In today’s interconnected security industry, there are more cameras, IoT, and edge devices “talking” to each other than ever before. Modern IP cameras have powerful processing, networking, and storage capabilities that make them incredibly versatile, while cloud technology enables more data storage, and the internet connects them all.

But there’s a downside to all this progress: more devices, cloud usage, open source software components, and internet connections also mean more exposure to cyber risk.

More IoT devices, a larger cloud presence, and ransomware converge to create a bigger cybersecurity threat in video surveillance, says David Brent, senior cyber and data security training engineer for North America, Bosch, Fairport, N.Y. Hacks are on the rise because of more remote work, and with an estimated 38.1 billion IoT devices now on the web, with public-facing IP addresses and open lines, hackers can do a lot of damage, he says.

“When left unsecured, IoT devices such as network cameras inevitably increase the attack surface,” says Dr. Peter Kim, global technical consultant at IDIS America, Coppell, Texas. “The sheer volume of IoT devices that have been added to an organization’s network, often without involvement of the IT department, has certainly increased concerns and vigilance.”

The transition from analog to IP in video surveillance has contributed to increased cyber risk. “Ever since IP-based systems and cameras started dominating the video surveillance industry, we have seen a growing rate of cyber-related issues,” says Guy Arazi, director of product development at Vicon, Hauppauge, N.Y. “Cybersecurity issues are also affecting the general IT side of the house, but the transition from analog to IP in the video surveillance industry may have created a knowledge gap that does not exist on the network-savvy IT world.”

6 Tips to Prevent Video Cyber Attacks

1. Change default and weak passwords.

“Eighty percent of hacks are due to weak passwords.” – David Brent, Bosch

2. Ensure that all upgrades and patches are installed.

“As new threats emerge and hackers become more sophisticated, it’s important that both manufacturers and their integration partners work together to provide software and firmware updates, so customers are not left vulnerable to new attacks.” – Dr. Peter Kim, IDIS America

3. Maintain a detailed asset inventory. 

“Knowing what devices you have, what vulnerabilities can be exploited on them, what firmware version they are on, and when passwords were last updated on them can direct what actions need to be taken to secure them.” – Bud Broomhead, Viakoo

4. Train employees on prevention. 

“The No. 1 vulnerability is end users. The weakest link in any system is an untrained person. I once had someone in a class who worked for an integrator and was late because his truck was stolen. His Notepad was in there, and all the passwords for all the systems he managed were on there.” – David Brent, Bosch

5. Implement multi-factor authentication (MFA).

“End-to-end systems that use certificate-based mutual authentication and proprietary protocols are one of the safest surveillance tech options to ensure cybersecurity. … This means there is a guarantee that the video feed is coming from a camera paired with an NVR. It’s cybersecurity working behind the scenes, without human interaction, once again taking human factor out of the cybersecurity equation.” – Dr. Peter Kim, IDIS America

6. Adopt a zero-trust approach.

“The move toward a zero trust environment, where each person and/or device must prove their identity and access rights to video surveillance systems individually rather than simply having access to a network. This is being driven by industry experience with how threat actors gain access to trusted networks, increased customer awareness and sophistication, and new technical capabilities in the video market.” – Vijay Dhamija, global video engineering leader, Honeywell Building Technologies, Atlanta

“Using certificates (802.1x and TLS/SSL) to authenticate device identity and to encrypt device traffic… is central to having a zero trust architecture, and many organizations that have moved to zero trust are now extending that to IoT devices, including cameras and access control.” – Bud Broomhead, Viakoo

Edge devices such as cameras, network video recorders, and encoders are more prone to hacking, Arazi says. While the primarily Windows- and Linux-based servers running official operating systems are regularly updated by the OS manufacturer to address loopholes and security gaps, IoT-type devices depend on the specific manufacturer following up and providing firmware updates — which don’t always arrive fast enough and typically don’t auto-update, he adds.

More complex devices that can do more are especially prone to hacking. “The challenge in the industry is the components used in video surveillance systems have traditionally been neglected and not upgraded as steadfastly as other components in a corporate IT system,” says Dean Drako, founder, president and CEO, Eagle Eye Networks, Austin, Texas. “A video surveillance upgrade process would require taking down the system, which might be different in every building and not necessarily wired into corporate IT, so it’s often neglected.”

Cameras have always been a target because they give an attacker a way to view what is going on at a certain site, says Steffen De Muynck, senior product manager, Teledyne FLIR Security, Wilsonville, Ore. “This information in the wrong hands can be used to facilitate breaking and entering, blackmailing, and much more,” he says. More insidiously, “The security cameras can also be used as a stepping board to attack other assets in the network of a customer, or can be used to form a botnet that can simultaneously attack a specific target,” he adds.

More businesses are reporting that a quarter of their physical security environments are in the cloud or a cloud hybrid, according to Genetec's "State of Physical Security 2021" report. // IMAGE COURTESY GENETEC

Over the last several years, there have been some dramatic examples specific to the security industry, with several top manufacturers grappling with hacks that arose from IP camera breaches. One of the most recent attacks required the manufacturer to shut down all systems to limit the fallout. And one of the biggest security camera hacks exposed footage from more than 150,000 connected cameras in use inside schools, jail cells, hospital ICUs, and major corporations.

“Not properly securing IP cameras and other devices by allowing them to be directly accessible from the internet is the biggest source of cyber risk in video surveillance,” says Chuck Davis, vice president, global information security at Hikvision, City of Industry, Calif.

Bud Broomhead, CEO of Viakoo, Mountain View, Calif., agrees. “The IP cameras themselves are the biggest source of cyber risk. In reality, these are powerful Linux servers, sometimes hanging outside a building with exposed ports — of course, threat actors see them as the low-hanging fruit when breaching an organization.”

The Pandemic Plays a Part

Just as it affected so many other areas of life, the global pandemic and an increase in remote work upped the ante on video surveillance cyber risk — and cybersecurity in general.

According to Genetec’s “State of Physical Security 2021: Adapting to an Uncertain Future,” cybersecurity will be a top priority for businesses in 2022. Thirty-six percent of respondents globally are looking to invest in cybersecurity-related tools to improve their physical security environment in the next 12 months.

Cloud: More or Less Secure?

While a recent survey by Genetec finds some businesses are reluctant to transition to the cloud due to cybersecurity concerns, 35 percent of respondents have triggered or accelerated their cloud strategy specifically related to physical security. // ATOMICSTUDIO/ISTOCK / GETTY IMAGES PLUS VIA GETTY IMAGES

Thirty-five percent of respondents to Genetec’s “State of Physical Security 2021: Adapting to an Uncertain Future” indicated that the pandemic had either triggered or accelerated their cloud strategy specifically related to physical security, an increase from last year’s survey when 31 percent indicated the same.

Genetec also found that large organizations are more open to cloud solutions, with 30 percent of respondents having deployed at least some video surveillance as a service (VSaaS). “Responses clearly indicated that this trend toward the cloud will continue,” the report finds. “Forty percent of companies who have deployed less than 50 percent of their physical security environment to the cloud, indicated plans to begin or further deploy parts of their security solution to the cloud.”

However, the report also found that cybersecurity concerns deter cloud adoption, and that most physical security deployments remain on-premises. “Cybersecurity concerns were highlighted overall by respondents as one of the major reasons deterring them from cloud adoption,” the report finds. “End users from financial institutions, transportation, and government are the most concerned.”

Views on cybersecurity varied among respondents based on the number of cameras they managed. End users whose organizations had fewer than 500 cameras installed ranked “cybersecurity vulnerabilities” most commonly as a top threat faced by their organization. Yet, these same end users were less likely to have installed “cybersecurity-related tools” in their physical security environment compared with end users whose organizations had greater than 500 cameras installed.

“Sometimes we talk about the cloud being more or less secure; my opinion is that it depends,” says Mathieu Chevalier of Genetec. “In general, people might think the cloud is less secure because you have less control. But if you choose a provider carefully, it can actually be more secure because now all the stuff that’s hard to do at scale is being done for you by the provider, such as strong password updates,” he says. “In general, for systems, it’s hard to compete on the maturity of a cloud provider in terms of security compared to what an in-house team can do.”

Dean Drako of Eagle Eye Networks agrees. “There’s a trend toward cloud to keep video safe, to give it to a professional security company rather than putting it in the mattress or the basement of a building,” he says. “Cybersecurity gets a lot more attention.” Eagle Eye just completed a SOC 2 audit and regularly does penetration testing and other methods to secure the cyber nature of cloud, he says. “Customers are starting to realize that the cloud is significantly more secure for video surveillance than an on-premise system. Twenty years ago, your magazine would have been operating its own email server and trying to keep it secure from Russian hackers. … Just as email and CRM and taxes have moved to the cloud, video surveillance is also moving to the cloud and getting the same benefits with cybersecurity.”

In last year’s report, organizations named their top challenge as managing employee and visitor safety. This year, visitor management dropped to No. 5, with cybersecurity taking over as the No. 1 challenge. A reason for this is that more employees are working remotely, and as a result, more organizations are seeing an increase in cyber-crime.

“Throughout the COVID pandemic, the world saw an exponential rise in the frequency of ransomware attacks, with many aimed at schools and universities,” Kim says. “In some cases, their video was connected to networks, and many chose to rebuild, including backups, rather than paying ransomware demands. … This meant they not only suffered severe impacts to learning continuity over weeks and even months, but they were left without surveillance monitoring or recording, leaving them vulnerable to physical security threats or the ability to meet insurance requirements, health and safety obligations, duty of care and related compliances.”

Weaseling Into the System

While there are several ways hackers can wreak havoc once they’ve weaseled into a system, the primary threat comes from using access from cameras to move laterally into the corporate network.

To hackers, video surveillance systems are not an end in themselves, but rather a “vector to potentially get into the network and thereby get access to other things; that’s the real threat or concern around cybersecurity for video surveillance,” Drako says. “It’s an access point to the network where they can sift around and try to find other things that are not properly secured, like laptops or customer databases, where they can encrypt everything for ransomware.”

Once the bad guys get in, things can get really ugly. “Backdoors allow hackers to strike using a range of Mitre malware variants, which then issue system commands,” Kim says. “Others, such as Mimikatz and ELoader, are designed to steal usernames and passwords, while REvil is a ransomware family designed to encrypt data and drives to extort payments. And these are just some of the most popular types of malware and ransomware we’ve seen increasingly used in the last couple of years in various guises.”

While the malwares’ names may change, the games are mostly the same. Ransomware, which hackers install on a computer or device after gaining access through a successful phishing attack, is still the No. 1 threat, Hikvision’s Davis says. “Ransomware quietly encrypts all of the files and folders on your computer, and any data on connected USB or mounted shared drives, and then uploads the decryption key to the threat actor who tricked you into installing the ransomware,” he says. “You’ll only receive the decryption key from the ransomware threat actor after paying the ransom fee.”

The scam is so popular that ransomware as a service (RaaS) is now a viable business model on the dark web, with organizations like Conti Group structured and running it like a legitimate business, Brent says. (A recent article in ThreatPost describes the group as offering bonuses, employee of the month, performance reviews, and top-notch training — with many of its employees believing it’s a legitimate business.)

Often hackers gain access through spear phishing, accessing a company’s org chart and impersonating executives to get users to click on links in what looks like a legitimate request. Impersonation of corporate executives in email can help hackers misdirect money by using stolen information about the executive to make the spear phishing emails look real, Drako says.

And then there’s the growing threat of deep fakes, which involve malicious editing of video acquired from surveillance systems, Kim says. “Malicious editing represents one of the fastest-developing threats to the credibility and value of video surveillance solutions. … Malicious actors can weaponize an organization’s own recorded footage against them. Every interaction and incident recorded by a video security camera on a site can now easily be altered if the integrity of that footage is not protected with the right technology and falls into the wrong hands.”

More Exposure From Russian Threats

Cyber warfare attacks by Russian government-sanctioned hackers like Fancy Bear are becoming more of a threat to Western democracies, especially since Russia’s invasion of Ukraine. // BeeBright/iStock / Getty Images Plus via Getty Images

The recent Russian invasion of Ukraine has increased the threat level of cyber breaches, both for government entities and businesses in Western democracies.

“From a cybersecurity standpoint with Ukraine, it has lots to do with the fact that we are so reliant on communications via IP,” says David Brent of Bosch. “Most phone providers don’t use copper anymore. There are miles and tons of it in the ground that are dark because everything has gone IP. … The Ukraine people are sending things via telegraph because they can’t communicate by cellphone. … The Ukraine situation is what every country faces if an actual war starts at any point. Cyber is now part of standard war.”

While an attack on a surveillance system is unlikely to lead to devastating consequences, “We are now seeing the start of widespread cyber-warfare often conducted through Russia’s GRU, the country’s military intelligence service and a government-backed group of hackers, Fancy Bear,” says Dr. Peter Kim of IDIS America. Recent examples of what Kim calls “cyber warfare” include the February attack on Expeditors International, which disabled one of the U.S.’s largest logistics operators; a successful hit on the Colonial Pipeline carrying petroleum from Texas in May 2021; and a thwarted attack at a water treatment plant in Florida last year. “It’s already clear that high on the list will be critical infrastructure including utilities as well as transport links, while banks and payment systems are also vulnerable,” Kim says. “But equally, hackers will use tactics to pester, disrupt, cost money, and generally undermine day-to-day business operations, and that could include disabling vulnerable company IoT devices such as those that form surveillance systems.”

Fixing the Vulnerabilities

The only upside to all this criminal activity is that high-profile breaches have made customers more aware of the need to put cybersecurity first when purchasing or upgrading a video surveillance system — and it’s made manufacturers more vigilant about troubleshooting their products.

“In recent years, system and network administrators have become more informed about certain vulnerabilities associated with current video surveillance systems, and have raised the security level accordingly,” Arazi says. “This, combined with steps taken by the manufacturers, has resulted in safer practices and ultimately a more secure system.”

But end users are still ultimately responsible for securing their video surveillance systems. Rotating passwords, using strong user IDs and multifactor IDs, updating camera firmware or OS, patching vulnerabilities quickly, and using certificates are the basic steps customers can take to secure their cameras and video surveillance systems.

“The biggest trend I’m seeing is to bring IT security best practices into physical security systems,” says Mathieu Chevalier, principal security architect and manager, Genetec, Montreal. “The reason for this is the convergence between those worlds. More IT systems are being used for physical security protection … and cameras are becoming more like computers, with lenses that can send video back to the network.”

For their part, manufacturers are doubling down on penetration and third-party testing to help find and fix vulnerabilities. “The top trends we are seeing in securing video surveillance systems against cyber risk include the hardening of edge devices that sit on the IP network, such as cameras and other devices like speakers,” says Kirk Tashjian, product manager, video systems, Identiv, Santa Ana, Calif. “We are continuing to follow the cybersecurity trend of protecting computer hardware the same way the entire IT industry protects other infrastructures. We are also engaging third-party experts to support the hardening of computer equipment and edge devices.”

Cybersecurity was one of the top challenges named by organizations in 2021, with 52 percent of respondents pointing to cyber vulnerabilities as a prime concern, according to Genetec's "State of Physical Security 2021" report. // IMAGE COURTESY GENETEC

When selecting a vendor, end users and security integrators must do their homework on how stringent the vendor is about cybersecurity for its products. “If I’m looking at a vendor, I want to know if they’re using secure engineering process (SEP), just from a certification standpoint,” Brent says. “If they have SEP, that means everything they do before releasing a product has been tested.” Other boxes to check are whether the vendor conducts internal and external penetration testing, who produces the product’s CVEs (Common Vulnerabilities and Exposures), and whether they’re using vulnerability scanners that show IP addresses and which ports are open on specific products, he adds.

Standards compliance is another way manufacturers can keep products safe. National Defense Authorization Act (NDAA) standards helped increase the cybersecurity of many government and federal loan recipient implementations by banning the use of specific Chinese products that had been prone to vulnerabilities for years, Kim says. Additionally, a proposed FCC ban that will extend that protection for smaller organizations will also help if imposed later this year, he says.

NIST 800, primarily used in corporate or government network deployments, is a set of technical publications that details United States government procedures, policies, and guidelines on information systems. And the Security Industry Association (SIA)’s Security Industry Cybersecurity Certification (SICC) is the first industry-focused credential specifically for cybersecurity in physical security systems, Kim says.

Additionally, the Biden administration in 2021 signed an executive order to improve cybersecurity with the specific goals of enhancing software supply chain security, improving detection of and response to cybersecurity vulnerabilities and incidents on federal government networks, and modernizing federal government cybersecurity with tools like a safety review board, says Davis of Hikvision.

However, cyber threats are constantly changing, and the industry must stay ahead of the curve on emerging threats. “It is all a risk,” Tashjian says. “Everything needs to be watched and protected, from edge devices to the computer sitting in the server rack. Following a manufacturer’s prescribed hardening guides is key to having a successful system free from the risk of cybersecurity issues.”