Implementing a Video Plan

Designing a security system with cybersecurity in mind

• By Stuart Rawling
• Jun 18, 2020

There’s a specific paradigm shift in the world of video that might be bigger than the transition from analog to IP more than 15 years ago.

Over the last decade, the emergence of the Internet of Things (IoT) and a demand for more video data has changed the way businesses operate. But as the rise in connectivity increases, so too does the need for increased security for physical assets, networks, and valuable corporate data. As a result, a dialogue between cyber, IT and physical security is necessary to help leaders gain a greater knowledge of how to best collaborate to ensure complete protection.

This is especially poignant for government security professionals who must communicate with aligned internal departments to drive strategies that help identify vulnerabilities in a more proactive manner. The result of these conversations: A truly comprehensive approach to security intelligence.

To maintain a high level of security and ensure business continuity, government agencies seek solutions that help predict and identify threats in real time. But often, there are too many alerts generated by too many systems, and none of this data is integrated together and therefore, not actionable.

Linking cyber and physical security together transforms data into intelligence, which helps agencies connect the pieces of any situation together and present a unified risk assessment to the right stakeholders. By capturing and analyzing data in real time, government organizations gain a visual representation of risks across the business while accessing information related to the most critical events taking place. Not only does this process enable a higher and more proactive level of protection, but it also helps facilitate a plan of action based within unified intelligence.

No market more than the government segment is facing more challenges in today’s business and security landscape. Security leaders in this market have to focus on securing every single aspect of their network infrastructure, which includes confirming software updates and firmware on surveillance cameras are completed on-demand and as available. In addition, as more and more physical security devices become networked connected, encryption and vulnerability testing are essential to ensure secure data transfer and storage.

With so much information captured on a daily basis, agencies need to evaluate how to secure not only video data but also an entire video surveillance system. In the past, this meant making sure best practices were enforced so that an individual could not physically tamper with a camera; however, now the focus also incorporates IT processes, such as ensuring that no one can access the camera and its data via the network. This marks quite a change from years past when cybersecurity wasn’t part of any physical security conversation. But the adoption of IP-connected devices makes a cyber attack a genuine possibility.

Within federal, state, and local governments, the combination of IT and security teams, along with the involvement of procurement, has made the decision-making and budgeting process more complex. However, technology providers have learned much about the specific needs of this market while maintaining the integrity of the product life cycle.

That’s where the strategic design of a solution that encompasses video and the intelligence it can bring comes into play. In essence, software providers have worked to maintain the demands of integrators serving the government space and their end users by incorporating several protocols that help guide interconnectivity and provide a significant amount of protection against threats. This can be achieved through several methods:

Understanding ownership. While many federal agencies employ experts in the field of physical and cybersecurity, technology providers must play a role in positioning these organizations to proactively detect evolving threats. But this effort is not without its challenges. The identification of stakeholders becomes critical early on when working on a project. Agencies can make this easier by understanding who will be involved in implementing a new video-centric solution across an organization.

Deciphering risk. Government organizations are constantly working to determine risk factors, determining how to address various risk factors with not only policies and processes, but also technology. These organizations often look to integrator and manufacturer partners to help identify the solutions that can address these various risk factors.

Video data is one area where this is essential. With so much information that needs to be protected, security leaders need to evaluate how to secure not only video data, but also the entire video surveillance system, which includes video management. This is where cybersecurity protocols and guidance can come into play to help protect, along with the design of products that better leverage these tools.

Identifying tools. One way to decipher risk is through the concept of “security by design,” which is an approach to software and hardware development that aims to make systems as free from vulnerabilities and protected from attacks as possible. This is especially important for devices that run on a network. But the design should be coupled with additional touch points for monitoring the health of the system, and government agencies are required to also provide ongoing oversight of a network to protect critical information.

One tool that is commonly used to scan networks to identify issues is NESSUS, an open-source network vulnerability scanner that uses the common vulnerabilities and exposures architecture for easy cross-linking between compliant security tools. The functions include malware detection, configuration auditing, target profiling, sensitive data discovery, and more.

There is a suite of other tools and hands-on penetration testing that should be built into the product development lifecycle that continue to identify potential vulnerabilities and ensure there are no “back doors” into the system. Some other best practices include assigning various user levels where possible to protect pieces of the system and being diligent about ensuring the right level of access for the user. Finally, taking steps to encrypt all communications between devices is essential.

This includes the way the video transmits to the operator workstation, where it is stored, and all the connections between these various locations; they must all be encrypted to ensure the most secure data sharing capabilities are in place.

But this is just the tip of the iceberg. In order to fully identify the right tools, it is essential to know the risk.

Examining the Supply Chain

A big part of the landscape for navigating cybersecurity protocols across the government sector is adherence to the strict standards put in place to protect the network, such as the use of IPV6, the Federal Information Processing Standard (FIPS) 140-2, and (in access control) the use of the Federal Government Identity, Credential and Access Management (FICAM) standards. As a result of the nature of today’s threats, the federal government has taken steps to ensure these protocols are met and executed.

The National Defense Authorization Act (NDAA), which specifies the budget and policies of the Department of Defense (DoD), prohibits the purchase and installation of video surveillance equipment from select Chinese companies in federal facilities. This act has created a ripple effect across much of the security industry, as integrators work to make sense of the products they can and cannot use for government-related projects.

In this regard, cybersecurity and national security go hand-inhand, as the idea is to minimize the perceived risk moving forward. One way some camera manufacturers have started to limit this risk is by examining the supply chain and making adjustments on where various components of a camera originate. Another is by engaging in a General Services Administration (GSA) Schedule Contract used to sell to federal agencies (as well as state and local government on occasion). GSA also requires several requirements to be met, including country of origin standards or compliance with the Trade Agreements Act (TAA).

Speaking the Language

Early in the design process, it’s critical for integrators and manufacturers alike to understand the needs of the government space. This means implementing measures that foster this communication. Many integrator companies and security manufacturers are taking the necessary steps to form internal task forces made up of cybersecurity and former DoD professionals who have a working knowledge of the demands of the government sector.

Part of this involves engaging with professionals that keep current on the threats this market faces. For example, professional services departments made up of network specialists, consulting, and deployment specialists, are being formed to address some of the significant challenges that federal agencies face as it relates to access.

Some of these individuals have top-secret clearances, meaning they can access areas of a facility that are considered visually classified and offer a significant amount of support beyond the traditional integrator or installer. This makes a real difference in understanding and being able to speak the language of a federal agency, IT department, or security leader in this space.

Vulnerability Testing

A critical component for designing for data protection is engaging in vulnerability testing of a system to evaluate the security risks in a software system and reduce the probability of a threat. In the government sector, for example, this includes STIG configuration (or the Security Technical Implementation Guide).

STIGs are the configuration standards for DoD that contain technical guidance to “lockdown” information systems and/or software that might otherwise be vulnerable to a malicious attack. In essence, this helps standardize network security protocols that aim to identify vulnerabilities and address them before they become a risk. Building these protocols into a product goes a long way in helping secure a government organization’s systems.

Keep Up-to-Date

Cyber threats continue to increase and evolve in sophistication, and security leaders — both IT and physical — need to maintain a proactive approach to mitigating this risk. As government entities continue to embrace the connected world, new cyber vulnerabilities will come to light. As a vendor in the video surveillance market, we are entrusted to provide secure products and guidelines to safeguard solutions from various types of risks, including cyber vulnerabilities.

One of the best ways to reduce network vulnerabilities associated with video surveillance is to ensure strong levels of data protection. Highly secure encryption and role-based access control are two capabilities that elevate security while meeting the compliance requirements of government agencies.

Government security leaders need to evaluate what parameters work best for their specific environments while being cognizant of emerging risks and how to proactively address them. Regardless of the specific application, a secure, compliant video surveillance infrastructure built on common cyber security protocols enable organizations to maintain strict levels of cyber and physical security to ensure physical and data security, protecting business, employees, and assets along the way.

This article originally appeared in the May/June 2020 issue of Security Today.