With video surveillance systems becoming increasingly sophisticated and interconnected, they have also become prime targets for cyberattacks. The consequences of a breach can be severe, compromising not only the security of physical spaces but also the privacy and safety of individuals. To mitigate these risks, it is essential to adopt comprehensive cybersecurity measures. This starts with building cybersecurity awareness among all integration team members, ensuring that everyone from top management to technicians understand the potential threats and the best practices to counter them.
Training staff on security protocols is another crucial step. By implementing standardized procedures for handling and securing data, responding to incidents and maintaining system integrity, organizations can significantly reduce vulnerabilities. Furthermore, fostering a culture of security within the organization ensures that cybersecurity becomes a shared responsibility, integrated into daily operations rather than an afterthought.
SDM consulted with over half a dozen manufacturers to explore best practices for developing a robust cybersecurity framework. These experts provide practical advice for security integrators on prioritizing cybersecurity education, fostering a proactive security culture, and better protecting assets to maintain trust in surveillance capabilities.
Tackling Cybersecurity Challenges
Designing and installing video surveillance systems poses several critical cybersecurity challenges for security integrators. According to Dean Drako, CEO and founder of Eagle Eye Systems, Austin, Texas, antiquated systems and human error are among the primary concerns that need addressing. Like any networked device, modern video surveillance equipment is susceptible to hacking, potentially serving as gateways for cybercriminals to infiltrate larger IT networks — a significant security risk. To mitigate this risk, it is essential to ensure that all devices are secure and regularly updated with the latest cybersecurity patches.
Drako emphasizes the prevalence of outdated systems lacking necessary cybersecurity measures within many companies. He points out that cybercriminals are more likely to target these older systems, and integrating them with newer technology can exacerbate security vulnerabilities. He advises integrators to either upgrade these outdated systems or implement robust security measures to address lingering vulnerabilities that have not been adequately mitigated or patched.
“Human error such as weak passwords, incorrect setup and infrequent updates all fall into this category,” Drako says. “In order to reduce the likelihood of malicious or accidental abuse, integrators should make sure that all employees receive proper training on cybersecurity best practices and that systems are set up correctly.”
Will Knehr, senior manager of information assurance and data privacy, iPRO Americas, Houston, agrees that integrating legacy systems with new technologies can lead to vulnerabilities due to incompatibilities and outdated security measures.
“Network vulnerabilities also pose a major risk, as video surveillance systems are often connected to networks, making them susceptible to network-based attacks,” he says. “Additionally, ensuring the security of all devices, including cameras and network video recorders (NVRs), from unauthorized access is crucial.”
Data privacy and protection is another critical area, Knehr continues, requiring measures to protect the integrity and privacy of captured video data. Furthermore, managing and monitoring user access to the system to prevent unauthorized use is a constant challenge that integrators must address.
In most cases, cybersecurity is not written into the specifications for a given project, explains David Brent, senior CyberData technical trainer, Bosch Security and Safety Systems, Fairport, NY. If it is, the installation workforce may not have a working knowledge of cybersecurity, best practices or locking down a system.
“In addition, depending on the specified product and vendor, there may be limited or no additional cybersecurity features beyond password protection,” Brent adds. “If there are features, they may be beyond the scope of the average installation technician.”
Aaron Saks, director of product training, Hanwha Vision America, Teaneck, N.J., highlights a prevalent challenge in system installations — the tendency to prioritize speed over cybersecurity considerations. He emphasizes, “Often, installers rush through projects, leaving cybersecurity as an afterthought, or worse, completely disregarded due to time and cost constraints.”
Moreover, Saks underscores the significance of integrators’ familiarity with a brand’s cybersecurity features. “If integrators are unfamiliar with a brand’s cybersecurity practices, they may not optimize the system’s capabilities or implement best practices,” he explains.
Cybersecurity, with all of its various elements, is complex enough. On top of that, regulatory and compliance challenges are large, growing and contributing to the complexity. Cybersecurity standards and regulations are formed to serve as a guideline, or minimum baseline, for the protection of physical security devices attached to the network. After landmark events like the Mirai botnet, NotPetya, and SolarWinds breach, it’s common for regulatory agencies worldwide to draft standards and regulations in order to prevent these types of large-scale attacks from happening again. The result is a growing list of measures that must be adhered to. Here are some key areas to be aware of:
CONSIDER THE LEGISLATIVE PROCESS AND GOVERNING BODIES — Despite ongoing efforts, it’s important to understand that the legislation process takes time, so existing standards and certifications are usually not current with the cybersecurity threat landscape. Additionally, it’s important to remember that there are different standards and certification organizations across the globe. And, while oftentimes there are some commonalities among them, there can also be stark differences. Some organizations are more device-centric like the European Telecommunications Standards Institute (ETSI) and their standards like ETSI EN 303 645, which focuses on consumer IoT devices. Other organizations are more company and enterprise focused like the EU’s Network and Information Security (NIS) and its NIS 2 directive which aims to improve the overall security of network and information systems.
KNOW INDUSTRY-SPECIFIC REGULATIONS AND TAKE A SYSTEMATIC APPROACH — There are also cybersecurity regulations specific to industry verticals like the Payment Card Industry’s Data Security Standard (PCI-DSS); the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards (NERC/CIP); and of course healthcare’s Health Insurance Portability and Accountability Act (HIPPA) and Health information Technology for Economic and Clinical Health (HITECH), along with others.
It can be very difficult for an enterprise to map all of the specific global requirements as they plan to implement network video surveillance. The best practice is to start by helping them examine all of the external cybersecurity requirements, followed by those needed for statutory or contractual obligations. This approach helps to build a baseline for external requirements. From there, a company can build internal governance on top of this baseline in order to add controls and mitigations that go beyond foundational requirements in order to better protect their business.
EMPLOY A HOLISTIC VIEW AND A ‘ZERO TRUST’ MINDSET — Overall, it’s cybersecurity best practice to look at requirements holistically, including an evaluation of physical security device and solution manufacturers. It’s important to look at the capabilities of a manufacturer’s products, but also examine the company itself and the way it practices cybersecurity. Of course, integrators and installers also play a key role when it comes to hardening products and solutions and implementing cybersecurity features. In the end, cybersecurity comes down to being vigilant and supporting a zero-trust model. Remember, customers and operators have a lot at stake and a need to ensure that all cyber policies and practices are properly implemented so that their business can be more fully protected.
— Wayne Dorris serves as program manager, cybersecurity, for Axis Communications
Collaborating with trusted manufacturers is crucial, ensuring integrators understand the cybersecurity measures embedded in products beforehand, he says.
Saks points to Hanwha’s Secure by Default policy as an example, where cameras come with recommended settings out-of-the-box, streamlining setup for users. He stresses the importance of clear communication between installers and manufacturers to bridge potential knowledge gaps about product design, enabling proactive cybersecurity measures before project commencement.
“In essence, effective collaboration and communication between installers and manufacturers ensure cybersecurity is integrated seamlessly into system installations,” he says.
Mathieu Chevalier, principal security architect, Genetec, Montreal, notes that ensuring a physical security system’s cybersecurity posture may seem costly at first with expenses like purchasing secure hardware and software, and staff training, among other cost factors. However, neglecting due diligence can lead to financial losses, operational downtime, legal fines and reputational damage, outweighing initial investments. While upfront and ongoing expenses are necessary, they mitigate the higher costs of security breaches, he says.
“For many systems integrators, one of the key challenges is keeping up to date on the latest cyber threats and defenses,” Chevalier explains. “This is largely due to the increasing complexity of integrating physical and information technology (IT) security, the constantly evolving threat landscape and the specialized cybersecurity skill sets. Navigating evolving regulatory and compliance requirements adds to the complexity.”
Chevalier acknowledges staying on top of vulnerability patching, software updates and managing those environments may be challenging. Thus, integrators should look to work with manufacturers that handle the bulk of such efforts so they save time while offering more reliability to their customers.
Communication and documentation are crucial in addressing cybersecurity challenges during the design and installation of new systems. According to Wayne Dorris, program manager, cybersecurity, Axis Communications, Chelmsford, Mass., integrators must understand the end user’s cybersecurity requirements and document responsibilities for each project phase. During the design phase, products are chosen based on project needs, while network cybersecurity considerations are essential at implementation.
“Oftentimes these are not explicitly outlined and even if they are, the team at the project kickoff isn’t necessarily the same team who will install the video devices,” Dorris says.
Despite the potential for project delays, maintaining cybersecurity should remain a priority throughout installation. Dorris emphasizes, “The pressure to meet installation deadlines can begin to take precedence over securing or locking down the system — but it’s important not to be deterred when it comes to cybersecurity.”
In the customer acceptance phase, clarity is needed regarding software patch management responsibilities. Dorris underscores the importance of discussing and documenting patch management expectations with the end user: “The integrator may handle this work the first year after the installation, but who does it after that? This responsibility must be discussed and determined with the end customer and can be worked into a service agreement.”
User awareness and training are critical aspects of cybersecurity, particularly in the context of video surveillance systems, says Michael Schutt, marketing manager, Speco Technologies, Amityville, N.Y. End-user training plays a pivotal role in ensuring that clients and their staff are well-versed in cybersecurity best practices pertinent to these systems.
“This includes understanding how to navigate potential security risks and being adept in handling the technology securely,” Schutt says. “Moreover, addressing user behavior is paramount, as it can pose significant threats such as poor password management or susceptibility to phishing attacks. Tackling these challenges necessitates a comprehensive approach encompassing robust system design, regular maintenance and updates, continuous monitoring, and thorough user training.”
Bridging Knowledge Gaps
Despite the critical importance of robust cybersecurity measures, there are several prevalent misconceptions and gaps in understanding that can undermine the effectiveness of video surveillance systems. Addressing these misconceptions is crucial for ensuring that integrators can adequately protect their clients’ video surveillance infrastructure against sophisticated cyber threats, sources say.
One such gap is understanding the difference between a vulnerability scan and a pen test, Brent explains. A vulnerability scan takes minutes and identifies basic vulnerabilities, while a pen test can take weeks or months, depending on the target. Notably, some exploits, like Stuxnet, took years to develop, he says.
“Also, one misconception is that hackers want the actual video,” Brent adds. “Hackers are typically focused on the video device — an edge device with an IP address and bandwidth that can be used as a weapons platform if it can be mounted — rather than the video.”
Knehr suggests one prevalent misconception is that physical security measures alone are sufficient to protect video surveillance systems, neglecting the need for comprehensive cybersecurity measures.
“Some integrators may underestimate the likelihood of cyber threats, believing that video surveillance systems are not prime targets for cyberattacks,” he says. “Additionally, assuming that basic IT knowledge is sufficient without specialized cybersecurity training can lead to inadequate security measures.”
One of the most common fallacies is that if it’s working today, there’s no need to worry about it, Chevalier says.
To help security integrators prioritize cybersecurity in their video surveillance projects, SDM asked the sources featured in this story for their top advice on where to start. Here’s what they had to say:
“Start with training, resources and tools for the devices and systems that you install the most often. Most major manufacturers also have technical people employed who can help you and your clients with cybersecurity matters. Cybersecurity is a large complex topic with many stakeholders, so the earlier in a project these items and requirements are discussed the better for everyone.” — Wayne Dorris, Axis Communications
“Cybersecurity affects every sector of industry and life in general. Integrators should look to have their technicians trained in cyber to offer system lock down as part of an installation package. With qualified technicians with the correct certifications, integrators could even provide a quarterly vulnerability analysis to their customers as a recurring service. — David Brent, Bosch Security and Safety Systems
“Look for a cloud video surveillance provider that has a cyber lockdown capability, where any camera connected to the VMS is locked down — cannot be attacked and compromised — and will not allow any trojans that may have been implanted in the cameras to communicate with the internet.” — Dean Drako, Eagle Eye Networks
“Remember that any application connected to the internet or a broader network requires attention as it poses a potential risk to the organization. IoT devices, such as cameras or card readers, can be an attack surface. Implement multi-factor authentication on accounts and vet your suppliers to prioritize cybersecurity in your supply chain. Additionally, employ multiple controls, often referred to as defense in depth, to improve your posture.” — Mathieu Chevalier, Genetec
You might have a customer that’s only installing 25 cameras today, but they might expand exponentially in the next two or three years. And with those higher camera counts, will the customers also need access control, video solutions and other scalable network products? That’s why it’s important to stay current, educated and equipped with the latest resources and tools. Do you know how to capture packets on the network to be able to troubleshoot or work with a manufacturer’s tech support team? Find products that can grow with you and your customers’ business. Surveillance and networked encryption technologies change so fast, and it’s important to stay up to date or you risk falling behind. — Aaron Saks, Hanwha Vision America
“Start with a risk assessment to identify vulnerabilities and prioritize addressing them. Invest in training to ensure team members are knowledgeable about cybersecurity practices. Implement strong access controls, like multi-factor authentication, and regularly review permissions. Keep software and firmware updated with security patches. Develop an incident response plan for handling cybersecurity incidents effectively. Fostering a culture of security throughout the organization encourages a proactive approach to cybersecurity and helps integrate security into all aspects of the business.” — Will Knehr, iPRO Americas
Regularly updating software and systems, attending industry conferences and participating in professional development courses are essential practices for maintaining robust security measures. Staying informed about the latest cybersecurity trends and threat intelligence through reputable sources ensures that individuals and organizations can proactively address vulnerabilities. — Michael Schutt, Speco Technologies
“This ‘set it and forget it’ mentality may put security and privacy at risk,” he says. “Obsolete firmware or a default password creates a foothold for an attacker to compromise the whole network. To mitigate this risk, systems integrators can take a proactive approach and update their customers’ physical security systems as they update their IT networks.”
Chevalier adds another common misconception is that cyberattacks are the exclusive domain of highly skilled cybercriminals. The availability of easy-to-use, easy-to-acquire hacking tools has made it easier for individuals with limited technical knowledge to conduct cyberattacks.
“There are more and more ready-to-download exploits targeting security cameras on the internet today, which are increasing the risk profile that physical security systems are facing. These enable less technically proficient attackers to deceive individuals and gain access to sensitive information,” he explains.
Dorris emphasizes that if a project lacks cybersecurity requirements or has very few, it should raise a red flag. Integrators should seek to clarify the requirements with the end user. At the very least, if no guidance is provided, integrators can propose implementing a basic cybersecurity framework for the devices and system.
“Some basic cyber hygiene practices to implement include encryption, setting up least privileged accounts, and updating software to the latest revision,” he adds.
There is often a mistaken belief that merely practicing basic cyber hygiene significantly reduces cybersecurity risk and prevents attacks, Dorris notes. “These small things, like changing passwords and keeping software up to date, are important and do make a difference, but with a caveat: They only help if they are consistently applied and updated,” he says.
In Saks’ view, the most common gap between manufacturers and integrators regarding cybersecurity in video surveillance occurs when there is an assumption that a product’s cybersecurity will prevent any intrusion and no further steps need to be taken. Another important issue he highlights is insider threats.
“You might have the most secure firewall or the most secure cameras or devices, but a malicious virus or malware may already be in your network. Too often, people assume having a strong firewall is enough,” Saks explains. “That’s why taking a holistic approach is so important — installing anti-virus and anti-malware software on desktops, establishing firewall rules between VLANs and separating several types of devices on a network.”
It is commonly believed that video surveillance systems are less susceptible to attacks because they are isolated and not linked to other networks, Drako explains. However, due to their integration with corporate networks and the internet, modern IP-based video systems are often vulnerable to external attacks.
“While it may seem like a good idea at the time, some integrators think that simply isolating their systems from other networks is enough to keep them safe,” he says. “However, doing so restricts who can access the system and makes it impossible to integrate it with other security systems.”
Cyber Skills & Knowledge Fundamentals
As cybersecurity continues to be a critical component of modern video surveillance systems, systems integrators must develop a robust foundation of skills and knowledge to ensure comprehensive protection.
Dorris of Axis Communications underscores the importance of basic IT and cybersecurity skills. “Many integrators have people in their organization with these skill sets, but it isn’t consistent throughout their organization,” he notes. Integrators should concentrate on network security, certificate management and trust structures. Moreover, mastering device hardening basics and leveraging manufacturers’ hardening guides to align with end customers’ cybersecurity policies are essential skills and practices, Dorris adds.
Chevalier from Genetec further emphasizes the necessity for integrators to grasp the fundamentals of IT security practices and the integration of physical security systems with IT infrastructure.
“This includes understanding network protocols, securing operating systems and applications, implementing multi-factor authentication and encrypting data,” he says. “Integrators should also be familiar with industry standards and regulatory requirements, such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).”
Saks of Hanwha Vision America highlights the critical nature of foresight in network design. “Are my cameras going on a dedicated network or am I using a VLAN? How has that VLAN been configured? Are there firewall rules to limit traffic between each type of network? Having that foresight is the number one skill,” he explains.
Saks also stresses the importance of understanding industry-specific technologies and standards, such as HTTP versus HTTPS and the different versions of the Transport Layer Security (TLS) protocol. These foundational elements are crucial for ensuring that cybersecurity practices align with specific industry requirements, such as HIPAA in healthcare or PCI compliance in retail.
Understanding network security is fundamental, according to Knehr of iPRO Americas. This includes knowledge of firewalls, virtual private networks (VPNs) and network intrusion detection systems.
“Integrators must be aware of common cyber threats, such as phishing, malware and ransomware, and how to defend against them,” Knehr states. He also stresses compliance with relevant regulations such as GDPR and CCPA. Having incident response capabilities are also essential skills for integrators.
Knehr continues, “Conducting risk assessments to identify and mitigate potential vulnerabilities is another critical skill for ensuring the security of video surveillance systems.”
Drako of Eagle Eye Networks points out the importance of familiarity with network protocols like TCP/IP, HTTP/HTTPS and RTSP, which are commonly used in video surveillance systems. He suggests that integrators should also know how to configure firewalls and implement VPNs to prevent unauthorized access.
Drako advocates for using true cloud video surveillance systems to alleviate some of the cybersecurity maintenance burdens. “All cybersecurity and feature updates are delivered automatically via the cloud,” he explains, reducing the need for on-site visits and manual updates. He also emphasizes that cloud systems offer superior cybersecurity assurance compared to on-premise hardware.
“A true cloud system is different from pseudo-cloud systems, which are equally insecure. These systems do not meet the NIST definition of cloud; they are cloud in name only,” he says. “A cloud VMS provider should have cybersecurity credentials such as SOC 2 Type 2, which is a rigorous audit of products, processes and protocols.”
Brent from Bosch Security and Safety Systems emphasizes integrators should educate themselves on cyber fundamentals, as well as encrypted communications, states of data, basic certificate usage and how to lock a system down based on the products being used.
“The cyber landscape is a moving target with threat vectors that change daily,” he says. “The security industry primarily deals with edge devices, such as cameras and panels. So, most of the equipment that integrators are installing are primary targets for hackers, as the devices are typically not part of a domain, subject to domain policies, or support anti-virus software.”
