Implementing a Video Plan
Designing a security system with cybersecurity in mind
- By Stuart Rawling
- Jun 18, 2020
There’s a specific paradigm shift in the world of video that
might be bigger than the transition from analog to IP more
than 15 years ago.
Over the last decade, the emergence of the Internet of
Things (IoT) and a demand for more video data has changed the way
businesses operate. But as the rise in connectivity increases, so too
does the need for increased security for physical assets, networks, and
valuable corporate data. As a result, a dialogue between cyber, IT and
physical security is necessary to help leaders gain a greater knowledge
of how to best collaborate to ensure complete protection.
This is especially poignant for government security professionals
who must communicate with aligned internal departments to drive
strategies that help identify vulnerabilities in a more proactive manner.
The result of these conversations: A truly comprehensive approach
to security intelligence.
To maintain a high level of security and ensure business continuity,
government agencies seek solutions that help predict and identify
threats in real time. But often, there are too many alerts generated by
too many systems, and none of this data is integrated together and
therefore, not actionable.
Linking cyber and physical security together transforms data into
intelligence, which helps agencies connect the pieces of any situation together
and present a unified risk assessment to the right stakeholders. By
capturing and analyzing data in real time, government organizations gain
a visual representation of risks across the business while accessing information
related to the most critical events taking place. Not only does this
process enable a higher and more proactive level of protection, but it also
helps facilitate a plan of action based within unified intelligence.
No market more than the government segment is facing more
challenges in today’s business and security landscape. Security leaders
in this market have to focus on securing every single aspect of their
network infrastructure, which includes confirming software updates
and firmware on surveillance cameras are completed on-demand and
as available. In addition, as more and more physical security devices
become networked connected, encryption and vulnerability testing
are essential to ensure secure data transfer and storage.
With so much information captured on a daily basis, agencies need
to evaluate how to secure not only video data but also an entire video
surveillance system. In the past, this meant making sure best practices
were enforced so that an individual could not physically tamper with
a camera; however, now the focus also incorporates IT processes, such
as ensuring that no one can access the camera and its data via the network.
This marks quite a change from years past when cybersecurity
wasn’t part of any physical security conversation. But the adoption of
IP-connected devices makes a cyber attack a genuine possibility.
Within federal, state, and local governments, the combination of IT
and security teams, along with the involvement of procurement, has
made the decision-making and budgeting process more complex. However,
technology providers have learned much about the specific needs
of this market while maintaining the integrity of the product life cycle.
That’s where the strategic design of a solution that encompasses
video and the intelligence it can bring comes into play. In essence,
software providers have worked to maintain the demands of integrators
serving the government space and their end users by incorporating
several protocols that help guide interconnectivity and provide a
significant amount of protection against threats. This can be achieved
through several methods:
Understanding ownership. While many federal agencies employ
experts in the field of physical and cybersecurity, technology providers
must play a role in positioning these organizations to proactively detect
evolving threats. But this effort is not without its challenges. The identification
of stakeholders becomes critical early on when working on a project.
Agencies can make this easier by understanding who will be involved
in implementing a new video-centric solution across an organization.
Deciphering risk. Government organizations are constantly working
to determine risk factors, determining how to address various risk
factors with not only policies and processes, but also technology. These
organizations often look to integrator and manufacturer partners to
help identify the solutions that can address these various risk factors.
Video data is one area where this is essential. With so much information that needs to be protected, security leaders need to evaluate
how to secure not only video data, but also the entire video surveillance
system, which includes video management. This is where cybersecurity
protocols and guidance can come into play to help protect,
along with the design of products that better leverage these tools.
Identifying tools. One way to decipher risk is through the concept
of “security by design,” which is an approach to software and
hardware development that aims to make systems as free from vulnerabilities
and protected from attacks as possible. This is especially
important for devices that run on a network. But the design should be
coupled with additional touch points for monitoring the health of the
system, and government agencies are required to also provide ongoing
oversight of a network to protect critical information.
One tool that is commonly used to scan networks to identify issues
is NESSUS, an open-source network vulnerability scanner that
uses the common vulnerabilities and exposures architecture for
easy cross-linking between compliant security tools. The functions
include malware detection, configuration auditing, target profiling,
sensitive data discovery, and more.
There is a suite of other tools and hands-on penetration testing that
should be built into the product development lifecycle that continue to
identify potential vulnerabilities and ensure there are no “back doors”
into the system. Some other best practices include assigning various
user levels where possible to protect pieces of the system and being
diligent about ensuring the right level of access for the user. Finally, taking
steps to encrypt all communications between devices is essential.
This includes the way the video transmits to the operator workstation,
where it is stored, and all the connections between these various
locations; they must all be encrypted to ensure the most secure data
sharing capabilities are in place.
But this is just the tip of the iceberg. In order to fully identify the
right tools, it is essential to know the risk.
Examining the Supply Chain
A big part of the landscape for navigating cybersecurity protocols
across the government sector is adherence to the strict standards put
in place to protect the network, such as the use of IPV6, the Federal
Information Processing Standard (FIPS) 140-2, and (in access
control) the use of the Federal Government Identity, Credential and
Access Management (FICAM) standards. As a result of the nature
of today’s threats, the federal government has taken steps to ensure
these protocols are met and executed.
The National Defense Authorization Act (NDAA), which specifies
the budget and policies of the Department of Defense (DoD),
prohibits the purchase and installation of video surveillance equipment
from select Chinese companies in federal facilities. This act has
created a ripple effect across much of the security industry, as integrators
work to make sense of the products they can and cannot use for
In this regard, cybersecurity and national security go hand-inhand,
as the idea is to minimize the perceived risk moving forward.
One way some camera manufacturers have started to limit this risk
is by examining the supply chain and making adjustments on where
various components of a camera originate. Another is by engaging in a
General Services Administration (GSA) Schedule Contract used to sell
to federal agencies (as well as state and local government on occasion).
GSA also requires several requirements to be met, including country of
origin standards or compliance with the Trade Agreements Act (TAA).
Speaking the Language
Early in the design process, it’s critical for integrators and manufacturers
alike to understand the needs of the government space. This
means implementing measures that foster this communication.
Many integrator companies and security manufacturers are taking
the necessary steps to form internal task forces made up of cybersecurity
and former DoD professionals who have a working knowledge
of the demands of the government sector.
Part of this involves engaging with professionals that keep current
on the threats this market faces. For example, professional services
departments made up of network specialists, consulting, and deployment
specialists, are being formed to address some of the significant
challenges that federal agencies face as it relates to access.
Some of these individuals have top-secret clearances, meaning
they can access areas of a facility that are considered visually classified
and offer a significant amount of support beyond the traditional
integrator or installer. This makes a real difference in understanding
and being able to speak the language of a federal agency, IT department,
or security leader in this space.
A critical component for designing for data protection is engaging in
vulnerability testing of a system to evaluate the security risks in a software
system and reduce the probability of a threat. In the government
sector, for example, this includes STIG configuration (or the Security
Technical Implementation Guide).
STIGs are the configuration standards for DoD that contain technical
guidance to “lockdown” information systems and/or software
that might otherwise be vulnerable to a malicious attack. In essence,
this helps standardize network security protocols that aim to identify
vulnerabilities and address them before they become a risk. Building
these protocols into a product goes a long way in helping secure a
government organization’s systems.
Cyber threats continue to increase and evolve in sophistication, and
security leaders — both IT and physical — need to maintain a proactive
approach to mitigating this risk. As government entities continue
to embrace the connected world, new cyber vulnerabilities will come
to light. As a vendor in the video surveillance market, we are entrusted
to provide secure products and guidelines to safeguard solutions
from various types of risks, including cyber vulnerabilities.
One of the best ways to reduce network vulnerabilities associated
with video surveillance is to ensure strong levels of data protection.
Highly secure encryption and role-based access control are two capabilities
that elevate security while meeting the compliance requirements
of government agencies.
Government security leaders need to evaluate what parameters
work best for their specific environments while being cognizant of
emerging risks and how to proactively address them. Regardless of
the specific application, a secure, compliant video surveillance infrastructure
built on common cyber security protocols enable organizations
to maintain strict levels of cyber and physical security to ensure
physical and data security, protecting business, employees, and assets
along the way.
This article originally appeared in the May/June 2020 issue of Security Today.