27-11draft

IS NOW
Combining thermal security cameras with video management systems.
www.flir.com
Untitled-20 1 18/02/16 10:18
cctv kit - how secure?:
In surveillance,
cyber has
consequences
58
Pictured: Public
space CCTV,
Harrogate
About Mike Gillespie
The MD of the
information security
consultancy Advent
IM is a director of the
Security Institute. He
was a speaker at our
ST17 conference in
September in Glasgow;
and last month spoke
beside the Surveillance
Camera Commissioner
Tony Porter in London.
Visit www.advent-im.
co.uk.
Regular readers will have seen my
previous articles on the growing
proliferation of the use of CCTV in
the UK, or, as it should now more
accurately be called, Surveillance
Camera Systems, writes our regular
contributor Mike Gillespie.
If the vast numbers of vendors
peddling their wares at the many
physical security events across
the UK this year is anything to go by,
then this growth in the deployment of
surveillance systems shows no sign
of abating just yet. Also interesting
to note was the ever increasing
sophistication and capability of the
software used to control, manage and
integrate these systems with other
security and building management
systems. Finally, vendors talking
about cyber security were
conspicuous by their absence.
Meaning IP
Sure, there were the odd rumbles of
what amazing levels of encryption
this device had or that DVR used,
there were even some manufacturers
claiming to now have secure
communications between their
command and control software
and various devices, and numerous
manufacturers were adopting the
word ‘cyber’ when what they were
really meaning was IP technology.
The UK is widely acknowledged
as one of the leading deployers of
NOVEMBER 2017 PROFESSIONAL SECURITY
surveillance cameras, and it is hard
now to walk any major high street
without being monitored on numerous
systems, a point often made by
campaigners and privacy advocates
alike. If my years in physical and
cyber-information security have
taught me anything, it is that things
do not stand still, that change is an
inevitable part of life, and in security
this is especially so, with new threats
emerging all the time.
Mirai
Surveillance systems are increasing
in number and technical complexity;
this is expanding the threat potential
and sometimes the threat is not local,
it comes from cyberspace. Cyber
criminals and opportunists alike are
continuing to exploit vulnerabilities
that exist in these surveillance
systems, vulnerabilities highlighted
on numerous occasions over the last
few years, vulnerabilities that last
year enabled DVRs to be part of
one of the biggest ever Distributed
Denial of Service (DDoS) attacks
when the Mirai botnet took down a
host of social media, corporate and
communication systems, and that
this year enabled ransomware to
effectively disable the surveillance
capability in Washington DC in
the run-up to the inauguration of
President Trump.
Non-mainstream IT
DDoS and ransomware are just two
of a growing number of examples
of cyber attacks on non-mainstream
IT systems including surveillance
systems. Surveillance systems may
also offer a less challenging way into
other, more secure networks, such
as corporate networks, and indeed,
the nature of connectivity these days
means that a vulnerable surveillance
system could even be inadvertently
offering threat to our wider supply
chain partners. So, why are these
systems so attractive to attackers and
why are attacks so successful? The
simple answer: because these systems
are not being designed and built to
be secure. That’s right, our security
systems are not secure by design, and
in many cases come out of the box
horribly insecure. Often, this is in
part exacerbated by the complexity of
the supply chain, with software and
boards being bought in from a range
of sources, without adequate quality
management to ensure that they
offer a degree of security. In some
cases there is embedded firmware
that is vulnerable to attack, with no
viable means for the manufacturers
to update it to a more secure version.
In other cases there are hard-coded
usernames and passwords, perhaps
as simple as ‘admin’ and ‘password’,
built into software and these cannot
be changed. And in far too many
cases, in today’s convenient world
of plug and play, they are being
installed and configured by people
who subsequently leave all of the
components with their default
settings, including easy to guess
passwords. All of these are security
basics, they are easily remedied and
in so doing we at least offer up some
resistance against attack.
Guide
We can see then, that getting cyber
security in surveillance systems
wrong, could have disastrous
consequences. This is why I leapt
at the opportunity when the UK
Surveillance Camera Commissioner
asked me to lend my cyber security
experience and understanding to
the National Surveillance Camera
Strategy working group and to lead on
drafting a cyber guide for surveillance
cameras. The work that has already
been done on this strategy is so solid
and well done it is a great platform
for us to build on and move forward.
The change in how we use, manage
and secure cameras needs careful
guidance and a good framework. I
welcome and support all of the work
being done by Tony Porter and all of
the ‘strand leads’ working to improve
standards in this area. It takes us in
the right direction and I encourage
the security industry to get on board
and adopt its recommendations. The
bad guys are currently winning, and,
through our lackadaisical approach to
cyber, we continue to make ourselves,
and everyone that our surveillance
system connects to, easy targets. We
need an understanding of cyber risk at
every stage of our surveillance system
lifespan; manufacture, specification,
procurement, installation, lifecycle
management and maintenance. p
www.professionalsecurity.co.uk
p58 Gillespie 27-11.indd 1 11/10/2017 12:06