Cyber Security: Critical specifications
The benefits of networked security solutions – openness, flexibility, ease of integration, remote connectivity, etc. – can equally be seen as risks when considering the issue of cyber security. Achieving a balance between the two aspects of the technology is essential for modern security solutions, and understanding the requirements of a secure system is pivotal to this. With the help of Andrew Pigram, Managing Director of Bosch Security UK & Ireland, Benchmark considers how appropriate specifications can help.
The move from analogue to digital technologies in the world of security systems – and specifically in the video surveillance market – makes a lot of sense. For example, the ability to move beyond the PAL standard allowed enhanced resolutions, and the reduced frequency demands of digital signals over analogue ones enabled multiple channels of video to be transmitted over a single cable.
However, the migration also introduced the issue of cyber security for many installers and integrators.
The switch from analogue to digital signals saw many of the ‘rules’ of securing systems and their data change, which obviously introduced the need for a higher degree of complexity. The reason is that IP-based networks are a very open platform designed to be easy to access.
In the analogue video surveillance world, it was hard to ‘break in’ to a system. DVR software was usually standalone, and the physical device was typically inside a secure area. Cameras at the edge could possibly be accessed, but an attacker could not get any further. The system itself could not be accessed from the camera, nor could the data.
With the migration to IP, the vulnerability did spread to the edge of the surveillance solution. If an attacker could gain access via a device’s LAN port, they were effectively inside the intelligent ‘heart’ of the system.
Putting together the facts that the system extends to the edge, is based on an open platform and is increasingly integrated with other systems makes the need for cyber security vital when designing solutions. It’s the price of the multiple benefits that the technology delivers.
When considering a system with devices on the edge – cameras outside a building or on the perimeter – connected to a network, which in turn links in with the corporate network, which itself forms part of a multi-site backbone with access from various personnel including some third parties, the requirements to make that secure are very complex.
For many installers and integrators, the focus when designing a system should be to eliminate any unnecessary weaknesses in the system through careful design, and then make certain that the few points of the system which touch other networks are secure.
Robust by specification
In order to achieve a greater degree of cyber security, reputable and established security manufacturers are working harder to make their products more robust and inherently resilient. In the past the onus was on making devices easy to install, which in turn led to them being less secure. Modern products, however, make it easier to close down any vulnerability points.
This not only delivers a high degree of security but also encourages installers and integrators to implement the correct level of protection dependent upon the requirements of the system.
Manufacturers such as Bosch are concentrating on achieving the right balance between ease of configuration and a device that ultimately defaults to being secure, with further cyber security being available via additional configurations.
There are certain features and functions that manufacturers who are serious about cyber security ensure are available. For example, 802.1X is a standard for port-based network access control, providing an authentication mechanism to devices wishing to connect to a LAN. It’s common on many well specified networked security devices and for a majority of end users it will be considered as an important feature.
Data encryption will also be important for many, so functionality such as SSL 256 bit encryption is often sought out. Both 802.1x and SSL are standard IT-based functions and so are understood by end users.
Edge devices from Bosch also include TPM (trusted platform module) which is a dedicated security chip which stores all of the authentication keys and certificates. This ensures that the security of the device is itself kept secure.
Increasingly, credible manufacturers are implementing secure password policies. These ensure that when a device is powered up for the first time, a secure password needs to be set. Often with cameras using default passwords it is possible to forget to change the authentication details once configuration is complete. If that happens on one camera in a system with hundreds of cameras, and it is found by a cyber attacker, the entire system could be compromised.
Implementing a secure password policy is not difficult, so if a manufacturer is not doing so installers and integrators must question if they have also avoided the implementation of other security features?
As already mentioned, a balance needs to be struck between functionality and security. In an age where customers demand openness and flexibility, this creates further challenges. It has less to do with integrations and more to with the issue of an attacker ‘injecting’ spurious code into devices, as can happen with devices in the IT and IoT sectors.
Bosch has engineered its devices so that third party code cannot be loaded into them. Additionally, code cannot be changed because it is both encrypted and verified with a security key.
This approach is somewhat similar to that taken by Apple. Code can only be uploaded from a known source and is certificated to ensure it is genuine. Even a single digit change in the code will be detected and rejected as unauthenticated.
The result of this approach is that if anyone did succeed in hacking into a device, they couldn’t do anything to the code once in there!
One area where the security industry can learn from the IT sector is with regard to manufacturers’ vulnerability policies. These statements cover bugs and vulnerabilities, and set out the policy for declaring and fixing these, as and when they occur.
The security industry hasn’t always been proactive in addressing issues. Typically, if a bug exists it is not declared. Instead a new firmware upgrade may be released, advertised as offering performance increases, and there is a hope that people will upgrade. They then wait to see if the vulnerability will die off via upgrades before criminals discover it.
A vulnerability policy sets out conditions for a response to issues based upon their severity. It outlines how long the manufacturer has to inform all partners and the time period for a fix. These commitments ensure that partners are kept updated with open and honest information about any potential threats and risks.
If more security manufacturers adopted this approach, they would be duty-bound to communicate issues with partners under the terms of the partnership agreement, but also to provide a resolution within a prescribed time frame.
As the use of networked solutions grows, these are things that end users will inevitably expect from security companies. It would therefore be a benefit if such issues were taken on board sooner rather than later.
The security sector has seen many of its working practices change significantly as networked solutions become more common. This does present challenges, but these need to be addressed in order for the whole industry to progress.
Learning lessons from the IT sector can help, as can better education and communication on the evolving threats.
Importantly, installers and integrators need to ensure that they work with trusted manufacturers and suppliers who can help them keep their systems secure.