This article originally appeared in the January 2024 issue of Security Business magazine. Don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter if you share it.
Unlike legacy analog CCTV systems, today's IP video surveillance systems feature a variety of technology, such as advanced IP detection cameras, motion sensors, body-worn cameras, NVRs, and card readers, among others, which add to system complexity and broaden the attack surface for cyber criminals.
Once a surveillance system has been hacked, attackers can disable cameras, gain access to live or recorded video that may be disclosed to the public, or inin industrial settings where IT and OT have been converged, hackers can travel between networks to access confidential financial data or invaluable intellectual property.
Ethernet Switches: A Potential Vulnerability
Ethernet switches have long served as the cornerstone of communication networks. Because of their widespread deployment, they are an ideal attack surface for cybercriminals.
Gaining access to local or remote Ethernet switches can give attackers pathways to an entire network segment. Something as simple as an unused port on an Ethernet switch, for instance, can be a gateway to centralized servers, since, while switches may not host data, they do create the infrastructure that provides the transportation highway for that data.
Once penetrated, Ethernet switches can be programmed to offload critical data that can be parsed for sensitive information.
Unfortunately, surveillance systems are not physically isolated from the rest of the network, which means they share an Ethernet switch with the rest of the network. Depending on the network design, surveillance systems are often physically grouped together on the same Ethernet switch as other critical enterprise systems, such as servers, access points, and backup systems.
Even though these systems may be distributed over different logical networks, they still share the same physical Ethernet switch; thus, if an Ethernet switch is compromised, the consequences could be disastrous, with an attacker gaining direct access to other systems due to the infrastructure’s topology.
8 Best Practices for Ethernet Switch Security
Integrators should be mindful for the following switch-specific tips to help minimize the risk of a cyberattack:
1. Disable unused ports to reduce the attack surface: To prevent industrial switches from being hijacked, all unused ports not connecting devices should be disabled. In addition to stopping hacks, disabling ports helps to prevent loops. Another option is to allocate these ports to a VLAN that is not utilized for uplinks to the network's core.
2. Authenticate switch ports: Port authentication is the best defense against malicious use of a data connection to enter the network. Cameras or any connected device should never be able to exchange data with a switch port until the linked device has provided authentication credentials. MAC address filtering links a certain MAC address to a particular switch physical port – in effect, white-listing authorized MAC addresses to the switch. The switch will prevent a device from connecting to the network if it detects a MAC address that is not on the list of permitted addresses.
3. Switch alarm notifications: The industrial switch an integrator installs should include an alarm whenever the condition of a port – whether plugged in or out – changes according to standard network management protocols. Alarms are received and displayed by network management systems, promptly informing staff of any effort to interfere with connections.
4. Disable dynamic trunking: An interface can automatically configure itself as a trunk with its connected neighbor through dynamic trunk negotiation. Cybercriminals take advantage of this feature and build a trunk containing their own unauthorized device. You should specify the roles that are allocated to your ports to avoid this and keep them only as access ports, if possible.
5. Stay diligent with software updates and patches: To address a specific vulnerability, firmware upgrades for your switches may be made available frequently or infrequently. Switches should be registered on the manufacturer's website to receive notifications of all these updates, which need to be downloaded and installed immediately.
6. Adjust passwords and VLANs: Today, almost all cameras sold come with a default username and password. Upon installation, these need to be changed to a much more rigorous password to avoid easy entry by hackers. For additional security on administrator accounts, multi-factor authentication is an excellent move. As with camera password defaults, VLAN 1 is preconfigured on switches as the default VLAN, and every hacker is aware of it. While you cannot delete VLAN 1, an integrator can choose to not use it. Instead, create a new VLAN out of the box. In short, do not use VLAN 1 for anything. It is also a smart move to change the management VLAN to prevent unauthorized parties from obtaining a management connection.
7. Control physical access to the switches: Sometimes the most basic advice is the most useful. Be sure the customer locks up industrial Ethernet switches in a room or closet designated for security – away from employees, customers, or other vendors who may be tempted to meddle with them.
8. Be careful with network drops: A hacker can take advantage of a network drop in a public lobby or empty conference room. Integrators can prevent unauthorized devices from accessing a switch by statically assigning the MAC address of authorized devices to specific switch ports.
Keeping Good Cyber Hygiene
Even the most advanced switch security will not stop malicious attacks. Security is a layered process that is essentially never finished and always evolving. Besides the switch-centric security steps, integrators should be sure their customers follow general cyber best practices for securing a network.
If connected, segment the surveillance network from the corporate IP network, as both a cybersecurity tactic and to prevent it from consuming valuable bandwidth that may prevent employees from accessing resources. Segmenting does not mean creating a new parallel infrastructure, only a subnet that is still consolidated on the main data network.
Segmentation will make it much more difficult for a hacker to gain access to the main network. It also makes certain that the security subnet is routinely subject to the same cybersecurity inspection, monitoring, and updating as the rest of the company's information systems.
The customer should establish procedures for changing passwords frequently and require that the root admin password be changed whenever an employee with password access leaves the company or changes roles.
Finally, the integrator should ensure that all sensitive video data is encrypted and password-protected. Have an administrator test the surveillance network for weaknesses by assuming the role of an attacker to launch various types of attacks. Results can then be audited and, if necessary, policies adjusted for improved risk mitigation. Many of these tests can be conducted manually, while others are best conducted by an outside cybersecurity firm.
Henry Martel is a Field Application Engineer for Antaira Technologies. He has more than 10 years of IT experience along with skills in system administration, network administration, telecommunications, and infrastructure management. Request more info about Antaira at www.securityinfowatch.com/10271760.
