Protecting Your Building CCTV from Hackers
"You have been hacked" are the four words no manager wants to hear in today's technological world.
Andy Grove, who served as chief executive of Intel Corporation, is famous for having asserted that "only the paranoid survive." As video surveillance technology evolves, it is incumbent upon executives and IT managers to know that failure to be vigilant and willing to adapt can be fatal. Duly tasked with securing against hackers and outside threats, IT professionals have good reason to be asking questions about vulnerabilities of any system within their building. This includes CCTV systems, especially if interconnected to the company networks or the internet.
Hackers never relent. What can organizations do to protect themselves? Let's first look at what can happen and then examine countermeasures.
Sometimes the CCTV system is the direct target of bad actors. Disabling security cameras might be the prime objective. At other times there could be footage that perpetrators want to erase. But in other cases, CCTV cameras are being probed and exploited as the path to other pursuits, such as accessing private employee or HR data, pilfering customer information or credit cards, or stealing corporate secrets and intellectual property. Lastly, the goal may be to infiltrate the organization by planting malware.
When possible, all cameras should be connected to a separate and dedicated network switch. What if network switches or other equipment are being shared? In that case, a VLAN should be created for all camera equipment to prevent unauthorized access and to keep every camera from accessing the internet. Additionally, consider keeping your NVR off the internet. There are tradeoffs here. Full isolation reduces accessibility for those who need to use their surveillance system remotely. Instead, it forces users to be "on-prem" to review events. Total isolation also makes it impossible to modify the system software without physically being on-site.
It is true that a completely isolated CCTV system with no internet or internal network connections greatly reduces vulnerabilities. Still, it handcuffs those who need a way to access the video surveillance system from offsite.
Asking the right questions early and implementing access control procedures while communicating these to stakeholders and service companies is imperative to keeping your organization protected and safe.
Choose the right system in the first place: use only NDAA (National Defense Authorization Act) compliant cameras, and specify NVRs with dual network cards as your standard.
Organizations should institute best IT practices and have strong firewalls in place. This will slow down bad actors across all platforms. Deliberate and cogent password management must be implemented throughout the departments, with education, enforcement, and penetration testing methods to verify success.
But what about IT concerns relative to camera systems? There are "best IT practices" related to CCTV specifically. Network credentials are required to be on the network, but how about requiring a second (different) set of credentials to access the CCTV portal login?
Using port-forwarding to allow outside connections requires SSL certificates issued by a trusted third-party certificate authority. When ports must be opened through the firewall, avoid the most common port numbers where possible. When possible, restrict inbound traffic from all public IPs that are not specifically white-listed. Practice effective password management as it relates to cameras and NVRs.
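An added example (not from the original article) that audits a constructed camera inventory and firewall rule set against the VLAN and internet-isolation advice earlier and the port-forwarding advice in this paragraph. The subnet, device names, rule format, the COMMON_PORTS list and the ca_cert flag are all assumptions made for illustration.

```python
import ipaddress

# All values below are constructed for illustration (assumptions, not from the article).
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")       # assumed camera VLAN subnet
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_PORTS = {21, 22, 23, 80, 443, 554, 8000, 8080}     # assumed "most common" ports

CAMERAS = {"lobby-cam": "10.20.30.11", "dock-cam": "192.168.1.57"}
FORWARDS = [  # inbound port-forwards to the NVR
    {"port": 443, "sources": ["0.0.0.0/0"], "ca_cert": True},
    {"port": 47211, "sources": ["203.0.113.8/32"], "ca_cert": True},
    {"port": 47212, "sources": ["198.51.100.0/24"], "ca_cert": False},
]
EGRESS = [  # outbound rules, each evaluated on its own
    {"src": "10.20.30.0/24", "dst": "10.20.40.5/32", "action": "allow"},  # cameras -> NVR
    {"src": "10.20.30.0/24", "dst": "0.0.0.0/0", "action": "allow"},      # cameras -> anywhere
]

def audit(cameras, forwards, egress):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, ip in cameras.items():
        if ipaddress.ip_address(ip) not in CAMERA_VLAN:
            findings.append(f"{name}: {ip} is outside camera VLAN {CAMERA_VLAN}")
    for rule in forwards:
        nets = [ipaddress.ip_network(s) for s in rule["sources"]]
        if any(n.prefixlen == 0 for n in nets):  # a /0 source means no allowlist at all
            findings.append(f"forward {rule['port']}: open to all public IPs")
        if rule["port"] in COMMON_PORTS:
            findings.append(f"forward {rule['port']}: common port number")
        if not rule["ca_cert"]:
            findings.append(f"forward {rule['port']}: no CA-issued certificate")
    for rule in egress:
        src, dst = ipaddress.ip_network(rule["src"]), ipaddress.ip_network(rule["dst"])
        internal_only = any(dst.subnet_of(n) for n in INTERNAL)
        if rule["action"] == "allow" and src.overlaps(CAMERA_VLAN) and not internal_only:
            findings.append(f"egress {src} -> {dst}: camera VLAN can reach the internet")
    return findings

if __name__ == "__main__":
    for finding in audit(CAMERAS, FORWARDS, EGRESS):
        print("FINDING:", finding)
```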
For NVRs, use strong passwords, anti-virus, and firewall protection. Protect equipment physically by locking up the NVR. Use electronic access control to allow access for those who need to be near the head-end equipment. Consider placing a micro-SD card-type camera in a location where the recorder is housed.
Employees or service personnel should only be configuring systems via laptops protected by a robust RMM solution (Remote Monitoring And Management), complete with anti-virus and malware protection.
Can someone unplug the camera in the field, and do you have alerts for this? Can someone remove the camera and plug into that network connection? If it is encrypted out to the endpoint, it cannot be used to hack in or make changes.
Find the right people and train them well. Be intentional about explaining system capabilities, risks, phishing methods, and best practices with video surveillance. Consider background checks for employees. Keep the staff fully informed and accountable. Then test "the system" with penetration testing, which will detect weaknesses in your system or the people using it.
Partner with a competent service organization that can manage your system and growth. A system that is created seemingly without vulnerability will eventually become vulnerable to changes outside that recorder: changes in technology, operating systems, and things beyond the manufacturer's control. Software support agreements allow for time to design remedies for these future vulnerabilities.
If a hacker is determined to succeed in hacking an organization, you can assume they will find an opening. But you don't want that opening to be your CCTV system, and there are myriad ways to guard against that. Be proactive and adopt a near "paranoia" for the best chance of success in securing your camera system and the other assets in your facility.