SSN Exclusive Q&A: Steve Bell, Gallagher CTO – Security

NEW ZEALAND—Security Systems News recently caught up with Steve Bell, Chief Technology Officer – Security at Gallagher, a New Zealand-based manufacturer of integrated access control, intruder alarms, and perimeter security solutions.

As a global security leader trusted to protect sites in over 130 countries, with more than 13,000 customers, Gallagher is a government-approved provider of security solutions for the United States, the United Kingdom, Australia, and New Zealand.

Bell has spent more than 30 years developing physical security systems, with the goal of making the world a better and safer place. He and his team at Gallagher constantly review the ways that the company develops products and re-engineers them in order to protect, secure and manage people and assets within organizations around the world.

In this exclusive interview, Bell gives SSN some insight into what Gallagher does to ensure that companies are protected from security threats in the physical and cyber world, as well as offer his take on the current rash of cyberattacks that have threatened critical infrastructure in the U.S. and around the world.

SSN: Please give us a general overview of what Gallagher does to ensure that companies are protected from physical security and cyber threats.

Bell: Our product is physical security, and we have a full solution from perimeter security through to physical access control, card readers, as well as administration and management platforms. So, it's a little bit different in that we provide an end-to-end solution, which isn’t common across other security manufacturers.

Some of the things that we're trying to do to help protect companies is to make our product as robust as we possibly can. We believe that everyone within the industry should be responsible from the point of view of cyber security in keeping the product updated and improved.

We've done a bunch of things along that line, which include having a dedicated Research & Development team. Their focus is on cybersecurity, improving our products, and finding existing vulnerabilities. All software products will have vulnerabilities. Some of them might not have been found yet because the technology hasn't moved along. It's a bit like a treadmill. What we did five or 10 years ago was at the forefront of its time, but as security technology evolves, new vulnerabilities present themselves, so we've got to keep moving on that treadmill to stay ahead of the curve.

Our team are trained with OSCP Certification - Offensive Security Certified Professional – which is a penetration testing qualification. This teaches them how to think like a hacker so they can look at our product and say, “Well, if I were thinking I'd want to break in, I'd start there.”

As a responsible vendor, we are committed to publishing our cybersecurity vulnerabilities, the same way that big companies like Google, Microsoft - yes, all the big names you can think of - they have a process of publishing CVEs, which are Common Vulnerabilities and Exposures.

Along with that, we realize that people internally can become a little bit blind to their own product, so we also make sure we use an external penetration testing company to review and audit everything new that we do.

We have a strong focus on government projects around the world, so we've been doing quite a lot with the U.S. federal government, based around the government issued high assurance credentials, but also in other Five Eyes alliance countries too, such as Australia and the UK.

The flow-on effect is that through the work we do to meet government cybersecurity standards, we're in turn providing high levels of security for all our customers.

This element provides our customers, critical infrastructure or not, with the peace of mind that their security solution is designed and tested by a government-approved manufacturer.

We're not going to stop ransomware and cybersecurity attacks in our customers’ systems completely, but it is how we stay ahead of the curve and manage potential vulnerabilities today that matters most.

If any customer suffers a cyberattack of some sort through ransomware, we at least believe we've got our product architected so it can be resilient. If they are in position where they have to remove their computer networks and shut them down, we can make sure that their doors will still open, and their controllers will stay operational. They will be able to get people in and out of the building to fix any problems and keep their lights on to some extent.

We're very much focused on resiliency, and that should the worst happen to a customer’s IT network, they will still have the minimum functionality needed to operate.

SSN: What solutions does Gallagher provide to help its customers manage cybersecurity threats in real time?

Bell: There are different sorts of cybersecurity we have to consider. With ransomware, as long as they can get in there, they're going to shut down systems and charge you for it. There's also the other version of cybersecurity, which might be nation state governments wanting to attack systems or people trying to steal IP from an enterprise or disrupt it.

There's a bunch of things that we have built into our system to be secure by design, and we've got a phrase we use quite regularly - “security of security”. All of our communication networks within our system are very well authenticated and encrypted, and that's right down to the card reader.

For example, before a denial-of-service attack gets to the point where the network can't communicate anymore, it will report an alarm into the system, so our system is monitoring everything in real time and creating alarms on anything that is deemed to be suspicious. This gives customers some warning before things become non-operational, should someone attack their system.

A hacker is going to look for the easiest way to get access to a facility this can be as easy as putting on a Hi-vis vest and just walking in, so the counter for this is making sure all staff, contractors, and visitors have a visual ID, and we get our staff to question unknown people with no ID.

A common weakness in access control systems is the credential technology. Our industry has been slow to move our customers from the legacy card technologies where a card can be cloned by a $15 device purchased online. Gallagher promotes secure card technologies like MIFARE DESFire to our customers and for Federal customers there is the U.S. Government PIV card.

When we developed our mobile phone app, we ensured that we used the underlying authentication technology based on a standard called FIDO [Fast Identity Online], which is something that's being pioneered by all the big industry companies for the secure logging on to websites. We've used that same standard in our mobile security app, which means that if somebody managed to get access to a database with these credentials, there's nothing they can do because it is public key based.

Multi-factor is the next step to add to improve security, there will be doors that move people into high security areas and the use of multi-factor, card plus PIN or phone plus fingerprint protects against people picking up a staff card and moving around a building.

SSN: How will the recent release of Gallagher’s latest version of Command Centre v8.60 provide organizations with increased security and reassurance that they are protected for the future?

Bell: Command Centre v8.60 introduces a new super secure method of integrating the onsite server with systems that may be hosted elsewhere. The Gallagher Cloud has a very secure connection from the customers on-site server. We have remotely exposed APIs through our cloud, so when someone wants to do an integration to another system, like a cloud-based HR system, or a visitor management system, we now allow them to connect to our cloud to obtain that information. The benefit to the customer is that they are not opening any network connections from the internet into their internal networks, our cloud API gateway will make the IT teams life much easier.

Command Centre Mobile is a mobile app, that allows guards and administrators to access certain system functions while on the move. It needs to connect to the server. If the mobile devices are on site, they can normally connect to Wi-Fi and securely connect to the server, but if they're offsite, we've also allowed them to come in through our cloud gateway so that they don't have to create some sort of proxy to allow these devices to get on to communicate with our Command Centre software.

All our version releases have cybersecurity improvements that may fix vulnerabilities or even replace a 3^rd party software library with one that is more cyber secure, or we deprecate the older versions of Microsoft operating systems or database.

SSN: We’ve seen a slew of ransomware attacks occur quite frequently over the past year in the United States and around the world (SolarWinds, Colonial Pipeline, JBS Foods, just to name a few). Why has there been such an increase in the number of cyberattacks that have crippled critical infrastructure in recent months?

Bell: Most of everything we hear about is ransomware, and I think many of these situations are very opportunistic. You know these hackers are out there and it's too easy for them to make money on it at the moment. It's going to take a lot to change that. We need more and more of these businesses to hold out and not pay the ransom, but when you look at the impact on the business, it's very hard to have your business down and non-operational for months and months. This is the challenge.

If you look at the reasons why it's too easy, these entities, may not be setting the right policy from the top down and investing in robust cybersecurity.

I read an interesting news article recently of a company that had a cyber review, and it got released to the executive team of this operation, two days before a ransomware attack occurred. That pointed out a lot of the things that they weren't doing right, including a lack of top-level policy and budget for employing the right sort of experience on to their IT teams. In addition, they were running Windows XP on a lot of their systems and were not patched, so they weren't keeping everything up to date.

The staff weren't trained in even the basics of network security, so they had no idea what they should be doing and how to keep it protected, and that goes down to the physical security. If they see someone they don't know walking around the site in secure areas, do they do anything about it? This awareness can make a big difference.

Along that line, I reached out to our Director of Federal Programs for the U.S., Ashley Meston, who is leading our federal team. Her view is it's very much, getting back to basics. Get the basics of security right from the beginning; prepare to make all necessary security measures, including policies, to ensure the education and implementation across all teams and employees.

A lot can be done without necessarily spending big money on new architecture. Get the basic things done well, – train your people, use good passwords, and implement multi factor authentication. There are so many things that can be done and need to be done to really get that security level up there.

SSN: In response to the recent wave of cyberattacks, U.S. President Joe Biden is about to sign into law a $1.2 trillion bill aimed at improving the resilience of U.S. infrastructure in the face of physical and cyber threats, including a massive investment to defend against malicious attacks. Are these actions in Washington and other government-approved security solutions enough to quell these attacks on our critical infrastructure, and if not, what else should be done?

Bell: I think it's a good start and if anything, the fact that the government's investing in doing something like this, it is highlighting its importance and hopefully encourages all businesses to create a policy and train their staff.

There are still a lot of other things that can happen, such as getting their policy and process in place and getting that awareness, since the critical national infrastructure really does need to be looked after. The Colonial Pipeline incident was an example of what can be done and the impact that can have on all our lives.

The Florida water treatment plant attack earlier this year was another example where it could have been a devastating outcome if they hadn't found it quickly.

I think the Bill is a good thing to be doing, but how much it will achieve, I guess we just have to wait and see.

SSN: Has there been a wave of cyberattacks in New Zealand and in other parts of the Asia-Pacific (APAC) recently? If so, what was Gallagher’s response to these attacks?

Bell:  Like the rest of the world, we've definitely had incidents of cyberattacks happening here.

What we encourage all of our other customers to do is try and stay up to date with their software. Currently we're putting out two software releases a year, and we would hope that most of our customers would take at least one of those releases. We're putting a lot of emphasis on that, so we’re trying to educate on the need to keep up to date because the product we've got now has significantly improved from a cybersecurity aspect, than the product we had three to four years ago.

That treadmill is still running, and we are continually identifying any aspects that are past their best-by date and improving them to the latest standards.

If there is one thing that customers takeaway, I would emphasize the importance of making sure your security system and software is up to date.

SSN: With the growing threat that ransomware and digital extortion has posed to the U.S. and other countries, please talk about the importance of cybersecurity and the role it plays in ensuring that critical infrastructure is protected.

Bell: Cyber security is one of the most important things you can invest in. If you look at the examples we talked about - Colonial Pipeline, the Florida water treatment plant, and other critical infrastructure sites that have been attacked around the world - it’s relatively easy to affect their operations and the impacts are far-reaching. For critical national infrastructure, it affects so many people.

SSN: Is there anything you would like to add?

Bell: One thing that we've recently been working on is a new product called Gallagher security for SMB [small and medium-sized businesses]. We've identified that there's a need for small businesses that do not have their own dedicated IT resource, but still want to have physical security such as an alarm system, and secure access control, however, they need it to be really simple, and convenient. With all this in mind, we've produced a cloud-based solution which gives business owners access control on site, such as a controller, door readers, and an alarm system, but the servers are looked after for them, and there are several bonuses for that.

One is that they get all the software updates. This means customers, stay up to date and we can fix any security vulnerabilities really quickly and easily without them having to do anything.

They have that security from anywhere, so it's primarily a mobile phone administration platform. They can use their smartphone for getting through doors or arming and disarming alarms, or alternatively program access key tags. It's very much a brand-new, mobile-first technology that is secure. We’re excited to be launching this solution in North America early next year.