By: Robert Flynn, Senior VP of Operations, Aronson Security Group and Vice Chair of the PSA Project Management Committee
Project Managers Role in Providing Today’s Security Solutions That are Cyber Ready
As dealers in the physical security industry, we provide solutions that help companies protect people, assets, facilities, and information. Project managers fill a key role in this process and are central to the successful deployment of projects. Measures of success are changing in this information age and project managers need to be equipped to handle the increasing importance of cyber security risks when deploying their projects.
Statement of Need
We all deploy products that are attached to networks. As we have seen in news headlines with Target and most recently with the denial of service attack against Dyn, cameras, routers, and automation equipment are all being used as entry points to start cyber attacks. In researching our industry, there are some unfortunate truths about the current state of our cyber security awareness and implementation:
Most Products have Vulnerabilities
The simple truth is that many of the devices we install were never built with cyber security in mind. Because of this, the devices are vulnerable to many cyber exploits that we, as dealers, know nothing about. Often times we are notified of these cyber issues by our clients and only sometimes proactively by the manufacturers.
Large Clients are Investing in Cyber Groups
Increasingly our discussions with IT groups are including a representative from their cyber security team. Our clients are building out entire teams to address and mitigate their cyber risks and one of their first actions is to assess the methods and effectiveness of the vendors that attach devices to their network. As dealers, we need to be engaged with these groups and provide solutions that meet their needs.
Deployments on Production Networks
For many of our smaller customers and some of our less savvy larger customers, we are deploying the security devices on their production network. This network is shared with their users, servers, printers, and other devices. Because of this open nature, any vulnerability in a device we install is more easily exploited. Further, because they are on the production networks, they often have the ability to send information out to the internet that can be used in attacks on other networks.
Devices Deployed with Default Passwords
As an industry, we are not consistently changing the passwords on devices away from the manufacturer default. The default passwords are easily found on the internet and using them compromises the integrity of the entire network. This is one of the most avoidable risks that our industry introduces to our clients.
Firmware Updates are Not Being Applied
The ability for devices to be secured relies largely on the firmware that is available for that device. New firmware comes out frequently for each product and dealers often neglect keeping the firmware up to date.
Expectation of Responsibility
Many clients expect us as dealers to be responsible for any failures or vulnerabilities that are found in, or caused by, the devices that we install. Clients often do not realize that cyber security is an ongoing process and does not end when a project is complete. Often times, maintenance agreements are declined and we are still expected to remediate future vulnerabilities at no cost to the customer.
Since project managers are responsible for the communication of expectations and the delivery of quality standards, it is vital for them to be continually educated in the risks and processes necessary to be successful in delivering quality projects that meet the client’s budget, schedule, functional, and (now) cyber security expectations.
Project managers can be successful in delivering solutions that meet client cyber security needs if they implement the following processes:
Change Passwords from Manufacturer Default
All passwords for every device need to be changed and documented. Passwords should be updated for all new devices as well as for any devices that are serviced.
Secure Password Storage Solution
A secure method to store and retrieve passwords is critical as there may be hundreds or thousands of passwords depending on how many clients your company works with. This solution should be encrypted and authentication controlled.
Device Password Change Policy
Like user passwords on our own networks, device passwords should be changed on a periodic basis to ensure security and maintain alignment with client password policies. The frequency may be driven by the client’s IT policies, but bi-annually may be a good target to meet policy and security needs.
Device Firmware and Software Update Policy
Device firmware and software are critical because they include any fixes to known cyber vulnerabilities. Information about cyber threats come out daily and manufacturers are constantly working to create new firmware and software to address these threats. As dealers, we need to keep pace with these updates and install them on a periodic basis.
Device and Network Hardening
Most security devices are IP enabled and attached to a client’s network. In many cases, dealers are also providing switches, wireless routers, or other networking gear as part of the security solution. We need to work closely with manufacturers of security and network equipment to get documented cyber hardening guides and best practices for installing, configuring, and hardening their devices.
Device Cyber Testing and Validation
Dealers are responsible to their clients for the solutions and devices installed. Dealers should be working with the manufactures to implement cyber testing processes to validate that new devices and technologies meet the functional need of the client without introducing additional cyber threats to the network.
It is important to recognize that project managers cannot achieve these goals alone and will require the support of executive management, operations, sales, estimation and most importantly the manufactures. This needs to be a companywide initiative for all dealers.
Communication and expectations are the most important aspects of project management. This holds true with respect to cyber security as with construction and physical security. The entire process starts with identifying client needs, current policies, and environment. Communication needs to start during the sales cycle in advance of a project manager engagement, so success can only be achieved with a team effort across all departments as a dealer. Below are the recommended steps that should be taken to position all parties for success:
Identify Client’s Cyber Compliance Needs
Many clients have regulatory and policy driven requirements to which they must adhere. These requirements are not disclosed at the beginning of the sales or estimating process. These cyber compliance requirements can be used by the project manager in the other recommended steps.
Identify Cyber Hardening Capabilities
Different devices have different levels of cyber hardening capabilities and these capabilities need to be matched against the client’s cyber compliance requirements to ensure that the solution meet everyone’s needs.
Identify Network Architecture
IP networks can be powerful and complex systems with VLANs, segments, routing, and QoS. Devices that are installed by dealers are attached to these networks and some of them, like cameras, can have a major impact on the performance of the network. Dealers and project managers need to assist their clients with making sure that the devices that attach to the network are known by IT and to assist security or facilities departments with understanding the impact on the IT infrastructure.
Plan for Additional Time
Meetings with IT, validation of device capabilities, configuration and hardening of devices, and ongoing updates and maintenance related to the cyber security integrity of any project take additional time and resources that may not have been planned for in the past. Since these things are becoming increasingly required by all clients, dealers need to plan and budget projects appropriately so that project managers can keep costs in line with estimates.
Update Internal Project Management Process
Many of these recommendations may be new to the dealers and will need some form of documentation to ensure consistency. There are many things that project managers are responsible for and it is not practical to perform effectively from memory alone. Project management process documentation should be updated to include the recommendations made above and may also include checklists and change management documents to keep the project organized.
Cyber security can be a complex topic to address effectively, but it is not impossible. By using some of the recommendations listed above, project managers in our industry can deliver better solutions that address the new cyber security needs of our clients and do it in a way that increases the value we bring to our clients.
We all need to band together and work with PSA to get the manufacturers involved in solving the problem as well by designing products with cyber security in mind and documenting the steps necessary to harden them. By working together we can change the way the manufactures and our industry look at cyber security and make all of our products cyber safe. Finally, this is something we all need to take action on now. The industry is changing and there will be little room for us if we cannot change with it. The threat of cyber attacks is real and it is no longer acceptable to be ignorant of the technology and pretend that it is someone else’s problem.