A number of concerns have been raised recently regarding the security of IP video surveillance systems.
In this blog post we discuss these concerns, as it is extremely important that they are taken seriously.
The great irony for companies is that their security installation may, in fact, become their most vulnerable asset. Therefore, it is critical that installers and system integrators give special care and consideration to all the associated network security implications. In the UK, we continue to refer to the technology as CCTV (Closed Circuit Television), but IP network technology makes it anything but ‘closed circuit’. Like all networked applications, network surveillance systems are vulnerable and need protection.
The level of protection will depend on the application and the available budget. At a very minimum, security companies should include a deliverable as part of their service that explains in detail how they plan to ensure the data cannot be accessed by, or transmitted to, anyone other than those authorised to have access. In addition, IT departments need to understand the surveillance application, so that they design their infrastructure to support it while ensuring it remains protected.
This should include a list of all the equipment used, its known vulnerabilities, the steps taken to combat those vulnerabilities (such as securing endpoints: NVRs, workstations and mobile devices), the password policy, the security protocols and encryption in use, and an ongoing security plan. Hackers never stand still; they are always looking for weaknesses to exploit and, in the end, they will find them no matter how secure you make the environment. So protection is an ongoing task that should be part of any maintenance contract. We at Mirasys are always evolving our products to be better, and as such new releases may contain updates that improve the security of systems against unwanted external access. Microsoft is doing the same. Linux and Apple based systems are hackable as well (with Linux being open source it is even easier to hack). Therefore, it is important that their updates are applied as they become available.
So, what should you do to ensure your network system is safe from vulnerabilities?
At Mirasys we see numerous systems, cameras and even NVRs still using their default logins. Google this and you can find them all in a few seconds. Changing them is such an easy thing to do but, for some reason, many people overlook this important step. Even worse, some change the passwords and then don’t tell anyone what they are. If the passwords are lost, in some cases this would require a complete system rebuild.
Firstly, change the passwords and even the usernames on the cameras. If the cameras do not support a password change, send them back.
Next, change the default Administrator password on the NVR and, as always, make it something tricky. Mirasys supports several levels of security. Create your Admin level users (these will be able to make changes to the system, so make sure there are not too many). Each user should have their own username and password, so their actions can be audited by the system. Generic user IDs are definitely not advised. Give the administration login to as few people as possible. The fewer people that can access the system, the more secure it will be. To help you with the process of regular password updates, Mirasys supports Active Directory integration. To prevent a network sniffer from easily finding passwords and gaining access to your system, the HTTPS transmission protocol should be used, as this ensures passwords are transmitted fully encrypted and deciphering them would become an enormously difficult task.
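As an added example (not Mirasys code), the following Python script audits a constructed site inventory against the account rules above: factory logins, cameras whose password cannot be changed, plain-HTTP logins, and shared or excessive admin accounts on the NVR. The field names, the default-username list and the admin limit are assumptions made for the example.

```python
"""Audit a surveillance inventory against the account rules described above.
Added example, not Mirasys software; fields and the sample site are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field

# Factory logins commonly shipped on devices (assumed list; extend from vendor docs).
DEFAULT_USERNAMES = {"admin", "root", "user", "service"}
MAX_ADMINS = 2  # site policy value assumed for this example

Account = namedtuple("Account", "username role shared", defaults=[False])  # shared: used by several people

@dataclass
class Device:
    name: str
    username: str
    password_changed: bool           # factory password replaced?
    supports_password_change: bool = True
    https: bool = False              # management login over HTTPS?
    accounts: list = field(default_factory=list)  # NVR user accounts

def audit_device(dev):
    """Return (device, severity, message) findings for one device."""
    f = []
    if not dev.supports_password_change:
        f.append((dev.name, "HIGH", "password cannot be changed: replace the device"))
    if not dev.password_changed:
        f.append((dev.name, "HIGH", "factory default password still in use"))
    if dev.username.lower() in DEFAULT_USERNAMES:
        f.append((dev.name, "MEDIUM", "factory default username still in use"))
    if not dev.https:
        f.append((dev.name, "MEDIUM", "login sent without HTTPS, readable by a sniffer"))
    admins = [a for a in dev.accounts if a.role == "admin"]
    if len(admins) > MAX_ADMINS:
        f.append((dev.name, "MEDIUM", f"{len(admins)} admin accounts, policy max {MAX_ADMINS}"))
    for a in dev.accounts:
        if a.shared:
            f.append((dev.name, "MEDIUM", f"shared login '{a.username}' cannot be audited"))
    return f

def audit_site(devices):
    return [x for d in devices for x in audit_device(d)]

SAMPLE_SITE = [  # constructed inventory
    Device("cam-lobby", "admin", password_changed=False),
    Device("cam-yard", "sec-ops", password_changed=True,
           supports_password_change=False, https=True),
    Device("nvr-1", "nvr-admin", password_changed=True, https=True,
           accounts=[Account("alice", "admin"), Account("bob", "admin"),
                     Account("carol", "admin"), Account("guard", "operator", True)]),
]
```

Running `audit_site(SAMPLE_SITE)` yields six findings: three for the untouched lobby camera, one telling you to replace the yard camera, and two for the NVR's account hygiene.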
- Assess existing and future remote access risks
Remote network access can be a great way for network administrators and integrators to save on truck rolls and costly on-site visits. Remote network access can be accomplished in a number of ways.
A VPN (Virtual Private Network) can be used to establish secure connections between two or more LANs, or to provide a well-protected point-to-point connection over the Internet. A VPN uses encryption and authentication protocols to prevent unknown computers from accessing data exchanged between two or more local network sites. It can run 24/7 and does not require any user intervention.
Often remote access can be granted on demand using remote desktop tools to a workstation on the network. Systems like VNC and GoToMyPC are great alternatives for on-demand access, but they do require user intervention to launch. It is generally not a good idea to leave these tools running all the time. If a device must be exposed to the public Internet, port forwarding will be needed. If there is an option, use an obscure port instead of the standard ones (22, 23, 25, 80, 554, etc.).
- Take security to the next level with VLAN and QoS
Virtual LANs (VLANs) improve security by segmenting traffic into multiple virtual networks. IP-based video surveillance equipment or general office LAN traffic may exist on the same physical switch, but the VLAN ensures the networks are invisible to each other and unreachable. VLANs are often deployed with Quality of Service (QoS), which prioritises network traffic so video quality is not impacted.
- Prevent unauthorised remote access with firewalls
Many surveillance systems are purposely not connected to the Internet; instead, they are connected to a separate LAN. This reduces risk but may make servicing more difficult, as software and firmware updates, which would otherwise be downloaded, must be loaded over USB or other means.
Firewall devices and programs protect computers from cybersecurity threats by controlling communication between local and WAN (Internet) networks. They limit traffic to specific IP addresses and ports that have been authorised.
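The following Python example, added here and not part of Mirasys's products, checks a default-deny allowlist for a segmented surveillance network against the points above: only authorised source, destination and port combinations pass, the camera and NVR segments never originate traffic to the Internet, and no device is forwarded from the Internet on one of the standard ports listed earlier. The addresses, segment layout, rules and sample flows are constructed.

```python
"""Check a default-deny firewall allowlist for a segmented surveillance network.
Added example, not Mirasys code; addresses, rules and flows are constructed."""
from ipaddress import ip_address, ip_network

INTERNET = ip_network("0.0.0.0/0")
# Authorised flows only: (source net, destination net, protocol, dst port).
# Everything not listed is dropped by the firewall's default rule.
ALLOW_RULES = [
    ("10.20.0.0/24", "10.10.0.0/24", "tcp", 554),  # NVR -> cameras, RTSP video
    ("10.20.0.0/24", "10.10.0.0/24", "tcp", 443),  # NVR -> cameras, HTTPS config
    ("10.30.0.0/24", "10.20.0.0/24", "tcp", 443),  # viewing workstations -> NVR
    ("10.99.0.0/24", "10.20.0.0/24", "tcp", 443),  # VPN address pool -> NVR
]
STANDARD_PORTS = {22, 23, 25, 80, 554}  # from the remote-access advice above

def is_allowed(src, dst, proto, port, rules=ALLOW_RULES):
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn)
               and proto == p and port == pt for sn, dn, p, pt in rules)

def lint_rules(rules):
    """Flag rules that expose a device to the Internet on a standard port, or
    that let an internal segment originate traffic towards the Internet."""
    problems = []
    for sn, dn, p, pt in rules:
        if ip_network(sn) == INTERNET and pt in STANDARD_PORTS:
            problems.append(f"Internet -> {dn}:{pt} is forwarded on a standard port")
        if ip_network(dn) == INTERNET:
            problems.append(f"{sn} may originate traffic to the Internet")
    return problems

def evaluate(flows, rules=ALLOW_RULES):
    """Split planned or observed flows into (allowed, dropped) lists."""
    allowed = [f for f in flows if is_allowed(*f, rules=rules)]
    dropped = [f for f in flows if f not in allowed]
    return allowed, dropped

SAMPLE_FLOWS = [  # constructed: (src, dst, proto, dst port)
    ("10.20.0.5", "10.10.0.21", "tcp", 554),    # NVR pulls video: needed
    ("10.30.0.12", "10.20.0.5", "tcp", 443),    # workstation views NVR: needed
    ("10.30.0.12", "10.10.0.21", "tcp", 80),    # office PC straight to a camera: dropped
    ("10.10.0.21", "203.0.113.7", "tcp", 443),  # camera calling out: dropped
    ("10.99.0.3", "10.20.0.5", "tcp", 3389),    # VPN user RDP to NVR: not authorised
]
```

Feed `evaluate` the flows you expect the installation to need; anything that lands in the dropped list either needs a deliberate new rule or is traffic the segmentation is meant to stop.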
- Maintain regular backups
Having timely, complete backups will ensure that any outage from hacking is minimal. Malware such as ransomware is on the rise. Ransomware encrypts the files on a system and then asks for payment before a key is sent to unlock the data. Without regular backups, your customers may have to pay up.
- Disable unused switch and network ports, and any other unused services
Another easy, but typically overlooked step is to disable all unused ports. This mitigates the risk of someone trying to access a security subnet by simply plugging a patch cable into a switch or unused network jack.
Unnecessary services on viewing workstations and servers should be turned off. These may include manufacturer-specific update utilities, Microsoft update services, Web services, etc. These may act as a backdoor for hackers or viruses, consume additional processor and memory, and increase start-up time. They should be disabled or set to operate only when manually started.
Note that this does not necessarily prevent unauthorised access, as someone could unplug a device (camera, workstation, printer) from a previously authorised port or jack and access its port, unless measures such as MAC filtering or 802.1X are in place.
- Breakout control from data networks
If the network design allows it, breaking out the control plane from the data plane is a good idea. This is especially true if your customer is running keyboard and mouse controls for remote systems.
Customers can keep their local control network off the public Internet, making it difficult for hackers, while allowing for more flexibility in video routing. This generally will require end devices to have two network interfaces or the use of dongle devices that send keyboard and mouse control over a separate Ethernet network.
- Create and enforce a security policy
All the steps above are even more effective when documented as part of a written and strictly enforced security policy. If an end user does not have a security policy in place, you as the integrator may choose to create one as part of your documentation. You would then require it to be followed in order for the warranty to be enforced and to limit liability in case of a breach.