From Physical To Cyber - Locking down network video surveillance

From Physical To Cyber

Locking down network video surveillance

Both physical security and IT professionals place great importance on cyber security. When it comes to protecting people and assets in 2012—as PhySec systems are increasingly moving into the all-digital realm—the data created by video and access control communications falls under the cyber umbrella, and both camps must be well-versed in the threats of the other.

From Physical To CyberIn fact, ASIS International President Eduard Emde, CPP, stated in a recent interview that he was “convinced that 2012 will continue to be dominated by all facets of cyber-related security risks.” In another recent piece of news, the ASIS International 58th Annual Seminar and Exhibits and (ISC)2, the world’s largest not-for-profit membership body of certified information security professionals, announced that the second annual (ISC)2 Security Congress will be collocated with ASIS in Philadelphia in 2012. This places greater emphasis on the increasing importance and interdependence of both physical and Information Systems Security in the network ecosystem.

But why now? Why the seemingly sudden need to educate the respective security owners—logical and physical—on what the other hand is doing? It’s simple: physical security is moving toward intelligent devices. Intelligence devices produce data and provide a portal into the enterprise infrastructure. Both the data and the portal must be protected.

Network video surveillance systems are composed of “edge” devices, such as network cameras and encoders that produce video content, and metadata, control, analysis, media search and content management, storage and display components. Physical and logical infrastructure provides connectivity between categories and also conforms to useful standards (e.g., 802.1x and port-based network access control). This ensures a user or device cannot make a full network connection until he or it is properly authenticated.

To the IT-focused world, the cameras, encoders and readers will be just another node on the network (when it comes to securing their infrastructure, that is). Thus, the physical security practitioner must be able to relate to the need for proper authentication.

Authenticate for a Secure State

Aside from making their IT counterparts happy, physical security practitioners, too, need to understand the importance of protecting their data—namely the video and its quality.

An important trend in IP video development is the increase in the power and sophistication of today’s network video cameras, making them small computers, complete with solid-state storage, room for on-board security, video content analysis apps, and enhanced image processing. Improving the fidelity of the video content right at the source provides the physical security industry with problem-solving technologies like wide dynamic range and improved ultra-low-light performance. With more important processes at these “non-person entities” and edge devices, it is vital that they be resistant to intrusion exploits and they achieve a trusted identity.

To date, most physical security practitioners and integrators practice some form of logical security with password protection and user-assigned permissions. Best practice dictates that the default passwords for network-connected physical security devices (cameras, encoders, etc.) be changed upon installation. However, as the industry moves to all-IP and the IT world becomes increasingly more influential in the installation and maintenance of surveillance systems, the physical world must abide by IT security best practices: namely, authentication and standards acceptance.

The National Institute of Standards (NIST) recently published an education video illustrating how the National Strategy for Trusted Identities in Cyberspace will work. The goal is to establish identity solutions and privacy-enhancing technologies that will improve security by authenticating individuals and infrastructure. In this structure, the selection of secure and independent identity providers is followed by users proving their identity and the provider issuing a trusted credential.

Users, especially in the government arena, have started to apply this structure to network video. Cameras and encoders will be expected to run a cryptographic application that communicates to a digital certificate authority that registers, validates and, in some cases, revokes the network device’s access to core digital video services.

Just like the mobile banking customer who must answer security questions and validate site keys, the network video camera will “prove” its identity through this validation process. The world of “non-person entities” can also include Voice over IP (VoIP) communications, electronic access control readers, intelligent perimeter sensors and mobile devices. A secure application on a smartphone can initiate a payment of funds to a quickserve establishment’s owner/operator while decoding video and statistical content such as customer volume from the “meta” or “feature” data.

For the world of video, not only does this methodology protect camera streams from being accessed and the cameras themselves from being controlled, but recordings that reside on the server are safe. If unauthorized access does occur, steps can be taken to corrupt the video file so it is unplayable for the hacker.

Permission to Come Aboard: How it Works

The specification of a network video surveillance system architecture and function, together with the authentication requirements, can enhance the definition of use cases—which in the IT/ software/engineering realm means a list of steps that define interactions between a “role” (a human, camera, etc.) and the system as a whole.

The network video authentication requirements can be looked at on a step-by-step basis:

  • Verify the network video plus metadata or “Digital Multimedia Content” (DMC) source(s) with Network Intrusion Detection Systems (IDS) and Network Management Systems (NMS) for authorized consumption of network resources.
  • Provision the appropriate DMC-source(s) network resources in accordance with NMS and Quality of Service (QoS) definitions, as defined by the user/integrator.
  • Verify the DMC user/consumer(s) (such as smartphones and workstations) with IDS and NMS for authorized consumption of network resources (bandwidth, etc.) and access to DMC source(s).
  • Process DMC-source(s) Public Key Infrastructure (PKI) certificate(s) and validate or reject, as required.
  • Provision appropriate DMC user/consumer(s) network resources and DMC source(s) access in accordance with NMS, QoS definitions, local and global rules, and credential authorities. Establish the validity of the identity credential presented as part of the authentication transaction. Process DMC user PKI certificate(s) and validate or reject, as required using revocation status checking and certificate path validation.
  • The DMC user/consumer(s) then can access DMC-source live or recorded content.

Growing Need for Authentication

Network video allows police officers to be more operationally effective in fighting crime. Video and Physical Security Information Management (PSIM) applications are designed to give authorities minute-by-minute situational awareness about public safety and crime, as well as to a number of medical emergencies to which officers respond on any given day. The flexibility and performance of network security solutions are equally important to the valuable content and intelligence these systems provide.

Therefore, the necessity of improved authentication in public safety applications is becoming of greater importance. The Department of Homeland Security’s “Hot Spots of Terrorism and Other Crimes in the United States, 1970 to 2008” report, January 2012, illustrates the need for enhanced public safety through tools like video surveillance in major cities such as New York, Miami, Washington, D.C., Chicago, Los Angeles and San Francisco. Nearly 30 percent of all attacks took place in just five counties in the United States, permitting focused efforts of video surveillance as forensic and observation tools.

Should a pen tester or hacker gain access to a law enforcement vehicle or command center’s video content and surveillance device, movements in real time can be tracked and security in these areas of high risk become compromised. Video could also be potentially altered, destroyed or lose the proper chain of custody.

This, of course, isn’t a new problem—and network cameras and encoders today have the same IT security protocols and certificates in place as any other network-connected device—but as more physical security devices connect to the network and practitioners increase their use of critical digital surveillance, increased digital security must be considered.

Even at the Consumer Electronics Show in January 2012, a “Digital Health Summit” showed how doctors are using technology to eliminate distance and borders and be preventative in their treatment approach. Network video will enhance this style of treatment and require proven security. Of course, this type of sensitive data must be protected not only for peace of mind but also, in some cases, for compliance requirements.

And while authentication of devices provides an extra layer to the system, it’s comforting to know that the validation of trusted network devices also makes bandwidth management easier for the IT administrators. It’s a logical companion to network management systems, which is another point that will gain favor in the growing IT/physical security management relationship.

Hackers will forever search for ways to compromise a system— and unfortunately no network-connected system has proven unhackable. Even today we see hackers targeting teleconferencing systems. So as the inevitable use of IP-based surveillance systems grows and becomes more public, we can close the window of opportunity on hacking threats through authentication before it opens.

This article originally appeared in the April 2012 issue of Security Today.

About the Author

Steve Surfaro is an industry liaison at Axis Communications.

Featured

  • Choosing the Right Solution

    Today, there is a strong shift from on-prem installations to cloud or hybrid-cloud deployments. As reported in the 2024 Genetec State of Physical Security report, 66% of end users said they will move to managing or storing more physical security in the cloud over the next two years. Read Now

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

Featured Cybersecurity

Webinars

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3