For many businesses and organisations across the UK that have CCTV cameras on the corporate network, those networked cameras are fast becoming the most vulnerable devices on the network in terms of the risk of cyber-attack by malicious actors.
It is said that human beings are the biggest risk factor for businesses when it comes to hackers, but could there be another, equally dangerous threat lurking in the IT shadows in your business?
There are five key reasons for the increasing vulnerability of CCTV systems:
- Surveillance cameras today have much more in-built data storage and processing power than they used to have. They are effectively mini-PCs in their own right. If they can be penetrated by hackers, malware could be uploaded into them and from there spread across an exposed corporate network. Alternatively, compromised cameras can become the devices through which valuable corporate data is extracted from an organisation’s systems.
- As the cyber security threat landscape has become more complex and exploit types have simplified and proliferated, cyber security protection has become a much more specialist job, demanding expensive cyber specialist skills which need regularly updating. Many firms simply cannot retain these skills within existing IT budgets. IT managers in many organisations up and down the country often no longer have the up-to-date cyber skills needed to properly manage the array of threats to their ever-expanding networks.
- There tends to be a disconnect between the network/IT managers in many organisations and the FM and/or security departments which look after the CCTV systems day-to-day. This disconnect raises the risk that surveillance cameras will not be subject to the same patching and updating rigour as other networked devices. They can simply get forgotten.
- Network cameras increasingly have a capability to ‘call out’ to the manufacturer’s servers for the enablement of additional, usually cloud-based, functionality or services. Not all manufacturers will first require consent or action for this to take place and therefore some devices can immediately present a security risk when added to the network. What is the security posture of the manufacturer’s servers? Can they be trusted? Is it documented and does it conform to security standards such as SOC-2 or implement methodologies around OWASP, for example? In addition, there is increasing concern that certain manufacturers’ call-out functions contain backdoors which can be exploited by a nation state.
- Most network cameras contain open-source packages on their (typically Linux) operating systems. Their operating systems are usually cut-down versions of either open-source or commercially maintained Linux distributions. They will all contain software applications, such as web servers, which are maintained by the Linux community and not by the manufacturer. This can lead both to slow turnover of cybersecurity patching by the manufacturer and to an early cybersecurity end-of-life for the camera when a package is no longer maintained by the community and the manufacturer does not replace it.
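The 'call out' behaviour described above is something a defender can look for directly in firewall or flow logs: a camera should only ever talk to its video management system (and perhaps an internal time source), so any other destination, internal or external, is worth a ticket. The script below is an added example written for this article, not code from NW Security or any camera vendor. The camera subnet, the allowed VMS and NTP hosts, and the log lines are all constructed assumptions; the log format mirrors a generic syslog-style connection record rather than any particular firewall's output.

```python
import ipaddress
import re

# Constructed assumptions: the dedicated CCTV subnet and the only hosts/ports
# a camera legitimately needs to reach (VMS recorder for RTSP/HTTPS, internal NTP).
CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("10.20.0.10"): {554, 443},  # VMS recorder
    ipaddress.ip_address("10.20.0.5"): {123},        # internal NTP
}
# Address space the organisation considers internal (RFC 1918, assumed).
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines (not real firewall output). 203.0.113.0/24 is a
# documentation range standing in for a manufacturer's cloud endpoint.
SAMPLE_LOGS = """\
2024-03-01T09:12:01Z fw01 ACCEPT src=10.50.0.21 dst=10.20.0.10 proto=tcp dport=554
2024-03-01T09:12:05Z fw01 ACCEPT src=10.50.0.21 dst=10.20.0.5 proto=udp dport=123
2024-03-01T09:12:09Z fw01 ACCEPT src=10.50.0.33 dst=203.0.113.40 proto=tcp dport=443
2024-03-01T09:12:12Z fw01 ACCEPT src=10.50.0.33 dst=10.10.4.7 proto=tcp dport=445
2024-03-01T09:12:15Z fw01 ACCEPT src=10.10.4.7 dst=198.51.100.9 proto=tcp dport=443
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_RANGES)


def classify(src, dst, dport):
    """Return None for an expected flow, otherwise a short reason string."""
    if src not in CAMERA_SUBNET:
        return None  # not a camera; this check only looks at camera-originated flows
    if dst in ALLOWED_DESTINATIONS and dport in ALLOWED_DESTINATIONS[dst]:
        return None
    if not is_internal(dst):
        return "camera calling out to an external host"
    return "camera reaching an internal host outside the allow list"


def find_unexpected_flows(log_text):
    """Parse connection records and return the camera flows that break policy."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that are not connection records
        src = ipaddress.ip_address(match.group(1))
        dst = ipaddress.ip_address(match.group(2))
        dport = int(match.group(4))
        reason = classify(src, dst, dport)
        if reason:
            findings.append({"src": str(src), "dst": str(dst),
                             "dport": dport, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_flows(SAMPLE_LOGS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

Run against the sample, the script reports the camera at 10.50.0.33 twice: once for the outbound connection to the external address (the 'call out' to a manufacturer's server, or something pretending to be one) and once for reaching a file-sharing port on an internal workstation, which is exactly the lateral movement the list above warns about. The workstation's own outbound connection is ignored because it does not originate from the camera subnet. In practice the allow list would be generated from the VMS configuration rather than typed by hand.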
Cyber security is gaining awareness at board level
Fortunately, cybersecurity is a topic which has finally made it all the way into the boardroom. No networked corporate system is immune from the scrutiny of the director in charge of keeping systems secure from ransomware, Distributed Denial of Service (DDoS) and other cyber-attacks.
Major household-name companies have been damaged by data breaches over the last few years, including Nintendo, easyJet, Yahoo, Equifax, LinkedIn, Twitter, the NHS and the Marriott group. Hacks and breaches have become a reality for many, and they became highly visible to the outside world from 25th May 2018 onwards when the UK GDPR went live, forcing companies to report data breaches.
The Data Protection Act 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. Data protection became a whole lot more important as picking up a fine which could permanently damage a company’s finances loomed large; while company reputations have become increasingly challenged through much more mainstream news reporting of cyber breaches, and swift proliferation of negative news reports via social media platforms.
And in IT departments as well
There is a growing realisation by more IT departments that securing all devices on their network is a bigger job than many can manage consistently. NW Security noted that a recent rise in interest in accreditation for Cyber Essentials Plus has served to raise awareness of the vulnerability of CCTV systems which are increasingly attached to the corporate network.
Cyber Essentials Plus demands that companies bring in an independent penetration testing specialist to run an internal penetration test. These tests, all too often, highlight the heightened threat of a cyber-attack from CCTV cameras, particularly those which have not been updated with the latest firmware updates and are therefore easier to penetrate by hackers.
A Cyber Essentials Plus internal penetration test can also force an organisation to improve its systems and processes in order to pass the test, strengthening its cybersecurity posture in the process. The problem does not exist in isolation for network cameras or software-based video management systems.
NW Security often finds, in the diagnostic work it carries out when it begins working with customers, that a firm's CCTV cameras are simply attached to the corporate network like any other workstation or network printer.
However, it makes far more sense for CCTV cameras to be ringfenced from the rest of the corporate network by setting up a separate VLAN (Virtual Local Area Network) for them and their associated video management systems. A VLAN offers a logical separation from the rest of the corporate network, which limits the damage if a CCTV camera is hacked. This separation comes close to replicating the key advantage of traditional analogue CCTV systems, which existed in splendid isolation from the corporate network prior to their migration onto it in recent years.
Best of Breed Approach to Manufacturer Selection
NW Security Group goes further and only specifies hardware and software vendors which have robust firmware and cyber protection updating regimes. There are only a handful of camera manufacturers and video management software (VMS) providers fully transparent and committed to keeping their devices and software fully up to date in terms of cyber protection.
We work closely with those vendors, such as Axis Communications and Milestone Systems, while warning against firms which do not have a robust firmware or software updating regime. How often do you get updates from Microsoft for your Office 365 suite or to keep your desktops secure? Try counting the number of times your PC auto-requests a software update cycle next month. Recently, as Windows 11 operating system upgrades have been going through, there have been several updates each month. Many of these contain security patches. And if you work with Linux you'll be used to seeing security patches dropping in almost every day!
This sort of firmware updating regime needs to be applied all the way through to your network cameras and VMS in our view. If you haven’t had a firmware update on your CCTV cameras for two years or more, your CCTV system WILL be exposed to greater risk of penetration by malicious actors – it’s that simple.
It's also a fallacy to think that vulnerable devices on a 'protected' internal network pose no risk. We come across this excuse frequently and this thinking is dangerous. Insider risk can be as important to understand and prepare for as network penetration by external hackers. The human factor is always the trickiest to work around, and if an external hacker does find a way in, they will go straight for the most vulnerable devices on the network. It is no longer safe or sustainable to allow your systems, any system, to fall behind in security patching.
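The two concrete rules this article gives, a dedicated VLAN for the cameras and no camera left more than two years without a firmware update, are easy to turn into a recurring audit over whatever asset inventory the IT team already keeps. The following is an added example written for this article, not a tool from NW Security or from any vendor named here. The inventory records, the VLAN number and the firmware version strings are constructed; the only value taken from the article is the two-year threshold.

```python
from datetime import date

# Constructed inventory export (not real customer data). Each record carries the
# VLAN the device sits on and the release date of the firmware it is running.
INVENTORY = [
    {"name": "cam-lobby-01", "ip": "10.50.0.21", "vlan": 50,
     "firmware": "11.8.61", "firmware_date": "2024-01-15"},
    {"name": "cam-yard-02", "ip": "10.10.4.40", "vlan": 10,
     "firmware": "9.80.3", "firmware_date": "2021-06-30"},
    {"name": "cam-dock-03", "ip": "10.50.0.33", "vlan": 50,
     "firmware": "10.12.0", "firmware_date": "2022-02-01"},
    {"name": "vms-recorder", "ip": "10.20.0.10", "vlan": 20,
     "firmware": None, "firmware_date": None},
]

CAMERA_VLAN_ID = 50              # assumed dedicated CCTV VLAN
MAX_FIRMWARE_AGE_DAYS = 2 * 365  # the article's two-year rule of thumb


def firmware_age_days(firmware_date, today):
    """Days elapsed since the running firmware was released."""
    return (today - date.fromisoformat(firmware_date)).days


def audit_cameras(inventory, today):
    """Return (device name, [issues]) for every camera that breaks a rule."""
    findings = []
    for dev in inventory:
        if not dev["name"].startswith("cam-"):
            continue  # only cameras are in scope for these two rules
        issues = []
        if dev["vlan"] != CAMERA_VLAN_ID:
            issues.append(
                f"on VLAN {dev['vlan']} rather than the dedicated CCTV VLAN {CAMERA_VLAN_ID}")
        if dev["firmware_date"] is None:
            issues.append("firmware release date unknown; cannot assess patch level")
        else:
            age = firmware_age_days(dev["firmware_date"], today)
            if age > MAX_FIRMWARE_AGE_DAYS:
                issues.append(
                    f"firmware {dev['firmware']} is {age} days old (limit {MAX_FIRMWARE_AGE_DAYS})")
        if issues:
            findings.append((dev["name"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_cameras(INVENTORY, date(2024, 3, 1)):
        print(name)
        for issue in issues:
            print(f"  - {issue}")
```

With the audit dated 1 March 2024, cam-lobby-01 passes on both counts, cam-yard-02 fails both (it sits on the general office VLAN and its firmware is over two and a half years old), and cam-dock-03 is correctly ringfenced but has just crossed the two-year line. Keeping the date fixed as a parameter rather than reading the clock makes the audit repeatable and lets the same inventory be checked against a future date to see which devices will fall out of compliance next.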
See the Axis Cybersecurity Hardening Guide on our resources page.
Beware of upfront cost-driven buying
All too often, we see companies which have a very tight budget for CCTV system upgrading. When budgets are squeezed, they tend to go in the direction of low-cost devices and software which is, all too often, inherently insecure.
Companies just need to think slightly more long-term when making this investment, asking the question ‘what is the likely Total Cost of Ownership of this new system?’ Are you in fact buying a future problem which will expose your company to much greater risk and cost down the line? These are the sorts of challenging questions decision-makers should consider.
Finally, in an increasingly ethically conscious and Environmental, Social and Governance (ESG)-focused business world, it also makes sense to think about the total cost of any new CCTV system to the environment. The focus must be on specifying, recommending, building and maintaining CCTV systems which can be cyber-secured for the long term, and which are capable of being upgraded and updated as new video analytics capabilities reach the market and security patches come out.
Networks change over time, both intentionally and unintentionally, and the addition of cameras and video recording software can sometimes fly under the radar of IT teams. Stakeholders need to ensure that IT departments are aware of all additions to the network and have the time and resources to apply the necessary cybersecurity measures for the continued safe operation of the business.