Cybersecurity vulnerabilities of IP physical security systems have long been the industry’s “elephant in the room.” Perhaps as a function of salesmanship, the possibility of a cybersecurity attack on a physical security system has sometimes been downplayed or dismissed. However, video from hacked cameras streaming on the Internet cannot be ignored, nor can the possibility that an enterprise’s system could be hacked using back-door entry through an unprotected physical security component. Such is a downside of our new networked world. Lately, there has been much more talk in the industry about cybersecurity, so we wanted to get our Expert Panelists to add their views. This week we asked our panel: What are the cybersecurity vulnerabilities of IP based systems? How well does our industry address these vulnerabilities and what do we need to do better?
These days everything is moving to IP, and the growing trend of embedded systems, of which access control is one, is the Internet of Things (IoT). In the “good old days,” all embedded systems typically used a proprietary protocol between the embedded device and their application software. This typically used RS485 and was therefore fairly secure and safe from attack. With the move towards IP-based systems, and more importantly open standards, modern systems are more likely to be targeted by a wide range of criminals. This can be achieved using everything from a mobile device to a PC, all from the comfort of an office or bedroom. The cyber landscape is constantly evolving and rapidly changing. It is enough to just try and keep our IT infrastructure protected, let alone our embedded systems. IT personnel have for years been protecting systems using a range of applications from anti-virus, malware, etc. However, this knowledge and protection needs to be pushed down the chain into development to protect the embedded devices.
For IP based systems, the IT industry has established sufficient standards for cybersecurity. However, it is crucial that systems are deployed correctly. Cyber-threats often occur over networks that perhaps are not up-to-date or that haven’t been correctly deployed and configured. When a breach of a network occurs, it is often not a weak link in the security system itself. The industry can do better by providing education and awareness on availability and the proper deployment of networks.
The industry in general is doing a poor job [related to cybersecurity]. Too many manufacturers and integrators have no cybersecurity plan, and others have their heads buried in the sand. A handful of smart manufacturers and integrators are educating themselves and providing products that are cyber-hardened. At the very least, both manufacturers and integrators should be knowledgeable enough to explain the cyber-protection policies of the products and services they are supplying. Eventually, this will be regulated and mandatory, but waiting for the government to step in is a surefire way to get your butt kicked by more progressive suppliers and integrators. PSA has launched an aggressive Cyber Security Congress specific to the physical security industry. We have been pleased with the reception. However, there are some key players on both sides of the fence still hoping and praying a cyber-meltdown will happen to someone else and not them.
Cybersecurity has leapt to the forefront of discussion as threats have become front-page news, and citizens may be at risk across the board. IP-based systems face a growing number of challenges as companies seek to protect confidential information from being stolen and used to the detriment of an organisation. The cybersecurity challenge for organisations is that the threats are evolving and can expose flaws in systems, even while those systems are constantly being tested and having their security features improved. Every customer – both large and small – needs to follow industry best practices for upgrading and patching systems as recommended by the manufacturer in order to fully address these vulnerabilities. Additionally, a timely response enables customers and end users to apply new defenses against new threats and improve their overall security posture.
As the surveillance industry has transitioned from analogue to IP, cameras, VMSs and other devices have become exposed to the many threats the IT industry has been coping with for years. If surveillance devices are not designed with cyber-security in mind, they serve as back doors to the corporate network, allowing hackers to access and steal the most important assets of the organisation. Today’s surveillance cameras also create new types of assets to be protected. These include visual content that presents privacy concerns — such as faces, figures or even minors being captured on camera — and visual data about the sites that are secured, which can be utilised for malicious acts. Today’s surveillance devices are, in essence, small computers, and they are vulnerable to malware just like any other IP device. And worse, even if the IP infrastructure is well protected, the addition of video surveillance devices exposes it to new vulnerabilities.
The risk of cracked passwords or encryption is continuously increasing as faster computers enable hackers to do this more quickly. Moreover, hacked default protocols can be shared more easily via the Internet, also increasing the risk of being hacked. Currently, everyone realises that encryption keys have to be more complicated. But what is often not realised is that today’s encryption standard will probably be outdated in five years’ time. A well-designed system is therefore capable of adapting itself to this, now and in the future. That is, a system must be easy to change when the risk of being hacked increases, which is why new ways of encryption need to be easy to implement. The facility to update card readers to new, more secure technologies remotely is also important as risks increase the likelihood that new card technologies are required during the service life of the system.
As the need for interconnectivity grows among system components, so does the cybersecurity threat. Systems are only as secure as their least secure component. In general, security system manufacturers and network administrators should support and enforce secure protocols such as Transport Layer Security or at least some basic kinds of certificate/key-based authentication for client-server communications. One of the biggest vulnerabilities of IP-based systems is default usernames/passwords, as well as not segmenting functionality by user, open ports that are vulnerable to hacking, and wireless connections that are vulnerable to having video or data taken or seen by unauthorised users. Manufacturers need to strongly encourage end users to change default usernames/passwords when they first configure the camera/DVR/NVR. Segmenting functionality by user (i.e., ordinary user, administrator, super user, etc.) allows checks and balances for administrators that can produce alerts about critical system parameters and features.