Cyber threat landscape demands more of the Security Supply Chain – From the chip to the camera


Genetec™ Streamvault™ alliance with Intel and Dell Technologies creates a cyber-hardened ecosystem.

By Chris Cubbage, CPP, CISA, GAICD, Executive Editor

The current landscape and technical challenges of cybersecurity are largely being driven by nation-state actors and geopolitical tensions. With increasing warnings of foreign intelligence campaigns operating at unprecedented levels, the value of trust in global supply chains is now at the forefront. Within the context of a US and China trade war and reported compromise of hardware systems, including chip manufacturing, the supply chain demands a ‘full life-cycle’ security assurance. Applied to the security systems supply chain itself, the concept requires securing everything from the chip to the camera for the assurance of monitoring and surveillance systems.

Managing and mitigating risk, and the rapidly changing context of risk, is the role of security professionals. We need to constantly seek out ways to reduce and, where possible, minimise the probability of a security event happening or its impact. There are a number of ways to mitigate risk but, in terms of impact, a critical one often underestimated in physical security is addressing the risk of cybersecurity breaches.

Cyber threats can be unforgiving. Operational disruption, theft of intellectual property (IP) and subsequent fines, and lawsuits are some of the known and measurable impacts. However, with such increasing interconnectivity of systems, we also see human life potentially at risk, now and in the future. With business operations, IP, legal action and personal safety being put on the line, failing to manage any of these impacts will ultimately affect reputational standing with stakeholders and how significant the impact becomes.

Yet the contemporary risk of an interconnected world is ever growing and continuous. Massive data breaches, government bans on technology supplies, and political and military tensions have converged to make ‘supply chain risk management’ the ‘hot topic’ as we step into 2020 and the next decade. Super-microchip compromise, US bans on Chinese manufactured devices, and a global wave of privacy and cybersecurity regulations are unfolding at such a rapid and somewhat unpredictable rate that the landscape of trade, trust, security, and privacy is shifting on a tectonic scale. We should anticipate that these trends will continue and that each will be transformative, as symptoms of the digital revolution.

The estimated global cost of cybercrime is $5.8 trillion¹ with China reported to be responsible for up to 60 per cent of this activity, even to the extent of having privatised its cyber-attack capability. As security and risk professionals, being aware of these global trends, we want to help protect our companies, clients, customers, and country. In the context of security systems, such as video surveillance, it is not just about the data and feeds from CCTV systems and networks. The cameras are essentially devices and network gateways that are deployed and intended for asset protection. To have them compromised and weaponised is an unacceptable derivative of their purpose. Yet in 2018, 90 per cent of IoT attacks were through routers and connected CCTV cameras.²

The traditional network of CCTV, as a closed-circuit TV system, has been an out-of-date concept for many years, but we’re stuck with the terminology to avoid confusing the public. With the growth in corporate network capability, security systems are increasingly merged with, or run alongside, corporate networks, despite network segregation. Yet even when not connected to the internet or externally accessible, air-gapped systems can still be compromised via malicious attacks and patient, sophisticated lateral movement operations. Insiders account for 56 per cent of data breaches, and 45 per cent of employees will still plug in a USB device they have randomly found. Now compound the risk across a supply chain: with the vulnerability from principal network access by service providers, third parties, and malicious insiders, the challenge of managing and mitigating this risk domain appears overwhelming – hence why 100 per cent security can never be guaranteed.

Questions to ask of the supply chain?

Stakeholders within the supply chain should be asking some fundamental questions:

  • Who’s liable if my equipment is used to access private information?
  • Who owns the company that manufactures my software and hardware?
  • Does foreign government ownership of a vendor matter?
  • How transparent is the vendor with cyber vulnerabilities?
  • Is there any security gap, including across the vendor’s own supply chain, that adds a security gap to my security solution?
  • Do I need cyber liability insurance?

How Genetec is addressing supply chain risk within a security ecosystem with Genetec Streamvault

A security risk mitigation model for security system deployment should have multiple layers of protection. These will be data encryption, authentication of users, auditing, third-party penetration tests, and coding vulnerability assessments. Ideally this is built around an ecosystem of trusted partners.

The strategic arrangement between Genetec, Dell Technologies, Microsoft, Intel, and Axis forms a shielded approach to technology delivery. Video is the biggest contributor to IP traffic and video analytics offer some of the most profound applications in the digital revolution — and some of the most adverse consequences if not protected. With human and critical infrastructure applications, such as MRI scans, driverless cars in real-time roadway assessments or for security of borders and across our utility services, the integrity and availability of these systems demand assurance.

There is a market-driven need for standardisation and consistency across sites. The servers and workstations that are in the Operations Centre are part of the IT and corporate system. Technology, including security technology, needs to be repeatable across installations and predictable for maintenance and upgrades, as well as offering a reduced footprint and blended IT infrastructure environment.

As underlined by Philippe Ouimette, Director of Strategic Partnerships, Genetec, speaking in Sydney at the Streamvault Solutions Day Seminar, “Genetec is particular about which organisations it accepts as part of its supply chain. They are all held to the highest of standards, especially when it comes to cybersecurity.”

Integrators have a responsibility to ensure the systems they are installing are secure, but it takes an estimated 13 hours to fully harden a new IP CCTV system. The risk is that some integrators may cut corners due to the time and granular configurations required. With Streamvault, Genetec is seeking to make it easier to harden these systems, whilst identifying system-related risk, wrapped around a network of trust and supply transparency.

Streamvault provides delivery of a turnkey security infrastructure solution, with preinstalled OS and applications, certified performance, and a cyber-hardened supply chain.

The recommended approach for security consultants and integrators is to ask the right questions, choose security vendors and manufacturers you can trust, follow cyber best practice, and invest in solutions to prevent costs and liability. The cyber threat landscape demands it.

MySecurity Media attended a Solutions Seminar Day courtesy of Genetec. For further information visit: https://www.genetec.com/solutions/all-products/streamvault-turnkey-security-infrastructure-solutions

¹ Source: http://www.eweek.com/security/global-cost-of-cyber-crime-reached-a-new-high-of-600-billion-in-2017
² Source: Symantec ISTR 2019
