Cybersecurity Basics: Network Hardening
Cybersecurity is an increasingly important issue for installers and integrators. End users are demanding secure systems, and they want evidence that appropriate steps are being taken. It is also vital that those designing and implementing security solutions are aware of – and able to implement – the latest cyber security principles and practices.
The challenge with many systems and services is that they must be easy to access and use to keep end users happy, but they also need to protect against the rising tide of cybercrime. In the security market, installers and integrators need to ensure that their solutions are easy to manage and operate, but it is equally vital that they don’t create a potential entry-point into an end user’s corporate network.
Despite the increased emphasis on cybersecurity, some suppliers still take a somewhat lackadaisical approach to device hardening, placing the onus on the installer or integrator to ensure the system is secure. While this allow claims such as ease of installation and configuration to be made, it also means that cybersecurity takes something of a back seat.
The reason some suppliers are happy to do this is because they are separated from the final customer by the installer or integrator. As the people who effectively ‘sell’ the system to the customer, they carry the can when things go wrong rather than the manufacturer.
Luckily for installers and integrators, a number of leading manufacturers don’t share this view. Many offer features and functions which allow device hardening to be implemented with ease. It is always worth checking which functions manufacturers have built into their devices to assist with hardening their products. If they haven’t included any additional cybersecurity functionality, that should be a red flag as to how seriously they take cybersecurity.
However, cybersecurity is not all down to the manufacturer. There are additional steps – many common sense and straightforward – which installers and integrators can take to enhance device hardening and boost cybersecurity for their customers.
Plan to harden
When planning a system, hardening can be considered and addressed before the system is even installed. Jon Williamson, Product Manager, Cyber Protection Program, Johnson Controls, states, ‘A hardening plan begins with understanding the project requirements, as well as any regulation or company policies that the system will need to comply with. If the specification does not list cybersecurity requirements, enquire with the customer before bidding. It can be costly to accommodate such constraints after the project starts.’
It is important to understand users’ concerns. Some end users refuse to allow internet connectivity on local security networks. This gives them total control over the system, and effectively ring-fences the infrastructure from external attacks.
Unfortunately, many manufacturers demand that a system does have internet connectivity, because it makes life simpler for them with regards to licensing, manuals and additional software components as the onus is on the installer or integrator to download them. If there is no operational need for WAN connectivity, avoid it. If a user demands no external connectivity but a manufacturer can’t support that, look elsewhere!
There are two simple tasks that improve cybersecurity: keeping up to date with device firmware and changing default authentication details.
Always change default passwords. That might seem obvious, and an increasing number of manufacturers are implementing secure password policies which force changes on initial boot-up. If this is not a function of a product, ensure default authentication details are changed.
It is worth creating unique accounts for all users and removing default accounts after initial log-in. Accounts with admin privileges are the most dangerous if compromised. Use stronger passwords for these.
Configure users and assigned roles according to ‘least privilege’ practices. This means users are only given permissions necessary to execute the functions required by their role.
When changing passwords, if a secure connection can be set, use it. Also, if there are options for anonymous connection or setting addresses remotely, disable these.
Modern networked security devices include a variety of services and processes, many of which make the camera discoverable. Some of these could also offer additional access routes to the system. If discovery features are included, these should always be disabled once the device address configurations have been made.
With regard to additional networking services, if you are not using them, turn them off. This reduces the potential attack surface area. Often cyberattacks will be based upon a ‘hit and hope’ mentality. The less ports or services they can hit, the better the chance of avoiding opportunist attacks.
The approach of ‘least functionality’ can be a benefit. This means only the functions required for the planned applications are enabled. This includes disabling unused ports, services, applications and features.
None of these steps require any special skills or additional software or hardware. Any reputable device should allow such configurations to be carried out. With many edge devices, additional security elements can be implemented.
Many edge devices include IP filtering. This enables specified IP addresses which are either allowed or denied access to the device. Obviously with many systems, it is only necessary for the server or management device to access edge devices.
User privileges can also be useful. By tightening down who can access what or change configurations, it’s another step towards hardening the edge device.
One final point is that audit trails within devices can be used to assess whether any unauthorised attempts to access the edge device are taking place. Manufacturers can help you understand how to best use and manage logs to remain abreast of any suspicious activities.
Device hardening can significantly enhance cybersecurity, and can be implemented with ease when using credible devices.