As cybersecurity breaches become more prevalent, system integrators will evaluate a vendor’s product line by asking not only, “Is this the right video surveillance product for this application?” but also, “Is this product as cyber-secure as possible?” Companies that design and manufacture surveillance products need to beat integrators to that second question – and get it right.
Of course, ensuring cybersecurity best practices has to be an ongoing and collaborative effort among manufacturers, integrators and end-users, but responsible manufacturers are taking the lead in cybersecurity.
All three parties – integrators, end-users and manufacturers – are responsible for cybersecurity in unique ways. Integrators need to be knowledgeable and well-trained on industry-standards and the brands they install; end-users need to understand their security systems, and ensure that all employees use best practices.
While all three need to be vigilant, responsible manufacturers lead the way. They constantly reevaluate and improve their internal processes and they are also an active resource for integrators, end-users and the security industry as a whole. No networked appliance is invulnerable, but putting cybersecurity best practices in place can help guard against attack. Not if, but when, an issue occurs a trusted manufacturer-partner acts swiftly and efficiently to identify and resolve it.
Where to Begin
First and foremost, hardware must provide a platform that makes network safety simple and reliable. A solid cybersecurity plan starts with products designed to effectively implement the three As: Authentication, Authorization and Accounting. Manufacturers that integrate these principles into product design provide users with a strong foundation for network safety, and integrators should be looking for products that conform to them.
Additionally, be sure your manufacturer keeps its firmware updated. This includes fixing problems that come up through a product’s lifecycle, eliminating any reported bugs. Manufacturers should always notify customers of firmware and software updates, noting simply and clearly each iteration in a public forum – a specific page on its website or in a company newsletter, for example. A simple method for notifications goes a long way to keep integrators and security personnel apprised of new versions.
End-users who have an in-house IT professional or IT department should already have a contingency plan in place for cyber attacks. For mid-sized and smaller companies that outsource IT-related needs, the vulnerabilities abound. When – not if – an attack occurs, precious time and resources will be jeopardized. System integrators are essential at these moments, but they will likely rely on the technologies inherent and available in the component’s design. Manufacturers play their own vital role here with smart technologies, competent protocols and clear communication long before a crisis occurs.
Is ‘Password’ Still Your Password?
Anyone who keeps up with the news knows that infiltrations are often made possible because of default passwords. The number of users who do not change their system passwords from the default setting is both staggering and frightening. Nevertheless, vendors who design password-protected products need to provide clear information on their website and in company communications on how to change passwords – and integrators should do this immediately upon installation.
Look for manufacturer partners who help raise awareness about best practices by creating an online resource dedicated to security education, posting company videos with instructions on changing passwords and upgrading firmware, information on how to report a security concern or a potential vulnerability, training technical support teams to respond appropriately in a crisis situation, etc.
Many manufacturers have begun a “secure activation program” or something similar. This new design feature does not provide a default password at all; instead, it requires an extra step on the part of the integrator during installation – usually a phone call to tech support. In this design, the integrator must create a unique password at the initial power-up of the component.
Other Manufacturer-Created Cyber Solutions
Manufacturers can integrate yet another often underappreciated means of protection: locking cabinets and housings. Enterprise-level users knowingly keep servers and video recorders in their own scaled-down Fort Knox; however, it is the smaller operations – ones whose offices double as broom closets – that need this added barricade.
Physical access to hardware, cables, and even desktop computers creates added vulnerability. An invisible or inaccessible NVR will not tempt the offhand opportunist.
Additionally, manufacturers can take the lead by requiring routine product testing by third parties to identify any Achilles’ heel before a cyber criminal does. In other words, they hire a hacker.
The bad guys spend untold numbers of hours searching for weaknesses, so manufacturers should beat them to the punch. Be sure your vendor partner contracts third-party security data and analytics companies to perform regular penetration tests and vulnerability assessments of products. Third-party testing and Capability Maturity Model Integration (CMMI) certification are robust tactics to ensure cybersecurity.
Response Strategies
As soon as possible after a security breach or vulnerability is discovered, manufacturers should update the firmware involved in order to correct the issue. Integrators, dealers, distributors, known users (depending on the business relationship) and other vendor partners should all receive emails informing them of the firmware upgrade required.
All cyber-related news and information should be reproduced somewhere on the manufacturer’s website – whether a support page, sidebar on the homepage, or something similar. These notices should be precise and concise, with clear step-by-step instructions for maintaining or restoring security.
Once again, it must be repeated that some form of contingency plan should be in place before a breach is ever reported.
Distributors, channel partners and customers should also have received contact information for their system manufacturer’s security response center, tech support call center, or other group dedicated to fielding reports of security concerns. Smart integrators will consider the effectiveness of these support services when they decide which companies to partner with.
Finally, social media portals should also be used; in fact, the are often the most effective means to spread the word and call immediate attention to problems. Nowadays, this is more or less industry-standard behavior; but for those who are slow to catch up, companies should consider the various social media platforms if only for this very purpose. This has proven to be an incredibly rapid method of getting the word out both from vendor to partner and vice-versa, as well as among end-users, integrators and other vendors.
Remember: no one is immune, simply lucky. If someone wants to spend enough time and effort they can find a way to get onto any device that is attached to the Internet. If the past is any predictor of the future, it stands to reason that security manufacturers with the most effective cyber protection will prove to be the best partners to their integrators.
Alex Asnovich is director of marketing for Hikvision USA Inc. Request more information about the company at www.securityinfowatch.com/10215768.