As evidenced by the steady stream of news about data breaches coming from companies large and small, cyber crime has become a very real problem in the world today. Given the convergence of video surveillance technologies with other security and non-security solutions, securing the products that make up these systems has become a priority for manufacturers, integrators and end users.
“With video security, the convergence of video and data such as analytics and biometrics makes it an even more attractive target for criminals. Therefore, the need to effectively detect and prevent cyber crime is even more pressing,” says James Hoang, partnering and integration manager, Speco Technologies, Amityville, N.Y.
The high profile of cyber breaches has created a culture in which device manufacturers, particularly those in the security industry, are making concerted efforts to prevent their products from becoming the “back door” that allows hackers to access customers’ networks — and the sensitive data therein.
“Cyber security awareness has had a positive impact on the industry at large, including how we put our own products through the paces to ensure that by the time it gets to the end user, it is indeed cyber secure,” says Fredrik Wallberg, director of marketing – security and ITS, FLIR, Wilsonville, Ore. “The fact that cyber security is now starting to become part of the spec has ensured that manufacturers, including us, have really had to address cyber security in a much greater sense.”
However, there’s a hidden challenge as a result of the growing cyber attack risk and the precautions needed to address it, says Jeff Whitney, vice president of marketing, Arecont Vision Costar, Glendale, Calif.
“Security manufacturers can’t make their platforms so secure that they become too difficult to manage and use, or that greatly limit the many benefits of IP networking and remote access via the cloud,” he says. “Customers either won’t select those platforms that are so secure that they are difficult to use, or they will find ways to bypass the intended safeguards.”
This requires balancing an acceptable level of cyber security with simplicity of use, system reliability, expandability, affordability, interoperability and ease of administration, with the importance of each of these factors varying from end user to end user.
Communication & Openness
One of the most powerful cyber security practices manufacturers employ has nothing to do with technology. In this age where hackers are relentless in their efforts to gain access to devices and networks, communication is key.
“Ultimately, we want to be known as a good business partner for both the integrator and the end user, and we’ve taken the stance that being open and honest is the best way forward,” says FLIR’s Fredrik Wallberg. “The more you share, the better.”
Many manufacturers provide a dedicated area on their website for communicating information about vulnerabilities, which products may need firmware updates, and more.
“We have a product security landing site where users can opt in to know about vulnerabilities in our products and be alerted when there is a patch for those, so they can keep their products up to date and reduce the risk of having older products that may have vulnerabilities,” says Wayne Dorris of Axis Communications.
This ability to quickly communicate information about potential vulnerabilities and how to fix them is crucial, says Paul Garms of Bosch Security and Safety Systems.
“We also have a process in place if a vulnerability is discovered,” he says. “This helps us to react quickly with notifications to our customers for resolving the issue.”
Password Protection
When it comes to cyber security, the most basic tool is password protection. However, all too often the default passwords go unchanged, which is why many manufacturers have incorporated measures to keep this from happening.
“We have installed some features within our cameras like making sure the customer has to change the password,” Wallberg says. “There’s an admin password that can be very simple to guess, so instead of letting the customer decide whether or not they want to change [it], we’ve mandated it.”
But simply changing the password isn’t always enough, given people’s tendency to choose passwords that are easy to remember — and therefore easier to crack.
“We force an integrator to set a complex password during installation,” says Aaron Saks, product and technical manager, Hanwha Techwin America, Ridgefield Park, N.J. “We want to make sure that products that are being put in the field never have a default password or a dummy password like 12345. So we … require it to be a complex password — numbers, letters, uppercase, lowercase, special characters, things like that.”
End-to-End Encryption
Encryption goes hand-in-hand with password protection, which means ensuring the transfer of video and data from a device to the headend is secure. According to Whitney, NIST-compliant data encryption must be provided with password protection to access video and ensure appropriate access.
“Each local VMS or NVR system must establish a trusted outbound connection to the cloud storage platform,” he says. “This eliminates a major potential network vulnerability by eliminating the need for any open ports through the network firewall.”
To provide this high-level encryption, many companies go to great lengths to protect video and data at every step along the surveillance system.
“Our system approach is the key to achieving the highest standards in end-to-end data security,” says Paul Garms, director of regional marketing, Bosch Security and Safety Systems, Fairport, N.Y. “For example, we create trust by assigning every component in the network an authentication key and secure data from hackers by encrypting it at the hardware level using a cryptographic key that is stored in a unique built-in trusted platform module (TPM). We also offer easy ways to manage user access rights, can support the set-up of a public key infrastructure, and more.”
Protecting the integrity of video streams is important, especially when that video is needed for evidentiary purposes. Working with threat protection provider DigiCert, Panasonic combines reliable certificates and technology for detecting and analyzing cyber attacks with its in-house embedded cryptography technology to deliver data and communication encryption as well as verification.
“Video leakage is prevented, as the encrypted video data is transferred using a secure channel with our recorders,” says Shawn Kermani, product marketing, Panasonic Security Group, Newark, N.J. “Data is secured by using certification and hash value, which can detect video alteration and confirm which camera has created the video.”
Firmware Updates
In an ideal world, cyber security would be a “set it and forget it” proposition. But because this is far from a perfect world, the software running devices has to be updated periodically to ensure protection against cyber threats.
“No device should ever be connected to the network unless the manufacturer commits to providing easy-to-implement updates to the product firmware,” Whitney says. “Many IoT devices today are simply unable to be updated to address a security issue once identified, thus becoming a point of attack for those with malicious intent.”
As is the case with communication, firmware should also be encrypted. Like many manufacturers, Hanwha takes measures to protect its firmware from tampering.
“For all of our products, we want to make sure the file people are installing has not been hacked or maliciously messed around with, so we use encryption on all our firmware for all of our products,” Saks says.
Securing Products From Design Through the Supply Chain
From a cyber security perspective, it’s important to know exactly where products are coming from and how vendors are securing their devices prior to shipping them to resellers and security professionals.
For Axis Communications, that means employing groups of coders who focus on secure coding techniques and testing throughout the product development process.
“The idea is that as you’re building the product to try threat modeling,” says Wayne Dorris of Axis. “That way as they’re building it, we try to understand that if we include a feature, how could a bad actor exploit it? That allows us to mitigate the number of issues as code is being developed.”
Hanwha Techwin America handles all its manufacturing in-house to control the supply chain from raw materials to finished product.
“We manufacture the SOC (system on chip), which is the heart of our cameras,” says Hanwha’s Aaron Saks. “We design, engineer, manufacture and assemble, so we are controlling the entire supply chain. By manufacturing our own products in our own facility with our own people, we can make sure something isn’t being implanted or we’re not using the wrong parts or the wrong firmware.”
Among the steps manufacturers have taken to ensure no one can use the supply chain as a means of compromising products are using trusted platform module (TPM) and secure-boot features. A TPM chip stores RSA encryption keys specific to the host system for hardware authentication. Encryption is maintained within the chip and cannot be accessed using software, Dorris says.
Products that offer secure boot ensure that no one has tampered with the software code between manufacturing and deployment. In the highly unlikely event that someone is actually able to do so, the device will simply not start up.
“This way, end users can be sure that no matter the manufacturing process or the distributor, when the integrator puts a product on their site, nothing’s been tampered with, code-wise,” Dorris says. “In addition to protecting devices along the supply chain, this also helps mitigate potential insider threat once the device has been installed.”
Testing & Re-testing
The cyber threat landscape is constantly evolving; and while most companies try to stay up-to-date on vulnerabilities and other factors, hackers are constantly working to stay one step ahead. To address this, many manufacturers employ penetration testing, whether conducted in-house or by a third-party provider.
“We work with a dozen third-party security service companies to provide more robust and secure products,” says Tim Shen, director of marketing, Dahua Technology USA, Irvine, Calif. “Through our collaboration with these companies, system scans, protocol fuzz testing, penetration testing, and threat modelling are used to help discover and close vulnerabilities.”
Instead of ignoring so-called “ethical hackers,” FLIR embraces and works closely with these types, who try to find any bugs, leaks or vulnerabilities in the company’s products.
“We’re working with a few of these people to ensure that if there’s any way to get in, if there are any vulnerabilities in terms of cyber security, or if there are any patches that need to be made before general availability, we can take care of those in the R&D and beta phase,” Wallberg says.
MOBOTIX is another manufacturer who has gone this route to stay ahead of potential threats.
“We cooperate with other third-party white hat hacker companies that are skilled at cyber attacks,” says Thomas Dieregsweiler, head of product management, MOBOTIX, Langmeil, Germany. “If they find any areas of vulnerability, they forward any potential security leakage to MOBOTIX in order to stay proactive and ahead of large threats.”
Hanwha brings in third-party testers early in the product launch process in an effort to deliver the most secure products possible. “They look at our products and our code to identify vulnerabilities and look for issues,” Saks says. “When we release a product, there’s time to mitigate any issues so it will be a secure product when it hits the market.”
End User & Integrator Resources
Regardless of how stringent the cyber security features of a product may be, it’s still important for not only integrators but also end users to take an active role in the process.
“End users also play a critical role in cyber security by adopting strong network security protocols with appropriate security configurations and adhering to best practices like strong passwords and installing all necessary software updates in a timely manner,” says Jeremy Kimbler, video global product management director, Honeywell Commercial Security, Melville, N.Y.
That’s why some of the most common steps manufacturers have taken are providing resources for integrators and end users, such as a cyber-hardening guide that provides best practices for ensuring solutions are protected.
“These guides provide a baseline configuration for dealing with the changing threat landscape, and the installer’s job is to match what’s in the document with an end user’s cyber security policy,” says Wayne Dorris, business development manager, cyber security, Axis Communications, Chelmsford, Mass. “A solid, written cyber security policy is key to helping mitigate risk and using security controls to alleviate any other threats with cameras and devices being on the network.”
When putting together cyber hardening guides and other resources, manufacturers have to consider a wide range of potential issues. However, that doesn’t mean that every practice outlined in these resources applies to every end user.
“There is no letter of the law, no one single way to do cyber security, but there are best practices everyone can follow to improve cyber security,” Wallberg says. “That’s why we have created best practices for cyber hardening, which comes with every single one of our products that goes out.”
In addition to publishing white papers and hardening guides on its website, Hanwha provides webinars and also speaks about cyber security at industry events.
“We’re always talking about cyber security. That way it stays fresh in people’s minds and isn’t just a ‘We learned about that once and we never talked about again,’” Saks says.
More Online
For more on cyber security visit SDM’s website, where you will find the following articles:
“It Will Take a Village to Make the Security Industry Cyber Secure”
www.SDMmag.com/it-will-take-a-village-to-make-the-security-industry-cyber-secure
“Cyber Reality: How the Security Industry is Adjusting to the New Normal”
http://www.SDMmag.com/cyber-reality-how-the-security-industry-is-adjusting-to-the-new-normal