Three Cybersecurity Risk Issues to Consider with Surveillance Systems
Connected physical security equipment, like networked surveillance cameras and smart access control systems, offer many advantages for facility and safety managers responsible for securing the premises of retail, industrial, government, and other organizations. Integrated IP-video recording systems with cloud-based recording and administration features are popular among users with little time to purchase and integrate different camera, cabling, and video storage hardware.
Research on this physical security slice of the Internet of Things (IoT) device market and real world events, however, show adoption of these systems introduces complex cyber risk issues.
In 2020, our Forescout Research Labs team set out to identify the top 10 riskiest IoT devices as part of an exhaustive study analyzing 8 million devices across more than 500 enterprise deployments. We looked at factors like the frequency and severity of vulnerabilities discovered in these platforms and unique risks posed by where and how they are typically installed. Physical access control systems were the riskiest class of devices. Building HVAC systems came in second, and connected camera systems came in third. The fact that in-demand physical security and camera systems claimed two of the top three categories shows the scale and stakes of cyber risk management around these systems.
These risks must be assessed and handled jointly, typically by otherwise very different teams focused on the safety of employees and facilities versus the security of corporate networks and data. Here are a few crucial principles to bear in mind.
A well-managed deployment is a secure deployment.
Who Will Own the Devices—and Their Attack Surface?
Physical and cybersecurity professionals need to collaborate more than ever because they are both accustomed to the relentless change and consequences of risks to business operations, particularly more than a year into the COVID-19 pandemic.
Connected cameras are a great example of where these worlds collide. A facility manager might have the authority to evaluate, purchase, and deploy cameras—working almost exclusively with the camera vendor to take delivery of the devices, install them via Wi-Fi on the network, and set-up credentials to remotely administer the system’s footage and recordings.
While this sounds like an isolated project, in reality each of those cameras add new computing devices to the network with their own operating system, IP stack, and other software features. Any of these can contain vulnerabilities or otherwise expand the total digital attack surface falling under cybersecurity teams’ responsibility.
A well-managed deployment is a secure deployment, so establish up-front who is responsible for data and imagery these devices gather, versus their security footprint. In practice, this means physical and cybersecurity teams identifying where cameras will be physically be installed and ensuring they have a grasp of which networks the cameras will need to access as part of the deployment. It is important to make sure network segmentation is in place isolating cameras and other IoT devices away from more sensitive facility equipment and IT assets.
Keep an Eye on Third-Party Risk
Today, the reality with connected cameras and other physical security controls is you are seldom buying just a camera, badge reader, metal detector, or other hardware. There is usually a private cloud or other networked function embedded by the equipment’s manufacturer. Sometimes, this connectivity is an active feature set—like the ability to view and manage devices on the fly from a mobile app. Other times, connectivity is more hidden. A vendor may require the device to access the Internet through your network for things like warranty eligibility or product updates.
The common denominator is you end up opening your network to an entire third-party ecosystem, whether you realize it or not. Users ignore this risk at their peril; it cannot go unmanaged.
In the case of the recent Verkada camera breach, for example, an intruder was able to obtain login credentials that let them access Verkada’s independent back-end cloud platform. This, in turn, meant the intruder could peer into the video feeds of numerous Verkada camera systems deployed around the world—unbeknownst to those customers.
Users ignore this risk at their peril; it cannot go unmanaged.
Verkada is simply one high-profile case. These types of cloud-powered camera systems are used everywhere and have clear deployment, usability, and performance advantages. Do not lose sight of the fact that you inherently shoulder increased third-party risk when you bring service providers on your network, meaning you need to understand how you and the vendor will handle things like credentials and data storage.
Security Devices Should Never Gain Automatic Trust
As IoT-driven physical safety and surveillance devices expand in features and computing power, the most important principle is to never grant devices automatic or special privileges simply because of their security labeling.
If we look inside their code and hardware, these devices function much like video-conferencing systems, smart thermostats, building automation tools, and other nontraditional devices long known to need strong zero trust security policies. Zero trust means you account for every device on the network, do not extend access privileges simply because something has connected previously, and monitor device behavior so you can take action if something begins behaving strangely.
No technology is perfect and cyber risk management is all about risk tolerance, trade-offs, and mitigating what you can. This includes risks to people and property like fires and burglaries, as well as digital threats to employee data, priceless trade secrets, or corporate reputations. Buyers of connected physical surveillance systems must weigh these risks and ultimately use mitigations like network segmentation to demonstrate that while these devices can enhance needed physical protections, measures are in place to keep irreplaceable data out of the blast radius should cameras, gates, or motion sensors be employed in an attack.
Elisa Costante is vice president of research at Forescout Technologies, Inc. Follow her on Twitter: @ElisaCostante. Connect with her on LinkedIn.
