In the world of systems integration, every building device is IP-enabled and riding on the network. Building security, HVAC, audio visual, mass notification: these devices now reach in and out of the network to cloud applications for management.
The fact is building technology solutions today provide efficiency, amazing capabilities to the end user and flexibility in their design and deployment.
But how cybersecure are they, really?
As an integration firm that sells, installs and supports these systems, you have a responsibility to ensure that you are providing your customers the best level of cybersecurity when deploying solutions at their locations.
Here are 5 tips to help you secure your deployments better, and prove you’ve done so:
Not all vendors have a security-first mindset. Sure, they might build “security” cameras, but they don’t necessarily build cybersecure products. Your customers trust you, as their technology partner, to select vendors that meet the “cybersecure” model. That means these vendors must take cybersecurity seriously. You can start by simply asking your vendors about the cybersecurity of their products, steering clear of those vendors who look like a deer in headlights when you ask the question.
A vendor who has a cybersecure model will have hardening guides for their devices and systems. These guides have been designed by the manufacturer as a handbook for your technical teams to help ensure customers' systems are deployed in the most secure way possible. Ask your vendors to train your teams on how to use these deployment guides, and add them to your installation guidelines for all deployments. Having your technicians use a checklist and sign off on the procedure will confirm that they have followed the recommended deployment techniques appropriately.
You deployed the devices and systems at your customer's site, and with that you have a responsibility to ensure your customer understands that these systems may need continued patching and updates. Manufacturers today typically report vulnerabilities in their systems publicly and work towards remediating them. For example, head on over to https://cve.mitre.org and use the search tool to see the list of vulnerabilities for products that you install and support. You might be surprised by the size of the list. When vulnerabilities have been discovered by manufacturers, usually the fix will be released in an update that, once installed, will solve the issue. It’s important that these updates are applied quickly, before an attacker uses the vulnerabilities to their advantage. As the technology provider, you have an obligation to make sure your customer is aware of potential vulnerabilities, and of the fact that without a fix, a compromise could happen.
To help, vulnerability scanners can be deployed inside and outside of the network to identify whether IP-enabled devices, software, and web applications have any vulnerabilities. These tools run automatically and bring back ongoing, detailed results ranked by mitigation priority. Devices with critical vulnerabilities are ranked first, with medium and low following. Remediation recommendations are included to provide further guidance. There is an opportunity for managed service providers to offer these services to further build their recurring revenue stream.
Test your deployments:
So how do you know if the system you deployed is secured properly?
Ethical hacking can be utilized to do just that. Ethical hacking (or penetration testing) is when a skilled “white hat” hacker utilizes tools and techniques to test how secure your deployment is. Yes, they “hack”, just like the bad actors do, and depending on the size of the deployment, these tests could take days or even weeks.
After the testing is completed, a full report is provided, which will include remediation recommendations. Re-tests can be performed once remediation is complete to finalize the process.
Providing your customer this attestation can add tremendous value and perceived trust that the system is being deployed securely.
Improve YOUR cyber posture:
Get your own house in order! Your technicians are rolling into jobsites with laptops full of sensitive data, including customer floor plans, system schematics, device inventories with IP addresses listed, and so much more. While at the job site, they connect their computers to their customer’s systems to troubleshoot and install software. All of these practices require proper cyber-hygiene to ensure you are protecting the end user appropriately. Be aware that end user information security (IS) teams now understand the risks associated with these practices, so you can expect that they will be asking more questions about your organization's cyber posture.
It’s important that you have a solid cybersecurity program in place at your company that includes the three key areas of Foundation, Culture and Technology. Your cybersecurity should be an ongoing program, constantly being reviewed and improved upon.
Get ahead of the competition:
All of these tips not only help in securing deployments at your customers' sites, but they can also be a competitive differentiator. Once you take a cybersecurity-first approach, you can add cybersecurity as a sales and marketing tool to set you apart from competitors who lack evolved cybersecurity practices.
Add your cybersecurity techniques to your proposals and brochures. Train your sales team to showcase your cybersecurity prowess, and start promoting that you take cybersecurity seriously.
More Resources for Systems Integrators:
New Security Requirements Impacting Contractors and Integrators (Interview with Chuck Wilson, Executive Director of the NSCA)