Product Cybersecurity Starts at the Factory

 

Effective cybersecurity isn't just about software; it's also about how products are built

By John L. Moss

John L. Moss is Chief Product Officer of LenelS2

 

If any single topic stands out as an influence on software development over the past five years, it would have to be cybersecurity. Cybersecurity hit the consciousness of the general public with the US Senate hearings investigating the Target data breach (covered in Connect, January 2017). Since then, we’ve experienced distributed denials of service, ransomware, infected mobile devices and worse.

Many cyberattacks are based on penetrating a firewall between your local network and the rest of the world, often through an email message infected with malware sent to an unwitting user behind your own firewall. Another way to achieve that unwelcome result is through the routine installation of either a device that comes from the manufacturer with a security vulnerability or a cloud service that has a similar weakness. The havoc that can be caused by an exploit of this type is frightening to think about. Worse, our industry has already suffered several such exploits, most recently through IP video cameras.

There are software coding best practices that reduce susceptibility to attack. At LenelS2, we work to minimize these risks. The focus on product cybersecurity in the LenelS2 development process emphasizes security by design: it starts with the product concept and runs through the entire product lifecycle – updates included.

The Security Engineering Team at LenelS2 focuses on security at the product level by specifying best practices for design, coding and software maintenance. The team extends its work beyond the development phase of the product lifecycle by making a frequent survey of threats. Threats are evaluated by nightly automated code scans that detect potentially at-risk software and bring it to the attention of developers, who evaluate its severity. In the most urgent cases, software patches are immediately developed and posted.

Our Security Engineering Team goes beyond automated scans by ordering software penetration tests that actively attempt to compromise code we run in the field; it’s like us attempting to hack ourselves. Periodic “pen testing” allows us to assess vulnerabilities in a deeper way than the nightly automated tests permit.

Software development, production and maintenance are the manufacturer's side of a cybersecurity plan for your security management systems. Beyond what we do at LenelS2, hardening individual deployments should take place in the field. Hardening includes assessing the strength of your security program starting at the servers and going to the edge of the architecture – readers, cameras and other field devices.

As mentioned in Jeff Stanek’s column, users of Wiegand technology readers should consider opting for OSDP-capable readers that secure communication all the way to the edge, providing reader supervision and data encryption. OSDP support is provided in recent generations of the Mercury Security field hardware supported by both OnGuard and NetBox systems. LenelS2 will shortly announce the introduction of OSDP-capable interface boards for the Network Node series products, in support of NetBox systems. 

OnGuard users should reference the Hardening Guide available for versions 7.4 and 7.5 for detailed information on increasing the cybersecurity of those systems. The information provided in these documents covers various areas across the OnGuard solution suite and includes instructions on how to integrate them into overall IT policies.

At LenelS2 we are committed to staying vigilant regarding the cybersecurity of our solutions and working with you to employ best practices to ensure that your security systems are not vulnerable to exploits.
