As physical security continues to move away from siloed systems to a more open, API-focused approach to product and system integration, cybersecurity is becoming a vitally important part of the equation and conversation from day one. And while the physical security industry has been slow to adapt technologies like edge analytics, machine learning and AI, the industry is finally starting to catch up with what IT has been seeing for years.
“I had spent my entire life conducting cyber warfare for the NSA, and when I came to this field, I was blown away by how far behind everything is,” says Will Knehr, senior manager of Information Security and Data Privacy at i-PRO America, during the session entitled “How Cybersecurity, Edge Analytics, and AI Have Impacted the Design and Implementation of Physical Security Systems” at the GSX conference in September. “When I walk around the [GSX expo] floor, all I see are devices that are entry points into networks. I see those as pivot points. I see those as things that I can own using my laptop in 2 minutes or less.”
Knehr says he would like to see the security industry embrace a standard such as the Federal Information Processing Standards (FIPS), for federal computer systems that are developed by National Institute of Standards and Technology (NIST). These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. While FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards, especially “when it comes to secure software design, when it comes to understanding which controls need to be in place when it comes to encryption,” says Knehr.
He continues, “I get it. I understand. I know that when [companies] are designing and making the product, sometimes security isn't at the front of their mind. But this product that gets deployed is often what we call mission-critical or critical infrastructure [and is] going into schools, hospitals, energy systems – whatever else it happens to be – and they're so easy to take advantage of. What I would love to see is the embracement of national standards and industry standards and for us to all comply with those as an industry.”
Steve Reinharz, CEO at Artificial Intelligence Technology Solutions, Inc., hopes for the same thing on the AI side of things, which is a new territory for many within security. “We're working on creating more standards, particularly around artificial intelligence, machine learning and deep learning, so the vetting and selection process is easier,” says Reinharz. “I'll be the first to say that the process is going to take a while, but from the industry standpoint, we're trying.”
Jeffrey Slotnick, CPP, PSP, president at Setracon ESRMS, agrees that the industry needs to be much more united on standardization. “Now we're in an area where we have what I call the alliances … you have the one alliance over here; you have the other alliance over there. What they're saying is, ‘If you buy into our alliance, then you know we'll give you all the codes and then we can create equipment to sell around it.’”
Slotnick is excited to see manufacturers and service providers now working to create secure APIs to integrate at a much higher level. “I want plug and play. I want to, as the consumer, be able to pick any device that I want and plug it into a system just like I plug a camera into my laptop at home or plug a printer in or any USB device and just handshakes and we go to work. I'd love to see that in the physical security industry because what it's going to do for us is allow us to really put things back in the hands of the consumer. Because this camera from this company does a really good job at doing this, but this one from this company performs this action a little bit better, and I want both cameras. So, I think we're heading toward that true integration.”
He continues, “But firmware and software, they've been a little bit reluctant to move in that direction because we're of this mistaken philosophy that if we give up proprietary controls, what we're doing is we're giving up ownership and we're giving up revenue, but I think that is an absolutely wrong model. I'm hoping we'll get to true integration sometime.”
As Antoinette King, founder of Credo Cyber Consulting LLC, points out, “There's a legacy machine that makes money for the big companies, and until they're really pushed by disrupters, like we are seeing now, there isn’t going to be true change.”
Reinharz agrees, noting, “We must drive that change as an industry … we cannot continue to allow products to be made without thinking about security of the products being developed. And I know it's costly and it takes a little bit more time, but you must do it in the beginning and not as an afterthought.”
Purpose Built vs. Network Based
As King explains, designing, implementing and maintaining physical security systems used to be relatively easy, as they were purpose-built systems designed to deliver specific security safeguards, while also providing a physical deterrent to criminal activity and forensic evidence for use in investigations and court. “All that continues to change and further evolve with the development and implementation of intelligent networked system solutions driven by advanced AI-powered hardware and software solutions,” she explains. “Thus, moving away from specific purpose-built technology to network based sensors and multi-use business enablement technology.”
King aptly points out, “We're pushing a lot of the compute power to the edge. We're integrating other solutions that are not security related, so business intelligence-type analysis as well that's integrated into the security stuff now – identity and access management doesn't just mean a card presented at a door, but now that same credential potentially could get you into your computer and single sign on and things like that.”
With so much more being connected, it creates what King calls “hybrid threats – these physical and cyber threats” … so how does that impact when you're designing the physical infrastructure, from the locks to the cameras. While there is always going to be that mechanical and physical side of things, we need to look at how systems and products are communicating, for example.
“Where do those vulnerabilities lie is those APIs and integrations?” says King. “That's the weakest link. So even if you have secure code in your program, when you're integrating that with something else, that connection, that API could potentially be where the vulnerability is, especially if you're not keeping things updated. We're not just thinking about a lot of that stuff because we're trying to get these systems out there.”
The panel also discussed the opportunities available on the managed services side of things for security professionals. “This is an opportunity for security integrators in particular to create an RMR model,” says King. “Working with the customers on a managed services side of things to keep systems up to date, making sure those APIs are, you know, protected, making sure firmware is updated, making sure that whatever the new latest threat is that the system is going to be able to withstand that.”
Data is the New Oil
An interesting area that the panel delved into is the use of AI to process and analyze data for not just security but a multitude of operational efficiencies and business intelligence. As Knehr explains, we have data lakes everywhere with our social media data, with your location data on our cell phones, for example.
“This data about you is just sitting everywhere, chilling in these lakes, waiting for AI to come in and tag and figure out how to use it,” says Knehr. “Use it for you, use it against you, we don't know yet, right? But it's something that we have to be thinking about now. What data are you collecting, where are you storing it and what are you allowing access to.”
He continues, “On the positive side of that, I'm working with several clients right now and we're imagining what we can do with the data lake to be predictive of risk. So, we can now be proactive on a risk basis as opposed to being reactive.”
Today, buildings are pulling data streams that are produced by cameras, visitor management systems, access control systems, building automation systems, etc., “and aggregating other data like publicly available crime data and things like that, to actually calculate a real time risk for a particular building of facility and individual by bringing in all this data and then identifying real time risk before it occurs,” explains Knehr.
He points out that he is talking with clients about using 3D modeling of a facility to do the design and implementation of the security technology. “So being able to drop the cameras in the 3D model, seeing what you can see with the access control stuff in there, seeing what vulnerabilities and things you're missing. It's a lot easier to see it when you're looking at the whole picture than when you're walking the facility.”