As evidenced by the steady stream of news about data breaches coming from companies large and small, cyber crime has become a very real problem in the world today. Given the convergence of video surveillance technologies with other security and non-security solutions, securing the products that make up these systems has become a priority for manufacturers, integrators and end users.
“With video security, the convergence of video and data such as analytics and biometrics makes it an even more attractive target for criminals. Therefore, the need to effectively detect and prevent cyber crime is even more pressing,” says James Hoang, partnering and integration manager, Speco Technologies, Amityville, N.Y.
The high profile of cyber breaches has created a culture in which device manufacturers, particularly those in the security industry, are making concerted efforts to prevent their products from becoming the “back door” that allows hackers to access customers’ networks — and the sensitive data therein.
“Cyber security awareness has had a positive impact on the industry at large, including how we put our own products through the paces to ensure that by the time it gets to the end user, it is indeed cyber secure,” says Fredrik Wallberg, director of marketing – security and ITS, FLIR, Wilsonville, Ore. “The fact that cyber security is now starting to become part of the spec has ensured that manufacturers, including us, have really had to address cyber security in a much greater sense.”
However, there’s a hidden challenge as a result of the growing cyber attack risk and the precautions needed to address it, says Jeff Whitney, vice president of marketing, Arecont Vision Costar, Glendale, Calif.
“Security manufacturers can’t make their platforms so secure that they become too difficult to manage and use, or that greatly limit the many benefits of IP networking and remote access via the cloud,” he says. “Customers either won’t select those platforms that are so secure that they are difficult to use, or they will find ways to bypass the intended safeguards.”
This requires balancing an acceptable level of cyber security with simplicity of use, system reliability, expandability, affordability, interoperability and ease of administration, with the importance of each of these factors varying from end user to end user.
When it comes to cyber security, the most basic tool is password protection. However, all too often the default passwords go unchanged, which is why many manufacturers have incorporated measures to keep this from happening.
“We have installed some features within our cameras like making sure the customer has to change the password,” Wallberg says. “There’s an admin password that can be very simple to guess, so instead of letting the customer decide whether or not they want to change [it], we’ve mandated it.”
But simply changing the password isn’t always enough, given people’s tendency to choose passwords that are easy to remember — and therefore easier to crack.
“We force an integrator to set a complex password during installation,” says Aaron Saks, product and technical manager, Hanwha Techwin America, Ridgefield Park, N.J. “We want to make sure that products that are being put in the field never have a default password or a dummy password like 12345. So we … require it to be a complex password — numbers, letters, uppercase, lowercase, special characters, things like that.”
Encryption goes hand-in-hand with password protection; its job is to ensure that the transfer of video and data from a device to the headend is secure. According to Whitney, NIST-compliant data encryption must be provided along with password protection for accessing video, to ensure appropriate access.
“Each local VMS or NVR system must establish a trusted outbound connection to the cloud storage platform,” he says. “This eliminates a major potential network vulnerability by eliminating the need for any open ports through the network firewall.”
To provide this high-level encryption, many companies go to great lengths to protect video and data at every step of the surveillance system.
“Our system approach is the key to achieving the highest standards in end-to-end data security,” says Paul Garms, director of regional marketing, Bosch Security and Safety Systems, Fairport, N.Y. “For example, we create trust by assigning every component in the network an authentication key and secure data from hackers by encrypting it at the hardware level using a cryptographic key that is stored in a unique built-in trusted platform module (TPM). We also offer easy ways to manage user access rights, can support the set-up of a public key infrastructure, and more.”
Protecting the integrity of video streams is important, especially when that video is needed for evidentiary purposes. Working with threat protection provider DigiCert, Panasonic combines reliable certificates and technology for detecting and analyzing cyber attacks with its in-house embedded cryptography technology to deliver data and communication encryption as well as verification.
“Video leakage is prevented, as the encrypted video data is transferred using a secure channel with our recorders,” says Shawn Kermani, product marketing, Panasonic Security Group, Newark, N.J. “Data is secured by using certification and hash value, which can detect video alteration and confirm which camera has created the video.”
In an ideal world, cyber security would be a “set it and forget it” proposition. But because this is far from a perfect world, the software running devices has to be updated periodically to ensure protection against cyber threats.
“No device should ever be connected to the network unless the manufacturer commits to providing easy-to-implement updates to the product firmware,” Whitney says. “Many IoT devices today are simply unable to be updated to address a security issue once identified, thus becoming a point of attack for those with malicious intent.”
As is the case with communication, firmware should also be encrypted. Like many manufacturers, Hanwha takes measures to protect its firmware from tampering.
“For all of our products, we want to make sure the file people are installing has not been hacked or maliciously messed around with, so we use encryption on all our firmware for all of our products,” Saks says.
Testing & Re-testing
The cyber threat landscape is constantly evolving, and while most companies try to stay up to date on vulnerabilities and other factors, hackers are constantly working to stay one step ahead. To address this, many manufacturers employ penetration testing, whether conducted in-house or by a third-party provider.
“We work with a dozen third-party security service companies to provide more robust and secure products,” says Tim Shen, director of marketing, Dahua Technology USA, Irvine, Calif. “Through our collaboration with these companies, system scans, protocol fuzz testing, penetration testing, and threat modelling are used to help discover and close vulnerabilities.”
Instead of ignoring so-called “ethical hackers,” FLIR embraces and works closely with these types, who try to find any bugs, leaks or vulnerabilities in the company’s products.
“We’re working with a few of these people to ensure that if there’s any way to get in, if there are any vulnerabilities in terms of cyber security, or if there are any patches that need to be made before general availability, we can take care of those in the R&D and beta phase,” Wallberg says.
MOBOTIX is another manufacturer that has gone this route to stay ahead of potential threats.
“We cooperate with other third-party white hat hacker companies that are skilled at cyber attacks,” says Thomas Dieregsweiler, head of product management, MOBOTIX, Langmeil, Germany. “If they find any areas of vulnerability, they forward any potential security leakage to MOBOTIX in order to stay proactive and ahead of large threats.”
Hanwha brings in third-party testers early in the product launch process in an effort to deliver the most secure products possible. “They look at our products and our code to identify vulnerabilities and look for issues,” Saks says. “When we release a product, there’s time to mitigate any issues so it will be a secure product when it hits the market.”
End User & Integrator Resources
Regardless of how stringent the cyber security features of a product may be, it’s still important for not only integrators but also end users to take an active role in the process.
“End users also play a critical role in cyber security by adopting strong network security protocols with appropriate security configurations and adhering to best practices like strong passwords and installing all necessary software updates in a timely manner,” says Jeremy Kimbler, video global product management director, Honeywell Commercial Security, Melville, N.Y.
That’s why one of the most common steps manufacturers have taken is providing resources for integrators and end users, such as a cyber-hardening guide that provides best practices for ensuring solutions are protected.
“These guides provide a baseline configuration for dealing with the changing threat landscape, and the installer’s job is to match what’s in the document with an end user’s cyber security policy,” says Wayne Dorris, business development manager, cyber security, Axis Communications, Chelmsford, Mass. “A solid, written cyber security policy is key to helping mitigate risk and using security controls to alleviate any other threats with cameras and devices being on the network.”
When putting together cyber hardening guides and other resources, manufacturers have to consider a wide range of potential issues. However, that doesn’t mean that every practice outlined in these resources applies to every end user.
“There is no letter of the law, no one single way to do cyber security, but there are best practices everyone can follow to improve cyber security,” Wallberg says. “That’s why we have created best practices for cyber hardening, which comes with every single one of our products that goes out.”
In addition to publishing white papers and hardening guides on its website, Hanwha provides webinars and also speaks about cyber security at industry events.
“We’re always talking about cyber security. That way it stays fresh in people’s minds and isn’t just a ‘We learned about that once and we never talked about it again,’” Saks says.