The boom in cyberspace attacks poses a risk to IP-enabled physical security systems. How vulnerable is physical security to logical threats? A&S separates the fact from the fiction.
A jewel heist is underway, yet none of the perpetrators appear on the security monitors. Their nefarious computer whiz has successfully switched the incriminating footage with stock images, enabling them to go undetected. This heist is straight from the movies, but advancements in technology make hacking a real threat.
Security's migration to IP brings numerous benefits — connectivity, real-time monitoring and more timely responses. However, it adds vulnerability as physical security integrates with logical security.
Security breaches are a distinct possibility, regardless of why they are carried out. "Once when a security system has been in place, there's always a tendency to try to break it, either internally or externally, to test the system's resilience," said Philip Siow, Senior Technical Manager, Axis Communications. "It depends on the value of the application and how critical it is."
However, additional risk is not necessarily cause for alarm. "If it's the 7-Eleven on the corner, am I really going to attack it?" said Phil Carrai, Executive VP of Kratos. "It depends on how critical it is."
One critical application would be military reconnaissance. "A December 2009 report found militants in Iraq used US$26 off-the-shelf software — SkyGrabber from Russia — to intercept and capture live video feeds from US Predator drones on an unprotected communication link," said Andrew Chow, Senior VP of ST Electronics (Info-Comm Systems). "It is, therefore, crucial to encrypt the channel to protect against eavesdropping."
The unencrypted footage posed a real threat to American forces, but encryption could slow transmission and impact situational awareness. "Users need to decide on their objectives, as striking a balance is important as far as security is concerned," Chow said. "It's impossible to build a maximum-security prison and yet allow for ease of accessibility and convenience."
In extreme cases, online threats can translate into physical ones. Russia's online attack on Georgia in July 2008 prevented people from finding out what was going on. "Cyberterrorism was a precursor to a real war," Carrai said.
A range of virtual loopholes could affect physical security solutions. "A lot of these Internet-enabled surveillance cameras are insecure," said Bruce Schneier, security technologist and author. "Some of them have no password protection. Others have default passwords that the users don't bother to change. Potential attacks range from the relatively benign eavesdropping to the more sophisticated seizure of control."
From the dawn of interoperability and remote monitoring, hacking has always been a possibility. "There's the smart kid in pajamas to something much more malicious like industrial or state-sponsored espionage," Carrai said. "There's a huge benefit to migrating to IP — there's no reason to go back to the analog world — but the stakes have been raised."
Information security is a newer threat for physical installations. "Things like viruses and breaches of information are already addressed in current network installations," said Peter Brissette, owner of www.cctv-security-camera-systems.com. "Planting video completely from an outside source over live camera streaming or recorded information can be done, given a very specific set of circumstances."
Some attacks require on-site access. "You can get to a legitimate IP address by either physically taking over the camera or by compromising the cable in order to 'snoop' the line for the IP address," said Lee Caswell, founder and CMO of Pivot3. "Once you have a legitimate IP address, you are still bound to the access controls that were set up on initial configuration. You could presumably send in some substitute video, although interruptions in the camera flow would normally generate its own set of alerts."
IP introduces convenience and new issues. "Some concerns are a direct result of making systems easier to manage," said Will Dettmering, owner of Dettmering Consulting. "While it is true that international criminals are feverishly developing new and ingenious ways to hack networks, their relative ROI is low."
On the residential side, wealthy home owners with networked security may become targets. "Home security firms bond their installation people because of the potential for breaches, and the liability that would expose them to," Carrai said. "They could hack into homes, then turn off the access control and video systems."
Commercial users should consider risks with clearly delineated policies. "Whether a company employs three people or 3,000, technology alone cannot take the place of strict, clearly communicated and mandated organizational security policies," said Holly Sacks, Senior VP, Marketing and Corporate Strategy, HID Global. "The key is to determine how an access control system should be deployed in alignment with those security policies."
Video encryption is one way to prevent eavesdropping. "We encrypt the transmission, since we can access all the footage online," said Xiangqun Ying, Senior Engineer of Hikvision. "To the user, they feel more exposed and vulnerable. It's not much different from online banking, with HTTPS, SRTP and SSL encryption."
Adding encryption may result in delays. "Encryption on the camera is possible, but a better way is to make sure that the network and surveillance application is secure," Siow said.
Encryption should be reserved for special purposes. "If, and only if, it is critical that no one be able to view a live stream should the stream be encrypted, such as tactical drone cameras or recording for undercover police work," Dettmering said.
A more common video practice is watermarking. "The Nuuo system creates its own watermark to ensure the authenticity of videos," said Shawn Guan, Business Development Manager of Nuuo. "We have plans to strengthen the encryption part, but no significant development for now."
Hikvision combines its AES video encryption with watermarking. "We use logical access control with a sign-in and password — encryption 802.x and more — to interrogate users," Ying said. "The watermark ensures the right images are recorded."
Axis network cameras feature password protection and some extra safeguards. "We have HTTPS protection using an 802.1x radius server and filter for IP addresses," Siow said. "We have our own surveillance application system for recording and viewing, which has watermarking."
The Axis solution does not display planted video during playback. "If the video is tampered with, it will not be possible to play the recording," Siow said. "If in court, you can demonstrate how the video is recorded to prove its authenticity."
Invisible watermarking can add extra information. "Robust watermarking embeds critical information such as video frame number, camera ID, date and time stamp," Chow said. "It is designed to withstand accidental and malicious attacks such as frame control, addition, editing or swapping."
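The kind of check Chow describes can be sketched as follows. This is an added example, not code from the article or from any vendor quoted in it: it binds camera ID, frame number and time stamp to each frame with a keyed hash chain (HMAC-SHA256) stored beside the frame, rather than an invisible watermark embedded in the pixels. The key, camera ID, record layout and function names are assumptions, and the frames are constructed sample data.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: per-camera secret set at installation
GENESIS = b"\x00" * 32         # chain start value for the first frame

def frame_tag(key, prev_tag, camera_id, number, timestamp, pixels):
    """HMAC over the previous tag, length-prefixed camera ID, frame number, time and frame hash."""
    cid = camera_id.encode()
    header = struct.pack(">H", len(cid)) + cid + struct.pack(">QQ", number, timestamp)
    body = prev_tag + header + hashlib.sha256(pixels).digest()
    return hmac.new(key, body, hashlib.sha256).digest()

def seal(frames, camera_id, key=KEY):
    """Turn (timestamp, pixels) pairs into records, each chained to the one before it."""
    prev, records = GENESIS, []
    for number, (timestamp, pixels) in enumerate(frames):
        tag = frame_tag(key, prev, camera_id, number, timestamp, pixels)
        records.append({"camera": camera_id, "n": number, "ts": timestamp,
                        "data": pixels, "tag": tag})
        prev = tag
    return records

def verify(records, camera_id, key=KEY, expected_count=None):
    """Return the index of the first record that fails the check, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = frame_tag(key, prev, camera_id, i, rec["ts"], rec["data"])
        if (rec["camera"] != camera_id or rec["n"] != i
                or not hmac.compare_digest(expected, rec["tag"])):
            return i
        prev = rec["tag"]
    # A chain cannot reveal frames cut from the end; that needs a known frame count.
    if expected_count is not None and len(records) != expected_count:
        return len(records)
    return None

if __name__ == "__main__":
    # Constructed sample: four 16-byte "frames", one second apart.
    frames = [(1700000000 + i, bytes([i]) * 16) for i in range(4)]
    recording = seal(frames, "cam-07")
    print("intact:", verify(recording, "cam-07"))
    recording[2]["data"] = b"stock footage"  # edited frame
    print("first bad frame after edit:", verify(recording, "cam-07"))
```

Because each tag covers the previous one, removing, adding, editing or swapping a frame breaks verification at the first affected position.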
Best Practices in Data Security
While cameras and video systems have some defenses against hacking, most prevention takes place on the network level. This means end-user IT departments must work with security installers for a comprehensive solution.
"Ultimately, every device put onto a network has to be protected in two ways: The device must protect itself and the network must be used to protect the device," said Barry Keepence, CTO of IndigoVision. "Each device should have basic protection such as passwords and encryption. A firewall in the device itself adds a very high level of protection."
Converged solutions must consider logical as well as physical security. "Larger organizations typically have IT security administrators who have data security technologies to protect information residing on the computer network," Sacks said. "A properly deployed IP-enabled physical access control system that considers policy and the entire enterprise security ecosystem of perimeter, facility and data access control provides these organizations heightened levels of security through an added layer of security."
Changing user names and passwords is often neglected. "Often, we will change 'admin/admin' from standard administration rights to user rights," Dettmering said. "This means that if you log in as 'admin/admin,' you will see only the video streams I want you to see, but not have administration rights."
Camera providers emphasized the importance of authentication. "Each camera has a password, but many users don't use it because it's a pain," Ying said.
A Malaysian SaaS remote monitoring solution requires robust codes. "VirtualEye provides a mechanism to indicate password strength when users update passwords, thus enforcing strong password input," said Alex Ng, MD of Viewtech & Communication. It also authenticates users for mobile access to video.
Information security practices for SaaS solutions should be audited externally. "A few audit standards to look for include SAS-70, SysTrust, WebTrust or ISO 27001," said Steve Van Till, President and CEO, Brivo Systems.
IT users should be alert for network breaches. "A company should use network monitoring software and diligently monitor its logs," Chow said. "If a specific Ethernet port from the surveillance camera generates increased traffic and unusual packets, an administrator could simply block the port from which it is originating."
The increase in interoperability standards raises concerns about more hacking. If all devices communicate the same way, a malicious attack could be more widespread. "Once it is open, the risk may be higher for some points," Ying said.
However, most experts felt the benefits of integration outweigh the relatively small threat of hacking. "Standards are peer-reviewed by some of the best minds in the security industry and are continually being updated and enhanced, resulting in standards-based products that actually improve security," Sacks said.
Hacking: Priority or Movie Gimmick?
Hollywood makes planting video footage look like child's play. However, replacing images in real life requires significant effort.
"Usually this type of security threat is hyped by people not familiar with video surveillance," Caswell said. "Most surveillance networks are segregated from the data network to limit access and most video review is forensic, so real-time replacement techniques aren't the threat you might originally believe."
Caswell saw less technical threats as more common and worrisome. "I worry about older systems that aren't self-healing or that don't have built-in notification mechanisms. We've seen many cases where users think they are protected when the systems aren't fully operational. And then there's always collusion," he said. "You can have all the security practices you want, but none of them will guard against collusion."
The internal threat was echoed by other experts. "Who you have working for you will be the same threat it has always been," Brissette said.
Corrupt insiders pose a bigger threat than hackers. "Another more pressing security threat is camera tampering, meaning for those handling the camera to tamper with it," Siow said. "To spray paint, tilt or change focus is much easier than to hack into a camera, which can cause as much damage to its video."
Other practical issues trump virtual ones. "I see bigger issues with bandwidth, storage and video usability as more predominant issues with IP systems," Brissette said.
Power supply is another more immediate concern. "The security threats I consider more pressing are electrical or power disruption, such as a lack of backup power and a plan for dealing with power loss," Dettmering said.
Even if hackers attack, users can keep them at bay. "The biggest issue is the ability and knowledge of installers and end users to use freely available tools to protect themselves," Keepence said. "So hacking is a threat, but one which is easily overcome."
However, virtual threats should not be underestimated. "From the IP side, I'd put it in the 10 category on a scale of 1 to 10," Carrai said. "We're in the infancy stage of how people coordinate attacks on networks. You can get into a network remotely more easily than entering physically."
Users must evaluate why they installed security in the first place. "You put those systems in place to do something," Carrai said. "You need to protect them."
Hacking poses a real threat, but not an insurmountable one. "We secure our products, but if we hand you a lock and you don't use it, it's not safe," Ying said. "The end user must have an awareness of threats."