Cybersecurity is set to become an increasingly important issue for installers and integrators in 2018. End users are demanding secure systems, and they want evidence that appropriate steps are being taken. It is also vital that those designing and implementing advanced security solutions are aware of – and able to implement – the latest cybersecurity principles and practices.
Cybersecurity is an evolving threat that the physical security industry must take seriously. It is a fact that lax levels of protection have, in the past, made some security systems relatively attractive to those implementing on-line attacks. It also must be accepted that hacking a system via its security devices is seen as ironic and a bit of a scalp for cyber criminals. For installers and integrators, security manufacturers and service providers, the time for talking is over. Adherence to cyber security best practice is the minimum expected by customers.
For a good few years now many credible security manufacturers have taken steps to develop intrinsically secure products. The vast majority of professional security devices, software packages and systems include the tools required to make them secure. All it takes is an understanding of the functions and how they are configured, along with a dedication to deliver the best solutions possible for the customer.
Throughout 2018 Benchmark will take a closer look at cyber security, including offering a series of ‘hands-on’ articles that outline the steps that should be taken, consider how the configurations affect performance and explain the background to what is actually happening.
The goal is to ensure that security systems not only perform well but also resist the evolving threats and risks online!
Addressing the basics of cyber security
Jeff Whitney, VP Marketing, Arecont Vision & Member SIA Cyber security Advisory Board
Installers and integrators should choose products that provide adequate cyber security protection, only using devices that include basic security protection, such as user ID and passwords that can be enabled during or after system commissioning. Passwords are far from perfect, but are an essential first step with most systems.
Password practices should adhere to the current industry standard of up to 16 ASCII characters in length, and vary from device to device. For large networks, a secure password management system is recommended.
Equally important is that the balance between the user experience and cyber security protection is not a ‘one-size-fits-all’ solution. It must be adjusted for the specific requirements of the environment and associated risk.
Products selected should only be from manufacturers who have a demonstrated commitment to cyber security awareness, education and protection, and who are supportive of industry efforts and standards.
A growing number of devices, ranging from tablets and phones to home appliances, security alarms, manufacturing equipment and even entire buildings, are part of the growing IoT infrastructure. None of these devices should be allowed onto the network without verification that they are cyber-secure to current standards.
It is good policy to separate surveillance systems onto individual, dedicated IP networks or subnets.
Sharing a single network for different systems and purposes increases both performance issues and the risk exposure to cyber attack. Typically, IT professionals will implement network segmentation as a standard practice.
Separate networks or subnets lessen the risk of a breach or cyber attack spreading beyond the targeted system, as well as lessening the risk of QoS (Quality of Service) impact.
‘Air gapping’ segments or entire networks, especially those that do not require Internet access or connection to the wider corporate network on a regular basis, is a good step for cyber protection.
Only use devices that support firmware and security updates. This is often overlooked for IoT devices. Any device connected to the network should be regularly checked for new firmware updates, tested and updated, just as IT typically does for devices under its control.
Limit access to systems, data and infrastructure to those who require it on a regular basis. A single password for all cameras, DVRs, NVRs, data storage, etc. is not secure. Enforce password changes on a regular basis.
Never use default passwords! An increasing number of breaches and cyber attacks are made using default log-ins. Security devices are no exception. Implement a strong password policy and enforce it.
Manufacturers that are serious about cyber protection should have a documented strategy for testing and integrating other components of the network infrastructure securely. A testing and/or certification lab for third party products is a strong indicator that they are serious about cyber security.
Regularly scan the network for viruses and malware, as well as for security vulnerabilities. This basic step is often overlooked for security networks.
Installers and integrators need to ensure that all staff are aware of and educated in the risks and challenges of cyber security. Everyone needs basic cyber security awareness, and it should be part of the staff training and development.
Both IT and security departments should include cyber security as part of their regular reviews and assessments of the infrastructure and system.
Mitigation and recovery plans are key. Having a disaster recovery plan in place for the aftermath of potential cyber attacks shows end users that the system installer or integrator has adopted a responsible approach.
Finally, consider the risk and potential for damage to your company, its partners and its customers. It may be that cyber security insurance is key to mitigating the financial aspect and liability of such a risk.
Risk levels will vary based upon environment and organisation, and not every application will be appropriate for this type of protection.
Quality is a security issue
Mogens Abel-Bache, Director of Engineering VMS Development, Milestone Systems
Our world runs on software. Every mobile phone, every new car relies on code. Given this, the quality of software matters. Because it’s widely used and important, low-quality software just isn’t acceptable.
We all know the feeling: we click on something and the computer freezes. This usually happens when we have forgotten to save an important document. This is one of the hallmarks of low quality software. We might accept this if it is a free utility, but not with mission-critical software like a security system.
Software should be reliable, reasonably bug-free, meet the users’ requirements and expectations, and be maintainable. This last point is critical for good cyber security.
High quality software is achieved by having skilled people taking qualified design choices.
This has many facets: knowing the customers, their needs and expectations; knowing how to get the optimal solution from the technology; not holding on to outdated choices, but making necessary changes at the right time; ensuring that the software behaves as expected with the performance, stability and security required; keeping the software secure and updated.
Bad quality is hard to fix because of required changes and retesting. It can take much longer to identify and fix a software bug than to develop a quality feature from the beginning.
Creating software takes time that has to be funded somehow. Commercial software carries a price but guarantees updates, bug-fixes and plans for new features.
A VMS, for example, might be free, but if no one updates the software or handles new features, it might be costly later.
One part of software quality is security. What does the supplier do about users with malicious intent; those who are looking for backdoors and loopholes?
Quality includes securing the software from cyber attacks. Cyber security has to be built in from the start. It must be a part of the mindset of the software creator.
Milestone has a security life cycle concept, constantly training its software engineers in developing the most secure software. The software is evaluated by an independent third party, providing continuous feedback.
Milestone is open about this and shares its cyber security initiatives with the Milestone community.
Securing wireless transmission links
Shimon Hochbaum, Director of Product Management, Siklu
Wireless network hardening can take just two steps. The first is to select a millimetre wave radio for the wireless links. These operate in the 60/70/80GHz spectrum, forming pencil-thin beams which naturally isolate the links from interferences and jamming. There are no spectrum survey requirements. It is important to change any default authentication or encryption parameters to lock down the communication link.
The second step is to lock down and harden the link. Management traffic can be isolated from regular traffic using a VLAN or a physical out-of-band management port. Secured protocols based on SSL are then activated for all management traffic, optionally signed with the trusted certificate of the enterprise.
Lastly, ACLs (access control lists) are added as another layer of protection to the management agent, like any other network device.
While the network is now hardened, these first steps should be followed by good daily practices: enforce the use of centralised user management servers, which control user access to devices and enforce the password management rules, using industry standards such as RADIUS or TACACS. No local user name and password means no backdoor into the network equipment. Check also that the vendor releases patches or updates in the form of signed and encrypted software, which prevents hackers from utilising an update to take over the network equipment.
Designing a LAN with security in mind
Steven Fair, EVP, NVT Phybridge
Security intrusions are on the rise, but you can strengthen a network to be more resilient to hackers’ attacks while making it more efficient and easier to manage. Following are five best practice points for securing a company’s LAN.
Build a dedicated point-to-point network, which implements the structure that is most resistant to intrusion. Whether repurposing UTP or coax cable, the end result needs to be the same: a point-to-point network that is far more resistant to intrusion due to the dedicated structure of its make-up. With a P2P network, the risk of intrusion is limited to an individual tapping into the physical wiring (which is a far bigger problem), while the point-to-point connections that exist on the multi-faceted IP network remain secure.
Deploying long reach point-to-point connectivity across the LAN can enhance security. The ability to run a cable from the LAN switch to the device without requiring additional Ethernet switches to extend PoE beyond 100 metres is one way to secure any connection. A point-to-point network enables you to create dedicated, longer reaching connections to a device. No interruptions in that connection means no potential points-of-entry by an intruder.
Add another layer of protection with MAC address port locking. To further protect the network from intrusion, MAC address port locking is critical. This advanced PoE switch feature enables exclusion of a device from the network if an intrusion is detected. MAC address port locking is important for layering more security into a network. Many PoE switches do not have this feature; choose a proven solution that does.
IT and security departments are known to butt heads when it comes to managing their own network requirements. For the most part, IT’s policies and procedures prevail, forcing the security team to implement solutions under its control. These conflicts can be eliminated, however, with the P2P network structure co-existing with the many production LANs (such as voice, video, and security). With the P2P structure, both IT and security departments can manage their own unique LAN requirements without exposing the ubiquitous network to hacks or security breaches.
Finally, always optimise power management, ensuring critical capabilities keep working efficiently at all times. Centralising LAN switches can ensure critical back-up power is delivered to the network for continuous device operation in the event of a major disaster or power outage. This capability speaks for itself, not only with securing the network, but also for the safety of people on-site. In addition, a centralised model ensures efficient management of switch port utilisation, enabling load-balancing of the power requirements being delivered to support devices throughout the LAN.
Reducing the attack surface
Steve Kenny, BDM Architecture & Engineering Program, Axis Communications
Reducing the attack surface of a system or device is a standard practice in cyber security. The attack surface is made up of the different points where an attacker can attempt data entry or extraction. The attacker only needs to succeed in violating one point, so the fewer that exist, the better.
The goal when reducing the attack surface is to reduce the amount of code running, limit the number of potential entry points and to close down any services that are not essential to the operation of the system.
An additional benefit to the reduction of a system’s attack surface is that by switching off non-required functions and reducing the code being executed, the resources will be freed up which could enhance performance.
As the access routes to a device and availability of services are increased, so is the potential exposure to cyber attacks. Benefits such as remote access and third party integration can also create vulnerabilities, so if they are not required, best practice is to disable them.
If devices, services and applications do not need to interact, installers and integrators should try to limit connectivity between them.
Additionally, segmenting the security system from the core network is a good measure, thereby reducing risks of security resources and business resources adversely affecting each other.
It is important to understand and deploy industry standard security protocols when suitable, including multi-level user authentication/authorisation, password protection, SSL/TLS encryption, 802.1X, IP filtering and certificate management.
Thankfully an increasing number of security manufacturers, including Axis Communications, have responded to demands for more secure systems and have added features and functions which are specifically aimed at enhancing cyber security. Such functionality should always be deployed.
It is also critical that installers and integrators ensure firmware for products is regularly updated. Whilst some take the attitude that if a device works as expected it is not worth updating the firmware, it must be remembered that upgrades include security patches and bug fixes that eliminate evolving vulnerabilities.
An important part of attack surface reduction is the hardening of endpoints. An endpoint is an edge device. Such devices might be cameras, codecs, detectors, door readers or any other IP-connected device that is positioned in an insecure area.
The servers and software, storage units, power management systems and other essential peripherals may be installed inside a secure area, but this does not mean they are not vulnerable to a cyber attack. Edge devices, the endpoints, could potentially offer a connection from the outside world into the core of the system.
When considering outside interference, many consider connectivity to a WAN such as the internet as the weak point. Their focus is on protecting this and not a potential intrusion via an unprotected endpoint.
It is important to consider the security of all endpoints, because in a worst case scenario a criminal could disable the entire system by accessing it via such a connection.
Hardening endpoints involves some basic tasks. Ensuring that devices are updated with any firmware upgrades is essential. Password management is important, as is ensuring that user permissions are applied in a way that helps the customer restrict control of the system to authorised personnel only.
Deploying appropriate encryption is also pivotal. All credible security devices will support this, and it is important that installers and integrators understand how to use it correctly. If in doubt, ask the manufacturer. Axis offers a wide range of documentation and educational resources.
Many security devices have features designed to simplify installation and set-up. Some will be used by the installer or integrator, and others are designed for the end user. Once these features have been used, best practice is to disable them.
It is also prudent to ensure that the end user is made aware of any risks associated with services running which they might want to remain active.
The use of IP filtering should also be implemented. Most security endpoints can be configured to allow access solely by trusted servers within the system. IP filtering can help ensure that other devices cannot gain access to them.
Implementing the right features and functions
Kiran Pillai, Senior Product Marketing Manager, Bosch Security
Security data is increasingly connected across local and global networks. A growing number of edge components send data to core components over the Internet, where digital intruders and hackers loom.
Even a single weak link in a security set-up can jeopardise an entire system. For example, skilled hackers can stage so-called man-in-the-middle attacks, hijacking communications between an edge device and server. Once hackers have access, they can inject alternate data to conceal illicit activity, or manipulate data to selectively remove certain details or persons from the scene.
It is vital to take a best practice approach that considers the entire system infrastructure. This creates trust by assigning every component in the network an authentication key. Data is secured from hackers by encrypting it at the hardware level, using a cryptographic key that is safely stored in a built-in trusted platform module (TPM). It is also wise to implement a PKI (public key infrastructure).
Security data is often highly critical and sensitive, so there needs to be a systematic approach to maximise data security by considering physical safety and cyber security simultaneously.
Basic steps that should be supported include password enforcement at set-up, disabling of any execution of third party software on the device, firmware updates via signed firmware files only, and the execution of cryptographic operations for authentication and encryption inside a trusted platform module (TPM).
When it comes to data storage devices, again cryptographic operations, for authentication and encryption should be based in a TPM, Microsoft Active Directory should be supported for safe management of user access rights and regular updates via security patches should be available.
Insecure ports, such as Universal Plug and Play, should be disabled by default, network authentication using the 802.1x protocol is advised, as is support of AES encryption. Factory-loaded signed certificates should be required on all devices, with integral TPM for secure cryptographic operations.
Seek out manufacturers whose devices have been subjected to vulnerability and penetration tests performed by independent cyber security vendors. There is, however, little point focusing on the security of a single component when there’s an entire infrastructure to consider. All network-wide communications between edge devices and management servers should be assigned an authentication key. This electronic signature makes it possible to verify the legitimacy of network components to ensure an infrastructure of trust exists.
Locking out connection violations
Skip Haight, VP Marketing, Comnet
Features that allow port lockdown in case of a disconnection, such as Port Guardian, a firmware-based feature integrated into ComNet’s self-managed and managed switches, can enhance security. These disconnect a port if an attack is detected. Edge IP devices are physically connected to the network by a cable through a standard electrical TX port. If that connection is tampered with by disconnecting the cable, Port Guardian locks out that port’s connection to the network.
In simple terms, if someone attempts to disconnect an external edge device and hack into the network through its port, the disconnection triggers that port being locked down, preventing access. A notification is sent to the administrator so that the port can be reset when the threat has been eliminated. The port can be reset via SNMP or via a web-management capability.
With such an approach it’s not the device being protected, but the network. Hackers can gain access through any external network port, allowing them the potential of turning a security system off. Locking down disconnected ports might not protect the actual device, but it does prevent access to the network.
The key benefit is that the port’s lockout is caused by the disconnection of the network cable and not the connection of another device.
Port Guardian prevents access to the network and its functions by breaking the physical transmission connection. Once the port is physically disconnected, nothing can be done to reconnect it until an administrator allows this.
The importance of solid foundations
Tim Biddulph, Head of Product and Solutions, Hanwha Techwin
A good starting point for any company providing electronic security systems or services is to demonstrate to potential customers that it has done everything possible to protect its own IT infrastructure against the threat of a cyber attack. For example, Hanwha Techwin Europe has participated in the UK Government-backed Cyber Essentials Scheme.
Conducted by the Department for Business, Energy and Industrial Strategy, the industry supported scheme is designed to help organisations protect themselves against common cyber attacks. The certificate awarded to compliant companies verifies that they have procedures in place to minimise the threat of an attack on the IT infrastructure. The scheme even extends to cover laptops and other IT devices which are used by field based employees.
Beyond the scope of the Cyber Essentials scheme, the company remains vigilant to ensure its Wisenet cameras, recording devices and software entrusted to protect property, people and assets are equipped to minimise the threat from cyber attacks.
There is an understanding of the importance of being open and honest with customers when new cyber security threats are identified and as such, Hanwha Techwin has resources in place to enable it to move quickly to develop further advanced versions of the firmware to combat these.
System integrators and security installers involved in high security or mission-critical projects will need to ensure that all systems forming part of an IP-based integrated security solution are protected from cyber attacks to a very secure level. This will involve setting up port-based access control for network devices, such as network switches, bridges and wireless access points in order to provide a robust network security environment.
For these types of project, the recommendation must be that installers and system integrators use cameras which enable 802.1X, which is a standard method requiring certificates to prevent unauthorised devices being connected to the network.
The vast majority of mainstream installations are unlikely to need this very secure level of protection, but all should have certain security protocols in place as standard. Most of these are very simple and will seem obvious, but it is surprising how many manufacturers have not yet built them into the firmware of their cameras. In this respect, the recommendation is that only cameras with the following default levels of security should be installed.
It is important not to use cameras with pre-configured weak passwords where the user is not required to make changes (for example, 0000, admin or 1234).
For cameras it is recommended to use three or more combinations of upper and lowercase letters and numbers for a password that is eight characters long, or two combinations for a password that is made up of ten characters or more. For recording devices, a longer password should be used, such as 15 characters, whilst a 31 character password should be used for video management software (VMS).
A limit for the number of log-in attempts should be available. After a prescribed number of consecutive password entry failures, the log-in should be locked.
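The password and lock-out rules above, as an added example in Go (not Hanwha’s or Benchmark’s code): CheckPassword applies the length and character-class thresholds the text gives for cameras, recorders and VMS and refuses the factory defaults named earlier, while LoginGuard locks an account after a set number of consecutive failures until an administrator resets it. Reading “three combinations” as three character classes (upper, lower, digit, other), the deny-list of 0000/admin/1234, and a threshold of five attempts are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// DeviceClass selects the minimum password length the text assigns to each product type.
type DeviceClass int

const (
	Camera   DeviceClass = iota // 8 characters with 3 classes, or 10+ with 2
	Recorder                    // 15 characters
	VMS                         // 31 characters
)

var minLength = map[DeviceClass]int{Camera: 8, Recorder: 15, VMS: 31}

// weakDefaults is a constructed deny-list; the text names 0000, admin and 1234.
var weakDefaults = map[string]bool{"0000": true, "admin": true, "1234": true}

// characterClasses counts how many of {upper, lower, digit, other} appear in pw.
func characterClasses(pw string) int {
	var seen [4]bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			seen[0] = true
		case unicode.IsLower(r):
			seen[1] = true
		case unicode.IsDigit(r):
			seen[2] = true
		default:
			seen[3] = true
		}
	}
	n := 0
	for _, s := range seen {
		if s {
			n++
		}
	}
	return n
}

// CheckPassword refuses known defaults, enforces the per-device minimum length, then
// requires 3 classes for 8-9 character passwords or 2 classes from 10 characters upwards
// (this reading of the text's "three combinations ... eight characters" is an assumption).
func CheckPassword(dev DeviceClass, pw string) error {
	if weakDefaults[pw] {
		return errors.New("password is a known factory default")
	}
	length := utf8.RuneCountInString(pw)
	if length < minLength[dev] {
		return fmt.Errorf("%d characters; this device class needs at least %d", length, minLength[dev])
	}
	classes := characterClasses(pw)
	if (length >= 10 && classes >= 2) || classes >= 3 {
		return nil
	}
	return fmt.Errorf("%d character classes is too few for a %d character password", classes, length)
}

// LoginGuard locks an account after maxFailures consecutive wrong passwords until reset.
type LoginGuard struct {
	maxFailures int
	failures    map[string]int
	locked      map[string]bool
}

func NewLoginGuard(maxFailures int) *LoginGuard {
	return &LoginGuard{maxFailures: maxFailures, failures: map[string]int{}, locked: map[string]bool{}}
}

// Attempt records one log-in; passwordOK is the outcome of the credential check.
// It reports whether the log-in is accepted and whether the account is (now) locked.
func (g *LoginGuard) Attempt(user string, passwordOK bool) (accepted, locked bool) {
	if g.locked[user] {
		return false, true // a locked account is refused even with the right password
	}
	if passwordOK {
		g.failures[user] = 0
		return true, false
	}
	g.failures[user]++
	if g.failures[user] >= g.maxFailures {
		g.locked[user] = true
		return false, true
	}
	return false, false
}

// Unlock is the administrator reset; it also clears the failure counter.
func (g *LoginGuard) Unlock(user string) {
	g.locked[user] = false
	g.failures[user] = 0
}

func main() {
	fmt.Println(CheckPassword(Camera, "Abc12345"))   // <nil>
	fmt.Println(CheckPassword(Camera, "abc12345"))   // too few classes
	fmt.Println(CheckPassword(Recorder, "Abc12345")) // too short
	g := NewLoginGuard(5)
	for i := 0; i < 5; i++ {
		g.Attempt("admin", false)
	}
	fmt.Println(g.Attempt("admin", true)) // false true: locked until Unlock
}
```

Resetting the counter only on success and keeping the lock sticky until an administrator clears it are the two details that make the limit effective; a lock that expires on its own merely slows a guessing attempt down.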
HTTP Authentication should be used (digest only, as this encrypts the details). This will protect passwords during HTTP communications.
‘Back doors’ should be eliminated. This involves the removal of all services which can remotely access the video surveillance system.
Camera configuration information should be encrypted, as should firmware. The latter protects against a malware injection into a camera’s firmware.
Watermarking and encryption of extracted video is also important to ensure the integrity and confidentiality of captured video.
Finally, all logs should be retained after a factory reset. This will prevent malicious deletion of logs.
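Signed firmware is recommended three times on this page (signed and encrypted updates in the Siklu section, “firmware updates via signed firmware files only” in the Bosch section, and the firmware protection point above). The following Go program is an added example, not code from any of those vendors, of the check a device’s updater performs before writing an image: the vendor signs (version || SHA-256 of the image) with an Ed25519 key, and the device verifies that signature with the vendor public key it was shipped with, so a modified image or one signed with a different key is refused. The file layout, the key generation in place of the vendor’s offline signing key, and the refusal of downgrades below the installed version are assumptions added for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update-file layout: version, image bytes, and an Ed25519
// signature the vendor computed over (version || SHA-256(payload)).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version number to the image digest so neither can be swapped alone.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignFirmware is the vendor's build step (assumed for the example); the private key
// stays with the vendor and never reaches the device.
func SignFirmware(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(vendorPriv, signedMessage(version, payload)),
	}
}

// VerifyFirmware is what the device's updater does before touching flash: check the
// signature against the vendor public key baked into the device and (an added rollback
// check, not spelled out on the page) refuse versions older than the one installed.
func VerifyFirmware(vendorPub ed25519.PublicKey, installed uint32, img FirmwareImage) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: image rejected")
	}
	if !ed25519.Verify(vendorPub, signedMessage(img.Version, img.Payload), img.Signature) {
		return errors.New("signature does not verify: image rejected")
	}
	if img.Version < installed {
		return fmt.Errorf("downgrade from version %d to %d refused", installed, img.Version)
	}
	return nil
}

func main() {
	// Key generation stands in for the vendor's signing key; the device would hold only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware blob v2")
	genuine := SignFirmware(priv, 2, image)
	fmt.Println("genuine: ", VerifyFirmware(pub, 1, genuine))

	tampered := genuine
	tampered.Payload = append(append([]byte(nil), image...), []byte(" + injected code")...)
	fmt.Println("tampered:", VerifyFirmware(pub, 1, tampered))
}
```

The verification has to run before any byte of the image is written, and the public key it uses must itself be protected from modification (in practice by storing it in a TPM or secure element, as the Bosch section recommends for cryptographic material); otherwise an attacker who can replace the key can also sign their own image.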
The reality in a connected world is that cyber criminals will attempt to identify and exploit vulnerabilities to breach network security. It is vital all devices are secured to prevent networked video devices and systems from serving as entry points.
Although no manufacturer can offer 100 per cent guarantees of cyber security, security installers and system integrators should only recommend devices and software from trusted suppliers.
Create a ‘hardening’ plan
Jon Williamson, Product Manager, Cyber Protection Program, Johnson Controls
A hardening plan begins with understanding the project requirements, as well as any regulation or company policy that the system will need to comply with. If the specification does not list cyber security requirements, enquire with the customer before bidding. It can be costly to accommodate such constraints after the project starts. IT departments have been known to come in after the fact and expect compliance not specified in the project scope.
One of the simplest hardening techniques is physical security. Controlling who can access components addresses one attack vector. Surveys show that more cyber incidents are caused by internal actors than external ones. Physical access to a component can provide privileged functionality, such as resetting a device to factory defaults, accessing its configuration functions or disrupting its wiring.
Default accounts and passwords make a hacker’s work easy and are the most exploited attack vector. These values are often published, commonly known or guessable.
The first step is to change any default passwords and create unique accounts for users. Avoid using default accounts after the initial log-in. Policies should include restrictions for password length, complexity, reuse limitations and expiration. Accounts with administrative privileges are the most dangerous if compromised: consider using stronger passwords for these. Sharing generic accounts removes traceability and should be avoided.
Configure users and assigned roles according to ‘least privilege’ practices. This means users are only given permissions necessary to execute the functions required by their role. A similar approach is ‘least functionality’, where only the functions required for the planned applications are enabled. This includes disabling unused ports, services, applications and functions.
If the system permits integrations to an identity management system such as Microsoft Active Directory (AD), user accounts can be remotely managed. If an account is changed or disabled centrally, this occurs across all managed components.
Drawing a diagram of the valid communication paths can help. Ensure it identifies all client connections, all device-to-device connections, all protocols and TCP/UDP ports, the direction of all communication paths (in/out or both) and all network equipment.
Use this to help disable unused communication interfaces such as USB, Ethernet and wireless interfaces. For active communications, granularly limit the active protocols and ports to those that are required. For example, if a configuration webpage is not in use, disable the component’s HTTP and HTTPS ports.
If a web server is needed, choose HTTPS over HTTP communications. Disable HTTP and its port altogether, but leave the HTTPS port active. Changing the TCP/UDP port number from its default value is not always possible, but doing so can make things more difficult for a hacker.
Always enable event logging. Recorded user activity and connection attempts can provide valuable information for detecting misuse and for incident forensics. Applications and operating systems (OS) can often have separate hardening settings. This is true for Windows and Linux environments.
Whitelisting further restricts what can communicate with, or run on, the endpoint. Whitelisting provides an explicit list of known good entities. It is more effective than blacklisting, which only restricts known bad entities. Whitelisting can be used to limit communications to or from IP addresses, MAC addresses, network segments, etc. If static IP addresses are known, then an IP whitelist can help secure the endpoint. If dynamic (DHCP) IP addresses are used, then a MAC or IP-range whitelist can be used.
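The whitelist just described, and the IP filtering recommended in the Axis section (“allow access solely by trusted servers within the system”), come down to the same decision procedure. The Go program below is an added example, not Johnson Controls’ or Axis’s code, of that procedure: an explicit allow-list of static hosts, CIDR ranges for DHCP segments and MAC addresses, where a connection attempt is permitted only if it matches an entry and denied otherwise. The addresses, the MACs and the log format fed to Audit are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Allowlist is an explicit "known good" set; a peer that matches no entry is denied.
type Allowlist struct {
	hosts    map[netip.Addr]bool // static IP addresses
	prefixes []netip.Prefix      // network segments or DHCP pools
	macs     map[string]bool     // MAC addresses in canonical lower-case colon form
}

func NewAllowlist() *Allowlist {
	return &Allowlist{hosts: map[netip.Addr]bool{}, macs: map[string]bool{}}
}

func (a *Allowlist) AddHost(ip string) error {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return err
	}
	a.hosts[addr] = true
	return nil
}

func (a *Allowlist) AddRange(cidr string) error {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return err
	}
	a.prefixes = append(a.prefixes, p.Masked())
	return nil
}

func (a *Allowlist) AddMAC(mac string) error {
	hw, err := net.ParseMAC(mac) // accepts colon, hyphen and dot forms
	if err != nil {
		return err
	}
	a.macs[hw.String()] = true
	return nil
}

// Peer is one connection attempt as seen by the endpoint: its IP and, on the local
// segment, its MAC (empty when the peer is behind a router).
type Peer struct {
	IP  string
	MAC string
}

// Permit reports whether the peer is allowed and which entry matched (or why not).
func (a *Allowlist) Permit(p Peer) (bool, string) {
	addr, err := netip.ParseAddr(p.IP)
	if err != nil {
		return false, "unparseable address: " + p.IP
	}
	if a.hosts[addr] {
		return true, "static host " + addr.String()
	}
	for _, pfx := range a.prefixes {
		if pfx.Contains(addr) {
			return true, "range " + pfx.String()
		}
	}
	if p.MAC != "" {
		if hw, err := net.ParseMAC(p.MAC); err == nil && a.macs[hw.String()] {
			return true, "mac " + hw.String()
		}
	}
	return false, "no allowlist entry matches"
}

// Audit runs constructed log lines of the form "<ip> [<mac>]" through the allowlist and
// returns one verdict per attempt; the DENY lines are what an operator would alert on.
func Audit(a *Allowlist, log string) []string {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		p := Peer{IP: fields[0]}
		if len(fields) > 1 {
			p.MAC = fields[1]
		}
		ok, why := a.Permit(p)
		verdict := "DENY "
		if ok {
			verdict = "ALLOW"
		}
		out = append(out, fmt.Sprintf("%s %-15s %s", verdict, p.IP, why))
	}
	return out
}

// sampleLog is constructed: the recording server, a DHCP client in the camera VLAN,
// a workstation listed by MAC, and an unknown host.
const sampleLog = `
10.20.0.10 00:11:22:33:44:55
10.20.5.77 00:11:22:33:44:66
192.168.1.9 de:ad:be:ef:00:01
10.20.9.1
`

func main() {
	a := NewAllowlist()
	a.AddHost("10.20.0.10")       // VMS recording server, static address
	a.AddRange("10.20.5.0/24")    // camera VLAN DHCP pool
	a.AddMAC("DE-AD-BE-EF-00-01") // admin workstation on a DHCP segment, listed by MAC
	for _, v := range Audit(a, sampleLog) {
		fmt.Println(v)
	}
}
```

A MAC entry only means something on the same layer-2 segment, where the endpoint actually sees the frame’s source address; across a router it sees the router’s MAC, which is why the text pairs the MAC option with IP ranges for DHCP environments rather than offering it as a general substitute for IP filtering.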
Applications that won’t be used in the solution should be removed. For Windows and mobile environments it is common to have superfluous applications installed by default. Unused applications contribute to the overall active surface and raise the likelihood that the system will have a vulnerability.
Finally, run baseline comparisons. Tools such as Microsoft Security Compliance Manager (SCM) and Microsoft Baseline Security Analyser can be used to compare a Windows configuration to a baseline. Available baselines can include government compliance requirements.
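The communication diagram described above (every connection with its protocol and port), the advice to disable any HTTP/HTTPS port that is not in use, and the closing point about baseline comparisons fit together as one check: compare what each host actually listens on against what the diagram says it should. The Go program below is an added example of that comparison and is not Johnson Controls’ code or any Microsoft tool; the hosts, ports and the three-column inventory format are constructed, and the nvr-01 port 8000 entry is a hypothetical VMS client port.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Service identifies one listening socket on one host.
type Service struct {
	Host  string
	Proto string // "tcp" or "udp"
	Port  int
}

func (s Service) String() string { return fmt.Sprintf("%s %s/%d", s.Host, s.Proto, s.Port) }

// baselineText is the documented communication diagram reduced to the sockets each host
// should expose. Hosts, ports and the line format are constructed for this example.
const baselineText = `
# host   proto  port
cam-01   tcp    443    # HTTPS configuration page, admin workstation only
cam-01   tcp    554    # RTSP video stream pulled by the recorder
nvr-01   tcp    443    # recorder web interface
nvr-01   tcp    8000   # hypothetical VMS client port
`

// observedText stands in for what a port scan or an "ss -lntu" listing on each host shows.
const observedText = `
cam-01   tcp    80     # plain HTTP still enabled alongside HTTPS
cam-01   tcp    443
cam-01   tcp    554
cam-01   udp    3702   # discovery service left running after commissioning
nvr-01   tcp    443
`

// parseInventory reads "<host> <proto> <port>" lines; '#' starts a comment.
func parseInventory(text string) ([]Service, error) {
	var out []Service
	for n, line := range strings.Split(text, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected '<host> <proto> <port>'", n+1)
		}
		port, err := strconv.Atoi(f[2])
		if err != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("line %d: bad port %q", n+1, f[2])
		}
		out = append(out, Service{Host: f[0], Proto: strings.ToLower(f[1]), Port: port})
	}
	return out, nil
}

func sortServices(v []Service) {
	sort.Slice(v, func(i, j int) bool { return v[i].String() < v[j].String() })
}

// Compare returns the listeners absent from the diagram (candidates to disable, as the
// text advises for an unused HTTP port) and the documented paths that are not actually
// listening (configuration drift or a failed service).
func Compare(baseline, observed []Service) (unexpected, missing []Service) {
	want := map[Service]bool{}
	for _, s := range baseline {
		want[s] = true
	}
	have := map[Service]bool{}
	for _, s := range observed {
		have[s] = true
	}
	for s := range have {
		if !want[s] {
			unexpected = append(unexpected, s)
		}
	}
	for s := range want {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	sortServices(unexpected)
	sortServices(missing)
	return unexpected, missing
}

func main() {
	base, err := parseInventory(baselineText)
	if err != nil {
		panic(err)
	}
	obs, err := parseInventory(observedText)
	if err != nil {
		panic(err)
	}
	unexpected, missing := Compare(base, obs)
	for _, s := range unexpected {
		fmt.Println("DISABLE  ", s) // not in the diagram: close it, or document it
	}
	for _, s := range missing {
		fmt.Println("NOT FOUND", s) // in the diagram but not listening
	}
}
```

Running the comparison on a schedule, rather than once at commissioning, is what turns the diagram into a living baseline: a new line in the DISABLE list after a firmware update or a factory reset is exactly the drift the text’s “regular reviews and assessments” are meant to catch.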