The physical security world is no stranger to convergence; it’s not that long ago we were talking about the convergence of physical security onto the IP platform. But that was then. Using the IP protocol for communications in physical security is so common now it’s hardly worth talking about IP convergence, it simply is.
Today, however, physical security companies are faced with a new type of convergence, that between physical and cybersecurity, and this is something we have no choice in. In the IP convergence game, you could select to stick with analogue technology, but ignoring cybersecurity in your physical security installations (or ignoring physical security in your cybersecurity projects) is asking for trouble in this IoT world. In this article, when we refer to convergence, it will mean the convergence between physical and logical security (or cybersecurity.
It is in the realm of the Internet of Things (IoT) that we see the real impact of convergence. Other articles in this feature indicate how many billions of devices are going to be connected in the next two or three years. Physical security devices (cameras, access control readers, alarms, perimeter monitors and so forth) are simply part of this growing network of things that are now communicating.
This is a good thing. It provides us with more information about more things and events in real time (or near real time) and allows us to proactively manage situations before they become an emergency. In the paper Heightening the Security of IoT Networks, by Simon Holt from Mouser Electronics, the author notes: “The advent of the Internet of Things (IoT) has many potential benefits for society – including such diverse aspects as home automation, environment monitoring, Industry 4.0 implementation and – in the longer term – smart cities. The incredible scale of IoT networks, and their resulting pervasiveness is where this technology gains its value – comprising billions of connected nodes all acquiring data which can then be compiled, analysed and subsequently acted upon. However, it is also where its vulnerability lies.”
A simple example comes from NEC XON (see last month’s issue of Hi-Tech Security Solutions for the full story). The company can monitor devices, such as surveillance cameras, and detect if anything has gone wrong or been changed so as to alert customers of possible cyber-attacks. What are monitored are not the video images, but the hardware: is the firmware up to date, has it been changed, has the camera been accessed from an unknown IP address and other ways in which a camera could have been attacked. If the answer to these questions is yes, an alert is raised for investigation as the camera may have been tampered with.
Why is this a big deal? For one, if your camera is taken over by a third party, it could be switched off when a physical attack takes place; secondly, it could be used to gain access to the corporate network and data; and thirdly, it could be used to launch attacks on other systems via the Internet.
Holt explains: “By definition, the greater the number of IoT nodes, the larger the attack surface will be for malicious third parties to target. Once a weakness has been uncovered and a breach made, the whole network can be infiltrated thereafter – with malware basically rendering it inoperable, denial of service (DoS) attacks preventing continued communication, or sensitive information being extracted for industrial espionage purposes.”
A fishy story
Attacks like those mentioned above are not new and are definitely not in the realm of science fiction. Gemalto offers examples of how this has happened in the IoT world, and remember, an IoT device is any device capable of communication, just like your camera, alarm systems and other physical security devices. Some of these examples include:
• The Mirai botnet attack is nothing new in this industry. According to Gemalto, “The malware infects IoT devices by attempting to log in using common credentials (such as admin/password). IoT devices ranging from routers to video cameras and digital video recorders have been found to be infected by Mirai, which can coordinate their use to create a botnet with millions of devices.”
And as widely reported, “In 2016, Mirai-infected devices were used to launch the world’s first 1 Tbps Direct Denial of Service (DDoS) attack on servers at the heart of Internet services, successfully taking down parts of Amazon Web Services and its clients – which include Github, Netflix, Twitter and Airbnb.”
• Another bit of malware, perhaps less known is Reaper. Apparently based on Mirai to a degree, Reaper first came to light at the end of 2017 when around 20 000 to 30 000 devices were found to have been compromised by Reaper, which could be used to launch crippling DDoS attacks.
• Satori is another Mirai-like malware that doesn’t try to guess or use default credentials to access devices, it targets vulnerabilities in specific types of Wi-Fi routers. “Second, Satori has been discovered infecting smart processor architectures that were previously ignored by IoT malware, SuperH and ARC.”
And for those who think ‘who would want to attack our cameras’, remember that security researchers discovered that someone had launched an attack on a casino to get hold of its ‘high-roller’ database by hacking the thermostat in a fish tank on the premises. (The thermostat was connected to the network and automatically monitored to ensure the temperature of the water was within specific boundaries. One can’t have dead fish floating around a fancy casino.)
For an in-depth look at securing your devices from cyber threats, the Gemalto white paper ‘IoT security, the key ingredients for success’ provides insights into the process. It suggests there are three areas that need your attention:
1. The devices themselves,
2. Gateways, networks and connections, and
3. Cloud applications and users.
Using the three points above, it’s clear that converged security is a complex process. In the security market, most vendors have already considered this and make it easier to take care of the device security: firmware is updated and there are ways to control who can access the camera and so on. Additionally, in the case of Mirai, all vendors that deserve your attention already force users to change the default passwords on installation. The responsibility is on the user or installer to make sure the passwords they choose are good.
No matter what the vendors may do or enable in their systems, the installers and users bear the ultimate responsibility for ensuring their security installations are cyber secure. And while we are not all cybersecurity experts, there are basic concepts that can easily be addressed to create enough of a barrier to discourage scoundrels looking for an easy opportunity. Like all criminals, cyber criminals also first look for soft targets.
To find out more about how to ensure the cybersecurity of physical security installations, Hi-Tech Security Solutions spoke to a few local experts about the issue. Their answers are below (in brief).
MJ Oosthuizen, G4S Secure Solutions (SA)
MJ Oosthuizen is the national sales operations manager at G4S Secure Solutions (SA). He says cybersecurity has an underlying basis on hacking: “to steal databases containing the personal details, logins and passwords of millions of account holders”. A reputable integrator should specify good quality equipment from reliable manufacturers which are tried and tested, and offer backup support from the manufacturer level when things start to go wrong.
“Generally, reputable security firms will attempt to avoid budget and consumer brands and opt for professional quality equipment. However, the end user, or budget carrier, often steers the integrator into a lower cost solution, which often is the key to the backdoor of the potential security threat.”
When asked about whether African installers and integrators are cybersecurity aware when it comes to installing equipment and full solutions, he notes that the question should be “what not knowing about cybersecurity threats” means to integrators.
“It’s very easy to pop a camera onto someone’s Internet connection, opening ports (if required) and allowing it to run to a hosted server ‘somewhere’ in the world. Or leaving the default security settings in place, because we all know our clients will configure their own preference and change their own password etc., ‘when they have a moment… .’
“We find that there is not enough time spent on getting to know the security settings which can make or break the installation per product.”
In addressing the question of “how to ensure your equipment is secured against these types of attack, Oosthuizen says the major cyber-attack platforms for systems are:
• Windows OS.
• Linux OS.
• DVRs, NVRS, VMS.
• Endpoints (cameras).
• Firewall ports.
Some basic checks to avoid intrusion via the above include:
• Prevent unauthorised access to areas where video is monitored, as unauthorised access to the system may be possible through an unattended and unlocked computer or other device. If using mobile devices, configure them to delete all data after repeated failed access attempts in case they are lost or stolen.
• Hackers often exploit network switch ports 80 (http) and 21 and 23 (Telnet), so make sure these and any others are disabled. Improve security by placing individual departments on individual subnets.
• Each product in an IP-based security system has a unique MAC (Media Access Control) address. A suitable managed switch allows the security system to use MAC addressing to control access to computers, cameras and network video recording devices.
• Users of the system should have individual logons and strong password practice should be implemented. Single sign-on and password management apps both help to overcome the security problems of weak passwords and that of username and password re-use that is widely used for gaining access to multiple accounts, both personal and for business.
A question often raised is that of integration. If users buy their kit from one vendor, one could assume the integrated system in more secure, but is this the case? Oosthuizen explains that it all starts with system design, and more importantly, what the requirement for the system is. Allowing remote access, as example, needs to be understood and mapped. The next step is to understand the device’s security where this remote access will be managed from. The risk of security does not only emanate from the source (recorder/camera) side, but also from the remote client side.
“Remember, access details are available on the client and exposure on this device can easily provide ‘controlled’ access.”
Rudi Taljaard, Gijima
Rudi Taljaard is the chief solutions architect at GSS (Gijima Security Systems). In his view, being cybersecurity aware is of paramount importance with the strong uptake of IP transmitted security information/data across private and potentially public network infrastructures. “This makes critical information being transmitted vulnerable to ‘man in the middle’ and similar attacks. It is the responsibility of system integrators (SIs) to share threats and vulnerabilities with end users and to inform them of the measurements and standards available to secure their security applications.”
If cybersecurity is ignored and a skilled hacker accesses the network, they can compromise any device they want or extract any information from the database they feel will be valuable to sell. The recent trends show hackers also using devices on the network for cryptocurrency mining and stealing personal information (employees, customer records, etc.).
Taljaard notes that one can’t generalise in terms of the skill levels SIs hold regarding the cyber question, but an SI cannot claim SI status in the security (or any other) space if they do not have cybersecurity skills. “Even in the normal data space it is expected of an SI to have sufficient design and implementation cybersecurity skills. This is also one aspect that customers must very clearly specify and focus on in the design and implementation phases of any project.”
When it comes to ensuring equipment we use is secured against these types of attack, Taljaard says that many suppliers, like Genetec, have features in their products which help enforce simple things like forcing you to change the default username and password before you can add the camera or access control system to their platform. He adds that many companies make use of SIEM (security information and event management) solutions to keep all their security information centralised and more easily available to the right personnel.
They also offer training on how to be cyber vigilant and provide helpful and useful information in system hardening guides. “The fact that software vendors are able to create encryption keys from Certificate Authorities and match those with third-party camera manufacturers, who are also able to create the certificate on their cameras, shows the industry is moving in the right direction.”
Addressing the question of how secure integrated systems are, Taljaard stresses that integration is always an issue as you cannot guarantee the integrity of the communication between the databases unless it has
been written with secure coding methods. “When you are opening multiple databases sharing information between each other, there is always a higher risk of attack. This as opposed to a platform which unifies multiple technologies like video, access control, LPR etc. on a common database, which can ensure its integrity and security.
The question of skills also comes into play here. Is it enough for your SI to have integration skills or should they ensure they keep cybersecurity skills on board as well? Again, Taljaard says this is a difficult question to answer as the requirement for cybersecurity differs when dealing with different clients in different environments. “If we talk about a system integrator like Gijima, the answer is most probably yes. Normally, SIs have been exposed to and are well skilled in the cybersecurity space and have been for some time This is not something new as cyber-attacks and hacking have been part and parcel of our environment for years and we have equipped and educated ourselves to minimise the risks and try to prevent breaches.”
Jan Erasmus, NEC XON
Jan Erasmus is the business lead for surveillance and analytics at NEC XON. He says that being cybersecurity aware is a very important factor with today’s IP enabled physical security equipment and it needs to be discussed from day one when a security solution is planned.
“With the enablement of old traditional ‘physical’ devices that range from light controllers, HVAC to the physical security devices such as IP cameras and biometric access control devices, hackers have been targeting these new set of vulnerabilities to get access to a company’s IT Infrastructure.”
In the past, cyber and physical security had little in common on any level and integration of these systems was either too complex or just too expensive for most companies, he adds. Within companies you always had physical security being managed by a security manager or the facilities manager, and the cybersecurity by the CIO or IT manager. This split between the two departments ensured that they never discussed their requirements or projects with each other to share the risks of running separate systems on the same LAN and WAN infrastructure.
“NEC XON realised the need to engage with both cyber and physical security management and inform them how we can converge their security systems, ensure that they understand how we treat the systems in a unified manner and then also identify the risks in the networked enabled equipment and educate them how to close these ‘paths of least resistance’ that hackers will try to exploit. Management in many companies have also realised that with new SMART solutions offered for buildings, the risk has grown, and more companies have now merged cyber and physical security within one department.”
Most SIs have still not realised the risk of just installing a network-enabled device onto a company’s network without preparing the device properly with the required security protocols. Erasmus thinks it is a case of ‘ignore the problem and if something happens, then they will deal with it’, instead of skilling up technicians and sitting down with the client to do a more secure design, even if it is more expensive.
“However, bigger OEMs have realised the risk and they do have standard installation procedures (SIPs) that force technicians to change usernames and passwords and other security settings on a device before the device can be configured and activated on the network,” he notes. These SIPs do not completely mitigate the risk, but with cybersecurity personnel being aware of installations of all these types of IP enabled equipment as well as other IoT devices, proper security measures can be planned for and activated as required.
“With NEC XON’s Cyber Defence Operating Centre (CDOC), we can monitor our client’s network and IT infrastructure for any intrusions or malicious behaviour,” Erasmus explains. “We can also monitor all hardware equipment on the network, for example, the status of an IP camera and ensure that if this camera suddenly generates a lot of traffic on the network, we can shut it down and do a full diagnosis on the camera to understand why it is generating the amount of traffic. This allows us to be pro-active, rather that reactive to an incident.”
When it comes to ensuring one’s equipment is secured against cyber-attacks, Erasmus says the biggest security vector risks with physical security equipment is physical tampering at the device layer, and the cybersecurity vulnerabilities across the embedded software, communications and the application layers of the equipment. The physical tampering at device layer can include, but is not limited to:
• Easily accessible ports including USB, SD card and Ethernet ports on cameras, biometric readers and even PCs used for workstations by the security personnel.
• Theft of devices.
• Removal of certain parts etc.
The biggest cyber threat is open ports on equipment as this can give direct access to the network or allow malicious software to be downloaded onto equipment that can infect the network. The cybersecurity vulnerabilities can include and are not limited to:
• Web browser access to equipment with no username or password protection.
• Not updating firmware of devices as vulnerabilities are made public.
• No encryption on the communication layers of the devices.
• No secure network or any secure access to the network.
The bigger OEMs have realised the importance of cybersecurity for their devices, and on the device software and communications layers there have been huge improvements.
To ensure that all the risks caused by the vulnerabilities of physical security and other IoT devices are mitigated is not a very easy task. It is crucial to identify the gaps and then to create a strategy for your solution and products to be used by focusing on the device hardware, device software, communications, platform and application layers.
He suggests one has to think about the following for each layer:
1. Device Hardware:
• How can we safeguard the devices installed?
• What are the risks if a person gets physical access to my device?
• Wil the person be able to use the access as a backdoor into my network or other systems?
• Are there open ports that will create an intrusion opportunity?
2. Device software:
• Does the equipment have proper user and password management?
• Is there any anomaly detection of the device or system?
• Do we have a firewall for the network?
• Is the data encrypted at rest and during transfer?
• Are there firmware patches available and have the patches been installed?
• Do we have encryption on all communications?
• Is our network secure?
• Is the access to the network secure, for example, connectivity to the Wi-Fi network?
• Are the best practises in IT security addressed in the software platform we use?
• Do we have a secure hosting environment, for example the server room?
• Does our software platform allow identity management?
• Does the software platform allow for user management?
• Does the software platform allow for API authentication as well as authorisation?
• Does our application authenticate and authorise?
• Are application injections secured?
“Following this gap analysis and doing a proper strategy assessment across all the layers will ensure that the biggest threats are addressed,” Erasmus continues. “It is also wise to choose a well-known and tested OEM solution that has a good reputation in the market. This will ensure that equipment can be installed and commissioned knowing that the risk is very low from a physical as well as cybersecurity threats.”
Theshan Mudaly and Nompumelelo Mdima, Axiz
Having heard from the SIs on the topic of convergence, Hi-Tech Security Solutions also spoke to Theshan Mudaly, pre-sales engineer, and Nompumelelo Mdima, business development manager, advanced technologies, at local distributor Axiz to get some insights from the IT side of the equation.
Mudaly says that the convergence between physical and logical is an issue that security vendors are aware of because of the rapid growth of IoT. One can find many vendors already incorporating protection services for these devices into their products because they ae aware of the risks.
“Any device with an IP address is vulnerable, whether it’s a security product or some other IoT system,” he says. “The starting point to keeping these devices secure is to keep them behind a firewall when possible, while also ensuring their firmware is always up to date.”
He adds that it shouldn’t be necessary to say, but it is: don’t use the default passwords and don’t choose passwords that are easy to guess as these are your first line of defence.
Mdima adds that PoPIA is adding to the general awareness people have about protecting their data, and as a result data loss prevention (DLP) is becoming more important in all businesses. “People are realising the value of their data in its various forms. Companies have lots valuable information, like ID numbers, bank account details and contact information in their databases which need protection.”
When it comes to managing the security of your organisation, she advises all information be managed centrally through a single console in a SIEM (Security Information and Event Management) solution that can integrate various brands’ solutions. Using one product to protect everything electronic is not a realistic option at the moment, so being able to integrate the output from various products into a single console is key.
Mudaly agrees that integration is a critical aspect of a successful security solution. “The days of stand-alone applications that don’t talk to any other applications are long gone.” Axiz realised this and focuses its security distribution arm on a number of products that can all be integrated to form a coherent defence, or ‘security fabric’.
McAfee is one of the brands Axiz represents and Mdima says the McAfee SIEM product is designed to provide an overview of the organisation’s security posture by integration data from multiple external sources. Mdima says the SIEM allows organisations to “get real-time visibility into all activity on systems, networks, databases, and applications.”
For smaller companies, both Mdima and Mudaly highlight McAfee’s new MVision product as a good all-round security option. MVision is a cloud-based security solution aimed at small businesses; it keeps the company updated and secure 24 x 7. Using the product gives companies “visibility into data, context, and user behaviour across all cloud services, users, and devices”.
Citing its cost-effectiveness and ease of setup and management, Mdima says MVision can also be managed from anywhere there is an Internet connection. This makes it a good option for resellers as they are able to offer the solutions to multiple clients, which they can manage centrally if the customer agrees to allow information sharing and access to their systems (they can choose to or not).
The focus on smaller companies is not out of the ordinary for Axiz since these companies often have poor cyber defences but still hold valuable data. Mudaly says the company and its project team are geared to assist their channel dealing with these organisations by providing skills for implementation and maintenance services, as well as training for the channel and their customers.