In today’s connected world, IP-based systems offer numerous breach points for cyber-attacks. Ironically, physical security systems based on IP infrastructure are among the most vulnerable systems to be attacked due to low awareness and limited offering of “hardened” security solutions.
The recent two years have seen a sharp rise in the number of companies devoted to cybersecurity. Targets from retail chains to social media accounts to critical infrastructure have all come under attack from perpetrators as diverse as organized crime rings, “hacktivists,” and even clandestine government cyber units.
“Cyberdefense has been a priority in the IT arena for decades, and with the transition from analog video to IP and the convergence of video systems into enterprise networks, it is now a major concern for physical security systems,” said Ron Grinfeld, Director of Global Vertical Marketing at FLIR Systems.
With the increasing number and sophistication of these attacks, cyberthreats are no longer only an IT problem.
The physical electronic security industry has moved steadily from the closed, protected, and sometimes proprietary communications methods of the past to open and much more vulnerable networkbased solutions. “These transitions, from analog closed circuit television (CCTV) to digital IP-based systems have exposed the physical security stakeholders to the same risks that IT departments have faced for years,” Grinfeld added.
While in the past cyber-attacks were mainly a concern for large organizations and government institutes, today they pose a significant risk for most organizations. A successful cyber-attack can result in major consequences for companies, financial loss, data theft, intellectual property or classified information leaks, and erosion of confidence by their customers.
Cybersecurity has become a real concern not just for end users, but also for manufacturers and other channel players. A recent example is PSA Security Network, one of the world’s largest security integrator alliances, which has set up a cyber committee to help educate its members on the risks and solutions available.
Common vulnerabilities of security systems
IP-based security systems, whether video surveillance or access control systems can run either side-by-side with other IT systems or they can run partially or entirely within the corporate network. As a result, an unprotected system can be a jumping board into the corporate network.
In many cases, the problem is that these systems are not treated as other end-points in the network. Whereas employees personal computers are usually password protected, it is not uncommon to see that the password in the video surveillance system unchanged as the default (sometimes easily accessible through a simple Google search).
“Many of the integrators haven’t yet adopted sound cyber hardening practices in their system implementations,” said Andrew Lanning, Co-Founder of Integrated Security Technologies and the chairman of PSA’s Cybersecurity Committee. “Vulnerabilities are numerous,” he added, detailing a long list of possible risks: “Weak password schemas, implementations, and management; wireless everything; unnecessarily open ports; outdated firmware; and outdated or copied (reused) cryptography in certificate implementations.” All these greatly increase the chances of an attacker to find an entry point into the system.
Another risk is users demand remote access and mobility. End-user requirements for remote access to their video footage have resulted in traditional DVRs, NVRs, and VMS being connected to the Internet for remote video access, thus creating more breach points outside of the security system. In addition, the use of mobile devices that can be easily hacked or stolen further compromises the security of the system.
“There is an emphasis placed on bring your own device (BYOD) and mobile for many businesses worldwide, which can compromise not only data, but physical security systems as well. Mobile devices are extremely vulnerable to digital attacks and physical attacks because of their portability,” explained Brian Lettiere, VP of Product Management at Verint Systems.
Logins, passwords, and other important information are often stored on mobile devices, which allows easy access to pertinent information. Email and social media accounts, along with applications, are just one swipe away and easily accessible to unauthorized users. Theft or loss of a device is an open door to access sensitive corporate data. In addition, smartphones and tablets are easy targets for viruses, Trojans, worms, and spyware, which makes it easy for attackers to gain access to proprietary data. Apps and even the operating system itself are not hardened and there are off-the-shelf malware that hackers can buy to hack a specific application used to access the security information.
Hagai Katz, Senior VP of Business Development and Marketing at Magal Security Systems voiced a similar opinion. “Most of the market/customers are still unaware of the risk. As an integrator we know that in most cases the awareness to cybersecurity is almost non-existent. The same problems persist: IP cameras’ default passwords are untouched; access control systems may have an external unsecured access point; no one monitors new entrants to the network (such as a new device on the network).”
Katz went on to explain that intruders today are likely to prefer committing a cyber intrusion, or a mixed cyberphysical intrusion, instead of taking the risk of actively penetrating through the fence or one of the gates.
These scenarios can include neutralizing alerts by blocking or saturating the alarms from the smart fence, creating false perceptions by freezing the video of IP cameras, or streaming recorded footage to the guard’s monitor.
Other scenarios might be penetrating the system to create fake identities by the remote production of an access card (thus allowing outside people access to the site), and of course hacking onsite operational systems, creating direct outage or damage to power, elevators, fire alarms, or even damaging production systems through pure cyber-attacks.
“The vulnerability of the security systems is a well-known industry secret,” said Jack Cohen-Martin, Co-Founder of Nuvola, a New York-based video-surveillance- as-a-service (VSaaS) provider. The vulnerability is even more complicated because it is very hard to detect cyberattacks. “It is hard to tell if a camera or another system is under a DoS (denial of service) attack or if it is just stuck. In small and medium businesses the problem is even worse since they are either unaware of cyberthreats to their security systems or just don’t care about it.”
According to Cohen-Martin, cheap equipment and common platforms only augment the problem that “equipment is not ‘hardened’ against attacks because this would make it expensive. Manufacturers save on hardware quality and software tests to keep costs low and this enables the existence of ‘back doors’ which can be exploited by attackers.”
The limited offering of hardened security solutions and low awareness of cyber threats has led physical security systems based on IP infrastructure to be one of the most susceptible systems to be attacked.
In today's connected world where IP-based systems offer numerous breach points for cyber-attacks, it is best for users to understand the vulnerabilties that these systems hold in order to help prevent their systems being hacked.