Users of IP connected CCTV systems should be taking cyber security seriously, members of the British Security Industry Association’s CCTV section have warned.
In a front page article in The Times on Friday, September 16, Nigel Inkster, former Director of Operations and Intelligence at MI6, was quoted raising concerns about the threat to national security through vulnerabilities in IP (Internet Protocol) connected CCTV systems. While the integration of video surveillance with IP networks carries significant benefits – including offering potentially cheaper and easier installation, the ability to distribute video images more widely and the ease at which additional cameras can be added to the network later – they are also potentially vulnerable to cyber attacks, the BSIA says.
Unsecured cameras can become the weak link that provides hackers with an entry point to a network. From here, the risks to businesses may include: sabotage, such as disrupting operations, potentially leading to lost productivity and revenue; stolen personal data, such as financial or health information, potentially resulting in loss of customer trust, denigration of brand, and ultimately lost profits; stolen intellectual property or trade secrets, such as marketing plans or research and development data that could result in a loss of competitive advantage; extortion, where the company or individuals pay ransom to regain access to their system or data; regulatory action or negligence claims, such as penalties from a government agency or civil lawsuits, the association points out.
Mitigating these risks must be a priority for each party involved in the supply chain. Manufacturers should ensure that accidental design or implementation errors are kept to a minimum and that systems are regularly scanned for vulnerabilities. They should be proficient in secure coding and testing procedures and should ensure that their products are capable of supporting the stringent controls necessary for secure network communication. This may include:
End to End Encryption with SHA-2 & TLS
Encrypted database communication
System auditing, alerting and management
Denial of service protection
Restriction of ports, protocols and services
Highly customisable user access and permissions; and
Archive, failover and high availability.
Chairman of the BSIA’s CCTV section, Simon Adcock, says: “Responsible installers and integrators will conduct a risk-based approach to any system design, taking into account the origin of the hardware in the design and whether this presents potential risk to the customer. Anyone who is designing a system or making decisions on behalf of an end user should be considering the security of the hardware they are installing, ensuring that it is robust and manufactured responsibly. Responsible installers will also ensure that the system they have installed is protected from cyber attacks by changing manufacturer’s default system credentials.
“Ultimately, an end user must take responsibility for the security of their network. When procuring an IP connected surveillance system, end users must use the services of a reputable installer / integrator that is fully committed to best practice. They should also ensure that they have comprehensive cyber security and information security policies in place.”
Visit www.bsia.co.uk.
