This is Ray Bernard’s 2021 list of physical security industry product and system hardening guides.
The physical security industry lags the IT industry by five years in terms of adopting information technology for electronic security systems. Figure 1 to the right is one perspective on that from Brivo Systems. However, the security industry’s adoption of IT practices lags even further behind – as long as fifteen years when it comes to computer and network security issues.
Thus, even though the industry has been putting devices onto corporate networks for over 20 years, manufacturers, with one primary exception (Axis Communications), did not start producing hardening guides for their products and systems until 2016.
In the past two years over two dozen companies have taken cybersecurity for physical security systems seriously. Let’s see what we find at ISC West 2019.
Cybersecurity Wakeup Call
2016 was also the year when networked security video deployments were hit hard by hacker malware. 1.5 million networked cameras and recorders were infected and commandeered into hacker botnets. Several highly publicized infections occurred between late 2016 and mid-2017, as reported by Krebs on Security, Forbes, Penta Security, Trend Micro and many others.
Several security industry manufacturers have also had product vulnerabilities publicly reported by security researchers, and most have responded well and are upping their cybersecurity game.
Taking Cybersecurity Seriously
As of March 2021 the following companies have published cybersecurity and/or product hardening guidance. One company provides a camera network hardening appliance. Congratulations to these companies for stepping up to the plate:
- ACTi: Hardening guide titled ACTi Security Recommendations. This was actually released in November 2016, but I didn’t learn of it until January 2020.
- Avigilon: Although they don’t offer a hardening guide per se, see their website pages on cybersecurity for Avigilon deployments and on GDPR compliance; the latter has a downloadable two-page guide with detailed guidance for GDPR compliance.
- Axis: Vulnerability policy, hardening guide and product security program information
- Bosch: IP Video and Data Security Guidebook
- Brivo: Brivo Onair® Information Security: A Detailed Review Of Assured Control (24 pages)
- Calipsa: THE ESSENTIAL GUIDE TO VIDEO SURVEILLANCE CYBERSECURITY, a comprehensive Calipsa 2021 whitepaper.
- Cisco: Cisco IP Video Surveillance Design Guide, Cisco Guide to Harden Cisco IOS Devices, and other online guidance.
- Dahua: Security policy and hardening best practices
- Eagle Eye Networks: Cyber Safe Best Practices, cybersecurity blog, and Cyber Lockdown feature
- Genetec: Hardening guide
- Hanwha Techwin: the Cyber Security page has a Network Hardening Guide, a Cyber Security guidance white paper, and their Security Vulnerability Disclosure Policy
- Hikvision: Cybersecurity Center
- Honeywell: Pro-Watch Software Suite Security Manual
- IndigoVision: Control Center Hardening Guide (21 pages), requires simple registration. Also check out the IndigoVision CyberVigilant product, a surveillance camera network cybersecurity appliance.
- Johnson Controls: Cyberprotection Program (This section of the website includes: Cyber Learning – hardening guides and other guidance; Product Security Advisories – including a link to IT and security-related best practices; and Product Security Program – including a very informative presentation file and a cyber-smart building paper)
- Lenel Systems: OnGuard 7.4 Hardening Guide (68 pages)
- March Networks: Product Hardening Guide and GDPR Guide
- Mercury Security: Mercury Security Hardening Guide
- Milestone: Hardening guide
- MOBOTIX: Camera, VMS, NAS Cyber Protection Guide
- OnSSI: Hardening guide
- Pelco by Schneider Electric: Cybersecurity Information and Resources, a page that includes Cybersecurity Support Portal, Schneider Electric Vulnerabilities Management Policy, and Cybersecurity White Papers. For some unknown reason, no camera hardening guide is provided.
- Razberi: Razberi CameraDefense is not a hardening guide but an automated appliance for hardening camera networks.
- Salient: Video Surveillance Systems Hardening Guide
- SONY: Network Video Management System Hardening Guide
- Viakoo: InfoSec white paper and 12-point video network security checklist. Viakoo provides a cloud-based platform for IoT management, assurance, and cyber hygiene that includes an award-winning IoT Firmware Update Manager that works with multiple camera brands, a Digital Certificate Manager, and an IoT Device Password Manager.
- Vivotek: Security Information, Security Hardening Guide and Vulnerability Policy. On this page you’ll also find information about Vivotek’s alliance with cybersecurity company Trend Micro, whose IoT Security software Vivotek includes in cameras and NVRs.
- Zenitel: Its Cybersecurity Hardening Guide is based on the Center for Internet Security (CIS) Critical Security Controls. Additionally, Zenitel is a CIS SecureSuite Member and also provides information about its own cybersecurity practices. See the note below, which was inspired by Zenitel’s network planning documentation.
Network Planning Guidance
An indication of the IT maturity of a physical security industry vendor is the level of network planning guidance provided for systems whose networked devices span the full extent of a facility’s building network and especially where the devices must interact or be accessed across multiple geographically dispersed LANs. This applies, for example, to cameras, card readers & their controllers and intercoms.
I haven’t written about this before because I didn’t know that any good examples existed that I could point to. Several leading vendors, such as Axis, Cisco, Lenel, Milestone and Pivot3 have provided extensive network design guidance for large projects to both end user customers and systems integrators as the situation warranted. Sometimes this was in the context of paid professional services; often it was free of charge.
I’m not minimizing any manufacturer’s engineering services, just pointing out that it is very broadly helpful to provide network planning guidance in the form of documentation, and these two items from Zenitel are good examples of doing that: the AlphaCom XE Network Design Guide and the Installation, Configuration & Operation Technical Guide. Such documentation can act as a force multiplier for a manufacturer’s engineering team efforts, in some cases replacing, and in others simplifying and optimizing, such engineering advisory engagements. Additionally, it can provide a competitive advantage at product/vendor evaluation time, as such decisions can take place much earlier than when an engineering team is engaged, which is helpful both to the customer and the manufacturer.
What Customers Expect
Cybersecurity for physical security systems is a top end user and system integrator consideration, especially for security surveillance camera systems. Product cybersecurity documentation is more important than is generally realized. For example, for large corporate customers, the cybersecurity profile of vendors is a significant factor in the cost and scope of end user cybersecurity insurance policies, which are usually negotiated annually.
The cybersecurity maturity of an IT product vendor is typically evidenced by three things:
- Product hardening guide
- Vulnerability disclosure policy
- Documentation of key aspects of the vendor’s product security program, including the vulnerability handling policy.
In 2020 the U.S. Congress passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, which was signed into law in December 2020. The legislation sets minimum security standards for IoT devices purchased by federal agencies. In addition to requiring the National Institute of Standards and Technology (NIST) to develop those standards with input from standards organizations and industry, the act requires guidelines for reporting and disclosing security vulnerabilities in devices sold to the government and how they were resolved, for greater transparency to end users, and it reaches further into the supply chain to hold more stakeholders accountable for security.
If your product carries the CE mark (Conformité Européenne), indicating that it conforms to the applicable European Union directives and regulations, you should read the downloadable report, Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges, from the Centre for European Policy Studies.
The hardening guide is the highest priority, as it is proof of attention to cybersecurity and deployment support.
Some examples of documenting key aspects of a vendor’s product security program are:
- AXIS Communications: Cybersecurity web page
- Octopus: Security policy web page
- Johnson Controls: Product Security Program (a comprehensive and educational section of the website)
- Vivotek: Security Information, Security Hardening Guide and Vulnerability Policy (including an impressive 1-minute overview video)
The broadly publicized cyberattacks on cameras and recorders elevated the public awareness of the importance of product and system cybersecurity protections. Hardening guides are now a standard expectation for physical security systems.
What’s In a Hardening Guide?
The National Institute of Standards and Technology (NIST), in its Special Publication 800-70 Revision 4 (February 2018), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, defines a security configuration checklist (also called a lockdown, hardening guide, or benchmark) as:
“a series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product.”
A good and practical hardening guide includes the following elements:
- Statement of vendor’s cybersecurity philosophy and commitment
- Guidance based on an industry-recognized cybersecurity framework, usually NIST SP 800-53 for federal systems and critical infrastructure organizations, or the Center for Internet Security’s Critical Security Controls
- Characterization of the deployment environments to which the controls typically apply
- Product configuration instructions, best done by reference to installation and/or user guides to minimize hardening guide document length and update requirements (meaning that referenced installation and user guides can be updated without having to update the hardening guide itself)
- Recommended use of product security features
- Considerations relating to deployment environment standard cybersecurity practices, such as IT networking requirements, use of corporate NTP time servers, and network device management
- Reference charts for network port and protocol usage
- Charts of as-shipped cybersecurity-related factory default product configuration settings
- An “About the Company” concluding page with contact information
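The NIST definition above makes verifying correct configuration and detecting unauthorized change part of a hardening guide’s purpose, and the port/protocol reference chart, the factory-default settings chart and the deployment-environment considerations (such as corporate NTP) in the list above are exactly the data an auditor needs to do that. The following Python checker is an added example, not code from this page or from any vendor: it encodes a constructed camera deployment profile (required and optional ports, as-shipped defaults that must be changed, an NTP expectation), compares it against an observed port scan and a settings read-out, and keeps a SHA-256 fingerprint of the approved configuration so that drift from the commissioned state is reported. Every device name, port, setting and value in it is an assumption made for illustration.

```python
"""Verify a networked physical-security device against a hardening checklist.

Added example (not from any vendor's guide). It encodes the three charts a
hardening guide gives an auditor - the port/protocol chart for a deployment
profile, the as-shipped defaults that must be changed, and an approved
configuration baseline - and checks observed device state against them.
All device names, ports and settings below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class HardeningChecklist:
    # Port -> protocol the guide says the device needs in this deployment profile.
    required_ports: Dict[int, str]
    # Port -> optional service the guide says to disable unless there is a documented need.
    optional_ports: Dict[int, str]
    # Setting name -> factory-default value the guide says must be changed before deployment.
    insecure_defaults: Dict[str, object]


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    check: str      # which chart the finding came from: ports, defaults or baseline
    detail: str


# Constructed checklist for a hypothetical IP camera profile (not a real vendor chart).
CAMERA_PROFILE = HardeningChecklist(
    required_ports={443: "HTTPS management", 554: "RTSP video"},
    optional_ports={80: "HTTP plaintext management", 23: "Telnet", 161: "SNMP"},
    insecure_defaults={
        "admin_password_changed": False,   # default credentials still in place
        "telnet_enabled": True,
        "snmp_community": "public",
        "ntp_server": "",                  # guide expects a corporate NTP server to be set
    },
)


def check_ports(checklist: HardeningChecklist, observed_open: Iterable[int]) -> List[Finding]:
    """Compare open ports (e.g. from a scan) with the guide's port/protocol chart."""
    observed = set(observed_open)
    findings = []
    for port, proto in sorted(checklist.required_ports.items()):
        if port not in observed:
            findings.append(Finding("medium", "ports", f"required service {proto} ({port}) is not listening"))
    for port in sorted(observed):
        if port in checklist.required_ports:
            continue
        if port in checklist.optional_ports:
            findings.append(Finding("medium", "ports",
                                    f"optional service {checklist.optional_ports[port]} ({port}) is enabled; disable unless documented"))
        else:
            # Anything the chart does not list is the strongest signal: unknown firmware service or tampering.
            findings.append(Finding("high", "ports", f"port {port} is open but absent from the guide's port/protocol chart"))
    return findings


def check_defaults(checklist: HardeningChecklist, settings: Dict[str, object]) -> List[Finding]:
    """Flag settings still at the factory default the guide says to change."""
    findings = []
    for key, default in checklist.insecure_defaults.items():
        if key not in settings:
            findings.append(Finding("low", "defaults", f"{key} was not reported; cannot verify"))
        elif settings[key] == default:
            findings.append(Finding("high", "defaults", f"{key} is still at its factory default {default!r}"))
    return findings


def config_fingerprint(settings: Dict[str, object]) -> str:
    """Stable SHA-256 over a canonical JSON form of the configuration, recorded at commissioning."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_drift(baseline_fingerprint: Optional[str], settings: Dict[str, object]) -> List[Finding]:
    """Detect unauthorized change: the live configuration no longer matches the approved baseline."""
    if baseline_fingerprint is None:
        return [Finding("low", "baseline", "no approved baseline recorded; drift cannot be detected")]
    if config_fingerprint(settings) != baseline_fingerprint:
        return [Finding("high", "baseline", "configuration differs from the approved baseline")]
    return []


def audit(checklist, observed_open, settings, baseline_fingerprint=None) -> List[Finding]:
    """Run all three checks and return the combined findings."""
    return (check_ports(checklist, observed_open)
            + check_defaults(checklist, settings)
            + check_drift(baseline_fingerprint, settings))


if __name__ == "__main__":
    # Constructed observation of one camera: a port scan result and settings read from its API.
    observed_open = {23, 80, 443, 554, 8000}
    settings = {"admin_password_changed": True, "telnet_enabled": True,
                "snmp_community": "public", "ntp_server": "ntp.corp.example"}
    approved = dict(settings, telnet_enabled=False, snmp_community="")   # state signed off at commissioning
    for f in audit(CAMERA_PROFILE, observed_open, settings, config_fingerprint(approved)):
        print(f"[{f.severity:6}] {f.check}: {f.detail}")
```

The port check treats an undocumented open port as a higher-severity finding than an enabled-but-documented optional service, because the guide’s chart is the only ground truth for what the firmware should expose; the baseline fingerprint is what turns a one-time hardening pass into an ongoing check for the “unauthorized changes” that NIST’s definition calls out.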
Medium and large size organizations typically use a cybersecurity guidance framework that helps ensure their management of security risk covers the full range of cybersecurity controls that have proven to be effective. Two popular frameworks are the NIST Cybersecurity Framework and the Center for Internet Security’s CIS™ Controls. Because electronic physical security systems are built on information technology, including extensive use of Internet of Things (IoT) devices, both NIST and CIS are producing IoT-specific guidance materials and tools. NIST has launched its NIST Cybersecurity for IoT Program, and CIS has recently released its CIS Controls Internet of Things Companion Guide, which provides very clear guidance about the applicability of individual CIS controls to IoT devices and systems.
The Center for Internet Security recently (July 11, 2019) released its CIS Controls® Microsoft® Windows® 10 Cyber Hygiene Guide, a white paper available for download from the CIS website.
Specifiers Are Taking Action
SecuritySpecifiers.com will post for free links to manufacturer’s hardening guides and cybersecurity guidance, as well as their Architect and Engineer (A&E) specifications.
SecuritySpecifiers is working on cybersecurity specifications language for inclusion in A&E specs, and will be submitting to the Construction Specifications Institute (CSI) recommendations for physical security system cybersecurity items for inclusion in the 2018 update of the CSI Master Titles and Numbers standard.
Over the past year, hardening guides have become a mandatory manufacturer qualifications item for many security system projects.
I recommend getting a free subscription to Security Technology Executive magazine, where my upcoming articles about Cybersecurity for Security Systems appear.
If you are a manufacturer who would like some guidance or assistance in producing a product or system hardening guide, or in implementing or documenting vulnerability disclosure and management, call me (949-831-6788) or email me (RayBernard@go-rbcs.com).