by Ray Bernard PSP, CHS-III
Over the past year, news media have covered several major cyberattacks on Internet-connected video security cameras and recording systems. This has many corporate IT departments concerned about the vulnerabilities of networked electronic physical security systems, especially video camera systems.
Q: Our IT department asked if we have performed a cyber security assessment of our physical security systems and devices. How do we do that?
A: One approach is to tell them that you haven’t, ask for their help in performing the assessment, and prepare to support them with system and product information.
About two months ago the Devil’s Ivy (aka gSOAP) security vulnerability was announced, which impacts tens of millions of IoT devices, including security video cameras from Axis Communications, Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony, and Toshiba—as well as many off-brand cameras.
The fact that highly reputable brand name products are affected is changing the general thinking about physical security product and system vulnerabilities, especially within IT departments who are responsible for the security of networks to which the camera systems are connected.
Cyber Security Assessment Preparation
Follow these steps to prepare to support IT in performing a cyber security assessment (they may have a slightly different name for it).
- Bring your security system documentation up to date.
Collect these documents:
- Design Documents. System design documents and as-built drawings. Even better is to document your entire system using the System Surveyor tool, which from this point forward will simplify system management providing near-instant system information access, and will reduce design time for system revisions and expansions.
- System Architecture Documentation. A good systems architecture document will include one or more diagrams of system deployment options, and may also include the network port configurations required. For example, Milestone Systems XProtect VMS System Architecture Document contains a “Ports used by the system” section.
- Installation Guides. Product and installation guides include installation and configuration requirements, and should include network port configuration requirements. For example, Genetec’s Security Center Installation and Upgrade Guide contains a “Default ports used by Security Center” section.
- Product and system hardening guides. The major security product and system brands have hardening guides or network security guidance documentation available on their websites.
- Obtain Vendor Security Assessment Questionnaires (VSAQs). For products and systems that will utilize or be exposed to an internet connection, ask their vendors to provide a completed VSAQ. If they don’t have one, send them to the questionnaire from the Vendor Security Alliance.
Update or produce these documents:
- Security System Network Diagrams and Current Network Configuration. If the security systems reside on the corporate network, or on a network provided by IT, then IT can provide you with network diagrams and configuration information. If some or all of the networking was provided by a security systems integrator, network diagrams and network configuration information should be part of the as-built documentation. If not, you request it from your integrator.
- Document the protections in place for Internet connections. Typically, this would include router and firewall configurations established by the IT department or by the systems integrator. When provided through the IT department, protections include policy, guidelines and requirements for acceptable computer, network and internet use. However, sometimes a security department obtains a dedicated security systems internet connection through telephone or cable services.
- System and Device Hardening Steps Taken. Document the hardening advices you have applied, based upon manufacturer and design consultant recommendations.
- Document System Management Practices.
- Device and System Updates. Document when and how systems and devices are patched and updated, and establish a sound policy for updates if you don’t already have one.
- Systems and Device Access Management. Document the access management for human users as well as system users, such as video management systems.
- User Roles and Responsibilities. List the authorized users, along with their roles, responsibilities, and the details of access provided. Verify that access has been provided according to the principle of least privilege (see Wikipedia). Delete or revise user accounts for personnel whose system responsibilities have been eliminated or changed. Be sure to include cameras and other devices having service contractor user accounts. Service contractor password management is often neglected.
- User Password Management Practice. Document the existing password management practice. Check to see if it complies with the requirements for corporate IT systems. If there is no policy in place governing the management of user accounts and passwords, create one and apply it.
- Authentication and authorization for system integrations and device management. For example, video management systems and video analytics applications utilize camera user accounts. Your security integrator or IT department can assist you in identifying how digital certificates are used, encryption keys are managed, and how API security is applied to systems integrations.
- Perform a Scan of the Network, and Optionally the Security Applications. Obtain status and performance information for the security systems infrastructure.
- Perform (or have IT perform) an Nmap (Network Mapper) or similar scan of your security system network. Alternatively, you could use a cloud-based scanning service.
- You could also obtain even more information by utilizing a cloud-based service including application level assurance, such as Viakoo, which automatically verifies the performance and integrity of physical security systems and devices, provides automated proof of system compliance (such as video retention), and collects diagnostic information for proactive and predictive infrastructure management.
- Take Action. Follow up based upon the information obtained. Disable outdated versions of TLS, SNMP and other vulnerable protocols. Use secure versions of network protocols wherever possible.
- Have Internal IT or an IT Service Provider Determine the Physical Security Systems Cyber Security Profile.
- This should include internal and external (via the Internet) system penetration testing, as well as a review to see if protections are in place given known vulnerabilities of specific products or product types.
- Create an action plan to follow up on the recommendations provided.
A big benefit of these four steps is the achieving a high level of visibility of the state of the physical security systems infrastructure, which benefits system troubleshooting and maintenance work as well as planning for system enhancements.
Write to Ray about this column at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty member of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS
© 2017 Ray Bernard