Because of the nature of the smart systems sector, many manufacturers are focused on the creation of either edge devices or central control and management systems. This inevitably means that the advice they offer with regard to cybersecurity concentrates on those two areas within a networked solution. However, it is vital that the network infrastructure itself is not vulnerable, and that is as important as, or arguably more important than, edge-based nodes. Benchmark considers secure infrastructure.
When considering cybersecurity, the very first task is to understand the end user’s priorities and expectations for their system. Having a cast-iron idea of a specific cybersecurity solution, based upon the advice of a single manufacturer or industry expert, may not always be the best approach.
Cybersecurity requires collective responsibility to be truly effective. It cannot be left solely to the manufacturer, service provider, installer, integrator or the end user. Cybersecurity that delivers protection against evolving external threats requires a culture of best practice and ongoing effort to achieve the required level of protection. Any weakness in one area of a solution can potentially expose the entire system to threats and possible attacks.
Manufacturers of edge devices are well placed to implement security features and offer advice with regard to securing their nodes. Suppliers of software will be able to assist and support with regard to ensuring their products are credible and robust. Hardware-based management devices and controllers can also be exploited, so again their manufacturers are the best source of education and support.
However, it matters not if the edge devices, control hardware and software are all locked down to prevent unauthorised intrusion or tampering if the network itself is not secure.
The biggest threat that many mainstream sites face is often not from a professional attacker looking to specifically target a facility, but from errors and complacency.
Strengthening cybersecurity requires a good degree of understanding about how the network infrastructure works, along with familiarity with the best ways to minimise ongoing risks.
One of the biggest issues is network configuration. Security installers and system integrators must ensure they have the necessary skills to create a fully secure network. For example, certificates can add a layer of protection but aren’t used as much as they should be in security applications.
Integrators are at times confused about how certificates should be used. The knowledge needed to set up certificates, for example, is often lacking, which means many sites might be missing out on the enhanced security that such an approach can offer.
A very important part of establishing and continuing cybersecurity protection is the creation of ‘trusted’ connections between the various elements of the system. SSL (Secure Sockets Layer) certificates can be used to ensure a secure connection is established.
SSL certificates make use of public and private keys, typically working together to create the encrypted connection.
In many applications, best practice would be to deliver encrypted links from the camera or other edge device to the recorder or controller, and again from the recorder or controller to the VMS or other GUI.
This requires the skills to establish correct configurations at the switch as well as the ability to create certificates at the server. It also requires the ability to contain and configure the switch ports, which are the access points to the network.
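As an added illustration of what creating certificates at the server involves (this is not from the original article), the shell functions below use the openssl command line to build a private site CA, issue a certificate for one edge device and check it. The private CA approach, the hostnames, the subject names, the validity periods and the file names are all constructed assumptions.

```shell
#!/bin/sh
# Added example. Every name here (subjects, hostnames, file names) is constructed.

# issue_device_cert DIR HOST: create a site CA in DIR and a server cert for HOST.
issue_device_cert() (
    dir=$1 host=$2
    umask 077                      # private keys readable by their owner only
    mkdir -p "$dir" || exit 1
    cat > "$dir/pki.cnf" <<EOF || exit 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_dev]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    cd "$dir" || exit 1
    # 1. Self-signed CA certificate: the trust anchor the connecting side must trust.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -days 365 \
        -subj "/CN=Constructed Site CA" 2>/dev/null || exit 1
    # 2. Device key pair plus a certificate signing request (CSR).
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout dev.key -out dev.csr -subj "/CN=$host" 2>/dev/null || exit 1
    # 3. The CA signs the CSR; the SAN binds the certificate to the device name.
    openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out dev.crt -days 90 -sha256 \
        -extfile pki.cnf -extensions v3_dev 2>/dev/null || exit 1
)

# verify_device_cert CAFILE CERT HOST: succeed only if CERT chains to CAFILE,
# is valid for TLS server use and names HOST.
verify_device_cert() {
    openssl verify -CAfile "$1" -purpose sslserver \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

The verification step is the part most often skipped: a certificate that encrypts the link but is not checked against a trusted CA and the expected device name does not establish a ‘trusted’ connection.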
HTTPS (Hypertext Transfer Protocol Secure) is very similar to HTTP, but with one important difference. With HTTPS, the data transferred is encrypted using SSL or TLS (Transport Layer Security). These security processes apply encryption to the data which is being transferred, so it is secure at all points in the network.
Many professional security network video products include built-in support for the implementation of HTTPS, which makes it possible for video and other data to be securely viewed using a standard web browser.
The use of HTTPS can have an impact on the communication link in terms of speed. As a result, frame rates might be decreased. This must be considered if the application has a requirement for real-time video.
The reason that SSL can reduce the speed of network connections has to do with the process of establishing trusted identities. When a user initially opens an SSL session, the two nodes instigate an elaborate and complex ‘handshake’ procedure to establish the actual connection. This involves data being sent between the two. Once the SSL connection is made, the processing elements in the devices on both sides of the link have to encrypt and decrypt data before it can be used.
This isn’t to say that SSL should not be deployed, but it is important for integrators to consider both the pros and cons of the approach.
The biggest weakness
By configuring a network correctly and implementing strong authentication credentials, installers and integrators can reduce the margin for error with regard to exposing the system to potential attacks exploiting any vulnerabilities. However, the biggest cause of security lapses still comes down to human interaction.
This might be that an engineer doesn’t configure something properly, or security elements are not correctly set up. It highlights the fact that if any of the critical configuration processes can be automated, the potential points of vulnerability are reduced.
It is a concern that the majority of IT providers of network infrastructure don’t look to implement any degree of automation. Therefore, it has to be argued that anything which can increase cybersecurity implementation is a step in the right direction. Some security industry infrastructure providers have already introduced elements of automation, and as such are responding in a positive way to industry needs.
It is critical to source IT devices from companies that understand IT, cybersecurity and the smart solutions industry.
Cybersecurity needs to touch all parts of a system, from edge devices to central control and management products. However, if the network itself is not properly configured and secured, then all efforts to protect the system could be in vain.