The Everpresent Cyber Threat
Cybersecurity remains a significant threat for any systems which make use of network connectivity. Despite the increased focus of a few years ago following negative reports about security devices, the reality is that awareness of cybersecurity issues is still lower than it should be in the industry. While many leading companies have taken steps to increase the protection on offer, there is still more that could be done by integrators and end users.
It is not just the world of security that is undergoing a widespread migration to networked platforms. The vast majority of industries and service providers are moving across to a networked approach. The change is happening for good reason: unified platforms and data sharing deliver business efficiencies, and also enrich the personal lives of individuals. As new possibilities emerge, businesses, organisations and consumers are eager to explore them. The security industry has seen significant change, with many positives coming out of the migration to networked solutions.
It is a rare business that doesn’t want to increase efficiency, and the use of networked solutions enables this. Whether end users are seeking streamlined administration, enhanced process control, asset monitoring, system automation, control of environmental elements or business economies with regard to the consumption of resources, the move to converged platforms is well underway and is here to stay.
New and emerging technologies such as deep learning, artificial intelligence and the Internet of Things all serve to further increase the demand for converged systems and networked technologies. No industry can afford to side-step the advances if it wishes to survive, and that includes the security systems sector.
By its very nature, the security industry has always faced evolving threats. Because security inevitably protects items of worth, criminals will always look to find new ways of defeating security systems.
For example, many years ago, when alarm systems had large bell-and-hammer audible warning devices on the outside of buildings, criminals would stuff a rag between the bell and hammer to silence them. As a result, the industry created sounders. Criminals then worked out that a sounder filled with expanding foam could be silenced, so the industry created foam detection.
The development of ever-more secure systems came in response to evolving threats. It has always been the case and continues to be so. As security becomes increasingly networked, so the threats are increasingly moving to the cyber platform. As new threats evolve, manufacturers and suppliers create better solutions. It is important that integrators and installers ensure cybersecurity measures are properly implemented, or the reality is that security systems will have less credibility with end users.
A different mindset
Today’s installers and integrators have to adopt a new mindset when it comes to system design. Security solutions must be effective, reliable and cybersecure. Credible manufacturers have recognised the importance of cybersecurity and offer devices designed to be robust and resilient. They also offer a variety of resources to help engineers create more secure systems.
With the best will in the world, it has to be accepted that no system will ever be fully secure. For every technologist working to block evolving threats and risks, there are a dozen other technologists working just as hard to create new threats and risks. Despite this, it is vital that integrators and installers take every step they can to enhance system cybersecurity.
Locks can be defeated, but that doesn’t mean doors should not be protected by the best locks at a realistic price. The same is true of cybersecurity. It could be argued that integrators and installers who do not specify devices with the best degree of cybersecurity are being negligent given today’s technological landscape. That might sound harsh, but it is how an end user will see things.
After all, many cyber risks can be mitigated by ensuring that the relevant configurations are always made to protect devices. Best practice is important to ensure systems are secure and to give end users peace of mind when specifying security solutions. If these steps are not adhered to, the customer has a right to feel let down.
Back to Basics
Cybersecurity is a complex issue, with rapidly evolving risks and threats being discovered on an almost daily basis. However, there are also several basic procedures that integrators and installers can implement that will help to reduce the risks. One of the most basic is device hardening; by reducing the attack surface, the potential number of unauthorised entry points is significantly reduced.
Many credible manufacturers apply cybersecurity best practices in the design and development of devices. This provides the necessary tools to enable engineers to minimise the risk of weaknesses that could be exploited in a cyber attack.
Securing a network, its devices and the supported services requires participation by manufacturers, integrators and installers, service providers and the end-user.
From an IT perspective, the camera or access control reader – or any security device for that matter – is a network endpoint similar to a laptop, desktop PC or mobile device. Unlike these more traditional IT products, the security component will not be exposed to common threats such as visiting unsafe websites, opening malicious email attachments or installing untrusted applications. However, as a network device, it does include an interface that may expose the system to risks.
In a VMS environment, the clients will access live and recorded video through the VMS server. With access control, users connect to door readers and other devices through the system controllers. Placing these centralised resources on a discrete network, through physical or virtual isolation, is a common and recommended measure to reduce exposure and risks.
Reducing the attack surface of a system or device is a standard practice in terms of cybersecurity. The attack surface is made up of the many different points where an attacker can attempt data entry or extraction. The attacker only needs to succeed in violating one point to gain unauthorised access, so the fewer of these that exist, the better.
The goal when reducing the attack surface of a system is to reduce the amount of code running on devices, limit the number of potential entry points available to unauthorised persons and close down any services that are not essential to the operation of the system.
An additional benefit to the reduction of a system’s attack surface is that by switching off non-required functions and reducing the code being executed on the devices, the processing resources will be freed up, which could further enhance performance.
As the access routes to a device and availability of services are increased, so is the potential exposure to attacks. Benefits such as remote access and third party integration can also create vulnerabilities, so if they are not required, best practice is to disable them.
It is vital to carry out a risk assessment in a similar way to those carried out when designing a physical security system.
Integrators and installers should apply the same processes used when protecting a typical network. This should be done despite the fact that many security devices are not exposed to the typical cyber threats associated with the management of websites, email, file transfers, etc.
If devices, services and applications do not need to interact, installers and integrators should try to limit connectivity between them.
Additionally, segmenting the security system from the core network is a good overall measure, reducing risks of security resources and business resources adversely affecting each other.
It is important to understand and deploy industry standard security protocols, including multi-level user authentication, password protection, SSL/TLS encryption, 802.1X, IP-filtering and certificate management.
An increasing number of manufacturers have responded to demands for more secure systems and have added features and functions which are specifically aimed at enhancing cybersecurity. Such functionality should always be deployed. It should not be treated as optional. No installer or integrator worth their salt would fit an alarm system without protecting entry/exit points, so don’t leave passwords as default or bypass security features on a networked system.
It is also critical that integrators ensure the firmware for products is regularly updated.
Whilst some have an attitude that if a device works as expected it is not worth updating, increasingly the upgrades include security patches and fixes that eliminate evolving vulnerabilities. Just because a device is secure today, it doesn’t follow that it will still be secure tomorrow.
An important part of attack surface reduction is the hardening of endpoints. Such devices might be cameras, codecs, detectors, door readers or any other IP-connected device that is positioned in an insecure area.
The servers and software, storage units, power management systems and other essential peripherals may be installed inside a secure area, but this does not mean they are not vulnerable to a cyber attack. Edge devices, the endpoints, could potentially offer a connection from the outside world into the core of the system.
When considering outside interference, many consider connectivity to a WAN such as the internet as the weak point. Their focus is on protecting this and not a potential intrusion via an unprotected endpoint.
It is important to consider the security of all endpoints, because in a worst case scenario a criminal could disable the entire system by accessing it via such a connection. It is worth remembering that the Target hack in the US which resulted in the theft of 70 million customers’ details and 40 million credit card details was instigated via credentials for monitoring the HVAC system.
The steps to harden endpoints include some basic tasks. Ensuring that devices are updated with any firmware upgrades is essential. Password management is important, as is ensuring that user permissions are applied in a way that helps the customer restrict control of the system to authorised personnel only.
Deploying appropriate encryption is also important. All credible security devices will support this, and it is important that integrators and installers understand how to use it correctly. If in doubt, ask the manufacturer. Most credible companies offer a wide range of documentation and educational resources to assist engineers.
Many security devices have a number of features designed to simplify installation and set-up. Some will be used by the integrator or installer, and others are designed for end user use. Once these features have been used, best practice is to disable them.
It is also prudent to ensure that the end user is made aware of any risks associated with services running which they might have requested remain active.
The use of IP filtering should also be implemented. Most security endpoints can be configured to allow access solely to a designated server within the system. IP filtering can help ensure that other devices cannot gain access to them.
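The endpoint hardening steps described above (firmware, passwords, encryption, set-up features and IP filtering) can be checked against a device inventory. The following is an added example, not taken from any manufacturer's tooling; the inventory fields, service names, server address and firmware version are constructed assumptions, and user permissions are not modelled.

```python
import ipaddress

# Constructed sample data; field names are hypothetical, not a vendor export format.
DESIGNATED_SERVER = ipaddress.ip_address("10.20.0.5")  # assumed VMS/controller address
MIN_FIRMWARE = (2, 4, 1)                               # assumed current release

INVENTORY = [
    {"name": "cam-lobby", "firmware": "2.4.1", "default_password": False,
     "tls": True, "setup_services": [], "ip_filter": ["10.20.0.5/32"]},
    {"name": "cam-carpark", "firmware": "2.1.0", "default_password": True,
     "tls": False, "setup_services": ["discovery", "ftp"], "ip_filter": []},
    {"name": "reader-door3", "firmware": "2.4.1", "default_password": False,
     "tls": True, "setup_services": [], "ip_filter": ["10.20.0.0/16"]},
]

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def filter_findings(entries):
    """Flag a missing filter, or any entry wider than the one designated server."""
    if not entries:
        return ["IP filtering not configured"]
    findings = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses != 1 or net.network_address != DESIGNATED_SERVER:
            findings.append(f"IP filter allows {net}, not only the designated server")
    return findings

def audit(device):
    """Return the list of hardening gaps for one endpoint."""
    findings = []
    if parse_version(device["firmware"]) < MIN_FIRMWARE:
        findings.append(f"firmware {device['firmware']} is behind the current release")
    if device["default_password"]:
        findings.append("default password still set")
    if not device["tls"]:
        findings.append("encryption (TLS) disabled")
    for service in device["setup_services"]:
        findings.append(f"setup service still enabled: {service}")
    findings.extend(filter_findings(device["ip_filter"]))
    return findings

def audit_all(inventory):
    return {device["name"]: audit(device) for device in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```

The door reader passes every other check but is still flagged, because its filter admits a whole subnet rather than the single designated server.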
A number of credible security manufacturers have taken steps to address cybersecurity issues, and will offer support to engineers with regard to how these can be correctly deployed.
One message that cannot be conveyed strongly enough is that if unknown or unsupported products which do not come from credible security manufacturers are used, the risks of a cyber attack will increase. Buying cheap will not be such a smart move if a customer’s business is brought to its knees as a result.
Cybersecurity represents an evolving challenge for many engineers, but as with other risks, a best practice approach can help significantly.