
Cyber responsibilities

SECURITY

Taking cyber seriously

This month we meet up with Glenn Foot of Eaton to talk about the trends in connected technologies and find out how a new scheme is aimed at improving cyber security for all parties.

It was announced recently that Eaton Security had become the first company to sign up to CySPAG, the British Security Industry Association’s (BSIA) cybersecurity group code of practice for safety and security systems. Speaking at the time, Glenn Foot, Chairman of CySPAG and Product Manager at Eaton, said: “It is important that the industry takes responsibility for itself rather than being dictated to by other organisations.

“Unlike many cybersecurity schemes where the product is the main focus, CySPAG has taken a much broader view and recognised that not only manufacturers of products, but the installer and client are key links to a cyber secure system. This code of practice ensures professionals within the security industry are taking all reasonable precautions when installing security equipment that has a cyber exposure.

“The overall aim is to ensure products are produced and installed securely.”

To find out more about the scheme, why Eaton signed up and where the business sees the future for networked technology we caught up with Glenn Foot and began by discussing the current issues of note in the sector:

Are you seeing any trends in the market today? There are a couple of technology trends such as the move towards IP, wireless systems and remote monitoring and management, but the main issue across the board is that the security sector is experiencing a lot of challenges with the supply chain. I imagine for the end customer it might be hard to believe how many different factors are involved with system manufacture from sourcing different components to redesigning products that will work with different components and the amount of effort involved in the process. Plus maintaining price is extremely difficult in these times with freight costs going through the roof and all of this means that planning is more critical than ever. And because the supply chains are overstretched it means that it is harder to react to new projects as instantly as we are used to. Despite all of this I’d say we've only had a few blips in supply and have generally managed to keep the entire product line going.

This is not a problem exclusive to the security market is it? Every industry has been affected and we're all fighting for chips because the development of electric cars has massively reduced the number of units available – mainly due to the buying power of massive corporations that can put themselves ahead of the queue for components. Fortunately we have got very good, established suppliers that we've used for years and they are able to give us lead times going up to two years ahead. The problem of shortages affects the whole supply chain at the moment, from the manufacturer all the way through, but Eaton is a large global organisation so we also have good buying power in the market which has helped us a lot across all of the sectors we work in.

How powerful is the Scantronic brand today? When I speak to someone for the first time it is quite often that a mention of the name Scantronic will register with them more than the name Eaton or, prior to that, Cooper Security. It is still one of the sector’s most recognised and oldest brands. There are installers that have worked with Scantronic for years and won’t fit anything else which is a great endorsement for us.

What have been the major technology developments for alarms? Our main focus in recent years has been IP connectivity of the systems to the point that today we've embedded IP functionality in all of our SecureConnect enabled panels; there’s no extra module required, the unit has IP connectivity out of the box. Taking that to the next level, we have our own cyber security division at Eaton who perform cyber security testing of all connected products before they are released to the market. We've really taken a stance on connectivity and security because you can have all of the features you like but if the system is insecure, then you are going to have trouble at some point. We’ve had that approach since 2008 and it carries right through to our Connect cloud platform today, which is fully encrypted and secure.

Is that why you have signed up to the BSIA’s CySPAG initiative? Yes, primarily because we wish to support the industry in moving forward in its approach to cyber security, which is why we were the first company to sign up to it as well! I was actually part of the industry-wide team behind the development of the scheme, yet even while we were compiling the requirements of the campaign I realised that Eaton had already got those measures in place. I honestly believe that CySPAG is a scheme that the industry needs because it's not enough for a manufacturer to say they are secure, they should be able to demonstrate their commitment to it and at the moment there isn't a cyber security standard or a common test that you can do to demonstrate how robust your networked technology is. CySPAG was created to enable manufacturers to show that they had committed to best practices when it comes to cyber security and I sincerely hope that other companies will join us on the scheme. We all need to be working together on this for the betterment of the whole sector.

Does it surprise you that we’re in 2022 and still talking about cyber security? Absolutely not, cyber security will always be an evolving topic which needs to be focused on as new threats are always emerging. I think that most manufacturers in the industry are taking the right cyber steps but now they have the opportunity to sign up to a scheme that proves it and provides the information about what will happen should any problems arise. Take security updates for example, we've committed to doing security updates for two years after we make a product obsolete; so not two years from manufacture, two years after the date of obsolescence. Which is a cost to us but we’ve made that commitment to the market so that everyone knows that the system is supported.

Is that the main benefit for installers then? It will mean that they’ll know that they’re not going to fit a system that is going to be left on its own - it will be kept up to date. However there is another side to CySPAG which is a code of practice for the installer. Both codes were written around the same time and so far only the manufacturer’s registration scheme has been launched. The installer scheme is currently being trialled by NSI with the intention to make that a registration scheme as well. This will recognise those installers who follow the code and give their customers cyber security peace of mind when they have work carried out.

So to confirm, CySPAG is something that manufacturers and installers will sign up to – it’s not awarded approval? CySPAG registration is only awarded once the manufacturer or installer has proven that they are able to meet the requirements of the scheme, it isn’t just a tick the box exercise. The scheme is very different to anything in any industry at the moment. A lot of schemes focus only on technology, but because we are a professional industry in which products are manufactured and then installed, there are some great responsibilities for involved parties. The best approach to cyber security in our view is that it is a shared responsibility, meaning you can't put it all on the installer and you can't put it all on the manufacturer. The best example of this is with regard to security updates as manufacturers need to supply and communicate updates and installers need to make sure that these are installed – any break in that chain and the system may not be secure. This is why there will be two codes to CySPAG and as an industry we need to take collective responsibility.

What has been the impact of DIY security systems? From a cyber security point of view, I think homeowners may be exposed to a higher risk if they use DIY systems. With a DIY system the level of cyber protection is often unknown and without any official support. This can easily lead to the system becoming insecure as there is often no commitment from DIY manufacturers as to when or even if they will provide security updates. Additionally, if a system is totally reliant on an internet connection or an app to set up and control it, then this is ultimately not a robust and reliable security solution; if the internet connection fails or the mobile device runs out of battery, then the homeowner can be left with a non-functional or totally out of control system. Installers that fit products compliant with EN50131 are providing homeowners with a much more resilient, reliable and robust security solution because the standards that the manufacturers follow ensure that a simple thing such as loss of internet connectivity would never compromise the security of a system.

What is CySPAG?

The BSIA’s security equipment manufacturer’s cybersecurity registration scheme, launched through its special interest group, the Cybersecurity Product Assurance Group (CySPAG), is a self-declaration registration scheme based on the requirements of BSIA Form 343, Manufacturers of safety and security systems cybersecurity code of practice. Its aim is to provide a level of confidence to the supply chain that products procured for use in safety and security systems have been produced by CySPAG registered manufacturers who have processes in place to manufacture and supply products using cyber risk mitigation techniques and provide ongoing support throughout the product lifecycle.

To support the scheme, the BSIA has created a CySPAG registration website, which allows companies to self-declare that their product(s) are produced using the process described in the BSIA’s Manufacturers of safety and security systems cybersecurity code of practice. Once accepted, the company will receive a certificate and can use a CySPAG badge of assurance on their products. The self-declaration will be valid for twelve months from the date of acceptance to the scheme, at which point the self-declaration must be renewed for ongoing registration.

The scheme is open to both members of the BSIA and also non-members, with registration fees based upon the company’s status. Over the coming months the BSIA is planning to launch a scheme for installers.

So what will be the future for security systems? Connectivity will be key, more and more systems will be connected by default, this unlocks new possibilities for installers where they can offer new services such as remote servicing and even remote call outs. Connectivity can help reduce costs and the impact to climate change through the reduced need to physically travel to installations to provide support to customers. Integration with other systems such as home automation will continue to grow, driving toward the totally connected house of tomorrow. A simple example would be that when the security system is set, the heating is turned down and lights automatically switched, therefore saving power when the building is not occupied.

Finally, what do you think will be the big industry talking points over the next few years? We've got a lot of technology changes in the pipeline such as the PSTN network disappearing as our communications go IP, which will be a major change for the industry as many systems have utilised PSTN for speech dialler devices and ARC communications over many years. IP based solutions will replace the old technology.

The 3G service is also being phased out along with 2G, although 2G is expected to take a little longer to disappear. The coverage of 4G is increasing every day, which means access to high-speed mobile connectivity is always improving, which can give the same level of connectivity as if you were plugged into a router, so installers can now benefit from remote access to systems without the need to worry about router connections. With 5G also rolling out, mobile internet connectivity will only get better.

Using our SecureConnect solution installers can do almost anything remotely with the same level of control, maybe even slightly more, than using the keypad. The way that installers react to problems will change and will not always require a physical call-out, drastically improving the speed of response. I expect that installers will be able to be more proactive, productive and generate more business by using connected solutions in future; in fact we’re already seeing that happen with the technology that is out there today.
