Just returned from speaking at the annual PSATec Conference (www.psasecurity.com) and was thoroughly surprised by the strong emphasis on Cybersecurity… For those who don’t know PSA, it is an organization that supports a large national group of physical security integrators. While there, I had the opportunity to speak with industry experts to build on my understanding of current trends. The two topics of most personal interest came from David Wilson, CISSP, a lawyer providing professional services relating to InfoSec liability and best practices, and Per Bjorkdahl of Axis Communications, representing ONVIF (www.onvif.org).
Cyber Event Impact
My conversation with David was fascinating and ranged across a broad array of topics, but the greatest impact came from a discussion of current Cyber vulnerability mitigation strategies. The content of our discussion prompted me to do some research online. I subscribe to a newsletter published by Information Week that I find covers important current topics relating to Cyber (www.darkreading.com). Recent articles confirmed the conversation with David at PSATec. The current thinking is to move away from prevention and towards CONTAINMENT. Here is a link to an upcoming webinar on the topic: Dark Reading Webinar. This was shocking to me. It represents a veritable open admission that Black Hat hacking is pervasive AND that attacks are inevitable! I had previously thought the threat was moving slowly to the private sector, and primarily to global enterprise. This conversation blew a hole through that fantasy!
As a trained Cybersecurity professional (CISSP cert) AND a lawyer, David has a fascinating perspective on Cyber liability issues. I find it interesting to watch Information Security (InfoSec) issues mature in our legal system. The path has been similar to the evolution physical security went through. Those who have been through a lawsuit know that the legal measure of culpability is tied to “reasonable” efforts at prevention and response. In the physical security realm, we have several decades of case law to define these parameters. InfoSec is too new, and the legal guidelines are still being developed today.
Defining “Basic” Cyber Prevention & Response
This is a new age of responsibility for stewardship of online data. Private enterprise will be completely liable for the resulting impact of these attacks: theft of personal data, user access to personal data, shareholder fiduciary responsibility, etc. As our legal system would, consider defining Cyber liability based on recent real attacks and the countermeasures currently being developed. David’s presentation attempted to define the current standard for “basic” Cyber attack countermeasures. Follow this link to a presentation excerpt regarding “basic” (reasonable?) Cybersecurity measures: Wilson Presentation. Please contact David via LinkedIn if you would like to explore this with him further and utilize his services.
I suggest keeping an eye on this evolving area for current protection strategies and the impact on related systems.
This is the other emerging area… certifying software, firmware and IP-addressable equipment for compliance with minimum reasonable Cyber STANDARDS.
Underwriters Labs (UL) purchased InfoGard last year, the leading company working in this discipline. I thought this would be the harbinger for the evolution of such standards, with the subsequent development of UL 2900, but UL had a hiccup with the roll-out: “UL Refuses to Share Cybersecurity Standard”.
ONVIF is a consortium of 500 (or so) manufacturers attempting to voluntarily create a universally accepted standard for interoperability in the physical security industry. This Cybersecurity presentation at PSATec was not an effort to lead, but more a cry out to the industry for leadership from an organization capable of tackling such a daunting task. In talking with Per, it appears manufacturer members are seeing this uncertainty as a revenue opportunity… individually developing commercially viable solutions for competitive advantage. I would expect nothing else. It is too much to ask for such a standard from an organization of competing companies promoting voluntary adoption.
Cyber Standards Leadership
So, I asked Per, where will the leadership come from? He also did not see UL being effective in this area. His response was surprising: RSA Security! For any of you not familiar with RSA, they are the organization that came from the Black Hat / White Hat hacking community. Their primary role has been the development of encryption and encryption standards. Looking at their current website, it appears they are much more now… but I have to tell you, RSA moving into the physical security industry, really?
If RSA dives into physical security, that will be the beginning of “HYPER-CONVERGENCE”. If you think technology is driving change now, wait until this happens… you won’t recognize the security industry in five years!
These are exciting AND challenging times for the security industry. I wonder where these issues will take us. The change is happening SO FAST, I can’t even guess where we will be 2-3 years from now!
This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.