Cyber Security For Video Surveillance Study 2016

This study provides the foundations for video surveillance professionals to understand the importance of cybersecurity, what is being done to enhance cybersecurity and what providers are viewed as the best and worst at cybersecurity.

100 integrators answered the following 5 open-ended questions on cyber security:

• How important is cyber security in your customers' decision making process?
• What type of customers are most concerned about cyber security? Why?
• What steps do you take to ensure cyber security for your customers video surveillance systems?
• Which security manufacturers do you feel are strongest in terms of cyber security? What do they do that makes you feel this way?
• Which security manufacturers do you feel are weakest in terms of cyber security? What do they do that makes you feel this way?

They provided detailed color commentary on each point, so you can understand their mindset and approach.

Summary

The key trends revealed in the study:

• Overall, cyber security is not very important for customer's decision making process.
• The 4 segments showing highest cybersecurity concern were government, banking, education and healthcare
• Steps taken to secure systems were generally basic. While various techniques were mentioned, changing default password was the most common.
• Western video surveillance manufacturers were viewed as the strongest in cyber security.
• Chinese, and specifically Hikvision, was selected as the weakest in cyber security.

Full details, integrator explanations and our analysis is shared inside.

Low Importance

Most customers rank cyber security of low importance in their decision making process. Nearly half of all responses indicated this:

Customer indifference was often noted as the reason for low priority:

• "It is not important at all"
• "My customers rarely express a concern over cybersecurity in their decision making process."
• "Low but because most don't know the risks"
• "A majority of the customers that we have interacted with don't really care about cyber security related to the surveillance systems."
• "Customer are pleasantly ignorant of the issue, and when they are not the spectre of cost drives them back into the cave where the shadows show them what they prefer to see."

Several integrators indicated they actively try to make customers more aware of cyber security risks:

• "We have yet to find clients worried about this yet, but we try our best to make a case for why it is crucial."
• "Not sure most are thinking about this when they should be."
• "It is often overlooked until brought to their attention."
• "I'd say mostly unimportant. The only time they perceive a threat is when I point out vulnerabilities."
• "At this time, most client do not seem too worried still, but we are definitely bringing it up to their attention."

Government, Banking, Education, Healthcare - Most Cyber Security Aware

Large customers and those with regulatory requirements were most likely to have higher concerns around cyber security.

• "Critical for mid to large size customers. IT resources view remote access to VMS solutions as points for potential breach. Some insist on AV and other lockdowns via Group Policy."
• "Larger corporate, municipal or institutional clients are much more concerned"
• "Clients who have been breached, clients with big business backgrounds & clients with something really important to lose whether that be valuable data or confidential data."
• "Our big customers, they know the Topic and they look at it and is very important."

Banks, government entities, schools and healthcare organizations commonly have an IT department that is responsible for network security. These organizations have high awareness of risk, as comments indicated.

• "Education and IT companies as they see the risks more often"
• "Medium to large businesses due to either contracted or on site IT management staff with an understanding of and instruction to keep networks safer."
• "Government - most likely due to previous scandals"
• "Banking, because they need maximum security"
• "Financial sector, Law firms, Government. They are worried about hackers taking over their systems and spying on them using the video surveillance system, or using the video surveillance system as a backdoor to their network."
• "Government and Banks are most concerned since they have valuable data in case the physical security network and data network were connected."
• "Financial, medical, education. They have been breached and are getting FBI bulletins etc"
• "The bulk of our client base is financial, so the concern is obvious and governed by law and documented policy. It is easier in those cases. Some of our manufacturing clients are just as concerned, but they have dedicated staff to work with us."

From the responses, smaller customers do not rank cyber security as a primary consideration the way larger organizations do. Smaller organizations are less likely to be direct targets, and a data breach is less likely to become headline news.

Methods For Securing Equipment Vary

Changing default passwords was the most common step taken to enhance cyber security.

About 10% of responses indicated VPNs were used to enhance security.

Dedicated or segregated networks were frequently listed:

• "Segregated camera / device networks if at all possible (virtually or physically)"
• "Separate network segments"
• "We setup a separate physical network for the video system or use VLANs."
• "We physically separate the video surveillance network from other networks (internet, corporate LAN etc.)"
• "Keeping the video system on a separate network or secure VLAN if possible"

Encryption in various forms is also used, though not as consistently as might be expected:

• "Use of Encryption (for remote connections, for wireless connectivity."
• "In high end systems, we use 256 bit SSL encryption between camera's and server."
• "Typically through a VPN. Small business and residential customers who also have a DMP alarm system use the virtual keypad app from DMP; it uses a 2048RSA certificate and 256AES encryption for the VPN, this is, in my opinion, the most secure solution we offer."
• "Proper encryption and passwords in place."
• "enable encryption(HTTPS, SSL) to communicate with cameras, encryption of video on hard drives, using certificates to confirm authenticity of devices, etc."
• "Use strongest available encryption when using wireless gear."

Keeping software and firmware updated, and deploying anti-virus software were listed, but not as frequently as the above steps.

Penetration tests, or regular outside testing/verification was not commonly mentioned.

Relying on the customers IT department to take responsibility for cyber security was also referenced:

• "We install equipment behind their security equipment. If they would like to add any other protection it is up to them."
• "Our larger customers who have in-house IT personnel or contract third party IT companies set up remote access themselves."
• "We also work closely with their IT departments to conform to their rules and configurations."
• "Defer to their IT support"
• "We leave it up to client's IT departments for the internal portion"
• "We installed the system the client has implemented security measures on the system servers."
• "Very little if any - it's my customer's corporate security and IT department responsibility"

This approach would not work for a small customer who has no IT department, but in the case of larger organizations it may be wise to allow the customer to decide how their physical security devices are going to be remotely accessed, secured, or connected to other networks.

Manufacturers Listed As Most Secure

Camera manufacturers received a lot more votes than VMS companies in terms of perceived security.

Axis was by far the most cited, with nearly one third of responses:

• "Axis. They offer the ability to configure 802.1x and set up HTTPs through the camera configuration pages and they address cybersecurity issues in some of their whitepapers and technical guides."
• "Axis, they are a true network solution provider."
• "Axis Communications. They're the only manufacturer we talk to who actually talks about cybersecurity"
• "Axis and Exacq are aware of these problems and have specific development that is sensitive to this."
• "Axis has had a cyber security focus for years with dedicated personnel. Their cyber hardening guide is pretty solid, though if you're not careful, they can still be compromised"
• "The larger manufacturers, like AXIS, allow the integrators to implement any changes within their products, that we see fit. Other manufacturers, don't allow us to change their default users and related passwords."
• "AXIS with up to 5 layers of security."
• "Axis comes to mind as they don't have default passwords on their products, making you set one upon installation."

Axis also has a hardening guide that provides recommendations for enhancing security for Axis products.

A few integrators disagreed about Axis, with one noting the risk of adding third party apps to Axis cameras and another commenting:

"Axis - because of their Windows only .NET platform for software (Axis Media Control plugin), reliance on Java for plugins (VMD3, etc), reliance on Windows only for certain functionality of cameras (anything audio related, AMC) and 100% Windows-only VMS (not that we would use their VMS). Also, they allow short passwords and allow brute force hacking attempts with unlimited password guesses."

Avigilon:

• "Avigilon's built-in mass password update, stupid simple firmware updates, and easily-visible status of encrypted/unencrypted control comms puts them high on my list as well."
• "Avigilon they are applying multiple level of authentication, adopting encryption (between cameras & NVR, between clients & servers)"
• "Avigilon - They do talk to some ONVIF devices, but their own cameras seem to have a better encryption between their software."

Bosch:

• "Bosch - additional password and video transport security"
• "Bosch cameras, multiple certificates for accessing securely."
• "Bosch is using COA's in all their IP cameras with the option of a 3rd party COA that's used by the DOD and other agencies within the government that really takes it to the next level in terms of true cyber security at the edge."

Bosch also has a data security guide.

Genetec:

• "We are using Genetec and Bosch mostly, they have advanced security features, stream encryption, for example. Probably because they provide Enterprise systems solutions for enterprise customers who have bigger requirements regarding IT security."
• "Genetec is making large strides to implement encryption and is easily configured to control access."
• "Genetec - They are more of an IT related company"

Genetec makes a hardening guide available in their partner portal

Milestone:

• "Milestone is pretty good - they have some interaction required to change devices etc."
• "Milestone - They keep up with windows updates and seem to write to the latest camera software. Avigilon - They do talk to some ONVIF devices, but their own cameras seem to have a better encryption between their software."
• "Milestone, Axis, Brivo - They all have take a good hard look at their own technology and products, vulnerabilities, written white papers on best practices and put their products through audits."

China / Hikvision As Least Secure

For the least secure products, Hikvision was the predominantly mentioned brand, Dahua came up repeatedly, and several others mentioned "Chinese cameras" as insecure overall.

• "Hikvision - only because of what has been reported."
• "Hikvision, we faced many security problems during the implementation of their VMS. easy to be hacked."
• "Hikvision, I heard rumors about Chinese government spying on customers via Hikvision DVRs and camera's."
• "Hikvision has a bad reputation, again and again"
• "Hikvision and any cheap manufacturers. They either don't care or don't have the resources to insure their systems are secure."
• "Hikvision - Backdoor recently discovered and Chinese government involvement with the company."
• "Hikvision. They changed their login to make you change the default usernames and passwords with their updated firmware versions but I still don't entirely trust the security of the products."
• "Most brands we have used have some sort of flaws, but Dahua is by far the worst. Hikvision, Samsung/Hanwha/Techwin, and others have also had security issues too. Specifically, Dahua still allows ONVIF access using default creds and this cannot be disabled. Hikvision has had many known flaws, most of which have been fixed. Samsung Wisenet cameras were shipped with a bug that once logged into the web interface of the camera, that browser maintained an authenticated session that could not be logged out of. You were forced to clear all browser data in order to log out."
• "Hikvision, it seems like they are trying to cover something up. I no longer trust them. Love their cameras but don't trust them. We're looking for a new recording solution."
• "Hikvision. Though they made some improvements after being thoroughly pwned, they only did so in response to outside pressure. There needs to be a culture of security as a primary concern--not an afterthought."
• "Hikvision has a division of the communist party inside their offices."
• "Dahua. They have their back door passwords that are easy to find on the internet so no matter how well you protect the system with a good password or HTTPS, anyone that has IP access to the camera can get in."
• "Off brand Chinese cameras are the worst... I've scanned some that have had open ports which were not even listed as a service in the firmware."

Hikvision does have a Security Center page on their website, with a link to report issues and a cyber security best practices video.