Cybersecurity for Physical Security Devices

June 14, 2021
Four considerations to build a cyber-secure foundation for security technology deployments

This article originally appeared in the June 2021 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.


As more ransomware and cyber-attacks hit critical infrastructure, government and corporate targets, security directors are demanding that technology suppliers specifically address the cybersecurity of all newly deployed systems.

As national news spread of the recent hack of more than 150,000 cloud-based Verkada physical security cameras (read more at www.securityinfowatch.com/21213804), it cast another spotlight on a large-scale example of what can go wrong if cybersecurity measures are not hardened – as the explosion of IoT devices, including security cameras, create ever-expanding threat surface areas.

The hack resulted in elicit access to thousands of cameras through a broad cross section of society, from hospitals, schools and corporate offices to police stations and jails. Not only were the hackers able to see into a variety of facilities, they accessed certain private data as well – for example, they saved video footage taken from the home of Verkada employee, of inmates in detention facilities, and insight on who used access cards to enter certain hospital rooms and when.

With network breaches, compromised user information, regulatory fines, and lost consumer confidence all major concerns, it is no surprise that security directors feel vulnerable. These attacks leave them feeling exposed, and ultimately skeptical of the ability and integrity of both the technology and the providers who install it. Organizations of all types increasingly possess sensitive data that often lives online via third-party networks or in the cloud, such as personally identifiable information, intellectual property, customer data, protected health information, and industry and government data. Without tight cybersecurity measures, all this proprietary information is susceptible for extraction by hackers looking for weak points in the security chain.

Securing Physical Security Devices

This growing attack surface area has become an enticing, asymmetrical opportunity for independent and state-sponsored hacking groups to disrupt adversaries and/or enrich themselves and their respective backers. Thankfully, the Verkada breach was performed by an international hacker collective whose goal was to highlight the omnipresence of video surveillance and the overall ease of breaking into a cloud-based system, not as some broader nefarious espionage plot or ransom scheme.

Now is the most important time to secure digital assets and harden each piece of technology and software that integrators tie into customer networks. Cybersecurity considerations should be an integral part of a technology suppliers’ development, including sustaining processes that consist of internal and external vulnerability tests, stringent code reviews, and rigorous IT protocols. Security systems for critical infrastructure and government applications should be backed by proven cybersecurity policies, NDAA compliance, and technology features that are designed to keep information and networks secure.

For integrators and their customers, a cybersecure physical security program should include four key considerations to help maintain the cybersecurity integrity of physical security devices. While network breaches can be unpredictable, these four key cyber security recommendations can help better position integrators and end-user organizations from attack:

1. Cybersecurity product features;

2. Conduct routine penetration testing;  

3. Create closed networks for physical security devices; and

4. Use suppliers who are committed to cybersecurity and comply with National Defense Authorization Act (NDAA) regulations.

Cybersecurity Product Features to Look for

Cybersecurity is not just a feature, it is also a mindset. Hardening security systems from outside hackers requires hardware that supports the latest cybersecurity features, as well as procedures to ensure best practices are consistently followed. When selecting hardware vendors to partner with, integrators should look for the following tangible features to ensure the hardware will integrate well with an end-customer’s overall cybersecurity strategy:

  • IEEE 802.1x Authentication: Safeguards Ethernet local area networks (LANs), or the edge security network, from unauthorized users whose credentials do not match the authentication server.
  • Transport Layer Security (TLS) Protocol: Acts as a cryptographic protocol between cameras and video management systems to ensure connections between equipment and servers are secure and private.
  • Hypertext Transfer Protocol Secure (HTTPS): Enables secure communication over a computer network; this communication protocol is encrypted via TLS.
  • User Authentication: Enforces a strong password policy and forces default passwords to be changed on first use. Passwords should always remain highly random, using a combination of letters, numerals, and symbols and not follow a guessable pattern. Passwords should also be changed regularly.
  • No Backdoor Accounts: Ensure there are no backdoors to access cameras. Depending on the supplier, technical support teams should be able to download firmware to the device to allow for troubleshooting and then re-download non-backdoor firmware once the session is closed. If the vendor has left a backdoor for the support team, this vulnerability can be exploited by hackers.
  • Access Control via Firewall: Protects application servers from untrusted networks and traffic; enables users to “allow” services they are using and “block” those they are not. Services that can be turned on or off include Real Time Streaming Protocol (RTSP), Universal Plug and Play (UPNP), vendor-specific proprietary APIs, and Internet Control Messaging Protocol (ICMP).
  • Digest Authentication: Ensures only an encrypted version of a password is saved on the server so that it cannot easily be decoded.
  • Signed Firmware: Vendors must provide a mechanism for signed firmware upload to ensure malware cannot be loaded onto security hardware. Additionally, integrators should ensure that diligent firmware updates to the latest available versions are performed to ensure any vulnerabilities are addressed and closed.
  • Configuration Lockdown: Protects against multiple failed log-in attempts.

Penetration Testing

A vital element to staying cybersecure is staying current on the latest risks. A strong cybersecurity strategy is one that continually runs tests on all products and firmware to identify what new threats are out there. Equipped with this data, integrators and end-users can ensure that solutions have the latest defense features to mitigate these threats.

Conducting internal and third-party penetration tests where technicians attempt to breach their own cameras is a key vendor practice to ensure solutions can defend appropriately. Vendors should subscribe to libraries of known cybersecurity vulnerabilities to regularly check products against these threats, generate reports on findings, and make technical adjustments as needed. These vulnerabilities and subsequent fixes should be reported promptly to integrators, who should, in turn, patch end-user systems.  

Similarly, integrators can partner with third-party cybersecurity penetration firms that use threats or techniques beyond what is available in vulnerability libraries. These external reviews can be offered with a fee or other form of RMR attached.

Integrators should also instruct end-users to periodically spot check the log files from individual security devices, VMS software, firewalls/VPNs, and related components of the security network to help point out signs of attack or intrusion. In many cases, attack attempts can be noticed before access is gained, and appropriate actions can be taken to keep attackers out of the network. If attackers did gain access, log file review may help to identify the scope and source of the attack.

On-Premise Video Storage and Closed Networks

Despite the convenience of cloud storage, it is typically not as secure as on-premises storage, and recent cyber breaches, which the Verkada breach specifically shed light on. With cloud-based video storage, where video is hosted and stored on a remote online server through the Internet, there is greater exposure and opportunity for login credentials to be compromised as well as for attacks by external hackers. On-premises storage solutions – when all servers and client workstations are located onsite – means that only authorized company personnel can review and manage physical security devices, and no one outside of the network can gain access to devices on the network. Additionally, when edge devices are on a closed network separate from a customer’s corporate network, the security solutions are separated from external, internet and remote access – ultimately strengthening the security system’s defense against outside attacks by closing off the attack surface area to other parts of the network.

While closed networks are generally less feasible for smaller clients, enterprise integrators targeting highly secure facilities in critical infrastructure and other entities managing sensitive information should present an on-premises video storage and closed network option as a strong alternative to the cloud.

NDAA Compliance

Beyond utilizing equipment with cyber defenses, 64 percent of integrators who participated in the 2019 Security Business State of the Industry survey (access it at www.securityinfowatch.com/21111490) indicated that a vendor’s country of origin impacts their decision to recommend or buy a product.

The National Defense Authorization Act (NDAA) was certainly one catalyst for this finding – specifically Section 889 of the bill, which prohibits government agencies from procuring or using equipment produced by Hikvision, Dahua, Huawei, ZTE Corporation and Hytera Technologies for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes.

Consequently, many integrators and manufacturers shifted to other trusted vendors (Read more on this shift at www.securityinfowatch.com/21149274).  

A Moving Target

While these recommendations are useful, it is important to remember that cybersecurity is an evolving process and typically depends on variables specific to a site, installation environment, or use case. Thus, no universal playbook of recommendations or procedures exists.

That said, implementing these four recommendations will provide, at minimum, increased cyber hardening features and practices relative to common default installation programs – a valuable foundation for cybersecurity that can help security directors feel less vulnerable.

Kai Moncino is Strategic Global Business Development Manager for FLIR Systems Inc. Request more info about the company at www.securityinfowatch.com/10213696.

About the Author

Kai Moncino

Kai Moncino is Strategic Global Business Development Manager for FLIR Systems Inc. Request more info about the company at www.securityinfowatch.com/10213696.