Workplace changes wrought by the COVID-19 crisis and a never-ending barrage of new threats are causing more organizations and their IT departments to get serious about cybersecurity — and security manufacturers are responding with tighter standards and secure practices for their video surveillance devices and systems.
Cyber hygiene is especially important for cameras and video surveillance systems, which users have perceived as being especially vulnerable to cyberattack.
“Over the past year, we’ve seen an increase in demand for better protection, because there are more threats — and more bad actors — working to attack than ever before,” says Greg Tomasko, applications engineering leader at Honeywell Building Technologies, Charlotte, N.C.
“The biggest change on the human side has been the acceptance that cybersecurity is a problem,” says Will Knehr, senior manager of information assurance and data privacy at i-PRO Americas Inc., Houston. “In the past, I always needed to explain to an organization why cybersecurity is important, but now organizations seem to understand that already, and they are just looking for a solution. Cybersecurity isn’t just a technical problem; it’s a business problem, a financial problem and a public image problem. The implications that an attack can have are far outside of just losing a computer system; it could mean losing customers and big fines, hitting businesses right in their wallets. Investment in cybersecurity is crucial for protecting customers, employees and profits.”
Bosch has been involved in cybersecurity since 2005, and has provided a Cyber Security for IP video certification course since 2016. // IMAGE COURTESY OF BOSCH
Part of the change in attitude is probably due to the steady increase in high-profile security breaches in recent years. According to news source Cyber Security Hub, there were more than 4,100 publicly disclosed security breaches in 2022, with victims including Twitter, Uber and WhatsApp. In March 2023 alone, hackers struck AT&T, the U.S. Marshals Service, and thousands of U.S. lawmakers and government employees who had sensitive data exposed in a breach on DC Health Link, a health insurance provider for Congress.
While none of these specifically involved video surveillance systems, they certainly helped raise awareness about cyber threats in general and increase customer demand for more security.
“End customers have taken a much more aggressive approach to cybersecurity policy. They are requiring vendors to submit vendor risk assessments that go beyond an individual product’s cybersecurity protections and holistically look at the vendor’s cyber capabilities,”
— Ryan Zatolokin, Axis Communications
“End customers have taken a much more aggressive approach to cybersecurity policy,” says Ryan Zatolokin, senior technologist, business development at Axis Communications, Chelmsford, Mass. “They are requiring vendors to submit vendor risk assessments that go beyond an individual product’s cybersecurity protections and holistically look at the vendor’s cyber capabilities to ensure they do not create an unacceptable potential for business disruption. In addition, end customers are mandating that all devices on their networks are held to the same high cybersecurity standards, including patches for any known vulnerabilities at regular time intervals.”
And as physical security devices become more entrenched within a business’s overall technology solution, the IT departments of those businesses are growing more involved with security issues, says David Brent, senior cyber data technical trainer at Bosch Security and Safety Systems, Fairport, N.Y. “IT departments are becoming more interested in the video systems that hang on their network as IoT devices in their facilities,” he says. “In some cases there is a tug of war between the security department and IT. Security is trying to implement IT policies on old devices that don’t support the requirements, yet there is no budget to replace hundreds of cameras. If the budget is available, there is often air gapping or rip and replace of older systems.”
In spite of these internal conflicts, increased cooperation between IT and security can only help increase an organization’s cybersecurity. “IT departments are now realizing that they have hundreds of IoT devices on their network that can be used as attack platforms for lateral movement,” Brent adds. “They are becoming involved in the decisions made, as they pertain to security and surveillance devices. This trend started a few years back, but it is becoming more prevalent, which is a good thing.”
Shifting Standards
Although specific cybersecurity standards for the physical security industry have been slow to evolve, they are developing, especially on the government side, says Ryan Zatolokin of Axis Communications.
Action has been taken on the policy level through mandates from the U.S. government, such as the National Defense Authorization Act, California SB 327 (which protects devices that are sold or offered for sale in California), and President Biden’s recent executive order on Improving the Nation’s Cybersecurity. These mandates include dictating where the device and its components are manufactured, requiring users to change a device’s password at first login and keeping more detailed logs in the device.
Probably the best-known standard is FIPS 140-3, the National Institute of Standards and Technology (NIST)’s latest benchmark for validating the effectiveness of cryptographic hardware, says David Brent of Bosch. Products with a FIPS 140-3 certificate have been tested and formally validated by the U.S. and Canadian governments.
Additionally, a new Security Technical Information Guide (STIG) benchmark for Windows Server 2019 makes it FIPS compliant, he added.
Mathieu Chevalier of Genetec points out that there are many regional standards for the U.K., Australia and North America, but, “There are so many standards it’s hard to tell what is good. … Everyone wants their own flavor and we have limited resources and have to choose which makes sense for us to do.” He’s optimistic that these standards will eventually consolidate and boil down to a handful that will be commonly accepted. “We see this in the cloud like ISO and SOC for cloud products, but in general for physical security, while there are some emerging standards for physical security, they are still young in maturity.”
Greg Tomasko of Honeywell adds, “In recent years standardized certifications have been gaining traction across organizations. The advantage of external agency certifications is that they establish an industry standard that helps create more informed customers and responsible manufacturers. As a whole, the industry is becoming more secure, which has helped address issues. Peer companies, our competitors — we’ve come together and created alliances like the ISA Global Cybersecurity Alliance, of which Honeywell is one of the founding members, to help drive better security in industries such as this. Security is a responsibility, not just a ‘nice to have’ feature.”
Targeting the Weakest Links
While specific strains of cyber liability may come and go, some forms of cyber risk remain the same — and the main cause of hacks boils down to human vulnerability.
When asked about the biggest threats to cybersecurity, Josh Cummings, executive vice president, technology, at Paladin Technologies, an integrator based in Vancouver, B.C., points to user error. “I would say it is unfortunately us the humans,” he says. “Social engineering is still a major challenge that we have to train against and bring awareness to.”
Brent agrees. “The weakest part of any computer system is the human at the keyboard — either from social engineering via OSINT (open-source intelligence), bribery, burglary, blackmail, etc.”
Good cyber hygiene starts with the simple basic of maintaining unique, complex and regularly updated passwords. “When working to minimize cybersecurity risks to video surveillance systems, the most important factor is limiting the spread of passwords,” Zatolokin says. More organizations are requiring users to use a VMS or device management platform that supports individual user accounts rather than allowing users to access devices directly, as well as requiring employees to use strong passwords and change them at least once a year, he adds.
Beyond human error, businesses with unsecured configurations that fail to patch systems are also at risk, Cummings says. Keeping systems up to date — including operating systems, firmware, SQL and application updates — can help prevent breaches, he says.
Cummings also reports seeing a rise in certificate-based authentication for cameras, clients and servers, as well as end-to-end encryption of video traffic. And more companies are focused on secure configurations for devices, including disabling ports and services that are not needed, he adds.
“The weakest part of any computer system is the human at the keyboard — either from social engineering via OSINT (open-source intelligence), bribery, burglary, blackmail, etc.”
— David Brent, Bosch Security and Safety Systems
Another way to plug security vulnerabilities is through the cloud, which more customers are accepting than they did in the past, especially since they’re more engaged with common IT practices, says Dean Drako, president and CEO of Eagle Eye Networks, Austin, Texas. “Over the past several years, the physical security buyer has gotten smarter, more in tune with what the IT industry is doing,” he says. Organizations are also demanding more systems audits, penetration testing and certifications for their video surveillance devices, Drako adds. “It’s a way for them to get confidence that the cloud company for the software provider truly takes security seriously,” he says. “There’s increased awareness that cloud security is better than roll-your-own security.”
That’s not to say that video surveillance systems and cameras don’t pose a unique set of vulnerabilities.
“Typically, the biggest sources of cyber risk in a video surveillance system are the cameras themselves,” says Mark LaBua, chief information officer at Pavion, Chantilly, Va. “Cameras provide a significant risk because the default passwords aren’t always changed, and they aren’t segregated. The camera itself tends to have the least amount of security in the system. The network video recorder (NVR) can also be a cyber risk. When the NVR is not behind a professional-grade firewall and the default credentials aren’t changed, they too can pose a significant risk to cyber-attacks.”
“Based on anecdotal experience, customers perceive IP cameras to be biggest risk, so that’s what they look to secure,” says Mathieu Chevalier, principal security architect at Genetec, based in Montreal. But since some end users have thousands of surveillance cameras, “It’s a scale problem to manage,” he says. And because many cameras are located outside of buildings, they can pose an easily accessible target for hackers. For example, the Vercella data breach of 2019 came about through the platform not through surveillance cameras, but because cameras and IoT are now mainstream, they’re top of mind, he adds.
Brent of Bosch points out that the risk to cameras is cross-site script injection attacks due to weak web interfaces, accentuated by the fact that most venders require there to be an open HTTP port. Again, it’s related to NVR vendors using non-encrypted RTSP streams from third-party devices, he points out. “Weaponization of a weak embedded operating system allows BOTS to be loaded that can be used in DDOS attacks,” he says. “While this is an old-school attack, it is used for many purposes, and frequently. If hackers can mount the IoT devices, they may not care about the video, as they now have an IP address and bandwidth.”
Most customers have a variety of cameras from different manufacturers bought over a long time span, Drako says. This disparate array of cameras and software versions can be difficult to keep updated. To address the issue, Eagle Eye developed a system called Cyber Lockdown that isolates cameras from the internet to make sure they’re not compromised. “If they are, we alert the customer, but because they [the cameras] are isolated, it’s almost impossible to compromise them,” he says. “This makes cybersecurity much better for customers.”
Manufacturers have seen a higher interest in standardized certification and Greg Tomasko of Honeywell predicts 2023 will be the year this gains further traction. // IMAGE COURTESY OF HONEYWELL
Manufacturers Rise to the Challenge
Depending on you who talk to, video surveillance manufacturers are either rising to the occasion and addressing cyber risk, or not doing enough to stem the tide of threats.
“I have seen manufacturers and integrators have a higher interest in standardized certification and due to this I think 2023 will be the year this gains further traction,” says Tomasko of Honeywell. “It means having external certification agencies confirm a manufacturer’s own assessment of its cybersecurity protocols.
Knehr of i-PRO agrees. “Manufacturers are taking security seriously,” he says. “Almost every major manufacturer has a cybersecurity section on their website that touts the security features of their products. Cybersecurity features like modern encryption algorithms and secure protocols are becoming the baseline for products instead of the exception.”
“Typically, the biggest sources of cyber risk in a video surveillance system are the cameras themselves”
— Mark LaBua, Pavion
Knehr cites the increased use of distributed computing through containers and virtualization as a way manufacturers are addressing cyber risk. “As consumers demand more analytics from these edge devices, some companies turn to virtual containers to help distribute the processing load across these devices,” he says. “I believe this model will revolutionize what an edge device is capable of. By combining the processing power of all edge devices on a network, analytics are no longer confined to the technical limitations of a single edge device itself.”
Modern encryption algorithms are another important aspect of cyber-risk prevention, Knehr says. However, encryption is only as good as the algorithm it uses. “Sometimes these algorithms become antiquated as attackers figure out ways to decrypt them,” he adds. “Manufacturers must keep up with industry standards to ensure they use the most up-to-date encryption algorithms (see sidebar). I recommend the Federal Information Processing Standards [FIPS] 140 Series for an updated list of compliant algorithms.”
Manufacturers are also offering “bug bounty” programs — rewards for anyone who finds vulnerabilities in their code, Knehr says. These encourage hackers to come to the manufacturer with vulnerabilities instead of releasing them into the wild, which allows manufacturers to correct the issue.
Top Cyber Threats for 2023
Our sources shared what they perceive to be the biggest cyber threats today:
David Brent, Bosch: There are an estimated 300,000 to 500,000 new malware signatures registered every day. … The targets of Advanced Persistent Threat Groups, in some cases, set the trends. These groups are well-staffed with code writers and well-funded. There are also cyber gangs that deal in Ransomware as a Service (RaaS). Groups like Conti offer a playbook on the dark web that include the target and the ransomware package to franchise groups. The answer to these changes daily, but the targets are steady, including power and utility companies, healthcare and financial institutions and government.
Josh Cummings, Paladin: They’re not specific to our industry. Typically, our biggest challenge on the vulnerability side is the use of codes or services that are mainstream and vulnerabilities that are discovered against them. This is inevitable and we have to be diligent in our patching of systems to address the risk.
Mark LaBua, Pavion: Right now there is a growing trend of supply chain cyber-attacks. Instead of attacking customers, cyber criminals are attacking vendors, which in turn gives them access to customer data. There is also a huge focus on unpatched systems. Any system that has a vulnerability that either the customer hasn’t patched, or the vendor hasn’t released a firmware update for is a major target for cyber-attacks. Everyone should review their patching regiment to address this vulnerability.
Will Knehr, i-PRO: If you look at any major research company or government agency for top malware strains, they have been around for years with only minor changes to them. This shows that most people who write malware and commit cyber crimes have an “if it ain’t broke, don’t fix it” mentality. Why worry about writing the next big thing when 8-year-old malware is still raking in the dough? This reveals that people are still being compromised for the same reasons — typically not patching their systems, not enabling multi-factor authentication or having weak passwords, not following best practices, not properly configuring devices, and not properly segmenting their networks. … The botnet Mirai was recently modified to use the Linux kernel on security cameras to hijack those cameras and use them to launch DDoS attacks against targets.
Ryan Zatolokin, Axis Communications: There are not any particular types of malware or ransomware that are especially virulent right now, but it’s important to always remain vigilant and follow best practices in order to stay secure. However, in the past ransomware has been used to compromise VMS platforms, or more specifically the Windows OS those platforms run on, and this should always be taken into account. Keeping systems up to date and following other best practices is the best way to mitigate the risks that are out there and prepare for future threats.
Greg Tomasko, Honeywell: While we often hear about large ransomware or spyware attacks by unknown groups on well-known brands, no one should assume they are not a target of interest. It doesn’t matter that you are more secure than the “person next door.” If you are associated with anything a bad actor could deem “valuable” — personal information of individuals or physical access to a building, for example — you are a potential target. For attacks originating from a nation-state, they will continue their efforts until they are successful. Time and effort are of lesser concern to them than achieving their objective. It is critical to remain ahead of the game and to be actively taking steps to protect your systems and devices and, just as important, to be able to recover from an attack when it occurs. The threat of malware will only continue to grow as we become more and more reliant on connected technology. It’s a case of “when” an attack will occur, not “if.”
Other mitigation steps include code reviews, signed security certificates, and hardening guides containing best practices for deploying and securing devices, he adds. These should cover how to turn on and configure security features to ensure customers get the most out of their devices.
“Manufacturers are now actively involved in promoting secure practices for their equipment,” says LaBua of Pavion. “They have really begun to focus on not only securing the customer sites, but securing the systems that secure the customers’ sites.” He cites the increased use of two-factor authentication and AI to provide alerts when multiple unsuccessful login attempts happen.
Many manufactures have introduced secure development, which allows them to create software using threat modeling, says Zatolokin of Axis. This ensures the software will be secure against certain threats from the beginning and that cybersecurity wasn’t added to the product as an afterthought. Manufactures have also introduced new capabilities such as signed firmware and new hardware capabilities including secure elements and Trusted Platform Modules (TPMs).
“Some (manufacturers) are changing their philosophy to be secure by design, meaning that the system is configured in a way to provide high levels of security right off the bat,” Paladin’s Cummings adds. “If a feature is needed or configuration with less security is desired, that must be enabled. This is in stark contrast to the open by design concept we have been operating from where all features and services are enabled out of the box, and we have to invest extra time and effort to secure the products.”
Other observers think manufacturers can do more. “The industry is improving, but many vendors are in catch-up mode,” Brent says. “From a manufacturer’s standpoint, a few vendors are finally starting to take cybersecurity seriously, at least in some of their products in their portfolios.” He stresses that Bosch has been involved in cybersecurity since 2005, and has provided a “Cyber Security for IP” video certification course since 2016.
Drako breaks manufacturer response to cyber risk into two camps: those that are more attuned to it, and those that aren’t. “Hardware manufacturers’ reaction to cybersecurity in my view has been modest; I don’t think they’ve given it a tremendous amount of attention because most of it falls on the customer,” he says. “I haven’t seen [many] camera manufacturers talk about how they’re running penetration testing from a third party on their cameras to prove they are less vulnerable. On the other hand, cloud providers have been very focused on more penetration testing, more thorough SOC qualifications, and all of these things relate to process and procedure which translates to better cybersecurity.”
Often the biggest sources of cyber risk in a video surveillance system are the cameras themselves because the default passwords aren’t always changed, and they aren’t segregated. // MAXKABAKOV/ISTOCK / GETTY IMAGES PLUS VIA GETTY IMAGE
Tips for Prevention
However vendors are addressing the issue, there are still plenty of things end users and integrators can do to mitigate cyber risk — starting with being proactive.
“Cyber risks should be tackled with an active approach, not a passive one,” says Tomasko of Honeywell. “Customers should ask themselves: Is this product current enough? Are we doing updates daily, weekly and monthly? Do we have a process in place that facilitates updating firmware, passwords and personnel? An adage we use in the industry is that security is only as good as last year’s hacker. If you keep your technology and products up to date, it can help reduce a bad actor’s chances. In the current global climate, many bad actors don’t want to waste too much time trying to access a reasonably well-maintained, cyber-aware network when there are hundreds of thousands of other less secure networks out there. That’s why we encourage staying as up-to-date as possible to decrease cyber risk.”
Drako stresses the importance of selecting a vendor with a quality cybersecurity history. “If they’ve had breaches and problems, there’s a cultural disrespect for cybersecurity and it will be hard for them to convert and adapt. Cybersecurity mindset comes from the top; you really want to vet your provider for a clean history and make sure the top dogs value cybersecurity.”
Drako also recommends making sure the vendor has certifications, audits and penetration testing, and reports from third parties. “That basically shows that not only are they doing the right thing but they’re willing to let other people test to verify.”
Zatolokin’s top tips for protecting video surveillance systems against cyberattack boil down to three: prevent sharing passwords, always keep software and firmware up to date, and encrypt device communication on the network.
“Additionally, it’s important to be proactive with your device lifecycle planning,” he says. “This includes determining how long a device should be on a network and having a plan in place from the device’s installation to its decommissioning. Typically, we see customers with cyber concerns replace devices every five to seven years, which is a long lifecycle compared to the IT industry. As a result, most customers will have a mix of old and new devices with varying cyber capabilities that need to be maintained.”
Cummings stresses the importance of hardening devices and if possible, avoiding exposing systems to the internet — and if you do, use firewalls and DMZs to protect that hardware from outside attacks.
Reputable manufacturers also provide hardening guides, which integrators should use to configure the devices in accordance with best practices and update the firmware and software on these devices as required, Knehr says.
And LaBua says that utilizing a VLAN (virtual local area network) should be the absolute minimum to protect against cyber breaches, with a separate physical switch to physically segregate the traffic preferable. Additionally, users should consistently patch and install firmware updates, especially if any devices are running on any kind of Windows platform. And regularly monitoring the Syslog for any abnormalities is a must.
Finally, “Talk to the IT department about what they currently expect from a security standpoint, and what they will want in the future to ensure purchases will meet their requirements,” Brent says.
