The GDPR and physical security systems: convergence challenges, steps to compliance and more
With the GDPR coming into force in less than four months, a panel of experts, which I chaired, offered a packed audience of security professionals and business owners/executives advice on how to comply with a new, tougher regime, which replaces the Data Protection Act.
The discussion, part of a day of presentations on data protection and cybersecurity organised by Genetec, also examined data protection laws elsewhere in the world. Integrated systems are only as strong as their weakest link, so effective data protection and cybersecurity policies require buy-in from the entire supply chain. The panel therefore needed diverse input and Genetec duly brought together a cyber-aware integrator, cybersecurity experts, a technology vendor (Genetec, of course), and lawyers versed in data protection law.
Christian Morin, Genetec's chief security officer, diagnosed the problems generated by the ongoing convergence of physical and information security.
If security and other building systems no longer operate in silos, then neither should the people operating, managing and protecting them be sequestered from one another. 'Responsibility' and 'transparency' are the twin touchstones here. How can we make sure that people throughout the supply chain take responsibility?
Who should be accountable for ensuring that systems are as resilient as possible?
Physical security professionals don't speak to their information security counterparts as much as they should
Physical security professionals don't speak to their information security counterparts as much as they should, Morin observed. He had earlier kicked off proceedings with an insight into the complexities created by the internet of things, where the number and variety of devices hooked into corporate networks is burgeoning. Barely a week passes without news of another major data leak but several hacks in particular have given the physical security industry pause for thought.
Some 40 million credit and debit cards were compromised at US retailer Target in 2013, for example, via a vulnerability in its HVAC system. Then, in 2016, 1.5 million networked cameras were hijacked in a DDoS (distributed denial of service) attack. And the WannaCry wave of ransomware attacks that engulfed the NHS in 2017 led to the cancellation of operations and forced hospitals to revert to paper and pen.
The looming GDPR, which introduces more punitive fines, has brought into sharp focus the importance of optimising security and other systems involved in gathering, analysing and storing personal data. However, several trends made it important regardless of any regulatory changes, as Morin outlined:
- Potential for operational disruption, reputational damage and litigation, and for putting people at risk
- Value continues to migrate online, and digital data has become more pervasive
- Corporations are expected to be more 'open' than ever before
- Supply chains are increasingly interconnected
- Malevolent actors are becoming more sophisticated
The level and nature of investment in security should be proportional to the impact/likelihood of a potential attack, said Morin.
Did you pack your own bags?
It's a question anyone who has ever taken a flight will be familiar with and a useful analogy deployed by Morin in relation to third-party systems connected to your corporate network. You're only as strong as your weakest link - a sobering thought if your systems integrate with those of suppliers. This isn't a risk remedied by a purely internal audit.
Morin recommended that you interrogate connected third parties as to 'who packed their bags':
- How is the data encrypted?
- How are the keys managed?
- Any audited third-party certifications?
- Who owns the IP and where is product developed?
- How are Service Level Agreements (SLAs) measured and backed?
Cybersecurity is everyone's concern and priorities break down in these ways:
End user
- Physical Security and IT
- Supplier Risk Assessment
- Penetration Testing
- System Auditing
- System Lifecycle Management
- Risk Based Approach in System Design
- Manufacturer Risk Assessment
- Follow Manufacturer Configuration Recommendations
- System Auditing
- Risk Based Approach in System Design
- Manufacturer & Integrator Risk Assessments
- Security Development
- Secure Coding and Testing
- Secure by Default
- Product Security Policy (Security versus Usability)
- Open Disclosure Policy
- Hardening Guide
GDPR will force integrators to up their game
Graham Cole, operations director at Grantfen Fire & Security Integration, believes that the GDPR will force integrators to up their game and means that contracts will more often be won on quality and less often on price. He lamented that people making procurement decisions are often unqualified to do so and hopes this might change.
Grantfen Fire & Security Integration, which partners with Genetec, has beefed up its own computer networks and hired its own network experts.
The panel was diverse not just in terms of expertise but also geographically. Isabelle Landreau, an intellectual property lawyer and VP for the CEFCYS (Women's Circle of Cybersecurity) Association, gave the European perspective.
An internet built on the freemium model - where users surrender personal data in order to use social media and other online tools for free - has turned privacy into a commodity. But Bonnie Butlin, co-founder and executive director of the Security Partners' Forum (SPF) (plus our top 2017 influencer in her category), noted that the Supreme Court in India recently judged privacy to be a fundamental right. This is a departure from most other jurisdictions around the world.
Isabelle Landreau said privacy by design is essential and that there is a growing awareness among end users of privacy and of what they want from manufacturers and internet providers. Bonnie Butlin, who was an intelligence analyst for the Canadian government in 2008, offered the North American perspective. Even though its neighbour was comparatively laissez-faire on data protection - which causes cross-border complications - Canada had actually enacted its own legislation that robustly protects data subjects.
Passed in 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) rests on 10 principles: accountability, identifying the purpose of collection, consumer consent, limiting collection, limiting use and retention, accuracy, data safeguards, openness, individual access, and the consumer's right to challenge compliance. PIPEDA requires, as with the GDPR, that consumers must give consent to personal information being collected, and gives them a right to access personal information held and to challenge its accuracy. Also like the GDPR, organisations are obliged to limit what data they collect, how they use it and how long they retain it.
Canada's Anti-Spam Legislation made executives personally liable for eye-watering fines
She also discussed Canada's Anti-Spam Legislation (CASL), one of the most punitive regimes of its type in the world.
The legislation has had a chilling effect on the not-for-profit sector, suggested Butlin, who we recently interviewed. Potentially making executives personally liable for eye-watering fines, the legislation has made it difficult for them to attract people onto the board.
Cyber liability insurance
Phil Lee, partner at FieldFisher Privacy, Security & Information Group, was asked about suggestions from some quarters that cyber liability insurance should be made mandatory. Poor understanding of such products was leaving organisations poorly protected, he said.
The insurance might cover them for breach reporting but not - often to their surprise - civil actions or regulatory fines. Coverage should go well beyond breaches by malicious third parties into whether you've limited the data stored, kept records, appointed a Data Protection Officer (DPO) and so on. The scope of liability is much wider than it used to be but the insurance market hasn't caught up yet.
Replacing the Data Protection Act in British law from 25 May 2018, the GDPR strengthens protections for the general public and introduces eye-watering fines for transgressors.
I asked for a show of hands from anyone whose organisation has already undertaken at least some activity to make their physical security systems compliant and - reassuringly - more than half of those in the room raised an arm. Only a handful of people raised their arms when asked if they would be confident their systems and processes would already be fit for purpose if the GDPR came into force tomorrow, although even this surprised Graham Cole, who has been alarmed at the lack of preparation, knowledge or even outright awareness of the GDPR's existence among customers. Nevertheless, the audience would surely, by definition, self-select for taking the GDPR seriously - they'd taken time out to attend the event after all.
Phil Lee emphasised that the GDPR would apply in the UK in full regardless of how Brexit negotiations unfold. That said, the UK would become a 'third country' in terms of cross-border data sharing, creating a legal headache for parties involved.
Practical steps to compliance
We concluded with some practical advice for 'hardening' physical security systems and ensuring compliance with the GDPR. Christian Morin advised delegates to conduct a gap analysis on their systems as soon as possible.
Any shortcomings identified can then be addressed in consultation with their consultants, integrators and manufacturers. Compliance can be attained in most circumstances through upgrades rather than a rip-and-replace overhaul, he reassured the audience. The privacy by design principle - incorporating protections like encryption and automated video redaction for footage recorded in public spaces - should be embedded where possible.
The third and final pillar is to harness cloud-based services to cut the scope and burden of activities the end user is directly responsible for.
You must conduct thorough due diligence and regular audits on cloud providers
Phil echoed these sentiments, saying that the notion that a business holds its own data is dated. But entrusting cybersecurity to external experts makes it all the more important that you conduct thorough due diligence and regular audits on cloud providers - and that you can demonstrate as much to the regulators. Does your cloud provider have relevant SSE and other certifications?
Which country are they based in? Some countries have more robust data protection regimes than others. And regulators often go after the soft target. This is often the customer, who is based in a jurisdiction where the regulator can pursue them more easily than it could the cloud provider. He also emphasised the importance of business continuity, should the worst happen. The bottom line, he said, was to get the help of lawyers as soon as possible.
Phil Lee noted the conundrum of the right to be forgotten, applicability of which the GDPR extends beyond "processing that causes unwarranted and substantial damage or distress." There had been absurd cases where the invocation of that right forced the removal of news stories related to the data subject only to be replaced by fresh news stories reporting on the removal of said stories.
Scale of data collection
Bonnie Butlin, who is also an expert network member for cybersecurity at the World Economic Forum, sought to put the GDPR into an international context in her keynote address. Aadhaar, a cloud-based ID system that holds the personal data of more than a billion Indians, illustrated the scale of data collection in 2018. Established in 2009 to accurately distribute welfare payments, the system holds fingerprints, iris scans, name, birth date, address and gender in return for a single 12-digit number.
She also gave examples where police and security services in the US and Canada - traditionally not heavy-handed in its national security strategy - had tested the limits of public consent with data gathering projects to solve and prevent crime. A CBC News/Radio-Canada investigation found that devices known as IMSI catchers were being used by Canadian police to gather intelligence and thwart organised crime. The devices mimic a cellphone tower to intercept nearby phone signals - giving their operators the ability to access text messages and eavesdrop on calls - and identify handsets by their International Mobile Subscriber Identity (IMSI).
Smart cities, where data is collected, analysed and acted on in a systematic, interconnected way, take the data protection challenge to a new level. She cited Sidewalk Toronto, a smart city project that "will blend people-centered urban design with cutting-edge technology to achieve new standards of sustainability, affordability, mobility, and economic opportunity." Russia's first self-sustaining ICT hub, Verkhneuslonsky District in Tatarstan, was also mentioned.
A licence plate reader pilot in Sugar Land, Texas, meanwhile, showed that the general public's tolerance of privacy infringements was highly unpredictable. The deployment of Automated Licence Plate Recognition (ALPR) cameras around the city to identify stolen vehicles or those of a wanted felon attracted less local criticism than might have been expected and surrounding cities have since emulated the scheme.
ANPR technology probably saved lives in the case of a terror attack in Edmonton in October last year
ANPR technology probably saved lives in the case of a terror attack in Edmonton in October last year, suggested Bonnie Butlin. The attack started when a white Chevrolet Malibu crashed through a traffic barricade, before the driver disembarked to attack an officer with a knife.
Police broadcast information about the vehicle's registered owner to all patrol officers across Edmonton. Police vehicles eventually rammed the vehicle, causing it to roll. Police broke the windshield, used a noisy stun grenade to distract the suspect and disabled him with a taser when he resisted.
Bonnie Butlin also examined the unusual case of the 2011 Vancouver hockey riot. Despite having a much lower concentration of cameras than the UK, authorities publicised a most wanted poster featuring suspects captured on CCTV.
Hacking Wiegand readers with a man-in-the-middle attack
Concerns about the security of card-based door entry systems invariably revolve around the risk of lost or stolen cards. But Graham Cole, operations director at Grantfen Fire & Security Integration, showed that most legacy systems can be easily breached using a procedure few in the industry - bafflingly - seem to be aware of.
Graham Cole showed the aghast audience a video of someone implanting a device into a typical HID Wiegand reader. A drill can remove the two screws needed to take off the cover in just 60 seconds. Once implanted, the device allows them to convince the reader that their fake credential is valid.
One could hardly expect 1980s technology to be cyber-resilient - and yet the Wiegand protocol remains widely deployed
The Wiegand Interface is a binary-code based protocol pioneered by German engineer John R Wiegand in the 1980s - decades before the IP revolution in access control began.
One could hardly expect it to be cyber-resilient - and yet it remains widely deployed. Card emulators that can 'steal' credentials of cards by passing within a couple of yards of them (think of the ease of passing it along the queue in the coffeeshop near to a given office) are readily and cheaply available on eBay. Graham Cole demoed one such device to show how easy it is.
If anyone in the audience was feeling relieved that their systems used HID iClass, Mifare CSN, HID Prox or 125 kHz cards, they were soon disabused of any complacency - all these protocols were copied easily too. Open Supervised Device Protocol (OSDP) technology is the way to go, suggested Cole. It makes the system much more robust and you needn't rip and replace: an OSDP-Wiegand hybrid solution can do the job.
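To make concrete what the Wiegand demo exposes and what a supervised protocol adds, here is an added illustration (not code from the article, Grantfen or Genetec): a decoder for the common 26-bit Wiegand frame, whose two parity bits are the only check a controller can make, beside a simplified authenticated reader-to-controller link that rejects forged and replayed frames. The authenticated link is a stand-in using HMAC-SHA256 and a counter; it is not OSDP's actual Secure Channel wire format, and the sample frame and key are constructed for the example.

```python
import hmac
import hashlib
import os

def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Decode a 26-bit Wiegand frame: [even parity][8-bit facility][16-bit card][odd parity].
    The two parity bits are the only check a controller can make; there is no key, nonce or
    authenticator, so any device spliced into the reader's data lines can emit a frame the
    controller must treat as genuine."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if bits[:13].count("1") % 2 != 0:   # bit 0 is even parity over the first 13 bits
        raise ValueError("even parity failed")
    if bits[13:].count("1") % 2 != 1:   # bit 25 is odd parity over the last 13 bits
        raise ValueError("odd parity failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)

class AuthenticatedLink:
    """Illustrative supervised reader-to-controller link (NOT OSDP's real Secure Channel,
    which uses AES-128 CMAC): every frame carries an increasing counter and an HMAC-SHA256
    tag under a key shared at installation, so forged and replayed frames are rejected."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1           # highest counter accepted so far

    def tag(self, counter: int, bits: str) -> bytes:
        return hmac.new(self.key, counter.to_bytes(4, "big") + bits.encode(), hashlib.sha256).digest()

    def controller_accepts(self, counter: int, bits: str, tag: bytes) -> bool:
        if not hmac.compare_digest(self.tag(counter, bits), tag):
            return False                 # wrong key or altered frame
        if counter <= self.last_counter:
            return False                 # replay of a previously seen frame
        self.last_counter = counter
        return True

def demo() -> dict:
    frame = "10010101000110000001110011"       # constructed frame: facility 42, card 12345
    facility, card = decode_wiegand26(frame)
    link = AuthenticatedLink(os.urandom(16))   # reader and controller share this key
    good = link.controller_accepts(1, frame, link.tag(1, frame))
    replay = link.controller_accepts(1, frame, link.tag(1, frame))  # identical frame resent
    unauth = link.controller_accepts(2, frame, b"\x00" * 32)        # no key: tag cannot be right
    return {"facility": facility, "card": card, "good": good, "replay": replay, "unauth": unauth}

if __name__ == "__main__":
    print(demo())
```

The raw frame decodes without complaint from whichever device put it on the wire, which is the whole weakness; only the keyed, counter-bound variant lets the controller tell a genuine read from an injected or replayed one.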
Genetec's multi-layered security model
For their part, Genetec deploys a multi-layered security model comprising:
- Who is allowed to access the system and how do they gain access?
- Once users have access, what can they see and do?
- Encryption. How is data protected or hidden from unauthorised users?
Genetec Clearance's certified Information Security Management System (ISMS) boasts TLS-level communication encryption between devices, which have role-based access and permissions, and the cloud, as well as between the cloud and server. The cloud has an audit trail and redundant storage with AES-256 encryption at rest.
Genetec is exhibiting at IFSEC International, 19-21 June 2018, ExCeL London.
You can find them on stand C200.