Is my security technology also equipped against cyber attacks?
Digitalization has changed security technology, and increasing networking poses dangers. A new cyber security guide from the SES Association helps security installers protect their systems from hacker attacks. Two authors of the guide in conversation.
meet the requirements of cybersecurity.
Physical security systems must be secure - even when it comes to cyber threats. That's why the SES Association has responded with a new guide.
Edi Lehmann and Roger Hiestand, Cyber-Security Working Group of the Swiss Association of Security System Installers (SES): The constant change in technology and the digital transformation must also be taken into account in our industry. In building technology, the various trades such as access control, video surveillance, intrusion or fire protection are networked via a management system. Thus, physical security must also meet cybersecurity requirements. For this reason, the SES Association, or rather the working group commissioned with this task, began some time ago with the preparation of a new cyber security guideline. The document is an aid for system integrators of security technology, but not for a complex data center. The small and handy document shows in a simple and understandable way how security systems can be made fit with regard to cyber security by means of technical and organizational measures.
The guide does not address individual safety techniques. Why?
The primary goal is to raise awareness in the industry. We have already achieved a first goal if both the security technology provider and the planner and ultimately the user ask themselves what needs to be protected in the first place and how. The next step is network segmentation: The resulting transitions between the individual building technology trades allow connections to be controlled and efficiently prevented (see figure "Network segmentation"). Finally, the endpoint, for example the video surveillance camera or the fire alarm system itself, must be protected. It is no longer sufficient to work with antivirus software alone.
Which areas of each security technology are ahead in terms of cybersecurity?
There has been a lot of awareness in the video industry in recent years, but also in management platforms. Basically, everyone who has been switching from analog to digital for a while has taken this path. Because with this, protection against cyber attacks logically becomes relevant. All system integrators of security technology should be concerned with this topic today, because their solutions are almost always integrated into a network.
Shouldn't the SES association have raised the issue earlier?
Better late than never! It's not so bad that the association waited. IT security is a younger topic and awareness of it is not yet as great. It is often still neglected with the remark "we are not interesting for hackers". However, cyber criminals do not always take a targeted approach, but spread malware indiscriminately. The various cases that have recently become public clearly point to the problem. The security industry must also pay more attention to this and design its solutions accordingly.
The merging of information and security technology is a great challenge, says the guide. What does this mean for the individual installer of security systems?
The classic networks of yesteryear no longer exist. It used to be said "never touch a running system". Today, the opposite is true: If you don't intervene in existing systems, it can become very critical. Because without patch management (correction of a program) and updates, which the manufacturer of security technology must provide, it no longer works. In the past, these were isolated systems that were not integrated into a corporate network.
But with networking - the attack surface for hackers is inevitably becoming larger - this has changed radically and any security leaks must be rectified quickly. Security technology, i.e. operational technology (OT), must also be able to guarantee this.
Another point is important: the different lifetimes of information technology (IT) and security technology. IT is very fast-moving and is regularly renewed. The service life of security technology, on the other hand, is longer. The system integrator must take this into account, because his security technology must still be able to communicate securely with IT even when it is updated.
The issue of liability is not a topic in the SES Guide. Why?
As already mentioned, the installer of security systems should automatically provide the user with patches in order to quickly close security gaps. But with regard to liability, the new SES guidelines state right at the beginning: "The fundamental
Responsibility for self-protection lies with the respective companies and organizations." The risk therefore basically lies with the operator of a plant. We do not wish to comment further on the subject of liability in the guide.
Is cyber security included in maintenance contracts?
The security industry still has some catching up to do, and cyber security issues should increasingly be covered in maintenance contracts. This is an opportunity for smaller installer companies in particular, because they can offer their customers appropriate maintenance options, which strengthens customer loyalty.
We would also like to emphasize that a technician from a security provider today should have great know-how in the network area, because he must also be able to maintain a system in terms of cyber security.
There is always a tension between safety, comfort and costs. What can be said about the cost-benefit question?
It's the same with physical security: every company relies on different security requirements depending on its business activities. Every company manager can calculate for himself what it costs him per day if the business or even just parts of it are paralyzed.
Cyber security is about organizational and technical concerns. The extent to which a company needs to "upgrade" in order to fend off cyber attacks should be discussed jointly by users, planners and manufacturers. A better level of security usually costs more.
Shouldn't every security technology be tested or even certified with regard to cyber security nowadays?
In theory, that would be good. The fire protection ordinance contains insurance-related and fire-police requirements. But there are no such regulations in cyber security. What's more, if an inspection authority were to test a security system for cyber security today and find it to be good, such a test certificate would probably be outdated in a short time. In fire protection, recurring system tests are required annually. In cyber security, you would have much shorter intervals, which is cost-prohibitive. However, it would be conceivable for security technology to be tested or certified for the IT security aspect at the design stage.
Cyber security in the SES structure
The Association of Swiss Installers of Security Systems, or SES for short, is divided into the two areas of "Fire" and "Security". Cyber security now stands above security and fire protection technology in the SES organization chart. It currently consists of a working group in the association with the four members Edi Lehmann, Roger Hiestand, Patrik Kamber and Christian Sigrist. The change in the organization chart still has to be approved at the SES General Meeting on June 9, 2020. Only then will the new Cyber Security Commission officially exist within the SES Association.
Info: www.sicher-ses.ch
