Who's Monitoring the Monitors?

Video monitoring systems, along with other surveillance devices, present a cyber vulnerability that must be taken seriously. Follow these steps to proactively monitor the security and monitoring system components.

A key consideration for every business is how to properly secure its data and assets. Video monitoring has long been a great tool in the arsenal of security professionals, allowing for dynamic and real-time observation of physical locations and data centers. Advancements in IP or IoT-based video surveillance equipment and systems have given users the power to keep an eye on nearly every inch of their operations from remote locations all over the globe.

While NVRs and monitoring systems can help protect the integrity of a business, these devices can easily become significant liabilities to a company’s overall security plan if they are installed improperly or left undefended. Internet connected video monitoring systems can provide a digital portal to malicious actors and cyber criminals. Indeed, an end user’s digital eyes may in turn be used against him.

In addition to the pressing cyber risks presented by hacking of video monitoring systems to access sensitive network traffic and data, unprotected Internet-enabled cameras and systems can also be tools used by malicious actors in the exploitation of cyber vulnerabilities such as the control of BotNet attacks. By hijacking the Internet traffic of a Web-enabled monitoring system, BotNets can string together multiple unprotected devices into a weapon against large servers and domains. We have seen such DDoS attacks using BotNets, comprised of webcams, NVRs and other similar devices, to wreak havoc on major corporations, end users and critical systems.

Companies can practice good cyber hygiene and defend their systems by being proactive in their approach to security. Though a completely secure system is the ultimate goal, there are several steps companies can take to begin working toward a more secure future. For example, one of the easiest places to begin is with employee training dedicated to both hardware and software cyber security, as employees themselves can unintentionally become access routes for malicious activity. This training should be updated regularly to keep up with trends and technology. Similarly, formalizing a set of requirements and specifications for third-party software can help secure the supply chain.

Finally, implementing industry wide standards around the cyber protection protocols for software connected devices, through third party assessment, testing and certification tools such as the UL 2900-2-3 Standard (Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems), can help you stave off the infiltration of networks and misuse of Web-enabled cameras. In this age of connected technologies, it is simply no longer enough to watch the physical boundaries for intrusion. Rather, we must also monitor and defend the monitors — including the security and monitoring system components — themselves.

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Lou Chavez is a contributing writer to SDM magazine and is a global principal engineer with UL’s Security and Life Safety Equipment and Systems business. Louis is recognized by UL as a distinguished member of technical staff and is a member of UL’s William Henry Merrill Society.