The challenges of video surveillance cybersecurity highlight some of the many issues that plague the use of connected devices in physical security systems.
This entry in our BSIMM Monthly Insights series was contributed by guest author Mathieu Chevalier with Genetec.
From a cybersecurity perspective, the physical security industry has come a long way from where it started. In particular, the video surveillance industry offers an interesting perspective into the state of this field’s cybersecurity stance.
Historically, video surveillance systems were closed and used analog technology. This started to change in 2010 with the adoption of the H.264 codec and the introduction of the first megapixel cameras, which provided better video resolution for a similar cost.
In the following five years, the penetration of IP-based systems was quick, but most forms of cybersecurity were an afterthought. System owners relied on perimeter defense, which seemed like an appropriate way for physical security teams to avoid compromise. System installers typically had more of an analog background and were only just starting to get acquainted with digital security concepts, such as encryption and certificates.
This landscape shifted in 2015, when the mainstream media started reporting high-profile hacks, such as the Mirai botnet, in which thousands of IP cameras and DVRs were infected and used to attack DynDNS servers. In the aftermath, physical security customers as well as regular users started demanding that manufacturers improve their cybersecurity practices.
Today, cybersecurity awareness in the physical security industry is much higher but still far below what a cybersecurity professional coming from another high-tech industry would expect. There’s still an important maturity gap: some customers get it, whereas others think that perimeter defense is a good enough approach for securing a CCTV system.
When Genetec first introduced the ability to encrypt video data in transit and at rest in 2016, the physical security industry saw it as an important innovation for protecting confidentiality in physical security systems. However, only a small fraction of our customers actually use it. Most video surveillance manufacturers in the marketplace use their cybersecurity practices, features, and standards as a competitive advantage, but a high percentage of video surveillance installations used in production still struggle to implement basic IT best practices. As an example, a survey of our enterprise customer database shows that 23% use default passwords on their cameras, and only 30% update their cameras to the latest firmware.
Geopolitical issues have brought increasing focus to these issues in recent months, which is causing yet another shift in awareness. Huawei, through its chip-making subsidiary HiSilicon, is powering tens of millions of low-cost video surveillance devices used in the Western market. But as was recently reported in the news, after August 13, 2019, Huawei will be under a US federal purchasing ban over fears of the cybersecurity threats it poses to national security. This means that HiSilicon devices can’t be used by the US government or in US government-funded contracts. Moreover, Hikvision, the world’s largest manufacturer of video surveillance cameras, is singled out by this ban as well, which, in turn, has prompted customers to ask questions about the overall risk posture of their own physical security systems.
We expect this trend to continue in the future and for the cybersecurity maturity gap between this industry and other high-tech industries to continue to shrink as more external pressure is applied on the people managing physical security systems.