Cybersecurity in Safety and Security Industry

Zenitel has decades of experience in cybersecurity and has been one of few organizations that have contributed to creating industry standards for safety and security. Aligned with our vision of being the world-leading provider of intelligent critical communication solutions, our aim has been and always will be to improve the safety and security for all our customers. 
Zenitel’s approach can be summarized by 3 keywords:

• Long term commitment
• Trusted advisor
• Secure by design

Cybersecurity is about the product, the solution, and the best practices. In fact, the vast majority of cybersecurity problems can be prevented by technologies that are already available and through a solid understanding and application of those technologies. 

With our first solution IP critical communication solution, the AlphaCom E, we had a secure by design approach already from the initial product development phases. The solution provided unique cybersecurity features such as an integrated firewall, out of band management, VLAN, and network segmentations, allowing our customers to deploy the solution based on that times best ‘defense of depth’ principles.

Figure 1 First network and cybersecurity guidelines implementing ‘defense of depth’. 

When we introduced our first IP critical communication system in 2006, we quickly understood that it was not enough to only provide good cybersecurity solutions and products. We also needed to provide advice and best practices on how to the use of our products and solutions, by making guidelines and being a trusted advisor for our partners and customer. This security concept was embraced in the industry for a decade, but it lacked standardization, and there were efforts in numerous directions. 

From 2006 to 2012 the landscape around cybersecurity became more complex in the safety and security industry. It was a rapid migration between analogue and digital technology to IP technology, and networking competence was limited and cybersecurity threats were increasing. 

In 2012 we had a situation where each company had developed their own cybersecurity guidelines, resulting in a ‘fog of more’. This ‘fog of more’ made it very difficult to take smart actions on how an integrated safety and security system should be deployed. The need for standardization became apparent. End users and partners receive a lot of advice, and they may not know which direction to go, due to a lack of standards.

In 2012, Zenitel took actions to standardize cybersecurity solutions and was one of the first safety and security companies to join the Center of Internet Security (CIS). CIS (https://www.cisecurity.org/) is a forward-thinking, nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. CIS provides a global standard and recognizes  best practices for securing IT systems and data against the most pervasive attacks.Figure 2 Zenitel hardening guide supporting CIS Controls

To support the CIS standards and security controls, Zenitel was the first IP intercom system to support network access control based on IEEE802.1x.

The CIS Controls are a prioritized set of actions to defend against the vast majority of the most common attacks. The First 6 CIS Controls are often referred to as providing cybersecurity "hygiene," and studies show that implementation of the First 5 CIS Controls provides an effective defense against the most common cyber-attacks (~85% of attacks).

What do you see as key cybersecurity trends and impact these trends will have on industry?

Of all crimes, cybercrime increases at the fastest rate, and we see that critical infrastructures and safety and security systems are the target for many of these attacks. At the same time we see an increase of the number of attacks and threat actors, we also experience the potential attack surface explode through more digital interactions, connected devices, and a new way of working.

These trends means that companies need to re-think their cybersecurity model, leading to what we call the zero trust model. The once traditional approach of trusting devices within your corporate perimeter makes less sense in such highly diverse and distributed environments. Zero-trust security, also called perimeter-less security, states that organizations should not trust anything inside or outside of their network perimeters. Every device and user that tries to access an application or system must be verified (encrypt, authenticate, authorize) before access is granted.

Can you highlight some of Zenitel strength when it comes to cybersecurity?

An IP intercom or IP speaker can not be put in a safe equipment room with restricted access and network firewall like a server. Our products are installed in public accessible spaces where the risk of having hackers getting physical access to the network and equipment is apparent.

To deal with risk of hackers getting physical access to network and equipment Zenitel devices supports hardware root of trust and network access control.

The first is a hardware root of trust, ensures that only trusted software will be executed on the hardware. It starts with hardware that has credentials burned in at production. This hardware will only boot from software that is digitally signed

The second part is network access control. Network access control support network visibility and access management through policy enforcement on devices and users of corporate networks. This will deny network access to noncompliant devices, meaning that an hacker will not get access to the network resources even when he has physical access.

About the Zenitel CTO

Thomas Hægh joined Zenitel in 2003 and became CTO in 2009. He received his masters degree in electrical engineering in 1994 from the Norwegian Institute of Technology.

Thomas has 25+ years experience in hardware and software design developing IP communication solutions.