Dave Hunt

Many of the most well-trafficked articles posted at SourceSecurity.com in 2015 were those that addressed timely and important issues in the security marketplace. In the world of digital publishing, it’s easy to know what content resonates with the market: Our readers tell us with their actions; i.e., where they click.   Let’s look back at the Top 10 articles we posted in 2015 that generated the most page views. They are listed in order here with the author’s name and a brief excerpt.  1. Video Analytics Applications In Retail - Beyond Security [Larry Anderson] Analytics can help catch suspects by alerting in real-time. After the fact, analytics used for search purposes are far more effective to identify a theft. Secondly, analytics can be used in retail to track customers, understand their age and gender, manage queue lines, know how long people dwell at an end cap, provide heat maps, etc. 2. Cybersecurity - Hackers Target SCADA Embedded Systems [Vicki Contavespi] “SCADA monitors devices on the grid many times per second and was never intended or designed to have virus protection or security protocols,” says Dave Hunt, an independent homeland security consultant and a founding member of the National InfraGard Electromagnetic Pulse special interest group. In fact, continuous monitoring makes it virtually impossible for a SCADA system to validate a security protocol. 3. Home Automation Standards And Protocols [Randy Southerland] As the home automation industry has expanded with an ever-growing number of devices and services, companies are placing bets on which wireless protocols will dominate. The past few years, the leaders have been Z-Wave and ZigBee. Companies are also using a variety of other standards including Crestron’s Infinet, Insteon, and proprietary technologies such as Lutron’s ClearConnect. Readers were interested in Prism Skylabs' retail applications, utilizing IP cameras as sensors to gather data on customer behavior    4. The Numbers Tell The Video Story At ISC West: 4K And H.265 [Larry Anderson] The latest in video surveillance equipment at ISC West [in 2015] is reflected by the numbers you hear repeatedly on the show floor, numbers like 4K and H.265. Big players like Panasonic have joined the 4K bandwagon in a big way. Sony introduced a 4K camera with a larger sensor size (1-inch) to increase light sensitivity, displaying the better view alongside a “Brand X” competitor in the Sony booth. 5. Video Analytics: Prism Skylabs Envision IP Cameras As Sensors To Expand Their Role In Retail [Larry Anderson] Prism Skylabs is helping to drive a re-evaluation of the role of video cameras in the market. Founded in 2011, the San Francisco cloud service company thinks of IP cameras as sensors that are capable of providing a range of data that can be managed and processed in the cloud to provide more useful information to end-user customers. Prism’s current implementations of the “software as a service” approach focuses on retail merchandizing and marketing applications, but Prism Co-Founder and Senior Vice President Bob Cutting sees many other opportunities too. 6. Video Analytics For Forensics: Analytics-Based Forensic Evidence Collection [Larry Anderson] Another aspect of video analytics is how the technology can be used for forensics. Basically, intelligent searches of video archives provide investigators faster access to any needed video clip based on the content of the video. It’s a monumental improvement over the old days of searching for hours while rewinding and fast-forwarding videotape. 7. IP Video Surveillance Market – Revealing The ‘Industry Standards’ Myth [Mark Collett] Considering the state of the IP surveillance industry, standardization would likely drive vendor consolidation and force companies to evolve in order to succeed. Many industries have successfully implemented standards – including energy, telecommunications, consumer electronics and aerospace. These are all vibrant industries; standards have not driven any of them to extinction, as some in the security industry believe they would. Another topic of interest was the public and private protection of public figures, spurred by the Pope's visit to America earlier this year    8. Physical Security Information Management (PSIM) – The Death Of An Acronym? [Larry Anderson] Lately, we have even begun hearing manufacturers starting to avoid the PSIM term and its historic baggage and preconceptions. When a buzzword takes on a negative stench, it loses its impact. If a PSIM is perceived as negative, the initials lose their usefulness even as a marketing term (which some say PSIM was all along). 9. Avigilon Acquires Fundamental Patents Covering Video Analytics [Larry Anderson] What are the ramifications when a major supplier in the video analytics space owns many of the patents that are fundamental to its competitors’ businesses? It’s one thing to pay licensing fees to a fading player like ObjectVideo (perhaps to avoid costly litigation?), but isn’t paying those fees to a direct competitor another matter? 10. How Public And Private Security Operations Protect Celebrities, Big-Name Executives And Dignitaries [Michael Fickes] According to the Secret Service, dozens of federal, state and local agencies combined forces to protect the Pope in his visits to Washington, D.C., Philadelphia and New York City. The Department of Homeland Security designated the Papal visit to New York City a National Special Security Event. For such an event, the Secret Service acts as the lead federal agency for the design, implementation and oversight of the operational security plan. See the full coverage of 2015/2016 Review and Forecast articles here

Forty-one percent of cyber incidents involved the energy sector The Bipartisan Policy Center, the Industrial Control Systems Cyber Emergency Response Team, which is part of the U.S. Department of Homeland Security, reports responding to 198 cyber incidents in fiscal year 2012 across all critical infrastructure sectors. Forty-one percent of these incidents involved the energy sector, particularly electricity, according to a February 2014 report. Considering the enormity of the system, it soon becomes clear that 198 events is the very tip of an enormous iceberg. Greg Foss, senior security research engineer for Boulder, Colo.-based LogRhythm, a security intelligence firm, says “an average breach lasts 480 days before a company knows they’ve been attacked.” He also says that most utilities are slow to address the problem because of upgrade costs, and that “some of them are still running Windows 98.” There is much talk about creating a “smart grid,” which, according to the Department of Energy is “computerising” the electric utility grid and includes adding two-way digital communication technology to devices associated with it. As DoE says: “Each device on the network can be given sensors to gather data (power meters, voltage sensors, fault detectors, etc.), plus two-way digital communication between the device in the field and the utility’s network operations center.” A key feature of the smart grid is automation technology that lets the utility adjust and control each individual device or millions of devices from a central location.  Therein is the problem. The whole concept of a SCADA system is that it provides a way to monitor a number of items within one facility, and it has worked so well that many companies run everything into a computer to control all facets of operation. Much of the equipment in the “smart grid,” including transformers and generators, are operated by SCADA (supervisory control and data acquisition), which is a system that operates with coded signals running over communication channels. The whole concept of a SCADA system is that it provides a way to monitor a number of items within one facility, and it has worked so well that many companies run everything into a computer to control all facets of operation. “SCADA monitors devices on the grid many times per second and was never intended or designed to have virus protection or security protocols,” says Dave Hunt, an independent homeland security consultant and a founding member of the National InfraGard Electromagnetic Pulse special interest group. In fact, continuous monitoring makes it virtually impossible for a SCADA system to validate a security protocol. Adding to the misery is that an evildoer can purchase a SCADA attack for about $500, not to mention that the systems were designed by engineers, not computer people, so they don’t necessarily communicate well. These systems are called embedded systems and the bad guys are fighting them hard. According to Daniel Geer, Sc.D, chief technical officer of @Stake, in Cambridge, Mass., “Cyber smart bombs are what nations are working on.” These bombs are designed to attack embedded systems like SCADA. He strongly feels that “Embedded systems either need to have a remote management interface or they need to have a finite lifetime. They cannot be immortal and unfixable because to do so is to guarantee that something bad will happen.” But to change them would cost the utilities more money. Todd Borandi, CISSP, an industry veteran and information security architect says, “The root to all security issues is the vendor supplying the hardware and software. This equipment is provided by a small group of companies that experience little to no pressure to provide specialized secure software or hardware, which is expected to last more than a decade with little chance of an update. Many of these devices can now be rebooted and even overwritten from anywhere and by anyone.” He adds that “Another important issue is the idea that regulatory compliance is a sustainable solution to cyber security challenges. Regulatory laws are often slow to implementation and provide little meaningful guidance or enforcement in a dynamic field like technology.”