Ray Bernard’s March 2019 update on physical security industry product and system hardening guides.
The physical security industry lags the IT industry by five years in terms of adopting information technology for electronic security systems. Figure 1 to the right is one perspective on that from Brivo Systems. However, the security industry’s adoption of IT practices lags even further behind – as long as fifteen years when it comes to computer and network security issues.
Thus, even though the industry has been putting devices onto corporate networks for over 20 years, manufacturers (with one primary exception, Axis Communications) did not start producing hardening guides for their products and systems until 2016.
In the past two years over two dozen companies have taken cybersecurity for physical security systems seriously. Let’s see what we find at ISC West 2019.
Cybersecurity Wakeup Call
2016 was also the year when networked security video deployments were hit hard by hacker malware. 1.5 million networked cameras and recorders were infected and commandeered into hacker botnets. Several highly publicized infections occurred between late 2016 and mid-2017, as reported by Krebs on Security, Forbes, Penta Security, Trend Micro and many others.
Several security industry manufacturers have also had product vulnerabilities publicly reported by security researchers, and most have responded well and are upping their cybersecurity game.
Taking Cybersecurity Seriously
As of March 2019 the following companies have published cyber security and/or product hardening guidance. One company provides a camera network hardening appliance. Congratulations to these companies for stepping up to the plate:
- Avigilon: the page “Avigilon Protection Against Cyber Vulnerabilities” provides descriptions of cybersecurity features including a bulk-camera-password-change capability (copy and paste this non-secure link: http://avigilon.com/news/security/how-avigilon-is-protecting-against-cyber-vulnerabilities/).
- Axis: Vulnerability policy, hardening guide and product security program information
- Bosch: IP Video and Data Security Guidebook
- Brivo: Brivo Onair® Information Security: A Detailed Review Of Assured Control (24 pages)
- Cisco: Cisco IP Video Surveillance Design Guide, Cisco Guide to Harden Cisco IOS Devices, and other online guidance.
- Dahua: Security policy and hardening best practices
- Eagle Eye Networks: Cyber Safe Best Practices, cybersecurity blog, and Cyber Lockdown feature
- Genetec: Hardening guide
- Hanwha Techwin: Cyber Security page with a Network Hardening Guide, a Cyber Security guidance white paper, and their Security Vulnerability Disclosure Policy
- Hikvision: Cybersecurity Center
- Honeywell: Pro-Watch Software Suite Security Manual
- IndigoVision: Control Center Hardening Guide (21 pages), requires simple registration. Also check out the IndigoVision CyberVigilant product, a surveillance camera network cybersecurity appliance.
- Johnson Controls: Cyberprotection Program (This section of the website includes: Cyber Learning – hardening guides and other guidance, Product Security Advisories – including a link to IT and security-related best practices, and Product Security Program – including a very informative presentation file and a cyber-smart building paper)
- Lenel Systems: OnGuard 7.4 Hardening Guide (68 pages)
- March Networks: Product Hardening Guide and GDPR Guide
- Mercury Security: Mercury Security Hardening Guide
- Milestone: Hardening guide
- MOBOTIX: Camera, VMS, NAS Cyber Protection Guide
- OnSSI: Hardening guide
- Pelco by Schneider Electric: Cybersecurity Information and Resources, a page that includes Cybersecurity Support Portal, Schneider Electric Vulnerabilities Management Policy, and Cybersecurity White Papers. For some unknown reason, no camera hardening guide is provided.
- Razberi: Razberi CameraDefense is not a hardening guide but an automated appliance for hardening camera networks.
- Salient: Video Surveillance Systems Hardening Guide
- SONY: Network Video Management System Hardening Guide
- Viakoo: InfoSec white paper and 12-point video network security checklist, plus a new award-winning multiple-camera-brand Camera Firmware Update Manager product, with a Camera Firmware Password Manager coming soon.
- Vivotek: Security Information, Security Hardening Guide and Vulnerability Policy. On this page you’ll also find information about Vivotek’s alliance with cybersecurity company TrendMicro, whose IoT Security software Vivotek includes in cameras and NVRs.
What Customers Expect
Cybersecurity for physical security systems is a top end user and system integrator consideration, especially for security surveillance camera systems. Product cybersecurity documentation is more important than is generally realized. For example, for large corporate customers, the cybersecurity profile of vendors is a significant factor in the cost and scope of end user cybersecurity insurance policies, which are usually negotiated annually.
The cybersecurity maturity of an IT product vendor is typically evidenced by three things:
- Product hardening guide
- Vulnerability disclosure policy
- Documentation of key aspects of the vendor’s product security program, including the vulnerability handling policy.
If your product carries the CE mark (Conformité Européenne) indicating that the product conforms to all applicable European standards, you should read the downloadable report, Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges from the Centre for European Policy Studies.
The hardening guide is the highest priority, as it is proof of attention to cybersecurity and deployment support.
Some examples of documenting key aspects of a vendor’s product security program are:
- AXIS Communications: Cybersecurity web page
- Octopus: Security policy web page
- Johnson Controls: Product Security Program (a comprehensive and educational section of the website)
- Vivotek: Security Information, Security Hardening Guide and Vulnerability Policy (including an impressive 1-minute overview video)
The broadly publicized cyberattacks on cameras and recorders elevated the public awareness of the importance of product and system cybersecurity protections. Hardening guides are now a standard expectation for physical security systems.
What’s In a Hardening Guide?
The National Institute of Standards and Technology (NIST) in its Special Publication 800-70 Revision 4 (February 2018), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, states:
A hardening guide is “a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product.”
A good and practical hardening guide includes the following elements:
- Statement of vendor’s cybersecurity philosophy and commitment
- Guidance based on an industry-recognized cybersecurity framework, usually NIST SP 800-53 for federal systems and critical infrastructure organizations, or the Center for Internet Security’s Critical Security Controls
- Characterization of the deployment environments to which the controls typically apply
- Product configuration instructions, best done by reference to installation and/or user guides to minimize hardening guide document length and update requirements (meaning that referenced installation and user guides can be updated without having to update the hardening guide itself)
- Recommended use of product security features
- Considerations relating to deployment environment standard cybersecurity practices, such as IT networking requirements, use of corporate NTP time servers, and network device management
- Reference charts for network port and protocol usage
- Charts of as-shipped cybersecurity-related factory default product configuration settings
- An “About the Company” concluding page with contact information
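The NIST definition above covers verifying that a product has been configured properly and identifying unauthorized changes. The following is an added illustration, not code from the article or from any vendor, of how the guide's port/protocol chart and factory-default chart can be turned into a baseline and checked against a device's read-back configuration; the baseline values, device snapshots, hostnames and password hashes are all constructed.

```python
from dataclasses import dataclass

# Constructed baseline: the kind of values a vendor hardening guide's
# port/protocol chart and factory-default chart would supply.
BASELINE = {
    "allowed_ports": {443, 554},                    # HTTPS management, RTSP video
    "must_be_disabled": {"telnet", "http", "upnp"}, # services the guide says to turn off
    "ntp_server": "ntp.corp.example",               # hypothetical corporate NTP server
    "factory_default_hashes": {"deadbeef-constructed"},  # placeholder, not a real hash
    "min_firmware": (5, 2, 0),
}

@dataclass
class DeviceSnapshot:
    """Configuration as read back from a camera or recorder (constructed data)."""
    name: str
    open_ports: set
    services: dict          # service name -> True if enabled
    ntp_server: str
    admin_password_hash: str
    firmware: str           # e.g. "5.2.1"

def parse_version(text):
    """Turn '5.2.1' into (5, 2, 1) so versions compare in order."""
    return tuple(int(part) for part in text.split("."))

def check_device(dev, baseline=BASELINE):
    """Return the list of deviations from the baseline (empty list = compliant)."""
    findings = []
    for port in sorted(dev.open_ports - baseline["allowed_ports"]):
        findings.append(f"port {port} open but not in the guide's port chart")
    for svc in sorted(baseline["must_be_disabled"]):
        if dev.services.get(svc, False):
            findings.append(f"service {svc} enabled; guide requires it disabled")
    if dev.ntp_server != baseline["ntp_server"]:
        findings.append(f"NTP server {dev.ntp_server!r} is not the corporate server")
    if dev.admin_password_hash in baseline["factory_default_hashes"]:
        findings.append("admin password still matches a factory default")
    if parse_version(dev.firmware) < baseline["min_firmware"]:
        minimum = ".".join(str(n) for n in baseline["min_firmware"])
        findings.append(f"firmware {dev.firmware} below minimum {minimum}")
    return findings

def audit(devices):
    """Map each device name to its findings; rerun periodically to spot drift."""
    return {dev.name: check_device(dev) for dev in devices}

# Constructed sample: one camera hardened per the guide, one left as shipped.
HARDENED = DeviceSnapshot("cam-lobby-01", {443, 554}, {"telnet": False, "http": False, "upnp": False},
                          "ntp.corp.example", "a1b2-constructed", "5.3.0")
AS_SHIPPED = DeviceSnapshot("cam-dock-07", {80, 23, 554, 1900}, {"telnet": True, "http": True, "upnp": True},
                            "pool.ntp.org", "deadbeef-constructed", "5.1.9")

if __name__ == "__main__":
    for name, findings in audit([HARDENED, AS_SHIPPED]).items():
        print(name, "OK" if not findings else findings)
```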
Medium and large size organizations typically use a cybersecurity guidance framework that helps ensure their management of security risk covers the full range of cybersecurity controls that have proven to be effective. Two popular frameworks are the NIST Cybersecurity Framework and the Center for Internet Security’s CIS™ Controls. Because electronic physical security systems are built on information technology, including extensive use of IoT (Internet of Things) devices, both NIST and CIS are producing IoT-specific guidance materials and tools. NIST has launched its NIST Cybersecurity for IoT Program, and CIS has recently released its CIS Controls Internet of Things Companion Guide, which provides very clear guidance about the applicability of individual CIS controls to IoT devices and systems.
The Center for Internet Security just recently (July 11, 2019) released its CIS Controls® Microsoft® Windows® 10 Cyber Hygiene Guide, a white paper that you can download from this page.
Specifiers Are Taking Action
SecuritySpecifiers.com will post, for free, links to manufacturers’ hardening guides and cybersecurity guidance, as well as their Architect and Engineer (A&E) specifications.
SecuritySpecifiers is working on cybersecurity specifications language for inclusion in A&E specs, and will be submitting to the Construction Specifications Institute (CSI) recommendations for physical security system cybersecurity items for inclusion in the 2018 update of the CSI Master Titles and Numbers standard.
This year, hardening guides will become a mandatory manufacturer qualifications item for many security system projects.
I recommend getting a free subscription to Security Technology Executive magazine, where my upcoming articles about Cybersecurity for Security Systems appear.
If you are a security systems specifier and you’d like to contribute to the SecuritySpecifiers initiative, please do write or call me.