I constantly receive this same question at security conferences, and I hear them in discussions whenever the subject of camera management is raised by people who are responsible for hundreds, thousands, or tens of thousands of cameras.
Q: How can we manage the firmware updates and user account passwords for our 357 network cameras? Right now, it’s a 100 percent manual task, and we are not able to keep up with it.
A: Most organizations with large numbers of cameras can’t keep up without incurring a huge labor cost that’s out of proportion to the cost of the camera system. It’s typically been a lost cause. Now, however, if you have AXIS cameras with firmware 4.40 or later, you can use the newly-released free AXIS Device Manager software.
This is the biggest news for video surveillance systems that the security industry has seen since the network (IP) camera was introduced by AXIS in 1996. The AXIS Device Manager (https://www.axis.com/us/en/products/axis-device-manager) is an on-premise tool that positively impacts several aspects of camera management:
- Cybersecurity: A network of thousands of cameras can be automatically hardened per the Axis hardening guide and kept up to date with automatic firmware updates. Device Manager enables centralized IP address management, account, password and digital certificate management for HTTPS and 802.1x certificates.
- Documentation: Device Manager automatically scans the network and locates all online AXIS devices, including audio and access control devices, creating a database of devices and their configurations.
- Backup and Restore: Camera configuration settings can be backed up for later quick restoration.
- Deployment: Settings from one configures camera can be partially or completely copied to multiple other cameras.
- Auditability: Device Manager maintains an activity log with sort and search functions showing performed actions and changed device status.
- Total Cost of Ownership: The manual labor involved in deploying and maintaining cameras is significantly reduced.
I have seen the embarrassment caused to security managers and directors, when they have had to explain to IT personnel or higher-ups that the camera system in which their organization has invested hundreds of thousands to millions of dollars doesn’t meet IT department requirements, can’t be secured like the organization’s other computer and network systems are, and has huge labor costs involved in keeping the camera firmware up to date. Now, this can come to an end.
Moving Beyond the Status Quo
At one-time system, security was mostly thought of as “bolted-on” protection rather than something built into products. That is outdated thinking. For over a decade after network cameras were introduced, if you questioned a camera vendor about camera cybersecurity weaknesses, the standard vendor reply was, “We expect you to install the cameras on a secure network.” From a historical perspective, this is understandable, due to the decades-old mindset established by CCTV (closed circuit television) cameras. Cameras were connected directly to display monitors and/or recorders. Video was viewed from a single monitoring room. Initially, network cameras were looked upon as a replacement for CCTV cameras and were installed on closed local area networks. Enterprise networks of the kind and capacity that we have today didn’t exist at that time. Putting video onto a corporate network wasn’t feasible.
Then networks changed and networked cameras changed, but even though cameras became computers with operating systems and built-in web servers, the video industry has been slow to adopt computer and network security designs and practices.
Given the nature of today’s technologies and the threats against them, security is now an important part of the design of any networked product. Thus, cybersecurity engineering is a rapidly growing field (see https://www.cert.org/cybersecurity-engineering/) and has become a critical aspect of the design and manufacture of any electronic security system application or device. The “Building In Security Maturity Model” (https://www.bsimm.com/), originally developed in 2009, is now in its eighth iteration.
Vendor Responsibility
Securely deploying an electronic security system is the responsibility of the installing integrator. However, it is the responsibility of the vendor to manufacture securable products, to provide guidance on how to perform secure deployment, and most importantly – to make products manageable at the scale to which they are being deployed. To date, the lack of large camera system manageability has been the primary shortcoming of security video cameras.
Hopefully, other manufacturers will follow the example of AXIS, and the Security Industry Association will develop standards so that customers with multiple brands of cameras (or any type of networked security system device) can use a single application to manage them all, with vendors contributing the data or software module components required for third-party application support.
End-user customers need to be able to use automated tools to monitor and manage their systems, something that IT has been doing for decades. Hats off to ASIX Communications for breaking ground in this important area of electronic security system deployment.
Write to Ray about this column at [email protected]. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Ray is an active contributor to the educational activities ASIS IT Security and Physical Security councils. For more information about Ray and RBCS go to www.go-rbcs.com or call 949-831-6788. Ray is also a member of the Content Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). Follow Ray on Twitter: @RayBernardRBCS