Securing VMS Against Cyber Attacks
For security integrators, an ounce of prevention can go a long way
Cyber security in everyday life has become a major concern for virtually anyone who has a device connected to the Internet. The list of networked devices continues to grow, creating ever more opportunities for would-be attackers to gain access to networks. In the security industry, where IP-based solutions have become the norm, this is particularly pertinent, meaning security integrators have to stay on top of the issue, especially when it comes to securing video management systems (VMS).
“Cyber security is a complex topic, and it’s essential that the system integrator understands the context of the topic and is able to technically implement and configure it,” says Mario Verhaeg, product manager for video management solutions, Bosch Security and Safety Systems, Fairport, N.Y. “This will only work if the end user, integrator and manufacturers all do their part.”
Encryption protocols are often deployed as the main line of defense in many solutions. While encryption is certainly important, protecting a VMS and the systems around it requires more than that.
“Encryption is seen as the holy grail of security, but it’s really only part of it,” Verhaeg says. “It all comes down to the quality of the software and how the manufacturer’s engineering processes regarding security are working. Just slapping encryption — a hardened communication tunnel — on a product doesn’t help if both the entry and exit points of the tunnel are unsecured.”
While it may be tempting to assume that VMS solutions come equipped with the latest cyber security technologies, there’s always a danger in making assumptions. Instead, it’s up to security integrators to take steps to verify that the solutions they deploy are as secure as possible.
“An integrator’s job is to implement and deploy best practices. The video surveillance system is only as secure as the best practices utilized and implemented by the integrator,” says Kyrillos Mossad, partner relation and integration manager, Hanwha Techwin America, Ridgefield Park, N.J. “There should be some awareness of the types of vulnerabilities and exploits that are out there. If you’re not aware of what’s out there, you won’t know that it exists enough to stop it. So training and awareness is first and foremost.”
For VMS cyber security, integrators must serve as a trusted source of knowledge to supplement their customers’ in-house staff.
“In many cases the customer is looking toward the integrator, even though they may have resources internally, such as their own IT department. They still want someone who can bring the perspective from the operational technology side,” says Jon Williamson, product manager, cyber protection, Johnson Controls, Westford, Mass. “In some cases, when the conversation becomes more advanced, they can bring in experts if they can’t address those issues directly themselves.”
Ensuring the cyber security of an end user’s VMS begins long before the solution is deployed or even evaluated. Knowledge, Verhaeg says, is the key.
“They should start getting familiar with the technologies, know what certificates are doing, and how this all works together,” he says. “With cyber security, it will be even more crucial than before that integrators make themselves aware of what, for example, Microsoft and the network manufacturers like Cisco and Juniper are offering in this area, and how it relates to the VMS.”
When it comes to specific actions security integrators need to take, the first step in securing a customer's VMS is to evaluate candidate solutions the same way service providers are vetted in other industries.
“In cloud computing and software as a service, organizations have adopted the habit of properly vetting their cloud service providers and asking them a bunch of questions with respect to how they manage security, how they vet access control systems, how they code properly. There are a whole bunch of questions both on the technology side and on the people and processes side,” says Christian Morin, vice president, cloud services and chief security officer, Genetec, Montreal. “This is the type of approach in terms of vendor risk assessment that end users and integrators need to do a much better job of.”
Manufacturers can be extremely helpful in the evaluation process.
“Integrators need to make sure they work with manufacturers that understand cyber security. It’s important that when manufacturers are developing products they incorporate cyber security into the entire product development life cycle,” says Kristy Dunchak, senior director of converged solutions, security products, Johnson Controls. “It’s also important to make sure they work with product manufacturers that have cyber security programs with a cyber mindset instead of taking a ‘prepare for today and to react to tomorrow’ approach or they could introduce risk into the customer site.”
In fact, one of the best cyber security resources for integrators is something that comes directly from the manufacturers themselves. A hardening guide provides a wealth of information that will help an integrator go through the necessary processes to ensure their customers’ VMS are secured.
“Review the manufacturer’s hardening guide to make sure the manufacturer provides guidelines about the security settings,” Dunchak says. “Integrators should also look and understand the features and characteristics of each product to understand the potential risks and threat vectors.”
One mistake people tend to make is adopting a false sense of security that VMS and other software and systems are protected from vulnerabilities so long as they are not connected to the Internet.
“There are still a lot of myths out there. For example, they think that if a system is not connected to the Internet, cyber hardening guidelines don’t matter. That is totally preposterous,” Morin exclaims. “Somebody could just pop in a USB key and compromise your system because you’re not installing anti-malware and you’re not patching your system and so forth. There are still some myths out there because of this general lack of awareness.”
The Risk of Convenience
When it comes to installation, many products are touted as being plug-and-play, which can reduce the time and expense associated with deployment and configuration. However, this has created a tendency to assume that plug-and-play means that all the necessary default settings have been updated to ensure a VMS has the strongest cyber security settings — which may or may not be the case.
“When an integrator takes the product out of the box they can’t assume the product is secure by default. There are usually additional steps to follow because there are variances in how each customer will use the product,” Williamson says. “For example, one step an integrator will need to take is to create a complex password, not a two- or four-character password. There is a reason behind it and integrators need to understand that. Also, you might encrypt the connection and also separate roles and privileges so you don’t give full admin access to someone and you need to make sure account access is not shared. With shared user accounts you don’t know who made changes to the system or configured the system.”
That’s not to say that plug-and-play is inherently bad. Solutions just need to balance convenience with security.
“The downside to more efficiency and more convenience is lower security. Herein lies the challenge: basically ensuring that it’s as plug-and-play as possible but as secure as possible and finding that balance,” Morin says.
There are many technologies available for securing VMS and other systems, but it’s important that integrators don’t put the cart before the horse.
“Our industry suffers a lot from the basics not being done. So before you do the advanced stuff, you need to get your basics straight,” Morin says.
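The out-of-the-box checks described in this section (default and short passwords, unencrypted connections, full admin rights handed out broadly, shared accounts) can be turned into a repeatable post-install audit. The script below is an added example written for this article and is not code from any VMS vendor or from the people quoted. It assumes a hypothetical JSON configuration export with `settings`, `accounts` and recent `logins` fields; those field names and both sample exports are constructed for illustration and do not match any real product's schema. A weak, untouched install is shown beside a hardened one.

```python
"""Post-install hardening audit of a VMS configuration export.

Added example, not vendor code. The export format is an assumption
(hypothetical field names); the sample data is constructed.
"""
import json
from collections import defaultdict

MIN_PASSWORD_LENGTH = 12          # policy value, an assumption for this example
BUILT_IN_ADMIN = "admin"          # only this account is expected to hold the admin role

# Constructed export: a fresh install where the integrator changed nothing.
WEAK_EXPORT = json.dumps({
    "settings": {"camera_control_scheme": "http", "client_tls_required": False},
    "accounts": [
        {"user": "admin", "role": "admin", "password_length": 4, "default_password": True},
        {"user": "operator", "role": "admin", "password_length": 16, "default_password": False},
        {"user": "jdoe", "role": "viewer", "password_length": 14, "default_password": False},
    ],
    # One generic account logging in from several workstations is the
    # signature of a shared account: nobody can say who made a change.
    "logins": [
        {"user": "operator", "src": "10.1.1.10"},
        {"user": "operator", "src": "10.1.1.11"},
        {"user": "operator", "src": "10.1.1.12"},
        {"user": "jdoe", "src": "10.1.1.20"},
    ],
})

# Constructed export: the same system after the hardening steps were applied.
HARDENED_EXPORT = json.dumps({
    "settings": {"camera_control_scheme": "https", "client_tls_required": True},
    "accounts": [
        {"user": "admin", "role": "admin", "password_length": 24, "default_password": False},
        {"user": "asmith", "role": "operator", "password_length": 16, "default_password": False},
        {"user": "jdoe", "role": "viewer", "password_length": 14, "default_password": False},
    ],
    "logins": [
        {"user": "asmith", "src": "10.1.1.10"},
        {"user": "jdoe", "src": "10.1.1.20"},
    ],
})


def audit(export_json: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = json.loads(export_json)
    findings = []

    # 1. Transport: camera control and client sessions must be encrypted.
    s = cfg["settings"]
    if s.get("camera_control_scheme") != "https":
        findings.append("camera control channel is not HTTPS")
    if not s.get("client_tls_required"):
        findings.append("client connections do not require TLS")

    # 2. Accounts: default credentials, short passwords, excess admin rights.
    for a in cfg["accounts"]:
        if a.get("default_password"):
            findings.append(f"{a['user']}: default password still set")
        if a["password_length"] < MIN_PASSWORD_LENGTH:
            findings.append(f"{a['user']}: password shorter than {MIN_PASSWORD_LENGTH}")
        if a["role"] == "admin" and a["user"] != BUILT_IN_ADMIN:
            findings.append(f"{a['user']}: holds full admin role, apply least privilege")

    # 3. Shared accounts: one username seen from several source hosts.
    sources = defaultdict(set)
    for entry in cfg["logins"]:
        sources[entry["user"]].add(entry["src"])
    for user, srcs in sources.items():
        if len(srcs) > 1:
            findings.append(f"{user}: logins from {len(srcs)} hosts, likely shared account")

    return findings


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {name} ==")
        for f in audit(export) or ["no findings"]:
            print(" -", f)
```

The shared-account heuristic is deliberately simple: it only looks at distinct source hosts per username, so a legitimate user who roams between two workstations will show up and needs a human to confirm. That is acceptable for a hand-over checklist, where a false positive costs a question and a miss costs accountability.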
Ongoing Maintenance & Updates
Once a solution is deployed, it’s important to make sure the software is continually updated and patched to address cyber security vulnerabilities. Too often, Morin says, this is not the case.
“There’s this ‘set and forget’ attitude where I’m building a building and with all the other systems I’m putting a security system in place for doors, for video surveillance so I contract that out and put my system in place,” he says. “Then there’s always this budgetary constraint or this desire to keep operating expenses as low as possible, so people don’t give the TLC that’s required for these systems to maintain them all the time. You get systems that are multiple years old and have never been maintained.”
In these scenarios, it falls on the security integrator to make sure end users understand the risks of running older, unpatched versions of software.
“The end users are somewhat partly to blame for this, but systems integrators need to do a better job of selling ongoing maintenance. And ongoing maintenance now has a totally different meaning with the current threat landscape from a cyber perspective,” Morin says.
The best way to ensure security of the VMS is to be proactive in updating and patching the software.
“With every piece of software, continuously keeping the software up-to-date ensures that you have the latest security patches. It’s not just a matter of deploying it and letting it run until an issue occurs. It’s a matter of proactively keeping both sides of this surveillance system up-to-date, whether it’s camera firmware or the latest version of the VMS,” Mossad says.
Systems that include multiple generations of products and systems deserve special attention from an ongoing maintenance perspective, as certain devices may no longer be supported by manufacturers, opening the entire system up to potential risk. It’s also worth noting the impact cyber security is having on the useful lifetime of certain technologies.
“Also it’s important to carefully review the systems in buildings and facilities that include multi-generations of products since as they get older they become more difficult to update,” Williamson says. “While a vendor may be willing to patch and update the systems and components there comes a time when it will become too old and offer limited protection when compared to modern features and modern safeguards. Because of cyber security concerns we may see shorter lifecycles of the products.”
While the emphasis here is on VMS, it’s not enough to simply focus on that software solution. Cyber security in a connected world means securing everything that is connected to the network. Any vulnerability within any device or system puts the entire video surveillance ecosystem — and more — at risk.
“Integrators need to think about the whole solution they are providing to the customer outside of just the VMS they are implementing: cameras, networking infrastructure and physical protection of the components and cabling,” Williamson says.
The importance of taking a system-wide approach to cyber security cannot be overstated. Any vulnerability at any point within the system, whether the VMS software, a camera or other device, offers the potential for someone to access the entire network.
“With security in general: the weakest link in the chain decides the security level of the entire system,” Verhaeg says. “Even if the VMS is fully secured, if your password management of network security is not looked at, the level of security of the system would still be low.”
Therefore, it is up to integrators to ensure the security of anything they are deploying.
“Defenders, from a cyber perspective, have to be successful 100 percent of the time versus hackers, who only have to be successful once. The odds are in favor of the hackers by a long shot, so don’t make their lives easier,” Morin says.
When securing a video surveillance system, there are two channels to protect: the command-and-control traffic and the video itself. This means ensuring the VMS talks to cameras over HTTPS or another encrypted channel, while the video stream is protected with SRTP (Secure Real-time Transport Protocol). According to Hanwha Techwin America’s Kyrillos Mossad, these are the two most important cyber security protocols for video surveillance, so it’s important to make sure both are supported when choosing VMS and camera solutions.
“Not all VMS support these types of methods of communication. One thing is to source a VMS that actually does support these encryption methodologies for both command and control and video, as well as sourcing cameras that support them,” he says. “It’s a two-part thing. You can’t just have a VMS that is secure with an insecure camera. Both sides have to be secure and support these protocols.”
Additionally, other protocols can add further layers of security to the system, such as IEEE 802.1X, which authenticates a device before the switch port will carry its traffic and so lets integrators secure the network ports as well.
“If we’re talking about a system from end to end, this would be what bridges the two, your VMS and the camera — the switching and routing hardware,” Mossad says. “Again, both the VMS and the camera need to support this as well.”
The success of ongoing maintenance at heading off cyber-attacks relies heavily on knowing what’s been deployed, including product names and version numbers. That’s why documentation is a vital part of cyber security. After all, you can’t update or patch anything you don’t know has been deployed.
“Systems integrators need to specifically document the systems deployed within each customer site to clearly know which systems are installed at which facilities in case an advisory comes out that a specific product version has a vulnerability that can be exploited and needs a patch,” says Jon Williamson of Johnson Controls. “Not having this information and not being able to clearly and quickly communicate with a customer as to whether there is an issue or not can result in unnecessary concern and worry on the part of the customer.”
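The documentation Williamson describes here, and the proactive patching of both camera firmware and VMS versions that Mossad calls for earlier in the article, only pay off if an inventory can be matched against a vendor advisory quickly and correctly. The script below is an added example written for this article, not a tool from any vendor quoted. The product names, version numbers, advisory ranges and site names are all constructed; a real advisory feed would replace the inline `ADVISORIES` list, and the advisory format itself (an inclusive first affected version and an exclusive fixed-in version) is an assumption for illustration.

```python
"""Match a per-site deployment inventory against vendor advisories.

Added example, not vendor code. Products, versions, sites and
advisories are constructed; the advisory range format is an assumption.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """'2.10.3' -> (2, 10, 3).

    Comparing tuples of integers gets 2.10 > 2.9 right; comparing the raw
    strings would not, and would mis-classify patched systems.
    """
    return tuple(int(p) for p in v.strip().split("."))


@dataclass(frozen=True)
class Deployment:
    site: str
    product: str
    version: str        # empty string means the version was never recorded


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_min: str   # first affected version, inclusive
    fixed_in: str       # first patched version, exclusive

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.affected_min) <= v < parse_version(self.fixed_in)


# Constructed inventory across three customer sites.
INVENTORY = [
    Deployment("HQ", "ExampleVMS", "4.2.1"),
    Deployment("HQ", "ExampleCam-Firmware", "1.9.0"),
    Deployment("Warehouse", "ExampleVMS", "4.10.0"),
    Deployment("Warehouse", "ExampleCam-Firmware", "1.12.3"),
    Deployment("Branch", "ExampleVMS", "3.8.5"),
    Deployment("Branch", "ExampleCam-Firmware", ""),   # undocumented install
]

# Constructed advisories, not real ones.
ADVISORIES = [
    Advisory("ExampleVMS", "4.0.0", "4.3.0"),
    Advisory("ExampleCam-Firmware", "1.0.0", "1.10.0"),
]


def exposed_sites(inventory, advisories) -> dict[str, list[str]]:
    """Return {site: [action, ...]} for every deployment that needs attention.

    A deployment inside an advisory's affected range gets an upgrade action.
    A deployment with no recorded version gets a verification action whenever
    any advisory names its product, because it cannot be cleared from the desk.
    """
    actions: dict[str, list[str]] = {}
    for d in inventory:
        for a in advisories:
            if a.product != d.product:
                continue
            if not d.version:
                msg = f"{d.product}: version not recorded, verify on site"
            elif a.affects(d.version):
                msg = f"{d.product} {d.version} -> upgrade to {a.fixed_in}"
            else:
                continue
            actions.setdefault(d.site, []).append(msg)
    return actions


if __name__ == "__main__":
    for site, todo in exposed_sites(INVENTORY, ADVISORIES).items():
        print(site)
        for item in todo:
            print("  -", item)
```

Run against the constructed data, the Warehouse site is cleared even though its VMS version string "4.10.0" sorts before "4.3.0" alphabetically, which is exactly the mistake a spreadsheet comparison makes. The Branch site's camera firmware is reported as unverifiable rather than silently passed, matching the point that a missing record creates a customer conversation you cannot answer.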