The Hilt

7: Contractors and Integrators Now Required to Add Cybersecurity, or Risk Losing the Job (with NSCA's Chuck Wilson)

June 10, 2020 Chuck Wilson, Executive Director of the National Systems Contractors Association (NSCA) Episode 7
The Hilt
7: Contractors and Integrators Now Required to Add Cybersecurity, or Risk Losing the Job (with NSCA's Chuck Wilson)
Chapters
The Hilt
7: Contractors and Integrators Now Required to Add Cybersecurity, or Risk Losing the Job (with NSCA's Chuck Wilson)
Jun 10, 2020 Episode 7
Chuck Wilson, Executive Director of the National Systems Contractors Association (NSCA)

How concerned are you of the cybersecurity component of your projects? 46% of integrators surveyed earlier in 2020 by the NSCA said they are not interested in cybersecurity, but with new regulations rolling out in June of 2020, contractors, AV and systems integrators must now include cybersecurity in all projects:

"If you sell it, you'll need to secure it."

Defendify Co-Founder Rob Simopoulos interviews Chuck Wilson, the Executive Director of the National Systems Contractors Association (NSCA) on what the new 2020 MasterFormat® regulations say about cybersecurity.

This episode covers:

  • Emerging changes within Construction/Building industry
  • Recent Construction Specifications Institute (CSI) MasterFormat® cybersecurity updates
  • Resources to better understand Division 27 and Division 28 requirements
  • How to simplify cybersecurity to "check the box" without needed specialized skillsets
Show Notes Transcript

How concerned are you of the cybersecurity component of your projects? 46% of integrators surveyed earlier in 2020 by the NSCA said they are not interested in cybersecurity, but with new regulations rolling out in June of 2020, contractors, AV and systems integrators must now include cybersecurity in all projects:

"If you sell it, you'll need to secure it."

Defendify Co-Founder Rob Simopoulos interviews Chuck Wilson, the Executive Director of the National Systems Contractors Association (NSCA) on what the new 2020 MasterFormat® regulations say about cybersecurity.

This episode covers:

  • Emerging changes within Construction/Building industry
  • Recent Construction Specifications Institute (CSI) MasterFormat® cybersecurity updates
  • Resources to better understand Division 27 and Division 28 requirements
  • How to simplify cybersecurity to "check the box" without needed specialized skillsets

[music to teaser]
I just even think about what they receive from their customers. Sensitive information, you know, the floor plans of really secure facilities that show where all these devices are being installed, the security cameras, the access control points, the IT systems - sometimes they get MAC addresses and IP addresses. Imagine an architect that skilled in aesthetics and building these beautiful buildings.

Imagine him looking at that placeholder saying "oh man" what do we do there? 

Let's put a bill out there that says we will reward you if you do the right thing instead of penalizing if you do the wrong thing. So yes, what we're thinking about is, could there be a tax credit involved for companies who take a proactive approach? To be able to hire a Chief Information Security Officer to be able to put in the system that they need?

We're talking small businesses primarily - to be able to equip their company with the knowledge,  the training, the equipment, the technology, the awareness, and all of this stuff that would make their company better - so that they're not putting themselves or their employees, or their customers at risk.

Let's get a group together - say as advocates for the advancement of cyber - and get ahead of all this stuff.

Let's rewrite the laws to say, "quit fining us for doing the wrong thing, but give us credit - give us an incentive, to do the right thing.

[music to intro - timestamped transcript]

hey everyone I'm Rob simopoulos and this is The Hilt.

01:39

Today I'm chatting with industry legend Chuck Wilson. Chuck is the executive director and CEO of the NSCA.

01:46

NSCA stands for National Systems Contractors Association.

01:49

The members of this association are the companies who

01:52

install physical security audio-visual

01:54

and communication devices in buildings

01:56

I'm really excited to chat with Chuck he

01:58

wanted to share some changes that are

02:00

coming that are really going to affect

02:02

building construction projects that have

02:03

some requirements for cyber security so

02:05

imagine construction projects and

02:07

cybersecurity coming together these

02:09

changes could have some serious impact

02:11

on how construction is navigated today

02:13

so let's get right to it

02:14

[Music]

02:19

so Chuck to start off with why do you go

02:22

ahead and introduce yourself Chuck

02:24

Wilson here I'm the executive director

02:26

and CEO of NSC a and NSC a is a

02:30

international trade association that has

02:32

about 1,000 system integrator members

02:35

throughout North America primarily and

02:37

we help our member companies with their

02:40

business resources their leadership

02:43

training business development training

02:45

looking at emerging technologies all the

02:47

time codes and compliance things of that

02:49

nature and then just trying to give them

02:52

some idea of what the industry landscape

02:56

is going to look like in the near term

02:57

and then you know in the three to five

02:59

year range so that we can have more

03:01

predictable direction about where we

03:03

take our companies and stuff so we work

03:05

with integrators who do voice video data

03:07

security life safety surveillance access

03:10

control all of the specialty

03:12

technologies you know within the

03:15

low-voltage realm I guess so it Chuck

03:18

just so for people who don't necessarily

03:19

know what those technologies are if you

03:21

have a building and you want to protect

03:23

it with security systems they would be

03:25

the ones installing the card readers and

03:27

the cameras and then how about the

03:29

audiovisual side what kind of projects

03:30

would they do in and maybe in a

03:31

commercial building to give some people

03:33

some examples yeah that's right so so in

03:35

the audiovisual world you know it's

03:37

about unified communication systems

03:39

collaboration system so we think of all

03:41

of these rooms that are being equipped

03:43

with video conferencing technology and

03:45

the ability to do file sharing screen

03:48

sharing being able to work remotely and

03:50

to you know what I like to call it is

03:52

working with the the workflows that are

03:55

happening in a modern office building

03:57

that would be the the intersection if

03:59

you will between the digital world and

04:02

the physical office environment so we're

04:04

helping modernize the workspaces and

04:07

then at the same time if you think about

04:09

healthcare or education or government

04:11

facilities is creating what is now these

04:15

mission-critical high demand rooms that

04:18

are used for control and command or

04:20

looking at a variety of high graphic

04:22

images where we're dealing with virtual

04:24

reality and artificial intelligence and

04:27

machine learning and you know the the

04:29

world is just

04:30

in terms of what types of audio-visual

04:33

technologies that are taking place in

04:35

the modern office environment and the

04:38

smart buildings if you will and I think

04:40

the one of the interesting things about

04:41

you know the type of work that these

04:43

folks are doing is that you know back in

04:45

the day these would be you know closed

04:46

loop systems where they would run a wire

04:48

from one device to another device and

04:50

that would be it but today you know

04:52

correct me if I'm wrong all of these

04:54

systems are basically running on the

04:55

networks or most of them are meaning

04:58

that you know the integrators are going

04:59

out taking devices programming them and

05:01

then somehow interacting with the IT

05:03

systems to get them implemented at

05:05

running yeah that's right so and it's

05:08

really changed a lot Rob so 20 years ago

05:11

that wasn't really an issue you know if

05:12

there if it were an IP enabled device

05:14

it'd be on a standalone IP network we

05:17

just figure out how to digitize

05:18

something and transport it over the

05:21

cables or or whatever today you know

05:24

almost everything we do is an IOT type

05:27

device or an IP enabled device that is

05:29

using power over ethernet or some form

05:32

of communications technology that also

05:35

has power attached with it in order to

05:38

energize the edge devices so we're

05:41

looking at a lot of edge intelligence

05:43

devices and we're looking at things that

05:45

are really a connected technology that

05:48

sits in a sometimes it's a it's a

05:51

portion of the enterprise network

05:52

sometimes it's segmented sometimes it's

05:55

a standalone IT network but a lot of

05:58

times it is connected in some fashion to

06:01

the enterprise network that's carrying

06:03

sensitive and mission-critical data for

06:05

the business to operate so so we find

06:08

ourselves working in that same realm and

06:10

we find ourselves dealing a lot with the

06:13

IT departments now we're where we never

06:15

used to do that before right yeah I

06:17

think it's such a really interesting

06:19

industry and as we get a little deeper

06:21

here in the conversation we start

06:22

talking about cyber security I think

06:24

there's a lot more aspects there as well

06:25

just just so everybody understands about

06:27

what this industry looks and feels like

06:29

how big of an industry is this you

06:31

mentioned the number of members that you

06:32

have but you have any ideas of total

06:34

industry revenue or anything along those

06:36

lines that you'd be able to share yeah

06:37

so so if you think about it from a

06:39

standpoint of being part of the built

06:42

environment a part of the vertical

06:44

construction if you will so we're we are

06:46

the fastest-growing segment of the

06:49

construction industry so when we look at

06:52

the overall size of the construction

06:54

industry it is over a trillion dollars

06:57

and we represent about 6% of that so and

07:00

that's just on new construction start so

07:02

when you think about how big our

07:04

industry is it is in the billions of

07:06

dollars and you take a look at just one

07:08

segment of it like audio-visual that's

07:10

many many billions of dollars and you

07:12

look at security and you look at IT and

07:15

you look at the structure cabling you

07:17

look at Wireless you look at telephony

07:19

you look at access control and security

07:21

these are huge segments of the US

07:25

economy and they're growing rapidly of

07:27

course because everything that we do is

07:29

becoming more and more in demand all the

07:32

time

07:32

Wow amazing I think a lot of people

07:34

don't even realize that that industry

07:35

exists so when you talk to your members

07:38

what are some of the challenges that

07:39

they face today Chuck well there's a lot

07:41

of them you know the big things that

07:42

we're dealing with is a significant

07:45

shortage of talent if you will so so one

07:48

of the big initiatives we have is how to

07:50

find that next generation of workforce

07:52

we look at you know where is this talent

07:54

coming from you know we're in

07:55

competition now with adjacent industries

07:58

that we'd never had to compete with

07:59

before so we're this hybrid between the

08:02

construction or a trade type of

08:04

occupation classification and that of an

08:07

IT or a you know a highly skilled you

08:10

know almost like a computer science

08:11

person is now becoming of interest for

08:14

our industry so we're going to stuck in

08:17

that middle between what is considered

08:18

the traditional blue-collar type of

08:21

trade and then this super advanced you

08:24

know high educated IT computer type

08:27

person and then you know this whole

08:30

business model transformation is

08:32

happening where we used to sell things

08:34

on a project centric basis like the

08:36

clients would say how much for that

08:38

system over here it'd be a hundred

08:40

thousand dollars whatever we'd sell it

08:42

we did install it there we go nowadays

08:44

people are so afraid of product

08:47

obsolescence and what the lifecycle is

08:49

so now it's almost like we want to

08:52

consume the technology but we aren't

08:54

really sure we want to own it you know

08:55

we might want to do it as a service or

08:57

as a

08:57

you know some sort of a monthly payment

09:00

or something so we're really seeing a

09:02

shift in going from that capital

09:04

expenditure if you will to an operating

09:06

expense we're maintaining these systems

09:08

as the trusted advisor now for our

09:11

clients and we're you know a lot of

09:13

times our people are embedded within

09:14

their facilities to take care of these

09:16

things yeah and you guys do a wonderful

09:18

job helping your members having you know

09:19

worked with you guys for so long I think

09:21

you play such a pivotal part in helping

09:23

the members evolve and move forward with

09:25

their companies which brought me to the

09:27

the topic here that I really wanted to

09:28

talk to you about you shared with me

09:30

that you know there's some real changes

09:32

that are occurring here on the

09:33

construction side where people who are

09:35

involved in maybe systems integration

09:37

project maybe other types of

09:39

construction projects are now facing

09:41

cybersecurity requirements in order to

09:44

you know do their projects and so on so

09:46

just to start off with is cybersecurity

09:48

a topic of conversation for your members

09:50

and the industry as a whole it really is

09:53

in fact we just did our state of the

09:55

industry address gosh what was it two

09:57

days ago I guess we have the state of

09:59

the industry and one of the questions is

10:01

how aware or how concerned are you with

10:03

the cybersecurity component of the

10:06

systems that you install for your

10:07

clients not just internally in your own

10:10

offices and stuff but for your clients

10:12

and things that you do and what's really

10:14

starting to shape up here Rob is that

10:16

our members are starting to understand

10:19

now that having a system that they sell

10:22

that they don't secure properly is just

10:25

as bad as if you sold them a system that

10:27

didn't work you know so right it's

10:29

almost like another element to client

10:33

satisfaction is to know that you know

10:35

and we're using this mantra now that if

10:37

you sell it you have to secure it well

10:39

if you're sitting on that enterprise

10:41

network or if you're making at all a

10:43

point of vulnerability for your client

10:46

is that's a big responsibility and so

10:48

the follow-up question that is how many

10:51

of you are offering cyber security

10:54

services for your clients and then we

10:57

asked how many of you have cyber

10:58

security insurance and we're starting to

11:00

see this definite shift towards both is

11:03

I think it was about 46% of our members

11:06

that were surveyed said that they carry

11:08

cyber security insurance the other half

11:11

was essentially we don't carry it and we

11:13

don't intend to and then the same thing

11:15

with they don't intend to offer it as a

11:18

service now if you think about that what

11:20

these companies are saying knowing that

11:22

they're immersed in this IT environment

11:25

the IP you know they are on the network

11:27

in some shape or form what they're

11:29

saying is that by ignoring the concern

11:33

of cyber yet being an IT enabled device

11:36

installer is you are basically self

11:39

eliminating your company from doing work

11:42

in healthcare facilities education

11:45

facilities government facilities and so

11:48

on so if you look at our primary

11:50

vertical markets the vertical markets

11:52

where most of the revenue and our

11:53

industry is generated by being oblivious

11:56

or having a lack of interest in

11:59

acknowledging that the real threats of

12:02

cyber what you're doing is you're saying

12:03

to yourself I don't choose to

12:05

participate in those markets that

12:07

require it which then makes me wonder

12:09

well what are you going to be doing so

12:11

are you going to be basically saying

12:14

that I'm just going to be a very small

12:15

company and a niche player that doesn't

12:17

hang anything on a network and to be

12:19

happy with just that so I think I think

12:21

this is a massive issue of concern for

12:24

our members and the ones that get it

12:26

really get it the ones that don't get it

12:28

are simply in denial that they will soon

12:29

have to or you know how relevant are

12:32

they going to be when the client is

12:34

looking for someone that can can work on

12:36

these kind of things right and I think

12:38

their customers are starting to realize

12:39

that as well because when they're

12:40

starting to do business with these

12:41

enterprise organizations their security

12:44

teams are now sending them cyber

12:46

security vendor assessments asking them

12:48

about what their cybersecurity posture

12:50

looks like and their practices and some

12:52

of these members must be getting caught

12:53

off guard you know when these things

12:54

arrive with a hundred questions and they

12:56

go well you know I don't have cyber

12:58

insurance I don't have policies I don't

12:59

train my team that's got to catch them

13:02

off guard it'd be too bad to lose a

13:03

project or a customer because you didn't

13:05

you didn't have proper cybersecurity

13:07

hygiene man that's what they're doing is

13:09

they're just saying that we're not going

13:10

to be a candidate for this project

13:12

because the level of sophistication

13:13

requires a company that has a more

13:16

advanced skill set in the IT realm than

13:19

what we do and it kind of scares me I

13:21

think about we need to heighten our

13:23

level of awareness

13:24

this year in what our messaging is to

13:27

those companies who may not see this the

13:29

way that we do you know you know to that

13:31

point I think avoiding it or trying to

13:33

avoid it is only gonna last for so long

13:35

and I think that this thing that we're

13:37

gonna share you want to share in regards

13:39

to the master format and the new

13:41

construction changes that are happening

13:42

are gonna be a key part of it because I

13:44

don't think it's necessarily gonna be a

13:46

it's not going to be a vertical centric

13:48

thing it's gonna be a construction focus

13:50

so why don't we start right there so

13:51

tell us what is this master format and

13:54

what is the construction specifications

13:55

Institute if you don't mind Chuck yeah

13:57

so basically the construction

14:00

specification institute is the

14:02

organization that is the leaders in

14:05

determining how does a building get

14:08

built in relationship to the blueprints

14:11

that are provided for the direction that

14:13

the contractors have to bid off of and

14:16

perform - and then the specification

14:19

manual that gives us direction of site

14:21

conditions and all of the different

14:23

deliverables that are in that project

14:26

and then it goes chapter by chapter if

14:29

you will different sections different

14:32

categories that pick up every possible

14:35

piece of material and the instruction on

14:38

what to do with that material and the

14:39

workmanship that would go into it so it

14:41

basically tells you it's the place

14:43

holder if you will for everything that

14:46

needs to be done on that project to

14:48

deliver it in the way that the architect

14:50

and engineers have designed it and the

14:53

way that the end user customer wants to

14:56

build out that building or to take

14:57

occupancy of it so it's a trade

15:00

association if you will a not-for-profit

15:01

organization that's been around forever

15:03

and they're the keepers of how does a

15:06

construction project organize itself and

15:09

how does the specification manual give

15:12

direction and give contractors that have

15:15

various scopes of work give them the

15:18

proper direction and how to bid it how

15:20

to perform that work so we're talking

15:22

about like building the foundation of a

15:24

building putting up the electrical the

15:26

plumbing it's it's basically that

15:29

blueprint for success taking all the way

15:30

through there yeah and it just goes

15:32

division by division

15:33

you know from openings and doors to

15:36

ceilings to floor coverings

15:38

everything that leads up to our world

15:40

which is division 27 and 28 for the most

15:43

part and then our building automation

15:44

and control technologies are also part

15:47

of this in division 25 there's a segment

15:50

for integrated automation and then

15:52

electrical now is in its own division in

15:55

26 and then of course communications AV

15:58

that type of thing is in 27 and then all

16:00

of our security life safety fire access

16:03

controls in division 28 so most of your

16:05

members are working within that 27 and

16:07

28 range uh-huh those two divisions

16:09

right yeah correct so how I got involved

16:11

is I was the with all the 20 divisions I

16:14

was the task team chairperson for all of

16:17

the technology things when we had the

16:20

biggest sweeping change of master format

16:22

back in 2004 when division 27 and 28 all

16:26

the communication technologies all the

16:28

security technologies got pulled out

16:31

from underneath division 16 which was

16:34

electrical at the time and we were

16:36

granted basically our own divisions

16:39

which really helped springboard our

16:42

industry into recognition on projects

16:46

and recognition by architects and

16:47

engineers and builders and users as

16:49

being our own trait being our own

16:52

profession our own set of specifications

16:54

that we had to abide by and to do so we

16:58

we really as an industry and as a

17:00

technology group got that identity that

17:03

we were looking for back then and it is

17:05

it is just evolved from there that's

17:07

great

17:08

so what's cybersecurity got to do with

17:10

the master format and so forth I'm glad

17:12

you asked so the last revision I think

17:14

was 2017 or 2018 and several of us got

17:18

together and we said you know what and

17:19

we started in division 28 in the

17:21

security world because we knew at that

17:23

point the security industry was a little

17:26

bit more advanced than the AV industry

17:28

or the communication system industry and

17:31

looking at security systems from the

17:34

standpoint of mission-critical and we

17:37

were well underway with IP enabled

17:39

security cameras and access control

17:42

devices that were intelligent and remote

17:45

and everything so we thought the

17:47

vulnerabilities on the security side are

17:49

real and they're present and were

17:52

working with a lot of products that have

17:54

supply-chain origination sources of who

17:57

knows where right you know so these

17:59

products come from all over the world

18:01

and they get integrated and built into

18:04

different forms of security systems if

18:06

you will so several years ago we went

18:09

and we created a category just a section

18:14

in that division of 28 that said that we

18:17

want to have cyber security requirements

18:20

for that security so we created division

18:23

28 and then the number is zero 5.12 and

18:27

dot o 5.12 is the designation for cyber

18:30

security so what that meant was that a

18:34

security system designer or architect or

18:37

engineer could go and create a

18:38

three-part specification which outlines

18:42

you know what is the general site

18:44

conditions and requirements it outlines

18:46

what are the materials and then the

18:48

third part of it is how you go about

18:50

implementing those materials or the

18:52

system that you're putting in place so

18:54

that's the intent is they give you

18:56

direction tells you what to do and tells

18:58

you how to do it within a a

19:00

specification segment of the master

19:02

format so this year what we did was we

19:06

went back and we said the communications

19:09

division is equally now at risk

19:12

potentially because we are doing the

19:14

same thing by attaching all of these

19:17

connected devices be it IP

19:20

videoconferencing cameras be it nurse

19:23

call technology be it communication

19:26

speakers and you know the whole voice

19:28

over IP you know everything is a device

19:31

that's attached or potentially could be

19:33

to attach to a network so we said the

19:35

same thing is we have to create a

19:38

division 2705 12 as well as 25 for the

19:42

integrated automation because in the in

19:45

the world of building automation and

19:46

control there's the same vulnerabilities

19:49

right you know you think about all that

19:50

stuff with intelligent devices hanging

19:53

everywhere so so what's gonna be new

19:54

this year 2020 it got approved that

19:57

edition of 2705 12 the cyber security

20:01

requirements for communications now and

20:04

that encompasses

20:05

of your voice systems your paging

20:08

systems if you will the intercom systems

20:11

and then all of the video collaboration

20:14

unified communications video

20:16

conferencing AV displays digital signage

20:19

and all that stuff so we've got this

20:21

huge AV industry that for the first time

20:25

will start seeing sections within that

20:29

division of the master format that

20:31

requires them to Commission systems and

20:35

provide you know materials if need be or

20:37

software as need be that will address

20:39

the issue of cyber security for those

20:42

systems is it specifying what each of

20:45

these products and pieces need to have

20:47

from a cyber protection perspective or

20:50

is it more focusing on you know

20:52

deployment practices and configuration

20:55

where are those two lines yes inside of

20:57

there it could be a little bit about so

20:59

so what this gives the spec writer is a

21:01

placeholder it gives them a spot to

21:05

place the requirements that they're

21:07

looking for or in most cases it's what

21:09

the client is demanding so imagine if

21:11

you will a new hospital or medical

21:15

facility being built that end-user at

21:18

that Hospital they know all of the the

21:20

worst-case scenarios with what's going

21:22

on with ransomware and all this kind of

21:24

stuff so in no way shape or form are

21:26

they going to build a hospital that

21:28

doesn't have the specialty systems that

21:31

have the provisioning of the best

21:33

practices for cybersecurity that would

21:36

be implemented in their type of facility

21:38

so when they build the building from the

21:40

ground up they will know from the very

21:43

start of that that this particular

21:44

hospital has these requirements and best

21:48

practices from the Food Drug

21:50

Administration it could be HIPAA related

21:52

it could be a variety of requirements

21:55

that they have put in place that need to

21:57

be embedded within the systems that get

21:59

put in place from the very onset of when

22:02

that the bids or proposals or selection

22:04

of the contractors has taken place so

22:07

now you've got the the architects and

22:09

everybody looking at the placeholders

22:11

that exist in masterformat and they'll

22:14

be thinking oh my goodness now what do

22:16

we put in here what do we say about

22:18

cyber secure

22:19

when it relates to a V or any other

22:22

systems and that's when they get in

22:24

touch with consultants in our industry

22:26

or the integrators that the hospital or

22:29

schools or corporate facility want to

22:31

use and they would say what language do

22:33

we put in here and what materials do we

22:35

specify and what are the work results we

22:37

expect from that or what codes and

22:40

compliance and standards you know do we

22:42

list you know some form of NIST

22:45

standard or qualifications of the people

22:48

doing the work or do we have to have

22:49

that system tested to a certain level of

22:52

sophistication and respect to it but the

22:55

beauty of this the watershed moment that

22:58

we're going to embark upon here this

23:00

year Rob is that it's in there and it's

23:03

visible and those 46 percent of these

23:06

people that said that they had no

23:08

intention of getting into cybersecurity

23:10

they're gonna look at that for the first

23:12

time and they're gonna think oh my

23:14

goodness I should have paid more

23:16

attention back at the start of 2020 or

23:19

whatever to begin my journey about

23:22

creating that cyber posture to create

23:24

that you know what is our response plan

23:26

and I tell you that big thing that's

23:28

driving this right now is these business

23:30

associate agreements that we're having

23:31

to agree with so so especially in

23:34

healthcare the BAA

23:35

is a document that we have to agree to

23:37

that says this is how our people are

23:39

going to behave when they get on site at

23:41

this facility and this is what they're

23:43

going to do with their computers with

23:45

their mobile devices this is what

23:46

they're going to do and not going to do

23:48

with emails and Wi-Fi and they have the

23:51

same stringent requirements on their

23:53

contractors or integrators that come on

23:55

site that's what they're having with

23:57

their own employees we have to do the

23:59

training we have to do the best

24:00

practices we have to have people and

24:02

staff and certify and all this kind of

24:04

stuff so so the reality of doing our

24:07

work in the future really is now bumped

24:10

up and not you know we've raised the bar

24:12

to say that if we sell it we got a

24:15

secure if we're working on anything to

24:17

do with that network we got to be

24:19

network savvy from and not just

24:21

connecting the devices and getting the

24:23

IP addresses and all that kind of stuff

24:24

configured but we also got to be mindful

24:26

where did this product come from can we

24:28

track back to the originating source

24:31

where that chipset

24:33

came from is it counterfeit is it

24:34

authenticated you know what happens

24:36

within all of the integrity of that

24:39

system and the components of that system

24:42

as it came down through the supply chain

24:44

as it came into our place as it came and

24:46

got configured by our people and this is

24:49

our new reality right amazing and it's

24:51

got to be putting a lot of pressure on

24:52

the manufacturers as well because I can

24:55

see quickly the systems integrators

24:56

turning to them and saying you know if

24:58

you wanted us to specify your products

25:00

in here you're gonna have to match up in

25:02

the same way - so it's not just the

25:03

systems integrators the manufacturers

25:05

must be looking at this as well oh yeah

25:06

well it starts even before that imagine

25:09

an architect that skilled in aesthetics

25:11

and building these beautiful buildings

25:13

imagine him looking at that placeholder

25:15

saying oh man what do we do there so

25:17

they call the engineer and they say hey

25:19

what do we put in here and he calls the

25:21

consultant

25:22

you know our technology consultants in

25:24

our industry and they say hey what do we

25:25

put in here and they will call our

25:27

integrators and say hey what should we

25:29

put in here we call the manufacturers

25:32

say hey what do we what do we do with

25:33

this spec right and then we call you rob

25:35

yeah so that so it all it all comes back

25:39

to we got to have the right partners

25:42

with the right skill sets and the right

25:44

certifications and the right training

25:46

and knowing what we're doing with this

25:49

in order to make sure that things are

25:51

safe right this is such an important

25:54

thing here Italy is you know having

25:56

looked in the systems integration

25:57

industry and understanding the type of

25:58

work that they do you know there's the

26:01

variety of risks associated with with

26:04

their practice is so important it's not

26:05

only just as you mentioned deploying the

26:07

devices on their network I just even

26:09

think about what they receive from their

26:11

customers as sensitive information you

26:13

know they get floor plans of government

26:15

facilities or really secure facilities

26:18

that show like you know where all these

26:19

devices are being installed the security

26:21

cameras the access control points the IT

26:23

systems sometimes they get MAC addresses

26:25

and IP addresses and their cyber posture

26:28

and storing those and and utilizing

26:31

those schematics and so on and storing

26:33

them and their technicians with laptops

26:35

rolling around to different sites and

26:37

connecting it's really deep when you

26:39

think about it even to that respect and

26:41

the level of protection that they need

26:43

to put in place so I think the point

26:45

that here is that in

26:46

avoidance is not going to be an option

26:48

anymore they're gonna have to embrace

26:49

this in essence they're got to become

26:52

cybersecurity knowledgeable so that they

26:54

can do this appropriately and meet these

26:56

specifications and and in the end

26:58

protect their customers which is so so

27:00

important and then you know imagine

27:03

you've seen these before too but we have

27:05

our integrator members sending us their

27:07

applications for their cybersecurity

27:09

insurance and these things are page

27:12

after page after page of you agreeing to

27:15

have these kind of things in place and

27:18

our members are like overwhelmed by it

27:20

they're like we don't even know what

27:22

these words are that they're saying and

27:24

that's just to get an insurance policy

27:26

to make sure that you meet the minimum

27:29

standard of just being protected

27:31

so that if there is a breach that you

27:34

were party to somehow and it doesn't

27:36

even have to be your fault you just have

27:38

to be one of the many people that hung

27:40

something on that network that you know

27:42

you could be drug into this but in order

27:43

to be protected from this kind of thing

27:45

is you almost have to really immerse

27:47

yourself in understanding what it means

27:50

both at your facility you know that

27:52

first party coverage as well as the

27:54

third party coverage issues when you're

27:56

out working at someone else's facility

27:58

based on the technology that you're

28:00

you're implementing to know that you're

28:02

doing everything to the best of your

28:04

abilities and to treat everything at the

28:07

highest level of industry standard if

28:09

you will to make sure it's protected and

28:11

that's where we're struggling right now

28:12

and I think it's concerning because a

28:14

lot of them are just checking the boxes

28:15

with yeses just to get the cyber

28:17

insurance but without really thinking

28:19

that once something does actually occur

28:21

and the deep dive was performed and they

28:23

said yes but the answer was really no

28:25

that they run the risk of not having

28:27

that coverage and the protection that

28:29

they expected not a good situation I

28:31

would say about every other claim that

28:33

we hear about in the cyber breach

28:35

environment the claim gets denied by the

28:39

insurance company because they misled

28:41

them when they check the boxes as yes on

28:43

their form you're seeing incidents

28:45

discharged oh yeah all the time so

28:47

what's what's going on here and by the

28:49

way no one will admit that they're part

28:50

of a cyber breach right you know they're

28:53

like cockroaches these cyber breaches is

28:56

if you see one there's probably a

28:57

hundred that you you haven't heard about

28:59

or see

28:59

so the problem that we're having is that

29:02

people because they don't talk about

29:04

what happened or how they got hacked or

29:06

how they got breached or what kind of

29:07

vulnerability or ransomware that someone

29:10

had to pay or whatever is because we

29:12

don't want to talk about those things is

29:14

that we don't know enough about how to

29:15

prevent them either so right it's kind

29:18

of a catch-22 there so Chuck back to the

29:21

master format for a second when is this

29:22

coming into play so if someone is a

29:24

systems integrator and they need to get

29:26

things in place and start getting

29:27

organized what time frame do they have

29:29

here well they're the resolution you

29:31

know we got our proposal was approved by

29:33

the new master format task team which

29:35

I'm not part of anymore that's what I

29:37

used to be on so the resolution was

29:39

adopted and then the publication of

29:41

master format 2020 is scheduled for June

29:45

of this year okay that's coming fast in

29:48

that's not to say that every architect

29:50

in the in the country will you know as

29:52

soon as the new 2020 comes out that

29:54

they'll start writing specs based on

29:56

2020 right away it's kind of like a code

29:59

adoption you know when the NFPA code

30:01

comes out some states will take a year

30:03

or so to adopt it because they have to

30:06

do the training on it and have their

30:07

systems you know do some reprogramming

30:10

and things of that nature

30:11

so we got a little bit of time here but

30:13

I think June 2020 is kind of a wake-up

30:16

call for us to know that it's coming you

30:19

know it's not going to be not happening

30:21

so we got a we got a sooner or later get

30:24

good at it and when we start seeing the

30:25

specs come out with this later on in the

30:28

fall or maybe early next year or

30:30

whenever whenever these large and most

30:33

large architectural firms do it op the

30:35

new master format right away but some

30:37

don't but when the next big project

30:38

comes it's using master format 2020

30:41

that'll be one of the placeholders or

30:43

provisions in there so I would have the

30:46

listeners our members that are involved

30:48

in this get on it sooner rather than

30:49

later yeah it's an awareness time right

30:51

now getting the word out there I can see

30:53

or it feels like to me that there's

30:55

probably other divisions that are gonna

30:56

come have to add similar practices if

30:59

you think about even just the electrical

31:01

side of things you know all their stuff

31:03

is all connecting into the the network

31:06

as well I do you expect that you'll see

31:07

that grow within the master format

31:09

itself I didn't get involved in any of

31:12

those other divisions

31:13

time around right so I I don't know but

31:15

it wouldn't surprise me you know you

31:17

think about building automation control

31:19

that's a no-brainer and then then you

31:20

think about security that was a

31:22

no-brainer because everything is IP

31:24

enabled now and and now you think about

31:26

AV systems and man with all the voice

31:30

over IP devices and all of the you know

31:33

almost everything everything that would

31:34

be a p OE connected device of some sort

31:37

or Wi-Fi enabled or something like that

31:40

you've got to take this into account

31:41

everything is getting connected to the

31:43

network that I think yeah alright so

31:46

Chuck I've been lucky enough to work

31:47

with you for years and I know you do

31:49

other wonderful things and it takes a

31:51

lot to get you to really don't want to

31:53

use the word brag or boast because you

31:54

know you never do that but I want you to

31:56

just share with some people about some

31:58

of the other amazing things that you

31:59

know you and the group have been doing

32:01

in regards to cyber security

32:03

improvements you mind doing that for a

32:04

second for me no you know and that in a

32:07

good way to frame it up is to get people

32:09

to go to our website it's nsca dot o-r-g

32:12

and then click on our advocacy page and

32:15

advocacy is a word for just us being

32:19

proactive we consider ourself to be the

32:21

voice of the integrator and so advocacy

32:24

is just us working around the clock to

32:27

make sure that we are creating the best

32:29

possible business environment we can for

32:31

our members and then when you click on

32:33

that advocacy page there's a tab called

32:36

track legislation an under track

32:39

legislation a big old map of the United

32:41

States will come up and in that map we

32:44

track all of the different bills and

32:46

pieces of legislation that's taking

32:48

place that deals with things like codes

32:51

and compliance and school safety and

32:54

regulations and a bunch of things but

32:57

one of the most interesting tabs to

33:00

click on is the one that says cyber

33:01

security and when you look at that you

33:04

can see all of the bills both on the

33:06

state level and at the federal level of

33:09

new discussions and hearings that are

33:12

taking place and potential new laws and

33:15

code requirements and provisions that we

33:19

have to possibly adhere to right away

33:22

that will prescribe if you will or

33:24

define what type of Cyprus's

33:27

security things that we need to be doing

33:29

as system integrators across all of the

33:32

different types of work that we do and

33:34

what we're working on myself and our

33:37

friends at the Alliant group that does

33:39

our R&D tax credits for our members what

33:42

we're trying to do is to get a law

33:44

passed or to get some form of

33:47

legislation out there that isn't

33:49

punitive in nature in other words a lot

33:51

of these bills will find us if we do the

33:54

wrong thing what I'm trying to do is to

33:56

get a group of people together that will

33:59

say hey as a lawmaker let's put a bill

34:01

out there that says we will reward you

34:04

if you do the right thing instead of

34:06

finding if you do the wrong thing so so

34:08

what we're hearing yeah so what we're

34:09

thinking about is could there be a tax

34:11

credit involved for companies who take a

34:14

proactive approach and to be able to

34:16

hire a chief information security

34:18

officer to be able to put in the systems

34:21

that they need we're talking a small

34:23

business primarily is to be able to

34:25

equip their company with the knowledge

34:27

the training the equipment the

34:29

technology the awareness and all of this

34:32

stuff that would make their company

34:33

better so that they're not putting

34:35

themselves or their employees or their

34:37

customers at risk let's get a group

34:39

together to say as advocates for

34:41

advancement of cyber and getting out

34:44

ahead of all this stuff and being a

34:46

leader in the United States and what

34:47

we're doing is let's let's rewrite the

34:49

laws to say quit fining us for doing the

34:53

wrong thing but give us an incentive to

34:55

do the right thing so that's my that's

34:57

my latest soapbox is to is to get

34:59

something like that going but we started

35:01

codes and compliance committee you know

35:03

this year so we're doing a lot with

35:05

helping our members identify what type

35:07

of code language that they have to

35:09

adhere to and what kind of conflicting

35:11

codes that are out there so we have

35:13

several directives from like testing

35:16

agencies and different things about how

35:19

things should be treated for safe

35:20

practices of things and they conflict

35:22

with like an NFPA code or something so

35:25

we're helping our members now this year

35:26

more than ever

35:28

realized that they are the responsible

35:30

party when it comes to closing out a

35:32

project to make sure it's code compliant

35:34

and if any of these projects are calling

35:37

for certain cybersecurity provisions and

35:39

they're the responsible party

35:41

is we really have to step it up here at

35:43

NSCA to make sure that our members

35:45

understand what they are being held

35:47

accountable for and responsible for and

35:49

the big news on that really is that we

35:53

can no longer rely on any one individual

35:56

manufacturer when we ourselves as

35:58

integrators are connecting multiple

36:00

systems together so how can one

36:02

manufacturer in a system that has maybe

36:04

ten manufacturers involved in the

36:06

overall solution

36:08

how can one manufacturer be held

36:10

responsible if something may have

36:11

happened over here in this side of the

36:13

system chain you know right right it all

36:16

comes back to we are the responsible

36:19

party and that's what the code officials

36:21

the hjz well that's what everybody is

36:23

telling me is that we've got to get our

36:26

members up to speed you know we are

36:27

going to be these technology solution

36:29

providers we got to get our members up

36:31

to speed quickly on what are the

36:33

requirements and expectations of those

36:35

systems and cybersecurity is bubbled

36:37

right to the top as you know well Chuck

36:39

thank you so much for for joining me on

36:41

the podcast I really appreciate you

36:43

you're doing amazing work you and the

36:45

team there at the nsca and I think it's

36:47

really exciting to see the cybersecurity

36:48

side you know come together on the

36:51

construction side with systems

36:52

integrators and the work that they're

36:54

doing I think in the end you know the

36:55

industry is changing and those changes

36:57

in the end are gonna protect the

36:59

customers and is really important so

37:01

thanks again for joining me Chuck really

37:03

really appreciate it yeah thanks for

37:05

thanks for having me and thanks for

37:07

being such a good partner with NSCA on

37:09

all this Rob we're dependent on you man

37:11

because it's a big big deal and you know

37:13

you be in the partner that you are it's

37:15

just it's been wonderful and you and

37:17

you've helped us out here internally

37:19

immensely so we take advantage of the

37:21

services ourselves and we we have taken

37:23

our cyber posture from you know

37:26

something we weren't very proud of when

37:27

we started and now we are what I feel

37:29

much much better shape now internally as

37:32

well so thank you for helping us with

37:33

all that well you're welcome Chuck

37:35

thanks so much

37:36

[Music]