Which Direction Should You Go? The Intersection of Cyber and Physical Security

You may be great with security and surveillance, but what about protecting the networks your customers’ video or other sensitive data and information is riding on? Are you selecting the correct products, cyber-hardened from the ground up to ward off attacks, and adopting installation and networking practices that proactively address potential issues? It’s a new world when it comes to cyberthreats, and providing IT-level expertise will be a necessity to win over customers and attain future profitability.

In any security installation, your customers—facility owners, school administrators, corporate security, homeowners and others—probably inquire early on about cyber protection plans. It’s not only video that requires attention. Any device riding on the network and using open communications, such as Wi-Fi, requires attention.

The widespread nature of cyberthreats continues to play out every day. In April 2018, a consumer reported that his daughter’s identity was stolen, not through an illegal skimmer but through the store’s video surveillance system. Apparently, a hacker read the card and PINs from footage to get the necessary information for the takeover.

That’s just one small example of the problem’s magnitude, which also extends to your internal company networks with sensitive customer data. 

A major manufacturer of CCTV cameras, DVRs and other devices was recently forced to issue an emergency software patch to its connected devices because of vulnerabilities. It found camera models from another provider had a severe security flaw and called the firm to issue a repair. A global maker of IP cameras was accused of having a “back door” that left households and businesses vulnerable to uninvited viewers looking into their homes and protected premises through their surveillance devices—open for the world to see. 

Increased integration between devices, the booming internet of things (IoT) and billions of connected smart sensors, which communicate and of which security is a part, can pose a significant cybersecurity risk, so security contractors need to establish procedures to protect information streaming back and forth. In addition, as physical security installations are increasingly integrated with the IT infrastructure, instead of being segmented to their own network or VPN, it’s expected that precautions need to be taken before a security project gets inked.

Selection of product

Rob Simopoulos, co-founder and partner at Launch Security, Portland, Maine, said there can be significant differences in the way each manufacturer goes about securing devices.

“As you select the products you are going to deploy, make sure you ask the questions of the manufacturer in regards to what they are doing to harden their solutions,” he said. “Many manufacturers are now providing cyber-hardening deployment guides that match with their products. Have your team educated on those guidelines, and follow them in your installations. Slide away from manufacturers who don’t take cybersecurity of their products seriously.” 

Simopoulos also advised a review of UL 2900, Standard for Software Cybersecurity for Network-Connectable Devices.

“See if the products you are installing are working towards meeting these guidelines,” he said.

Interconnected devices can be vulnerable to cyberthreats, in particular through the vector of software used to manage them, according to Ken Modeste, director of connected technologies at UL, Northbrook, Ill. 

“Securing the supply supports hardening of supply chain components for resilience to attacks, and UL believes third-party testing and certification around robust standards like UL 2900 that involve product testing and performance can provide that capability,” he said. “A third-party review of potential product security solutions and risks, such as UL’s Cybersecurity Assurance Program, can help assess potential vulnerabilities as you search for a secure supply chain.”

The good, the bad and the unknown

“Utilizing network-enabled devices provides many benefits to security integrators and end-users,” said Yotam Gutman, vice president of marketing, SecuriThings, Israel. “It is now possible to deploy multiple sensors in remote locations with ease and access all surveillance equipment on the go.”

However, inherent risks need to be considered.

  • Network intrusion: An intruder can use a connected security device to gain access into an organization’s IT infrastructure and utilize it for a full-scope cyberattack.

  • Bypassing security apparatus using cyber means: Intruders gain access to a CCTV network and manipulate it to break in and leave without a video-trace, all while the guards are watching prerecorded footage in a loop.

  • Infected security devices used for nefarious means and to infringe privacy: Even a secured network can be compromised by pre-installed malware that can be remotely activated. IoT devices are often timed sensors that capture footage, sound and other information (such as building entrance and exit patterns). As such, a hacked device could be used as a small connected computer and the information captured, sold or used for nefarious ends, from extortion and preying on innocents to planning physical intrusion.

  • Damage to the device, low availability: IoT devices infected with malware are operating in a manner that far exceeds the device’s planned use. These devices could be infecting other devices to “recruit” them to their botnet, participating in denial-of-service attacks or mining cryptocurrencies. Such activities put considerable strain on the devices, causing disconnections, malfunction and even breakage, which requires frequent, expensive maintenance and replacement.

Gutman added that contractors need to make sure devices they purchase and install are properly configured and have basic security features.

“IoT devices need to be connected in a way that permits access only to their owners,” he said. “Having robust passwords is important, as well as managing the users who are accessing the information. Whatever you do, don’t leave the device with the default settings and passwords.”

“As a contractor, you must do the best you can to ensure you are following best practices to keep your company, customers and employees protected from cyber breaches,” Simopoulos said. “Contractors have lots of sensitive data they must protect on their network, much of it customer related. Customer facility floor plans (some high risk), network topology designs, IP addresses and device details are just a few examples of data that resides on your network.” 

Security providers also need to get their own house in order.

“You may have or may begin to see your customers asking about what your cybersecurity hygiene looks like at your company before they work with you, and third-party cybersecurity vendor reviews are beginning to grow in the standard contracting process,” he said. “Contractors are beginning to see questions appearing on RFPs across the country requesting information on what their cybersecurity practices are. In the end, you are protecting your customer’s data, sometimes remotely connecting to their systems, and they have a right to ensure you are doing it correctly.”

In addition, a separate discipline of provider is emerging that can assist low-voltage contractors in developing a comprehensive cybersecurity program that includes developing policies and plans, conducting assessments to tell you where you stand and training your team on the latest threats and attacks to look out for.

“Not all devices need to be connected to the internet,” Gutman said. “Consider whether the risk outweighs the potential benefits. Having a device connected to a local network greatly reduces the ‘attack surface’ it presents to potential hackers.”

About the Author

Deborah L. O'Mara

Freelance Writer

Deborah L. O’Mara is a journalist with more than two decades’ experience writing about security, life safety and systems integration, and she is the managing director of DLO Communications in Chicago. She can be reached at dlocommunications@gmail.com...
