The enemy within – cyber security and network surveillance

Timothy Compston investigates the steps being taken by manufacturers to ramp up cybersecurity and how such concerns are influencing purchasing decisions following the growing problem of botnet/DDoS incidents affecting cameras on the network.

Today, more than ever, providers of physical security systems are investing in cyber protection for their solutions. With the move to IP-based video surveillance and access control solutions the cyber and physical security system worlds have never seemed closer, so it is perhaps not too surprising, in this ‘Internet of Things’ world, that we have witnessed a string of announcements from vendors regarding the steps they are taking here.

Considering the direction of travel, one issue that has been hitting the headlines is the cybersecurity of cameras and wider infrastructure. A series of incidents have raised red flags around the threat to new and legacy video surveillance equipment from hacking attacks. This is not just about privacy, as individuals seek to gain unauthorised access to camera images but, crucially, concerns are being raised over cameras as a backdoor into the wider corporate network. In addition, by taking remote control of vulnerable cameras – that are essentially mini-computers – cybersecurity experts say that there is a ready platform for individuals, groups and even states, to launch large-scale, disruptive, botnet/DDoS (Distributed Denial of Service) incidents.

Given this backdrop, key industry figures have been extremely vocal on the issue of camera vulnerabilities. A case in point is the president of Genetec, Pierre Racz, who sought to explain the move by the company to place certain video surveillance cameras into a ‘restricted’ category. The argument that Racz put forward at a Genetec press summit in Montreal last year, and has repeated many times since, centred on the ultimate origin of the technology inside some video surveillance cameras and potential ‘backdoors’. To illustrate his point, Racz drew an analogy with airport security, where someone seeking to fly is asked by the airline if they have packed their own bags: “If not, do you trust the person who packed your bags? If you can’t answer that question your bags should not go on that plane.” For his part, the co-founder of Axis Communications, Martin Gren, has warned about the cheap and inferior IP cameras and DVRs associated with cyberattacks that were configured with a standard hard-coded root password and put on the open Internet: “If this was in the IT industry it’s an absolute no-no. But we in the security industry, we unfortunately lag behind IT security.”

Looking at some of the specific scenarios that underline the dangers on the ground, a dramatic event, in terms of scale and impact, was the massive DDoS attack in 2016 on Dyn, a DNS host, which took offline or degraded the functionality of key websites, with the attack being especially pronounced on the Eastern seaboard of the US. A significant proportion of the attack traffic was thought to have come via compromised Internet of Things (IoT) devices participating in Mirai botnet activity. It is suggested by cybersecurity specialist Flashpoint that the attack was initiated by two types of devices: one, worryingly, was reckoned to have been a DVR running software from a Chinese company and the other a network attached storage device.

With a smaller footprint in cyberattack-terms, but gaining column inches nonetheless thanks to the security implications, last year saw the arrest of two individuals – a British man and a Swedish woman – in London who were suspected of hacking into network video recorders in Washington DC just days before President Trump’s inauguration. The attack, the Washington Post reports, involved ransomware and impacted 123 of 187 network video recorders which meant that they could not record from the city’s video surveillance cameras until remedial action was taken, specifically taking the recorders offline, removing any malicious software and then reconnecting them.

Vendor action

Given the ever-changing dynamics of the cyber threat landscape, equipment manufacturers are lining up to demonstrate to their prospective customers that they are taking active steps to harden solutions against attack. Jon Cropley, a principal market analyst at IHS Markit, believes that cybersecurity is now having a noticeable impact on buying decisions in the video surveillance marketplace: “I do think that it is definitely having an influence and some companies are using it as a differentiator. We have talked a lot about price decline in recent years and companies have looked at features to compete on things other than price and cybersecurity is one of those elements.”

In terms of devices that are cybersecurity-ready, Jeff Whitney, vp marketing at Arecont Vision – and a member of the Security Industry Association’s Cybersecurity advisory board in the US – singles out the vendor’s Mega single, dual, or multi-sensor IP megapixel cameras which, thanks to their unique design, are, he reckons, a good fit for situations with ‘maximum security needs’: “Each [camera] is based on Arecont Vision’s in-house developed Massively Parallel Image Processing (MPIP) architecture. If a hacker or a virus were to successfully obtain the camera’s 16-character ASCII password, doing so would only let them access that particular device.”

Whitney goes on to explain that in the case of the Mega cameras the lack of a common operating system eliminates most security exploits and means, crucially, that there is ‘nothing for a virus or hacker to leverage’ to infect other devices across the network, apply ransomware, or launch a false identity or distributed denial of service (DDoS) attack on others. When it comes to Arecont Vision’s new Contera single or multi-sensor IP megapixel camera line, Whitney reveals that the vendor has taken a different but complementary approach on the cybersecurity front: “Contera cameras follow all of the industry’s best practices for user IDs and passwords, include support of all common security and network standards, and can be used – like the Mega family – with Arecont Vision’s new ConteraVMS and ConteraWS software,” concludes Whitney.

Early warning

Of course, flagging up concerns over the vulnerability of video surveillance equipment is nothing new. One of the earliest leaders in the security industry to foresee this problem, and its ramifications, was Mike Newton, the founder of Dedicated Micros. His colleague Pauline Norstrom, who is managing director at NetVu Ltd and president of its sister company Dedicated Micros Inc, takes up the story. She believes that the vendor’s award-winning Closed IPTV solution – which was invented by Newton in 2009 and brought to the market in 2010 – was way ahead of the curve and addressed a problem which many simply did not realise was there: “It [Closed IPTV] was launched before [end] users knew that there was a need to secure their networks when using IP cameras, that IP cameras could be used to attack the network – become the enemy within – and could be hacked and used as a botnet to create massive denial of service attacks.” Back at the start of the decade, Norstrom says, people simply did not appreciate that they had to act to protect their networks and data.

According to Norstrom, what really set Closed IPTV apart at the time of its unveiling – and still offers a robust solution today – was the ‘new and unique’ method that it had adopted, which involved automatically applied security features including: zeroconf camera discovery and addressing, automatic segregation of the IP camera network, port-to-port lock down, port lock down by MAC address, ingress restriction and end point authentication, combined with lock down and alerts being generated if any breach was detected.

Moving ahead, she warns that simply adopting an approach that the IP camera network is isolated within the corporate network is not good enough: “A botnet infection could derive from any device inside the network, from a phone to an unrelated IoT device.” Norstrom explains that it is important to go much further and that, crucially, the ‘hardened management layer’ of Closed IPTV is designed to protect IP cameras and NVR devices from the outside world, and internal corporate network, while, if an attack were to be established – and devices infected – to protect that network from those devices. Ultimately, according to Norstrom, it is this two-layer approach, where access to and from the IP Camera IoT devices is restricted in both directions, that allows Closed IPTV to provide enhanced levels of security and protection to a corporate network.

Device management

Another vendor taking action to ramp up cybersecurity, and to help their customers do the same, is Axis Communications. Back in February, Axis announced the release of AXIS Device Manager, an on-premises device management tool which is designed to enable centralised account, password, and certificate management, as well as the hardening of Axis network cameras, access control and audio devices, according to the company’s hardening guide. Ola Lennartsson, global product manager – system management, at Axis Communications, underlines the pressing need for a proactive tool like AXIS Device Manager in today’s fast-paced world where any device or network that is static is not only ‘old fashioned’ but, potentially, prone to cyber threats: “It is important that we ensure that our customers can use a tool that allows them to easily, rapidly and decisively manage all the devices on their network.”

For its part, Johnson Controls has just confirmed that its VideoEdge network video recording platform from American Dynamics is the first product to be officially certified as meeting the highest level of third-party cybersecurity standards from UL (Underwriters Laboratories) for Life Safety and Security, UL29002-3. Bosch too is forging ahead on the cybersecurity front with the announcement that Bosch cameras are fully integrated with Genetec systems. The vendor says that this results in an end-to-end data security solution incorporating all Bosch network video surveillance cameras, plus Genetec Archiver and Security Center. Beyond this, at Intersec 2018 Genetec showcased the latest iteration of its Security Center (5.7), its unified open architecture platform, which can now automatically identify edge devices and cameras that need firmware updates. This move, Genetec says, will help strengthen network protection and ‘security of security’.