NEARLY EVERY day witnesses another mainstream media news story about cyber security. It’s a growing talking point and a concern for many, including those customers using connected security products and services. Glenn Foot explores how the industry can collectively address the cyber challenge and work towards a more ‘cyber-safe’ electronic security environment.
From corporate ransomware attacks to stolen sign-on details for personal social media, breaches in online security are rarely out of the news. Fuelled by such incidents, consumer worries about their personal data and how safe it is to use connected devices are increasing all the time.
A major survey of more than 10,000 US households conducted by Parks Associates back in 2017 showed that almost 50% of consumers described themselves as ‘very concerned’ about hackers gaining control of connected devices in their homes. Fast forward to late 2020 and Fiserv’s Fraud and Security Survey confirmed that such worries had risen still further. Some 79% of those polled said that cyber security was ‘equally or more concerning’ for them than it had been 12 months previously.
It's a sad fact that the connectivity bringing us closer together and delivering huge benefits (such as improved energy efficiency and reduced waste) can also make us more vulnerable to fraud, blackmail and identity theft. Rapid changes in our way of working and living, accelerated by the pandemic, are blurring the lines between domestic and business use, making responsibility for keeping data and devices secure more complex than ever. The careless opening of an e-mail or a simple click of the mouse can paralyse an entire company network or prevent a house from being heated.
As smart devices become increasingly common, the challenges around security tend to escalate. Connectivity is now rapidly expanding into intruder security through cloud-connected solutions affording options such as mobile apps, remote diagnostics and configuration. That means security installers, manufacturers and the wider industry must collaborate to address the cyber threat challenges posed in our sector as part of an ongoing battle to beat the hackers and the identity thieves.
The British Security Industry Association’s Cyber Security Product Assurance Group (CySPAG), with which we at Eaton work closely, was set up four years ago as a core pillar of the industry’s response. The CySPAG is made up of member companies and other stakeholders from a range of security industry sub-sectors and subject matter experts, all of them focused on reducing the risk of product-related cyber crime and supporting innovation.
The key question to address is: ‘What do the next steps look like for all involved in further strengthening the security industry’s operational and reputational integrity in the face of the ever-growing cyber threat?’
It’s literally decades since the conversation around connected home automation first began in earnest, starting with excited talk of the fridge that could sense when certain stocks were running low and then proceed to place orders that would replenish them.
Since then, a whole host of bright – and, possibly, more useful – domestic connectivity ideas have moved from the drawing board to reality. Screening house callers remotely by doorbell webcam is an everyday activity for many. Smart speaker ‘routines’ to switch on everything from the kettle and central heating to the lights and security systems are also now taken for granted.
The upshot is a massive expansion of the ‘cyber attack surface’ – a global upsurge in connected devices with the potential to multiply security vulnerability exponentially.
The numbers involved are mind-focusing. The McKinsey Global Institute estimates that 127 new devices connect to the Internet every second. Meanwhile, the 2021 Office of the Director of National Intelligence Report estimates that the Internet of Things will see 64 billion objects all monitored in real-time by year end. As security systems further embrace connectivity, effective cyber protection is simply non-negotiable. The answer lies in mitigating risk and safeguarding customer trust by engaging the entire supply chain, including industry organisations, manufacturers and installers. End users also have their role to play here, of course.
Inevitably, those safety and security systems connected to internal and external networks are more exposed to malicious attack. This means that they must be appropriately designed, installed, commissioned and maintained to ensure effective cyber security.
Education and guidance that can cascade from a high level down to both security equipment manufacturers and installers is the best way of ensuring cyber security consistency and effectiveness. Central to the CySPAG’s work are its Codes of Practice: defined sets of Best Practice related to the installation of safety and security systems with cyber security exposure in mind. There’s also a version written specifically for manufacturers.
Although it’s not currently mandatory for installers to follow the Code of Practice that focuses squarely on installation, it’s highly recommended that they become fully conversant with its detail, adopting it in their normal working practices as soon as possible.
Likewise, the new manufacturer-specific CySPAG Code of Practice adopts an approach that the more forward-thinking players in the manufacturing space are already taking on board in the interests of future-proofing their products and processes.
The Codes of Practice are designed to assist each party in the supply chain in meeting their Duty of Care to their customers. They specify a logical order for addressing system cyber security that can be adapted to reflect circumstances alongside manufacturers’ process and specification recommendations.
Following the launch of the dedicated manufacturers’ Code of Practice, the BSIA’s technical manager Steve Lampett highlighted the criticality of collaboration right across the sector. Lampett observed: “We’ve long considered and debated how our industry sector can provide effective cyber secure solutions for end users via its supply chain. We feel that our supply chains must find ways in which to collaborate and support processes that achieve this goal.”
Embedding Best Practice
Leading manufacturers know that effective cyber security measures to protect connected systems and devices are more than simply desirable. Rather, they’re now an absolute necessity. Taking the BSIA’s Code of Practice on board makes perfect sense and is ultimately in their best interests. By working towards compliance now, they’re best placed not only to meet customer expectations, but also any industry regulation that may materialise further down the line.
Along with other major names in the security manufacturing space, we’re fully committed to CySPAG compliance. For example, we offer software support over the lifetime of cloud-connected products and for an additional two years after a product becomes obsolete. Coupled with maintenance, this approach continues to patch Internet-connected panels and keep systems and users safe.
It’s an approach in stark contrast to that of the mobile phone industry, where support for handsets may only be available for a few years from launch and disappears at that point in time when a new model is released.
The post-obsolescence help is just one aspect of a company-wide cyber security policy known as ‘Secure by Design’. It synthesises Best Practice following in-depth analysis of all major global cyber security standards, ranging from those of the US Department of Homeland Security and NIST through to the Electrical Manufacturers Association, UL and IEC. This ‘super-set’ of the most relevant norms is then used as the basis for cyber-secure engineering on a product-by-product basis.
Safety at installation
Building in protection at the design and manufacturing stage is only one part of the jigsaw. The installer’s role is every bit as important as that of the manufacturers whose security products they recommend and install. As the interface with consumers who are increasingly aware of and concerned about the growing cyber threat, installers need to be ready to answer their every question and respond with robust system solutions.
Product confidence, of course, is key to establishing customer relationships on a sound footing. By researching thoroughly and only working with manufacturers harbouring strong cyber security credentials, installers can build that all-important trust and retain it.
The recommended route is to source only those products that comply with the CySPAG Code of Practice or meet other certification criteria (for example, by being tested to standards such as the ANSI/CAN/UL Standard for Software Cyber Security for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signalling Systems).
Installer education is also vital such that everyone – no matter what their seniority in an installation business happens to be – knows precisely why cyber security is important and what they can do to stay on top of it.
Finally, it’s critical that all end users know exactly what they need to do to ensure connected security systems remain secure on a 24/7 basis. This requires installers to take on an educational role, although others in the supply chain can support their efforts by supplying relevant information in user-friendly and accessible formats, such as ‘How To’ videos and step-by-step guides.
A focused cyber security briefing as part of the handover process should cover core ‘hygiene’ measures such as only setting up passwords and PINs that avoid the use of easily guessable names and number sequences.
Along with reminding users to change sign-on details regularly and only share them with the minimum number of people necessary, installers should also ensure that all user accounts have been set to the lowest level of privileges. For example, all such accounts should be ‘non-admin’, with only system administrators having admin access. Any redundant accounts, such as those created by employees who have left the company, should be immediately disabled.
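As an added example (not from the article, nor Eaton’s or the BSIA’s own code), the script below audits a constructed list of alarm-panel user accounts against the handover hygiene points just described: guessable PINs or passwords, least-privilege accounts and leaver accounts that have not been disabled. The account fields, the role names and the rules for what counts as ‘guessable’ are assumptions made for illustration.

```python
# Added example: handover audit of connected-panel user accounts.
# Account layout and 'guessable' rules are assumptions, not a vendor format.

DIGIT_RUN = "01234567890"  # ascending digit run; reversed covers descending runs


def pin_is_guessable(pin: str, names: tuple = ()) -> bool:
    """True if the PIN/password is a repeated character, a straight digit
    sequence (1234, 9876, 8901 ...) or contains one of the given names."""
    p = pin.lower()
    if len(set(p)) == 1:                                  # 0000, 1111, aaaa
        return True
    if p.isdigit() and (p in DIGIT_RUN * 2 or p in DIGIT_RUN[::-1] * 2):
        return True
    return any(n.lower() in p for n in names if n)        # e.g. 'dave2021'


def audit_accounts(accounts: list) -> list:
    """Return (account, finding) pairs for the installer's handover briefing."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                                      # already disabled: nothing to flag
        if a["left_company"]:
            findings.append((a["name"], "leaver account still enabled: disable immediately"))
        if a["privilege"] == "admin" and a["role"] != "system administrator":
            findings.append((a["name"], "non-administrator holds admin privilege: reduce to standard"))
        first_name = a["name"].split()[0] if a["name"] else ""
        if pin_is_guessable(a["pin"], (first_name,)):
            findings.append((a["name"], "guessable PIN/password: avoid names and digit sequences"))
    return findings


# Constructed sample data for a fictitious site; not taken from any real system.
SAMPLE_ACCOUNTS = [
    {"name": "Alice Admin", "role": "system administrator", "privilege": "admin",
     "pin": "739185", "left_company": False, "enabled": True},
    {"name": "Bob Reception", "role": "receptionist", "privilege": "admin",
     "pin": "1234", "left_company": False, "enabled": True},
    {"name": "Carol Former", "role": "manager", "privilege": "standard",
     "pin": "4826", "left_company": True, "enabled": True},
    {"name": "Dave Cleaner", "role": "cleaner", "privilege": "standard",
     "pin": "dave2021", "left_company": False, "enabled": True},
    {"name": "Erin Old", "role": "manager", "privilege": "admin",
     "pin": "0000", "left_company": True, "enabled": False},
]

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account}: {finding}")
```

Running it against the sample data lists Bob twice (admin privilege and a sequential PIN), Carol once (leaver still enabled) and Dave once (name in password), while Erin’s already-disabled account is skipped.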
As is the case with any installation, the handover process requires written confirmation from the nominated person that they accept the following responsibilities: understanding the security update support mechanism and how security updates and cyber security-related matters will be communicated, all in accordance with the system’s cyber security policy.
A ‘cyber aware’ security industry is one in which everyone involved shares the responsibility of upholding the highest cyber security standards.
Max Wandera, director of Eaton’s Cyber Security Centre of Excellence, neatly highlighted this critical point when he explained: “The security of a network or system is only as strong as its weakest link. Organisations should employ basic cyber security hygiene and continuously analyse emerging threats to ensure systems deploy securely.”
By encompassing cyber security as an essential part of security product design, then, manufacturers can take the opportunity to make sure that their solutions continue to meet the ongoing needs of today’s connected world.
In parallel, installers can strive to build trusted relationships with customers, in turn always understanding their concerns and, importantly, what it takes to address them.
Glenn Foot is Chair of the BSIA’s CySPAG and Product Manager for Scantronic Systems at Eaton (www.eaton.com)