October 23-26, 2021
Hyatt Regency Riverwalk | San Antonio, TX

Keynote Session

sponsored by

Altronix

Keynote Session

Ballroom Sunday 8:00 – 9:00 AM

GENERAL SESSIONS

sponsored by

Lenel

Security's Impact on Intelligent Buildings

Ballroom Monday 8:00 – 9:00 AM

Moderator: Pierre Bourgeix
Panelists: Representatives from Carrier (LenelS2), Johnson Controls, and Siemens

Hear from representatives of three of the largest players in Intelligent Buildings discussing the current state of implementation and future trends, including:

  • Who owns the building system?
  • What does an intelligent building mean? How do we move from the "Intelligent Buildings" catch phrase to a clearer definition so customers set appropriate expectations?
  • How deeply is security woven into the building control fabric and what are the security and operational vulnerabilities of Intelligent Buildings? What interfaces to other smart building systems exist today versus what is on the roadmap?
  • How do different operating and service departments interact?
  • What is the current state of implementation?
  • What's coming? What are the most promising opportunities, e.g., AI, not currently being explored or utilized?
  • What tools and strategies contribute to success and how is success measured?
  • How are security consultants likely going to be affected?
  • Is there a potential sacrifice regarding "openness" of the technology or does the implementation of an intelligent building lock in the Owner for life?

Emerging Technology Presentations

Ballroom Tuesday 8:30 – 9:45 AM

Moderator: Paul Boucherle, Matterhorn Consulting
Panelists: Representatives from Selected Technology Companies

3-4 companies (to be announced), offering exciting next-generation technologies, will be invited to provide brief presentations on their company, the underlying product technology and how it brings value to the marketplace, security applications, and success stories. Companies such as these are typically too small to have A&E program budgets and are quite likely off the radar of most security consultants.

Projects – From Design through Operation

sponsored by

Salient Systems

Specifying Integrated Systems vs. Components

CSI MasterFormat as it relates to security (Div 08 and Div 28) is largely structured around components – cameras, readers, etc. Increasingly, however, systems are specified as a unified or integrated collection of sub-systems. There is some newer provision for this in Div. 28 (see 28 05 45, Systems Integration and Unified Systems) and added flexibility within the MasterFormat framework. Is this adequate, or should a rethinking of MasterFormat be considered? Hear from several consultants who are wrestling with this issue and from CSI with a broader construction industry perspective.

Scenario Based Testing/System Validation

Following a system installation, but prior to acceptance and sign-off, what is the most effective way to reasonably assure that the system works as intended? Is it through a checklist of functional criteria? Through an evaluation of pre-designed scenarios? Should 100% of devices be tested or random sampling be employed based on pre-determined criteria? When is it practical for Client operators to be involved? How might such testing/validation impact completion of the construction project? This session will discuss these issues and the approaches security consultants should take throughout the project to improve the end result and Client satisfaction, whether or not they are involved in the actual system commissioning.

Planning for the Operational Phase of the Life Cycle

Operational issues associated with achieving the risk-reducing goals of the original system procurement may be obscured because the Client is not a security expert. What is the consultant/integrator responsibility to the Client post-commissioning when the contractual agreements have been concluded, and who then owns security through a solution's retirement? Value-add services, extended warranty, all-inclusive support contracts, and upgrades are often overlooked or rejected, but would ultimately benefit the Client. Further, the Client's overall corporate structure, leadership, and personalities may impact such contracts. Is there a conceptual or organizational separation between devices and data, and, if so, who is responsible for each? What about network operation after installation? Is security notified and/or consulted when minor/major network outages are planned for maintenance and upgrades? As "trusted advisors" to the Client, consultants have the opportunity to both shape and meet Client expectations for reliable system operation, cementing relationships in the process.

Design-Build - Threat or Opportunity

To what extent do an integrator's efforts to serve as both system designer and installer create a competitive threat to the security consultant? Can a proper design really be accomplished without an enlightened assessment of a facility's risk? Is security being compromised for the sake of cost? Or is there an opportunity for consultants and integrators to partner where a solid, risk-responsive design can be accomplished and installation by a known competent integrator be assured? If so, does an involved security consultant act as a voice for the Client, or will the operational requirements of the Client be sacrificed partially or completely to meet a construction cost goal? Hear both sides of this situation from a panel representing both designers and installers.

Products and Technology

sponsored by

Brivo

Plugging into Managed Services

Remote Managed Services, including cloud-based video and access control and network monitoring, are becoming an important component of many systems integrators' offerings. Further, cloud-based services are a key element of both the security and IT landscapes, but not widely specified. Based on responsibilities within the Client organization, a subtle benefit may be isolating the product selection from the General Contractor, but this may introduce deeper issues of data security and policy development. Also, the field of capable bidders may be narrowed to those who have the expertise to effectively address the issues that arise under cloud managed services (such as configuring the security features for the cloud-based servers). Learn more about managed services and their associated benefits, issues, and importance in a post-pandemic environment.

Verifying Network Readiness

Client networks are, more often than not, owned by IT, for whom security may be an internal client. As new equipment is connected to a network, new or existing, how does one know if the network (a) has adequate performance to support the security requirement; (b) is secure prior to the security connection; (c) may be compromised by the addition of the security equipment; (d) has appropriate power back-up to support the security requirement? Who should be tasked with the responsibility to answer these concerns? What are some appropriate questions to ask in advance? How can you judge or confirm the capabilities of the integrator to comply with these requirements in advance? Simply placing that on the integrator's shoulders may be inadequate. These questions, and more, should be in the head of the security consultant from the outset.

Secure Device Management

Who takes care of the security equipment and manages device updates? How is this handled at scale? What pre-planning can be accomplished so that end users really do not need to suffer through a truck roll for equipment firmware updates not designed to be addressed remotely or automatically? Does the end user pay for the manual update or is it included in the maintenance package? This panel is intended to explore these topics and discuss what changes should be advocated and specified going forward.

Private High Speed (5G, LTE, CBRS) Networks

Presenter: Matt Brown, HetNet Wireless

5G cellular technology will revolutionize how many security and other IoT devices will connect to the cloud. Some are looking beyond the public networks into deploying this technology into private networks. In many countries, mid-band spectrum, particularly the 3.5 GHz band, is a key piece of the 5G spectrum strategy. In the U.S., 3.5 GHz, known as the Citizens Broadband Radio Service (CBRS) band, has been tapped for shared access applications. The CBRS 3.5 GHz frequency is now part of the 5G specification, but CBRS will also make an impact on the wireless scene via 4G LTE private networks - additions to cellular networks inside buildings. Several companies have discussed building private LTE and 5G networks within large organizations and across corporate campuses using CBRS technology. Hear Matt Brown, a wireless consultant, unravel the complexities of this technology and discuss the implications for security.

Cyber Security

sponsored by

Milestone Systems

Approaches to Penetration Testing

Presenter: Michael Glasser, Glasser Security Consulting

Penetration Testing ("pen testing") is a set of security tests and evaluations that simulate attacks by a hacker or other malicious actor. It goes beyond vulnerability assessment, which is designed to find and document vulnerabilities which may be present in an organization's public or private network, but is controlled so as to not interrupt normal business operations. Pen testing is usually conducted by an outside entity to see how far it can get into a system by simulating an attacker. In this session, you will learn about pen testing techniques and how to appropriately adjust the scale and scope of the pen test to accommodate various client situations and scenarios. Of particular note are "Red Team - Blue Team" exercises which simulate attack (red team) and defense (blue team) scenarios to strengthen overall security.

Secure Identity

Preserving the security of an identity has the objectives of (1) uniquely tying one's credentials to an individual to validate who they say they are, and (2) maintaining the security of those credentials to prevent someone else from stealing them to access information or services tied to the credential holder. No longer are user names and passwords considered adequate. This session will review current and proposed techniques to provide more highly secured credentials. These will include FIDO ("Fast Identity Online"), PIV ("Personal Identity Verification"), CIV ("Commercial Identity Verification") smart cards, and mobile credentials.

CMMC - An Integrator Qualification with Teeth

Moderator: Andrew Lanning

The Department of Defense ("DoD") recently announced the development of the "Cybersecurity Maturity Model Certification" ("CMMC"), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base ("DIB"), particularly as it relates to controlled unclassified information ("CUI") within the supply chain. The CMMC is expected to designate maturity levels ranging from "Basic Cybersecurity Hygiene" to "Advanced." For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats. While initially targeted at DoD, this will expand to the entire Federal Government and into critical infrastructure. Learn the importance and details of this program as it applies to integrator/contractor qualifications and ability to work on specific types of projects.

Underlying Elements of Cyber Security Certification and Specifications

Most project specifications incorporating cyber security elements put the onus for implementing a cyber secure system on the integrator. But what is reasonable to require of an integrator and how can integrators be evaluated on their ability to perform what is expected of them? This is the premise behind SIA's forthcoming cyber security certification for integrator technicians. This session will embody a discussion of tasks and areas of competence which should underlie both this certification and specifications incorporating cybersecurity. Learn how this certification is planned to bring value to the end user, integrator, and manufacturers.

Special Topics

Approaches to Protecting our Schools (and Beyond)

Presenter: Jerry Wilkins, Active Risk Survival
Presenter: Chuck Wilson, NSCA and PASS

FEMA, in December 2003, published FEMA 428, a Primer to Design Safe School Projects in Case of Terrorist Attacks, addressing a variety of terrorist threats to our schools. We now regard Active Shooter as by far the top security threat to our students. First established in 2014, the Partner Alliance for Safer Schools (PASS) brings together expertise from the education, public safety and industry communities to develop and support a coordinated approach to making effective use of proven security practices specific to K-12 environments, and informed decisions on security investments. Its mission is to provide information, tools and insight needed to implement a tiered approach to securing and enhancing the safety of school environments based on their individual needs, nationwide best practices, and making the most effective use of resources available. Learn about PASS Guidelines and Resources, tools for objective analysis by school officials, community stakeholders, and solutions providers for assessing and prioritizing school safety and security needs. Hear about how these principles may be leveraged and applied to the broader security environment.

Resolving the Project Management Dilemma

The success of many security projects may be hampered by the existence of multiple project managers from different participants – integrator, contractor, consultant, client – often with different skill sets, agendas, and levels of urgency. This may be overcome with strong communication and coordination or further emphasized when the interaction is weak and counter-productive. Learn approaches to understanding how this has played out in selected projects and avoiding or at least minimizing these pitfalls to achieve a better end result.

Breaking Down Silos - Governance in a Converged Environment

Presenter: Pierre Bourgeix, Convergent ESI

As we move to a more converged technological world, it will be critical that governance across all domains (IT, OT, PS, and IoT) is tied intrinsically to the business silos. We can no longer afford to let the communication chasm continue between business units and business practices. The goal of this session will be to define and describe best practices to create synergy in communication and decision making across an enterprise using proper unified governance, policy and procedures tied to people, process, and technology in a converged environment.

The Impact of Privacy Laws on Access Control

Moderator: Min Kyriannis

Protection of cardholders' personal data (photo, DOB, license number, work and vacation schedule, etc.) contained in access control systems is often overlooked – and can easily be violated. Those with appropriate privilege levels may theoretically abuse their privileges and view the access control transactions and personal information of cardholders for non-security-related purposes. Further, how is cardholder data entered, managed, stored, and secured? Video also plays a role in access control by providing verification and, in some cases, recognition. How is cardholder consent to the use of their data being obtained? Can privacy laws work to diminish security? With the prevalence of GDPR, CPPA, NY-Shield Act, and many others coming forward in the future, how would these privacy laws impact access control? Requirements are broad and wide, and many fail to understand that these privacy laws also include any digital signature in these systems. How do you fuzz, encrypt and otherwise protect this data so it still falls under these requirements, yet maintain security?

Questions or comments? Contact us at info@AttendConsult.com.

About Us

CONSULT is a security industry event sponsored by SecuritySpecifiers. SecuritySpecifiers is an online community and network of security professionals established to address the need for the physical security industry to more effectively engage with designers and consultants.

Contact Details

203-405-3740