The Cybersecurity Playbook

Sept. 6, 2016
PSA has spearheaded a systematic approach for integrators to protect themselves, the products they install, and ultimately, their customers

Cybersecurity is now one of the most important topics of discussion around boardroom tables today; but let’s face it, the physical security industry as a whole ignored cybersecurity for as long as it could.

Starting in the early 2000s, the products that security integration companies began to deploy were designed to leverage TCP/IP communications on the network so that integrators could scale security applications across the enterprise. It opened up a whole new world of possibilities when it came to offering truly integrated solutions to end-users. “Ease of installation” became the name of the game, and integrators quickly figured out that enterprise-based security was the ticket to increasing market share.

During this time, proper network security of those products fell by the wayside, and standard information security practices that had long been adopted within the broader IT world were simply ignored. Security integrators could now deliver powerful, networked solutions but did not have the awareness or expertise to ensure cyber-secured solutions for their clientele. Information governance, cybersecurity policies and networking best practices were all given less than adequate attention.

Wake Up Call

In 2014, I sat in a room with more than 100 of North America’s leading security system integrators at the PSA Security Network Cybersecurity Congress. As a group, the integrators admitted to having very little information security awareness. Our “cyber IQ” was collectively near zero, and the room was filled with integrators who have been acknowledged in their own right as some of the “best of the best” in the physical security industry. Fortunately, we were all there with the intent to improve our own cyber savviness. At that event, we all realized we were staring one of our biggest threats right in the face, and that the industry needed to take a step forward.

PSA has continued to lead the charge in this endeavor. The organization had seen great success leveraging the knowledge of PSA integrators and staff to bolster committee think tanks focused on sales and marketing, project management, technology and leadership. Over the years, these committees have developed playbooks that provide step-by-step answers to the questions a security integrator might have about any aspect of their business. The answers spring from the collective wisdom of hundreds of successful years of experience by some of the brightest minds in the security industry. PSA formed its Cybersecurity Committee based on this successful model with the intent of bringing security integrators the tools and resources they need to effectively face cybersecurity issues head on.

However, the Cybersecurity Committee recognized early on that creating a playbook for integrators on this topic would be a different story. The PSA owners lacked much of the information security knowledge that would be needed, so for the first time a PSA committee reached out to its vendor community for committee support, and the response was tremendous. We pulled together enough collective wisdom and expertise to get started down the information security awareness path, and the PSA Cybersecurity Playbook series was born.

The Research

At first glance, the information available on cybersecurity was overwhelming. Digging deeper, the Cybersecurity Committee discerned that much of the work that we were interested in had already been distilled by others. The National Institute for Science & Technology (NIST) had been driving research into this area since the Federal Information Systems Management Act (FISMA) was adopted into law in 2002. In the wake of the Sept. 11th attacks, FISMA re-emphasized the role of information security within the economic and national security interests of the United States.

Concurrently, the Department of Homeland Security was developing the National Infrastructure Protection Plan (NIPP). The 2006 guidance within the NIPP originally focused on critical infrastructure but Presidential Policy Directive-21: Critical Infrastructure Security and Resilience — signed into law in 2013 — broadened that focus to include 16 distinctive areas of commerce that contribute significantly to the U.S. economy and national security interests. Information security was identified as a vulnerability to varying degrees within each of the 16 NIPP sectors.

During this same timeframe, the cybersecurity threat had become of increasing concern to the team at NIST. NIST focused in on cybersecurity guidance, and the outcome of that work was published in 2013 as the Cyber Security Framework (CSF).

The CSF is a comprehensive set of information security standards and guidelines designed to protect critical infrastructure. It was a straightforward choice by the PSA Cybersecurity Committee to adopt the CSF as the basis of our research into cyber maturity. The problem for us was that the CSF has literally hundreds of categories, subcategories and sub-subcategories of controls (security measures) to measure oneself against. We needed an implementation methodology that integrators could understand and, more importantly, one that they would actually use.

Of all the methodologies we reviewed, the most practical came from the SANS (SysAdmin, Audit, Network, Security) Institute, which had mapped the CSF security controls into a “top 20 list” of controls — the top five of which were evaluated to mitigate approximately 85 percent of the observed cybersecurity vulnerabilities across the global internet infrastructure. The SANS top 20 became our jumping-off point.

Tier Zero

Cybersecurity maturity within an organization has been characterized in different ways according to which research you study. The PSA Cybersecurity Committee looked to the Capability Maturity Model Integration (CMMI) program as a way of explaining the levels of cyber maturity within our integrator organizations. In that way, any company could measure where it stood within the total spectrum of maturity.

Since internal polls of the PSA integrators indicated very little awareness or knowledge about cybersecurity, we felt that a Tier One initial effort would seem overwhelming to our owners. So we created a Tier Zero, and the only place to go was up.

The PSA Cybersecurity Committee Playbook One: Tier Zero was created as a living document designed to guide integrators through a series of key questions focused on their people, their internal processes, and the products and systems they use in their business.

Questions such as “Does your company have a password management policy?” or “Does your company have a cybersecurity insurance policy?” are simple, yet critical questions integrators must ask themselves. Regardless of the answer (yes or no), the playbook points the integrator to solutions that move them towards increasing levels of cyber maturity.

The committee researched solutions for both the yes and no responses to each question, and Playbook One: Tier Zero provides our integrators with suggestions at several levels: no-cost solutions they can implement internally, low-cost open-source solutions, PSA Business Solutions providers offering specialized expertise, and references to commercial resources they can consider while working on their cyber hygiene.

In addition, the playbook includes a glossary of cybersecurity terms, a sample cybersecurity insurance application, and a listing of educational resources with descriptions of the various cyber and information security certifications available from the corresponding educational body.

Beyond Tier Zero

The PSA Cybersecurity Committee presented Playbook One: Tier Zero during a panel discussion at PSA TEC in May of 2016. The session was attended by more than 30 security integrators, none of whom were able to answer “yes” to all 16 questions presented in the playbook questionnaire. In fact, most respondents needed help with several areas — which means this initial playbook seems to have hit the nail on the head in terms of a reasonable starting point for integrators to begin to improve their cybersecurity posture.

Over the last 18 months, members of the PSA Cybersecurity Committee have been speaking at events across North America as our work continues to develop the next playbook, focused on moving integrators to Tier One and beyond. Subsequent playbooks will be forthcoming over the next few months.

We have already seen cybersecurity requirements appearing in contracting verbiage, and the goal of the PSA Cybersecurity Playbook series, as well as other tools and resources under development, is to help integrators prepare internally with their own personnel and processes to deliver cyber-savvy products and services.

We also want to help them gauge the proper level of cybersecurity hardening that will be necessary within the solutions they are preparing to deliver. NERC/CIP, PCI, HIPAA and other regulated industry solutions require greater levels of cyber assurance to maintain regulatory compliance. As those compliance requirements push further down their supply chains, we anticipate the need for better cybersecurity hardening in the products as well.

PSA Security Network integrators are preparing diligently to be ready for these forthcoming requirements. Who’s got your back?

Andrew Lanning is Co-Founder, Integrated Security Technologies, a Hawaii-based integration firm. He is also Chairman of the PSA Cybersecurity Advisory Committee. Learn more about the committee at www.psasecurity.com/education. Request more info about PSA at www.securityinfowatch.com/10214742.