IoT is used to create smart homes, buildings and numerous other end points
- By Jeff Whitney
- May 01, 2017
The security department has long held responsibility for
the physical protection of assets, infrastructure and
people. The operation and protection of electronic
data systems has been the responsibility of the IT department.
Today, we increasingly see the blurring of
these lines with the movement of surveillance, access control, life
safety and other physical security systems onto IP-based network
The IT approach to layered security for systems, infrastructure
and data is increasingly impacting the security department, and with
good reason. Recent cyberattacks have revealed vulnerabilities beyond
traditional IT systems and infrastructure, uncovering the potential
threat of attack on and through a wider range of network
connected devices. The Internet of Things (IoT) is rapidly growing
as network connectivity blurs the line between computing devices,
appliances, vehicles and industrial equipment. IoT is used to create
smart homes and buildings, network enabled appliances, aircraft,
automobiles, ships and trains. It is found across every market segment.
While consumers and industry professionals are excited about
the benefits, cybersecurity experts increasingly warn about the vulnerabilities
that IoT introduces to traditionally secure infrastructure.
Many manufacturers of surveillance cameras, access control and
other security systems have considered their products to be edge devices,
relying on the IT department to provide network protection in
limiting access only to those authorized to do so. This view is changing
as more manufacturers and their customers understand that any
device connected to the network requires basic cybersecurity protection
in the current threat environment.
Akamai, a vendor of content delivery network services, detailed
in its Q3 2015 State of the Internet Security Report a 180 percent yearover-
year increase from 2014 to 2015 in Distributed Denial of Service
(DDoS) attacks. Other sources agree that attacks are dramatically
increasing. Verisign, a Virginia-based infrastructure and security company,
reported in the Verisign Distributed Denial of Service Trends
Report for the 2nd quarter of 2016 that that the frequency of DDoS
cyberattacks increased by 75 percent from the same period a year before.
Industry analyst Gartner estimated in a 2014 press release that
by 2020 more than 25 percent of identified attacks on enterprises will
involve IoT network devices.
Security systems are not immune. The September 2016 attack on
Krebsecurity.com and France-based Internet hosting firm OHV was
executed using over 140,000 network cameras and DVRs. The devices
were transformed into robotic attackers or “bots” by an infection of
the Mirai malware.
The Washington Post reported that 70 percent of the video cameras
across the U.S. capital were infected with ransomware. 123 of
187 NVRs had their data encrypted by the infection in the days prior
to the Trump Presidential Inauguration in January 2017. Other network-
enabled cameras and DVRs have been reported in the media
to secretly connect to sites in China. Data, video and images have reportedly been uploaded to these remote locations without the consent
or awareness of the user. Other cameras have been infected with
malware within seconds of being connected to the Internet, or as being
While there is reason for action and a need for more education,
there is no cause for panic as the security industry is responding. The
challenge faced by manufacturers of network-enabled security products—
including surveillance cameras—is to balance ease of installation
and ongoing operation with the protection of the device, the
network and the connected infrastructure.
A product with extremely strong cybersecurity protection may
turn away customers by being too restrictive or complex for their
needs. Conversely, a product that is exceptionally easy to setup and
use may be a gateway to cyberattack.
Finding the balance between these two factors while meeting the
requirements of IT is a challenge to be solved by manufacturers.
Arecont Vision relies on its in-house developed Massively Parallel
Image Processing architecture and FPGA (field programmable gate
array) technology to eliminate or mitigate cybersecurity risks and enable
camera updates. The company also takes that further by developing
its own feature and not licensing third-party code for core
features. This eliminates the risk of hidden backdoors or of malicious
code lurking unsuspected and undetected. Other manufacturers will
have their own approaches to cybersecurity.
Being prepared is the best cybersecurity defense, regardless of the
products used. The following dozen recommendations are starting
points for any security organization formulating their own cybersecurity
Choose products that provide security protection while balancing
the user experience. Only devices that include basic security protection
such user IDs and 16 digit ASCII passwords should be allowed
on the network. The administration interface must balance ease of
installation with adequate cybersecurity protection, without making
the device unduly complicated to use and manage.
Segregate the network. Good design policy is to separate and
firewall cameras, access control, alarm, sensors, and IT systems onto
individual networks or sub-nets. Sharing a single network between
different applications increases the risk of both performance issues,
and both exposure to and the success of a cyberattack. Eliminating
unnecessary connections to the wider corporate network and to the
global Internet can also reduce the risk of successful cyberattacks.
Update firmware. All cameras, servers, NVRs/DVRs, storage devices,
switches, routers, WiFi access points and any other networkconnected
devices should be regularly updated with the latest available
manufacturer firmware to eliminate security holes. No device
that cannot be fully updated with new security measures, features or
enhancements should ever be connected to the network, and a policy
should be enforced to ensuring such updates are performed.
Limit authorization and access to only those who need it. Limit
physical and network access to individual systems, data and infrastructure
to only those who require that access. Enforce password
changes on an appropriate cycle and with any departure of employees
and contractors formerly with access.
Change default password settings. An increasing number of cyberattacks
are made using default IDs and passwords. Cameras, DVRs
and other security systems now join computers, storage and security
systems as potential network access points for a cyberattack, and often
have less security included.
No device should be allowed to connect to the network until the
default user ID and password have been reset after commissioning.
Organizations should have a strong password policy that defines
password rules and frequently requires password changes. Use a secure
password management system to keep track.
Virus scan any device or media before attaching it to the network.
All computers and media used to install or update network cameras,
servers, NVRs or storage devices should be virus scanned with up-todate
protection/detection software for malignant code before being
connected to or loaded into a shared network.
Apply special protection to cameras covering sensitive areas and
limit access. Laws limit where video recording can occur, what can be
recorded, what use can be made of it, and even who can view it. The
security system designer needs to be an expert on these local requirements
and adhere to them.
A good policy is to never install a camera anywhere you would
not want others to see the scene being covered. Sensitive areas or
personal space may not be the best choice for a camera location, particularly
with the risk of a cyberattack.
Educate your team. Employees need to be aware and educated
of the risks and challenges of cybersecurity prevention, detection,
mitigation and recovery in advance of an incident. Accidental or unintentional
exposure is major risk factor in exposing a business or
organization to cyberattack, and education is the best defense.
Integrate and follow IT and security department guidelines for devices
and access. Integrate with established IT and security department
guidelines. Follow industry guidelines, policies and regulations
as best practices to address everything from remote access, cloud networks,
unsecured networks, Bring Your Own Device (BYOD) policies,
network monitoring and data safekeeping.
Conduct regular cybersecurity reviews and assessments. Both the
IT and security departments should conduct regular cybersecurity
reviews and assessments of their infrastructure, systems and policies
throughout the year.
Preplan for cyberattack responses. Many organizations have risk assessment
and response strategies, designed for a wide range of potential
disasters and catastrophic events. Cybersecurity needs to be included
to deal with mitigation and recovery in the event of any incident.
Build and keep a disaster recovery up to date. Have a disaster recovery
plan in place before a catastrophic failure or data breach occurs.
Be sure to keep the plan up to date. Consider making commercial
cybersecurity insurance part of the program.
Establishing these types of security policy recommendations, tailored
to fit the needs of the organization, will prevent many cybersecurity
risks and help to mitigate the impact of those that are not.
Employee education is also of critical importance. Organizations
such as the Security Industry Association, ASIS International, the
Cybersecurity Policy and Research Institute, the Electronic Privacy
Information Center, and many colleges and universities are among
many that offer actionable information on cybersecurity. They are
excellent places to start learning more about how
to protect an organization.
By taking these actions, organizations can be
well on their way to cybersecurity awareness and
This article originally appeared in the May 2017 issue of Security Today.