Passing the health check – secure connected products

James Kelly, chief executive of the British Security Industry Association (BSIA), discusses the impact cyber security has been having on society and the work being done to reduce the risk of product-related cyber crime

With the NHS recently being one of the highest-profile victims of a global ransomware attack, after computers at hospitals and GP surgeries across the UK were blocked by harmful malware, there has never been a more essential time for the health sector to consider cyber security. Cyber criminals do not only target computers, laptops or mobile phones, but they can also attack connected security products such as video surveillance systems, alarm systems or access control devices.

A rising crime
In recent years, cyber crime has been taken more seriously across the globe, with the UK government demonstrating their commitment to cyber security with the launch of the nation’s first National Cyber Security Centre (NCSC), which opened last year. The NCSC forms part of the Government Communications Headquarters (GCHQ) and was set up to help protect the UK’s critical services from cyber attacks, as well as providing guidance and advice on cyber security. While initiatives like this have been in place to prevent attacks, some have still managed to slip through the net. The ransomware cyber attack on the NHS earlier in the year was thought to have also affected nearly 100 countries around the globe, with 45,000 attacks being recorded. For the NHS, the attack proved detrimental, with ‘operations being cancelled, ambulances being diverted and documents such as patient records made unavailable in England and Scotland’, according to The Guardian.

Ransomware is extremely malicious software which prevents users from accessing files or devices until they pay a ransom of a certain amount of money. Ransomware can be acquired in a number of ways, such as phishing emails or clicking on links on untrustworthy websites. As such, a crucial element of cyber security is ensuring that all staff members are effectively trained in cyber security and are able to identify harmful links or attachments. Ensuring that anti-virus programs are up to date and fully functioning is also essential both in the workplace and at home. While the attack on the NHS did not seem to actually access the patient data – but rather block access to it – it still brings to light the importance of cyber security and how that relates to the protection of personal data.

Data protection
With the General Data Protection Regulation (GDPR) due to apply in the UK from 25 May 2018, the importance of data protection should be a key focus for all organisations. The GDPR will apply to controllers and processors of personal data, with the controller being the person that states how and why personal data is being gathered and processed, and the processor being the person that takes action with the data. The adoption of the GDPR will affect those who are currently subject to the Data Protection Act (DPA), which is, of course, extremely relevant to the health sector. The GDPR will place specific legal obligations on both controllers and processors, with significantly more legal liability placed on persons responsible for a breach. While some may feel that a cyber-attack is out of their control, it is absolutely essential that organisations can prove that they have taken all the necessary steps to prevent their networks and products from being affected by cyber crime.

Connected products
As mentioned before, it is not just computers or personal devices that can be affected by cyber-crime; security products that are connected via the internet can also be vulnerable to such threats. In terms of Video Surveillance Systems, IT technology has played a major role in driving innovation and changes within the sector, such as HD, UHD, H264 and Power over Ethernet. Access control systems have also integrated effectively with IT technology, such as cloud-based access control, allowing for the integration of access control systems with other information management systems. Alongside ease of use and installation, cloud-based services can also allow for regular updates without the need to store large servers onsite – which could be vulnerable to attack – consequently freeing up space and resources. While connected products allow for security applications to integrate more easily and beneficially with each other, it is still essential that such products are adequately protected from cyber threats.

Last October, a cyber attack targeted infrastructure company DYN in the United States, hacking Internet of Things (IoT) devices – including CCTV cameras and DVRS – in order to carry out a Distributed Denial of Service (DDoS) attack. The attack itself infected thousands of devices with a malicious code, known as a ‘botnet’, in order to force a DDoS attack. Worryingly, according to The Guardian, researchers who worked closely with DYN found that the attack was linked to a ‘network of web-enabled CCTV cameras made by a single Chinese company, XiongMai Technologies’, meaning that the ‘CCTV cameras and digital video recorders were forcibly networked together using the sophisticated malware program Mirai to direct the crushing number of connection requests to DYN’s customers’. This situation proves that IP connected security systems must be as secure as possible, as an insecure camera or device can become the weak link that ultimately provides a hacker with an entry point into an organisation’s network. Within the healthcare sector, the implications of such an attack can be wide-ranging, with the risk of sabotage in an effort to disrupt operation being a large concern. Should an attack occur, personal data, including health or financial information, is also severely at risk, and if stolen, this can be detrimental to an organisation, resulting in a loss of patient trust, denigration of reputation and ultimately financial losses.

When it comes to procuring security solutions within the healthcare sector, it is vital that cyber security is a key priority for each party involved in the supply chain of internet connected security equipment. Manufacturers should ensure that accidental design or implementation errors are kept to a minimum and that systems are regularly scanned for vulnerabilities. They should also be proficient in secure coding and testing procedures and should ensure that their products are capable of supporting the stringent controls necessary for secure network communication. This can include encrypted database communication, denial of service protection, system auditing, alerting and management and highly customisable user access and permissions. While the responsibility is on the manufacturer, there is also responsibility on the end user. It is vital that specifiers are ensuring that they have asked essential questions around cyber security and are sure that the products they have chosen are fit for purpose.

Cyber product assurance
The BSIA understands the vital need to protect customers from the risk of product-related cyber-crime. Earlier this year, the BSIA convened a new working group called the Cyber Security Product Assurance Group (CySPAG) which aims to provide education and guidance on best practice in cyber resilience to product manufacturers, installers and users. The group is formed of representatives from a number of sections of BSIA membership and focuses on the increasing connectivity of security systems and how the growing links to home and business networks can leave individuals and companies vulnerable to cyber attacks.

Any single system can be subject to a number of vulnerabilities at different stages of its life-cycle, so its resilience depends not only on initial product design but also on proper installation and configuration, as well as responsible use and maintenance by the end customer. The CySPAG group’s primary objective is to provide best practice guidance at every stage of this chain, from design and testing, to installation and maintenance.

Currently, the group is finalising a Code of Practice which will provide guidelines for connected security systems. The document will include a framework of guidelines to minimise the exposure to digital sabotage of network connected equipment, software and systems used in electronic alarm systems specifically. The BSIA also launched its official cyber ‘offering’ at IFSEC 2017, which included the creation of a dedicated cyber security information portal.

Effective cyber security relies on compliance by manufacturers and installers, but also the specifiers who are actually utilising the systems. When deciding on a specific security solution, ultimately, the end user must take responsibility for the security of their network. If using an IP connected security product, it is paramount that you enlist the services of a reputable installer/integrator that is fully committed to best practice and can demonstrate their understanding of and resilience to cyber crime, with comprehensive cyber security and information security policies in place. In addition to this, they should also comply with any other relevant British and/or European standards related to their products or services. Members of the BSIA are all required to meet strict quality criteria and their membership of the Association is your assurance that a supplier will provide a reputable service.