AS/NZ2201 Alarm Standard Failing Monitoring Customers
As the alarm monitoring industry is reinvented as a creature of the digital world, AS2201 fails to provide manufacturers, installers and end users the support and surety it once did. The time has long passed for the official alarm standard to cover common IP components and comms paths.
WHEN key parts of AS2201 were updated in 2004 and again in 2007, the teams that worked on the standard sought to incorporate as many aspects of the latest technology as they could but in those digitally distant days it was impossible to anticipate the impact the world of IP would have the alarm industry. Twelve years later the effect is clear to see. There are aspects of the alarm transmission process (AS2201.5) and core monitoring station systems (AS2201.2) that no monitoring station can function without, yet that are not covered by any part of the standard.
What we are talking about here is digital networks and network components, VPNs, cloud storage data centres locally and overseas – an entire ecosystem that was undreamed of in 2004 that isn’t just central to the future of alarm monitoring, it is the future of alarm monitoring. When you think about the enmeshing thicket of network components bound up in security transmission solutions – within security systems, not just within transmission systems – it’s easy to see why no one is doing anything about networked solutions when it comes to standards. This is a tough nut to crack.
Kostas Kyrifidis of The Security Advisory undertakes reviews of Grade 1 monitoring stations for the VSI in Victoria and SPAAL in NSW. He maintains the Australian Standard covering security alarms, monitoring stations and alarm monitoring equipment undertaken in 2004 must be upgraded to take into account the intrinsic role that customer network components, monitoring station network components and third party provider network components play in the alarm reporting process as covered by the standard.
“What we need to do, given the new threat levels introduced by network exposure, is make sure there are standards in place that take into account risks and minimise those risks," says Kyrifidis. “This needs to be done without imposing on monitoring station operators and with discussion at the grass roots, then developed through Australian Standards to reflect best practise. It’s important that we undertake the process at the grassroots level – that any changes are not imposed.
“Fundamentally, I think we need to identify the risks and have due diligence in relation to what we are doing operationally in our monitoring businesses and work to tighten this aspect up in line with an agreed best practise,” he says. “There needs to be consensus between monitoring providers and users as to what constitutes an appropriate level of security and protection around third party communications and data storage. We need to start a discussion, which is likely to take 6-12 months.”
What worries Kyrifidis is that since 2004 when the standard was completed the risk matrix has changed yet the standard does not provide the means for providers to respond to those changes.
“We have thousands of people around the country protecting sites and infrastructure and relying heavily on our reporting paths, links and storage solutions, and they want a secure, high quality service,” he says. “But what is a secure and high quality alarm monitoring service today? Residential, commercial and government end users expect us to make sure that we are storing and managing data securely, giving them the protection they need. But to do this with confidence we need to consider the risks and tighten up the standards by filling in the technological gaps. There’s simply nothing in the standard that covers this vital area and its growing risks, yet I know from personal experience that we go to great pains to govern other physical aspects of monitoring centres that have far lower risk profiles."
“We need to start a discussion between monitoring stations, industry bodies, monitoring station auditors – there’s urgency, we need to move on it”
Naskam’s Maks Makson agrees there needs to be a conversation about the issue.
“Frankly, the genie is well and truly out of the bottle when it comes to networked components of monitored systems and monitoring systems,” Makson says. “We have information in the cloud and so do all other monitoring providers. But there are so many variables when it comes to things like cloud it’s hard to know where to start. If your provider is in Australia, then a new standard might apply. But if your provider is overseas then you have no control over the standards they apply to the service they supply to you and your customers. I would like to see providers whose cloud components are maintained here in Australia to a future AS2201 standard graded more highly than those who use external cloud providers and have no clear idea of the underlying topology and risk exposure of their cloud components. That’s something I think needs to be disclosed to customers.”
Suretek’s Glenn Smith agrees the risk profile has changed and that monitoring stations are more likely to be exposed to attacks on networked components than on their physical premises.
“Just this year ransomware has taken out 4 control rooms we know of,” Smith says. “One had to pay thousands of dollars to hackers in Russia to retrieve their database. It’s scary stuff. This ransomware goes through an entire network, finds a database, then compresses and locks it. Go back 10 years it was a local peer-to-peer network, digital dialler – signal comes in, sends it through to the network – simple and secure. Not anymore. One of the control rooms was down for 4 days.
“So yes, it’s a huge issue at multiple levels. Prices are dropping but you need a full time IT person to manage the network side. You need to plan your entire system to take IT into account, monitoring is changing shape totally and we are living in a different world when it comes to risk. This has to be taken into account. The old standard is all about construction and that’s fundamentally easy compared to this new world of evolving risk that’s always changing shape. The standard can’t be written and then cast in stone for 12 years as AS2201 has been – the standard has to have fluidity built into it so it can keep up.”
Who is responsible for this managing this? Associations, monitoring stations or software providers?
“Well, generally speaking no one has the expertise,” Smith says. “Within Suretek we have our own experts who are dedicated to keeping up with this – given we have so many control rooms we have a considerable responsibility to ensure customers are protected. Network security is a whole other thing – it’s organic and can be highly secure but for a single unprotected backdoor, like a wireless router with a default password setting somewhere on the system. All of a sudden there’s a flyscreen door on the back of the safe. It’s scary.”
According to Kyrifidis, gone are the days when information could be protected by the application of physical security.
“Today it’s network components, data encryption and secure communications, everything we do operationally that is exposed to networks needs to be protected to a standard,” he says. “We need appropriately secure agreements with cloud providers, we need to know which country data is stored in, as well as considering the IP security arrangements around the data. At the moment all this is an unknown.
“The EL-31 committee that looks after security standards needs to consider this. We are in the business of protecting community interests and it’s too important to ignore. We need to start a discussion between monitoring stations, industry bodies, monitoring station auditors – there’s urgency, we need to move on it. It’s not on the horizon, it’s banging on the door. We need an honest and ethical approach, a working approach, and we need it right now.” ♦