Cyber Security For Video Surveillance Study 2016

By: IPVM Team, Published on Apr 27, 2016

This study provides the foundations for video surveillance professionals to understand the importance of cybersecurity, what is being done to enhance cybersecurity and what providers are viewed as the best and worst at cybersecurity.

100 integrators answered the following 5 open-ended questions on cyber security:

  • How important is cyber security in your customers' decision making process?
  • What type of customers are most concerned about cyber security? Why?
  • What steps do you take to ensure cyber security for your customers' video surveillance systems?
  • Which security manufacturers do you feel are strongest in terms of cyber security? What do they do that makes you feel this way?
  • Which security manufacturers do you feel are weakest in terms of cyber security? What do they do that makes you feel this way?

They provided detailed color commentary on each point, so you can understand their mindset and approach.

Summary

The key trends revealed in the study:

  • Overall, cyber security is not very important in customers' decision-making process.
  • The 4 segments showing the highest cybersecurity concern were government, banking, education and healthcare.
  • Steps taken to secure systems were generally basic. While various techniques were mentioned, changing default password was the most common.
  • Western video surveillance manufacturers were viewed as the strongest in cyber security.
  • Chinese manufacturers, and specifically Hikvision, were selected as the weakest in cyber security.

Full details, integrator explanations and our analysis are shared inside.

Low Importance

Most customers rank cyber security of low importance in their decision-making process. Nearly half of all responses indicated this.

Customer indifference was often noted as the reason for low priority:

  • "It is not important at all"
  • "My customers rarely express a concern over cybersecurity in their decision making process."
  • "Low but because most don't know the risks"
  • "A majority of the customers that we have interacted with don't really care about cyber security related to the surveillance systems."
  • "Customers are pleasantly ignorant of the issue, and when they are not the spectre of cost drives them back into the cave where the shadows show them what they prefer to see."

Several integrators indicated they actively try to make customers more aware of cyber security risks:

  • "We have yet to find clients worried about this yet, but we try our best to make a case for why it is crucial."
  • "Not sure most are thinking about this when they should be."
  • "It is often overlooked until brought to their attention."
  • "I'd say mostly unimportant. The only time they perceive a threat is when I point out vulnerabilities."
  • "At this time, most clients do not seem too worried still, but we are definitely bringing it up to their attention."

Government, Banking, Education, Healthcare - Most Cyber Security Aware

Large customers and those with regulatory requirements were most likely to have higher concerns around cyber security.

  • "Critical for mid to large size customers. IT resources view remote access to VMS solutions as points for potential breach. Some insist on AV and other lockdowns via Group Policy."
  • "Larger corporate, municipal or institutional clients are much more concerned"
  • "Clients who have been breached, clients with big business backgrounds & clients with something really important to lose whether that be valuable data or confidential data."
  • "Our big customers, they know the topic and they look at it, and it is very important."

Banks, government entities, schools and healthcare organizations commonly have an IT department that is responsible for network security. These organizations have high awareness of risk, as comments indicated.

  • "Education and IT companies as they see the risks more often"
  • "Medium to large businesses due to either contracted or on site IT management staff with an understanding of and instruction to keep networks safer."
  • "Government - most likely due to previous scandals"
  • "Banking, because they need maximum security"
  • "Financial sector, Law firms, Government. They are worried about hackers taking over their systems and spying on them using the video surveillance system, or using the video surveillance system as a backdoor to their network."
  • "Government and Banks are most concerned since they have valuable data in case the physical security network and data network were connected."
  • "Financial, medical, education. They have been breached and are getting FBI bulletins etc"
  • "The bulk of our client base is financial, so the concern is obvious and governed by law and documented policy. It is easier in those cases. Some of our manufacturing clients are just as concerned, but they have dedicated staff to work with us."

From the responses, smaller customers do not rank cyber security as a primary consideration the way larger organizations do. Smaller organizations are less likely to be direct targets, and a data breach is less likely to become headline news.

Methods For Securing Equipment Vary

Changing default passwords was the most common step taken to enhance cyber security.

About 10% of responses indicated VPNs were used to enhance security.

Dedicated or segregated networks were frequently listed:

  • "Segregated camera / device networks if at all possible (virtually or physically)"
  • "Separate network segments"
  • "We setup a separate physical network for the video system or use VLANs."
  • "We physically separate the video surveillance network from other networks (internet, corporate LAN etc.)"
  • "Keeping the video system on a separate network or secure VLAN if possible"

Encryption in various forms is also used, though not as consistently as might be expected:

  • "Use of Encryption (for remote connections, for wireless connectivity)."
  • "In high end systems, we use 256 bit SSL encryption between cameras and server."
  • "Typically through a VPN. Small business and residential customers who also have a DMP alarm system use the virtual keypad app from DMP; it uses a 2048RSA certificate and 256AES encryption for the VPN, this is, in my opinion, the most secure solution we offer."
  • "Proper encryption and passwords in place."
  • "Enable encryption (HTTPS, SSL) to communicate with cameras, encryption of video on hard drives, using certificates to confirm authenticity of devices, etc."
  • "Use strongest available encryption when using wireless gear."

Keeping software and firmware updated, and deploying anti-virus software were listed, but not as frequently as the above steps.

Penetration tests, or regular outside testing/verification, were not commonly mentioned.

Relying on the customer's IT department to take responsibility for cyber security was also referenced:

  • "We install equipment behind their security equipment. If they would like to add any other protection it is up to them."
  • "Our larger customers who have in-house IT personnel or contract third party IT companies set up remote access themselves."
  • "We also work closely with their IT departments to conform to their rules and configurations."
  • "Defer to their IT support"
  • "We leave it up to client's IT departments for the internal portion"
  • "We installed the system; the client has implemented security measures on the system servers."
  • "Very little if any - it's my customer's corporate security and IT department responsibility"

This approach would not work for a small customer who has no IT department, but in the case of larger organizations it may be wise to allow the customer to decide how their physical security devices are going to be remotely accessed, secured, or connected to other networks.

Manufacturers Listed As Most Secure

Camera manufacturers received a lot more votes than VMS companies in terms of perceived security.

Axis was by far the most cited, with nearly one third of responses:

  • "Axis. They offer the ability to configure 802.1x and set up HTTPs through the camera configuration pages and they address cybersecurity issues in some of their whitepapers and technical guides."
  • "Axis, they are a true network solution provider."
  • "Axis Communications. They're the only manufacturer we talk to who actually talks about cybersecurity"
  • "Axis and Exacq are aware of these problems and have specific development that is sensitive to this."
  • "Axis has had a cyber security focus for years with dedicated personnel. Their cyber hardening guide is pretty solid, though if you're not careful, they can still be compromised"
  • "The larger manufacturers, like AXIS, allow the integrators to implement any changes within their products, that we see fit. Other manufacturers, don't allow us to change their default users and related passwords."
  • "AXIS with up to 5 layers of security."
  • "Axis comes to mind as they don't have default passwords on their products, making you set one upon installation."

Axis also has a hardening guide that provides recommendations for enhancing security for Axis products.

A few integrators disagreed about Axis, with one noting the risk of adding third party apps to Axis cameras and another commenting:

"Axis - because of their Windows only .NET platform for software (Axis Media Control plugin), reliance on Java for plugins (VMD3, etc), reliance on Windows only for certain functionality of cameras (anything audio related, AMC) and 100% Windows-only VMS (not that we would use their VMS). Also, they allow short passwords and allow brute force hacking attempts with unlimited password guesses."

Avigilon:

  • "Avigilon's built-in mass password update, stupid simple firmware updates, and easily-visible status of encrypted/unencrypted control comms puts them high on my list as well."
  • "Avigilon they are applying multiple level of authentication, adopting encryption (between cameras & NVR, between clients & servers)"
  • "Avigilon - They do talk to some ONVIF devices, but their own cameras seem to have a better encryption between their software."

Bosch:

  • "Bosch - additional password and video transport security"
  • "Bosch cameras, multiple certificates for accessing securely."
  • "Bosch is using COA's in all their IP cameras with the option of a 3rd party COA that's used by the DOD and other agencies within the government that really takes it to the next level in terms of true cyber security at the edge."

Bosch also has a data security guide.

Genetec:

  • "We are using Genetec and Bosch mostly, they have advanced security features, stream encryption, for example. Probably because they provide Enterprise systems solutions for enterprise customers who have bigger requirements regarding IT security."
  • "Genetec is making large strides to implement encryption and is easily configured to control access."
  • "Genetec - They are more of an IT related company"

Genetec makes a hardening guide available in their partner portal.

Milestone:

  • "Milestone is pretty good - they have some interaction required to change devices etc."
  • "Milestone - They keep up with Windows updates and seem to write to the latest camera software. Avigilon - They do talk to some ONVIF devices, but their own cameras seem to have a better encryption between their software."
  • "Milestone, Axis, Brivo - They all have taken a good hard look at their own technology and products, vulnerabilities, written white papers on best practices and put their products through audits."

China / Hikvision As Least Secure

For the least secure products, Hikvision was the most frequently mentioned brand, Dahua came up repeatedly, and several other respondents described "Chinese cameras" as insecure overall.

  • "Hikvision - only because of what has been reported."
  • "Hikvision, we faced many security problems during the implementation of their VMS. Easy to be hacked."
  • "Hikvision, I heard rumors about Chinese government spying on customers via Hikvision DVRs and cameras."
  • "Hikvision has a bad reputation, again and again"
  • "Hikvision and any cheap manufacturers. They either don't care or don't have the resources to ensure their systems are secure."
  • "Hikvision - Backdoor recently discovered and Chinese government involvement with the company."
  • "Hikvision. They changed their login to make you change the default usernames and passwords with their updated firmware versions but I still don't entirely trust the security of the products."
  • "Most brands we have used have some sort of flaws, but Dahua is by far the worst. Hikvision, Samsung/Hanwha/Techwin, and others have also had security issues too. Specifically, Dahua still allows ONVIF access using default creds and this cannot be disabled. Hikvision has had many known flaws, most of which have been fixed. Samsung Wisenet cameras were shipped with a bug that once logged into the web interface of the camera, that browser maintained an authenticated session that could not be logged out of. You were forced to clear all browser data in order to log out."
  • "Hikvision, it seems like they are trying to cover something up. I no longer trust them. Love their cameras but don't trust them. We're looking for a new recording solution."
  • "Hikvision. Though they made some improvements after being thoroughly pwned, they only did so in response to outside pressure. There needs to be a culture of security as a primary concern--not an afterthought."
  • "Hikvision has a division of the communist party inside their offices."
  • "Dahua. They have their back door passwords that are easy to find on the internet so no matter how well you protect the system with a good password or HTTPS, anyone that has IP access to the camera can get in."
  • "Off brand Chinese cameras are the worst... I've scanned some that have had open ports which were not even listed as a service in the firmware."

Hikvision does have a Security Center page on their website, with a link to report issues and a cyber security best practices video.
