Transforming Physical Security: Navigating Cybersecurity Regulations and Compliance
In this episode, seasoned physical security industry expert Baldvin Gislason Bern discusses the critical transformation of cybersecurity regulations and compliance. The conversation delves into Baldvin's journey from researcher to cybersecurity pioneer, highlighting the industry's pivotal shift towards cybersecurity – starting in 2014. Key topics include the impact of European regulations such as the NIS2 directive and the Cyber Resilience Act, which aim to address market vulnerabilities and enhance societal resilience against cyber threats. Baldvin emphasizes the importance of understanding the differences between frameworks, standards, and regulations, and their roles in safeguarding critical infrastructure.
The discussion also explores the significance of product security and adaptable regulations in the tech industry, focusing on standards like the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act and ETSI EN 303 645. Baldvin and Steve share insights from their experiences at Axis, underscoring the necessity for ongoing cybersecurity vigilance and proactive approaches beyond mere regulatory compliance. The episode provides valuable guidance for organizations navigating the complex landscape of cybersecurity legislation, stressing the importance of prioritizing security practices to build comprehensive cybersecurity strategies across various sectors.
About our guest:
Baldvin Gislason Bern is a distinguished figure in the cybersecurity and physical security industries, boasting over 25 years of extensive experience. Beginning his career as a researcher, Baldvin quickly transitioned into various senior engineering roles, significantly contributing to the field of cybersecurity. His career trajectory is marked by pivotal roles within organizations such as Axis Communications, where he played an instrumental part in shaping the company's approach to cybersecurity, particularly during the industry's transformative shift in 2014. Baldvin's expertise is not confined to the corporate world; he has also made significant contributions as a volunteer chairperson within the Open Network Video Interface Forum (ONVIF) and the International Association of Public Transport (UITP) Steering Group Committee on cybersecurity.
Connect with Baldvin on LinkedIn
Chapters:
(00:00) Cybersecurity Evolution in Physical Security
Explore Baldvin Gislason Bern's journey from researcher to industry pioneer, focusing on the shift towards cybersecurity in 2014.
(08:33) Impact of Cybersecurity Legislation
Discuss the evolution and impact of the NIS2 directive and GDPR, highlighting the challenges and preparations required by organizations.
(18:30) Adapting to Product Security Standards
Examine the UK’s PSTI Act and standards, emphasizing adaptable regulations for tech security.
(23:55) Ensuring Secure Tech Infrastructure
Delve into the importance of secure products and infrastructure, and the responsibilities placed on operators and manufacturers by new regulations.
Resources:
Learn more about Axis Communications’ role in Cybersecurity
Check out Axis’ Cybersecurity Tools and Resources
Read more about the GDPR
Explore the Product Security and Telecommunications Infrastructure (PSTI) Act
Visit the National Cyber Security Centre (UK)
Read the Axis Partner Briefings: The NIS 2 Directive
Read more about Cyber Resilience Act | Shaping Europe’s digital future
Meet your host Steve Kenny: Steve has spent 14 years in the security sector undertaking various roles that have seen him take responsibility for key elements of mission-critical, high-profile projects across a number of different vertical markets. For the last several years, Steve has focused his attention on how technologies can best complement day-to-day operations and specifically address operational issues by supporting the A&E consultant community across Northern Europe. Steve is a committee member for ASIS International focusing on education for the security sector and the UK technology advisor for TINYg (Terrorist Information New York group).
Connect with Steve on LinkedIn
More about Axis Communications: Axis enables a smarter and safer world by creating solutions for improving security and business performance. As a network technology company and industry leader, Axis offers solutions in video surveillance, access control, intercom, and audio systems. They are enhanced by intelligent analytics applications and supported by high-quality training. Axis has around 4,000 dedicated employees in over 50 countries and collaborates with technology and system integration partners worldwide to deliver customer solutions. Axis was founded in 1984, and the headquarters are in Lund, Sweden.
Find out more about Axis Communications - Innovating for a smarter, safer world
Transcript
00:05 - Steve Kenny (Host)
Hi and welcome to today's episode of Security Tech Talk, where I'm delighted to be joined by a colleague, Baldvin Gislason Bern, who's taking the time out to share his experience with us today, and that is over 25 years of industry experience in various different roles, both outside of Axis and within Axis.
00:24
So starting his career as a researcher, then moving into a software tester, and then Baldvin's taken various senior engineering roles within Axis. More recently, he's taken volunteer roles as a chairperson within ONVIF and also sits within the UITP Steering Group Committee around cybersecurity and then, more recently, as a consultant and advisor on all things around EU regulations around cybersecurity, so, more specifically, around the NIS 2 directive and the Cyber Resilience Act. Which is fantastic, because today we're going to be doing a deep dive into these different pieces of legislation, what that means for businesses within the physical security industry, and how we can be prepared to make sure that we address the important considerations and discussion points that organizations like Axis and our partners and our system integrators and customers need to comply with today. So, Baldvin, thank you very much for taking the time to join us today.
01:23 - Baldvin Gislason Bern (Guest)
Happy to be here to talk about this exciting topic.
01:27 - Steve Kenny (Host)
Excellent. No, it's fantastic, and it's something I really enjoy talking about myself as well, so I'm really really looking forward to this session. Before we get into the details around the regulations, I'd just like to get your spin on some of your background, your experiences, how you've ended up in this space, and then just a sort of a history lesson into why we are where we are today in terms of the cybersecurity landscape.
01:53 - Baldvin Gislason Bern (Guest)
Okay, so I started at Axis in
02:54
s, early
04:11
So that's why the regulators are putting down their foot and saying for the safety of society, we need to regulate.
04:19 - Steve Kenny (Host)
It’s an interesting discussion point where we have traditionally and historically relied on technology companies to do the right thing and make sure that the embedded technology and the infrastructure does embrace best practice in terms of cybersecurity.
04:32
But I think there's clear evidence to suggest that that hasn't happened, and when we look at the proliferation of different technologies on the market and how they are, you know, very vulnerable to an attack and the wider implications of that, there is absolutely no doubt that, unfortunately, we can no longer trust these organizations to put cybersecurity, or just security in general, at the top of their development needs, because that adds cost and complexity into what they're doing, which ultimately will get passed on to the customer. So I understand, I get why we need to, I guess, regulate from a European standpoint. How have you found it then this year, being mindful that you've been on quite a journey in terms of being a consultant and an advisor to a lot of businesses and you've spoken around the different types of regulations? How have you found the interpretation of a directive, a regulation, a standard, just people trying to understand, well, what is it that we need to comply with?
05:34 - Baldvin Gislason Bern (Guest)
Yeah, I think it's good to get the terminology a little bit straight. It's not really that complicated, but people mix it up a lot. First of all, sometimes people talk about frameworks. Something like the NIST framework is quite famous in cybersecurity circles, and those are kind of guidelines that you can follow to help you get started or to make it easier to communicate with somebody else that's also using that framework, but it's basically just optional guidelines.
06:04
e, so something like ETSI, en
06:37
Then it comes to regulation. They're obviously not optional. It's the law. You have to do it and then you comply with the regulations, and they typically do not reference specific standards. They are often a little bit more open-ended and more open to interpretation, so to speak. And finally, because you mentioned directives, I think it can be good for people to know that the European Union has something called directives that are put into law by the nation states, which means that it takes a little bit more time for that to happen. But most people don't have to care about this and I don't think it's that important for people to know the subtle details. Mostly, the difference between standards and regulation is the most important part to keep separated.
07:31 - Steve Kenny (Host)
irective was released back in
08:33 - Baldvin Gislason Bern (Guest)
I think it's really important to take a step back to what you started mentioning, that the original NIS directive and the GDPR came about the same time and, as we talked about before, the big tech companies self-regulated on cybersecurity. They definitely did not self-regulate on data. So GDPR was necessary to force them to handle personal data properly, and what GDPR did was have consequences that were significant for the companies, 15 million euros or a significant percentage of global annual turnover, and consequences for C-level executives. So everybody took GDPR extremely seriously. The original NIS directive had no such consequences because the consequences weren't big enough. So one of the biggest changes in NIS 2, there are many good changes in the NIS 2 directive compared to the original one, but maybe the most important one is that they copied the consequences clauses. So the consequences of not complying with NIS 2 are personal consequences for C-level executives and 50 million euros or a percentage of revenue, and this gets management attention. So all of the bigger companies that have to comply with NIS 2, they typically have compliance departments or officers, legal departments, so they have already been aware of this for many years.
10:03
Even if the EU directive is kind of supposed to be enforced now, and some countries will be a little bit late, so it will be next year, they've known about this for several years and, as with cybersecurity, it's not something you just fix the day before the deadline. It's something you have to prepare for for a very long time. So all the larger organizations have been preparing for a long time and will be continuing to work on this for a long time.
10:35
I mentioned that Microsoft started to take cybersecurity seriously in the late 90s, so it's 25 years ago, something like that. Satya Nadella just this year sent an internal memo about improving cybersecurity at Microsoft, so they are still working on getting better at it. I think the larger organizations that are a bit more mature when it comes to this, they've already started their journey. They just didn't take it seriously enough for the original NIS, but I think they will be prepared. I think for smaller companies and companies that are not used to working with software, it's going to be a little bit more of a struggle. One of the challenges we have as well is that cybersecurity competence is in short supply, so to speak. So there will be some challenges when it comes to it, but I think if most companies start working on it, start going in the right direction, I'm optimistic, and I think the legislation that is coming from the European Union or the Biden executive order, the things that have been done in the UK, those are finally pushing everybody in the right direction. So I'm optimistic.
11:53 - Steve Kenny (Host)
Yeah, I think when we look at how long it took for people to take GDPR compliance seriously, it was sort of two to three years from, actually, the release date that we started to see significant fines being used as a means of punishing organizations for non-compliance, and I think, if we reflect on where we are today, it's about 5 billion euro across the EU, with the average fine being around 2.2 million per fine. So there are examples that this type of legislation is going to be punished for non-compliance, which is quite interesting. Obviously, I'm mindful that not every organisation everywhere in the EU needs to comply, so what is the type of profile of these organisations that you think, right, if you fit this profile, you need to make sure that you're in a position to demonstrate your compliance moving forward?
12:52 - Baldvin Gislason Bern (Guest)
So first of all, I'd like to say that people should not be doing cybersecurity because the police will come and take money from you. You should be doing cybersecurity because it's important and the bad guys will come and take money from you if the police don't. So the goal of cybersecurity should never be compliance with regulation. It should be to make products and information and software secure. When it comes to the risk of being visited by some sort of government agency, of course, the larger companies are at big risk, and I think they already have, as I mentioned, compliance departments, legal departments. They should be able to manage this. I think it's maybe more important to look at what the European Union is trying to achieve with this. They're not trying to make money by fining companies. They're trying to make sure that European Union society is resilient to cyber attacks.
13:56
So the most important companies or organizations that are covered by NIS 2 are companies or organizations where the citizens will be annoyed if they are down because of a cyber attack. So, water, toilets, food, that kind of stuff. Nobody will really care if Axis is offline for a week; people in society won't notice, of course, apart from the customers and employees, etc. Axis is probably covered anyway because of the size of the company, and Axis has to do this anyway, all of the things that are in NIS 2. So it's not really a problem. But nobody really cares about some office being down. It's more about the critical infrastructure, things that would come in the newspaper if there was an issue. So that's the focus of NIS 2, making sure that society works. But it's a broad range of companies. It includes also companies like chemical factories. It's very broad.
15:06 - Steve Kenny (Host)
So it's interesting that you say right at the start of that that the focus of cybersecurity should not be to comply with a piece of legislation. But I would argue that the reason the piece of legislation has been put in place is because organizations haven't taken it seriously. So we've needed to find some form of mechanism to punish organizations for not doing the right thing, which I guess is a sad state of affairs, unfortunately. And I think that leads on from, it's not just around the critical infrastructure type of organizations that need to comply. We've obviously seen the release of the Cyber Resilience Act, which is obviously focused on the software and hardware manufacturers, Axis being one of those. Do you see this as a step in the right direction to make sure that the technology that is being released to the market is secure?
15:58 - Baldvin Gislason Bern (Guest)
ady been approved in December
16:53
And what it does is put in place some of the basic cybersecurity things that are kind of common sense if you start working on cybersecurity. And you mentioned that the regulation is coming because people aren't taking it seriously, but you also mentioned a little bit before that you can kind of understand why it hasn't self-regulated, because one of the problems is that it costs money to do cybersecurity. So those that do not do cybersecurity will have a cheaper product, and the consumer hasn't always chosen the secure thing. And this is kind of unfortunate as well, that it's not only the manufacturers and the operators etc. that are at fault, so to speak. It's also just market inefficiency, so to speak, that the consumers or customers haven't been ready to pay for it.
17:48
And I think it kind of makes sense because software is becoming so important. I don't know that well the history of electricity, but I can imagine that before the regulations on lamps and stuff were introduced, lamps might just catch on fire and that was obviously very bad. And then there comes some regulations on this, same with restaurants and food safety etc. And software is just such a big part of society today that it has to have some sort of a baseline minimum thing you have to do. And if you don't do this then you are basically criminally negligent.
18:29 - Steve Kenny (Host)
And do you find that when we look at a baseline security, I know the UK's PSTI Act, that's the Product Security and Telecommunications Infrastructure Act, does follow a very small baseline security? Is that a good starting point or is that something that does need to be vastly improved?
18:49 - Baldvin Gislason Bern (Guest)
I think it's very good that both the legislation and some of the more modern standards like ETSI EN 303 645 are not telling you exactly what to do, and they are not telling you exactly which level of security you should have. And the reason why this is important is because the different kinds of products and the different uses are so vastly different. So the Cyber Resilience Act does mention a little bit that there are different requirements depending on the criticality of your product. So if you're doing something like an operating system or a computer chip or network infrastructure equipment and stuff like that, you have to do a little bit more than if you're doing a baby monitor or a toaster or a refrigerator. But I think the baseline is a good thing, to not over-regulate. But people need to understand that there is going to be a difference between compliance and a higher level of security. Just because you're compliant with the regulation, that only means that your product is not dangerous to society. It does not necessarily mean that it's fit for your use case.
20:03
And one of the really nice things I like about the Cyber Resilience Act is that it mandates that the manufacturer describes the security level of the product and the appropriate use.
20:18
So somebody that makes a baby monitor might say something about how it's supposed to be installed and what it's gonna be used for. And somebody that wants to buy equipment made for spies that has to be really high level will understand that this baby monitor does not have that level. Of course it's kind of a ridiculous example. Of course they know that the baby monitor is not like that, but you could be in the similar situation between two different baby monitors. Let's say that you are a person of interest because of political situation or some other reason, then you might want to buy a baby monitor that has a much higher level of security than somebody else. And it's kind of giving the market a chance to self-regulate, so to speak, and I think the only reason to go into more detail would be if the market fails again. But I don't think so. I think the market just needs a nudge in the right direction and I think I'm generally an optimistic guy.
21:24 - Steve Kenny (Host)
I'm glad you are. Cybersecurity doesn't tend to be an optimistic discussion, I often find, and there's one that I remember incredibly well: the UK government, so the National Cyber Security Centre, had to release information in terms of IoT-connected kettles, and that is because these kettles had a known vulnerability that if the security was bypassed, a hacker could switch all of the kettles on at the same time, and not only is that a fire risk, but actually there is a common acknowledgement, based on when certain programs are watched in the UK, that if everyone switches on their kettle all at the same time, there is a massive power surge. If an organization, state-sponsored or just a general hacktivist, was able to get control of this, turn all of the UK IoT-connected kettles on all at the same time, it could actually bring down the power grid. So the UK's National Cyber Security Centre had to make an announcement and a statement around updating these and the vulnerabilities, and I think one of the challenges, and you referenced it there, is that people generally don't focus on the security of the technology.
22:38
They look at the performance, how am I going to use this? What's the interoperability? How's it going to connect with different things? They don't generally focus on the security, and that is where people think in isolation rather than think of the bigger implications of these technologies being a risk. I just want to pick your brain on what you think: are we prepared within the physical security industry, and please feel free to go back, but do you think we're prepared in physical security, for organizations that sit on our side of the fence, to make sure that we are going to be compliant and we will support our customers in terms of their compliance?
23:17 - Baldvin Gislason Bern (Guest)
Yeah, let me get back to that question a little bit. I want to reference something you mentioned before, the kettles. I think it's a very good example of how the regulations will try to protect us, because the individual buyer of a kettle isn't going to be interested in the cybersecurity thing. They're not going to read the manual or instructions or anything like that. So anything sold with software or connectivity in it in the European Union has to have the minimum level so that the risk of something like this is lowered.
23:54
on cybersecurity for Axis in
25:01
But we need to move forward. We need to continue the journey. It really is a journey. As I mentioned before, Microsoft started in the 90s and their CEO has to send out a memo to the whole company that cybersecurity needs to be prioritized. So it's not something that you do once and then you're done. It really is a journey and unfortunately, in the operational technology industry outside of IT, most companies and organizations have just started the journey very recently, and some are in the beginning of the journey now, and we need to make sure that everybody gets up to speed. And at least there is NIS 2 and the Cyber Resilience Act that are pushing everybody along, but I would like to see a little bit faster pace.
25:55 - Steve Kenny (Host)
So, if we acknowledge that what Axis does and what technology vendors do will support an end customer that sits within a critical infrastructure environment, and what it is that they need to do to comply, what do you think the expectations are for organizations from an Axis or from a technology company? Are we going to start to see a whole host of vendor risk assessments hitting our emails? Are we going to start to see sort of equipment being penetration tested? What's that level of supplier due diligence? How do you think that will change the market moving forward now, knowing that organizations will be punished should they not comply with these directives and regulations?
26:40 - Baldvin Gislason Bern (Guest)
So one of my many favorite parts of the regulation, like NIS 2, I think they are actually very well thought through. NIS 2 says that the people that are responsible for the operation of whatever they are doing, the water, the toilets, the food, transportation, whatever it might be, they are responsible and they cannot put the blame on a supplier or a vendor or somebody providing a service to them. Which means that they have to make sure that all of their suppliers, their contractors, etc. have a level of security. And it's actually the same for the Cyber Resilience Act, that the manufacturer will be responsible for their product, which means that if they take things like an open source component into the product, they can't blame the open source community for it being bad. They are responsible. So it trickles down. A power plant buying cameras will have to do due diligence on the cameras. A manufacturer using an open source component will have to do due diligence on the component, and if they find that it's a risk, then they have to address that risk in some way. And I think this kind of ripple effect is very interesting because even if a manufacturer is not directly affected by NIS 2, because they don't have to comply, it's very likely that their customers are affected, and in that way they need to help them to comply by not being a danger to their organization. That's basically the first step. If the product I'm providing to you as a NIS 2 organization is to be compliant with NIS 2, then I should at least have a minimum level of cybersecurity, or an appropriate level of cybersecurity, so that I don't endanger you.
28:42
And then it's also about information flow, which is quite important, because cybersecurity is not just a one-time thing. You buy something, it's secure, you install it, you forget it. You'll have to keep it updated. There might be vulnerabilities that need to be managed, and also you have to make sure that installation and integration and stuff like that does not endanger things. So one of the most important things, I think, moving forward will be this information flow, which can easily become way too much. So that has to be done in an efficient way, and I think that's also something that we're quite early on in the cybersecurity journey actually. Nobody reads the Microsoft cybersecurity notifications. People don't even update themselves. Microsoft takes care of everything for you. They just install and update and you don't have to think about it.
29:38
We're very far from being there in the more physical, operational technology environment.
29:46 - Steve Kenny (Host)
So, being mindful that there's lots of different moving parts in terms of what organizations need to do to demonstrate compliance, what would your sort of one or two top tips be for the different organizations that need to comply with this sort of ever-changing landscape around cybersecurity regulations?
30:10 - Baldvin Gislason Bern (Guest)
I think that from the European Union point of view there's been quite a lot of confusion because different parts of the European Union started doing different things in different places, so there was a lot of confusion. There was DORA for the banks and there was the RED cybersecurity addition for radio equipment and there were a lot of different things. The European Union is harmonizing it. There is also discussion between the United States and the European Union on harmonizing things. The UK has gone their own way from the European Union in cybersecurity, but thankfully their regulation, the regulation inside the UK, is very similar to what the European Union is doing, and it kind of makes sense because what they are proposing is common sense in a way, and also kind of open-ended to allow the companies and market actors to do what's appropriate for their situation. So when I meet a customer and we start talking about the regulations, first we try to do what we've done now, to map out the landscape and try to understand what different parts of regulations apply to them, and then I ask them to forget it and start working on cybersecurity. And once you start doing that, you will automatically be ticking off some of the boxes that you have to tick off, and then you can go back to the regulation or the standard or whatever you're doing and say, okay, did I forget something? Is something missing? Am I focusing too much on one thing instead of another? And then you adjust, and then you forget it and you work on cybersecurity.
31:55
I think trying to get good at cybersecurity by trying to understand a regulation or a legal text or a standard is the wrong way. It's like somebody trying to learn something by finding out what's going to be on the exam. Passing the exam is not the point. Hopefully you're learning something. I don't want to be treated by a doctor that doesn't really know how to be a doctor. They just were really good at passing the exam, and it's the same with cybersecurity. Not too much focus on the regulation part is definitely my advice.
32:35 - Steve Kenny (Host)
So, just to wrap up today's episode, what should your one takeaway be for the audience? What should their one thing that they remember from today's session and they can take back to their business?
32:48 - Baldvin Gislason Bern (Guest)
It's time to take cybersecurity seriously. You have to, but also you are probably the best person to know what to do in your company, with a little bit of help from somebody else. Cybersecurity is not going to be solved by buying a tool or complying with a specific standard. It's a long journey that has to be done by the people that run the company.
33:21 - Steve Kenny (Host)
Baldvin, thank you so much for taking the time today to share your views and experiences. It's been incredible. It's something I absolutely love speaking about myself; I've been down the rabbit hole and read many pieces of literature, whether they be legal texts or frameworks. There is so much available on the market, so I do encourage anybody that's listened today that wants to find out more information on this: there is plenty of information that will support you on your cybersecurity journey online, and it will genuinely add value not only to you individually, but it will also support you and your businesses moving forward. So, on that note, Baldvin, thank you very much, and I look forward to future discussions. Thank you.
34:05 - Baldvin Gislason Bern (Guest)
Thank you.
34:10 - Steve Kenny (Host)
Thanks for tuning in to Security Tech Talk. If you've enjoyed today's episode, be sure to check out the other episodes for more insightful discussion and expert perspectives. Don't forget to subscribe so you never miss an episode. This podcast is brought to you by Axis Communications. Axis enables a smarter and safer world by creating solutions for improving security and business performance.