Physical Security Hardening Guides in 2019


Ray Bernard’s March 2019 update on physical security industry product and system hardening guides.

Figure 1. The Security Industry Lags 5 Years or More Behind IT

The physical security industry lags the IT industry by five years in terms of adopting information technology for electronic security systems. Figure 1 to the right is one perspective on that from Brivo Systems. However, the security industry’s adoption of IT practices lags even further behind – as long as fifteen years when it comes to computer and network security issues.

Thus, even though the industry has been putting devices onto corporate networks for over 20 years, manufacturers did not start producing hardening guides for their products and systems until 2016, with one primary exception: Axis Communications.

In the past two years over two dozen companies have taken cybersecurity for physical security systems seriously. Let’s see what we find at ISC West 2019.

Cybersecurity Wakeup Call

2016 was also the year when networked security video deployments were hit hard by hacker malware. 1.5 million networked cameras and recorders were infected and commandeered into hacker botnets. Several highly publicized infections occurred between late 2016 and mid-2017, as reported by Krebs on Security, Forbes, Penta Security, Trend Micro and many others.

Several security industry manufacturers have also had product vulnerabilities publicly reported by security researchers, and most have responded well and are upping their cybersecurity game.

Taking Cybersecurity Seriously

As of March 2019 the following companies have published cyber security and/or product hardening guidance. One company provides a camera network hardening appliance. Congratulations to these companies for stepping up to the plate:

What Customers Expect

Cybersecurity for physical security systems is a top end user and system integrator consideration, especially for security surveillance camera systems. Product cybersecurity documentation is more important than is generally realized. For example, for large corporate customers, the cybersecurity profile of vendors is a significant factor in the cost and scope of end user cybersecurity insurance policies, which are usually negotiated annually.

The cybersecurity maturity of an IT product vendor is typically evidenced by three things:

  • Product hardening guide
  • Vulnerability disclosure policy
  • Documentation of key aspects of the vendor’s product security program, including the vulnerability handling policy.

If your product carries the CE mark (Conformité Européenne) indicating that the product conforms to all applicable European standards, you should read the downloadable report, Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges from the Centre for European Policy Studies.

The hardening guide is the highest priority, as it is proof of attention to cybersecurity and deployment support.

Some examples of documenting key aspects of a vendor’s product security program are:

The broadly publicized cyberattacks on cameras and recorders elevated the public awareness of the importance of product and system cybersecurity protections. Hardening guides are now a standard expectation for physical security systems.

What’s In a Hardening Guide?

The National Institute of Standards and Technology (NIST) in its Special Publication 800-70 Revision 4 (February 2018), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, states:

A hardening guide is “a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product.”

A good and practical hardening guide includes the following elements:

  1. Statement of vendor’s cybersecurity philosophy and commitment
  2. Guidance based on an industry-recognized cybersecurity framework, usually NIST SP 800-53 for federal systems and critical infrastructure organizations, or the Center for Internet Security’s Critical Security Controls
  3. Characterization of the deployment environments to which the controls typically apply
  4. Product configuration instructions, best done by reference to installation and/or user guides to minimize hardening guide document length and update requirements (meaning that referenced installation and user guides can be updated without having to update the hardening guide itself)
  5. Recommended use of product security features
  6. Considerations relating to deployment environment standard cybersecurity practices, such as IT networking requirements, use of corporate NTP time servers, and network device management
  7. Reference charts for network port and protocol usage
  8. Charts of as-shipped cybersecurity-related factory default product configuration settings
  9. An “About the Company” concluding page with contact information
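As an added example (not code from the article or from any vendor's guide), the following Python script encodes a small hypothetical hardening-guide checklist covering elements 5 through 8 above and applies the two verification purposes in the NIST definition: checking that a device is configured as the guide requires, and identifying changes made after the hardened configuration was approved. The device settings, port/protocol chart and factory default values are constructed for illustration.

```python
# Constructed excerpt of the charts a hardening guide carries: the port/protocol
# reference (element 7) and the as-shipped factory defaults (element 8).
# All values are hypothetical and not taken from any vendor's documentation.
ALLOWED_PORTS = {443: "HTTPS web UI", 322: "RTSP over TLS", 123: "NTP client"}
FACTORY_DEFAULTS = {"admin_password": "admin", "telnet_enabled": True,
                    "http_enabled": True, "ntp_server": "",
                    "firmware_signed_only": False}
# Settings the guide requires after hardening (elements 5 and 6).
REQUIRED = {"telnet_enabled": False, "http_enabled": False,
            "firmware_signed_only": True, "ntp_server": "ntp.corp.example"}
MUST_CHANGE = {"admin_password"}  # value must differ from the factory default


def verify_configuration(config, listening_ports):
    """'Verify that the product has been configured properly'.
    Returns a list of finding strings; an empty list means compliant."""
    findings = []
    for key, wanted in REQUIRED.items():
        if config.get(key) != wanted:
            findings.append(f"{key}: expected {wanted!r}, found {config.get(key)!r}")
    for key in MUST_CHANGE:
        if config.get(key) == FACTORY_DEFAULTS[key]:
            findings.append(f"{key}: still at factory default")
    for port in sorted(set(listening_ports) - set(ALLOWED_PORTS)):
        findings.append(f"port {port}: not in the guide's port/protocol chart")
    return findings


def detect_unauthorized_changes(approved_snapshot, current):
    """'Identify unauthorized changes': diff current settings against the
    snapshot recorded when the hardened configuration was approved.
    Returns {setting: (approved_value, current_value)} for each difference."""
    keys = set(approved_snapshot) | set(current)
    return {k: (approved_snapshot.get(k), current.get(k))
            for k in sorted(keys) if approved_snapshot.get(k) != current.get(k)}


if __name__ == "__main__":
    # Constructed sample: a camera hardened per the guide, then HTTP re-enabled.
    approved = {**FACTORY_DEFAULTS, **REQUIRED, "admin_password": "s3cr3t"}
    current = {**approved, "http_enabled": True}
    print(verify_configuration(current, [443, 322, 123, 80]))
    print(detect_unauthorized_changes(approved, current))
```

Running the check against a fresh as-shipped configuration is a quick way to confirm the guide's charts actually cover every default that must be changed.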

Specifiers Are Taking Action

SecuritySpecifiers.com will post for free links to manufacturer’s hardening guides and cybersecurity guidance, as well as their Architect and Engineer (A&E) specifications.

SecuritySpecifiers is working on cybersecurity specifications language for inclusion in A&E specs, and will be submitting to the Construction Specifications Institute (CSI) recommendations for physical security system cybersecurity items for inclusion in the 2018 update of the CSI Master Titles and Numbers standard.

This year, hardening guides will become a mandatory manufacturer qualifications item for many security system projects.

I recommend getting a free subscription to Security Technology Executive magazine, where my upcoming articles about Cybersecurity for Security Systems appear.

If you are a manufacturer who would like some guidance or assistance in producing a product or system hardening guide, call me (949-831-6788) or email me (RayBernard@go-rbcs.com).

If you are a security systems specifier and you’d like to contribute to the SecuritySpecifiers initiative, please do write or call me.