Lack of cybersecurity of video systems made headlines in 2016. The Mirai cyberattack that year impacted Internet service on the East Coast of the United States and kept several high-profile websites offline. Cybersecurity attacks later in the day were more global in nature.
The cyberattacks were carried out by a botnet, a network of bots, which are software applications (in this case, computer viruses) that communicate with each other and run tasks automatically over the Internet.
Bots can infiltrate unprotected computers and then use the computing power of their ‘hosts’ to carry out various kinds of cyber-attacks on other Internet targets. In the case of the Mirai attacks, a hidden army of bots worked together to bombard various websites with so many bogus requests that the sites became overwhelmed by the volume of traffic and could not respond to legitimate requests. It’s called a denial of service (DDS) attack.
Many of the attacking bots were hosted by IP-enabled cameras and digital video recorders (DVRs). In other words, the bots used the computing power of our industry’s video products to launch the headline-grabbing cyberattack.
Many of the attacking bots were hosted by IP-enabled cameras and digital video recorders
Since 2016, awareness of cybersecurity for video systems has grown. Today, it is understood that video solutions should be designed to safeguard communication between trusted devices, ensure that video in transit (streamed) or in storage remains encrypted, and any commands and configurations to control cameras and other devices are transmitted via a secure channel (HTTPS).
Some basic best practices can go a long way to improving the cybersecurity of video systems. A small change is to remove default passwords from products and software, and to avoid using ‘guessable’ passwords. All firmware should be encrypted to reduce the possibility of it being downloaded from the manufacturer’s website and deconstructed. Use of a secure operating system that is regularly updated can protect against video tampering, altering, spoofing and snooping.
Video surveillance systems
Another precaution is to avoid remote login using Telnet or FTP, which are less secure. Finally, use of digital certificate provides assurance that data from a third party is true and not falsified. All data should be encrypted with digital certificates. Video manufacturers often provide ‘hardening guides’ to enable enterprises to protect their systems from potential cybersecurity threats.
Video manufacturers often provide ‘hardening guides’ to enable enterprises to protect their systems from potential cybersecurity threats
Free downloadable guides and other resources provide specific recommendations on hardening video surveillance systems by applying proven cybersecurity initiatives. For example, the OnSSI Hardening Guide for Networked Video Surveillance Systems includes guidance on password strength, how to avoid poor password practices, collaboration with IT and HR departments and how to apply software and firmware security updates.
It also includes standard, advanced and enterprise cybersecurity best practices for cameras, servers and workstations and networks. Another cybersecurity requirement is data-at-rest encryption to ensure that data, such as stored video, is secure right down to the storage medium in which it is held. Hardware-level encryption, firmware protection for the hard drive, and instant, secure erasing technology allow devices to be retired with minimal risk of data misuse.
Despite the clear benefits, data-at-rest encryption lags other areas, such as network and endpoint security, in terms of the investment it currently receives. A Thales Data Threat report found that data-at-rest security was receiving some of the lowest levels of spending increases in 2016 (44%), versus a 62% increase for network and a 56% increase for endpoint security.