Cybersecurity remains a critical issue for many end users, and with an increased focus on attacks and hacking attempts, many businesses and organisations are seeking higher levels of protection for networked solutions, including smart systems, video surveillance, and integrated solutions. While many opportunistic threats can be mitigated through good housekeeping and administration of the network, there are a growing number of sophisticated attacks which need to be considered.
Today’s edge devices, such as cameras and codecs, are actually advanced computers with special functionalities suited to manage video streams. As such, they exist as nodes on a network and need to be protected just as a server or workstation might be protected. Thankfully, many manufacturers of professional systems have taken steps to increase the security of devices, even at a hardware level.
As with a more traditional network, one of the ways in which hackers attack a video network is to install malicious code on a device such as a camera. When the code is run, it then performs unauthorised actions across the network, such as infecting other devices or capturing passwords, encryption keys, certificates or other valuable data. Because the code runs from a camera’s firmware, the network often allows these activities without any action or notification, as they are being carried out by a trusted device.
The way to ensure this does not happen is to look for devices which make use of a secure operating system and which include a TPM (trusted platform module). These steps ensure that code cannot be introduced or run on the system chip as the OS is secure. Also, during boot-up, such systems can check to ensure only the correct and secure version of the firmware is running, preventing any unverified code from running.
Another area of concern occurs when data is transferred between devices on a network, such as between cameras and a server. Data can be stolen or interfered with if the communication is not protected, allowing data loss or the introduction of malicious code. To counter these risks, it is critical that the devices support robust encryption, and that devices in the communication chain are both authenticated and verified. Where encryption is used without authentication and verification of devices, ‘Man in the Middle’ attacks are still possible.
The use of Root Certificate Authentication can also enhance security. This allows the introduction of certificates during the manufacturing process, which ensures that even if a single device is compromised, the rest of the cameras and devices on the network will not be affected as every individual device has a unique certificate.
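The earlier point that encryption without device authentication still permits ‘Man in the Middle’ attacks can be seen in how a TLS endpoint is configured. The following is an added example, not code from the article or any vendor; it uses Python's standard ssl module, and the function names and certificate file parameters are hypothetical.

```python
import ssl

def encrypted_only_client():
    """Weak: traffic is encrypted, but any peer is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE   # peer certificate is never checked
    return ctx

def authenticated_client(ca_file=None):
    """Corrected: the device must present a certificate chaining to the trusted root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED + hostname check
    if ca_file:                       # hypothetical path to the root CA certificate
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def mutual_auth_server(ca_file=None, cert_file=None, key_file=None):
    """Corrected server side: connecting devices must also present a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # the server-side default is CERT_NONE
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:                     # hypothetical per-device certificate and key
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def audit_context(ctx, role):
    """List the ways a context encrypts without authenticating the other end."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if role == "client" and not ctx.check_hostname:
        findings.append("peer identity (hostname) not checked")
    return findings

if __name__ == "__main__":
    for name, ctx, role in [
        ("encrypted only", encrypted_only_client(), "client"),
        ("authenticated client", authenticated_client(), "client"),
        ("mutual-auth server", mutual_auth_server(), "server"),
    ]:
        print(name, "->", audit_context(ctx, role) or "peer is authenticated")
```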
The media has featured several reports where high profile systems had video footage viewed or redirected by third parties. Aside from the vulnerabilities this introduces, many businesses and organisations are aware of the potential impact from reputational damage if their sites suffer such a violation, along with the ramifications of GDPR breaches.
Encryption should be deployed for all data transfer processes, including during storage at the edge or a central location, and back-up to archives.
If a device becomes compromised via a third party app or other service, it can allow hackers to control system actions. This in turn can lead to a wide range of problems such as malware or ransomware attacks, data loss, denial of service and a host of other cybersecurity issues. With the additional benefits on offer from the use of open platform app-based systems, this is an increasing concern for many users of video surveillance solutions. It is critical that any apps are checked to ensure integrity after updates or when cameras or other devices are booted up. With professional systems a private key – effectively an electronic signature – should be used to ensure the device and the third party app can authenticate each other, preventing the implementation of malicious code, apps or firmware.
While many devices might include a raft of cybersecurity features to help protect the device, these can be reliant on an integrator or end user ensuring all are correctly implemented. Often the business or organisation will involve its IT department to liaise with the integrator during the system design and implementation. On occasions this can lead to lack of clarity over who is responsible for the implementation of security features. It can also be the case that some functions which are left active for commissioning purposes are not switched off once the system is handed over.
The best way to reduce such risks is to ensure the specification of devices which default to secure settings, ensuring weaknesses or vulnerabilities are not introduced as a result of human error.
Finally, it is critical that the manufacturers selected to supply products provide a network hardening guide for their product and have a team focused on cybersecurity. This ensures that any vulnerabilities – whether in the product or introduced as a result of changes in IT-specific software – are dealt with swiftly and competently when they arise.
The Wisenet 7 advantage
When Hanwha Techwin designed its latest Wisenet 7 chipset, it considered many of the issues facing integrators and end users in terms of cybersecurity. The proprietary chipset sets a new standard for IP-based video solutions. Wisenet 7 boasts an impressive list of technologies designed to enhance the cybersecurity credentials of the cameras.
The system uses secure boot verification, providing an extra layer of security by sandboxing different elements of the camera’s operating system. By running them in a protected space, the full boot is completed before there is any communication with other parts of the system. This prevents any interruptions to the boot process which could be exploited by hackers.
Wisenet 7 uses a separate secure operating system (OS) for encryption and decryption, as well as for the verification that apps have not been modified. A separate Linux-based API is required to access the Secure OS, eliminating the chance to implement changes from outside a camera.
An anti-hardware cloning feature prevents the OS from being copied. In addition to protecting intellectual property, this ensures Wisenet 7 chipsets with Hanwha Techwin labels are genuine copies, removing the risk of a cloned device containing malicious software being used to steal sensitive data.
The Wisenet 7 chipset also uses secure JTAG ports, which are common hardware interfaces used to program, test and debug devices. Cyber criminals can gain low level control of a device via a JTAG port and might attempt to load a malicious version of the firmware. The Wisenet 7 chipset prevents this as JTAG ports are protected using a key-based authentication mechanism to which only the manufacturer has access.
UART ports are used for serial communications and can be required for debugging devices. Because they allow administrator access, they can be a target for hackers attempting to access sensitive information such as password keys. By enforcing secure access to the UART port, Wisenet 7 allows debugging to be completed without granting access to cyber criminals.
The Wisenet 7 chipset complies with UL CAP and Secure by Default standards, along with a Hanwha Techwin proprietary device certificate issuing system which embeds unique certificates into products during the development phase and manufacturing process.
The latest chipset adds a number of advances in terms of image quality and video management, but the cybersecurity advances are unprecedented and deliver a robust and reliable solution which exceeds the expectations of businesses and organisations who take cybersecurity very seriously.