Members of the British Security Industry Association’s (BSIA) CCTV Section have issued a stark warning that end users of IP-connected CCTV systems should be taking cyber security very seriously indeed.
In an article published by The Times, Nigel Inkster (former director of operations and intelligence at MI6) raises concerns about the threat to national security through vulnerabilities in IP (Internet Protocol)-connected CCTV systems including components manufactured in countries that have a reputation for State-sponsored espionage.
While the integration of video surveillance solutions with IP networks carries significant benefits – among them the offer of potentially cheaper and easier installation, the ability to distribute video images more widely and the ease with which additional cameras can be added to the network at a later date – they’re also potentially vulnerable to cyber attacks.
Unsecured cameras can become the weak link that provides hackers with an entry point to a network. From here, the risks to businesses may include sabotage (such as disrupting operations, potentially leading to lost productivity and revenue), stolen personal data (eg financial or health information, potentially resulting in loss of customer trust, the denigration of a brand and, ultimately, lost profits) and stolen intellectual property or trade secrets. Marketing plans or R&D data that fall into the wrong hands could result in a loss of competitive advantage.
There’s also the potential for extortion, whereby the company or individuals involved have to pay a ransom to regain access to their system or data, or perhaps regulatory action or negligence claims (such as penalties from a Government agency or civil lawsuits).
Mitigating the risks
Mitigating these risks must be a priority for each party involved in the supply chain. Manufacturers should ensure that accidental design or implementation errors are kept to a minimum and that systems are regularly scanned for vulnerabilities. They should be proficient in secure coding and testing procedures and also ensure that their products are capable of supporting the stringent controls necessary for secure network communication.
This may include end-to-end encryption with SHA-2 and TLS, encrypted database communication, system auditing, alerting and management, Distributed Denial of Service protection, the restriction of ports, protocols and services, highly ‘customisable’ user access and permissions and archive, failover and high availability.
Simon Adcock, chairman of the BSIA’s CCTV Section, explained: “Responsible installers and integrators will conduct a risk-based approach towards any system design, taking into account the origin of the hardware in the design and whether this presents a potential risk to the customer. Anyone who’s designing a system or making decisions on behalf of an end user should be considering the security of the hardware they’re installing, ensuring that it’s robust and manufactured responsibly. Responsible installers will also ensure that the system they’ve installed is protected from cyber attacks by changing the manufacturer’s default system credentials.”
Adcock went on to state: “Ultimately, an end user must take responsibility for the security of their network. When procuring an IP-connected surveillance system, end users must use the services of a reputable installer or integrator that’s fully committed to Best Practice. They should also ensure that they have comprehensive cyber security and information security policies in place.”
*Members of the BSIA’s CCTV Section are fully committed to Best Practice and comply with all relevant security standards. To locate a reputable CCTV supplier for your surveillance project visit www.bsia.co.uk