In 2006, there were a mere two billion connected devices worldwide. By 2020, that number is projected to top 200 billion, according to Intel. That’s more than 25 devices for every person on Earth based on population forecasts. Cisco is more conservative, pegging the number at closer to 50 billion, which is still staggering.

As a result of the rapidly expanding number of potential entry points for attackers, Juniper Research expects the cost of cybercrime to businesses will reach $2 trillion globally by 2019. At the same time, total cyber security spending from 2017 to 2021 is forecast to top $1 trillion, according to Cybersecurity Ventures. Yes, that’s trillion — with a T.

IP cameras are particularly susceptible, says Jeff Whitney, vice president of marketing, Arecont Vision, Glendale, Calif., because many models were not designed to address this type of challenge, making them easy to compromise or to repurpose for things their owners never intended.

“When the shift came to IP cameras from legacy analog devices, most vendors moved versions of their existing architectures from analog to IP cameras, without considering the potential long-term impact on the organization,” he says. “The network is no longer exclusively for the surveillance, access control, and other physical security systems. Instead, it may be a segment of the overall corporate network or part of the corporate network directly, and as such any device that becomes infected — including security cameras — can become a propagator or vehicle for cyber attacks on other platforms and networks.”

The main reason is that many cameras and DVRs run common, general-purpose operating systems, in many cases Linux. This simplifies the process of adding features, shortens time-to-market, reduces manufacturers’ costs, and lowers purchase prices for end users.

“Today, however, we now know that this approach can also expose the device to cyber weaknesses or exploits. Malware, worms and hackers use these exploits in their attacks,” Whitney explains.

“It’s been well known in the cyber security world for years that if you take a Windows XP machine and connect it to the Internet, it will get hacked into within minutes,” says Chuck Davis, director of cybersecurity for North America, Hikvision USA, City of Industry, Calif. “It’s not somebody sitting in their basement who all of a sudden gets an alert. It’s that there are automated programs or scanners constantly scanning the Internet looking for these devices, every single IP address on the Internet. When it finds something, it tries to compromise it or hack into it.”

Therefore, any device that is connected to the Internet must have a proper firewall and access control in front of it.

“Putting anything on the Internet needs to be done with extreme caution and responsibility. That’s why we need strong authentication so that when one of these scanners finds a device, it can’t compromise it unless it knows the password and can authenticate,” Davis says.

Once breached, cameras can be used to launch attacks on other devices or networks in an effort to collect valuable data stored within other systems.

Some of the incidents involving video cameras that Alessandro Araldi, vice president of global product management, Honeywell Security and Fire, Melville, N.Y., has seen rank among the largest cyber security breaches: attackers used cameras and recorders as an entry point into the corporation as a whole.

“It’s not just getting hold of the video data, but it’s using these devices as a Trojan horse into a corporation to then get to other servers in the network and other data in the network,” he says.

And in the age of the Internet of Things (IoT), no one wants to be the one who enabled potentially significant damage resulting from a breach.

“Any device that doesn’t have a high level of security is potentially the weakest link in the ecosystem and we’re doing everything we can to make sure we’re not the weakest link,” says Ryan Zatolokin, chief technologist, Axis Communications, Chelmsford, Mass.

In addition to the well-publicized Mirai malware attack that in 2016 turned millions of IP cameras into bots used to attack a number of high-profile websites in some of the largest distributed denial of service (DDoS) attacks, there have been other examples of large numbers of IP cameras being breached.

Whitney points to a high-profile incident that saw a ransomware attack infect 70 percent of the Washington, D.C., police department’s video cameras citywide just prior to the inauguration of President Donald Trump. A total of 123 of 187 NVRs had their data encrypted, and the content could only be accessed if a ransom was paid to those behind a cyber attack. Luckily, the city was able to resolve the problem without paying ransom by taking all devices offline, removing all software and restarting the system at each site — a costly endeavor.

“Whether cameras were purposely put on the Internet or if someone accidentally port forwarded or left it open, there have been so many cases like that,” says Aaron Saks, technical manager, Hanwha Techwin America, Ridgefield Park, N.J. “Nowadays, more people are saying they don’t need remote access and if they do, they’re going to use VPN or other technologies. They’re not just going to open these up to the Internet because there are so many different search engines out there that are designed to specifically find these IoT devices.”

Basically, the industry is trying to catch up to where the IT world has been for a while. As the industry has moved to IP, cyber security has taken on greater importance, says Sean Murphy, director of regional marketing – video systems, Bosch Security, Fairport, N.Y.

“As an industry, everybody’s becoming self-aware and trying to take action to make that a reality. It’s not reinventing the wheel, it’s just using a new wheel or even a wheel that was invented two or three generations ago,” he says. “I don’t think anyone in the industry takes it for granted anymore especially with the attacks that have happened.”

Balance

Cyber security best practices have to walk the line between reasonable protection on one side and ease of use and accessibility on the other. Today’s video systems are by design more accessible, which introduces greater potential for misuse.

“That’s the fundamental problem we’re facing that we didn’t face before. When it was a true closed circuit TV system, it meant that whoever had physical access to the cameras could be the one who watched it and that was the limit of it,” Murphy says. “Now that we’re wanting to do things like view cameras from across the world on various types of devices, keeping that information only available to the people you want to have access to it is much more complicated.”

Therefore, cyber security must be a complete approach that comprises factors beyond what may be considered “cyber.”

“A strong cyber security program needs to take into account all things which affect an IP camera, from software to network infrastructure, from installation to proper ventilation and from keeping the camera software up-to-date to performing regular hardware maintenance,” says James Hoang, integrations manager, Speco Technologies, Amityville, N.Y.

Passwords

The most important action, which can go a long way toward preventing breaches or compromises, is also a simple one: change default passwords and settings. Surprisingly, this step is all too often not completed.

“The number of IP cameras that remain on default settings is estimated to be in the hundreds of thousands, and websites listing these default settings and passwords are easily found,” says Alan Wang, systems engineering manager/Edison expert L2, Pelco, Clovis, Calif.

As rudimentary as it may sound, just getting a product installed with a strong password is absolutely required.

With Bosch’s latest firmware, creating passwords is no longer optional. Once a camera is activated, it must be assigned a password.

“For some of our customer base and installer base, it does make it a bit more difficult because depending on how they roll out the cameras, the first turn-on is not the point where they would prefer to put passwords in, but we thought it was absolutely necessary to be more ethically responsible and at least forcing that minimum level of protection,” Murphy says.

Simply having a password, though, isn’t enough. Those passwords have to be strong enough to withstand attempts to guess them, which is yet another task hackers are handling with automation.

“No device should be given access to the network without having a user ID and a 16-digit ASCII password, enabled after the device has been configured for use by the installer and turned over to the customer,” Whitney says.

Passwords can be made even stronger with multi-factor authentication, which is an area where today’s IoT devices are lacking. But something as simple as requiring the entering of a numeric code received via text message or through a smartphone app, in addition to a password, can strengthen cyber security significantly, Davis says.

“That’s multi-level authentication because you’re using one of a number of factors. One is something that you know, and that’s your password. Another factor would be what you have, which would be a token, that number generator,” he says. “A third factor could be what you are, which is biometrics — retinal scan, thumbprint. A fourth factor that we talk about is where you are. Since we have GPS in our phones and everything, there are authentication solutions where if I’m logging in to an email account from Denver, but two hours ago it looked like I was in Berlin, the logic should keep me from logging in a second time from a different geographic location.”

Updates & Patches

Another common way hackers and others gain access to IP cameras is through outdated firmware. There’s a reason why hackers target this potential entry point — because it’s often left open, practically inviting a breach.

93% of security practitioners are unable to triage all potential cyber threats. — McAfee Labs

“We really have to do better in patching, maintaining and keeping devices up-to-date because there are constantly vulnerabilities that are being found in all computing devices,” Davis says. “The manufacturer’s responsibility is to find out what those vulnerabilities are, patch them and release their firmware updates. The other piece is the person who owns those devices needs to be vigilant about making those updates too,” he says.

No device should be connected to the network that has not been verified as having the latest firmware from the manufacturer.

“Regular updates of IT devices are common, but security practitioners are not as familiar with performing frequent updates of cameras as they should be,” Whitney says. “This new practice needs to be enforced as a best practice. Cameras that can be updated through a planned, secure process remotely and with multiple units at a time will make this process easier and less complex for the security practitioner.”

Sadly, even the firmware updates designed to protect devices can become tools for determined hackers, says Saks of Hanwha Techwin America.

“Most of the time, they download and analyze firmware without ever having the camera, and they’re looking for vulnerabilities that they can then use. Then they use a search engine to find a camera and attack it,” he says.

Recognizing this, Hanwha and other manufacturers have taken steps to eliminate this potential problem. (See related article, “Securing IoT Devices,” at www.SDMmag.com/securing-iot-devices.)

“We’ve started encrypting all of our firmware for our products so we know the firmware hasn’t been tampered with and that someone can’t just download the firmware and extract and analyze it,” Saks says.

Numbers That Will Keep You Awake at Night

46 percent of organizations have experienced a security breach or incident within the last two-plus years as a result of an attack on IoT devices, including IP cameras. — Altman Vilandrie & Co.

More than 80 percent of network breaches are made possible by default or weak passwords. — Panda Security

The average time a hacker remains hidden on a breached network is 140 days, during which time they may uncover additional vulnerabilities and steal sensitive data. — Microsoft

52 percent of companies that experienced a cyber attack in 2016 made no changes to their security programs in 2017. With regard to security spending, 45 percent of those organizations expected to make no changes to their security budgets, while 7 percent expected their budget to actually decrease. — Barkly

Since 2013, more than 3.8 million records have been stolen via security breaches every day. That translates to more than 158,000 per hour, 2,645 per minute and 44 per second for the last four years. — Nu Data Security

UL 2900-2-3 to the Rescue

In an effort to improve the security of connected physical security systems, UL released a new standard, UL 2900-2-3, last April. The latest addition to the UL 2900 series of cybersecurity standards, UL 2900-2-3 was developed with input from the industry to provide a foundational set of cyber security performance and evaluation requirements that manufacturers of networkable devices can use to establish a baseline of protection against a range of vulnerabilities.

Manufacturers can have their products tested and evaluated by UL’s Cybersecurity Assurance Program to determine vulnerabilities and weaknesses, and certify that the product’s software architecture and design meet the specifications of the new standard.

UL 2900-2-3 offers a three-tiered approach. Level 1, recommended as a minimum level of assessment, consists of foundational cyber security testing requirements, with the level of security testing increasing for each tier. Among the tests conducted under the standard are known vulnerability detection, code analysis, risk control analysis, penetration testing and security risk controls assessment.

Ethical Hackers

In the cyber security battle, vulnerability testing is becoming an increasingly important tool to help manufacturers identify potential problems before attackers discover them. This process involves so-called “ethical hackers” who are provided with products and given a simple directive: compromise them using any means necessary.

“We’ve done this a few times in the past. I want to continue to do this and do this more frequently,” says Hikvision’s Chuck Davis. “I want to have third-party penetration testing by ethical hackers who take our products and try to hack in. If they’re able to compromise any of our cameras or NVRs… they let us know what they found and how they found it. They typically will also offer recommendations.”

Having this tool at his disposal provides greater peace of mind that his company’s solutions will be as secure as possible when they are deployed.

“The cybersecurity certifications are basically a checklist of items to make sure we’re following best practices. The ethical hacking exercises pull out the tools of a hacker and try to really break in and compromise devices. That’s where I think we get some real value,” he says.

The Human Factor

No amount of cybersecurity technology and best practices can be effective if people aren’t aware of the potential consequences of their actions.

“We can do everything on our end as a manufacturer, but we don’t have control over devices once they’re purchased by a customer,” says Hikvision’s Chuck Davis. “Manufacturers and installers, resellers and owners — everybody has their part and their responsibility in keeping the devices, the networks and the Internet at large safe.”

This can be easier said than done given the complex channel in the security industry, which includes distributors, integrators, architects, engineers and consultants.

“Training that long chain and getting everybody to a foundational level on a topic as complex as cyber security can be a challenge, and it’s something the industry is trying to work its way through,” says Sean Murphy of Bosch Security.

In the end, however, training everyone along that chain about the role they play in cyber security is critical.

“We all are in this and have something to gain, so at this point, everybody needs to be all the way in and do the best they can,” Murphy says.

Preparing for a Vulnerability

Given the relentlessness of hackers and the automation technologies they employ, it’s only a matter of time before a vulnerability is discovered in practically any manufacturer’s devices.

“Despite all the best intentions, cyber security is a moving target so there will always be incidents that occur and you need to be prepared for those,” says Honeywell Security and Fire’s Alessandro Araldi. 

Whether an algorithm is cracked, a vulnerability discovered in a camera’s operating system or a clever hacker figures out something, the most important thing for a manufacturer is the response.

“The question is how does a manufacturer address it? Do they come out with a statement and publish the information quickly and effectively to notify their end users and their dealers and give them a resolution?” asks Aaron Saks of Hanwha Techwin America.

Getting and staying ahead of a problem will go a long way toward maintaining a positive relationship between manufacturers, integrators and end users.

“Cyber security is all about trust. It’s all about us as a manufacturer being transparent when we do have a vulnerability, letting people know about it and taking care of it, meaning releasing a firmware patch to address it. That is one of the big things out there,” says Ryan Zatolokin of Axis Communications.