Don’t Be an Ostrich about Cybersecurity

Sept. 8, 2017
Your IP video could be a network gateway

Your video surveillance system protects your property. But what protects your surveillance system? So many security people focus on the benefits of new camera features that they often overlook today’s reality: not all intruders come through the front door.

We all have to come to grips with the fact that IP surveillance isn’t just about physical security anymore. Cybersecurity plays a major role as well.

The latest HDTV and higher resolution cameras, cameras with wide dynamic range and PTZ cameras with automatic tracking, and cameras with electronic image stabilization will deliver forensic quality details. Thermal cameras, network radar, and video analytics are great early warning devices. Active tampering alarms can alert operators that something is obstructing a camera’s view. And all of these tools are great for catching breaches in the physical realm.

But how can you be sure that your IP video system hasn’t become a gateway for hackers to penetrate your cyber realm?

In this era of the Internet of Things, the push for network accessibility opens the door for opportunistic and targeted attacks. If you think that network video systems are somehow immune to the problem of cybersecurity, let me disabuse you of that notion. Malware can infect any unprotected network surveillance device – from cameras and video recorders to routers, video management systems and servers. And once there, it’s an easy jump to the IT network and into the company’s valuable digital assets.

Change Default Settings

Ignoring the danger won’t make it disappear. But addressing the problem isn’t as difficult as you might think. Sometimes the fix can be as simple as changing manufacturers’ default usernames and passwords for a device. Hackers think of default settings as low hanging fruit. So don’t become easy pickings. Change those default settings into something stronger before the device goes live.

Reduce Your Surface Area for Attack

Oftentimes devices come preconfigured with protocols and services that you don’t need or use. Be sure to disable and/or remove them if you’re not going to use them. Also, keep an accurate inventory of the surveillance devices you have on your network. If you don’t know what’s there, how can you update it with the latest security measures? The goal of all this is to reduce your surface area for potential attack.
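A minimal sketch of the inventory check described above, added here as an illustration and not part of the original article: it compares an approved device inventory with what is actually enabled on the surveillance network and reports default credentials, unneeded services and unlisted devices. The device names, addresses, field names and the `audit` function are all assumptions made up for the example.

```python
"""Audit a surveillance device inventory against what is seen on the network."""

# Constructed sample data: the approved inventory, keyed by IP address.
# "needed" lists the only services each device should expose.
INVENTORY = {
    "10.20.0.11": {"name": "cam-lobby-01", "needed": {"https", "rtsp"},
                   "default_password_changed": True},
    "10.20.0.12": {"name": "cam-dock-02", "needed": {"https", "rtsp"},
                   "default_password_changed": False},
    "10.20.0.20": {"name": "nvr-01", "needed": {"https"},
                   "default_password_changed": True},
}

# Constructed sample data: services found enabled on each address during
# an authorized survey of the surveillance network.
OBSERVED = {
    "10.20.0.11": {"https", "rtsp"},
    "10.20.0.12": {"https", "rtsp", "telnet", "ftp"},
    "10.20.0.99": {"http"},
}

def audit(inventory, observed):
    """Return (ip, issue) findings, ordered by address."""
    findings = []
    for ip in sorted(set(inventory) | set(observed)):
        if ip not in inventory:
            # A device nobody recorded cannot be patched or hardened.
            findings.append((ip, "on network but not in inventory"))
            continue
        device = inventory[ip]
        if not device["default_password_changed"]:
            findings.append((ip, "default credentials still set"))
        if ip not in observed:
            findings.append((ip, "in inventory but not seen on network"))
            continue
        # Anything enabled beyond the needed set is extra attack surface.
        for service in sorted(observed[ip] - device["needed"]):
            findings.append((ip, f"unneeded service enabled: {service}"))
    return findings

if __name__ == "__main__":
    for ip, issue in audit(INVENTORY, OBSERVED):
        print(f"{ip:<12} {issue}")
```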

Check Your Audit Logs Regularly

If you think retrieving system reports or audit logs should only be a priority when there’s an incident, think again. It’s important to review logs on a regular basis because they might reveal whether there have been any failed attempts to breach, which may help you prepare to fend off a full-blown attack.
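As an added illustration (not from the original article), the routine log review described above can be partly automated: the sketch below flags a source that fails to log in repeatedly within a short window, and a success that follows such a burst. The log format, device names, addresses, threshold and the `review` function are assumptions; real devices log in their own formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical format:
# timestamp, device, "auth", result, user, source address.
SAMPLE_LOG = """\
2017-09-01T02:14:03 cam-dock-02 auth FAIL user=root src=10.20.0.99
2017-09-01T02:14:05 cam-dock-02 auth FAIL user=admin src=10.20.0.99
2017-09-01T02:14:09 cam-dock-02 auth FAIL user=admin src=10.20.0.99
2017-09-01T02:14:12 cam-dock-02 auth OK user=admin src=10.20.0.99
2017-09-01T08:30:41 nvr-01 auth FAIL user=operator src=10.10.5.23
2017-09-01T08:30:55 nvr-01 auth OK user=operator src=10.10.5.23
"""

LINE = re.compile(r"(\S+) (\S+) auth (FAIL|OK) user=(\S+) src=(\S+)")

def review(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (device, src, reason) alerts for bursts of failed logins."""
    recent = defaultdict(list)  # (device, src) -> recent failure times
    alerts = []
    for line in log_text.splitlines():
        match = LINE.fullmatch(line.strip())
        if not match:
            continue  # not an authentication record
        ts, device, result, user, src = match.groups()
        when = datetime.fromisoformat(ts)
        key = (device, src)
        # Forget failures that fell out of the time window.
        recent[key] = [t for t in recent[key] if when - t <= window]
        if result == "FAIL":
            recent[key].append(when)
            if len(recent[key]) == threshold:
                alerts.append((device, src, "repeated failed logins"))
        else:
            # A success right after a burst deserves a closer look.
            if len(recent[key]) >= threshold:
                alerts.append(
                    (device, src, f"login as {user} succeeded after failures"))
            recent[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert, sep="  ")
```

A single mistyped password followed by a success, like the `nvr-01` lines in the sample, stays below the threshold and raises no alert.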

Lock Down Multiple Devices at Once

Cybersecurity features are inherent in most IP surveillance products on the market today. But they have to be configured one device at a time. For enterprise-sized video systems, the time and resources to do that become prohibitive. So security departments have tended to be less than diligent about turning those features on. Yet this hardening of devices is exactly what’s needed to prevent their exploitation as conduits into the network.

Not to worry, help is on the way. New mass-configuration tools are now coming onto the market to address that scaling issue. They’re designed to make it easy to lock down multiple devices simultaneously. What may have taken days or weeks before can now be done in a matter of hours. With a few keystrokes, security can align their video systems and devices to the same rigorous corporate cybersecurity standards adopted by their IT counterparts.

Some of those cyber protection features include:

  • 802.1x network port-based security. This digital certificate-based service protects the network by authenticating the devices connected to it. For example, if you had an outside camera with 802.1x and someone removed the camera and attached a laptop into that same network port, that laptop couldn’t get into the network because it would lack the 802.1x certificate needed for network authentication.
  • SRTP encryption. Secure Real-Time Transport Protocol or Secure RTP is the newest encryption protocol on the horizon for IP Video Surveillance. While SRTP has been used for years to provide encryption on VoIP networks, it is quickly gaining traction in the IP video surveillance world. SRTP is an extension to RTP (Real-Time Transport Protocol) that incorporates enhanced security features. It is specifically designed to maintain a secure data connection between surveillance devices such as IP cameras and the video management system. When SRTP is used to encrypt the video stream it also automatically encrypts all data communications between the server and the endpoint. SRTP has the added benefit of working in both unicast and multicast environments.
  • HTTPS encryption. This is also a digital certificate-based service. It encrypts any data communications that you’re transmitting across the network. It’s similar to the way online banking and online shopping sites protect your transaction data. HTTPS works in layers giving you different configuration options depending on what you want to encrypt: commands, metadata, audio files, video files, etc.

Follow System Management Best Practices

Cyber threats continue to evolve and so should your cybersecurity practices. Cybersecurity isn’t a one-and-done operation. It needs to be constantly managed to reflect current risk assessments. But sometimes the hardest thing to do is take that first step. So where should you begin?

  • Use strong passwords. This is something I mentioned earlier. Bad passwords or default passwords represent a constant threat to cybersecurity. Users need to balance their ability to remember a password against the ease with which it can be guessed or cracked using a brute-force attack. The strongest passwords are those that combine numbers, upper and lowercase letters as well as special characters.
  • Isolate your surveillance system. Put your surveillance network behind a firewall so that the devices aren’t directly exposed to the Internet. Also, consider segmenting your IP surveillance system from your production network to prevent hackers or even unauthorized employees from jumping from one network to another.
  • Keep firmware, software and patches up-to-date. Institute a regular maintenance schedule to ensure that all components of the system are operating under the most current version of firmware, software and malware protection. Many manufacturers automatically send alerts out letting you know when updates are available. And with these new mass configuration tools, you can make these wholesale changes across the entire IP surveillance system at once.

Choose Partners Committed to Cybersecurity

Speaking of manufacturers, it’s important to vet your partners to assess their commitment to providing products and services that will help to enhance your system’s cybersecurity. Things to look for include:

  • Honesty about vulnerabilities. Historically, has the company been upfront about cybersecurity issues with its products? Has it been quick to apprise customers of problems and provide solutions to correct the vulnerability?
  • Security-conscious about software development. Does the company participate in cybersecurity forums and professional organizations to keep abreast of evolving cyber threats? Does the company focus sufficient resources on designing and testing the cybersecurity of its firmware and software before they’re released to the market? Does it validate that its cybersecurity measures won’t introduce new vulnerabilities into other vendors’ products on the network or within the surveillance system?
  • Timely patches and updates. How quickly does the company distribute patches and updates when vulnerabilities are discovered? Do they have an automated alert system to notify you when the most recent updates become available?
  • Regular maintenance and upgrading cycles. Does the company provide management tools to help you with ongoing maintenance and version control of your devices’ firmware and cybersecurity features?

Denial Won’t Make it Go Away

Let’s be honest. Nothing that you do is going to make your surveillance system 100 percent cyber secure. But if you act like an ostrich with your head in the sand and do absolutely nothing, you’re going to present an easier target than the next guy. And that means you’re probably going to get hacked. And worse still, you probably won’t even know it.

So you need to start somewhere, even if it’s just something simple like mandating stronger user passwords. Once you’ve taken that first step, going forward will get easier. New time-and-resource-saving mass-configuration tools will help you implement cybersecurity features quickly across your surveillance network devices. Partnering with manufacturers who employ best practices in developing and maintaining cyber secure products and services will also help you reduce your vulnerability to attack. And look to your IT counterparts for guidance and security policies that will help you make your surveillance system as strong in the cyber realm as it is in the physical realm.

About the author: Ryan Zatolokin is the senior technologist for the business development team of Axis Communications. His primary focus is cybersecurity as well as positioning and promoting Axis technology in conjunction with the hardware and software technologies of ecosystem partners. Ryan joined Axis in 2011 as a field sales engineer, bringing more than a decade of experience in network engineering on the systems integrator side of the industry.