The Interview: Steve Bell, Gallagher
Gallagher has become the first New Zealand organization to be authorized as a CVE Numbering Authority (CNA). According to Gallagher’s chief technology officer Steve Bell, becoming a CNA demonstrates a level of maturity in cyber security and a commitment to communicating vulnerability information to customers – but operationally, what does this mean?
JA: What are CVEs, Steve?
SB: CVEs are Common Vulnerabilities & Exploits – it’s essentially a big database where all the companies publish their vulnerabilities – companies like Google, Microsoft, Apple and…Gallagher. The security industry is not that well represented – there are some companies that post vulnerabilities to it, but not many.
JA: How do published CVEs help end users and security integrators manage cyber security threats in real time?
SB: Enterprises with IT departments will be watching the database – if we can’t get our own communications through to enterprises, organisations and integrators through the usual communication channels, then hopefully they have a CVE trigger on the word ‘Gallagher’ and any vulnerability we publish will pop up, encouraging them to do an assessment and/or contact their integrator to organise an upgrade.
JA: Having read around CVE – it’s quite a dry area, yet it’s intensely important, isn’t it, especially now with networked solutions increasingly at the heart of electronic security and solutions?
SB: You are working with cyber security guys who are passionate about the facts of cyber security – from our perspective it’s about working out the approach we take to cyber security, how we manage it and how we assist customers to manage it. For a number of years we were undertaking cyber security initiatives behind the scenes – I think a lot of the electronic security manufacturers would be doing that – quietly fixing issues we find and improving our cyber security profile while not really letting people know. As long as customers stayed on the upgrade path, they would get all our new stuff and they would be protected.
The challenge is that while we have many customers who stay up to date with our software, others – including big enterprises like universities and government departments – purposely stay a version behind so that any issues are resolved before they install the latest version. Sometimes the process they might experience getting through the stakeholders in their organisation to get permission to upgrade can be such a significant effort that they try not to undertake that process any more than they need to.
However, sometimes vulnerabilities may evolve that we fix and our customers definitely should upgrade in order to keep themselves secure. That entire process of detecting, fixing, communicating and upgrading poses a challenge. Every company that has had an electronic security solution in the market for a few years and who claims they have never found or been apprised of security vulnerabilities in their product has never really looked or had external experts look. The standards have changed over time.
JA: Cyber security is a journey, isn’t it – does that make this process of detecting, fixing, communicating and upgrading even more difficult?
SB: It certainly does. As you know, we released the first variant of this platform way back in 2001 and the thing about cyber security is that it’s a treadmill – you’ve got to get on and keep moving to keep up with evolving threats. Since those early days, all our cryptography has been updated, many of the platform aspects have changed – the way clients communicate to servers, the way controllers communicate to servers – all that has been refreshed. Cyber security is an ongoing process. The cost of maintaining a platform and keeping customers secure requires significant effort.
We formed a dedicated cyber security team of 5 around 4 years ago – their whole mandate is that they get involved in every new feature we do, they do a design review of every new feature, they also power up the feature and give it a penetration test and once all that is done and prior to release we will engage an independent white hat organisation to examine the feature for weaknesses. They look at everything – so it’s layers upon layers of testing. The security team has the mandate to examine the overall solution and hunt through all areas looking for issues and actioning fixes as part of a process.
JA: Has anyone outside of your team ever found a serious cyber security issue?
SB: There’s only been one issue an external party has reported to us – this came from a cyber security expert who noticed a Gallagher security system in their building and set out to find an issue with the product and did find something. We take the approach of welcoming that and we took the expert’s advice, got the issue fixed and gave the expert credit when we wrote the CVE.
More recently, we had a company in NZ approach us to do some security testing – they spend a lot of time practising and wanted to practise on our product. We sent them some of our solutions to examine and they spent a lot of time hunting for vulnerabilities, but they did not find anything, which was pleasing.
JA: What is the process of reporting a discovered vulnerability to Gallagher?
SB: It’s a process based on the acceptance that every company, including us, should have a responsible disclosure policy when it comes to solutions we provide that are network-facing and may be vulnerable to cyber security threats. In our case, the process is a secure email address – there’s a PGP key, so that companies or individuals can encrypt an email to us telling us about a vulnerability. The process is about getting information to us securely, we can then triage that information and resolve any issues.
Penetration testers will give a manufacturer 90 days to resolve an issue they find before they publish it – that’s part of the responsible disclosure. We communicate with anyone who reports an issue and apprise them of our progress with resolution – this has only happened once.
A report could come from external sources, it could come from an external penetration testing company after they have done testing, or it could be from an internal source like our internal cyber security team. There are 4 ratings given to reports – critical, high, medium and low. The critical and high reports will get an immediate response from our cyber team, which has a triage team they need to get onboard as quickly as possible – depending on the seriousness of the issue, it might trigger an immediate triage meeting.
A critical issue means drop tools and fix it immediately – we have a policy of supporting the last 4 versions, so we will patch back through 4 versions and then do a maintenance release on all those. High security issues will be added to the next release depending on the severity, while mediums and lows will be resolved as part of the upgrade process of the next appropriate version.
We first get some of our most senior developers to do an assessment – the Mitre site that runs CVE also has a vulnerability classification process called CVSS – that is there to create a standardised way, so that if all companies that are reporting things have done the same sort of classification, the security risk will come out the same for everybody – we decided to standardise on that because we had our own internal classification and the penetration testing company had its own different classification – we found ourselves struggling to establish whether an issue was high or medium.
JA: Were any vulnerabilities fixed in the latest Gallagher Command Centre release?
SB: Yes, we did have some vulnerabilities that were fixed. A couple of weeks ago we advised our team worldwide about the issue – we tell the team the severity of the issue, whether it relates to the server, the workstation client, the controller. If it’s only a problem in some applications, we will let them know, so they can let the relevant customers know. We ask our team to contact their channel partners / integrators and channel partners contact their customers. We follow that up a week or 2 later with an announcement to our channel partners and a few weeks after the fixes have gone out, we will publish the vulnerabilities on the CVE site.
The whole thing about that is if there are hackers wanting to break in, we don’t want to give them a chance before mitigations have been implemented. The customers that make us feel we have to do this are our higher security clients – government departments, banks, universities – also all the big enterprises that feel they need to be on top of cyber security issues. It’s those customers we really need to keep our system up to date for.
So, it’s dry material but the threats are severe – we don’t hear of our sites being hacked and if there was a group of hackers going after our sites we would have no idea of it, so we must be proactive. We cannot afford to be complacent – we need our system to be secure and we need a process by which our customers can upgrade their solutions to the latest and most secure versions – that’s what CVE is about.
JA: You recently broke ground on a facility in the UK and announced the intention to support 5 Eyes nations (Australia, New Zealand, Canada, USA, UK) with high security solutions – does CVE flow into that and does this focus on cyber security enhance not only your high security solutions but your other offerings as well?
SB: It does both. Over the last year we have done a couple of UK government standards – like SCEC in Australia – the aim being that we want to support the UK high security market the same way we support the high security market in ANZ – we had an audit of our software processes by a UK expert – that was really good – we value that. A clause in their standards was that we had openness about vulnerabilities and a process in place to resolve them and to ensure customers were advised and assisted to resolve them within their applications.
When it comes to the impact of this cyber security focus on our solutions – this flows all the way through – we don’t just apply the processes around CVE to high security solutions. Every Gallagher customer benefits from the fact we’re dedicated to ensuring they have the information they need to keep their systems up to date and protected against cyber threats. Becoming the first authorized CNA in New Zealand really demonstrates Gallagher’s commitment to delivering solutions with the highest levels of cyber security.