What do Manufacturers and installers of new technologies need to know about cyber security? by James Willison
In a connected world there are numerous manufacturers and installers of new technologies which are racing to launch the latest products and support their end users, whether they are at home or in a corporate office. Some are committed to ensuring these are designed with security and privacy in mind, whereas others are not. Most, it seems, have high levels of connectivity and can be accessed from anywhere in the world from a smartphone. Increasingly, standards bodies, governments and industry associations are publishing guidance on how to secure devices and systems from cyber attack. The customer is encouraged to download hundreds of apps, and some of these can be used to control devices. What should manufacturers and installers be aware of in this new environment?
First, it is important to recognise that many of these new technologies can be developed from the design stage with security and privacy built in. Certainly, if these are to be used in sensitive locations or health settings then this is crucial. But interestingly it is probably the EU GDPR which is having the most impact on manufacturers and installers of innovative technologies. Governments are also working on legislation which will enforce basic security controls such as passwords, vulnerability disclosures and security updates.
On the 3rd February 2020, the UK Government concluded its consultation process on consumer IoT security and stated:
The regulatory proposals set out in the consultation advocated mandating the most important security requirements centred around aspects of the top three guidelines within the Code of Practice for Consumer IoT Security and the ETSI Technical Specification (TS) 103 645. These are outlined below:
1. IoT device passwords must be unique and not resettable to any universal factory setting.
2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
3. Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.
Consultation outcome: Government response to the Regulatory proposals for consumer Internet of Things (IoT) security consultation. https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security/outcome/government-response-to-the-regulatory-proposals-for-consumer-internet-of-things-iot-security-consultation
Recent research from the Internet of Things Security Foundation (IoTSF) indicates that only 13% of manufacturers have a vulnerability disclosure policy and this probably indicates just how immature the industry is. (https://www.iotsecurityfoundation.org/just-13-percent-of-consumer-iot-firms-allow-vulnerability-reporting-despite-incoming-laws-and-international-standards/)
In the home environment hackers have proven to be successful in controlling CCTV, lighting, and smart televisions. As Ken Munro of Pen Test Partners explains, “the manufacturers are letting us down in terms of security in many cases”. He found over 15,000 homes and small businesses ‘without security being done properly’. This means they can be easily controlled by an attacker.
Can hackers control your home? BBC London. https://www.youtube.com/watch?v=oTmyYudMnN0
This paper is designed to raise awareness for those manufacturers and installers of these devices who want to improve and become more cyber resilient. For those who have walked this path for several years and seen the benefits we are grateful for their insights, help and guidance.
Key things you should know about cyber security
- The benefits of secure technologies to support the business
- Cyber security of building security systems – the impact of the Internet of Things
- Control measures
- The GDPR – security and privacy by design
- Opportunities for innovation and real time risk management
- Important International Security Standards and Frameworks.
- The benefits of secure technologies to support the business
Why should manufacturers and integrators go to all this trouble? In times past it was simply a case of purchasing a system which was good value, effective and easy to install. Is it worth this extra cost and effort when there are many devices which work as well and provide the controls required by the organisation? If we take the premise that security companies provide solutions to support the business and fulfil its requirements, then these now include network security and privacy. In the worst-case scenario, a new device could compromise these areas and at best they can enhance capabilities through real time secure response such as video analytics, people monitoring, incident management and other real time automated solutions. But all these technologies must be developed, according to the GDPR, using security by design and default. In this way manufacturers provide resilient products which can make the difference to a successful bid for a new project if their competitors lack cyber security maturity. So, a win-win?
The topic of trustworthiness of devices and systems has been at the forefront of NIST’s own work on cyber physical systems. In 2016 it published a foundational document, Framework for Cyber Physical Systems. “Trustworthiness is the demonstrable likelihood that the system performs according to designed behavior under any set of conditions as evidenced by characteristics including, but not limited to, safety, security, privacy, reliability and resilience.” NIST Framework for Cyber Physical Systems (p 67) https://pages.nist.gov/cpspwg/.
It emphasises several key points which clarified what was already accepted by many in the security industry and must be noted by manufacturers of physical security systems and devices. It identified an IP camera as an IoT/Cyber physical device in 2016 urging that it should be a ‘robust and valued component of a cyber physical system’ (ibid p 25).
It continues that there is a need to design CPS to fail safe so even if hacked the impact will not cause physical harm. It cites Stuxnet as an example indicating the relationship between physical and cyber risk can sometimes be reduced with better physical controls. Stuxnet: Computer worm opens new era of warfare: https://www.youtube.com/watch?v=6WmaZYJwJng NIST suggests, “if the centrifuges had been equipped with physical or analog controls that physically prevented the centrifuges from spinning faster than their design limit no matter what the digital system commanded, the cyber-attack would have failed.” (ibid p 90). There is an onus on manufacturers to design products with safety and security in mind.
- Cyber security of building security systems – the impact of the Internet of Things
Manufacturers and installers face increasing challenges when it comes to providing secure solutions for buildings. These are vulnerable to cyber attack.
In the movie ‘I.T.’, we see the dramatic impact of how one temporary member of staff can gain access to a CEO’s home and then disrupt an entire business. (I.T. Official Trailer (2016): Pierce Brosnan Movie)
Manufacturers of these systems may face investigation and checks for failing to secure them. Certainly, if data has not been properly protected and there is a design flaw in the system, the end user may well have recourse to the EU GDPR, which we will consider in more detail later. It is not just the CCTV systems which are vulnerable. For many years hackers have exposed flaws in access control systems. Some companies have addressed these and improved their encryption and crypto key storage capabilities, but others have not. There are many older existing access systems (125 kHz) which do not conform to industry standards such as the Open Supervised Device Protocol (OSDP). https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/
Central to OSDP is its support for high-end AES-128 encryption, PKI/FICAM and biometrics. It is important to use the latest generation PIV cards. You also need to have current encryption keys, standards-based, vetted algorithms and proper key management.
- Control measures
Clearly there are many risks to cyber physical systems and new technologies. Some manufacturers are committed to cyber security and have developed guidance for installers to harden their devices and systems.
The CIS Controls version 7.1 – previously known as the SANS Top 20 – have been adopted by leading global manufacturers. Here are some examples of how these can be applied. CIS Controls: https://www.cisecurity.org/controls/
- CSC #1: Inventory and Control of Hardware Assets: Enabling IP filtering only for authorised clients will prevent the device from responding to network traffic from any other clients. Devices need to have appropriate certificates and settings in order to be accepted in a network infrastructure that is protected by IEEE 802.1X.
- CSC #2: Inventory and Control of Software Assets: During upgrades the device will check the integrity of the firmware and reject tampered firmware. Selected devices have secured the boot sequence.
- CSC #4: Controlled Use of Administrative Privileges: The password needs to be set for the device for it to become operational.
- CSC #5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Make sure that the product is in a known factory default state. The device will not operate until the administration password is set. Prevent people within the organisation from using a web browser to access the device.
- CSC #11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches: The device IP configuration depends on the network configuration, such as IPv4/IPv6, static or dynamic (DHCP) network address, subnet mask and default router. It is recommended to review your network topology when adding new types of components.
- CSC #14: Controlled Access Based on the Need to Know: Selected devices have a dedicated module for secure key storage.
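The CSC #2 point above, a device checking the integrity of new firmware during an upgrade and rejecting a tampered image, can be illustrated in code. This is an added example, not code from the page or from any manufacturer named here: the image layout, the function names and the anti-rollback version check are assumptions made for the example, not a real vendor format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example): 4-byte magic,
// 4-byte big-endian version, 4-byte big-endian payload length, the payload,
// then a 64-byte Ed25519 signature over everything that precedes it.
var magic = []byte("FWIM")

const sigLen = ed25519.SignatureSize

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature check failed, image rejected")
	ErrRollback  = errors.New("firmware: version older than installed, image rejected")
)

// BuildImage is the manufacturer-side signing step, run with the private key
// that never leaves the vendor's signing infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side check run during an upgrade. It parses the
// header, verifies the signature against the manufacturer's public key baked
// into the device, and refuses to downgrade below the installed version.
// It returns the new version and the payload only when every check passes.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 12+sigLen || !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := int(binary.BigEndian.Uint32(img[8:12]))
	if plen != len(img)-12-sigLen {
		return 0, nil, ErrFormat // length field does not match the image
	}
	body, sig := img[:12+plen], img[12+plen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrSignature // any modified byte invalidates the signature
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[12:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := BuildImage(priv, 2, []byte("constructed firmware payload v2"))
	v, _, err := VerifyImage(pub, 1, good)
	fmt.Println("genuine image:", v, err)
	tampered := append([]byte(nil), good...)
	tampered[20] ^= 0x01 // flip one bit inside the payload
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```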
Several leading manufacturers have produced guidance for installers, including AXIS Communications: https://www.axis.com/files/whitepaper/wp_hardening_guide_en_2006.pdf, Bosch: https://resources-boschsecurity-cdn.azureedge.net/public/documents/Data_Security_Guideb_Special_enUS_9007221590612491.pdf and Honeywell: https://www.security.honeywell.com/
It is significant that this subject is currently the focus of the British Security Industry Authority (BSIA). They have been concerned about the installation of safety and security systems for several years and have now produced their own guidance which will require certification in the future. Here are some key high-level principles from it.
As part of an overall cybersecurity strategy it is recommended that installing organisations consider a scheme such as Cyber Essentials. For more information visit https://www.ncsc.gov.uk/
Information and documentation relating to the design, installation, operation and maintenance of the installed system should be treated as confidential and stored securely.
Persons responsible for the design, installation planning, system installation, maintenance and repair of the installed system should have the appropriate training and/or experience in cybersecurity. Individual records of all training received should be retained and subject to regular review.
4.3. Security policy
The installing organisation should always maintain and apply a security policy. This is a documented policy outlining how to protect the organisation from cybersecurity threats.
The responsibility of maintaining and applying cybersecurity of an installed system is shared across the manufacturer, installing organisation and the client.
The BSIA provides a mandatory checklist for installers. Some of the key questions are:
- Confirm that encryption has been configured for connections for all installed devices and applications (wired and wireless).
- Confirm that wireless networks have the SSID changed to one that is not obviously associated with company / site, and to not broadcast the SSID.
- Confirm that port forwarding is not being used or where port forwarding is required by the system design, confirm that all other firewall ports have been closed except those chosen to be used in the system.
- Confirm that where remote access is used, that it only uses agreed secure protocols and services.
- Confirm that all software and hardware installed can be verified as being supplied by trusted sources, e.g. manufacturers or approved partners.
- Confirm that the network is configured so that installed devices and applications are segregated from any devices not part of the installed system, e.g. physical separation or VLAN (where required by the system design).
For further details, see BSIA: Installation of safety and security systems: Cybersecurity code of practice: https://www.bsia.co.uk/bsia-front/new%20pdfs/bsia_form_342-1_installation_safety_security_systems_-_cybercop_20200723.pdf
- The GDPR – security and privacy by design
The EU GDPR has probably had a greater impact on manufacturers and installers than any other piece of legislation. In part this is because there is so much content on what is expected and on the importance of protecting citizens’ data on your devices and systems from design to the end of their life cycle. The key point is that they are secure, and the concern is that if a device or system is not, and a data breach is proven, there could be a large fine to pay to the UK Information Commissioner’s Office. The penalties for failing to protect this data by using technologies to prevent its loss can result in fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Sarb Sembhi and James Willison, Unified Security Ltd, outlined hundreds of control mechanisms for manufacturers to consider in IoT projects to comply with the GDPR. Here is a selection.
Policies / Procedures / Guidelines / agreement control mechanisms
| Control mechanism | Stakeholders | Target type |
|---|---|---|
| Manufacturers should provide literature on privacy and security enhancing mechanisms built-in | Any | Manufacturers |
| Manufacturers should provide guidance on using built-in privacy and security hardening mechanisms | Any | Manufacturers |
| Manufacturers provide base level privacy / security certifications required by third parties dealing with their products | Any | Manufacturers, suppliers |
| Manufacturers provide base level privacy / security certifications required by third parties dealing with personal data of employees or customers | Any | Manufacturers, suppliers |
| Manufacturers must provide information on the impact to data and compliance regarding the use of out of life products in a non-scaremongering manner | Any | Manufacturers |
| Manufacturers to provide information on de-commissioning good practices | Any | Manufacturers |
| Manufacturers of components to provide information on the breakdown of last updates of all software within each component | Any | Manufacturers |
IoT product / system related control mechanisms
| Control mechanism | Stakeholders | Target type |
|---|---|---|
| Design team ensures that the device / system uses principles of security by design and default | Any | Design Team |
| Design team ensures that it has threat modelled the device for privacy and security threats | Any | Design Team |
| Design team ensures that findings from any Data Protection Impact Assessment have been implemented | Any | Design Team |
| Design team ensures that any sourcing of components specifies privacy and security requirements | Any | Design Team |
| Design team ensures that any sourcing of development libraries is for privacy and security purposes, not just functionality | Any | Design Team |
| Design team ensures that where development libraries are used the developer company has a clear policy to update any vulnerabilities | Any | Design Team |
| Design team ensures that where it utilises any code in a product which will access personal data, it does so only on the understanding that it accepts that it will have to manage privacy and security within the product regardless of any updates from external sources | Any | Design Team |
| Design team ensures that hardware components including chips (encryption, wi-fi, etc.) will at the very least not make the device vulnerable and at best provide security functionality | Any | Design Team |
| Design team to ensure, where required, the system is designed with operational disruption in mind | Any | Design Team |
| Design team to ensure that power consumption or usage does not compromise security | Any | Design Team |
| Design team to develop test plans to ensure the product or system will perform as expected | Any | Design Team |
| Testing team to verify the product or system performs as expected | Any | Testing Team |
| Design team ensures that devices which are used in large numbers (e.g. CCTV cameras) come with tools to confirm security and privacy configuration and settings have not been tampered with in the supply chain | Any | Design Team |
Smart GDPR assurance for a smarter world (p 20 – 24): http://www.axis-communications.com/smart-assurance-wp
- Opportunities for innovation and real time risk management
Organisations today are facing more advanced and complex cyber physical attacks which are difficult to manage as the volume of data creates many false negatives. This means that there are opportunities for companies to develop new technologies to identify security risks in real time using AI and data analytics. As we have seen this needs to be done in compliance with legislation but the need for investment to help organisations prevent these attacks is clear. What sort of technologies are going to help? Surveillance, social distancing, social media analytics, logical/physical access control, contactless, healthcare, quarantining, and real time monitoring.
Of course, these new and developing technologies will bring even more data to control rooms and the need for AI to make sense of this will also be important. As cyber attacks on this data also develop in sophistication the benefits of bringing cyber and physical automated solutions will be clearer. As security teams and other end users including FMs, HR and Legal examine and use the same data the value of building converged security operations centres for Smart Buildings will also be recognised.
Attacks on building systems need to be identified in real time to prevent fraud, theft, and criminal damage. Security teams will need these new technologies and then be able to deny a remote attacker access if it is demonstrated that the authenticated member of staff is in the building. Those who work from home will be logged in securely but as the attacks online increase technologies that work with other platforms can ensure that identity management is effective. This includes the automation of new starters and leavers’ access being updated in real time. Many of these technologies will clearly make security more capable than before. Some will continue to resist the pace of change but as the World Economic Forum states,
“We must stop thinking in compartmentalised ways when making decisions – particularly as the challenges we face are increasingly interconnected…This will require collaborative and flexible structures that reflect the integration of various ecosystems and that take fully into account all stakeholders”. (The Fourth Industrial Revolution, K Schwab, p 112)
Such a philosophy is fundamental to a holistic approach to security risk management and validates one security ecosystem which can identify and prevent risk.
- International Security Standards and Frameworks
Department for Digital, Cultural Media & Sport: Code of Practice for Consumer IoT Security: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf
EU GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
ETSI EN 303 645 V2.1.1 (2020-06) European standard: Cyber Security for Consumer Internet of Things: Baseline Requirements ETSI EN 303 645
ISO 27001: 2018 Information Security Management
ISA/IEC 62443-3-3, System Security Requirements and Security Levels
ISA-62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components
National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity”
National Institute of Standards and Technology, Risk Management Framework for Information Systems and Organizations