Steve Bell, Chief Technology Officer at Gallagher Security, responds to the Five Eyes Alliance release of ‘Five Principles to Secure Innovation’.
In October 2023, the Five Eyes Alliance, the world’s oldest and most significant intelligence alliance, made up of security agencies from Australia, Canada, New Zealand, the United Kingdom and the United States, released a document through the UK’s National Protective Security Authority (NPSA) outlining five principles for securing innovation.
Upon releasing the document, MI5 Director General, Ken McCallum said, “Across all five of our countries we are seeing a sharp rise in aggressive attempts by other states to steal competitive advantage.
“This contest is particularly acute on emerging technologies; states which lead the way in areas like artificial intelligence, quantum computing and synthetic biology will have the power to shape all our futures. We all need to be aware and respond before it’s too late”.
The Five Principles of Secure Innovation emphasise the need to understand the threats, secure your environment, build security into products from the start, manage the risks that partnerships with investors, suppliers, and collaborators can bring, and finally, to carefully manage the security risks from entering new markets and expanding your workforce.
Steve says the importance of threat awareness and a response plan is critical for security manufacturers. He offers his thoughts on key areas of focus below.
Threats can be identified as any of the following: insider, cyber, physical, international travel, investment, overseas jurisdiction, and supply chain.
“The insider is a person who has, or previously had, authorised access to, or knowledge of the organisation’s resources, including people, processes, information, technology and facilities,” says Steve.
“Within the high security industry, insiders are one of the main threats.
“The key within high security is that if we cannot stop the attack, ensure there is an alarm or tamper evidence left behind.”
Choosing a security solution that provides evidence of tampering, whether through a physical act of gaining access to information, a product, package or system, or through remote access (hacking), is the first step in securing innovation.
Gallagher’s Command Centre is a centralised platform designed to provide “unparalleled control” of every aspect of a site.
Trusted by governments around the world, including those in the Five Eyes Alliance, Gallagher’s end-to-end security solution provides complete site control from one central management platform while complying with the strictest security standards.
“Combining the intruder alarm and physical access control in one system gathers all the audit trail that makes it more difficult for an attacker to fool the operators,” says Steve.
Steve points out, “Security is only as good as the weakest link, so staff culture and the types of access control you use are important.
“In a security-conscious company, staff will badge their card at every controlled door even though it may still be open from the person in front of them, and an employee will challenge a person attempting to tailgate another through a door.
“The use of turnstiles prevents tailgating and at high security level, the interlocking doors feature can create a sterile area with a door in and door out that can enforce the no tailgating rule”.
While mitigating the risk of insider threats is the end goal, sometimes it is just about making it as hard as possible while creating a trail to enforce alerts.
“The idea with an insider threat is that any sort of attack on the system should leave something behind that can show tamper evidence.
“The use of special door locks won’t necessarily stop somebody from forcing the door open, although they’ll try and make it hard, but it creates an alarm that can get a response going,” adds Steve.
The use of older technologies can expose vulnerabilities in a security system, and limit integration opportunities.
“Outdated technology can also pose increased risk to instances of cyberattacks or the use of clone or counterfeit products.
“It is well known in the industry that the traditional ‘prox card’ may be easily cloned by an attacker, much less an insider. It is vital that any access card technology is secure,” says Steve.
Outdated credentials can increase the risk of clone products and in turn pose a threat to site security and physical safety.
Incidents exposing site vulnerabilities or security breaches can also increase the likelihood of reputational damage to an organisation.
“Software that is not kept up to date can be a significant vulnerability.
“Cybersecurity techniques have become much more sophisticated and software that could be considered secure five years ago may have become vulnerable due to new techniques being found to exploit previously unknown vulnerabilities.
“All responsible software vendors will be regularly providing software updates to their applications to fix vulnerabilities. Command Centre has two major updates each year but will issue minor updates as required to fix significant issues,” says Steve.
He adds, “Responsible software vendors publish their vulnerabilities in the CVE database online. This provides information about the vulnerability with a score between one and 10, where 10 is critical and any mitigations that may make the risk manageable for the customer”.
For Gallagher, a high or critical CVE will trigger the release of updates to the four latest releases, so that customers who do not install a new version more than once a year (or two) can still install a patch update that fixes the issue.
Over time, people will forget or get ‘lax’ in complying with security rules or practices, says Steve.
“Command Centre keeps track of staff training and inductions and stores competencies.
“It can send reminders when specific qualifications or competencies require renewal or are nearing expiry.”
Stored competencies can also be used to allow access to specific doors by defining a set of rules for unique roles and the competencies they require to gain access, while also dynamically denying access if a competency has been disabled or expired.
In some cases, a competency is activated at the start of each day by meeting a process requirement, for example making first access at a specific entrance or passing an alcohol test.
These features make it harder for an insider to move freely and avoid detection when best-practice, minimum-privilege access control is used.
“The access control system needs to have very fine-grained and detailed audit trails so that a system operator is not tempted to change their own or another team member’s access privileges.
“Editing any system property or cardholder property should detail the new value as well as the previous value of data so that everything is ‘tamper evident’.”
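One way to make cardholder edits tamper evident in the sense described above, as an added example that is not Gallagher's code or Command Centre's data model: each record stores the previous and new value and is hash-chained to the record before it. The field names, operator IDs and sample records are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as "prev" for the first record

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_change(log, operator, cardholder, prop, old, new, ts):
    """Append one edit with its previous and new value, chained to the prior record."""
    body = {"ts": ts, "operator": operator, "cardholder": cardholder,
            "property": prop, "old": old, "new": new,
            "prev": log[-1]["hash"] if log else GENESIS}
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry

def verify_chain(log):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def self_edits(log, watched=("access_groups",)):
    """Records where an operator changed one of their own watched properties."""
    return [e for e in log
            if e["operator"] == e["cardholder"] and e["property"] in watched]

def build_sample_log():
    # Constructed sample edits (hypothetical operators and cardholders).
    log = []
    record_change(log, "op.alice", "ch.bob", "access_groups",
                  ["Office"], ["Office", "Lab"], "2024-03-01T09:00:00Z")
    record_change(log, "op.carol", "op.carol", "access_groups",
                  ["Office"], ["Office", "Server Room"], "2024-03-01T09:05:00Z")
    record_change(log, "op.alice", "ch.dave", "card_state",
                  "Active", "Disabled", "2024-03-01T09:10:00Z")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) is None)
    print("self edits:", [(e["operator"], e["old"], e["new"]) for e in self_edits(log)])
    log[0]["new"] = ["Office"]  # simulate an after-the-fact edit of a stored record
    print("first bad record:", verify_chain(log))
```

The chain only proves integrity relative to its latest hash, so that value needs to be stored or forwarded somewhere the operators being audited cannot rewrite.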
As the security landscape continues to evolve, organisations need to ensure they continue to fortify their security measures to best protect their people and assets.
As detailed in the report, securing your business environment, products, partnerships and growth by identifying threats builds confidence in best security practice and risk mitigation.
This article was originally published in the March Edition of Security Journal United Kingdom.