3 Steps to Improve Physical Security Systems' Cybersecurity
A Q&A with UL's Gonda Lamberink about Cyberattacks, Video Surveillance, Supply Chains and Upcoming Regulation
As networked video surveillance solutions continue to take over the market, the security vulnerabilities in what were once considered solely physical security systems grow. As each IP camera becomes another endpoint in an enterprise’s digital footprint, they can each potentially open up a backdoor into the network and the business’s mission critical data and services.
By 2020, more than a quarter of cyberattacks in the enterprise will involve IoT devices, including connected video cameras, Gartner estimates.
Camera manufacturers, service providers and installers are paying attention – many booths at the recent GSX conference heavily emphasized their investment in cybersecurity – but it’s still largely up to the end user to demand transparency into cybersecurity processes, supply chains and installation best practices.
Security connected with Gonda Lamberink, cybersecurity senior business development manager at UL (Underwriters Laboratories) to discuss what next steps need to be taken at the manufacturer and enterprise levels to improve surveillance systems’ cybersecurity, as well as upcoming regulatory efforts.
Security: From a broad perspective, how does cybersecurity impact video surveillance cameras, and why should security end users be interested? What are some of the potential risks?
Lamberink: There is a growing market need for security and safety systems. Technological advancements, such as 4K resolution, edge-based video analytics and the penetration of H.265 high-efficiency video encoding, are enabling higher-quality surveillance equipment products. On the demand side, and enabled by this technology push, there are government investments to improve security infrastructure, building operators’ increased adoption of security cameras, and a rise in demand from smart-home owners, for example for integration with home access control systems.
Increased digitization means that cameras become smarter, more interconnected and have more software. As a consequence, cameras also are more vulnerable to cyber threats. Traditional network security, like network segmentation and firewalls, is no longer sufficient to address these threats. Cameras themselves need to be designed with security in mind and go through security testing and evaluation. For example, cameras can be compromised due to security issues, which can lead to unauthorized access to networks and service disruption through distributed denial of service (DDoS) attacks.
Security risks that can materialize if security issues are effectively exploited include:
- Successful brute-force attacks, e.g. against the camera-registering system to guess camera serial numbers;
- Authentication bypasses, to gain access to the device and/or register new user accounts;
- Access to live video and audio feeds, e.g. detecting camera presence based on public IP addresses accessible on the Internet and exploiting insecure protocols;
- Access to the device to enable hidden functionality; or
- Use of a compromised camera as a stepping stone to the rest of a network, e.g. performing large-scale automated DDoS attacks.
Security: What are some steps that the security technology ecosystem – from manufacturers to installers to end users and associations – can do to improve cybersecurity on these devices?
Lamberink: Manufacturers can start designing their cameras with security in mind. Examples of easy-to-implement fixes include:
- Strong password management, including the use of random default passwords and password reset;
- Avoiding use of insecure protocols where possible, or otherwise mitigating the associated risks; and
- Removing unsafe input processing and unnecessary hidden functionality.
Manufacturers should perform security testing to detect vulnerabilities and provide end user guidance on how to securely configure a camera. End users should make an effort to understand this guidance and look for evidence of implementation of security features and security testing, for example by checking whether the camera is UL 2900 certified for security: https://industries.ul.com/cybersecurity.
They should also ensure they download the most recent firmware versions made available to them by manufacturers. Associations can help by taking input from security experts on security best practices and standards and promoting these among their member base. It is critical that associations, security experts, manufacturers, installers/integrators and end users work together to ensure baseline security levels.
Security: How is the international supply chain for surveillance devices making cybersecurity even more challenging?
Lamberink: Closer collaboration between end users, OEMs and ODMs, mandating security testing to best-practice requirements, is important, including across sometimes complex supply chains. Start with baseline security requirements, emphasize a secure Software Development LifeCycle (sSDLC) and roll out security evaluations to commonly understood and shared security best practices and standards. Enable “voting with wallets” by providing “buyers” sufficient security information about the products and components they source.
Security design and testing comes at a cost, but this is balanced against the cost of data breaches, network security compromises and brand reputation damage.
Security: What are some regulatory issues that affect video surveillance device cybersecurity today, and what should end users in particular be aware of?
Lamberink: There is no regulation today mandating security design or testing for video surveillance or a range of other IoT ecosystems. There is, though, more indirect impact from regulation, such as when the U.S. House of Representatives earlier this year passed a bill including a ban on the government’s use of Dahua and Hikvision, two leading Chinese surveillance equipment manufacturers, over growing awareness of and concern about Chinese government control, security backdoors and increased global hacking attacks.
Another example is the European General Data Protection Regulation (GDPR). A video recording of an identifiable person is part of an individual’s personal data, and privacy regulation calling for proportionate use and protection of that data is impacting video surveillance manufacturers and operators.
Security: What can end users do to ensure the devices they’re purchasing and installing conform to cybersecurity standards and good practices?
Lamberink: As mentioned above, end users should look for evidence of implementation of security features and security testing. Furthermore, they should:
- Keep firmware and software up to date. Manufacturers will make fixes and patches for vulnerabilities available. Yet these will not be effective unless end users and installers/integrators download them onto the cameras.
- Apply user names and passwords. Do not keep any default settings, but change these to unique user names and sufficiently strong passwords. Hackers may only need the IP address of a camera to access it remotely through the internet if they can use a default password.
- Use network segmentation. Put your cameras and other critical I(o)T systems behind routers and firewalls.
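As an added example (not from the article or from UL), a small Python audit that applies the three end-user steps above to a constructed camera inventory: firmware currency against a reference table, rejection of default or weak credentials, and placement on a segmented private camera VLAN. The model names, addresses and passwords are made up for the example.

```python
import ipaddress
import re

# Constructed sample data (not from the article): newest firmware per model,
# well-known default passwords, the segmented camera subnet and an inventory.
LATEST_FIRMWARE = {"CamModelA": "2.4.1", "CamModelB": "5.0.3"}
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "12345", "123456", "password"}
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INVENTORY = [
    {"name": "lobby", "model": "CamModelA", "firmware": "2.4.1",
     "user": "ops-cam", "password": "Tq7!vR2m#Lp9", "ip": "10.50.0.11"},
    {"name": "loading-dock", "model": "CamModelB", "firmware": "4.9.0",
     "user": "admin", "password": "12345", "ip": "203.0.113.7"},
]

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))  # '4.9.0' -> (4, 9, 0): numeric compare

def strong_password(pw):
    """At least 12 characters using lower, upper, digit and symbol classes."""
    return all([len(pw) >= 12, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def audit_camera(cam):
    """Return findings for one camera; an empty list means all three checks pass."""
    findings = []
    # Step 1: firmware must be the newest version the manufacturer has released.
    latest = LATEST_FIRMWARE.get(cam["model"])
    if latest is None:
        findings.append("unknown model, firmware currency cannot be verified")
    elif version_tuple(cam["firmware"]) < version_tuple(latest):
        findings.append(f"firmware {cam['firmware']} is behind latest {latest}")
    # Step 2: no default user name or password, and the password must be strong.
    if cam["user"] == "admin" or cam["password"] in KNOWN_DEFAULT_PASSWORDS:
        findings.append("default or well-known credentials still in use")
    elif not strong_password(cam["password"]):
        findings.append("password does not meet strength policy")
    # Step 3: the camera must sit on the segmented, private camera VLAN.
    ip = ipaddress.ip_address(cam["ip"])
    if not any(ip in net for net in RFC1918):
        findings.append(f"{ip} is not a private address; camera may be internet-exposed")
    elif ip not in CAMERA_VLAN:
        findings.append(f"{ip} is outside the camera VLAN {CAMERA_VLAN}")
    return findings

def audit_inventory(cameras):
    """Map camera name -> findings, listing only cameras that fail at least one check."""
    return {c["name"]: f for c in cameras if (f := audit_camera(c))}
```

Running `audit_inventory(INVENTORY)` reports only the loading-dock camera, which fails all three checks.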
Security: How is UL participating in this discussion and the development of standards?
Lamberink: UL has promoted UL 2900 certification, including for surveillance equipment. Next to UL 2900-1, which is an ANSI standard, UL has published a 2900-2-3 standard Outline of Investigation, targeting building security. UL 2900-2-3, compared to UL 2900-1, has different levels of security assurance, with Level 1 as a minimum level of assessment and Level 3, next to an assessment of the product, also adding organizational security requirements. This is based on industry preferences to have various options depending upon the need and application of the deployment of building security products.
The market and surveillance equipment manufacturers benefit from:
- Cybersecurity certification with assurance that is gained when a product is measured against an established product baseline for cyber protection;
- Common criteria for cybersecurity that can be used for product selection; and
- The proven quality and trust that UL certifications are globally recognized for.
Security: How can security professionals throughout the industry help?
Lamberink: We should keep in mind that security awareness is emerging in different IoT ecosystems, including video surveillance.
Manufacturers and their customers still focus a lot more on functionality, time-to-market and other competitive differentiators, not necessarily including security. In residential homes, consumers still do not consider that a vulnerability in a surveillance camera or a door lock can have an impact on their safety and security. Awareness is growing, though, under pressure of increased hacking attacks, and the security features and resilience to cyberattacks that a camera can offer are becoming more of a differentiator.
The industry needs time to improve security, and UL, along with security professionals employed by manufacturers and operators or acting as independent experts, is helping and contributing to this. UL works to create a common understanding of threats and security risks and from there derive the appropriate baseline security requirements that we validate as part of security testing and certification.