In migrating CCTV from analogue to IP, we have greatly improved the technology for managing images from surveillance camera networks, but as always when using IT networks, we need to ensure we understand the security threats and consequences and deploy appropriate cybersecurity measures to mitigate the risks.
Genetec, a leading video management system developer, warns that cyberattacks against public-sector CCTV systems are on the rise. Without proper protection, these systems are vulnerable to attack by cybercriminals who exploit weaknesses in cameras, recorders and any other devices attached to the network to attack sensitive data and systems.
To learn more about this important topic, the CCTV User Group has invited Genetec to join us for a webinar on the cybersecurity of CCTV systems on 10 February. We caught up with Nick Smith, Business Development Manager at Genetec, to get a preview.
Register to join us for our Snapshot Webinar, “How to Talk Cyber”, with Genetec at 2.30pm on Thursday 10 February – www.cctvusergroup.com/events/snapshot-webinar-how-to-talk-cyber
UPDATE: The event was held on 10 February and attracted more than 100 registrations from CCTV professionals around the UK. Watch the recording below if you need to learn more about cybersecurity for CCTV systems.
MEMBERS ONLY: Click here to download the annotated slides from the Members area https://www.cctvusergroup.com/file-share/40707cec-87c1-4763-a4d0-379ab8f1825d
The consequences
The range of potential consequences of a breach of your IP CCTV system is so broad that it’s almost impossible to list them all, but in general terms they concern the integrity of images and associated data, the functionality of the system, the security of associated networked systems and threats to external or remote systems – a list that would be recognised by just about any IT system manager.
A successful cyber attack against your system can lead to fines and other regulatory action, loss of operational capability, corruption or loss of evidence and reputational damage to the council, police force or other body that owns the system.
“It all goes to show that getting IT security right – and minimising the chances of a crippling attack – is an essential part of running a modern CCTV system,” Nick says.
What are the risks?
As an example, one type of attack that affects the integrity of your data and the functionality of your system is ransomware. Ransomware is malicious software (or ‘malware’) which encrypts critical data on your hard drives.
You may have heard about actual instances of ransomware attacks in the media or through the grapevine, but the key thing to remember is that after a ransomware attack the victim cannot access the encrypted data without paying the attacker for the decryption key. If the data is images, you won’t be able to access or view those images; if the data is configuration files, the consequences may be worse.
A successful ransomware attack may erode your operational capability to the point where you are not able to monitor or record any cameras. “There may also be a data breach because ransomware attacks often go with theft of data,” Nick says. “It’s a potential privacy violation especially if you have any cameras overlooking sensitive areas.”
The political and trust issues that ripple out from an event like this can be more damaging in the long term than the initial incident itself if not handled properly.
Opportunistic or targeted?
Most hackers are opportunistic. They use commonly-known unpatched software vulnerabilities, which is why it’s so important to patch (or update) your systems. Attackers weaponise the vulnerability by writing a computer program that automates the attack, and then, like burglars going house to house rattling doorknobs, they test their weapon against hundreds of systems until they find one that responds to the attack.
Once they find a vulnerable system, they will choose how to exploit it depending on the nature of the system, what access privileges they have gained and what they think they can get out of it. Having gained access to a system, it is not uncommon for cybercriminals to take what they can and then sell the access to another criminal gang which may have expertise in another form of cybercrime, such as cryptojacking or botnets.
The other type of attacker is the one who targets a specific system. They have a reason for attacking that system, which may be financial, political or just for fun or to test their hacking skills. In this case, they find a potential point of access and begin to attack it with a range of exploits, hoping to find one that gives them access to the network.
“Once an attacker, whether opportunistic or targeted, has established a foothold in your network, they will almost inevitably seek to escalate their system privileges through further exploits until they reach a level that allows them to achieve their goals,” Nick explains.
The scope and scale of security
Unlike a typical corporate network, CCTV systems generally have few workstations. The few workstations they do have are used to access data and control cameras and storage devices. Some may be completely isolated from external networks while others may be connected to external networks to enable the workstations to access email and websites, with all of the associated cybersecurity risks that this brings.
Because of the nature of video surveillance, cameras are usually dotted around large areas of a town or even several towns, which poses a special risk to CCTV systems.
“Because they’re in public areas, each camera and network box is a potential route into the system from the outside, and it’s essential that these are secured to prevent them becoming a point of access for the cybercriminal,” Nick says. This includes securing the camera and network devices and configuring the network itself to ensure vulnerable devices are isolated from other devices via firewalls.
Quite apart from the external attack is the insider attack. Insider attacks can be deliberate or accidental. For instance, what happens if a member of staff plugs their personal USB stick into a device on your network and that USB stick has malware on it? They might have done it for perfectly innocent reasons but the impact is the same as if it were malicious.
If the system has any connection whatsoever to the corporate network, that is another point of vulnerability, not only for the CCTV network but also the corporate network should the CCTV system become ‘patient zero’ in a malware infection.
Who can you trust?
Trust is a crucial element in the cybersecurity supply chain, a chain which includes consultants, manufacturers, integrators and system engineers. All of them have a huge role to play in ensuring the security of your system, and there are many ways in which the relationship with them can go wrong. But there are steps you can take to ensure the right security posture is adopted by you and your suppliers:
Establish a shared understanding of the threat and your organisational risk appetite
As a primary component in your cybersecurity supply chain, ensure your suppliers are cyber aware and have strongly vetted their own supply chains
Establish clear policies and procedures for cybersecurity with all your suppliers
Nick says the foundations of this start from the beginning. Cybersecurity should even be written into tender documents, covering standards, policies and procedures. Due diligence must include looking at tender bidders’ cybersecurity reputations and satisfying yourself that they share your position and standards on cybersecurity. In the end, it’s essential that you can trust them because you will be giving them the keys (passwords and access) to your network.
You need to ensure that suppliers are not taking shortcuts with your cybersecurity by, for instance, using a shared or common password to secure your devices or storing your passwords on an insecure system, such as a smartphone or tablet. And you need a firm policy on the installation of software tools to minimise the risk of inadvertent backdoors or malware being introduced to the system.
“The responsibility and accountability has to sit with the person who leads that organisation because that person is ultimately responsible for the way that company operates,” Nick says. “They’re essentially signing that they’re going to comply with your security policies, not lay it at the feet of the system engineer – it has to sit with the executives.”
In practice, this means it must be evidenced by the supplier’s or service provider’s policies. “What are their policies when it comes to accessing networks? What is their policy if they need to take data away from your site, because sometimes they do need to take some data away, but how are they going to handle that safely?” Nick asks.
Getting the basics right
If you are new to cybersecurity, where do you start with securing your network? It is easier to build in cybersecurity from the outset, when planning a new system or a major system upgrade, but established systems can still improve their security posture by the application of general principles.
An obvious but often overlooked task is updating all of your passwords so they are unique and difficult to crack. Create a password policy and a set of procedures for managing the passwords on your devices, such as a requirement to keep all passwords in a password vault (like 1Password), protected by a secure master password. Critically, make sure you enforce this policy.
Ensure you have protective systems in place including antivirus software and firewalls. Consider network monitoring software which scans for anomalous behaviour on your network such as the installation and running of executable files, attempts to communicate with external networks and configuration changes.
Train your staff in basic cybersecurity principles. Ensure they understand the policies and procedures as well as the principles of good cyber hygiene.
Ensure that all the firmware on your devices is up to date. According to figures from Genetec, 60% of devices on a typical CCTV network are not running the latest firmware. That means your cameras and recording devices among other things do not have the latest security patches in place, a gift to cybercriminals who look for unpatched devices as an easy way into networks.
Of course, keeping firmware up to date is a never-ending task. Firmware may be updated only rarely but occasionally suppliers go through a flurry of updates as they respond to vulnerability reports and try to patch bugs. Although it can seem daunting, some video management systems can automate this repetitive task, monitoring the firmware versions of every connected device and alerting operators when devices are falling behind in the updates.
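Where the video management system does not offer this, the same check can be run against a device inventory export. The script below is an added example, not code from Genetec or the CCTV User Group; the model names, version numbers, device names and CSV layout are all constructed for illustration.

```python
import csv
import io
import re

# Constructed baseline: latest firmware per model (hypothetical model names).
LATEST = {"CAM-A100": "2.4.10", "CAM-B200": "1.12.0", "NVR-X16": "5.0.3"}

# Constructed inventory export; a real one would come from the VMS or asset register.
INVENTORY_CSV = """device,model,firmware
cam-highst-01,CAM-A100,2.4.10
cam-highst-02,CAM-A100,2.4.9
cam-carpark-01,CAM-B200,1.9.3
cam-carpark-02,CAM-B200,1.12.0
cam-station-01,CAM-C300,3.1.0
nvr-control-01,NVR-X16,v5.0.3
"""

def parse_version(text):
    """Turn '2.4.10' or 'v2.4.10' into (2, 4, 10) so 2.4.10 sorts above 2.4.9."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

def audit(inventory_csv, latest):
    """Classify each device as current, outdated, or unknown (no baseline)."""
    report = {"current": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        baseline = latest.get(row["model"])
        if baseline is None:
            # Unknown models need manual follow-up; never assume they are patched.
            report["unknown"].append(row["device"])
        elif parse_version(row["firmware"]) < parse_version(baseline):
            report["outdated"].append((row["device"], row["firmware"], baseline))
        else:
            report["current"].append(row["device"])
    return report

def outdated_share(report):
    """Percentage of devices not confirmed current (outdated plus unknown)."""
    total = sum(len(v) for v in report.values())
    behind = len(report["outdated"]) + len(report["unknown"])
    return round(100 * behind / total, 1) if total else 0.0

if __name__ == "__main__":
    result = audit(INVENTORY_CSV, LATEST)
    for device, have, want in result["outdated"]:
        print(f"ALERT {device}: firmware {have}, latest {want}")
    for device in result["unknown"]:
        print(f"CHECK {device}: no baseline for this model")
    print(f"{outdated_share(result)}% of devices not confirmed current")
```

Comparing versions as number tuples rather than strings matters here: a plain string comparison would rank 1.9.3 above 1.12.0 and miss the outdated car park camera.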
Although we are talking about cybersecurity, don’t forget physical security. How do you control physical access to your network and its devices? That means not only securing the control room but also the server room and the physical network devices.
It’s also important to be aware of the security of your suppliers. Is the equipment you are using secure and are the manufacturers trustworthy? The Biometrics and Surveillance Camera Commissioner has raised security and ethical concerns about using cameras and other devices manufactured by companies that have close links to repressive governments around the world.
Conclusion
Gone are the days of coax cables and analogue video. The merger of CCTV and IT technology has brought considerable benefits to CCTV, but with this added system maturity comes additional requirements for security protections.
To learn more about this critical topic, watch the recording of our Snapshot Webinar, “How to Talk Cyber” (scroll to the top of this page for the video). This hour-long webinar with Genetec covers the basics of making CCTV systems more cyber secure and includes a Q&A session with the audience at the end.