Cybersecurity talk currently dominates many events in the physical security industry. And it’s about time, given that we are all playing catch-up in a scary cybersecurity environment where threats are constant and constantly evolving. I heard an interesting discussion about cybersecurity recently among consultants attending MercTech4, a conference in Miami hosted by Mercury Security and its OEM partners.

The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators. Factors such as training, standardisation and pricing were also addressed as they relate to cybersecurity. Following are some edited excerpts from that discussion. 

The role of the IT department

Pierre Bourgeix of ESI Convergent: Most enterprises usually have the information technology (IT) department at the table [for physical security discussions], and cybersecurity is a component of IT. The main concern for them is how any security product will impact the network environment. The first thing they will say, is “we have to ensure that there is network segmentation to prevent any potential viruses or threats or breaches from coming in.”
They want to make sure that any devices in the environment are secure. Segmentation is good, but it isn’t an end-all. There is no buffer that can be created; these air gaps don’t exist. Cyber is involved in a defensive matter, in terms of what they have to do to protect that environment. IT is more worried about the infrastructure.

The role of consultants and specifiers

Phil Santore of DVS, division of Ross & Baruzzini: As consultants and engineers, we work with some major banks. They tell us if you bring a new product to the table, it will take two to three months before they will onboard the product, because they will run it through [cybersecurity testing] in their own IT departments.
If it’s a large bank, they have an IT team, and there will never be anything we [as consultants] can tell them that they don’t already know. But we all have clients that are not large; they’re museums, or small corporations, or mom-and-pop shops. They may not be as vulnerable from the international threat, but there are still local things they have to be concerned about.
It falls on us as consultants to let them know what their problems are. Their IT departments may not be that savvy. We need to at least make them aware and start there.

Wael Lahoud of Goldmark Security Consulting: We are seeing more and more organisations having cybersecurity programs in place, at different maturity levels. At the procurement stage, we as consultants must select and specify products that have technology to enable cybersecurity, and not choose products that are outdated or incompatible with cybersecurity controls.
We also see, from an access control perspective, a need to address weaknesses in databases. Specifying and having integrators that can harden the databases, not just the network itself, can help.

The impact of physical security products on the network environment was a dominant topic at the MercTech4 consultants roundtable discussion

The need for standards on cybersecurity

Jim Elder of Secured Design: I’d like to know what standards we as specifiers can invoke that will help us ensure that the integrator of record has the credentials, knows what standards apply, and knows how to make sure those standards are maintained in the system. I’m a generalist, and cybersecurity scares the hell out of me.
We’re not just talking about access to cameras, we are talking about access to the corporate network and all the bad things that can happen with that. My emphasis would be on standards and compliance with standards in the equipment and technology that is used, and the way it is put in. It can be easier for me, looking at some key points, to be able to determine if the system has been installed in accordance.
I’m taking the position of the enforcement officer, rather than the dictator. It would be much better if there were focused standards that I could put into the specification – I know there are some – that would dictate the processes, not just of manufacturing, but of installation of the product, and the tests you should run accordingly.

Pierre Bourgeix: With the Security Industry Association (SIA), we are working right now on a standard that includes analysed scoring on the IT and physical side to identify a technology score, a compliance score, a methodology, and best-of-breed recommendation. Vendor validation would be used to ensure they follow the same process. We have created the model, and we will see what we can do to make it work.

Terry Robinette of Sextant: If a standard can be written and it’s a reasonable process, I like the idea of the equipment meeting some standardised format or be able to show that it can withstand the same type of cyber-attack a network switch can withstand. We may not be reinventing the wheel. IT is the most standardised industry you will ever see, and security is the least standardised. But they’re merging. And that will drive standardisation.

Jim Elder: I look to Underwriters Laboratory (UL) for a lot of standards. Does the product get that label? I am interested in being able to look at a box on the wall and say, “That meets the standard.” Or some kind of list with check-boxes; if all the boxes are checked I can walk out and know I have good cybersecurity threat management.

The role of training

Phil Santore: Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve. There are multiple levels from zero to a completely closed network.

Wael Lahoud: From an integrator’s perspective, cybersecurity training by the manufacturer of product features would be the place to start – understanding how to partner the database, and the encryption features.
We see integrators that know these features are available – they tick the boxes – but they don’t understand what they mean. Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organisation. That would be a good starting point.

The role of integrators

Wael Lahoud: Integrators like convenience; less time means more money. So, we see some integrators cut corners. I think it is our role (as consultants) to make sure corners are not cut. If you rely solely on integrators, it will always be the weak password, the bypass. We have seen it from small projects to large government installations. It’s the same again and again.

Even having an internal standard within an organisation, there may be no one overseeing that and double-checking. Tools will help, but we are not there at this point. I will leave it up to manufacturers to provide the tools to make it easy for consultants to check, and easier for integrators to use the controls.

Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organisation - so training is very important

The impact of pricing

Pierre Bourgeix: The race to the cheapest price is a big problem. We have well-intended designs and assessments that define best-of-breed and evaluate what would be necessary to do what the client needs. But once we get to the final point of that being implemented, the customer typically goes to the lowest price – the lowest bidder. That’s the biggest issue.

You get what you pay for at the end of the day. With standards, we are trying to get to the point that people realise that not all products are made the same, not all integrators do the same work. We hope that through education of the end user, they can realise that if they change the design, they have to accept the liability.

The big picture

Wael Lahoud: The Windows platform has a lot of vulnerabilities, but we’re still using it, even in banks. So, it’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it. That’s where the cybersecurity program comes into play. There are many vulnerable products in the market, and it’s up to professionals to properly secure these products and to design systems and reduce the risk.

Pierre Bourgeix: The access port to get to data is what hackers are looking for. The weakest link is where they go. They want to penetrate through access control to get to databases. The golden ring is the data source, so they can get credentialing, so they can gain access to your active directory, which then gives them permissions to get into your “admin.” Once we get into “admin,” we get to the source of the information. It has nothing to do with gaining access to a door, it has everything to do with data. And that’s happening all the time.


Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SourceSecurity.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SourceSecurity.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.
