www.sptnews.ca

Features
The cyber war: no room to relax


June 26, 2019
By Neil Sutton
Neil Sutton
Mobotix's Cactus Concept.

When it comes to security camera systems, it might be fair to say that cybersecurity has moved from an afterthought to top of the agenda in the last few years, but that doesn’t mean anyone can sit back and say they’ve licked the problem.

Publicly acknowledged breaches, botnets and known vulnerabilities (some of them published on public websites) have changed the game for almost everyone in the security equipment business, whether they manufacture or program the tools, install them, or use them on an ongoing basis. There is a growing awareness that cybersecurity simply has to be a top consideration — and not only because the cameras themselves could be vulnerable to cyberattack. They could be the weak link in a network which could ultimately result in much greater damage, whether that means compromised data or a sullied reputation, or more likely both.

One of the first and biggest steps on this road to realization is acknowledging that today’s cameras are basically computers, with many of the same pros and cons.

“I would say, over the past three years, our customers’ knowledge and sophistication has changed pretty dramatically,” explains Brian Lipscomb, manager, advanced cyber solutions, for systems integrator Convergint Technologies. “In the early stages, it wasn’t as clearly understood that with security technologies, we are essentially installing computers on a wall. The difference between the camera and a laptop computer — they all carry the same pieces and parts and vulnerabilities.”

Around this understanding, a subset, or specialty within the overall security industry has developed: safe cyber practices that recognize that how a device is installed and maintained may be just as important as the job it was designed to do in the first place.

German surveillance manufacturer Mobotix refers to this as the “Cactus Concept” — a set of guidelines the company publishes for the benefit of installers and end users. “The actual cyber protection guide that we offer is pretty thorough,” says Joe Byron, vice-president of sales, Americas, Mobotix.“I’ve been in the industry a while, and I’m not going to name names, but I think this is stronger than most out there, in terms of hardening our solutions.”

Byron elaborates that the Cactus Concept is both a mindset, in terms of best practices and white papers, but also a technology solution offered through product development and safeguards. The company provides some assurances, for example, by penetration testing some lines of its products via a third party.

It’s also a matter of choosing one’s partners carefully, adds Byron, invoking a Reagan-era catchphrase “Trust but verify.” He says the company aligns itself with technology and integration partners who share a similar mindset and “want to become an extension of our Cactus Concept…. We must be diligent about choosing the right technology partners to move forward with. It’s a dynamic process to stay up on these partners.”

Niall Jenkins, consulting associate director, security and building technology at research firm IHS Markit, says this best practices approach has become more common in the vendor world and many “now offer a program to improve the cybersecurity of their devices and software. Often this process starts with the training and education of their integrator and end-user partners.”

He says that vendors are more likely to offer encryption and consider how their products interoperate with others in the technology chain. “All of this activity is driving improvement in the cybersecurity of video surveillance products.”

Lipscomb also believes a number of technology vendors have stepped up their game in recent years and there is a realization that the stakes are much higher today. “They know that the products are creating additional threat footprints for our clients, so they’re putting a lot more effort into developing products that have inherent security capabilities,” he says.

Those clients are also changing and today, many of the decision makers, when it comes to installing security equipment, work for the IT department, not the security department.

Working with IT

“We almost inevitably work with IT departments across the board on every new or existing installation. I would put that at the 90th percentile or greater,” says Lipscomb. “For the past few years, it’s been the standard. It’s been more prevalent once we transitioned from analogue to digital…. Before that, you didn’t touch firewalls and switches and routers and those kinds of things. Now that occurs on virtually every installation.”

The end user might be more attuned to potential cyber vulnerabilities, but they still rely heavily on outside expertise. “What you find is that there’s this gap in the middle [between manufacturer and user] that we have to fulfill to keep systems operational,” says Lipscomb.

The situation becomes more acute when dealing with a smaller customer who might not have the in-house resources or budget of an enterprise user with a large IT department at their disposal. “Our educational processes are much more important in those environments. They’re getting it, but it takes them longer to get there and it takes them longer to get budget,” he says.

Large or small, almost everyone needs help of some kind. Stanley Security, for example, offers a managed services program to help customers with their cyberhygiene issues on an ongoing basis. The company offers solutions for small and medium-sized businesses but also for enterprise customers that may own 250,000 cameras, says Lance Holloway, director of vertical technology for Stanley.

“There’s so much going on. It’s such a broad and fluid topic that I find that a lot of people that are not native to the IT world can get run over pretty quickly, or worse yet, they can get some false assumptions around if a single widget or device can take care of them when in reality they may need multiple layers of protection,” he says.

“The program for servicing, etc., starts with just basic password and firmware maintenance on all of your known devices and discovering, frankly, all the devices. There’s a couple of products that we can use that can basically find and detect security products and other IP devices on the network. And we usually do this in conjunction with another IT department or with transparent permissions. Some people are not happy with you putting something on their network that is going to begin sniffing out the network, because it behaves similar to an attack, so we need to make sure that’s done correctly.”

One of the biggest issues, says Holloway, is dealing with older equipment on the network — devices that a user may not even realize are still in the field and still potentially a weak link if not managed properly or removed.

“Once this report comes back, you may be aware of 100 devices that you put in last year, but there may be 30 more devices that one of your predecessors put in that are still out there. It could be a network video recorder still on Windows XP, which is actually more common than people would like to think,” says Holloway.

Reducing risk

Mountain View, Calif.-based software developer Viakoo builds “service assurance for IoT environments,” according to the company’s CEO Bud Broomhead. “We actually diagnose what the root cause of the problem is, then make a recommendation to the stakeholder as to how to fix it… Because it’s 2019, there’s a huge cyber aspect to the equation now.”

Viakoo introduced a password checker three years ago. But today’s cybersecurity is more than just regular password and firmware updates, he says. It’s also about documentation. “What’s happening in the system, any changes that are made to the system, who made the change… who authorized it to happen, when did it happen…? There’s a whole piece around compliance that we address as well,” he says. “Part of delivering service assurance is capturing an historical record of what the state of the edge device was at any moment in time. We keep that historic record, so it’s used by forensic auditors.”

While technology, awareness and implementation may be much improved when it comes to cybersecurity, there is no auto-pilot mode. Ongoing vigilance seems to be the key to a much lower risk profile.

And while cameras may have taken the lion’s share of attention when it comes to cyber-awareness in security systems, they are by no means the only vulnerable area.

“For the past year or so, there has been a real awakening that operational technology (OT), like building controls systems, building automation systems, as well as physical security systems, all have similar vulnerabilities to one another,” says Lipscomb at Convergint. He estimates that between 50 and 75 per cent of OT devices are not patched regularly or properly maintained.

“It’s really a culture shift,” adds Holloway. An upside of IP systems is efficacy in terms of network deployment which “was very attractive. We could put those items out there and see the green lights come on and everybody was very happy and we could go home. Now, with the lights coming on, we’re only halfway there.”

An ongoing program of maintenance and support is required, he says, whether that comes from the end user or a professional services organization. “That regimen has to be put into place.”

Cybersecurity awareness is “the highest it’s ever been,” says Mobotix’s Byron, “but it doesn’t mean we should let our guard down. The sophistication of the technology working against us could be even stronger moving forward.” 

This story appeared in the June/July 2019 edition of SP&T News Magazine.