Cyber Security in Surveillance Networks
In most cases, video surveillance systems have the task of increasing the physical security of an object. This presupposes that the system itself is protected against real and virtual risks. In practice, however, it can often be observed that the protection of video surveillance networks is not approached systematically or is not carried out carefully enough. There is no switch that you can simply flip for system security. Rather, it depends on many different parameters that must be set up in a well-coordinated manner.
What aspects and mechanisms influence the security of a video surveillance system? After clarifying this question, it is important to consider and define the influencing factors both individually and in their interaction with one another. An abstracted video network can be divided into the two components “Technology” and “Organization,” which are firmly connected to each other. The coupling takes place via the people involved and via existing processes. The “Technology” factor includes network and port security, the products used and their properties and possibilities. The “Organization” component includes aspects such as customer requirements, planning, technical execution, documentation, training and operational security. Increasing network security requires a holistic approach that combines different measures.
Security at the network level
The technical equipment of a video network offers many possibilities to increase its security. How far these are used depends not least on the chosen products and the expertise of the planners and installers. They must always keep up to date through regular training courses, as the technologies used are constantly changing.
The term “network security” describes the secure communication between the existing network devices. These are usually IP Switches with a management function. In addition, the communication between the end devices such as network cameras or video servers is also considered. An attacker who wants to carry out the most efficient and effective attack on the network will try to start at this level, as this allows him to disrupt or spy on the entire network. Effective protection against such an attack is provided, for example, by communication in a separate VLAN. This also has the advantage that the access options for pure video users and those for network administrators can be differentiated. In addition, it is possible to protect the communication within the network or the network management with certificates and encryption.
Port security protects the network
In addition to network security, it is also important to pay attention to port security at the technical level. The ports of an IP Switch represent the doorways on the communication paths. At these physical points, traffic can be monitored and filtered, for example, according to which data packets are allowed to pass at all. The content of the packet can be checked by considering the protocol. Also, the sender and receiver must be known and authorized participants in the network. Deviations in these parameters indicate a defect or an attack on the port. Built-in mechanisms ensure that in the event of manipulation, network traffic is restricted at this point or even interrupted by shutdown. Specifically, this can be controlled by creating access control lists. However, further port security functions and the isolation of applications or devices can also minimize possible attack risks at the port level. High-quality IP Switches create and manage these functions themselves in some cases, but the corresponding parameterization of the devices requires clear specifications during planning as well as good specialist and product knowledge of the installer.
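The per-port decision described above, as an added example that is not part of the original article and does not reproduce any switch vendor's implementation: a small vendor-neutral model that checks the sender against the port's authorized devices, checks the flow against an access control list, and shuts the port down on an unknown sender. The MAC addresses, IP addresses and the RTSP-only rule are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class PortPolicy:
    allowed_macs: frozenset   # authorized senders on this port
    acl: frozenset            # permitted (dst_ip, protocol, dst_port) tuples

@dataclass
class Port:
    policy: PortPolicy
    enabled: bool = True
    events: list = field(default_factory=list)   # audit trail for the operator

def handle_frame(port: Port, frame: dict) -> str:
    """Return 'forward', 'filtered', 'shutdown' or 'port-down' for one frame."""
    if not port.enabled:
        return "port-down"                       # stays down until an admin re-enables it
    if frame["src_mac"].lower() not in port.policy.allowed_macs:
        port.enabled = False                     # unknown sender: treat as manipulation
        port.events.append(("unknown-sender", frame["src_mac"]))
        return "shutdown"
    flow = (frame["dst_ip"], frame["proto"], frame["dst_port"])
    if flow not in port.policy.acl:
        port.events.append(("acl-deny", flow))   # known device, unexpected traffic
        return "filtered"
    return "forward"

# Constructed sample data: one camera that may only stream RTSP to the video server.
CAMERA_MAC = "00:11:22:33:44:55"
VIDEO_SERVER = "10.20.0.10"

def demo() -> list:
    port = Port(PortPolicy(frozenset({CAMERA_MAC}),
                           frozenset({(VIDEO_SERVER, "tcp", 554)})))
    frames = [
        # expected camera stream
        {"src_mac": CAMERA_MAC, "dst_ip": VIDEO_SERVER, "proto": "tcp", "dst_port": 554},
        # known camera, but a destination and service the ACL does not list
        {"src_mac": CAMERA_MAC, "dst_ip": "10.20.0.1", "proto": "tcp", "dst_port": 22},
        # different device plugged into the camera's port
        {"src_mac": "66:77:88:99:aa:bb", "dst_ip": VIDEO_SERVER, "proto": "tcp", "dst_port": 554},
        # camera reconnected, port is still administratively down
        {"src_mac": CAMERA_MAC, "dst_ip": VIDEO_SERVER, "proto": "tcp", "dst_port": 554},
    ]
    return [handle_frame(port, f) for f in frames]

if __name__ == "__main__":
    print(demo())
```

Because the sender check relies on an address the device itself reports, the ACL stage still limits what a port can reach even when the first check passes.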
Consider organizational factors
In general, the structures of video networks are less dynamic than office networks. Nevertheless, a regular review of the organization and the effectiveness of the functions used is recommended. Organizational aspects are more complex and, in some cases, more abstract compared to the technical factors. These aspects are also more frequently neglected. The best technology is useless if it is unclear what goals are to be achieved with the technical possibilities. An IP Switch with sophisticated security functions cannot contribute to network security if access to the Switch is left in the delivery state and no new password is assigned. Physical security does not begin in the server room. We sometimes find absurd conditions in systems. In one example, each camera was clearly labeled with the IP and MAC address from the outside. In another case, some cameras at publicly accessible locations were connected to conventional network sockets. Such conditions make it easy for attackers to unplug the existing camera and connect their own PC.
Planning in focus
A central goal of planning should be to define the requirement for a video network with regard to the security of the object to be monitored. It must therefore be clear what is to be achieved with the video network. Only when this statement is concrete and measurable can the installer design his approach and his decisions in a targeted manner. In addition to the technical definition of devices and functions, the planner must also specify the processes for installation, acceptance, administration and documentation. For example, he will define what requirements are placed on the creation and management of access data. The times when a technician spontaneously assigns a password while setting up a Switch and notes it down somewhere should be over. Rather, he should precisely define the form of the password during planning and determine where and how the password is documented, who has access to it and what happens when an employee leaves the company. At the same time, the regulations must not be too complicated or restrictive, so that the employees involved can be brought on board.
Make standardized processes comprehensible
In addition to the specifications for handling passwords, it is important that the processes for defining, setting up and checking the technical aspects of a network are clear and standardized. An installer should be able to handle such processes and apply them as uniformly as possible to all systems. This includes the definition of IP addresses in the network, the classification of VLANs or the procedure for expanding an existing system with additional cameras – always taking into account customer requirements. Here too, the aim is not to generate complicated process descriptions, but to define instructions and rules that are as simple and flexible as possible, which are understood and mastered by all those involved.
Documentation for network analysis
In order to regularly check the functions of a video surveillance system and to be able to guarantee fast, effective support, meaningful and transparent documentation of the system is essential. For this, it is necessary to consider during planning what should be documented in what form. The network Switches can also be a help here. Devices that provide evaluations, diagnosis of data streams and diagrams make it easier for the operator to monitor and analyze a running network. The corresponding performance characteristics of a Switch in interaction with the expertise of the installer significantly support IT security. However, a secure network has many aspects that must be considered holistically. A helpful step towards effective security is to bring all those involved to a good and equal level of knowledge through training courses.