Securing your security
April 2017, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions, IT infrastructure
We’ve heard about how the Mirai botnet used surveillance equipment to launch DDOS attacks on certain servers, and we know the software for Mirai is now available to purchase or rent – even for Windows machines. And there are many others out there looking to exploit weaknesses in connected devices, including security devices connected to the Internet, for malicious purposes.
Despite the nonchalance in some areas when it comes to securing your physical security infrastructure, the areas of cyber security and physical security are closer and more integrated than ever before. How long before a surveillance installation is the subject of a ransomware attack – all your video is encrypted and if you want it back you have to pay?
Securing anything in the technology world naturally requires technology in the form of hardware and/or software, but it also requires a ‘wetware’ solution in the form of people. Technology can be unbreakable, but someone will find a way to break it, either by accident or on purpose. Therefore, any complete solution will require an understanding of all of those components.
Hi-Tech Security Solutions hosted a round table to discuss the issue of securing surveillance (and security in general) installations and find out what the people in the market are doing and advising these days when it comes to protecting systems from these types of attacks, and from more sophisticated ones we haven’t seen yet.
The round table was made up of three vendors, Arecont Vision, Bosch and Milestone, complemented by two integrators, G4S and Johnson Controls.
Left to right: Johan Crause, Neil Cameron, Armand Steffens, Jason McGregor, Tim Timmins.
It’s all digital
Johan Crause, Arecont Vision.
Johan Crause from Arecont vision says his company understands that we are in a digital world that is inherently vulnerable to malicious attack. From a technology perspective, Arecont has therefore taken its own path and built its own integrated circuit (or chip for the non-engineers), the FPGA (Field Programmable Gate Array), which is mounted on its own printed circuit board (PCB).
This technology is in its fifth generation and can be tailored for the particular camera functionality the company requires since it develops its own code. More than this, Crause says this makes it impossible for the system to be hacked and used to launch cyber attacks. This means that Arecont does not host analytical applications on the cameras, but has decided to stay with server-based analytics to ensure performance and security.
Neil Cameron, Johnson Controls.
Neil Cameron is the GM for Johnson Controls in Africa. As a systems integrator, Johnson’s is product agnostic. Cameron explains that this allows the company to have a broad view of the products available and their various security strengths and weaknesses. This allows it to select products that match their client’s risk levels or appetite. It may not be a problem if someone can hack a camera and see a company’s gate, for example, but you wouldn’t want to give them access to your network.
Another issue that impacts security, according to Cameron, is the different levels of installation and the various skills levels of installers. Some installations are quite shocking as the installers use the cheapest equipment they can find, leave default passwords unchanged and similar issues that should not be issues anymore.
On edge devices, for example, there are no biometric login or encryption options, so the only option one has is a decent password. Leaving the default in place is unacceptable. Cameron says about 60% of the sites today still use the default passwords and are open to attack. And then there’s the issue of integration: just because you got it to work doesn’t mean it is working properly.
If you touch it, you own it
Armand Steffens, Milestone.
Milestone Systems’ Armand Steffens agrees with Cameron, noting, ”if you touch it, you own it”. The problem, apart from ignorance and laziness when it comes to changing passwords and following basic security processes is that many security integrators or installers lack the network knowledge to secure a surveillance solution properly, especially in the IP world. However, he says it goes beyond only surveillance.
And as more companies are using their CCTV systems for business intelligence these days, there is a lot of information to be obtained from them. “If you can get access to a camera, you effectively have access to the network if the camera is not set up correctly. And if the network is yours, you can potentially access anything.”
Steffens advises that security starts at the physical level, securing the cabinets in the back rooms where it’s not unusual to see the keys left in the cabinet for easy access. Then secure the switching infrastructure and so on.
Jason McGregor, Bosch.
It would be wrong to say that the capabilities to secure surveillance installations are not available in today’s higher-end products. Jason McGregor from Bosch Security says many of the leading manufacturers have security system and processes in place, but they are often not used, as it’s a rush for the technicians to get the stuff installed and move on to the next job. It’s similar to using antivirus on your PC, it’s not important to get the paid version or to get an up-to-date version until something happens and then it’s too late.
Basically, he says users, installers and integrators need to understand the need for more secure systems and to implement it. The only alternative is to force people to comply – as many manufacturers are doing by forcing installers to change default passwords. But in a complex network situation, how much can one force them to do before they simply choose a product with fewer restrictions?
Tim Timmins, G4S.
Tim Timmins from G4S Secure Solutions, the system integration arm of G4S, adds that the risks we face in poor installation practices are massive. There are websites that can give you the default passwords to almost every camera or router and who knows what other devices. And there are sites that have lists of thousands of cameras from all around the world, both in residential and commercial settings that can be streamed over the Internet because the installer left the defaults in place. These sites only show the video, but what of criminals who want to get more than a picture?
He even relates an experience with a camera vendor where the control room lost the signal to various cameras because the vendor decided to use a different port, which the IT department had restricted as a common security procedure. The camera manufacturer was more focused on convenience than security.
Convenience beats common sense
We all know how it is, especially when we set up Internet-connected devices at home. Instead of coming up with a complex password, we opt for the easy route because it’s too much hassle to remember the complex password and to change configuration settings to be more secure. The question is, how does the industry manage to get people past this convenience issue to a place where the understanding of what you should do becomes more important than being too lazy to remember a password beyond your dog’s name?
“I think the only way people are going to learn is when there is an email that comes to them and says ‘I have all your data, it is going to cost you $10 000, pay it into this bank account and I will give you your data back’. That, unfortunately, is what is happening in the market at the moment,” says Crause.
He believes the manufacturers have a responsibility to make sure their products are as protected as they could possibly be, even in the default state. Additionally, the manufacturer should also ensure that using their systems, including the security component is as foolproof and easy as possible.
Steffens is of the same mind that manufacturers have the responsibility to make sure their products are easily installable, “and that we educate our installers. On the other hand, our SIs [systems integrators] have the responsibility to ensure that their staff is educated or allow them to be educated.”
Milestone runs a number of courses throughout the year, and found that it needs more. The company therefore has various online properties where partners can learn, not only Milestone-specific issues, but industry-related information, including security. Of course, it is up to the partners to attend the training and to learn for themselves, which can be a problem in a world where we are always rushing from one thing to another.
Education and skills is critical for Timmins. He notes that while you always get one or two people who are the whiz kids, most of your employees need to be trained properly and continually in the issues that matter to delivering what the customer requires – whether this is camera or network specific training or anything else. The same applies to the end users, they need to know what is and should be going on, although perhaps not to the in-depth technical level their integrators do.
Bosch is focused on security-related training on many platforms, adds McGregor, whether it’s talking about it on YouTube or writing white papers about it. The manufacturer’s job, he says is more than creating trust between devices (something Bosch is making happen in its security efforts) and making sure that its products are secure, it is also about education. This ranges from simple ‘top 10’ lists about security best practices in various environments, through to technical information needed when installing IP systems.
“It is like a car manufacturer putting seatbelts in a car,” McGregor explains. “That is the first step, but the second step is to educate people on the risks so they understand why they need to wear a seatbelt.”
The IT manager cometh
As the IP market has matured, security installers and integrators find they are not only talking to a security manager anymore, but also to the IT department, which requires more in terms of network knowledge and skills. IT tends to be very prescriptive of what can or can’t go on its network and how it should behave.
Unfortunately, many IT leaders, if they are involved in the security installation, still prefer to see it on a separate network that won’t impact their business communications. Cameron says that the result of this is that using Active Directory, for example, to control access is not common, nor is seeing the IT manager controlling the network – as long as it doesn’t hamper the IT department’s functioning, it can carry on. The result, often the network does not include the normal IT encryption protocols or whatever they put in place as standard security principles.
He notes that when the security system is integrated into the company’s IT platform and it is looked after by IT, it is generally more secure with forced password changes and Active Directory use and so on, and it is easier to use.
For people who say all this security talk isn’t necessary, Cameron points out that there are innumerable people who would hack your system just for fun, that is the reality of the digital world we live in. You get points for being a cool hacker dude. And these are the ones who aren’t after money, the real criminals are an additional, more dangerous threat. So the fact is, you will have attempted hacks. The question is what you plan to do about it and how will you react.
What it comes down to, repeats Timmins, is education. Educating integrators and end users is key to ensuring everyone understands what is needed and why, and then adding the ‘how’ in terms of the technology they use. As the Internet of Things (IoT) gains more traction and more electronic devices come online, there will simply be more opportunity to find a weak spot and get into the network if it is not secured.
Trust is key, not price
Of course, when speaking of vendors and manufacturers, it should be clear that not all companies turn out the same quality products. Cameron says security starts by selecting credible suppliers, those with accreditation courses for their products and not those who offer the cheapest price. Some people still do buy on price, and they often come to regret that decision when they see the results or find they can’t extend the use of their systems beyond basic video streams.
Bosch is dealing with this issue by creating a network of trusted devices. The idea is that each device, like a camera, incorporates a safe (unhackable) module with its encryption certificates and so on. These devices will only communicate with other devices with the correct authorisation credentials. The idea is to have a network of trusted devices that communicate securely, only with each other. This could, of course, be extended to include any devices connected over the Internet.
When it comes to encryption, all the individuals around the table agree that it has become a necessary part of the surveillance and general security business. This does not mean encrypting business data at rest and in transit (which one should be doing already), but also the security information transmitted to and from cameras, NVRs, servers and storage.
Steffens advises that Milestone supports end-to-end encryption. This means data is encrypted from the edge to the database. Even if someone does hack the network, they would only end up with encrypted data they can’t use.
McGregor adds that the devices in question cover everything that can be used in a surveillance project, including mobile devices. You will look hard to find a surveillance vendor that does not offer mobile access and management capabilities today. As with everything else, these mobile devices and apps need to be secured and operate as trusted devices before they can be allowed access to sensitive data.
Legislate or cooperate?
When discussing the need for cyber security in both the physical security and information security worlds, the round table agreed that we are likely to see some form of standards coming out in the near future. In the spirit of openness and integration, vendors have adopted standards in almost every sphere to enable cooperation between various products. If a similar approach is not taken when it comes to securing connected devices, whether they are CCTV cameras or any part of the IoT, there is a good chance that governments will intervene and force standards, which in all reality are likely to impede the progression of technology rather than enhance it.
When it comes to standards and cooperation, the question may crop up as to whether imposing security-based restrictions as to what talks to what and how it does it may be the opposite of openness. We have seen the idea of open systems touted for many years along with the advantages of integration and so forth.
Cameron does not believe these standards would impede openness and integration, using the example of ONVIF or even Ethernet communications. These are open standards that allow cooperation between many devices and anyone can use them, but what is ‘closed’ is the encryption that keeps the communications secure and the authentication protocols that ensure the flow of communications is secure. In the same way, security standards will still permit openness in terms of connectivity and integration, but allow users and integrators to ensure their installations are secure.
Another example is Internet banking. One uses the open and unsecured Internet to connect with your bank, but the protocols used ensure your communications are encrypted and safe. A standard such as this has not been adopted in the security world, apart from companies creating their own secure environments, but the alternative of continual breaches and losses will force their creation, either via legislation or industry cooperation.
Both Cameron and Timmins note that this would be an ideal setup, but at the moment, integration depends on what the client wants and the systems they want integrated. Some systems, which could be in the IT, security, building management or any other space, use protocols that were designed before security was an issue and hence were designed for efficient information transfers and not, for example, for encryption. This leaves the integrators having to write special drivers or add-ons, adding to the complexity and cost. Once again, a rethink is required to develop protocols and standards with security as a foundation rather than an afterthought.
And as more of the world moves to cloud-based services, the information flow becomes incredibly large and even more difficult to manage. Here again we will see significant progress over the next few years in creating secure, yet open cloud solutions for everything from tiny sensors communicating ‘yes’ or ‘no’ messages to cameras pumping out constant high-resolution video streams.
Ask the right questions
Talking about what should happen and what vendors may or may not offer is one thing, but what can the end user do today if they want to have some form of assurance that they are not an open target for hackers? What can they do and what questions should they be asking of their service providers?
McGregor says the first step is simple, since you are looking for a trusted partner, you need to ask them if they can educate you in terms of what the best options for your environment are. This does not necessarily mean technical education, but more insight into what to do (or not do) and how to do it for the best, or most secure results.
Expanding on this, Timmins notes that often the users don’t understand that some brands may be vulnerable or that certain accepted practices are insufficient for good security, even though they carry a low price. Moreover, larger clients often retain the services of a consultant and it is also worth it for integrators and manufacturers to develop relationships interfacing with the consultants to share information and advice.
Another issue to consider is who is involved. Steffens says the IT crowd has much more experience in the cyber security game and can offer invaluable assistance – such as insisting each server is equipped with antivirus software (which, for some reason, doesn’t always come standard). The old divisions between what is security and what is IT should not be a hindrance anymore. And should the IT service provider not want to cooperate, or vice versa, the customer needs to insist they do because in today’s integrated world, poorly secured security solutions will impact on the network and other IT territories, not to mention finances and potential legal repercussions is a breach occurs.
In the end, it seems there is no clear answer to the surveillance security question. Manufacturers have a responsibility to make sure their products are secure by design and to update them when vulnerabilities are discovered. In addition, the integrator and installers also have a responsibility to ensure they have the skills to implement solutions correctly, and to actually do it.
If something goes wrong and a breach occurs, it’s likely that the manufacturer will be the one blamed, even if the installation was botched. Similarly, if an integrator gets a reputation of installations that are easy to penetrate, they may find themselves last on the list in future.
Nevertheless, at the end of the day, the biggest loser in all of this are the users. They are the ones paying for a solution as well as losing whatever the hackers take or do, as well as paying for the clean up after the breach. To date there is no law in South Africa that makes it compulsory to make any kind of cyber breach public, but with the approach of the PoPI Act this will change as disclosure is legislated. When it is enforced, there will be no hiding away and leaving your customers to deal with the fallout as is mostly the case in South Africa now. There will be a reputational cost for the users to deal with as well as a financial cost.
It is therefore critically important for users to be educated. In fact, the end user should make the decision that they will not rely on certifications or advice from their vendors or integrators, but will keep themselves abreast of current security trends and risks. This does not require in-depth technical knowledge, but enough information to know what to ask for, what to insist on from installers and integrators, and to understand that a camera isn’t simply a camera.
As with all things security related or not, you get what you pay for. When the whole supply chain is focused on secure installations, the whole supply chain wins.