CCTV kit - how secure?
In surveillance, cyber has consequences
Pictured: Public space CCTV, Harrogate
About Mike Gillespie
The MD of the information security consultancy Advent IM is a director of the Security Institute. He was a speaker at our ST17 conference in September in Glasgow; and last month spoke beside the Surveillance Camera Commissioner Tony Porter in London. Visit www.advent-im.co.uk.
Regular readers will have seen my previous articles on the growing proliferation of the use of CCTV in the UK, or, as it should now more accurately be called, Surveillance Camera Systems, writes our regular contributor Mike Gillespie.
If the vast numbers of vendors peddling their wares at the many physical security events across the UK this year are anything to go by, then this growth in the deployment of surveillance systems shows no sign of abating just yet. Also interesting to note was the ever-increasing sophistication and capability of the software used to control, manage and integrate these systems with other security and building management systems. Finally, vendors talking about cyber security were conspicuous by their absence.
Meaning IP
Sure, there were the odd rumbles of what amazing levels of encryption this device had or that DVR used; there were even some manufacturers claiming to now have secure communications between their command and control software and various devices; and numerous manufacturers were adopting the word ‘cyber’ when what they really meant was IP technology.
NOVEMBER 2017 PROFESSIONAL SECURITY
The UK is widely acknowledged as one of the leading deployers of surveillance cameras, and it is hard now to walk any major high street without being monitored on numerous systems, a point often made by campaigners and privacy advocates alike. If my years in physical and cyber-information security have taught me anything, it is that things do not stand still, that change is an inevitable part of life, and in security this is especially so, with new threats emerging all the time.
Mirai
Surveillance systems are increasing in number and technical complexity; this is expanding the threat potential, and sometimes the threat is not local: it comes from cyberspace. Cyber criminals and opportunists alike are continuing to exploit vulnerabilities that exist in these surveillance systems, vulnerabilities highlighted on numerous occasions over the last few years, vulnerabilities that last year enabled DVRs to be part of one of the biggest ever Distributed Denial of Service (DDoS) attacks when the Mirai botnet took down a host of social media, corporate and communication systems, and that this year enabled ransomware to effectively disable the surveillance capability in Washington DC in the run-up to the inauguration of President Trump.
Non-mainstream IT
DDoS and ransomware are just two of a growing number of examples of cyber attacks on non-mainstream IT systems, including surveillance systems. Surveillance systems may also offer a less challenging way into other, more secure networks, such as corporate networks, and indeed, the nature of connectivity these days means that a vulnerable surveillance system could even be inadvertently posing a threat to our wider supply chain partners.

So, why are these systems so attractive to attackers and why are attacks so successful? The simple answer: because these systems are not being designed and built to be secure. That’s right, our security systems are not secure by design, and in many cases come out of the box horribly insecure. Often, this is in part exacerbated by the complexity of the supply chain, with software and boards being bought in from a range of sources, without adequate quality management to ensure that they offer a degree of security. In some cases there is embedded firmware that is vulnerable to attack, with no viable means for the manufacturers to update it to a more secure version. In other cases there are hard-coded usernames and passwords, perhaps as simple as ‘admin’ and ‘password’, built into software, and these cannot be changed. And in far too many cases, in today’s convenient world of plug and play, they are being installed and configured by people who subsequently leave all of the components with their default settings, including easy-to-guess passwords. All of these are security basics; they are easily remedied, and in so doing we at least offer up some resistance against attack.
Guide
We can see, then, that getting cyber security in surveillance systems wrong could have disastrous consequences. This is why I leapt at the opportunity when the UK Surveillance Camera Commissioner asked me to lend my cyber security experience and understanding to the National Surveillance Camera Strategy working group and to lead on drafting a cyber guide for surveillance cameras. The work that has already been done on this strategy is so solid and well done that it is a great platform for us to build on and move forward. The change in how we use, manage and secure cameras needs careful guidance and a good framework. I welcome and support all of the work being done by Tony Porter and all of the ‘strand leads’ working to improve standards in this area. It takes us in the right direction and I encourage the security industry to get on board and adopt its recommendations. The bad guys are currently winning, and, through our lackadaisical approach to cyber, we continue to make ourselves, and everyone that our surveillance system connects to, easy targets. We need an understanding of cyber risk at every stage of our surveillance system lifespan: manufacture, specification, procurement, installation, lifecycle management and maintenance.
www.professionalsecurity.co.uk