Members of the British Security Industry Association’s (BSIA) dedicated CCTV Section have issued a stark warning that end users of IP-connected CCTV systems should be taking cyber security very seriously indeed.
In an article recently published by The Times, Nigel Inkster (former director of operations and intelligence at MI6) raised concerns about the potential threat posed to national security through vulnerabilities in IP (Internet Protocol)-connected CCTV solutions (including components manufactured in those nations harbouring a reputation for state-sponsored espionage).
While the integration of video surveillance solutions with IP networks carries significant benefits – among them the offer of potentially cheaper and easier installation, an ability to distribute video images more widely and the ease with which additional cameras may be added to the network at a later date – the end result is also potentially vulnerable to cyber attack.
Unsecured cameras can become the weak link that provides hackers with an entry point to the corporate network. From that juncture, the risks to businesses may include sabotage (ie disruption of operations, potentially leading to lost productivity and revenue), stolen personal data (eg financial or health information, potentially resulting in loss of customer trust, the denigration of a brand and weakened profits) and intellectual property or trade secrets falling into the wrong hands.
On top of that, marketing plans or R&D data appropriated by criminal types could result in a loss of competitive advantage.
There’s also the potential for extortion, whereby the company or individuals involved have to pay a ransom to regain access to their systems or data, and perhaps for regulatory action or negligence claims (such as penalties issued by a Government body).
Mitigating these risks must be a key priority for each party involved in the supply chain. Manufacturers should ensure accidental design or implementation errors are kept to an absolute minimum and that systems are regularly scanned for vulnerabilities. They should be proficient in secure coding and testing procedures, and also make certain their products are capable of supporting the stringent controls necessary for secure network communication in today’s business landscape.
This may include end-to-end encryption with SHA-2 and TLS; encrypted database communication; system auditing, alerting and management; DDoS protection; the restriction of ports, protocols and services; highly customisable user access and permissions; and archive, failover and high availability.
Simon Adcock, chairman of the BSIA’s CCTV Section, told Risk UK: “Ultimately, end users must take responsibility for the security of their networks. When procuring an IP-connected surveillance solution, they must use the services of a reputable installer or integrator that’s fully committed to Best Practice. They should also guarantee that they have comprehensive cyber security and information security policies in place.”
For their part, responsible installers need to ensure that the system they’ve put in place is protected from cyber attacks by changing the manufacturer’s default system credentials.