make them safer. We asked this week’s Expert Panel Roundtable: What are the physical security challenges of smart cities?

New Markets For AI-Powered Smart Cameras In 2021
New Markets For AI-Powered Smart Cameras In 2021

Organizations faced a number of unforeseen challenges in nearly every business sector throughout 2020 – and continuing into 2021. Until now, businesses have been on the defensive, reacting to the shifting workforce and economic conditions, however, COVID-19 proved to be a catalyst for some to accelerate their long-term technology and digitalization plans. This is now giving decision-makers the chance to take a proactive approach to mitigate current and post-pandemic risks. These long-term technology solutions can be used for today’s new world of social distancing and face mask policies and flexibly repurposed for tomorrow’s renewed focus on efficiency and business optimization. For many, this emphasis on optimization will likely be precipitated by not only the resulting economic impacts of the pandemic but also the growing sophistication and maturity of technologies such as Artificial Intelligence (AI) and Machine Learning (ML), technologies that are coming of age just when they seem to be needed the most.COVID-19 proved to be a catalyst for some to accelerate their long-term technology and digitalization plans Combined with today’s cutting-edge computer vision capabilities, AI and ML have produced smart cameras that have enabled organizations to more easily implement and comply with new health and safety requirements. Smart cameras equipped with AI-enabled intelligent video analytic applications can also be used in a variety of use cases that take into account traditional security applications, as well as business or operational optimization, uses – all on a single camera. As the applications for video analytics become more and more mainstream - providing valuable insights to a variety of industries - 2021 will be a year to explore new areas of use for AI-powered cameras. Optimizing production workflows and product quality in agriculture Surveillance and monitoring technologies are offering value to industries such as agriculture by providing a cost-effective solution for monitoring of crops, business assets and optimizing production processes. As many in the agriculture sector seek to find new technologies to assist in reducing energy usage, as well as reduce the environmental strain of modern farming, they can find an unusual ally in smart surveillance. Some niche farming organizations are already implementing AI solutions to monitor crops for peak production freshness in order to reduce waste and increase product quality.  For users who face environmental threats, such as mold, parasites, or other insects, smart surveillance monitoring can assist in the early identification of these pests and notify proper personnel before damage has occurred. They can also monitor vast amounts of livestock in fields to ensure safety from predators or to identify if an animal is injured. Using video monitoring in the growing environment as well as along the supply chain can also prove valuable to large-scale agriculture production. Applications can track and manage inventory in real-time, improving knowledge of high-demand items and allowing for better supply chain planning, further reducing potential spoilage. Efficient monitoring in manufacturing and logistics New challenges have arisen in the transportation and logistics sector, with the industry experiencing global growth. While security and operational requirements are changing, smart surveillance offers an entirely new way to monitor and control the physical side of logistics, correcting problems that often go undetected by the human eye, but have a significant impact on the overall customer experience. Smart surveillance offers an entirely new way to monitor and control the physical side of logistics, correcting problems that often go undetected by the human eye. Video analytics can assist logistic service providers in successfully delivering the correct product to the right location and customer in its original condition, which normally requires the supply chain to be both secure and ultra-efficient. The latest camera technology and intelligent software algorithms can analyze footage directly on the camera – detecting a damaged package at the loading dock before it is loaded onto a truck for delivery. When shipments come in, smart cameras can also alert drivers of empty loading bays available for offloading or alert facility staff of potential blockages or hazards for incoming and outgoing vehicles that could delay delivery schedules planned down to the minute. For monitoring and detecting specific vehicles, computer vision in combination with video analysis enables security cameras to streamline access control measures with license plate recognition. Smart cameras equipped with this technology can identify incoming and outgoing trucks - ensuring that only authorized vehicles gain access to transfer points or warehouses. Enhance regulatory safety measures in industrial settings  Smart surveillance and AI-enabled applications can be used to ensure compliance with organizational or regulatory safety measures in industrial environments. Object detection apps can identify if employees are wearing proper safety gear, such as facial coverings, hard hats, or lifting belts. Similar to the prevention of break-ins and theft, cameras equipped with behavior detection can help to automatically recognize accidents at an early stage. For example, if a worker falls to the ground or is hit by a falling object, the system recognizes this as unusual behavior and reports it immediately. Going beyond employee safety is the ability to use this technology for vital preventative maintenance on machinery and structures. A camera can identify potential safety hazards, such as a loose cable causing sparks, potential wiring hazards, or even detect defects in raw materials. Other more subtle changes, such as gradual structural shifts/crack or increases in vibrations – ones that would take the human eye months or years to discover – are detectable by smart cameras trained to detect the first signs of mechanical deterioration that could potentially pose a physical safety risk to people or assets. Early recognition of fire and smoke is another use case where industrial decision-makers can find value. Conventional fire alarms are often difficult to properly mount in buildings or outdoor spaces and they require a lot of maintenance. Smart security cameras can be deployed in difficult or hard-to-reach areas. When equipped with fire detection applications, they can trigger notification far earlier than a conventional fire alarm – as well as reduce false alarms by distinguishing between smoke, fog, or other objects that trigger false alarms. By digitizing analog environments, whether a smoke detector or an analog pressure gauge, decision-makers will have access to a wealth of data for analysis that will enable them to optimize highly technical processes along different stages of manufacturing - as well as ensure employee safety and security of industrial assets and resources. Looking forward to the future of smart surveillance With the rise of automation in all three of these markets, from intelligent shelving systems in warehouses to autonomous-driving trucks, object detection for security threats, and the use of AI in monitoring agricultural crops and livestock, the overall demand for computer vision and video analytics will continue to grow. That is why now is the best time for decision-makers across a number of industries to examine their current infrastructure and determine if they are ready to make an investment in a sustainable, multi-use, and long-term security and business optimization solution.