Collaborating with IT on System Hardening

Collaboration with IT departments regarding network requirements for electronic physical security systems is common. This column’s question is about collaboration regarding system hardening.

Q:  I’m responsible for our physical security systems deployments. How should I prepare myself to discuss system hardening with our IT department?

A:  There two major steps involved: system documentation (you may already have a good starting point), and IT basic concept education. You need to perform the first step before meeting with IT. You can perform the second step after your meeting with IT, although the sooner the better.

System Documentation

The first preparation step is system documentation, something you likely already have a head start on. You don’t need to know about cybersecurity to perform this preparation, although these are the same actions that IT security folks perform regarding the information systems they are responsible for.

System Diagram. Provide a diagram that shows the system’s connected elements including servers, workstations, UPS, control panels, interface boards, and field devices such as readers, cameras, sensors, etc. plus network equipment, cables and wireless connections including connections to wide area networks and the Internet. Label servers and workstations for their operating system type and installed applications. Label readers, cameras, and so on with the brand name and model type (i.e. card reader, fingerprint reader, palm reader, fixed camera, PTZ camera, etc.). Identify servers that provide logical connection points for mobile device applications.

System Inventory. Typically recorded in a spreadsheet or database, a system inventory includes the make, model, and count of each device and software application, date purchased, and dates for end of factory warranty, end of sales, and end of support. Include the yes-or-no status for being under an integrator maintenance contract. For devices, include the current firmware version and its release date.

Product Hardening Guides. A hardening guide contains information about how to configure the cybersecurity features of the product, and usually contains additional recommendations for cybersecurity hygiene (good cybersecurity practices to apply). The best hardening guides frame their guidance in the context of an Industry-recognized cybersecurity framework, usually the NIST SP 800-53 for federal systems and critical infrastructure organizations, or the Center for Internet Security’s Critical Security Controls.

Hardening guides are what the IT folks will be looking for. They’ll also want to see each manufacturer’s Vulnerability Disclosure Policy and Vulnerability Management Policy, along with any available information on their product security programs. Only a handful of physical security industry vendors have those available.

Find and download the hardening guide materials available for your makes and models of products. Try locating your vendor on this list of 27 vendors who provide hardening guides and cybersecurity advice on this page: https://bit.ly/phys-sec-hardening-guides-2020. Familiarize yourself with the available cybersecurity information provided by the makers of your security system products.

Helpful Hardening Guide. A simple but very helpful Cybersecurity Hardening Guide is provided by Zenitel (download via the page above). On page 7, it contains a checklist, based on the CIS Controls, of security mechanisms to apply to Vingtor-Stentofon IP-based intercom products. It also provides a PLAN-DO-CHECK-ACT approach to maintaining security system cybersecurity. This approach is helpful in aligning the cyber hygiene management for physical security systems with management processes in IT.

IT Basic Concept Education

The second step is getting a good grounding in the basic concepts of cybersecurity for physical security systems. Non-IT people usually have two generally false assumptions about cybersecurity. First, they think that understanding cybersecurity requires deep technical knowledge of all aspects of information technology. It does not. Second, I believe that most IT technologists have a very good understanding of cybersecurity. Most do not because they are deeply immersed in their technical specialties. Cybersecurity is a specialty area of its own, although most cybersecurity practitioners have other areas of IT knowledge due to their previous experience. Most IT folks are aware of the cybersecurity aspects related to their specialty areas, such as encryption as applied to databases. That does not make them cybersecurity generalists.

Most physical security professionals already have a good grounding in physical asset protection basics, and the same basics apply for protecting electronic information assets. This gives them an advantage in learning about cybersecurity compared to many IT specialists. However, there are terminology specifics that also pose challenges for physical security practitioners trying to learn about cybersecurity.

This short article provides two charts comparing language similarities and differences between physical security and IT security professionals: https://bit.ly/separated-by-common-language. It’s easy to see that when it comes to security concepts – there are more similarities than differences.

As the Zenitel Cybersecurity Hardening Guide shows by example, hardening physical security systems are completely understandable to physical security professionals.

Cyber Security for The Physical Security Professional

The fastest and most effective way I know of for physical security professionals to get a great grasp on cybersecurity concepts is by taking the online course, Cyber Security For The Physical Security Professional. This course shows you how to use your existing physical security knowledge and experience to break through the physical/cyber barrier. See the five-minute introductory video here: https://bit.ly/cyber-for-physical, as well as a full description of all the course modules. I have taken a very close look at this course and I highly recommend it for physical security professionals.

This course is video-instructed by Dave Tyson, who has spent 35 years in the security profession – 15 years in physical security roles and 20 years in the cybersecurity space, where he has distinguished himself as one of the leading voices and has held leadership positions with eBay, Nike, PG & E, and SC Johnson & Sons, as well as being a past President of ASIS International.

Professionalism

When you perform good preparation for your IT collaboration, you demonstrate professionalism and a willingness to be helpful to IT in your collaboration. This generally makes the IT folks more than willing to explain the rationale behind what they do to help further your understanding of cybersecurity. It is a great way to start or improve collaboration with IT.

About the Author: Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

© 2020 RBCS

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.