Interview with Glenn Foot, chair of the Cyber Security Product Assurance Group at the British Security Industry Association

The British Security Industry Association (BSIA) is the trade association for the professional security industry in the UK. Members are responsible for UK security products and services including the manufacture, distribution and installation of electronic and physical security equipment and the provision of security guarding and consultancy services.
The BSIA have long been concerned with the ever-increasing use of internet connected devices and systems in electronic security and how the growing links to home and business networks can leave individuals and companies vulnerable to cyberattacks. In response to this, the BSIA have formed an interest group known as the Cyber Security Product Assurance Group (CySPAG). The group consists of security equipment manufacturers, electronic security installers, alarm receiving centres representatives, inspectorates and specialist cyber experts from the wider industry who are focused on reducing the risk of product related cybercrime.
Chairman of the CySPAG group is Glenn Foot, product manager at global power management company Eaton. At the cutting edge of cyber security integrated products, Eaton has been collaborating with renowned standards leader UL (Underwriters Laboratories) to establish global cyber security research and test labs. Glenn is an experienced manufacturer and all too aware of the sophisticated threats from connected technology. We caught up with him to speak about the CySPAG group and the importance of the whole supply chain working towards the same cyber security goals.

When was the CySPAG Group developed within the BSIA?

CySPAG met for the first time in 2017 to define its objectives and lay the groundwork for future projects. We aim to provide the professional electronic security industry with the tools and materials that enable security companies to manage the cybersecurity impact of their products and systems.

What are your views about physical security and the increasing integration and cross over with cyber security?

Smart or “cloud-connected” security systems enable the controlling and monitoring of security systems anytime, anywhere through internet connected devices such as smartphone apps or internet browsers. This technology provides installers, end users, alarm receiving centres and third-party communication companies with more flexibility and information than ever before. While we welcome and embrace this new technology, we do this while recognising the additional risks that smart security technologies bring with them, and encourage the industry to use risk mitigation techniques to manage those risks.

What is the awareness of cyber security like across the private security sector?

Awareness is mixed, and this was the main reason we created our CySPAG group, as we were concerned by the use of new technology in the industry and the lack of guidance in terms of how to deal with it. Some sectors of security such as CCTV and access control are used to utilising cyber enabled products, as it has been around a lot longer; it is relatively new, however, for the intruder alarms sector and even more so for the fire sector.

What are the benefits of internet connected systems within the private security sector?

These connected systems bring ease, convenience and accessibility of use for both installers and consumers.

  • Different systems can now interact with each other – a fire alarm could talk to an intruder alarm. They could be aware of what each system is doing and then can act upon a threat as a single connected system rather than as stand-alone systems.
  • Consumers have far greater levels of access and control to their security systems, for example using an app on their smart phone to see in real time who is outside their building.
  • Installations are much shorter. Typically, a system will have a keypad with a two-line display where the installer will need to select hundreds or thousands of configuration options. You can imagine how long it can take to configure a system with such a limited display compared to using something like a laptop screen to display all the options in an easy-to-use user interface within a web browser. Now a company can even have tandem working: one fitter goes to the site, screws everything to the wall and connects it up, and somebody else in the office does all the configuration.
  • Better diagnostics and information, for example where an installation isn’t performing as expected the installer can remotely access vital information, diagnose a concern and take corrective actions without the need to physically travel to the installation, saving not only time but also reducing the carbon footprint to resolve a concern.

The security industry has the advantage that professional installation requires you to use an approved installer; ongoing maintenance is usually also part of a package. Cyber security threats are changing all the time, so applying updates and ongoing maintenance in an efficient manner is essential for continued security.

What are your thoughts on the Government’s latest proposals for regulating the cyber security of consumer ‘smart’ products?

I think this is a very good idea. Unlike our industry, where there are now defined roles and responsibilities through the BSIA ‘Installation of safety and security systems – Cybersecurity code of practice’, in the consumer world there is no ownership of cyber security, so introducing legislation to help protect consumers can only be a good thing.

Can you tell me more about the Codes of Practice that CySPAG is developing?

CySPAG is continuing to support the installer code of practice with some example and guidance documentation, as well as training aimed at supporting installers in adopting this code of practice.
The next phase of the CySPAG work is to focus on a code of practice for manufacturers that will take the same practical approach as the installer document and will also complement it.
The code of practice both for installers and for manufacturers of a cyber security system intends to bring visibility to everyone in the supply chain to collaborate towards the same goal. All parties need to accept the extra work involved as part of normal work flows to ensure that devices remain secure.
Our code of practice for the manufacturers addresses core principles, things like default passwords. It’s probably the biggest weakness for products and can allow even a basic hacker to take control of that system. These days, we need to build our products assuming that the network is full of hostile devices; we have to assume the worst.
The codes of practice are the BSIA’s attempt to help the security industry practically without placing onerous requirements on businesses or industry practitioners.

What is your advice to businesses who use an increasing amount of electronic security products and systems that connect to the internet?

The sales of these devices and systems focus very much on the features and benefits, with very little information in many instances regarding the cybersecurity lifetime of a product.
The life cycle of a product is decreasing compared to non-connected products manufactured 20 years ago; the main driver for this is the ever-changing threat of cyber, and it is very difficult to predict how long a product will be secure. Software updates are a key approach to keep products secure, but you get to a point where the hardware becomes the vulnerability. At that point, no amount of software updates is going to fix the problem. And that’s when the life cycle gets shorter.
I would advise businesses to think about the product(s)/system(s) in terms of their lifecycle rather than what they can do today: think about how they are maintained and updated, and think about how they will be assessed in terms of their cybersecurity performance.