Physical Security System Cyber Protection: An Interview with Johnson Controls


According to a recent study entitled, “State Of Enterprise IoT Security In North America: Unmanaged And Unsecured” commissioned by Armis:

  • 69% of enterprises have more IoT devices on their networks than computers
  • 84% of security professionals believe IoT devices are more vulnerable than computers
  • 67% of enterprises have experienced an IoT security incident
  • Only 16% of enterprise security managers say they have adequate visibility to the IoT devices in their environments
  • 93% of enterprises are planning to increase their spending on security for IoT and unmanaged devices

Cameras connected to the internet, either directly or through a video server, are the quintessential IoT cybersecurity attack vector. At Brilliance Security Magazine, we believe that it would be difficult to overstate the importance of physical security product manufacturers, along with all IoT device providers, to follow strict cybersecurity best practices, procedures, and processes. 

To explore what physical security manufacturers are doing to protect their customer’s IT infrastructure, BSM routinely conducts interviews with industry leaders and enterprise systems providers. 

Jammy De Sousa, Senior Product Manager for Tyco security solutions

We recently met with Jammy De Sousa, Senior Product Manager for Tyco security solutions. Jammy has spent many years as a security equipment product manager and is a notable expert in that field. 

In discussing Tyco security solutions (a subsidiary of Johnson Controls) and how they protect their customers from cyber threats, Jammy told us, “We have a powerful story when it comes to cybersecurity.” He continued, “Our Cyber Solutions methodology was born from work we are doing with entities like the U.S. Federal Government and others that have an exceptional need for cyber awareness. And what they taught us is that the security industry, with all of its network-attached devices, represents an often vulnerable cybersecurity attack surface.” 

Security cameras were some of the very first IoT devices used by threat actors as an entry point into an enterprises’ IT systems. Over the years, several cases have been reported that implicate cameras and other security systems as the vulnerability used for exploitation. 

Protecting their customers from cyber threats is not a new idea for Johnson Controls and Tyco security solutions. Jammy explained that “Over the last five-plus years, we have looked at cybersecurity very closely. We have seen examples of network-attached devices being attacked to gain access to the IT systems of large corporations.” This type of attack was the impetus for their cybersecurity awakening. A growing awareness of the cyber threats focused on their customers, along with their determination to prevent Tyco products from being used in an attack, led to the development of various cyber protection solutions for their customers. These include a full-fledged cyber protection program as well as device management functionality for their flagship Video Management System (VMS). 

Cyber Protection Program

To formalize their commitment to providing cyber-safe products, a tiger team of the best and brightest from engineering, product management, and regulatory experts was assembled. This team of specialists was charged with digging through the NIST Cybersecurity Framework and the Cybersecurity Information Sharing Act (CISA) to gain an understanding of what can and should be done to provide safe products. 

The Cyber Solutions product security program that is the result of this team’s recommendations, provides Johnson Controls’ customers with a consistent organization-wide focus on cybersecurity. This focus, combined with the global knowledge base of their engineering departments around the world, ensures their customers that cybersecurity will be baked into the entire process from design through deployment and support. 

During our meeting, Jammy explained that education plays a vital role in the Cyber Solutions product security program. Johnson Controls has displayed a keen sense of their responsibility to make sure all concerned parties are fully informed about any vulnerabilities that may expose the customer’s IT environment through their security products. They also notify about the appropriate mitigation tools and processes. 

The complexities of Johnson Controls’ channel strategies around the world dictate that they shoulder a responsibility to inform installing service providers as well as end-users. They provide education around everything from managing open ports and default passwords to establishing an effective patch program.

The adverse effects of many modern cyberattacks could have been significantly reduced if an immediate notification had been provided to potential new victims. The timely sharing of the details related to known attacks against a type or class of OS, application software, hardware, or website can prevent or diminish the effects of future attacks. 

Jammy provided a convincing argument that Johnson Controls is wholeheartedly committed to providing all concerned parties immediate notification of any known attack. They maintain a web portal where up-to-date information is disseminated to their customers and partners. If a vulnerability is identified or an attack reported related to their products, valuable information about how to protect relevant systems is posted. The site is updated as mitigation steps and patches become known. 

Enterprise Device Management

In our interview, Jammy also discussed a cybersecurity advancing feature of Tyco’s victor Unified Video Management Application. Enterprise Device Management, he told us, “helps integrators and end-users keep their video system software and device firmware current.” 

Firmware management and enforcing a software patch policy can be crucial in protecting against cyber threats. victor’s Enterprise Device Management (EDM) provides a central place to push updates to cameras, manage firmware updates, update passwords, and a host of other functions designed to improve cyber hygiene. 

Jammy points out that even if the default passwords were replaced with new secure passwords when the system was installed, after time, that process must be redone. If there is no management system in place to enforce this type of hygiene, it is all too often neglected. He believes that Tyco’s EDM tool goes a long way toward providing a solution to this problem. 

UL-2610 Certification

UL- 2610, which provides standards for Commercial Premises Security Alarm Units and Systems, updated the requirements for this technology to include cybersecurity provisions and cloud functionality. UL tests alarm products and systems against established criteria. This process assesses a product’s software vulnerabilities, weaknesses, and reviews its exposure to exploitation.

To add to its cybersecurity street cred, Johnson Controls announced in January 2020 that they acquired new UL Certification. They said that their Tyco Software House C•CURE 9000 v2.8 and Tyco American Dynamics victor 5.4.1 are the first platforms to be officially certified as meeting new third-party security standards from UL for on-premise commercial security systems.

“Our focus is creating platforms and products that will be not only cyber resilient throughout their lifespan but flexible and scalable enough to meet the future technological requirements of tomorrow,” said Sara Gardner in a recent press release. Sara is a senior director of Product Management, Enterprise Access Control & Video Solutions, Global Building Technologies & Solutions for Johnson Controls.

Conclusion 

We applaud the efforts of Johnson Controls, Tyco security solutions, and all physical security product manufacturers that recognize the importance of providing secure software and devices. The physical security industry was a little late coming to the cybersecurity party, and there were more than just a few breaches attributed to security devices and systems. We see that changing. As we discuss cybersecurity with physical security leaders, more and more, we find not just a recognition of their responsibility but the investment of high-quality technical human resources to back up their position. 

The much-storied cybersecurity skills gap adds complexity and cost to the task of manufacturing cyber-secure equipment and implementing a channel education program. It must be done, however. Thanks to Jammy De Sousa and Johnson Controls’ Tyco security solutions for giving us a peek into their cybersecurity goals, processes, and tools.


Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, and Instagram.