
Physical Security Hardening Guides in 2020


This is Ray Bernard’s 2020 list of physical security industry product and system hardening guides.

For the latest list see Physical Security Hardening Guides in 2021.

Figure 1. The Security Industry Lags 5 Years or More Behind IT

The physical security industry lags the IT industry by five years in terms of adopting information technology for electronic security systems. Figure 1 to the right is one perspective on that from Brivo Systems. However, the security industry’s adoption of IT practices lags even further behind – as long as fifteen years when it comes to computer and network security issues.

Thus, even though the industry has been putting devices onto corporate networks for over 20 years, manufacturers, with one primary exception (Axis Communications), did not start producing hardening guides for their products and systems until 2016.

In the past two years over two dozen companies have taken cybersecurity for physical security systems seriously. Let’s see what we find at ISC West 2019.

Cybersecurity Wakeup Call

2016 was also the year when networked security video deployments were hit hard by hacker malware. 1.5 million networked cameras and recorders were infected and commandeered into hacker botnets. Several highly publicized infections occurred between late 2016 and mid-2017, as reported by Krebs on Security, Forbes, Penta Security, Trend Micro and many others.

Several security industry manufacturers have also had product vulnerabilities publicly reported by security researchers, and most have responded well and are upping their cybersecurity game.

Taking Cybersecurity Seriously

As of January 2020 the following companies have published cybersecurity and/or product hardening guidance. One company provides a camera network hardening appliance. Congratulations to these companies for stepping up to the plate:

Network Planning Guidance

An indication of the IT maturity of a physical security industry vendor is the level of network planning guidance provided for systems whose networked devices span the full extent of a facility’s building network and especially where the devices must interact or be accessed across multiple geographically dispersed LANs. This applies, for example, to cameras, card readers & their controllers and intercoms.

I haven’t written about this before because I didn’t know that any good examples existed that I could point to. Several leading vendors, such as Axis, Cisco, Lenel, Milestone and Pivot3 have provided extensive network design guidance for large projects to both end user customers and systems integrators as the situation warranted. Sometimes this was in the context of paid professional services; often it was free of charge.

I’m not minimizing any manufacturer’s engineering services, just pointing out that it is very broadly helpful to provide network planning guidance in the form of documentation, and these two items from Zenitel are good examples of doing that: the AlphaCom XE Network Design Guide and the Installation, Configuration & Operation Technical Guide. Such documentation can act as a force multiplier for a manufacturer’s engineering team efforts, in some cases replacing, and in others simplifying and optimizing, such engineering advisory engagements. Additionally, it can provide a competitive advantage at product/vendor evaluation time, as such decisions can take place much earlier than when an engineering team is engaged, which is helpful both to the customer and the manufacturer.

What Customers Expect

Cybersecurity for physical security systems is a top end user and system integrator consideration, especially for security surveillance camera systems. Product cybersecurity documentation is more important than is generally realized. For example, for large corporate customers, the cybersecurity profile of vendors is a significant factor in the cost and scope of end user cybersecurity insurance policies, which are usually negotiated annually.

The cybersecurity maturity of an IT product vendor is typically evidenced by four things:

  • Product hardening guide
  • Vulnerability disclosure policy
  • Documentation of key aspects of the vendor’s product security program, including the vulnerability handling policy.

In October 2020 the U.S. House of Representatives passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, which now moves to the Senate for consideration. The legislation sets minimum security standards for all IoT devices purchased by government agencies. In addition to requiring the National Institute of Standards and Technology (NIST) to provide the security standards based on feedback and input from standards organizations and industry leaders, the bill implements a disclosure program that requires manufacturers to disclose security vulnerabilities in their devices and how they were resolved, for increased transparency to end users. It also goes deeper into the supply chain to hold more stakeholders accountable for security.

If your product carries the CE mark (Conformité Européenne) indicating that the product conforms to all applicable European standards, you should read the downloadable report, Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges from the Centre for European Policy Studies.

The hardening guide is the highest priority, as it is proof of attention to cybersecurity and deployment support.

Some examples of documenting key aspects of a vendor’s product security program are:

The broadly publicized cyberattacks on cameras and recorders elevated the public awareness of the importance of product and system cybersecurity protections. Hardening guides are now a standard expectation for physical security systems.

What’s In a Hardening Guide?

The National Institute of Standards and Technology (NIST), in its Special Publication 800-70 Revision 4 (February 2018), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, states:

A hardening guide is “a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product.”

A good and practical hardening guide includes the following elements:

  1. Statement of vendor’s cybersecurity philosophy and commitment
  2. Guidance based on an industry-recognized cybersecurity framework, usually NIST SP 800-53 for federal systems and critical infrastructure organizations, or the Center for Internet Security’s Critical Security Controls
  3. Characterization of the deployment environments to which the controls typically apply
  4. Product configuration instructions, best done by reference to installation and/or user guides to minimize hardening guide document length and update requirements (meaning that referenced installation and user guides can be updated without having to update the hardening guide itself)
  5. Recommended use of product security features
  6. Considerations relating to deployment environment standard cybersecurity practices, such as IT networking requirements, use of corporate NTP time servers, and network device management
  7. Reference charts for network port and protocol usage
  8. Charts of as-shipped cybersecurity-related factory default product configuration settings
  9. An “About the Company” concluding page with contact information
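As an added illustration (not from the article or from any vendor’s guide), the script below treats two of the elements listed above, the as-shipped default settings chart (element 8) and the network port/protocol chart (element 7), as machine-checkable data and applies them to a device configuration snapshot in the way the NIST definition describes: verifying that the product has been configured properly and identifying changes the guide does not account for. All chart contents, setting names, port numbers and the device snapshot are constructed assumptions.

```python
# Added example: check a device snapshot against a hardening guide's two charts.
# Chart contents, setting names and the device snapshot are all constructed.
from dataclasses import dataclass

# Constructed "as-shipped defaults" chart:
# setting -> (factory default, hardened value; None means any non-default value is acceptable)
DEFAULTS_CHART = {
    "admin_password": ("admin", None),       # must be changed from the factory default
    "telnet_enabled": (True, False),         # guide says disable telnet
    "http_enabled": (True, False),           # guide says disable plain HTTP
    "https_enabled": (True, True),           # must stay enabled
    "ntp_server": ("pool.ntp.org", None),    # should point at corporate NTP servers
}

# Constructed port/protocol chart: every port the product is documented to listen on.
PORT_CHART = {80: "HTTP", 443: "HTTPS", 554: "RTSP", 123: "NTP (UDP)"}


@dataclass
class Finding:
    kind: str    # "unchanged_default", "wrong_value" or "undocumented_port"
    item: str    # setting name or port number
    detail: str


def check_device(settings: dict, listening_ports: set) -> list[Finding]:
    """Compare a device's settings and open ports against the guide's charts."""
    findings = []
    for name, (factory, hardened) in DEFAULTS_CHART.items():
        current = settings.get(name, factory)   # a missing setting is assumed still at default
        if hardened is None:
            if current == factory:
                findings.append(Finding("unchanged_default", name, f"still at factory value {factory!r}"))
        elif current != hardened:
            findings.append(Finding("wrong_value", name, f"is {current!r}, guide recommends {hardened!r}"))
    # Any listening port absent from the documented chart is a candidate unauthorized change.
    for port in sorted(listening_ports - set(PORT_CHART)):
        findings.append(Finding("undocumented_port", str(port), "not in the guide's port/protocol chart"))
    return findings


# Constructed device snapshot: password changed, telnet still on, NTP untouched, port 23 open.
SAMPLE_DEVICE = {"admin_password": "Xy!7kq9Lm", "telnet_enabled": True, "http_enabled": False,
                 "https_enabled": True, "ntp_server": "pool.ntp.org"}
SAMPLE_PORTS = {443, 554, 123, 23}

if __name__ == "__main__":
    for f in check_device(SAMPLE_DEVICE, SAMPLE_PORTS):
        print(f"{f.kind:18} {f.item}: {f.detail}")
```

In practice the two charts would be transcribed from the vendor’s hardening guide and the snapshot pulled from the device’s configuration export and a port inventory.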

Cybersecurity Frameworks

Medium and large size organizations typically use a cybersecurity guidance framework that helps ensure their management of security risk covers the full range of cybersecurity controls that have proven to be effective. Two popular frameworks are the NIST Cybersecurity Framework and the Center for Internet Security’s CIS™ Controls. Because electronic physical security systems are built on information technology, including extensive use of IoT (Internet of Things) devices, both NIST and CIS are producing IoT-specific guidance materials and tools. NIST has launched its NIST Cybersecurity for IoT Program, and CIS has recently released its CIS Controls Internet of Things Companion Guide, which provides very clear guidance about the applicability of individual CIS controls to IoT devices and systems.

The Center for Internet Security just recently (July 11, 2019) released its CIS Controls® Microsoft® Windows® 10 Cyber Hygiene Guide, a white paper available for download.

Specifiers Are Taking Action

SecuritySpecifiers.com will post, for free, links to manufacturers’ hardening guides and cybersecurity guidance, as well as their Architect and Engineer (A&E) specifications.

SecuritySpecifiers is working on cybersecurity specifications language for inclusion in A&E specs, and will be submitting to the Construction Specifications Institute (CSI) recommendations for physical security system cybersecurity items for inclusion in the 2018 update of the CSI Master Titles and Numbers standard.

Over the past year, hardening guides have become a mandatory manufacturer qualifications item for many security system projects.

I recommend getting a free subscription to Security Technology Executive magazine, where my upcoming articles about Cybersecurity for Security Systems appear.

If you are a manufacturer who would like some guidance or assistance in producing a product or system hardening guide, or in implementing or documenting vulnerability disclosure and management, call me (949-831-6788) or email me (RayBernard@go-rbcs.com).