Cybersecurity threat in cctv surveillance

Over the past five years, we have witnessed the progression of digitalization in the surveillance industry and also seen the industry's rapid development. In these five years, we have seen how the smart surveillance industry has explored the dream of the Internet of Things and we are happy to see that the industry is at the forefront of developing, exploring and implementing IoT technology.

Without a doubt, the development of the smart surveillanceindustry must conform to digitalization, networking, and smart technology trends. However, cybersecurity is a completely new field for the surveillance industry and the openness of networks have interconnected security systems which were formerly independent and completely isolated, promoting data flow and sharing in ways that have drastically improved society. This has brought about even more innovative opportunities, enabled the Internet of Things industry to grow, and has pushed the development of civilization to new heights.

During the surveillance industry's transformation from “analog”, “isolated”, and “data acquisition”, to “digital”, “networked”, and “smart”, we have seen the benefits that the digital and networking revolution brings to the surveillance industry. However, we have also witnessed the slow spread of various types of malicious cybersecurity attacks from the Internet to the surveillance industry. Furthermore, since current security systems are based on “seamless” switching from original security systems, some of the industry's features may contain possible security defects when placed in a networked environment.

Cybersecurity is not just a problem for certain countries or companies. All stakeholders, governments, and companies must understand that cybersecurity is a problem that everyone in the world faces, and that meeting these challenges requires international cooperation, risk aversion methods, and use of cybersecurity best practices. With the sharp rise in “cyber-attacks in America”1, ransomware like “EternalBlue” and similar incidents, it is apparent that we have entered a new era in the fight against cybercrime. To effectively handle security issues, various stakeholders must form mechanisms of trust and cooperation.

Security Threats in the Internet of Things

Security threats in the Internet of Things can be categorized as perception-layer threats, network-layer threats, and application-layer threats.

Perception Layer
•Device theft or damage: Internet of Things assets that lack physical protection and are deployed in remote places are susceptible to theft and damage.

•Device tampering or counterfeiting: Outdoor terminals and distributed installations are easily accessed which means physical attack, tampering, and counterfeiting is possible.

•Attacks using known vulnerabilities: Examples of known vulnerabilities include expired OS or software, and unpatched vulnerabilities. The enormous number of IoT devices means there are challenges to the update and maintenance processes.

•Attack and authentication bypass mechanisms:Use of default or weak passwords in the Internet of Things environment.

•Theft of sensitive information:Sensitive information in plain text form is preset within the device and is easy to read and tamper with.

•Remote control devices:There are still test and debug ports in the firmware, making it vulnerable to remote access from attackers if the correct security protection measures are not taken.The debug port does not have restrictions on code execution which means that attackers can take complete control of the device via this port.

•Theft of private information:Private information leakage during the collection, transfer or processing of data on the Internet of Things.

Network Layer
Network penetration via wireless access: The defects of wireless protocols, such as the lack of effective authentication may lead to unauthorized access to private information.

•Attacking unencrypted network traffic: Unencrypted communication is prone to hijacking, repeating, tampering, and eavesdropping by an intermediary. During communication among devices, the cloud, andmobile terminals, attackers can access sensitive data if the control commands and collected data are not encrypted.

•Attacks and intrusion from the Internet:S ecurity issues faced by IP systems: attacks and intrusions from the Internet.

•Denial of service attack:DDoS attacks caused by viruses.

Application Layer
• Difficulties in managing the upgrade process and security of the various and scattered devices managed by the platform layer.

•Privacy and security risks caused by unauthorized access.

•Not updating and/or checking security configurations for an extended period of time.

After considering the many hidden security risks in Internet of Things hardware, software, and environment, and the complexities of computational capabilities, Hikvision has created its video-centric Internet of Things solution with an all new security framework in mind to establish a multidimensional security system that can ensure endpoint devices, data, applications, systems and network security, while also adhering to safety requirements.

Software, hardware, and cloud services are closely linked in Hikvision’s Internet of Things solution platform. They work together to provide the most secure and transparent experience for users. Many security features are enabled by default, and key security features, such as device activation and device encryption, cannot be modified to prevent users from accidentally disabling these functions.

Network and Information Security in the Surveillance Industry

The surveillance industry began as analog before moving to digital. During the analog era, surveillance systems operated in private networks, so the industry was focused on product cost, performance, and ease of use. The cybersecurity features of the systems at that time were not the main focus, but as the surveillance industry developed rapidly toward network connectivity, it moved directly from analog to digital, the industry's initial failure to contemplate cybersecurity issues led to the advantages of the original analog equipment, such as its strong usability, to deviate from the best information security practices for the digital era. In the past, surveillance industry vendors generally enabled default support for all protocols to make it more convenient for users to use devices from all manufacturers. They also enabled automatic protocol selection in the server. Although these settings make it much more convenient for the client, they do not follow information security best practices.

The surveillance industry has encountered cybersecurity issues in recent years because of the way the products and the industry developed. However, the existence of these issues does not mean the entire industry is as vulnerable as some might claim. Furthermore, the industry is now making a concerted effortto deal with potential security risks, and is implementing effective counter-measures.

Objectively speaking, cybersecurity issues are not issues specific to the surveillance industry, but are issues that society as a whole face. Looking at the overall field of IT, cybersecurity issues exist in all fields, and the following basic consensus exists:

• The Prevalence of Security Vulnerabilities
There is no such thing as an IT system or product with no security vulnerabilities. In fact, security vulnerabilities are very common. There are millions of lines of code in each product, and if only one parameter is incorrectly set, or if the positioning of two lines of code is incorrect, this may lead to a high-risk vulnerability in a system. Currently, automated or manual techniques cannot be used to detect all potential cybersecurity issues. Therefore, product security issues are common.

• Security is for the Entire System
The security of a system cannot be guaranteed by the security of a single point. The entire system must be secured. To ensure the security of video surveillance systems, the front-end, back-end, network, security devices and the platform system must work together and complement each other to form a system that provides defense in depth. A cybersecurity issue with any device in the link will be a vulnerability that could expose the entire system.

• Third-Party Open Source Software Security
A variety of third-party open source software is currently used in various types of systems. Such software is open, shared, and free, and is playing a growing role for software developers. Open source software is also a very important component in the software supply chain. But as companies enjoy the benefits of open source software, such products also carry huge security risks. In recent years, open source software has suffered frequent high risk vulnerabilities, for example Struts2, OpenSSL, etc. Many of these components are used in the lower layers of information systems and have a very broad scope of application. Vulnerabilities therefore exhibit critical security risks and have been detrimental to entire industries, not just specific products.

• Security is in Dynamic Balance
There is no such thing as “absolute” security. Security can only be relative. Offensive and defensive games are always zero-sum. Mechanisms and techniques that are considered secure today may be insecure tomorrow. Products that are considered “secure” today may be hacked tomorrow. This means that there is no final destination in security. Every product will have information security issues during its life cycle; the question is if and when these issues will be exploited.

• Products Security Management
The most important element in system security is security management. Even with systems that are more secure, if the user cannot manage or operate them properly then system security cannot be maintained. Currently, some security issues within the surveillance industry are mainly due to “inappropriate” usage by users and by ineffective security management. Many cybersecurity devices still have “weak” passwords and some security systems do not have firewalls or other security equipment installed. Users also need to develop good security habits, take regular note of security announcements from manufacturers, update to the latest firmware and install patches as soon as possible. Eventually, all Internet-connected devices need to support a patching process that informs users when a patch needs to be installed.

Commitment To Security

Value CCTV strives to use leading privacy and security technologies to protect customers’ personal information and to protect user data in comprehensive ways.Hikvision uses an integrated security infrastructure for its entire Internet of Things video surveillance ecosystem. Value CCTV also has a professional security team responsible for providing support on all surveillance products. This team provides security reviews and testing of released products and products in development. The security team also provides security training and actively monitors new security issues and threat reports.