Industry Voice: Assessing the State of Video Surveillance Device Security

March 25, 2019
JCI’s Williamson provides insights into security system fact and fiction

The steady migration of video surveillance systems onto organizational networks and the growing vulnerability of IoT devices present technology challenges to security professionals all along the solutions food chain. For vendors, building security into their video devices creates a resiliency that endures throughout the product’s lifecycle and provides systems integrators trusted technology they feel safe specifying for end-user clients.

Editorial Director Steve Lasky recently sat down with Johnson Controls’ Jon Williamson to get his assessment of the state of security in the video surveillance world. Williamson is the Director of Cyber Solutions for Building Technologies & Solutions at Johnson Controls, a global diversified technology and multi-industrial leader serving a wide range of customers in more than 150 countries. Jon holds a Bachelor of Science degree in Mechanical Engineering from the University of New Hampshire and is a ISC2 Certified Secure Software Lifecycle Professional (CSSLP) and ISA/IEC 62443 Cybersecurity Expert.  He has a diverse background with over 24 years of experience in operational technology, as an integrator, a product manager and a technology officer. As the Director of Cyber Commercialization, Jon is focused on creating and driving go-to-market strategies for Cyber Solutions at Johnson Controls. He can be reached at [email protected].

Q&A

Steve Lasky: What role does the video surveillance technology vendor play in ensuring the solutions they are providing to clients are safe and secure? How do they achieve these goals?

Jon Williamson: It’s important that a vendor has a strong cybersecurity program that not only places safeguards within the product but is also a holistic program that will assure the product is resilient throughout its entire lifecycle. This includes from the point of initial development and requirements phase through testing before it is released to the market as well as the secure deployment of those devices, along with their ability to respond to new threats with patches and upgrades throughout its serviceable life.

Tyco has established product policies to govern this secure development lifecycle and to ensure these policies are always applied to products we release. We’ve taken measures such as having a dedicated team of experts who are available to assist with each of our product teams and have appointed security champions embedded in those teams to assure the policies are carried through. We also maintain a dedicated incident response team to address any issues as we believe that cybersecurity requires a comprehensive initiative and is not to be taken lightly.

We also believe that part of a vendor’s role is to alert end users as soon as there is a new threat advisory with communications covering mitigation, available patches and updates that can address the concern. A push notification security advisory is available to all our customers who register.

System integrators should also be educated about secure planning, deployment and maintenance procedures and we offer training in these areas. Most importantly, integrators should be versed in the operational technology angle of cybersecurity to complement general knowledge validated by cybersecurity certifications.

Lasky: What are the main points of risk that end users performing a risk assessment on their organization’s video surveillance system should look for? What do you perceive as the most dangerous current threats to an IP-based video system?

Williamson: When looking for threats you need to look at the entire threat landscape, which can be broken out into three focus areas. First are external threats. This is the internet hacker trying to penetrate the building and take control of any device that they find, which can include cameras and video recorders. Next is the internal threat. Most incidents are generated by an internal actor vs. an external actor, and even though a camera or Network Video Recorder (NVR) may be isolated from other parts of the network, there is still risk from internal threats.  The third component is the unintentional threat. Despite best intentions, systems can be misconfigured and mismanaged, resulting in an easier target for the attacker.

It’s important to remember that there will always be hackers and internal people who will try to do harm, so their behavior is not within your full control - but their impact can be minimized via good defenses. As the system owner, what is usually easier to control are the unintentional threats. To mitigate these threats you can ensure you have good system design, good cybersecurity processes in place and compliance with company policies.

While the internet hacker is the most obvious threat, the internal threats may pose a greater attack risk, such as when employees or service technicians share credentials. If the service technician shares credentials between multiple people when someone leaves the service company that person may still have access to the system. Another common area of risk is assigning administrative privileges to too many people. Everyone on a surveillance system should be configured so they have the least privilege authorizations based on a “need to know” basis. For example, a lab manager should only have access to video of his specific department, not other areas within the building.

Lasky: What are some of the most basic overlooked security risks for networked video?

Williamson: By far the most basic and overlooked risk in network video is the default password and users not changing the default credentials when deploying a new device. Our systems and devices have measures in place that force users to change default passwords when configuring a new device. In fact, we’ve seen legislation from states like California that would stipulate that products must be shipped with a unique password or they must force the user to change the default password during setup, so there are some steps in the right direction being taken.

Lasky: With video being just another edge device in the growing IoT world, explain some of the best practices that should be employed when an organization implements its process and procedures to protect its entire video system, be it at rest, in motion or in use.

Williamson: We have had smart connected cameras and NVRs for decades now and attackers are trying to leverage the explosion of more connected devices to do harm. The best defense is to limit the attack surface. The more features on a device that you turn on and the more points of access that are enabled on a device, the larger the attack surface. This is just like doors and windows in your home. If you have a door in your house that you never use you should always keep that door locked. You don’t need every port on a device to be open and you should only keep open the ones that are needed.

Lasky: Does cloud migration increase video system vulnerability? Why or why or not?

Williamson: This is a common misconception about cloud that it is inherently riskier. There is a secure cloud and there is an insecure cloud, just as there are secure and non-secure on-premise deployments. Cloud-based solutions need to be analyzed just like on-premise deployments. Don’t assume you are going to get more or less protection by going with one solution over the other. While there are some inherent protections that the cloud might provide in terms of perimeter defense, such as when you use a platform like Amazon Web Services (AWS) and Microsoft Azure, that does not mean your specific application running in the cloud maintains a sufficient level of protection. Remember that a network is only as secure as its weakest link, and the same mantra holds true for cloud.

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]