Mass Transit Magazine: ‘Security in a Mass Transit Setting’

by David Sime and Hyong Cho on November 23, 2016

As anyone who has ever flown on a commercial airline since 2001 knows, security measures at airports are well enforced and the emphasis on traveler safety is all around the airport and its grounds.

Mass transportation, meanwhile, presents a special but not any less significant challenge when it comes to determining security issues. These facilities need to develop the means to protect a constantly changing and large population of passengers. And unlike airports these facilities often have hundreds of points of entry and exit on multiple modes — buses, subways, light rail, commuter trains, even ferries.

About 2 million Americans will use the nation’s airways on a given work day, while 35 million people will board some form of public transportation. In fact, statistics have shown that nearly 11 billion trips are taken on public transportation every year.

In some large metropolitan areas in North America where mass transit is well established, more than 20 percent of the area’s inhabitants get around via public transportation.

For transportation officials and their security providers, solving the mass transit security issue begins with determining the key concerns and then creating the proper responses via security systems, policies and procedures to mitigate the risks.

Although vandalism and graffiti are very visible signs of criminal behavior in mass transit settings such as bus stops and subway stations, this is not where transportation officials typically focus their energy. Fences and gates can secure out-of-service buses and train cars, as can remote surveillance methods to keep such vandalism at a minimum.

Instead, it is the day-to-day safety and security of transit riders and employees that should become the highest priority. This begins with creating the safest environment possible that is highlighted with appropriate signage and, when necessary, audible warnings, and supporting that with technology, such as surveillance cameras, that will document what has happened if an incident occurs.

Incidents of concern within a transit setting can take several forms, ranging from legitimate accidents or crimes to false claims, such as a faked fall down the stairs, to potential and actual suicides. Bus and subway stations also have become magnets for homeless people who may put themselves and others in harm’s way by trying to access less secure public areas within a station as temporary shelters.

If someone is injured on a subway platform and the transit provider is held liable, it could be on the hook for hundreds of thousands, if not millions of dollars.

Suicides are a major concern for operators, with personnel now being trained to look for individuals who seem distressed, are loitering in the area or are intentionally putting themselves in a dangerous situation, such as standing too close to the edge of a platform.

The deployment of video analytics, which can be programmed to send alerts when certain pre-set actions occur, can help determine when such dangerous behaviors come into play. Analytics can also be useful in alerting security about other suspicious behaviors at a transit stop, such as an unattended bag or package or a person going into a restricted area.

Whether it is on the bus, train or ferry or at the stops themselves, cameras and intuitive video management systems are the key to both active and forensic transit security.

By using the proper cameras and recording systems in a transit environment, quick-acting personnel can locate a person of interest who boarded a train at one station, follow him during his trip and produce a crisp, clear identifiable image at the end.

Those setting up the system thus should keep in mind proper camera positioning, resolution and motion-based changes to framerates or other compression settings.

A typical 30-foot bus often has six cameras — one each at the front and middle doors, two more within the bus and then one looking forward and another looking behind the bus. The latter two are important in the event of accidents to verify liability.

Some cities use buses that are up to 60 feet long and those can be equipped with up to a dozen cameras.

Train cars are similarly equipped with two to four cameras to view activity down the center aisle. Within the stations themselves, there can be from 15 to 30 or more cameras capturing wide-angle shots.

Train stations, which have a restricted point of egress, often deploy high-definition cameras to better support facial recognition software to get that actionable image.

Although bandwidth and storage can be a concern, with motion-based recording, the resolution can be bumped up during an event, resulting in a 1 megapixel stream jumping to 4 or even 8 mbps when needed. By changing the resolution on demand, end users can cut their storage needs significantly.

Transportation settings often rely on the same technology used in other security installations, primarily mini dome cameras, although there are some mini transit domes built specifically for the environment with the proper aesthetics. Because of vandalism threats, transit typically avoids pendant mounts, which can be more easily grabbed and damaged. Temperature ratings for cameras also come into play in cold climates with cameras often getting outdoor exposure.

As trains and buses move along their routes, especially those that service outlying areas, Internet connectivity becomes an issue as well. Because it may be difficult for video to be sent in transit, security bus barns are equipped with wifi so video from onboard cameras can be downloaded at the end of the day. And the use of hardened recorders at the stations allows security personnel to retrieve recorded video.

Today’s new buses and trains are constructed with the cameras onboard and newer stations also take security into consideration at the earliest design stage. Older infrastructure from long-standing subway and bus terminals can prove to be a challenge when adding security, but these issues aren’t insurmountable. Often the solution is to add more cameras to cover the same square footage because of less-than-ideal sight lines and to place conduit wherever it works best, which may mean positioning it under platforms or in other out-of-the-way places within older stations.

Looking ahead, transit security will continue to evolve, not only as new stations and modes of transportation are added to the system, but in terms of communicating with commuters. People can expect to get mass notification alerts on their mobile devices, and those same devices can provide vital data to transportation entities to better develop their overall systems.

David Sime is president of Contava, a security integration and IT company based in Edmonton, Alberta, Canada. Hyong Cho is senior account executive in the Reno, Nevada, office of RFI Communications & Security Systems, a diversified multi-system integrator. Both Contava and RFI are members of Security-Net.

Read the original article in Mass Transit Magazine.

Security-Net Partners with Sales Training Firm

Exton, Pa. – November 16, 2016 – Security-Net, Inc., a global provider of security system services to customers both locally and nationally, has announced a strategic partnership with Vector Firm to develop an enhanced sales training program for its team. Founded by Chris Peterson, Vector Firm is a consulting company that has specialized in developing training programs for more than 70 companies within the security industry.

The program is designed for Sales-Net members, a committee comprised of representatives from each of Security-Net’s 21 North American member companies, as well as each member company’s individual sales team to promote best practices and business development opportunities amongst Security-Net members. The program consists of monthly sales leadership meetings and a monthly sales webinar, with as many as 130 people participating in the learning program.

“By engaging in professional sales training across our membership, Security-Net is able to provide additional tools that we expect to see implemented consistently across our organization,” said Skip Sampson, President of the Board of Directors of Security-Net. “This is a great example of how we are able to provide greater value for our member companies.”

“The sales training engagement with Security-Net has been successful because of the sales leadership’s buy-in and commitment to the program. They’ve taken the baton from me every month and implemented the tools. Because of their efforts, our strategies and ideas are being implemented in the field within days of our sessions,” said Peterson.

Over the past several years, Security-Net has focused on creating committees to foster sharing of best practices and business development opportunities in specific areas. Sales-Net members collaborate on national accounts strategy, project management and lead generation. OPS-Net was created to enhance communication between project managers and installation teams, while Tech-Net brings together the top technical experts from each company to share information about the latest security products and to troubleshoot any technological problems or issues with implementation.

Hanwha Techwin America adds Security-Net to dealer network

Ridgefield Park, NJ (October 13, 2016) – Hanwha Techwin America announced a new partnership with Security-Net Inc., a leading provider of integrated physical security solutions. The agreement will allow Security-Net’s 22 affiliated partners to source the full line of Hanwha Techwin’s award-winning lineup of cameras, recording and storage solutions, network systems, lenses, monitors and other surveillance solutions as a gold level dealer.

“We’re enthusiastic about this partnership and the new avenue to market it affords us,” said Tom Cook, Vice President of Sales, Hanwha Techwin America. “We look forward to expanding our security and surveillance solutions across Security-Net’s network of customers.”

“The Hanwha product line resonates with quality and value and Security-Net’s member partners are well equipped to leverage these solutions with their outstanding sales support and technology expertise,” said Joseph Liguori, Senior Managing Partner, Access Control Technologies. “It’s a key addition to our program and will serve to strengthen our position and sales reach.”

Security-Net, headquartered in Exton, PA, was established in 1993 to serve the needs of private industry and the government sector with intelligent security system solutions. Member affiliates are located throughout the United States and Canada and, combined, offer approximately 60 regional offices and 1,400 dedicated professionals offering state of the art integrated security and surveillance systems.

For more information, visit

Security Guy Radio with Skip Sampson at ASIS 2016, Orlando

ASIS 2016 in the Final Analysis

by Rodney Bosch


While many exhibitors lamented about sporadic foot traffic, the 2016 event showcased current technology trends and served as a platform to unveil new branding for some companies.

How to define the 62nd Annual ASIS Seminar & Exhibits? That would depend on your perspective. If you were among those who wended through the exhibition floor aisles all three days, then there is a good to very good chance that you experienced thusly: The opening day (Sept. 12) mostly lacked zest throughout. Tuesday, you saw a far more bustling and livelier scene. And an abbreviated Day 3, as most shows go, petered out pretty quickly. That summation was supported by numerous vendors and attendees SSI spoke with throughout the event.

Yet, security pros who took part in keynotes, educational sessions, among other goings-on, all of which took them off the show floor multiple times during the event, likely witnessed strong participation in these core offerings from ASIS. For instance, SSI attended the massive gathering for an address by Department of Homeland Security Secretary Jeh Johnson. What keeps him up at night? A home-grown terrorist attack of the “lone wolf” sort. His comments were delivered five days prior to the bombing attacks in New York and New Jersey, suspected to be carried out by Ahmad Khan Rahami.

ASIS Int’l said the event, which was co-located with the (ISC)2 Security Congress and InfraGard 20th Anniversary Congress & Conference, attracted more than 22,000 registrants, representing 10% growth over 2015.

This year the organization made efforts to get more conference attendees onto the show floor, such as erecting the Integrator Theater in the exhibit hall. Among other ancillary activities, it also partnered with the DHS Office of Infrastructure Protection to stage the inaugural Security Week, a series of community preparedness and educational events designed to educate small business owners, community leaders and others about the importance of security and risk mitigation.

While the volume of booth visitors may have waned on the exhibition floor, several vendors and service providers SSI spoke with commented on the high quality of leads. For others, the show served as an opportunity to introduce their brands anew. Protection 1 revealed its “The Power to Do More for You” marketing campaign at the show, its first exhibiting appearance with ADT since the announcement of the leading providers’ merging earlier this year. Securitas Electronic Security, formerly the Diebold Security business, introduced its new branding amidst a large, eye-catching booth presence. Another example: identity management and biometrics provider Princeton Identity, formerly a line of business of SRI Int’l marketed under the SRI Identity brand, introduced itself to ASIS-goers as an independent company.

ASIS, however, is confronting larger issues than simply boosting attendance, according to Paul Boucherle, CPP, principal of Matterhorn Consulting and SSI’s Business Fitness columnist.

“While I always hope the best the reality can be disappointing. The new vendors that had great products or services stayed busy at their booths. The traditional tried-and-true suppliers that support this show were pretty light on the booth visitors,” he says. “The show floor was significantly smaller in its footprint and vendor booths. I think if this trend continues for ASIS leadership they will lose relevancy in a changing market. Most of the changes I saw were mere window dressing and reshuffling and not profound.”

Skip Sampson, president of the board of directors of Security-Net, said the integrator network has been exhibiting at ASIS since 1995 and came away with positive sentiments about the show this year.

“We always find this event important as it gives us the opportunity to meet face-to-face with our end-user clients and our technology partners. Our client reception this year exceeded our expectations with more than 400 people in attendance,” said Sampson, who is president of KST Security of Indianapolis. “We don’t measure the success of the event based on the number of badges we scan, but rather we find the client interactions at ASIS to be invaluable, whether we are meeting with clients on the show floor, in private meeting rooms or at our client reception.”

Among the more notable and compelling trends observed on the show floor: the further proliferation and advancement of video management software, biometrics, the continued deepening integration of video surveillance and access control, cybersecurity, video and systems analytics, situational awareness and robotics.

Indeed, for SSI Tech Talk columnist Bob Dolph, the Seminars & Exhibits remains a venue to keep track of current and approaching trends.

“This particular ASIS show I was impressed with the increased activity in and partnering with cybersecurity organizations. I can remember attending an ASIS conference over 10 years ago in which a roundtable of leading security experts stated their biggest overall security concern was cybersecurity,” he says. “It looks like that prediction is becoming more real today.”

The traditional Monday opening to the ASIS exhibition has long confounded many attendees and exhibitors. That will change for the 2017 edition of the Seminar & Exhibits, which will be held Sept. 25-28 in Dallas, and feature Tuesday-Thursday show floor hours.

Read the original article (and much more about ASIS 2016) at Security Sales & Integration.

Security Info Watch: From Giving Away to Giving Back

by Joel Griffin


As part of a new annual tradition at ASIS, Security-Net has decided to take the funds they once used on booth giveaways and instead make a contribution to a charity in the host city of the conference. This year’s recipient, Operation Freedom Paws, trains veterans to train their own dogs and certify them together as a service team as part of a 48-week program. The program helps veterans with post-traumatic stress, traumatic brain injury and other physical or neurological issues.

One of the time-honored traditions of any tradeshow is the booth giveaway. These giveaways by vendors can range from the extravagant, such as gift cards, tablets and televisions, to mundane everyday items like pens, candy and other small knickknacks.

While these freebies may generate good booth traffic, they may not necessarily result in quality leads for a company. Besides that, giveaways are yet another costly expenditure for vendors who have already made a significant investment in purchasing booth space and on travel accommodations for their employees.

Beginning at ASIS 2014 in Atlanta, Security-Net decided to take a different approach to booth giveaways. Rather than using the money they would have spent on items to give to those who dropped by their booth during the show, the security integration services firm opted instead to take those funds and donate them to a local charity. It’s an annual tradition they’ve decided to carry on at the host city of each ASIS conference after that. (SIW) recently caught up with Security-Net President Skip Sampson to discuss the organization’s reasons for starting this new ASIS tradition and how they plan to grow it moving forward.

SIW: What initially motivated you to want to give back to a charity in the host city of the annual ASIS conference?

Sampson: We got tired of seeing how much we spent on booth giveaways and some attendees would just swing by the booth and grab whatever they could without any regard for what they were taking. So, we decided that if we were going to spend the money we might as well do it where someone would benefit. This started with ASIS in Atlanta in 2014 where we purchased pecans as part of an in-the-booth giveaway and to support the Shepard Foundation in Atlanta for Spinal Cord & Brain Injury Rehabilitation. The organization benefitted because we purchased their pecans and then our clients got something sweet.

Last year when we were in Anaheim, Calif., Caterina’s Club, an organization that supplies over 6,000 warm nutritional meals to underprivileged children each week and provides homeless families with housing assistance, was the beneficiary of our donation. We purchased Fat Ass Fudge and the vendor took their proceeds and handed a check to Chef Bruno, the founder of Caterina’s Club. This donation was enough to put a family in need into their own apartment. We also posted information in our booth about Caterina’s Club, and a QR code, so that attendees could scan the code and make a donation on the spot.

SIW: Do you have a set amount that you give to each charity or is there something else that determines how much you will give as a part of this initiative?

Sampson: There is not a set amount of dollars budgeted each year, but we do try to always do more than the year before. So far the donations have ranged from $3,500 up to $4,200.

SIW: How do you go about selecting the charity that you’re going to donate to during the conference?

Sampson: Currently, we look for an organization that is local to the region where the ASIS show is located and do a little research on what’s happening in the area and how we can help. This effort has been championed by Gabrielle Kotke, who organizes Security-Net’s ASIS booth and is the Marketing Coordinator for Security-Net.

SIW: What really stood out to you about this year’s recipient, Operation Freedom Paws?

Sampson: Recently Security-Net partners expressed a desire to help veterans. What stood out about this program is that they’re giving comfort and assistance to amazing people who have served our country. The organization trains veterans to train their own dogs and certify them together as a service team as part of a 48-week program. The program helps veterans with post-traumatic stress, traumatic brain injury and other physical or neurological issues. The program helps veterans remain mobile, confident and active. After they complete the 48-week training program they are also able to provide service dogs to others in need of assistance.

SIW: What kind of feedback have you received about this annual charity giveaway from others in the industry?

Sampson: Frankly, we have not overly promoted our charitable giving. We decided to talk about it in hopes that other organizations might have had the same thoughts about giveaways that we did. We are committed to this charitable sponsorship plan we have been doing and are ready to challenge others to think about it too.

SIW: Is this an initiative that you’re going to be looking to possibly expand upon in the future?

Sampson: We hope to expand this each year and develop programs to encourage our sponsors to also get behind supporting a charity located near each ASIS location with us.

SIW: How can others in the industry help?

Sampson: It’s incumbent on all of us to help and pay it forward. Pick a charity and if you can’t get in the trenches and physically help out find out how your dollars can best be spent to improve someone’s life and give them an opportunity. It’s important that we give all people the gift of hope.

Race Is on For Better Video Compression

As new technologies emerge, the tried-and-true methods remain at the top of the heap — for now, at least.

As the old adage says, “Necessity is the mother of invention,” and there may be few areas where this is more applicable than in video surveillance. Camera manufacturers’ constant and continuing “resolution race” is creating larger video file sizes that can place significant burdens on bandwidth and storage requirements. Transferring these larger files requires end users to make larger investments in solutions, which drives up overall video system costs — often substantially.

The necessity in this case is the need to reduce these costs and make high-quality video affordable to a wider customer base. This need has borne the invention of a variety of compression technologies designed to reduce file sizes while retaining the quality images users expect from their cameras.

In the security industry today, there are four main compression formats: M-JPEG, MPEG-4, H.264 (also known as MPEG-4 Part 10/AVC) and the “new kid in town,” H.265 (the full name of which is High Efficiency Video Encoding, or HEVC for short). Of these, H.264 remains far and away the most common and most widely used for surveillance applications. And while there is a lot of buzz around the up-and-coming H.265, the reigning champion isn’t likely to give up its title anytime soon, says Brad Donaldson, vice president, product development, Arecont Vision, Glendale, Calif.

“Over the next 12 to 18 months we will likely see some adoption of H.265; however, I believe H.264 will still be more widely used over the next few years,” he says.

In addition to H.264’s demonstrated performance in reducing file sizes since the first incarnation of the standard was approved in 2003, its continued popularity is largely based on its foothold among manufacturers. But James Marcella, director of technical services, Axis Communications, Chelmsford, Mass., offers a more upbeat outlook on H.265’s potential rise.

“The vast majority of camera manufacturers support it as does the rest of the surveillance ecosystem including the VMS and analytics community,” he says. “H.265 is currently a niche offering from a few companies but will replace H.264 over the next 12 to 18 months.”

The ongoing development of higher and higher megapixel cameras has obviously created challenges with bandwidth and storage requirements for the larger video file sizes that are generated. H.264 certainly helps, but there is still a real need for more efficient compression, which H.265 promises to deliver. But given the conversation over the last couple years about its potential to solve these problems, why hasn’t H.265 been adopted on a wider scale yet? According to Marcella, it comes down to a number of issues, including licensing and royalty fees and a lack of support for the new format across the entire surveillance ecosystem.

In terms of H.265’s use in the products that make up surveillance systems, manufacturers have taken the lead, while software and other providers have lagged behind, which has presented another stumbling block for adoption.

“Camera manufacturers have started to release cameras that have H.264 and H.265 capabilities; however, the VMS companies are slower to react, with only a few so far that have released software versions that can use H.265 cameras,” says Chris Olson, director of engineering, Intertech Ci, Pittsburgh. “The VMS companies will lag camera companies for adoption as it requires a fair amount of work and testing on their end; the VMS companies want to see a broader camera commitment.”


While the industry continues to anticipate the rise of H.265, some manufacturers have focused their energy on developing more powerful versions of H.264 in the interim.

“Camera manufacturers have created ‘super’ H.264 solutions that dynamically change camera settings based on the scene to reduce bandwidth and storage,” Olson says. “Examples of two companies that have done this are Axis with its Zipstream cameras and Hikvision and its H.264+ Smart Codec System.”

These smart codecs are designed to apply compression differently based on factors within the field of view, which helps H.264 to deliver bandwidth and savings that are at least on par with H.265.

“Many camera manufacturers have come out with, and are continuing to come out with ‘smart’ H.264 codecs that allow for applying heavier compression to areas where there is less activity,” he says. “Some smart codecs also allow for dynamic GOP sizes and dynamic frame rate adjustment, which further reduces the storage and bandwidth requirements.”

While these tweaked versions of H.264 are helpful in the meantime, David Choi, product manager, Speco Technologies, Amityville, N.Y., says that like H.265, they fall outside of the standardized set of formats.

Efforts to create an accepted H.265 standard are underway, but one has not yet been released.

On the storage provider front, those companies are for the most part taking a “wait and see” approach to H.265 because of the extremely limited product availability at the moment, says Tom Larson, director of sales and engineering for Northbrook, Ill.-based BCDVideo.

“After the camera and VMS guys bring product to market, then we will start testing to see what the impact will be on the hardware as far as CPU load and disk storage to determine how many cameras and total bandwidth per server,” he says. “Since H.265 cameras are not mainstream yet, we have not done any of this testing.”


Perhaps the biggest potential hurdle to adoption is the perception that H.265 simply isn’t developed enough to be a realistic option for video compression. One issue lies in the codec’s ability to live up to the bandwidth and storage reduction claims that have been made, which Michael Sherwood, manager, professional services, Milestone Systems Americas, Beaverton, Ore., says is nothing new.

“Like H.264 when it was first released, H.265 is not currently showing a large improvement in storage and bandwidth but will very likely increase as the codec is further optimized,” he says.

However, those who tout the potential efficiency gains and cost savings from using H.265 are not necessarily being dishonest. The problem, says Brandon Reich, senior director of surveillance solutions, Pivot3, Austin, Texas, lies in the difference between theory and reality.

“H.265’s biggest claim is a 40 to 50 percent bandwidth reduction and some storage reduction, and that is probably going to happen with static images, ideal conditions, and continuous recording; but that is not real world,” he says. “The real world is image complexity and motion. In those cases, H.265 can lead to bigger spikes in bandwidth.”

Despite these challenges, H.265 will continue to make gains toward delivering on its potential, says Fredrik Svensson, who chairs ONVIF’s Profile T Working Group.

“It’s ready for prime time, but it is also somewhat of a work in progress in the physical security industry,” he says. “Ideally there would be support for your desired specific compression format in all parts of your physical security system — the VMS, server hardware, graphics cards and camera. It does take a while for all of these components to be ready. But it’s only a matter of time for widespread H.265 adoption.”


In general, Donaldson says, there are three camera parameters integrators must fully understand to properly deploy systems with the appropriate compression: frame rate, bit rate and image quality. Knowing these parameters and how they interact with each other is essential to calculating storage and meeting end users’ expectations, he adds.

“Adjustment for image quality will directly impact the level of compression while adjustment to bit rate and frame rate settings can indirectly impact the level of compression, depending on how the system is configured,” he says.

Of course, the first consideration — as always — must be the objectives behind each camera’s role in an installation, which will guide integrators toward choosing the compression format or technology that is best suited for the system as a whole.

“The ultimate goal is not to simply provide video coverage with the least bandwidth, storage or expense but rather to meet the customer’s needs so when the video is required it is readily accessible and of use for their given circumstance,” Sherwood says.

For those security professionals who ultimately determine that H.265 is the way to go, there are additional considerations that go along with that format, including substantially greater computing and processing requirements and impacts.

“Infrastructure requirements will increase,” Reich says. “Smart codecs can help mitigate some of that, but it will not eliminate it.”

In many cases, integrators can look to how another industry has traditionally dealt with these same types of challenges.

“It’s time to take cues from IT,” Reich says. “Be familiar with shared storage and computer resources, advanced resiliency and fault tolerance, mobility — these can reduce costs, improve reliability and bring real benefits to end users.”

It’s also important to consider that there may be other tactics or practices for reducing bandwidth in addition to — or instead of — technology.

“I always preferred connecting cameras to a private network switch directly on the recorder utilizing the secondary NIC,” says Adam Deegan, application engineer, Northland Control Systems, Fremont, Calif., and a member of PSA Security Network’s Technical Committee. “This allows [for a] security managed network and does not use up bandwidth to the building network.”

Because planning is key to any successful installation, integrators should have a firm grasp on network requirements and map out the infrastructure before installing anything, Choi says.

“Figure out the total amount of bandwidth and storage that is needed before installing the wiring and equipment,” he says. “As camera resolutions get higher, the storage and bandwidth gets higher as well, so that image quality is kept.”

A final piece of advice is to know with whom or what the video surveillance system may share the network and to collaborate with any additional stakeholders, says Christopher Wetzel, founder and executive vice president, Intertech Ci.

“One thing to keep in mind is if the surveillance system is located on a shared network and security is not in total control of the network, other systems can have a huge impact on the performance of the system from one day to the next. So it’s important to develop a positive relationship with IT,” he says.

For all its promise, it’s important to remember that H.265 is just the latest in a long line of compression formats driven by higher resolution. Therefore, it is not the be-all, end-all solution for reducing video file sizes, and others will certainly follow. Because most of these compression formats have transitioned to security from the consumer industry, Marcella suggests integrators keep an eye on that space to anticipate and better prepare for new technologies.

“There will always be a new compression format on the horizon. Keep your eye on the consumer electronics market for advances that will ultimately get repurposed into security products,” Marcella says.

Read the original article at SDM magazine.

The ‘Brave New World’ of Cybersecurity (And the Security Integrator’s Role in It.)

Integrators are aware that anything they put on the network could be vulnerable to cyberattack, but many are stymied by where to start to create a plan to fix it. Experts from inside and outside the industry know how.

Cybersecurity concerns are everywhere. From Target to Home Depot, to the Social Security Administration, to the recent [possibly foreign] hacks of the U.S. Democratic National Committee, it is almost impossible to turn on the news or read a paper without seeing something about cybersecurity.

The documentary “Zero Days,” released in July (and highly recommended as a must-watch by several experts) demonstrated with frightening clarity the speed and breadth of damage cyberattacks can have — thanks to the burgeoning Internet of Things we are all hearing about and striving toward today. But for the security integrator, who is down in the trenches of everyday problems and solutions for making things talk together, much of this discussion on cyber has remained on a higher level and still seemed like a “not us” problem. Not anymore.

As the Target hack showed the HVAC industry, contractors and others in the supply chain — such as physical security integrators — can unwittingly be the weak link that bad actors look for in an enterprise. And unlike other security concerns, cybercrimes cross all types of businesses, from government to the local drycleaner.

“In the past people would talk about cyber as firewalls and all the dark things that happen in data centers,” says Bryan Viau, COO, VTI Security, Burnsville, Minn., featured on this month’s cover. “Now manufacturers and CEOs have woken up and said, ‘These panels and cameras and readers are also portals into our networks.’”

Stephen Fisher, VTI’s director of business development, adds: “We are no longer hanging cameras; we are actually opening doors to the network at our client’s business.”

Even the word “cybersecurity” itself has undergone a revolution of its own in recent years. First used in 1994, Merriam-Webster defines it as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” However, in 2013 the research firm Gartner felt the need to expand this definition: “Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.”

Herb Kelsey, chief architect of Palo Alto, Calif.-based Guardtime, a company specializing in digital integrity for clients such as nuclear labs and other high-profile targets, says the current meaning of the term is less than 10 years old. “The idea of understanding what that network perimeter is, maintaining the integrity of that and monitoring it were best practices that got pulled into the terminology [over time].” What’s more, he warns, with the IoT, “We are about to create a much larger attack surface.”

At the highest levels, people are listening. In June, the European Union published a new directive requiring critical infrastructure to improve cybersecurity. This directive will require suppliers of services such as energy, transport, banking, health or cloud services to achieve minimum standards of cybersecurity. For enterprise-level U.S. integrators, that could have implications for their global clients, and eventually themselves, says William L. Brown Jr., senior engineering manager, regulatory and product security, Tyco Security Products, Westford, Mass. “We have had conversations where the integrator is asking, ‘If I have an installation in Europe and the U.S. and they are all sharing the same physical security data, how do we meet the EU privacy laws?’”

This is just the tip of the iceberg. “The end user is going to definitely ask for it,” says Paul Cronin, senior vice president of the IT services company Atrion, Warwick, R.I., and SDM’s “Today’s Systems Integrator” columnist. (See this month’s column on page 50.) “They will ask the integrator some qualifying questions to make sure what they are implementing fits in. The small company under 100 employees probably won’t ask. At 200 to 3,000 they probably will and the ones above that at the enterprise level won’t just ask — they are going to tell them what they need done.”

While the size of the company asking today may be the largest enterprise, that won’t be the case for long. The Providence Group, Washington, D.C., is a strategic consulting firm that specializes in cybersecurity and enterprise risk management. “There are a lot of needs in what we used to describe 10 years ago as physical and logical security,” says Dan Caprio, co-founder. “We are seeing a lot of clients and companies or industry sectors that have been traditionally only concerned about physical that we are helping to now understand cyber.”

Chicken Little ran around saying the “sky is falling” and nobody believed him. In the case of cybersecurity, those spreading the word may initially have gotten the “deer in the headlights” reaction, but increasingly, organizations from the U.S. government to industry to security organizations, manufacturers, dealers and integrators are listening.

“There is a tremendous amount of noise in our industry,” Fisher says. “There are manufacturers with hardening guides; industry organizations forming groups; the media; and our own IT and IS contacts that have come to us to say ‘How can we work together?’”

This is key, says Scott Sieracki, CEO, Viscount Systems Inc., Vancouver, B.C., Canada. “At a certain point we are going to get pushback from the CIO or IT saying, ‘Sorry, this system can no longer play in our enterprise. Freeze it where it is and you will either have to replace it or upgrade it.’ But the challenge is when that starts to happen, a different type of player may try to fill that space…. It is just a matter of time. Something is going to happen in the near future that will truly cause a point where if you haven’t already prepared yourself you will be standing there without enough business and you can’t play in this space.”

There are three primary drivers for cybersecurity today, says Ross Federgreen, CEO of CSR Professional Services, Jensen Beach, Fla., a company that specializes in data lifecycle management and breach reporting; and none of them have to do with being a “good guy”: 1. Regulations, 2. Others deciding they will or will not play with them, and 3. Insurability. “All of these cut to the core of any company…. Whether the end user wants to do it or not, they have to. And if the integrator doesn’t broach the issue, someone else absolutely will.”

Caprio adds, “The reason for convergence has radically changed. We are under attack and the adversary is winning. We have to be able to protect ourselves. The mistake we have made in physical and in cyber over time is in thinking we could just protect the perimeter and keep the bad guys out; but with the IoT and IP and phishing and malware and botnets, it is the technical and tactical expertise that is very important. You really have to figure out as an integrator how you do this strategically. You can’t protect the castle with a moat anymore. They have figured out how to get over it and we are all being challenged.

“The Target breach is a good example of a company that was considered to be doing best practices. And lo and behold, the breach came through their HVAC operator. What that really points to in terms of physical and cyber is a failure of imagination. In today’s environment you have to plan for those scenarios so you don’t become the next Target.”


As recently as a few years ago, much of the physical security industry still considered cyber to be someone else’s domain, and that attitude still persists today for some. Industry organizations like SIA, PSA, and ASIS have begun to loudly proclaim that this is an “everyone” problem. But it can be hard to see the forest for the trees of daily business concerns, particularly for the bulk of dealers and integrators whose customers have not been pushed themselves to consider cybersecurity — yet.

“The physical security industry hasn’t really understood the threat and they should if they are paying attention,” says Dan Dunkel, vice president of strategic partners, Eagle Eye Networks, Austin, Texas, and member of the cyber advisory board for SIA and PSA. “Every end point attached to an IP network is potentially vulnerable. What our industry has been doing for years is attaching cameras on IP networks without any thought of cyber protection. Hackers are now going after the low-hanging fruit, which is that connection point.”

Dunkel and many others speculate that this has already happened. It is only a matter of time until it makes the news. “The way we silo everything now and connect without any security practices in place, we are asking for a breach,” he says.

“I am not sure there is as much concern over this as there should be,” adds Steven Dillingham, senior director of software and integration, Oncam Grandeye, Billerica, Mass., and chair of the ONVIF Profile Q Working Group (Profile Q covers data encryption). “A lot of these systems are running over IP networks and using these standard protocols and there is a much greater opportunity for those to be disrupted by cyberthreats.”

Yet, integrators have been doing things this way for years without major incident, and customers are more interested in making their business processes work together than they are worried about what happens when they do. This was the mindset Andrew Lanning, co-founder of Integrated Security Technologies, Honolulu, had just two years ago, he says. “In 2014 we attended PSA’s cyber symposium and that got our attention because we didn’t have a lot of awareness, if any, in that space at that point. We weren’t aware of the impact to our company or our people or products we were installing and we took that as a real wake-up call.”

Not only did Lanning start educating himself and his staff about the issue, but he eventually became chairman of the PSA Cybersecurity Committee, advising others on the topic. “I began to study much more deeply what the IT industry had done related to cybersecurity and I realized we as integrators were doing none of those things.”

With customers in the DOD and government space, Lanning’s company was on the forefront of the cybersecurity push. “Business concerns drove me. In 2015 the NSA came out with guidance for the commercial industry that wanted to service the DOD. I met with NSA out here and asked, ‘Will this continue to push down the supply chain?’ and he told me, ‘The writing is on the wall.’

“I am already seeing contract verbiage that requires us to have cyber assurance…. We are included in that supply chain and we are surely a very weak link. It is not paranoia; it is a recognized vulnerability.”

Regulations don’t exist just at the government level. There are regulations for many vertical markets from banking to healthcare to schools, much of them revolving around data privacy. (See chart, page 70.)

“We are heavily involved in the energy industry so we are impacted by the NERC CIP requirements,” Viau says. “Similarly, banking and financial is another heavily regulated [customer block], and we are seeing it both with new opportunities and existing customers. They are asking about size, structure, training, insurance. Do we have a cyber plan? Cyber insurance? These are things we had never heard before that have nothing to do with the work we do. But we have to jump those hurdles to be qualified to even be considered as a bidder.”

This is a situation that is going to start happening more and more, says Bill Bozeman, CPP, president and CEO, PSA Security Network, Westminster, Colo. “It is soon going to be true that [integrators] won’t be able to walk into many end users’ facilities without having some cybersecurity strategy to discuss. Even the local donut shop is plugged into the network.”

Bozeman stresses the business case for integrators to be proactive — not reactive — when it comes to cybersecurity. “They actually could probably get by without bringing it up today. However, that is … about as risky as choosing strategically to save money by foregoing continued education and new technology. That company will go out of business.”

This sentiment is echoed by others, such as Vector Security, Warrendale, Pa. (SDM’s 2015 Dealer of the Year). “When we look across the range, there are quite a few of those customers that won’t know to ask until they have had a breach or problem,” says Steven White, vice president of business development. “In my mind that is not the time to do that. We should be leading this, not waiting for residential and small business to have a breach before we offer them solutions.”

And more and more will start to ask these questions, Federgreen stresses. “The actual regulations that drive this are completely blind to size. There is no mention of employee count or revenue.”

For themselves and their customers, whether large or small, integrators cannot afford to ignore the need to do something about cybersecurity today, Kelsey says. “The stakes are higher. The front page for cybersecurity breaches is not restricted to the Fortune 500. In fact, they can weather that storm better than you.”


For most security dealers and integrators today, the thought of cybersecurity is not only a little scary — it is overwhelming. The most common question to cyber experts and educators is “Where do I start?” Unanimously they agree on the starting point — protect your own “house” first. After that make sure you have enough expertise to at least talk intelligently about cyber to the client, and be able to harden what you are putting on their network to the best of your ability.

“We did a gap analysis with one of our auditing firms and identified areas that we were satisfactory in and ones we weren’t,” says Thom Helisek, vice president, information services group for Vector, of how the company began the process. “It all started with our interest in becoming responsible from a cybersecurity standpoint and putting together a plan to achieve that.”

For VTI it started with insurance — something a particular project required them to have in order to even bid. “We already had disaster recovery plans and business continuity plans but we were never challenged that we were truly protecting data. Quite frankly we went back to our customers and said this insurance is about firewalls and stuff; but they insisted we had to have it. It was quite a task, but at the end of the day it put us at an advantage. It was required of us, but it became a no-brainer.”

PSA has a list of questions that can help integrators determine where they are in cyber-preparedness. In a tiered protection scheme based on government NIST standards there are levels 1 through 5. Most security integrators are at “Tier Zero,” Lanning says. The PSA framework is loosely based on the NIST Cybersecurity Framework, a document that describes 800 separate controls. PSA also looked at guidance from the National Infrastructure Protection Plan (NIPP), the SANS Institute and the Cyber Security Center (CSC) to adapt the best of these resources for physical security providers.

Starting with a Tier Zero playbook, PSA developed a list of questions (see chart, page 60 for examples) to help integrators and dealers understand where they stand. “We have a list of 16 questions that are so basic they are considered Tier Zero,” Lanning explains. “If you can answer yes to all of those, then you are ready for Tier 1.” So far in his presentations, Lanning says, he has yet to find anyone that can answer “yes” to every question.

Checklists are only a beginning. In the case of the PSA list, the self-assessment portion is there to help you understand where to start. But while it is possible to do the actual gap assessments yourself, it is not recommended, Federgreen says. “When we get called in to do an audit, the first thing you hear is the IT director saying they have done a self-assessment and they have it all handled. Immediately we find 5,000 problems.”

After their assessment, VTI was able to get the insurance, and win the job. More importantly, it put them on the path towards cybersecurity, Fisher says. “The insurance was just one piece of the investment we have made. We have a program that defines user names and passwords and how we collect and store them in our database. We make sure we are changing passwords when we are supposed to be.”

Almost everyone has a variation of the same story about doing a self-assessment first — even PSA went through an audit, Bozeman says. “We found a minor issue that we corrected,” he reports.

While most are concerned going into a gap analysis, they generally find weak areas, but also find other areas where they are doing it right. In some cases it is a complete overhaul, but many more just require some tweaking.

IT and physical security distributor Synnex Corp., Greenville, S.C., has partnered with PSA as well as formed independent relationships with integrators that help with cybersecurity issues — including providing free assessments to integrator clients. Bill Black, information consultant, says these assessments have been enlightening in a couple of ways. “We have probably done close to 350 of these free vulnerability assessments for resellers and their end customers. Out of all of those five have passed [meaning they didn’t need to do any mitigation].

“With physical integrators what I have found is that I would run this against their own network first and a lot of the camera systems were accessible online but they weren’t secured. I could just pull up the video feeds and it didn’t require a username or password and if it did, it was the default. Those resellers said they had no idea it was set up that way. It was a wake-up call.”

Default passwords are a very common weakness, he says. Many of them are overlooked, or even unknown. “Some of these systems have multiple subsystems and you may change one password and not even know the other four exist. But if you open up the manual it will clearly state that to log in the first time, type in ‘admin admin.’”

Another weakness is possession of sensitive information such as passwords and other customer information and how the integrator handles it. Are the plans to the bank sitting in the integrator’s truck? “At the end of the day it is information we are talking about,” Lanning says. “I may have all the IT addresses or passwords for their equipment or credit card information. That is valuable information for a hacker.”

All dealers and integrators are different and not all of them will be as impacted as others — but everyone will eventually have to do something.

“It’s a cliff for some, a leap for others and a small marathon for most,” Cronin says. “Most of them aren’t even protecting themselves. It is just too far off what they typically think about. They aren’t even conscious of the fact that they aren’t doing it. They are depending on the manufacturer to secure the products and … expecting the IT guys and customer to have implemented the right cybersecurity solutions.”

If it is a marathon for the majority, expect to never cross the finish line, experts add. The line is constantly moving.

“It can’t be a point-in-time effort,” Helisek says. Not only does it require constant training to stay on top of the latest developments, but also a mindset shift in terms of sales and service to the customer.

“Far too often these devices are installed as if they were a toaster,” White says. “You can’t treat these devices this way. You have to have a plan to upgrade software and patch and this is something not all are prepared to support.”

And if the IoT keeps moving in the direction it is headed, even toasters may not be safe. But one thing is for sure, slow and steady wins the race.

“You can’t take it on all at once,” Cronin says. “I like the way we are rolling it out with PSA. First secure your own environment because you are a point of exposure. Then, now that you know that, make sure you have the skills and knowledge to secure your client.”


Knowing your own weaknesses is a universal place to start. But figuring out where to go from there is more difficult. This is not like the IP situation where learning to “talk IT” was a critical but very doable step for most integrators.

“Cyber talent is expensive and in short supply,” Dunkel says. “When I hear physical security integrators talking about hiring someone, I think they had better get ready to pay them; otherwise you end up with young talent, work with them for a few years while they get certified, then recruiters get to them and offer them much more money working for cyber companies.”

Cronin says “partner, build, buy” is the best way to approach cyber expertise. “Finding talented cybersecurity professionals is expensive and [difficult]. It is a significant investment…. Don’t think you are going to be able to necessarily handle it organically.”

Cronin recommends starting with your clients and asking them: “Are you working with anyone really good in cybersecurity?” Then ask that company if they are interested in partnering with you.

Cronin, Lanning and others strongly recommend that dealers and integrators look into cybersecurity conferences such as RSA (scheduled for mid-February 2017 in San Francisco) and seek cybersecurity training from organizations such as CompTIA.

“Right now if I were a physical security integrator I would figure out a way to get this PSA framework into your hands and start to get educated on it,” Dunkel adds. “I would go to these trade shows. I am amazed when I go to RSA that very few physical security integrators are at any of these shows. There really should be more of a cross pollination. We are still in this mindset that we are separate and siloed. But no board member in the country can say ‘I had no idea cyber was a problem.’ Not in 2016. That excuse is off the table and it is the same for the integrator. They can’t say ‘I didn’t know.’”

Vector chose to acquire, White says. “Almost three years ago we acquired a managed network services provider. We saw the industry changing and knew we needed to adapt to it. To do it organically was more of an uphill climb.”

Vector’s Helisek adds, “As a company we have taken cybersecurity very seriously; so while we practice those good habits internally, we also extend it out to our product and service offerings both through the security and the managed network side.”

VTI formed a strategic partnership with Secure Set, a cybersecurity university, Fisher says. “A couple of our colleagues are going through the program so they can speak intelligently about cyber. We have made investment in education through that partnership.”

Viau adds that in addition to training, the company is also hiring, including those with a higher level cyber IQ, although he acknowledges that there is a price for that. “We are experiencing the need to pay higher wages for people that are far beyond the traditional merit increase because they could be poached by another industry if we are not careful.”

But whether you partner or grow from within, the minimum is to have the same level of “cyber IQ” as you do IT, which is something the security industry has worked hard to gain in the past several years. Even if you don’t plan to become an expert, training is a huge component of being able to “talk cyber” like you talk IT now, Helisek says.

“I don’t think many physical security integrators are well positioned to become cybersecurity experts, even the top flight,” Bozeman says. “It makes more sense to be educated and provide hardened products and to partner with cybersecurity experts.”

Whatever you do, do something, Cronin emphasizes. “You have to be somewhere different a year from now. There is no standing still. It is not Chicken Little, but customers are going to start to ask about this. Your people need to be more astute…. There is a cultural shift that needs to take place, which is one of the hardest things to do.”

But, he adds, the consequences of not doing it are dire. “The more exposed we are and the more action we don’t take, the more we as a country are exposed. I use the analogy of how many people had a Home Depot card. Don’t let this be your client or your employees. Don’t be the next one in the newspaper and be saying ‘Why didn’t I do something as simple as obtain a CompTIA cybersecurity certificate for $150.’”


As next steps become clearer for all it can only benefit the dealers and integrators. The more tools you have in your box, the better you will be able to discuss, prepare, and implement a good cybersecurity plan for your customers. What’s more, it can act as a differentiator for those that have done the steps to become cyber-knowledgeable.

White says his company’s cyber-preparedness has definitely helped with business. “It is absolutely part of the discussion with our customers. It has been extremely helpful, especially when installing devices onto a customer’s primary network when they have requirements that other [integrators] couldn’t meet.”

As the IoT takes hold, cybersecurity is going to become mainstream and integrators need to be prepared. “That is the way the industry is going to go,” says Joseph Holland, vice president of engineering, LifeSafety Power, Mundelein, Ill. “If you can control your home temperature from your cellphone people will want that same capability in every system that they have. Regardless of the fact that for some period of time it will make things more exposed and dangerous, people are going to do it and approach it and have to solve those problems as they come up. It won’t stop anyone from going down that road. But if something does happen they will come back and blame the integrator.”

Viau recommends taking things one step at a time. “Do some benchmarking with PSA or Security-Net or other partners. Find the early adopters and decide whether you want to do that or start taking things piecemeal and create a path. This is not a topic that is going away. Even if you are not able to make large investments in training or insurance, start making smaller changes.”

But don’t delay because things are moving fast, Viscount’s Sieracki adds. “A year ago I would have said recognize the threat. Now I would say make it a strategic part of your company’s DNA. Whether you are going to resell cybersecurity offerings or not (see sidebar, page 58), it needs to be discussed at every board meeting. Not choosing to get this education or understand how it impacts your customer is irresponsible.”

This is important for any company that wants to move forward, say Tom McConnell and David Brinkley, managing directors at Headwaters MB, a Denver-based investment banking firm that specializes in the security industry.

“It is tough to represent yourself as the most forward-looking security integrator if you haven’t already implemented the most robust cybersecurity on your own end,” Brinkley says.

“If I had to paint a picture of an ideal security company I would have the full gamut of an organization’s risk management: access control, video, alarm monitoring, and also be able to protect the data and information we are getting from these systems,” McConnell adds. “That is the holy grail of what a security company should look like if you want to be a market leader. CISOs of enterprise are overwhelmed with these point solutions and data and information and alerts.”

Kirk Nesbit, vice president of design and support services, Synnex Corp., agrees. “I think it can be a somewhat natural play [for physical security integrators]. Given that they are working with the client on a physical security solution, they are trusted in some capacity to take care of the customer’s security. If they can bring up the topic of caring for those devices and showing the concern and knowledge of what it will take to keep the devices they just installed cyber secured, and they show they have credibility and knowledge, then they will get into the conversation.”

Even more than that, Viau says, the security integrator has worked hard to achieve that “trusted adviser” role with the client — a status they stand to lose to someone else if they can’t provide cyber knowledge in some way.

“If we achieve the goal of trusted business partners we are truly at the table and that is what brings us to the forefront of knowing about cyber as a risk. We haven’t really seen our customers panic, but this is the next risk we need to mitigate before it becomes a forest fire.

“What is going to keep you in a position of trusted partner is to say, ‘In addition to all the things you are already doing, I also want to talk about cyber because you may not be aware of it yet. Our responsibility is to keep you informed.’ There you are really showing your value.”

Monetizing Cyber

While many integrators are struggling to figure out ways to boost RMR, cybersecurity has some ready-made opportunities already available to them to resell.

Keeper Security Inc., Chicago, offers a password manager and digital vault that organizes and secures passwords, for example. “We have a reseller program, strong inside sales teams, support and engineering,” says Darren Guccione, CEO and co-founder. He says there are several different approaches to cybersecurity, from prevention to detection to remediation, and integrators should decide which prong to market.

“This is absolutely the fastest growing segment of the security and IT space,” Guccione says. “With the prevalence of cloud computing and cybersecurity we are going to see massive investment over the next 10 years…. I can’t think of a better fit for a security vendor to come in and sell a cybersecurity solution as part of their business.”

CSR Professional Services offers breach reporting and gap analysis both for integrators to use and resell. “The most logical and least painful way of doing it is to attach a service agreement to an installation agreement, which many do anyway,” says Ross Federgreen, CEO. “As part of that agreement they partner with a company like mine that can provide under a white label relationship some service that we provide. It is too specialized and too complicated to do on their own.”

Synnex also offers third-party auditing and more for their integrators to resell. The distributor also has an in-house Network Operations Center (NOC) that performs breach detection. “Physical security integrators are keenly interested in RMR. This delivers on that,” says Kirk Nesbit at Synnex.

PSA’s Bill Bozeman says his organization is actively working to find opportunities to monetize cyber, but it isn’t easy. “Now that we have pointed them in the right direction concerning products that might be cyber hardened and have a program to provide them with insurance partners, best practices, etc., we are finding the most difficult part is identifying how they can actively participate and make a profit.”

Steve White of Vector Security recommends thinking like an IT buyer to figure out what to offer. “IT mandates that you design a system that can be serviced well and you plan for those costs on the front end. We started with a basic offering around network health monitoring for customers with NVRs or IP cameras who wanted to understand uptime. Now we have true remote network monitoring measuring and monitoring patch levels, responding to outages, being proactive about the way we report information. As those devices become smarter we plan to really expand into the business intelligence space.”

Stephen Fisher of VTI says his company is still looking at how to monetize cyber. “Where there is potential revenue it is a balancing act with the kind of investment it would require. You can’t take a security integrator and make them a fire company overnight. And you can’t become a cyber expert overnight either. We have chosen to partner with the experts. There is opportunity out there but we are still looking into that.”

For the right integrator there is a lot of opportunity in this space, adds Tom McConnell of Headwaters MB, an investment banking firm specializing in the security industry. “If you look at the physical security market for integrators alone, that is certainly growing, but not as quickly as the cybersecurity market…. [The security industry] is a relatively mature industry. In cybersecurity the growth is really off the charts. The most recent numbers I saw was that cybersecurity was at about $75 billion in 2015 and expected to go to $170 billion in 2020.

“It is clearly a robust opportunity. And the market for SMB is really just emerging. If I am a mid-sized integrator it is an almost green field opportunity.”

The Role of Manufacturers

What is the role of the security manufacturer in cybersecurity? Are they hardening their products too? The answer is, of course, yes; but in the physical security space it is not as simple as it might seem.

Dan Dunkel of Eagle Eye Networks says his company is working to provide a product to the integrators that is hardened. “We encrypt our video in the cloud. We want to make the video stream tamper-proof. Nothing is hacker-proof. Then if you change the password at the end point automatically, those are a couple of things you can do to markedly improve your cybersecurity. If integrators can start to sell products with a little bit better security embedded in them, that is a step in the right direction.”

Tyco recently launched a six-part cyber protection program, says Kristy Dunchak, director of product management, integration solutions and programs, Tyco Security Products. “We want to make sure we have development practices in place to make sure we are developing products with cybersecurity mindsets. We have teams in place that are dedicated to that, making sure that a product we release today is secure tomorrow. They are watching for vulnerabilities and notifying customers when there is a concern.”

Dunchak says end users and integrators alike can sign up to be notified when a vulnerability in their product is found so that they can mitigate it, which is particularly critical in an industry where the parts and pieces of an integrated system can range from brand new to 20 years old or more.

“One of the unique things about the physical security industry is our products are built to last, similar to the industrial control side of the world,” Dunchak adds. “How do you handle those types of systems? It is up to us to find a way of patching the system. It is a unique challenge and it comes down to creative engineering.”

Some see this challenge as a liability. Scott Sieracki of Viscount Systems says the security manufacturing industry is somewhat unique in the technology sector.

“So many of these manufacturers have all of their revenue tied to the perfection of a 25-year-old device. You don’t see that in the rest of the enterprise world. Technology has evolved in the IT space every single year by leaps and bounds. Our industry … seems to be granted a lot more leniency on its necessity to evolve its technology.”

It’s a waiting game, says Joseph Holland of LifeSafety Power. “Manufacturers are waiting to see what happens with regulations and frankly they are not going to put a bunch of money into something they don’t understand or could be the wrong direction once regulatory agencies get their act together.”

Bill Bozeman of PSA says manufacturers are on a similar track to the integrators in terms of awareness and change. “In my opinion the manufacturers now see the threat. They are addressing the challenges and doing a much better job. They were slow to the game, but I do understand why. As one CEO told me [a year or so ago], ‘I am not going to go spend a fortune on all this cybersecurity stuff until I am losing money because of it and right now I am not.’ They are spending that money now. Our key partners are all stepping up.”

For now, this means integrators who are becoming cyber aware need to be careful when selecting products.

“We are very selective about which products we support and their commitment to cybersecurity is a key part of that,” says Steve Smith of Vector Security. “There are leaders in the space that are doing an excellent job of contributing to that discussion and conforming to standards around updates. But there are many manufacturers that are still trying to answer some of the questions we have talked about today. Not all of them have risen to the challenge.”

Stephen Fisher of VTI Security agrees. “Every time a manufacturer comes into our office we ask them what they have in this regard. Some of them are ahead of the game and others are trying to figure out where they stand on this.”

But Bryan Viau of VTI adds that he is optimistic that manufacturers are at least on the right track. “The manufacturers are getting smart very fast. We have seen how quickly manufacturers are changing their training protocols on how to harden devices. Many are reacting at the appropriate pace.”

Q&A With Bill Bozeman of PSA

SDM spoke recently with Bill Bozeman, CPP, president and CEO of PSA Security Network. Bozeman has been an outspoken and determined spokesperson for the need for physical security integrators to learn about cybersecurity.

SDM: How has the attitude of your integrators changed over the past few years since you began talking about cybersecurity?

Bozeman: There has been a real big swing in attitude. When we started this some three years ago, approximately, it was like I just scratched my head and said why am I even doing this? There was no interest or cooperation from integrators or the vendors. It was very frustrating. I knew this was something we had to be all over. The good news is that has really changed. We no longer even bother having pitches to our community about the importance of cybersecurity. It isn’t even necessary.

SDM: Where does the industry stand now in terms of preparedness, in your opinion?

Bozeman: Our integrator community is 100 percent on board understanding the risks and challenges. Do they all have plans? I didn’t say that. They all recognize it. Most of our key manufacturers are working hard to improve the situation as well.

Our objective is to educate our community as efficiently as we can about the risk and opportunities and how they can protect themselves, whether it be with proper insurance or using products that have been vetted.

SDM: Do you see cybersecurity as an opportunity for integrators?

Bozeman: I really believe this is a game changer, just like when we went from tape to digital or coax to Cat 6 and analog to IP. This is one of those opportunities or challenges. Watch that movie “Zero Days.” Those who choose to turn away, what an amazing loss that is.

[Our playbooks] are sitting there waiting for you to use. You do not have to be PSA members to take advantage of this. We believe this is such an important thing, our education is open to all and we think that serves the entire industry.

Next Steps

While a cybersecurity plan for your company and your clients is the best first step you can take right now, the industry as a whole is facing a much longer and harder transition toward the merging of network and physical security. From day-to-day systems that sit on the customer’s network to IoT-type projects, all the trends have pointed to a merging of physical and cyber, which is something that almost no one is truly prepared for (not even IT departments and integrators).

As a whole the industry is working on things and looking to the next steps in the climb to cyber awareness.

PSA’s Maturity Tier Zero is now complete and available for members and non-members. The organization plans to present guidance on Tiers 1 and 2 of its framework this fall and complete all 5 by the end of the year, Lanning says. “This is a work in progress. The first layer, for example, asks about your policies. Having the tool is one thing but people need guidance on how to come up with the policy.” The full maturity path presentation will be delivered in sessions at PSA TEC 2017.

The goal is to organize several existing guidelines with the security market in mind, so that integrators will know which piece of the cybersecurity framework they are implementing, he says. “There isn’t a one-size-fits-all. The work our committee does is to help the integrator respond and move up [to their appropriate tier]. Some of them that work with NERC CIP will probably aspire to get all the way to maturity level 5.”

ONVIF’s Profile Q, released this summer, is aimed at the encryption side, Dillingham says. “This is very different than our other profiles. All the others deal with a specific feature set. Profile Q is device-centric of the IP device itself. There are requirements about what state it is in out of the box so that when you put it on the network you know what that device will do.” For example, a conforming video camera may not be able to stream in factory-default mode, he explains.

UL, Northbrook, Ill., recently launched a Cybersecurity Assurance Program (UL CAP), says Ken Modeste, cybersecurity technical leader. “We started the program about three to four years ago by looking at how to help clients like typical manufacturers or vendors address the cybersecurity risk. Beginning last year the department of Homeland Security and the White House reached out to us to develop a voluntary program to help shore up cybersecurity.”

From this the UL 2900 series was born to assess software from manufacturers as well as provide larger integrators with a baseline of how well a manufacturer is addressing cybersecurity within the supply chain. Beginning last spring, UL expanded the program to include process evaluation, and the final piece will be doing an assessment of installation.

The end result, the organization hopes, will be to provide integrators with a UL listing not unlike a UL-certified central station — a highly regarded measure of high standards and excellent processes and procedures.

Dillingham stresses that the goal is for these certifications to involve a lot of what many are already doing as common practice. It just needs to be organized and certified.

“As they start working more with organizations, those clients will start to say more and more, ‘I see you as a very important part of my organization,’ and our goal is to help the industry respond to those clients in an effective way. There is no magic bullet that will solve cybersecurity, but if you have the foundational steps you can make it harder for bad actors to infiltrate. Organizations traditionally have been turning to IT for that but looking at physical products from the integrator. This gives those integrators the opportunity to offer a larger value to their customer.”

A Smart Network Management Solution

by Stephen Smith

Some might think of it as the good old days — that time when security and IT systems ran on separate networks and security folks did not have to worry about sharing bandwidth or protecting their data from hackers to the main system.

But standalone systems have given way to large-scale enterprise networked environments, especially in corporate, medical and educational settings. And with that comes the challenge of managing these systems to make them faster, more efficient and, most importantly, protected from outside intrusion.

There are several danger factors associated with flat, or unmanaged networks, beginning with a lack of inherent visibility. All the computers operating on a flat local area network (LAN) have the ability to connect with one another without anything to prevent this. Because they are able to communicate unimpeded, they are also vulnerable to would-be attackers from several points.

For example, an employee using a computer on this network could introduce a virus or make the system vulnerable to a hacker by downloading a particular file or linking to a suspicious website. That cute cat or kid video may seem innocuous, but it could leave a system open to a serious external threat.

Many companies wrongly believe that if they have a strong, hardened perimeter for their network, they do not have to spend as much time on defending the internal components — but that is not the case in today’s environment.

Security Systems: Another Back Door

Security systems with access control components and video cameras that operate on enterprise-level networks can become conduits, or attack vectors, for savvy cyber criminals.

As some of the recent major corporate hacking incidents have shown us, it only takes a small mistake — a minuscule tear in the fabric of the system — to allow someone to gain entry and wreak havoc. Using, for example, an IP camera on which someone forgot to install the latest software patch, hackers can gain access to one vulnerable part of a system, then access to another portion of the system, such as a network video recorder, and then move on to a computer, a server and eventually the overall network.

Even if preventing cyber crime is not top-of-mind for your customer’s system, there are other issues that arise from operating an unmanaged network, such as traffic problems. Without segmenting the network, data flows in an unmanaged, non-prioritized fashion — which can lead to slowdowns, interrupted phone calls and choppy video. The ability to troubleshoot these problems is worsened by the lack of visibility; after all, it is hard to find the problem when everything is lumped together.

A Solution: Managed Switches

Increasingly, security integrators are steering their customers toward smart switches — also known as managed switches — for better network management.

An intelligent switch has the ability to make the interior of the network as secure as the exterior by segregating traffic between ports and devices. Instead of data from all devices traveling along one path, the use of switches can manage the data in a way that makes sense for the system operator from a traffic, maintenance and security standpoint.

It may be decided that all the cameras will be on one segment, while computers will be on another and phone/voice data will have its own as well — thus creating Virtual Local Area Networks, or “VLANing” the network. Having a segmented network controlled by smart switches is not unlike trying to carry on a conversation in a crowded room. If everyone is talking at once, it can be hard to understand what is going on, but if people are divided up into groups and carry on their conversations in smaller segments, it makes it easier for everyone.

Because some network activities are more intensive than others — for example, video surveillance and recording takes up significant bandwidth — segmenting the network ensures that one activity, such as a phone call, does not suffer because a large video file is being moved across the system.

A managed switch can be set up to prioritize traffic or, via link aggregation, two ports can be bound together to provide greater speed as well as a redundant path to the next switch either upstream or downstream. Administrators can even write rules within the system, designating which devices can talk to each other. Such restrictions further protect the LAN from virtual attacks.
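The effect of segmentation and device-to-device rules on the camera-to-server path described earlier can be checked with a small model; this is an added example, not part of the original article. Device names, segment names and both rule sets are constructed assumptions, and a rule is assumed to mean that one segment may initiate connections to another.

```python
from collections import deque

# Constructed inventory (hypothetical names): device -> segment (VLAN).
DEVICES = {
    "lobby-cam": "video",
    "dock-cam": "video",
    "nvr": "video",
    "front-desk-pc": "computers",
    "file-server": "computers",
    "desk-phone": "voice",
}

# Constructed inter-segment rules: (source segment, destination segment)
# pairs that are allowed to initiate connections.
STRICT_RULES = {("computers", "video")}  # operators may view video
# Two rules that each look harmless but together chain video -> computers.
LOOSE_RULES = STRICT_RULES | {("video", "voice"), ("voice", "computers")}


def can_initiate(src, dst, devices, rules, segmented):
    """True if src may open a connection to dst."""
    if src == dst:
        return False
    if not segmented:
        return True  # flat LAN: every host can talk to every other host
    s, d = devices[src], devices[dst]
    # Traffic inside one VLAN is not filtered by inter-segment rules.
    return s == d or (s, d) in rules


def reachable_from(start, devices, rules, segmented=True):
    """Devices reachable hop by hop if `start` is compromised."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for other in devices:
            if other not in seen and can_initiate(
                current, other, devices, rules, segmented
            ):
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


def segments_exposed(start, devices, rules, segmented=True):
    """Segments other than the starting one that become reachable."""
    reached = reachable_from(start, devices, rules, segmented)
    return {devices[d] for d in reached} - {devices[start]}


if __name__ == "__main__":
    for label, rules, seg in [
        ("flat LAN", STRICT_RULES, False),
        ("segmented, strict rules", STRICT_RULES, True),
        ("segmented, loose rules", LOOSE_RULES, True),
    ]:
        reach = sorted(reachable_from("lobby-cam", DEVICES, rules, seg))
        print(f"{label}: unpatched camera reaches {reach}")
```

With the strict rules a compromised camera stays inside the video segment, although it can still reach the recorder that shares its VLAN; the loose rule set shows how two individually reasonable rules restore the full path to the server.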

Use of smart switches also improves the visibility issue when it comes to diagnosing problems. Each port can be managed separately. They can also be mirrored and packet data can be captured and shared with analysis software to troubleshoot an issue. Some switches can even do this from a dashboard, so the system administrator can be in the computer room, at home or in another country and still handle the problem.

When tied in with a monitoring service, smart switches can provide alerts from temperature sensors or send email or text messages when a problem occurs, such as a port going offline.

Variety of Applications

While having a managed network may seem a natural solution for a large enterprise with lots of devices and systems in play, even small companies operating under certain scenarios may see the advantage of smart switches. For example, businesses that accept credit cards are required to segment cardholder data to keep it secure, and smart switches can help with that. The same is true for healthcare operators that need to protect patient information.

Smart switches do come at a price; however, in today’s regulatory climate and with the increase of cyber threats, entities of all sizes are seeing the value in smart switches and a managed network, whether they are looking to manage it themselves or are putting that management into the hands of their integrator.

Stephen Smith joined Michigan-based integrator D/A Central Inc. in 2015 as a Network Engineer and Development Supervisor, where he oversees the company’s Managed Services Team. D/A Central is a member of the Security-Net network of independent security systems integrators.

Read the original article at Security Dealer & Integrator.

Security-Net is proud to donate to Operation Freedom Paws

Security-Net is proud to announce that we will be making a donation to Operation Freedom Paws at ASIS 2016 in Orlando, Florida. Security-Net representatives will meet with OFP founder Mary Cortani (and her dog) for presentation of a donation.

About Operation Freedom Paws
Operation Freedom Paws empowers veterans and others with disabilities to restore their own independence

Operation Freedom Paws empowers veterans and others with disabilities to live a quality life by teaching them to train their own dogs, and certifying them as service dog teams. The dogs, usually from rescue organizations or shelters, are carefully evaluated. Each is then matched to a specific client’s physical and psychological needs. There is no charge – all we ask is a commitment to complete the 48-week training program.


What We Do
Founded in January 2010, Operation Freedom Paws is a 501(c)3 non-profit organization that matches dogs with individuals who have Post Traumatic Stress (PTS), Complex-Post Traumatic Stress (CPTS) and/or Traumatic Brain Injury (TBI) symptoms, or other physical, neurological, psychological or mobility needs.

We train the individual to train their own dog, and then certify them together as a service dog team in a 48-week program. Most of the dogs come from rescue shelters. This unique opportunity enables our clients to feel safe and secure, and to manage their day-to-day lives. The very special therapeutic canine-human relationship helps them get back out in their communities and begin to view their future with renewed hope.

To make a donation to Operation Freedom Paws, scan the code below or go to