printer friendly version

Cyber-securing your surveillance infrastructure

Anyone who thinks that cybersecurity is not a component of their surveillance infrastructure may be in for a big surprise. There are more warnings, studies and research reports than ever before about the damage cyberattacks are wreaking in all industries around the world, as well as insane amounts of money that is lost every year due to cybersecurity failures.

Surveillance equipment is no stranger to cyberattack, as we have seen cameras and recording devices used for massive attacks on a global scale as far back as 2013 – and those are only the reported attacks.

Of course, the attack surface of a surveillance installation has more components than simply the camera and the storage device. As demonstrated at iLegal 2019 earlier this year, the control room is a goldmine for hackers as it incorporates a full IT infrastructure of electronic, connected components that can be compromised, providing access to sensitive data and/or the corporate network. In addition, in many control rooms that make use of poorly trained staff, these control rooms are full of the weakest link in all security fields – humans.

To try to get a better picture on what some vendors are doing to protect their surveillance customers from cyberattacks, Hi-Tech Security Solutions asked two global leaders in the surveillance market for some input into their cyber-defence strategies.

A natural connected target

Brent Cary.

Brent Cary, regional sales manager at Genetec, confirms that IP security cameras and other security devices are by their very nature connected to the Internet. That’s what lets users access them remotely to check in on their business, and what lets manufacturers update device software without having to make a house call. But this feature can also be their Achilles’ heel.

“When not secured properly, any camera or access control device in the so-called Internet of Things (IoT) can be accessed remotely by just about anyone, not just those with whom you want to share access,” Cary explains. “Similarly, unencrypted communications between a server and client application, or out-of-date firmware can all be exploited by cybercriminals, potentially putting an entire organisation’s network at risk.

“And that’s a big problem for the physical security industry.”

Cary adds that, according to industry analyst firm, Gartner, by 2020 more than 25 percent of cyberattacks in enterprises will involve IoT devices. And yes, that includes the very devices that are supposed to help keep us safe. More than 60 percent of cyberattacks are currently on small- to medium-sized businesses and small businesses are particularly vulnerable to these threats. Sixty percent of small companies are unable to sustain their business beyond six months following a major cyberattack.

Attacks on large businesses are also enormously expensive. According to a 2018 study by IBM and the Ponemon Institute, the average data breach costs companies US$ 3,86 million and large-scale breaches can surpass US$ 350 million.

“You simply cannot afford to take any risks when it comes to protecting your physical security system against cyber threats. The good news is you have help in the fight. Reputable physical security manufacturers and software developers have established a multitude of ways to protect against cyber threats. And those that are most trusted don’t just stop there. They literally ‘attack’ themselves in an effort to determine if their products really provide the protection they say they do.

“Another key partner that can help you protect against cyber threats,” says Cary, “are trusted systems integrators who are in the field recommending and installing these physical security solutions.”

Hikvision is another company that has been in the midst of cybersecurity news for some time.

Securing the full supply chain

Andrew Mu, Hikvision South Africa’s product marketing manager in the company’s Africa business department, says the security of products, including cybersecurity, is always a priority.

“We have adopted a comprehensive security strategy to cope with the challenge of cybersecurity, covering different aspects, from product security baselines to R&D; process security, supply chain security and so on.

“Strict security baselines have been set for Hikvision products, such as specifications and standards for secure coding, safe password usage, security certification, security testing, security incident management, etc. And at the beginning of the R&D; process, we have incorporated a broad range of security activities in security design, security development and security testing.”

For its supply chain security, Mu says Hikvision uses anti-tampering, anti-implantation, anti-replacement and other security management measures during key stages of product manufacturing to ensure its products are secure from the first step.

Furthermore, he says Hikvision’s Security Response Centre has been a member of the Forum of Incident Response and Security Teams (FIRST), which is a recognised global leader in incident response. In addition to this, Hikvision is a CVE Numbering Authority, part of the family of global companies who maintain the CVE vulnerability library (Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities).

Identity management for security?

As far as Genetec is concerned, Cary explains that the company provides secure, audited and compliant solutions that help customers protect their privacy without compromising security. “We help to incorporate multiple and varied lines of defence, otherwise known as a ‘Defence-In-Depth’ cybersecurity strategy, to face common and emerging threats, and secure customers’ environments. Data captured by our unified security system for management, analysis, and storage, is protected by strong encryption, authentication, and authorisation methods.”

Encryption is the process through which data is encoded so that it remains hidden from or inaccessible to unauthorised users. It helps protect private information, sensitive data, and can enhance the security of communication between client apps and servers. When your data is encrypted, even if an unauthorised person, entity, or cybercriminal gains access to it, they will not be able to read or understand it.

Authentication is the process of first determining if an entity – user, server, or client app – is who or what they claim to be, followed by verification of if and how that entity should access a system. Depending on the setup, authentication can occur on either the client side or server side, or at both ends. Client-side authentication uses username and password combinations, tokens, and other techniques while server-side authentication uses certificates to identify trusted third parties. Two-factor authentication refers to two forms of authentication used in combination.

Cary adds that authentication is an important tool for keeping your data from getting into the wrong hands. “It prevents unauthorised access and ensures that your security personnel are, in fact, the ones accessing your system when they log in. This means hackers can’t pretend to be a security server in order to take control of, manipulate, or copy your valuable and sensitive data.”

Authorisation is the function that enables security system administrators to specify user or operator access rights and privileges. Administrators restrict the scope of activity on a system by giving access rights to groups of individuals for resources, data, or applications and defining what users can do with these resources.

“When administrators manage what their personnel can see and do, they are ensuring the security of the data transmitted and stored within the security system,” Cary notes. “This is a key way to increase the security of the system as a whole, as well as enhance the security of the other systems connected to it.”

Securing the edge

Hikvision also has a complete product security architecture to protect the security of customers’ devices, data, applications and networks. “For device security, we have secure booting, software updates, a security chip, security shell and key management functions to do the protection,” states Mu.

“And to ensure the security of customers’ data, we include user data protection, storage media encryption, digital watermarking and audio and video data security systems in our products. For application security, application code signing, ID authentication, cryptographic algorithms, access control, log audit and component security are used to make the application secure.”

For the secure transmission of data, various tools like secure protocols, secure network services, session security, WLAN security, port security, IP filtering and Web security have been adopted to protect the network from cyberattacks.

Harden your surveillance infrastructure

Any surveillance infrastructure has myriad components that make up the full solution and any of these components and the connections between them could be a vulnerability. Installers and integrators, as well as the customer’s own technical team, need to ensure they do all they can to harden their infrastructure as a primary defence against cyberattacks. The processes one goes through start with simple, easy wins, and extend to more complex defences.

“Security management is one of the most important elements in product security,” says Mu. “For technically safe systems, if the user cannot manage and operate their system well, security cannot be guaranteed.”

He suggests the following as a start:

• Create a strong password for devices and the operation system.

• Use the ‘illegal login lock’.

• Set security questions for resetting the password.

• Choose a secure user authorisation management method.

• Backup important data.

• Regularly check and upgrade the firmware.

“All too often, people are the weakest link when it comes to cybersecurity breaches,” states Cary. “Employees not changing default passwords on IoT devices is an easy way for opportunistic cybercriminals to gain access to your system. Brute force attacks consist of criminals guessing passwords, packet sniffing that captures network traffic, and man-in-the-middle attacks eavesdrop on communications between two systems, using the gained information to their advantage.

“Most physical security solutions are a work in progress with new devices being added to expand the system or to replace outdated or broken products. The process of adding new equipment – perhaps from a different manufacturer with less secure standards – is another opportunity for a vulnerability.”

He warns that while emboldened cybercriminals may have increased the scope of their attacks, that doesn’t mean customers are defenceless.

“One of the most important ways to combat cyber threats is with a plan. Companies must develop training and educate their workforce as to the importance of best practices and the diligence in adhering to company policy. Choosing a systems integrator that recommends only the most trusted manufacturers and emphasises the importance of cybersecurity is a good start. Together, you’ll need to develop a solution that implements multiple layers of cybersecurity, including encryption, authentication, and authorisation to your critical business and security systems.”

The best-of-breed question

Given the amount of work vendors are putting into cybersecurity these days, there are many defences when one standardises on a single brand for your entire infrastructure – although this is no guarantee that you are cyber-secure. Cary is adamant: “You can never be complacent when it comes to cybersecurity.”

However, he also notes that with the almost daily reports of another hack or security breach, many are starting to suffer from cybersecurity awareness fatigue. Nonetheless, nobody can afford to become complacent in the war against cybercriminals. “Once you’ve strategised and invested in a cybersecurity strategy to protect your physical security investment, it’s important to remain vigilant.”

He offers the following pointers:

• Only choose trusted and reputable security product manufacturers who are committed to protecting your organisation from cyber threats. There are a number of governmental and organisational compliance requirements when it comes to information protection and privacy. Be sure to choose a company that takes these requirements seriously.

• A company that’s serious about cybersecurity will also conduct its own penetration testing. Penetration tests should be done on a recurring basis to catch any vulnerabilities that could have been missed during product development and to guard against new forms of cyberattack.

• When working with a systems integrator to develop or maintain a physical security solution, it’s important to share your concerns about cybersecurity at the onset. A systems integrator must consider cybersecurity a top priority and should only recommend products from trusted manufacturers who are also committed to protecting your system.

• To mitigate the financial risk of cyberattacks, some companies are also turning to cyber liability insurance. It’s a relatively new type of coverage offered by insurance companies to protect businesses against Internet-based threats and data breaches. While not a ‘get out of jail free card’, cyber liability insurance will give integrators peace of mind and allow companies to access funds to manage a cyberattack response and keep the business running.

Adding to these pointers, Mu notes that the security of a system cannot be guaranteed by the security of a single point. The entire system must be secured. “To ensure the security of video surveillance systems, the front-end, back-end, network, security devices and the platform system must work together and complement each other to form a system that provides ‘Defence In-Depth’. A cybersecurity issue with any device in the link will be a vulnerability that could expose the entire system.”

Another important issue to consider, according to Mu, is that if the user cannot manage or operate the management system properly, security cannot be maintained. Users also need to develop good security habits, take regular note of security announcements from manufacturers, update to the latest firmware and install patches as soon as possible.

It impacts everyone

Mu adds that while we have seen the benefits the digital and networking revolution brings to the surveillance industry, we have also witnessed the slow spread of various types of malicious cybersecurity attacks to the surveillance industry.

“Cybersecurity is not just a problem for certain countries and companies. All stakeholders, including users, system integrators, operators, system designers, service providers, and government agencies must understand that cybersecurity is a problem that everyone faces, and that all should adopt best cybersecurity practices in their operations.”

Cary notes that Genetec focuses on providing customers with secure physical systems that protect people, assets, and spaces while maintaining personal privacy.

“Regardless of where customers fall on the security vs. privacy scale, we want to help our customers address their concerns. At Genetec, we do this by offering solutions that have strong built-in encryption, including end-to-end encryption from cameras to client stations, and ensuring that all client-to-server and server-to-camera communications are encrypted. In addition, we also support strong authentication mechanisms, including TLS and claims-based with ADFS (Active Directory Federation Services), and provide organisations with the ability to set authorisation parameters to protect video data and privacy.

“We also believe that, to be truly effective in this industry, we must strive for transparency. Hiding issues or developing a fix in secret doesn’t work. After all, the nature of security is always changing. New threats are emerging and hackers are constantly looking for new ways to breach a system. Just because an organisation’s system is secure today does not guarantee that it will remain that way in the future.”

In concluding, Cary adds a bit of common sense that is, unfortunately, not yet all that common in the security industry in general: “Understanding the risks and the solutions as well as engaging in open communication helps everyone.”

For more information contact:

• Genetec, Brent Cary, [email protected], www.genetec.com

• Hikvision South Africa, +27 87 701 8113, [email protected], www.hikvision.com

Share this article:

Further reading: