The 3 ‘Ps’ of Video Surveillance Cybersecurity Fundamentals
Experts weigh in on their top advice when it comes to video surveillance and cybersecurity issues.
The perennial issue of cybersecurity is unlikely to go away in our lifetime. And when it comes to the security industry, video surveillance technology can be some of the most vulnerable to bad actors. Luckily there are commonsense measures experts say integrators can take to help mitigate the risk for themselves and their customers — whether they look to the integrator to be the expert in these things, or they are more cyber-savvy with a long list of requirements either driven by regulatory concerns or their own internal rules.
“Strengthening cybersecurity requires a focus on three fundamental areas: aligning with the core pillars of security (confidentiality, integrity and availability — CIA); ensuring end-to-end data security; and embracing proactive security management,” says Kristin Plitt, vice president of marketing and sales development, IDIS Americas, Coppell, Texas. “CIA principles must be integrated into every aspect of system design and deployment.”
That isn’t to say it will be easy, she adds. “There are challenges. The rapid expansion of IoT devices has created new vulnerabilities, particularly in managing confidentiality and integrity. Each connected device represents a potential entry point for cyberattacks, making it harder for organizations to maintain a secure environment. Legacy systems present an additional hurdle. Many older systems were not designed to meet modern cybersecurity standards, which increases risks to both availability and data integrity.”
SDM spoke with several industry experts about what they would consider to be their top three “cybersecurity fundamentals.” While each had slightly different orders and ways of explaining it, the basic advice can be put into three main buckets: processes, protocols and people.
Processes: Choosing & Hardening the Right Devices
Will Knehr, senior manager of information security and data privacy for i-PRO Americas, Houston, says device hardening would be his starting place. This includes things like turning off unused ports, encryption and changing default passwords.
“A lot of devices are put out with everything turned on,” he says. “I look at it like this: every service port that you have turned on is sort of like leaving a window or a door in your house open. It creates a potential entry point for bad actors to take advantage of. For example if you don’t need the file transfer protocol on your device, then turn it off.”
Encryption is another big one, Knehr says. “Things like usernames, passwords or any recorded data that is stored on the device itself should all be encrypted, and the data that comes off of that device should be encrypted as well.”
There are tools out there that allow people to monitor what is going on and pull data off a network, intercept it and replay it back to the device, he warns. “So they can do things like change configurations, move or turn off a camera, whatever they want to do to a device.” Encrypting makes that more difficult.
Default passwords are another thing to watch for. “I know a lot of integrators use the same credentials over and over again on projects, so it’s important to make sure they are changing those back before they leave,” Knehr says.
Finally, lifecycle management is a critical piece of the equation, Knehr adds. “We see this a lot where people will deploy the devices but they will never go back and update the firmware on them.” A lot of manufacturers fix vulnerabilities and update the firmware, but that only helps if it is implemented on the customer’s end.
“The biggest example of this was the Mirai Botnet attack,” Knehr says. “It was the most prolific, impactful IoT attack ever. They gained hold of somewhere between 600,000 and 1 million IoT devices, depending on which article you read. And the weirdest thing about that was the vulnerability was patched two years before the attack was recognized or realized. If people had just been updating their firmware they wouldn’t have been affected by it.”
Satish Raj, chief technology officer at Pro-Vigil, San Antonio, Texas, agrees. “If you look at the weakest link here, it is usually the IoT element at the edge. Those are the ones people typically buy off the shelf and forget about things like security patches. Simple things like managing firmware patch updates or a firewall can make a significant difference.”
Along with these examples, another piece of advice is to make sure you choose the manufacturer that can best help you implement all these measures and keep up to date with vulnerabilities.
“In my experience, surveillance equipment is the weakest link in cybersecurity for video surveillance systems,” Raj says. “Integrators and dealers should closely scrutinize the equipment that they deploy.”
Knehr adds, “I would encourage integrators to do vendor risk assessments. Whatever manufacturer you are working with, ask them how they are securing their devices. Ask them how they are securing the supply chain. Ask, when they are vetting new products to put on their cameras, how are they making sure they are secure?”
Aaron Saks, director of product training, Hanwha Vision America, Teaneck, N.J., calls this a “foundation built on a supply chain of trust and based on working with a trusted manufacturer to ensure that anything you’re putting on your network is vetted and tested. … Integrators should focus on finding trusted partners who can provide comprehensive, secure solutions tailored to the customer’s needs, rather than just selling individual products.”
In some cases, the right manufacturer can make some of the other recommended processes even easier, Saks adds. For example, some manufacturers will make their products secure by default, he says, “Meaning that the camera’s out-of-the-box settings are already the recommended settings to make operation easier for users, and easier for integrators to give them the best advice.”
Raj adds that all of this advice may seem “basic” but it is the best place to start, and one that many integrators might tend to overlook in favor of more cutting-edge tools. “Any integrator should start by putting in place basic device (equipment) security measures. If you’re new to this, or you’re looking at how to get quick ROI from security measures, start with the equipment. Something as simple as updated firmware can make a significant difference in your security posture.”
Wayne Dorris, program manager, cybersecurity, Axis Communications, Chelmsford, Mass., agrees. “Cybersecurity should be seen as an ongoing process, not a feature. Cybersecurity is a shared responsibility, and integrators play a vital role as the bridge between the end users and the manufacturer, ensuring that the security requirements of the end user — such as password policies, encryption requirements and user management protocols — are implemented correctly across the devices and solutions provided. By adhering to these requirements, integrators help create a secure environment that not only meets the end user’s needs and complies with industry best practices, but also ensures alignment between the manufacturer’s technology and the user’s organizational policies.”
Protocols: Use the Best Technology & Network Architectures
Beyond just choosing the right manufacturer to work with, there are also technologies that can make cybersecurity easier — or more difficult — as well as ways of implementing the system that promote better cyber-hygiene, according to the experts.
Technology involves both the hardware and software used in the video surveillance system itself, Dorris says. “Secure devices, like cameras and recorders, as well as secure network infrastructure, are essential to protect video data from cyber-threats. Strong encryption, authentication and network defenses help safeguard the system from attacks.”
In order to do this, integrators must stay informed about new technologies, protocols and capabilities in new video surveillance products, Dorris adds. “As technology evolves, so do potential threats, and integrators need to ensure they’re working with up-to-date tools. For instance, implementing device management platforms can help end users maintain good cybersecurity hygiene by regularly monitoring and updating security devices across their networks.”
Some newer technologies, however, can be double-edged swords when it comes to cybersecurity.
“AI-powered threat detection is emerging as a significant help, enabling real-time identification of unusual network activities and potential breaches,” says Tim Palmquist, vice president, Americas, Milestone Systems, Oswego, Ore. “Cloud-based solutions and video security as a service (VSaaS) are also proving beneficial, offering automated security updates and sophisticated encryption options. However, the increasing connectivity of devices and expansion of IoT in video systems is creating more potential entry points for attackers.”
Mathieu Chevalier, principal security architect and manager, Genetec, Montreal, says that, on the whole, cloud is still a net positive. “You get some free stuff with the cloud. In terms of cyber, I mean that it’s typically easier to keep your system updated.”
Plitt suggests that AI-driven analytics are playing an increasingly important role in cybersecurity. “They enhance system availability by enabling rapid threat detection and real-time response to potential vulnerabilities,” she says. “This proactive capability is essential in today’s fast-paced security environment, where even minor delays in threat identification can lead to serious consequences.”
When it comes to networks themselves, Knehr says it is important to segment networks to ensure that IoT devices are separated from the rest of the production network. “The thought process there is twofold,” he says. “One is so that if someone does take advantage of a security system, they can’t control across the network and go into the production side of the house. The most famous example of that was the Target breach. They came in through a backend vendor and were able to eventually get credit card data and all kinds of other information. The other is that people trust us to deploy a security system to make them more secure and the last thing you want to do is introduce a vulnerability into their networks. But that also goes both ways, because if the production network is compromised you don’t want to lose your security systems, either.”
Chevalier says another tech practice that is just starting to be utilized in the security industry is identity certificates. “Traditionally, we use passwords for authentication. But the thing is that passwords are meant for human to machine authentication. So you’re in front of your website, you want to prove it’s you, so you enter your passwords. Now strangely, in our industry, when a VMS system wants to authenticate to a camera, you use password. So for machine to machine authentication, we still use something called a password that is not meant really to be used like that. It’s more for human to machine. So the solution is a strong identity certificate. It’s something that is stronger and that you don’t need a human to memorize [something]. So I see a trend for this to improve.”
This type of thing is still in its infancy, however, he says. “All actors in the ecosystem need to support it for that to work. With Genetec we are supported with two or three camera manufacturers but not the hundreds of others that haven’t implemented it yet,” Chevalier explains. It is definitely something to watch for in the future, however.
Another protocol that is getting more popular is Zero Trust architecture, a security framework that considers anyone or any other system not trusted by default and requires verification and authentication before allowing access to any system or data.
“Ultimately, addressing these challenges requires a combination of adopting advanced technologies and phasing out outdated systems,” Plitt says. “By leveraging solutions like Zero Trust architecture and AI-driven analytics while remaining vigilant about IoT vulnerabilities, organizations can significantly strengthen their cybersecurity posture.”
People: Make Cybersecurity a Way of Life
Anyone with any knowledge of cybersecurity or IT will tell you the No. 1 threat is the human element. That is why the most often cited and best advice revolves around the people who are implementing and using the systems.
One of the first and best courses of action is training. “Addressing the human factor requires structured cybersecurity training for employees, ensuring awareness of phishing risks, password hygiene, and response protocols for potential breaches,” Palmquist says. “Combining technical measures with consistent education builds a resilient defense.”
But not just any cybersecurity training will do, Knehr advises. “Invest in cybersecurity training and have it be a regular part of your cadence. But make sure you are getting tailored cybersecurity training to this industry. You don’t need to do something like Top Tier Security Plus because that is probably going to be a little too much.”
The important thing is to start somewhere, he adds. “Have some sort of regular cadence, even if it is once a year, or as I prefer, the elephant analogy of taking one bite at a time and do a little bit every month.”
Dorris puts people and training as his top piece of cybersecurity advice. “Ensuring that everyone understands and is trained on security best practices — e.g. using strong passwords and recognizing potential threats — helps prevent human errors that can lead to security breaches,” he says. “Training and awareness are critical for integrators. … Certifications such as the SIA Security Industry Cybersecurity Certification (SICC) are an excellent starting point for installers. This certification provides essential knowledge and can help create a foundation for secure system installation. Additionally staying up to date with training on key manufacturer products and solutions is very important.”
Chevalier adds, “If you just want basic cybersecurity, start by implementing best practices and getting more knowledgeable about it. Do some training. Maybe you will realize when you dig into it, it’s not rocket science, at least at the basic level.”
Another important people factor is doing regular penetration or similar testing.
“Integrators and dealers should focus on fostering a culture of cybersecurity awareness and transparency,” Palmquist says. “Regular audits and collaboration with ethical hackers can proactively identify risks. By championing both technical and educational initiatives, integrators can empower clients to safeguard their systems effectively while enhancing their own reputation for trustworthiness.”
Plitt agrees. “Proactive cybersecurity means staying ahead of threats. Regular vulnerability assessments and penetration testing are critical to uncovering weak points before they become issues.
“Integrators should prioritize conducting comprehensive cybersecurity audits,” she adds. “These audits can help identify vulnerabilities and ensure that systems align with the core cybersecurity pillars of confidentiality, integrity and availability as well as Zero Trust principles. A thorough audit evaluates network segmentation, access controls, firmware updates and data encryption practices, providing a clear path to strengthening system security.”
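The audit items listed above (network segmentation, firmware updates, encryption) and the hardening steps from the Processes section (unused services, default passwords) can be checked mechanically against a device inventory. The following is an added example, not code from the article or from any vendor quoted in it; the policy values, model names, addresses and inventory records are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Site policy: constructed values for this example, not taken from the article.
CAMERA_SEGMENT = ip_network("10.20.0.0/24")      # dedicated surveillance VLAN
REQUIRED_SERVICES = {"https", "rtsps"}           # anything else counts as unused
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "rtsp"}
LATEST_FIRMWARE = {"cam-a": (2, 4, 1), "nvr-b": (5, 0, 3)}  # hypothetical models


@dataclass
class Device:
    name: str
    model: str
    ip: str
    firmware: tuple
    services: frozenset
    default_password: bool
    storage_encrypted: bool


def audit(dev):
    """Return a list of (code, detail) findings for one device record."""
    findings = []
    unused = sorted(dev.services - REQUIRED_SERVICES)
    if unused:
        findings.append(("UNUSED_SERVICE", ", ".join(unused)))
    cleartext = sorted(dev.services & CLEARTEXT_SERVICES)
    if cleartext:
        findings.append(("CLEARTEXT_TRANSPORT", ", ".join(cleartext)))
    if dev.default_password:
        findings.append(("DEFAULT_PASSWORD", "factory or installer credential still set"))
    if not dev.storage_encrypted:
        findings.append(("STORAGE_UNENCRYPTED", "recordings and credentials at rest"))
    latest = LATEST_FIRMWARE.get(dev.model)
    if latest is None:
        # No baseline is a finding in itself: the device cannot be shown current.
        findings.append(("FIRMWARE_UNKNOWN", f"no baseline for model {dev.model}"))
    elif dev.firmware < latest:
        have = ".".join(map(str, dev.firmware))
        want = ".".join(map(str, latest))
        findings.append(("FIRMWARE_OUTDATED", f"{have} < {want}"))
    if ip_address(dev.ip) not in CAMERA_SEGMENT:
        findings.append(("NOT_SEGMENTED", f"{dev.ip} outside {CAMERA_SEGMENT}"))
    return findings


def audit_inventory(devices):
    """Map device name -> list of finding codes (empty list means compliant)."""
    return {d.name: [code for code, _ in audit(d)] for d in devices}


# Constructed sample inventory.
INVENTORY = [
    Device("lobby-cam", "cam-a", "10.20.0.11", (2, 4, 1), frozenset({"https", "rtsps"}), False, True),
    Device("dock-cam", "cam-a", "192.168.1.50", (2, 1, 0), frozenset({"https", "rtsp", "ftp", "telnet"}), True, False),
    Device("main-nvr", "nvr-b", "10.20.0.5", (5, 0, 3), frozenset({"https", "rtsps", "ftp"}), False, True),
]

if __name__ == "__main__":
    for name, codes in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(codes) or 'OK'}")
```

In practice the inventory records would come from a device management platform export rather than being typed by hand, and the firmware baseline from the manufacturer's release notes.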
At the end of the day, cybersecurity is everyone’s problem, and it is incumbent on everyone in the chain to help solve it, Dorris says. “The key action that integrators and dealers should take this year is to ensure that cybersecurity requirements are clearly defined and verified at the outset of any project. It’s essential to align all stakeholders — the end customer, integrator and manufacturer — early on to ensure everyone is on the same page. After all, cybersecurity is a shared responsibility, and each party must fulfill their role to create a safer, more secure environment.”
Doing so not only benefits the customer, but also puts the dealer and integrator in a position of trust, Plitt adds. “End users often underestimate cybersecurity risks until an incident occurs. By educating customers on secure deployment practices and the long-term benefits of robust systems, integrators can help mitigate risks while highlighting the value of investing in security. This includes showing how secure systems protect sensitive data, ensure operational continuity and reduce liability.
“In an evolving threat landscape, integrators who take these steps will stand out as trusted advisors, ready to guide their customers through the complexities of modern society.”
The Potential Threat of AI
Of all the newer technologies, AI is uniquely positioned to be both a possible help and a potential threat when it comes to cybersecurity. Will Knehr of i-PRO Americas says this is the one that keeps him up at night.
“We’ve got all kinds of different advanced detection and different AI systems that are going into these devices,” he says. “And a lot of folks that are developing these analytics aren’t actually doing any kind of security or vulnerability testing on them. Any time you put something like an analytic onto a camera system, it has to run off of something. So oftentimes what I’ve seen is they’re running off older versions of software because they’re just developing the analytics to work and not really considering the security implications of it. So now you’ve put this great analytic onto this camera system that can detect whatever it is you’re trying to do with this device. But it has now introduced a cybersecurity vulnerability into it because it’s running off of this old version of Apache or this old Java or whatever. So that does scare me. I think a lot of folks are deploying these tools onto these camera systems and not considering the security implications of it, not doing the proper penetration testing, software testing, or hardening portion of the house.”
Wayne Dorris of Axis Communications shares similar concerns.
“AI is both helping and hindering cyber efforts of video surveillance. AI is helping to defend networks by discovering anomalous processes or intrusions on networks that in the past may have been overlooked. [But] AI is also hindering cybersecurity, particularly video integrity. The proliferation of deep fake videos and the use of AI for phishing presents challenges if video authenticity methods are not used to properly discern what was a real video versus what is faked by AI. While some manufacturers do have methods for video authenticity, more needs to be done by the video surveillance industry as a whole.”
Source: SDM Magazine