

Mike Gillespie

Understanding of cyber risk

Regular readers of Professional Security Magazine will have seen my previous articles on the growing proliferation of the use of CCTV in the UK, or, as it should now more accurately be called, Surveillance Camera Systems.

If the vast numbers of vendors peddling their wares at the many physical security events across the UK this year are anything to go by, then this growth in the deployment of surveillance systems shows no sign of abating just yet. What was also interesting to note was the ever-increasing sophistication and capability of the software used to control, manage and integrate these systems with other security and building management systems. Finally, vendors talking about cyber security were conspicuous by their absence. Sure, there were the odd rumbles about what amazing levels of encryption this device had or that DVR used; there were even some manufacturers claiming to now have secure communications between their command and control software and various devices; and numerous manufacturers were adopting the word ‘cyber’ when what they really meant was IP technology.

The UK is widely acknowledged as being one of the world’s leading deployers of surveillance camera systems, and it is hard now to walk down any major high street without being monitored on numerous systems, a point often made by campaigners and privacy advocates alike.

If my years working in both physical and cyber/information security have taught me anything, it is that things do not stand still, that change is an inevitable part of life, and in security this is especially so, with new threats emerging all the time.

Surveillance systems are increasing in both number and technical complexity; this is expanding the threat potential, and sometimes the threat is not local but comes from cyberspace. Cyber criminals and opportunists alike continue to exploit vulnerabilities that exist in these surveillance systems: vulnerabilities that have been highlighted on numerous occasions over the last few years; vulnerabilities that last year enabled DVRs to be part of one of the biggest ever Distributed Denial of Service (DDoS) attacks, when the Mirai botnet took down a host of social media, corporate and communication systems; and vulnerabilities that this year enabled ransomware to effectively disable the surveillance capability in Washington DC in the run-up to the inauguration of President Trump.

DDoS and ransomware are just two of a growing number of examples of cyber attacks on non-mainstream IT systems, including surveillance systems. Surveillance systems may also offer a less challenging way into other, more secure networks, such as corporate networks, and indeed, the nature of connectivity these days means that a vulnerable surveillance system could even be inadvertently posing a threat to our wider supply chain partners.

So, why are these systems so attractive to attackers, and why are attacks so successful? The simple answer is that these systems are not being designed and built to be secure. That’s right: our security systems are not secure by design, and in many cases come out of the box horribly insecure. Often this is exacerbated in part by the complexity of the supply chain, with software and boards being bought in from a range of sources without adequate quality management to ensure that they offer a degree of security. In some cases there is embedded firmware that is vulnerable to attack, with no viable means for the manufacturers to update it to a more secure version. In other cases there are hard-coded usernames and passwords, perhaps as simple as ‘admin’ and ‘password’, built into software, and these cannot be changed. And in far too many cases, in today’s convenient world of plug and play, they are being installed and configured by people who subsequently leave all of the components with their default settings, including easy-to-guess passwords. All of these are security basics; they are easily remedied, and in remedying them we at least offer up some resistance against attack.
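The weaknesses listed above (default or hard-coded credentials, firmware with no update path, components left on factory settings, and devices reachable from outside the site network) are all things an estate owner can check from an inventory before an attacker finds them. The script below is an added example, not part of the original column or of any vendor's product: it audits a constructed sample inventory of cameras, DVRs and a VMS server and ranks each device by the basic findings the column describes. The device records, the field names and the ‘admin’/‘admin’ and blank-password pairs are assumptions added for illustration; only ‘admin’/‘password’ comes from the text.

```python
"""Audit a surveillance-device inventory for the basic weaknesses the column lists.

Added example with constructed data; it reads inventory records only and never
connects to a device.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Factory-default credential pairs. 'admin'/'password' is the pair the column
# cites; the other two are assumed examples added for illustration.
DEFAULT_CREDENTIALS = {("admin", "password"), ("admin", "admin"), ("admin", "")}


@dataclass
class Device:
    name: str
    kind: str                  # e.g. "camera", "dvr", "vms"
    username: str
    password: str
    password_changeable: bool  # False for accounts hard-coded in firmware
    firmware_updatable: bool   # False when the vendor offers no update path
    factory_settings: bool     # installer left the configuration at defaults
    internet_exposed: bool     # reachable from outside the site network


def audit_device(d: Device) -> List[str]:
    """Return one finding, with the remedy, per basic weakness present on the device."""
    findings = []
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        if d.password_changeable:
            findings.append("default credentials still set: change before commissioning")
        else:
            findings.append("hard-coded credentials: isolate device and raise with vendor")
    if not d.firmware_updatable:
        findings.append("no firmware update path: restrict network access, plan replacement")
    if d.factory_settings:
        findings.append("left on factory settings: apply hardening baseline")
    if d.internet_exposed:
        findings.append("directly internet-reachable: move behind firewall/VPN")
    return findings


def risk_level(d: Device, findings: List[str]) -> str:
    """Rough prioritisation: a default-credential device that is also reachable
    from the internet is the Mirai-style case the column describes."""
    credential_issue = (d.username, d.password) in DEFAULT_CREDENTIALS
    if credential_issue and d.internet_exposed:
        return "critical"
    if credential_issue or d.internet_exposed:
        return "high"
    if findings:
        return "medium"
    return "low"


def audit_inventory(devices: List[Device]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each device name to its risk level and list of findings."""
    report = {}
    for d in devices:
        findings = audit_device(d)
        report[d.name] = (risk_level(d, findings), findings)
    return report


# Constructed sample inventory (not real devices). Field order after the
# credentials: password_changeable, firmware_updatable, factory_settings,
# internet_exposed.
SAMPLE_INVENTORY = [
    Device("dvr-01", "dvr", "admin", "password", False, False, True, True),
    Device("cam-lobby", "camera", "admin", "password", True, True, False, True),
    Device("cam-carpark", "camera", "ops", "Xk3!qv9R", True, True, False, False),
    Device("vms-server", "vms", "svc_vms", "L0ng-Passphrase", True, True, True, False),
]

if __name__ == "__main__":
    for name, (level, findings) in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {level}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script, it lists the DVR with unchangeable default credentials and no update path as the critical item, the lobby camera (default password, still changeable, but internet-reachable) as critical too, and the VMS server left on factory settings as medium. The point of the ranking is the one the column makes: the fixes are basic, so the audit's job is to show which of them to do first.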

We can see, then, that getting cyber security in surveillance systems wrong could have disastrous consequences. This is why I leapt at the opportunity when the UK Surveillance Camera Commissioner asked me to lend my cyber security experience and understanding to the National Surveillance Camera Strategy working group and to lead on drafting a cyber guide for surveillance cameras.

The work that has already been done on this strategy is so solid and well done that it gives us a great platform to build on and move forward. The change in how we use, manage and secure cameras needs careful guidance and a good framework. I welcome and support all of the work being done by Tony Porter and all of the Strand Leads working to improve standards in this area. It takes us in the right direction, and I encourage the security industry to get on board and adopt its recommendations.

The bad guys are currently winning, and, through our lackadaisical approach to cyber security, we continue to make ourselves, and everyone that our surveillance system connects to, easy targets. We need to have an understanding of cyber risk at every stage of our surveillance system lifespan: manufacture, specification, procurement, installation, lifecycle management and maintenance.