18 Oct 2024

In today’s world, almost any electronic security system holds the potential to become a gateway for cybercriminals. With physical security and cybersecurity increasingly entwined, security professionals aren’t doing their job unless they take all possible precautions to lock down unauthorised access to camera systems, access control platforms, intercoms, and other network-based security devices and solutions.

Let’s explore the many steps companies should take throughout their security technologies’ lifecycle – from choosing a vendor all the way through device decommissioning – to avoid making the common mistakes that leave systems, and the networks they reside on, vulnerable to attack and sabotage.

Prepurchase phase: Laying the groundwork for cybersecurity

1. Conduct a Vendor Risk Assessment

IT departments often rely on the same Vendor Risk Assessment criteria they use for evaluating IT equipment manufacturers when considering the suitability of physical security vendors. While commonalities exist between how to assess these disparate solutions, there are also differences that require distinct scrutiny. For example, device endpoints within physical security systems run on custom Linux kernels and therefore do not utilise standard Linux distributions like Red Hat, Ubuntu, or Debian.

A comprehensive evaluation should examine how each security solutions manufacturer handles its software development life cycles. Ideally, vendors should adhere to a recognised framework when developing both their platform management and device-specific software. In 2021, Executive Order 14028 made it a bit easier for companies to evaluate vendors by providing guidelines for evaluating software security, the practices of the software developer, and methods to demonstrate conformance with secure practices, specifically referencing the NIST SP 800-218 Secure Software Development Framework. In short, a good vendor should have documentation that explains everything it’s doing to address cybersecurity from development, through releases and ongoing maintenance.

2. Obtain Software Update Schedules

The frequency with which manufacturers update their software varies. Each company is different. If you’re their customer, it shouldn't matter whether the vendor schedules updates every six months, three months, or more often than that. What does matter is that you know what to expect and have a plan for how to deal with that reality. For example, if updates only occur every six months, under what conditions are patches released to address vulnerabilities that emerge between updates? Customers must understand how often they'll be updating the software on their devices and ensure they have the resources to make it happen. Make sure stakeholders agree, upfront, who will be performing the software updates. Will it be the integrator who installed the system, the physical security system staff, the IT team, or the end user? Keeping an entire system current is a huge challenge, but a non-negotiable responsibility.

Manufacturers who don't issue frequent releases and patches put the onus on customers to handle mitigation efforts on their own. In these instances, IT departments must be prepared to employ network segmentation, firewalls, security whitelists/blacklists, and other methods to protect their systems until a patch is released. If a company's security team has typically updated firmware only when something breaks, these additional responsibilities most likely require greater collaboration with IT departments and a shift in how security systems are managed.

3. Know the Warranty Terms and Duration of Software Support

Organisations should understand the warranty policies for the devices they purchase. Even more important is knowing when a device's software support will expire. Software support should extend well beyond hardware coverage. For example, if a camera has a five-year hardware warranty, customers should reasonably expect an additional five years of software support.

When that period ends, companies must plan on replacing the device – even if it still works well. Without software updates, the device lacks vulnerability support and becomes too risky to remain on the network. Manufacturers should be transparent about their warranty and software support policies, helping organisations plan for device replacements that align with cybersecurity needs.

4. Request a Software Bill of Materials (SBOM)

During the pre-discovery process, customers should request a Software Bill of Materials (SBOM) that provides a detailed inventory of the software running on each device, including open-source components.

By revealing what software is "under the hood," the SBOM allows IT departments to be vigilant in protecting the company's systems from exposed vulnerabilities. For example, a customer should understand how Transport Layer Security (TLS) is being handled to secure a security solution's web server if it’s an open-source component like OpenSSL.
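As an added illustration (not part of the original article or any vendor's tooling), the sketch below shows how an IT team might review a vendor-supplied SBOM for the TLS library question raised above. It assumes the SBOM is in CycloneDX JSON form; the sample document, the component names in it, and the `TLS_LIBRARIES` watchlist are constructed for the example.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM for a hypothetical camera firmware.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "operating-system", "name": "linux", "version": "5.10.110"},
    {"type": "application", "name": "camera-webui", "version": "4.2.0",
     "components": [
       {"type": "library", "name": "openssl", "version": "1.1.1k",
        "purl": "pkg:generic/openssl@1.1.1k"},
       {"type": "library", "name": "busybox"}
     ]}
  ]
}
""")

# Assumption: the names a reviewer treats as TLS/crypto libraries worth tracking.
TLS_LIBRARIES = {"openssl", "libressl", "boringssl", "wolfssl", "mbedtls", "gnutls"}


def walk_components(components, parent=None):
    """Yield (parent_name, component) for every component, including nested ones."""
    for comp in components or []:
        yield parent, comp
        yield from walk_components(comp.get("components"), comp.get("name"))


def review_sbom(sbom):
    """Return the TLS libraries found and the components with no version recorded."""
    tls, unversioned = [], []
    for parent, comp in walk_components(sbom.get("components")):
        name = comp.get("name", "").lower()
        version = comp.get("version")
        if name in TLS_LIBRARIES:
            tls.append((name, version, parent))
        if not version:
            # Without a version the component cannot be matched to advisories.
            unversioned.append(name)
    return {"tls_libraries": tls, "unversioned": unversioned}


if __name__ == "__main__":
    report = review_sbom(SAMPLE_SBOM)
    for name, version, parent in report["tls_libraries"]:
        print(f"TLS library {name} {version} (bundled in {parent})")
    for name in report["unversioned"]:
        print(f"No version recorded for {name}: ask the vendor")
```

Components listed without a version are worth raising with the vendor, since they cannot be tracked against published vulnerabilities.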

5. Assess Vulnerability Disclosure Practices

Understanding how a manufacturer handles vulnerabilities is essential. Ideally, they should be a Certified Naming Authority (CNA) and report common vulnerabilities and exposures (CVEs) to national vulnerability databases such as NIST and MITRE. Doing so automatically includes any disclosed vulnerabilities associated with their devices in vulnerability scanners' databases.

CNA manufacturers represent the gold standard in cybersecurity practices, but most security manufacturers do not reach this level. At a minimum, the vendors you choose to work with should have an email notification system in place to alert customers to new vulnerabilities. Remember – email notifications are only as reliable as the employees managing them, so investigate whether the manufacturer has a strong track record of keeping up with such communications. Ask to speak with customer references who have been using the solution for an extended period to ensure the vendor is diligent in its communications.

Configuration phase: Ensuring a secure setup

1. Use Hardening Guides

Once a device is purchased, configuring it securely is the next critical step. Manufacturers should publish hardening guides that detail the security controls available for their products and recommended practices for implementation. Between the features offered by the vendor and your company's own cybersecurity policies, make sure all possible encryption options are activated.

Using HTTPS is vital for ensuring secure communication with devices. Many physical security devices default to HTTP to accommodate customer-specific network topologies and certificate management. Failing to implement HTTPS can leave sensitive metadata unencrypted and vulnerable to interception.

2. Consider Advanced Encryption Protocols

Some solutions offer built-in encryption protocols, like MACsec, which makes it impossible for data to be compromised as it is transmitted over the network. HTTPS is still necessary to secure the connection to the devices’ web service, but while customers set up and configure their devices, MACsec will keep network data safe.

Additionally, if you want to encrypt video streams, consider protocols such as Secure Real-Time Transport Protocol (SRTP), which secures the transmission of audio and video data over the Internet, or tunnelling methods like Secure Socket Tunnelling Protocol (SSTP), which encapsulate data packets for safe transmission between two points, even if the network is insecure. Such protocols are necessary to protect video data in transit from cameras to the Video Management System (VMS).

Encryption should also extend to the VMS hard drive where video is stored. There are different methodologies to do that, but ultimately the goal is to encrypt data in transit and in storage.

3. Implement Remote Syslog

In the case of a breach, each device maintains a set of logs that are useful for forensic investigations. However, if a device gets hacked, its log may not be accessible. Best practices dictate that companies should set up a remote Syslog server that maintains a copy of all device logs within a central repository.

In addition to providing redundant data for investigations, a Syslog offers IT systems an efficient way to look for anomalies. Cybersecurity teams will receive immediate notification for events like unsuccessful login attempts so they can quickly figure out what's happening. Who is trying to log in? Why on that particular device?
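As an added illustration (not from the original article), the sketch below shows the kind of check a central Syslog server makes possible: counting failed logins per device and source address and raising an alert when they cluster. The log lines are constructed, the "login failed user=... src=..." message wording is hypothetical since each device vendor formats messages differently, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the message wording is hypothetical, real devices differ.
SAMPLE_LINES = [
    "<38>Oct 18 09:14:01 cam-lobby-01 httpd[412]: login failed user=admin src=192.0.2.50",
    "<38>Oct 18 09:14:03 cam-lobby-01 httpd[412]: login failed user=root src=192.0.2.50",
    "<38>Oct 18 09:14:04 door-ctl-02 httpd[220]: login ok user=svc-vms src=198.51.100.7",
    "<38>Oct 18 09:14:06 cam-lobby-01 httpd[412]: login failed user=admin src=192.0.2.50",
    "<38>Oct 18 09:40:00 door-ctl-02 httpd[220]: login failed user=jdoe src=198.51.100.9",
]

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"login failed user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=1), year=2024):
    """Return one alert per (device, source) reaching `threshold` failures in `window`."""
    recent = defaultdict(deque)   # (host, src) -> timestamps still inside the window
    users = defaultdict(set)      # (host, src) -> usernames tried so far
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed login, or a format this parser does not know
        # RFC 3164 timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["src"])
        q = recent[key]
        q.append(ts)
        users[key].add(m["user"])
        while ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) == threshold:
            alerts.append({"device": key[0], "source": key[1],
                           "users": sorted(users[key]), "at": ts.isoformat()})
    return alerts
```

Each alert carries the device, the source address and the usernames tried, which maps directly to the questions of who is trying to log in and why on that particular device.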

4. Practice Healthy Password Hygiene

One of the most basic and yet overlooked aspects of cybersecurity is the failure to manage user accounts meticulously. Many organisations use the same username and password for all security devices because it's simply too cumbersome to manage a network of devices in which each requires a separate, unique login. It's assumed that the system's primary administrators are the only ones who know the universal password. However, the system becomes vulnerable if anyone within this select group leaves the company and the password isn't changed or deleted right away. 

Ideally, organisations should move towards using Active Directory or Single Sign-On (SSO) solutions. This approach ensures that employees throughout a company are each assigned a unique login credential that they use for any systems they use throughout the organisation. When they leave, their passwords and access are universally terminated along with their accounts. If SSO is not an option, regular password changes and prompt account deactivation are critical.

Decommissioning phase: Securely retiring devices

At some point, physical security devices will reach the end of their useful life. When that time comes, companies must take care in how they dispose of their devices. A good vendor will provide guidance on how to clear memory chipsets and restore factory defaults.

Improper decommissioning can lead to severe risks. For example, if an improperly decommissioned device is sold on the secondary market or retrieved from a dumpster, an attacker could gain access to sensitive network configurations and use this information for malicious purposes.

Conclusion

Deploying physical security solutions involves more than just securing buildings and assets; it also requires robust measures to protect against cybersecurity threats.

From assessing vendors and understanding update policies to configuring devices securely and managing decommissioning processes, each step presents potential pitfalls that, if overlooked, could expose organisations to significant risks. By incorporating the techniques discussed into their deployment protocols, organisations can ensure their physical security solutions provide comprehensive physical and digital protection.