Because of the nature of the security systems sector, many manufacturers are focused on the creation of either edge devices or central control and management systems. This inevitably means that the advice they offer with regard to cyber security concentrates on those two areas within a networked solution. However, it is vital that the network infrastructure itself is not vulnerable, and that is as important – or arguably more important – than security nodes. With the help of Darren Giacomini, Director of Networking at BCDVideo, Benchmark considers how to achieve secure infrastructure.
When considering cyber security, the very first task is to understand a user’s priorities and expectations. Having a cast-iron idea of a specific cyber security solution, based upon the advice of one manufacturer or expert, may not be the best approach.
Cyber security requires a collective responsibility to be truly effective. It cannot be solely left to the manufacturer, the installer or integrator or the end user. Cyber security that works requires a culture of best practice and on-going effort to achieve the required level of protection. Any weakness in one area can potentially expose the entire system.
Manufacturers of edge devices are well placed to implement security features and offer advice with regard to securing their nodes. Suppliers of software will be able to assist and support with regard to ensuring their products are credible and robust. Hardware-based management devices and controllers can also be exploited, so again their manufacturers are the best source of education and support.
However, it matters not if the edge devices, control hardware and software are all locked down to prevent unauthorised intrusion or tampering if the network itself is not secure.
The biggest threat that many mainstream sites face is often not from a professional attacker looking to specifically target a facility, but from errors and complacency.
Strengthening cyber security requires a fair degree of understanding how the network infrastructure works and being familiar with the best ways to minimise risks.
One of the biggest issues is network configuration. Many security installers and system integrators lack the necessary skills to ensure that a network is fully secure. For example, certificates can add a layer of protection but aren’t used as much as they should be in security applications.
Installers and integrators are at times confused about how certificates should be used. The knowledge needed to set up certificates, for example, is often lacking which means many sites might be missing out on the enhanced security that such an approach can offer.
A very important part of establishing and continuing cyber security protection is the creation of ‘trusted’ connections between the various elements of the system. SSL (Secure Sockets Layer) certificates can be used to ensure a secure connection is established.
SSL certificates make use of a public and private key pair, which work together to create the encrypted connection.
In many applications, best practice would be to deliver encrypted links from the camera or other edge device to the recorder or controller, and again from the recorder or controller to the VMS or other GUI.
This requires the skills to establish correct configurations at the switch as well as the ability to create certificates at the server. It also requires the ability to contain and configure the switch ports, which are the access points to the network.
One of the technologies that BCDVideo includes in its networking switches is Shortest Path Bridging. This technological advancement can enhance performance as well as automating some cyber security elements.
A need for automation?
Instead of using complex protocols, Shortest Path Bridging (SPB) makes use of pre-defined paths to transmit system data. The approach allows effective streaming while supporting efficient use of network resources, ensuring ports do not become a bottleneck.
Shortest Path Bridging makes use of a technology known as Fabric Attach, which allows an authenticated edge device such as a camera to ‘drive’ the configuration to the network port. This means that unless an authenticated device connects to the port, it will be a dead port. This can enhance cyber security as unauthenticated devices will not deliver the appropriate configuration. Essentially, the port will not be usable until a trusted device activates it.
There are other ways in which a similar result can be achieved but these require advanced configurations and a good knowledge of managing authentication. The Fabric Attach method is better suited for security applications. This is because the industry is heading in a direction where manufacturers will increasingly need to automate some of the cyber security processes to ensure systems are robust.
While IT skills and knowledge are growing within the security industry, they are not yet at the level needed for applications where significant risks need to be addressed.
BCDVideo recognises that infrastructure manufacturers are increasingly going to have to automate some of the configuration processes to assist installers and integrators and is moving in this direction.
It is possible to achieve a correctly configured network based upon some simple parameters when carefully designed and considered automation is deployed. It also has to be remembered that many security installations are completed in phases, with different teams working on separate elements of the overall solution. In such cases it is vital that the network itself is properly configured, because if it is not right then it is highly likely that none of the security elements will perform as expected.
As well as offering an automated approach, Fabric Attach can ensure that any connection which does not have the appropriate authority simply cannot access the network.
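The ‘dead port until a trusted device activates it’ behaviour described above can be modelled in a few lines. The following is an added illustration, not BCDVideo code and not the Fabric Attach protocol itself: it assumes a shared authentication key provisioned on both switch and edge device, an announcement carrying the requested VLAN and service identifier, and an HMAC-SHA256 over that announcement. The port only starts forwarding when the HMAC verifies; a device with the wrong key, or a tampered announcement, leaves the port dead.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed shared key for the example; in a real deployment the key is
# provisioned out of band on both the switch and the edge device.
FA_KEY = b"example-fabric-attach-key"


def _canonical(body: dict) -> bytes:
    """Stable byte encoding so both sides compute the HMAC over identical data."""
    return json.dumps(body, sort_keys=True).encode()


def sign_announcement(key: bytes, vlan: int, isid: int) -> dict:
    """Edge device side: request a VLAN/service and authenticate the request."""
    body = {"vlan": vlan, "isid": isid}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


@dataclass
class SwitchPort:
    name: str
    key: bytes
    forwarding: bool = False      # a fresh port is dead: nothing forwards
    vlan: Optional[int] = None

    def on_announcement(self, msg: dict) -> bool:
        """Switch side: apply the requested configuration only if the HMAC verifies."""
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            self.forwarding = False   # unauthenticated: port stays (or goes) dead
            self.vlan = None
            return False
        self.vlan = body["vlan"]
        self.forwarding = True
        return True


def demo():
    """Rogue key, tampered body, then a genuine device; returns the outcomes."""
    port = SwitchPort("1/1", FA_KEY)
    good = sign_announcement(FA_KEY, 100, 10100)
    rogue = sign_announcement(b"guessed-key", 100, 10100)   # wrong shared key
    tampered = dict(good, vlan=1)                            # valid MAC, altered body
    results = [port.on_announcement(m) for m in (rogue, tampered, good)]
    return results, port.forwarding, port.vlan
```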
The biggest weakness
By configuring a network correctly and implementing authentication you can reduce the margin for error with regard to exposing vulnerabilities. However, the biggest cause of security lapses comes down to human interaction.
This might be that an engineer doesn’t configure something properly or security elements are not correctly set up. It once again highlights the fact that if many of the critical configuration processes can be automated, the potential points of vulnerability are reduced.
It is a concern that many providers of network infrastructure don’t look to implement any degree of automation. Therefore, it has to be argued that anything which makes cyber security easier to implement correctly is a step in the right direction.
If installers or integrators are happy to connect up a network switch, establish that it has a connection and leave it as it is, then potential issues will not be addressed. This highlights that the industry has to implement a higher level of education at all levels.
Additionally, installers and integrators should look to source IT devices from companies that understand IT, cyber security and the security industry.
Cyber security needs to touch all parts of a system, from edge devices to central control and management products. However, if the network itself is not properly configured and secured, then all efforts to protect the system could be in vain.