Security systems solutions are designed to keep customers and their facilities safe, detect intruders, and obtain visual evidence and identification. But with growing integration between sensors and devices through the Internet of Things (IoT), the industry is on high alert that security devices might not be secure enough.
In most vertical markets, the stakes are high when it comes to data loss. In critical infrastructure, users risk heavy regulatory fines for compromised or disrupted video. In retail markets, users rely on video to avoid liability and loss, and in healthcare, privacy regulations such as the Health Insurance Portability and Accountability Act require video streams separate from personal data.
Network vulnerabilities may include distributed denial-of-service attacks, which overload networks with frequent or high volumes of traffic or requests until it is no longer functional; malware, which can be used to steal or destroy data when introduced to the system through email or software downloads; password attacks and attempts to steal users’ passwords to gain system access; phishing, which tricks users through a trusted third-party into sharing sensitive data; and ransomware, a type of malware that locks users out of their system.
In January, according to The Washington Post, hackers circumvented video-surveillance storage devices and infected recording units with ransomware just days before the presidential inauguration, causing Washington, D.C., police and city officials to scramble to reinstall units. City officials said ransomware left police cameras unable to record between Jan. 12–15. This cyberattack affected 123 of 187 network video recorders in the city’s public surveillance system.
According to the Federal Communication Commission’s Cybersecurity Risk Reduction white paper, issued on Jan. 18, “reasonable network management must include practices to ensure network security and integrity, including by addressing traffic harmful to the network such as denial-of-service attacks.” The white paper expressed concerns about the “burgeoning and insecure IoT market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.”
Access control systems and communications may also be compromised.
“Cyberspace is an inherently hostile environment and safeguards have to be built-in,” said Adam Firestone, senior vice president of Solutions Engineering for Secure Channels Inc., Irvine, Calif. “You don’t just build a system and slap defenses on top of it. You have to build resiliency from the beginning and demand that from manufactured systems.”
Opportunity and differentiator
Salvatore D’Agostino, CEO, IDmachines LLC, Brookline, Mass., said managing risk through securely configured security solutions is becoming critical and will be a differentiator in the marketplace for security providers. IDmachines provides consulting, integration services and technology for identity and credentialing. It recently launched the Eidol technical automation platform to address cybersecurity.
Manufacturers are looking for ways to automate and provide cybersecurity hardening through product.
“The move to open topography can cause cyber vulnerabilities in everything from video to access control proximity cards to Wiegand communications,” D’Agostino said.
One important standard in access control that contractors should look for is Open Supervised Device Protocol secure bidirectional communications that allows peripheral devices such as card and biometric readers to interface with control panels or other security management systems. Another method to protect communications from controller to network is Transport Layer Security 1.2.
The Security Industry Association (SIA), Silver Spring, Md., is taking a proactive approach, creating the SIA Data Privacy Advisory Board. The board will include stakeholders from within and outside the security industry to develop and promote guidelines to enhance the security of sensitive data. Designed to promote best practices at every level, the board will work with manufacturers, integrators, end-users and others.
“Security devices must never be security vulnerabilities,” said Don Erickson, CEO, SIA, in a written statement. “The SIA Data Privacy Advisory Board will help SIA member companies and others better understand the threats to their data and the best ways to mitigate risks to secure their customers’ information.”
ECs must do their part in making security-system installations safer. Start by asking manufacturers and suppliers about safeguards and consider the installation of separate network infrastructures for security and video surveillance. Insist that clients install firewalls and antivirus software and protect all networks and devices with two-factor authentication, which is a process of providing a complex password and using a device or credential unique to the individual. Train technicians on cybersecurity best practices and make it part of the philosophy of the company’s physical security division. It’s an important exercise that will add value to operations and future sales.