Tech Trends: Identity Management for More Secure Video

Jan. 15, 2015
Government guidelines have created a way to tighten access into camera systems

Last month, I mentioned that several interesting technologies caught my attention at Secured Cities (Baltimore) in November. There, I had the chance to speak with Darnell Washington, President and CEO of SecureXperts, an information security technology and consulting firm active within physical security — named to the top 10 of SD&I’s annual Fast50 last year. He emphasized the importance of the NIST Cybersecurity Framework as a driver of future cybersecurity efforts, and that includes access to video surveillance cameras and feeds.

Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued in Feb. 2013, calls for the development of a voluntary risk-based Cybersecurity Framework — a set of industry standards and best practices to help organizations manage cybersecurity risks. Version 1.0 of the framework was published by NIST one year later (see http://1.usa.gov/1GJ966G).

The framework focuses on business drivers to guide cybersecurity activities and on considering cybersecurity risks in the organization’s risk management processes. The document states: “Organizations will continue to have unique risks — different threats, different vulnerabilities, different risk tolerances — and how they implement the practices in the framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the framework is aimed at reducing and better managing cybersecurity risks.”

While the document is primarily focused on Information Technology and Industrial Control Systems — elements of critical infrastructure — the objectives and cybersecurity thought process are broadly applicable. It relies on existing standards, guidelines, and practices and anticipates that these will be updated as needed to meet emerging threats. It provides a common taxonomy and mechanism for organizations to examine their current cybersecurity posture; to measure their progress towards a desired target state for cybersecurity; to identify and prioritize opportunities for improvement; and to communicate among stakeholders about cybersecurity risk.

Cybersecurity and Identity Management

One important set of guidelines is found in the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, with which all federal IT systems are mandated to comply (see http://1.usa.gov/1swEBQP for more info). A primary objective is to enable trust across organizational, operational, physical and network boundaries. It relies on two major components, the Federal Public Key Infrastructure (FPKI) and the Personal Identity Verification (PIV) framework, to close security gaps in the areas of user identification and authentication, encryption of sensitive data, and logging and auditing. It supports the integration of physical access control with enterprise identity and access systems, and enables information sharing across systems and agencies with common access controls and policies.

The document states: “Identity management is the combination of technical systems, policies, and processes that create, define, govern, and synchronize the ownership, utilization, and safeguarding of identity information. The primary goal of identity management is to establish a trustworthy process for assigning attributes to a digital identity and to connect that identity to an individual. A digital identity is often comprised of a set of attributes that when aggregated uniquely identify a user within a system or enterprise… A credential is an object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person. Examples are smart cards, private/public cryptographic keys, and digital certificates… Access management is the management and control of the ways in which entities are granted or denied access to resources.”

The document frankly states that “While solutions are available, the ability for the 100 million-plus individuals and businesses that need to obtain re-usable credentials that are cost-effective has not been realized. In many cases, agency application owners continue to establish user ID/password relationships with their constituencies, thereby perpetuating the stove-piped approach to identity management. It is expected that the Federal Government will take advantage of a wide variety of identity schemes through the establishment of a government-wide approach to federated identity and the increased availability and acceptance of third party credentials and authentication services for use across federal agencies, state and local partners, and private entities such as commercial business partners seeking interoperability or compatibility with federal programs.”

“With the current state of worldwide cyber security, expect mandates early next year requiring the removal of username/password combinations for physical and logical security products, requiring the use of multi-factor authentication credentials,” Washington says.

Tying it into Video Surveillance

SecureXperts (www.securexperts.com), co-exhibiting with Bosch at Secured Cities, featured a dramatically new approach in IP camera security to fully address these new Federal government requirements for critical infrastructure. Forgoing the usual username and password login for credential verification, the two companies have cooperated to embed a chip — similar to those used in smart cards and the new EMV chip in credit/debit cards — within the camera that allows for secure authentication and encrypted data to and from the camera.

Credentialing may involve various multi-factor authentication measures, including biometrics. The system also uses digitally signed credentials that prove the authenticity of the video without the need for watermarking. The cost premium for this capability is about 10-15 percent. I had expressed a concern about the latency due to the encryption process, but was told that it added only 2-3 percent. Washington confirmed that cost/benefit analysis shows performance upticks far outweighing the costs of being breached using widely available cracking tools.
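The signed-video idea described above, sketched as an added example; it is not the SecureXperts or Bosch implementation, which the article does not detail. It assumes an Ed25519 key pair standing in for the key held in the camera's chip and a hypothetical segment format that chains each signature to the previous one, so edits, reordering and removed segments are all detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedSegment is a hypothetical record: one chunk of video plus the camera's signature.
type SignedSegment struct {
	Seq       uint64
	Data, Sig []byte
}

// digest binds a chunk to its position and to the previous signature (empty for the first).
func digest(seq uint64, data, prevSig []byte) []byte {
	buf := binary.BigEndian.AppendUint64(nil, seq)
	sum := sha256.Sum256(append(append(buf, prevSig...), data...))
	return sum[:]
}

// SignStream plays the camera; priv stands in for the key kept inside the embedded chip.
func SignStream(priv ed25519.PrivateKey, chunks [][]byte) (out []SignedSegment) {
	var prev []byte
	for i, c := range chunks {
		prev = ed25519.Sign(priv, digest(uint64(i), c, prev))
		out = append(out, SignedSegment{uint64(i), c, prev})
	}
	return out
}

// VerifyStream plays the recorder or reviewer: index of the first bad segment, or -1 if all pass.
func VerifyStream(pub ed25519.PublicKey, segs []SignedSegment) int {
	var prev []byte
	for i, s := range segs {
		if s.Seq != uint64(i) || !ed25519.Verify(pub, digest(s.Seq, s.Data, prev), s.Sig) {
			return i
		}
		prev = s.Sig
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	segs := SignStream(priv, [][]byte{[]byte("gop-0"), []byte("gop-1"), []byte("gop-2")})
	segs[1].Data = []byte("spliced") // simulate an edit made after recording
	fmt.Println("first segment failing verification:", VerifyStream(pub, segs))
}
```

In a PKI deployment of the kind the FICAM material describes, the verifier would obtain the camera's public key from a certificate chained to a trusted root rather than receive it directly as it does here.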

The two companies may actually be onto something.

What will it take to make this technology go mainstream? First, the broader security market has to get serious about cyber security and tolerate some incremental cost. Second, the parties who have developed this new chip technology must develop suitable business approaches to get it embedded in a critical mass of manufacturers’ products, enabling users to access it through their preferred vendors. This should become a standard.

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter @RayCoulombe.