The bad guys aren’t supposed to be able to hack a video surveillance system, period.
Recent headlines about a casino scam in Melbourne brought the consequences of an insecure security system front and center as scammers allegedly walked off with $32 million after using the casino’s surveillance system to cheat at cards.
While we may never know the technical specifics of this case (and we probably shouldn’t), I would like to make a few design and operational suggestions that can significantly reduce the likelihood of this happening in your back yard.
From a technical standpoint, we generally set up two separate networks for IP-based systems: a camera network and a workstation network. We like these to be physically separate networks rather than separate VLAN segments on the same switch, to minimize the risk of a hacker circumventing the switch's VLAN separation.
All servers (NVRs) have two network cards and talk to both networks, but the servers and the cameras are the only equipment on the camera LAN. Any outside communication to the security system is done through the workstation LAN. This makes network security easier, as all camera access has to be done through the video management software, which can be as robust as you choose.
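The two-network design above only holds if the NVR itself refuses to bridge the LANs and exposes nothing on the workstation side except the video management software. The following is an added example, not code from the article or from any NVR vendor: a small host-firewall policy model for a dual-NIC NVR, with a matching nftables ruleset generated from the same constants. Interface names (`eth0`, `eth1`), subnets and port numbers are constructed placeholders; the VMS ports in particular are hypothetical.

```python
"""Host firewall model for a dual-NIC NVR (added example, not from the article).

Assumed layout: eth0 faces the workstation LAN, eth1 faces the camera LAN.
Cameras never initiate connections; workstations reach the NVR only on the
video management software (VMS) ports; the NVR never routes between LANs.
All interface names, subnets and ports below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

WS_IF = "eth0"                                      # workstation LAN side (assumed)
CAM_IF = "eth1"                                     # camera LAN side (assumed)
WS_NET = ipaddress.ip_network("192.168.50.0/24")    # constructed
CAM_NET = ipaddress.ip_network("10.10.0.0/24")      # constructed
VMS_PORTS = frozenset({7563, 443})  # hypothetical VMS client/management ports
CAM_PORTS = frozenset({554, 80})    # RTSP streaming and camera HTTP API


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the NVR's host firewall sees it."""
    in_if: Optional[str]       # arriving interface, None if generated by the NVR
    out_if: Optional[str]      # leaving interface, None if destined to the NVR
    src: str
    dst: str
    dport: int
    established: bool = False  # reply traffic on an already accepted connection


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a flow under the dual-NIC policy."""
    # 1. Never act as a router between the two LANs: this is the internal
    #    routing risk that comes with putting two NICs in one server.
    if flow.in_if is not None and flow.out_if is not None:
        return "drop"
    # 2. Replies on connections we already accepted are fine.
    if flow.established:
        return "accept"
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # 3. Inbound: only workstation-LAN hosts, and only to the VMS ports,
    #    so every camera view goes through the VMS and its access controls.
    if flow.in_if == WS_IF:
        return "accept" if src in WS_NET and flow.dport in VMS_PORTS else "drop"
    if flow.in_if == CAM_IF:
        return "drop"   # cameras are polled by the NVR, never the reverse
    # 4. Outbound: the NVR only opens connections toward cameras.
    if flow.out_if == CAM_IF:
        return "accept" if dst in CAM_NET and flow.dport in CAM_PORTS else "drop"
    return "drop"


def render_nftables() -> str:
    """Emit an nftables ruleset that mirrors decide(), plus the sysctl that
    disables IP forwarding so the kernel cannot route between the NICs."""
    vms = ", ".join(str(p) for p in sorted(VMS_PORTS))
    cam = ", ".join(str(p) for p in sorted(CAM_PORTS))
    return f"""# /etc/sysctl.d/99-nvr.conf:  net.ipv4.ip_forward = 0
table inet nvr {{
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "{WS_IF}" ip saddr {WS_NET} tcp dport {{ {vms} }} accept
  }}
  chain forward {{
    type filter hook forward priority 0; policy drop;
  }}
  chain output {{
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oifname "lo" accept
    oifname "{CAM_IF}" ip daddr {CAM_NET} tcp dport {{ {cam} }} accept
  }}
}}
"""


if __name__ == "__main__":
    print(render_nftables())
```

The `forward` chain with `policy drop` and `ip_forward = 0` are the two settings that make a dual-NIC server behave as an endpoint on both LANs rather than a router between them; a real deployment would add whatever the NVR itself needs on the workstation side (NTP, updates, directory authentication) to the `output` chain rather than loosening its default.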
Limited access
We also like to limit outside access to proprietary clients rather than to a web-based interface, wherever possible. This adds an extra layer of security beyond the login and password, as your hacker would need the specific software to access your cameras, not just a browser.
This won’t help in the case of a targeted hack, but it will help keep out the casual “joyrider” who, by most estimates, is responsible for the majority of intrusions.
If full-time remote access is not required, you can combine a technical layer with an operational layer. In gaming systems we have designed, there is occasionally a need for remote access to the system by the installing integrator for troubleshooting, upgrades, and maintenance.
In those cases, you can make the Internet link patchable, with a short RJ45-to-RJ45 patch cable. It is ordinarily left disconnected, and a call to the command center is required to initiate access.
Once credential information is exchanged, the cable is connected, the work is done, another call is made, and the link is broken. This limits the window of opportunity for hacking and provides a physical record of who accessed the system as well as when.
Threats to system reliability
The need to properly set up passwords, permissions, and the proper levels of security goes without saying — there are simply too many times where the software and hardware security features don’t even need to be hacked, as they were never set up properly. This pays off in greater system reliability as well, in an unexpected way.
We have found that the greatest threat to system reliability isn’t always from the outside; it’s from the late-shift security guard manning the command center who fancies himself an expert on computers. With eight hours of quiet time and no one looking over his shoulder, we’ve seen complex system servers turned into bricks as settings were changed and recording came to a grinding halt.
Don’t ignore the social engineering aspect of these systems, either.
I was recently performing a system evaluation for a new client and wanted to look into the server settings. Knowing the integrator that had installed the system used the same password on all its projects, I walked up to the server control keyboard and monitor, and entered the password. Like magic, I was in, looking at the configuration settings, and feeling pretty proud of myself for remembering that login and password combination.
Until I looked down at the keyboard, that is. On the wrist rest was a post-it note with seven layers of scotch tape protecting the writing on that piece of paper — which, of course, was the login and password information for the system administrator.
Interesting info… I trust you are right… as these days nothing is 100% secure… the same applies to surveillance networks… same as data… it could be hacked and accessed… I think we would need to create new security standards for surveillance networks…
Interesting article.
I do agree with you to have separate nets, one for cameras and their managing and controlling servers and one for the PC net, but having two net cards in a server with a Windows OS might cause a new type of risk caused by internal routing in that server.
That’s a great point. System design and network topology get you just so far. At some point you need to look at the hardware and software and verify that these products are also vigilant about network security and that they aren’t punching holes in your carefully designed “walls”.
I’m not sure if there’s a need for standards for the security industry. There are already plenty of guidelines and techniques that are utilized by the IT industry, and at the end of the day these are just IT networks. Being IT standards compliant might be better than reinventing the wheel.
Maybe this is clouded by my personal philosophy. I don’t believe that the world needs more standards (or laws, or rules, or regulations) as much as it needs people to pay more attention to the ones we already have.
I think you are right… in your point of view… but our points of view could depend on a few factors… one of them is where we are coming from… in Canada we lack in some areas of the security field… rules and regulations/standards… in other areas we just have too many… plus I’m not counting legal loopholes…
Robert, excellent article. There seems to be a bit of a divide in the industry when it comes to using dual NICs vs. a VLAN on the client’s existing network. My preference (and the preference of most of my clients) has always been to use dual NICs and keep the two networks independent of each other. However, I have also heard the argument that creating a VLAN on the client’s network can greatly reduce installation times. In theory I would have to agree that this is true, but as security professionals we need to think of security in a broader…
Firms should invest in securing their networks. Some ‘savings’ early would probably translate to costs several times over due to some breach. Might as well dish out and not compromise on a good security system rather than end up having to pay for it later.
I agree with you, Robert. We already have too many standards as it is; I think it would be more useful to concentrate on improving systems rather than ensuring that everything is compliant with one more standard.
Also, having a ‘standard’ for security might not be very applicable. If there’s one thing I’ve learned, it’s that you need to be really flexible in this field. Just as those who intend to breach your systems are resourceful, you should be able to adapt quickly to block their attempts.
Dual network interface cards versus a VLAN could be one of those “theory versus practice” debates, or at least it is in my book. The VLAN is a great way to go. You can have separate networks running down the same cable. It’s cleaner from an installation perspective, just as secure as separate networks, and while the hardware is pricier, there’s less of it, and pricing continues to drop. In practice, you can’t just pop a new box in if a network switch fails — well, you can, but everything will be on one LAN unless you program it up.…
You raise a great point: “Just as those who intend to breach your systems are resourceful, you should be able to adapt quickly to block their attempts.” The biggest security “weak link” is usually a person, not equipment or programming. Most of the big data breaches we hear about had a human component. And this isn’t always someone subverting their employer’s safeguards, or selling out. It’s the person who tells their password to the guy on the phone who says he’s from IT. Or the person who writes the passcode to a keypad on the doorframe because they can’t be…
The difficulty is that we are always reacting to the hackers. They will always have the advantage, because they pick the time, place and method, and we must then react to the hack. While we react, even if it takes just a few minutes, they can steal everything they want. A lot of what is taken will never be missed until it is used somehow – most of what is stolen is so mundane, we won’t even notice when it is used. Encryption can help, but I submit that any code devised by man can be broken eventually, and any…
Great article. This really hits home the notion that CCTV is no longer in an electrician’s scope of work but is in a real-world transition to IT.
Robert, all very interesting points… but how far do we expect the CCTV installer to go? Are they expected to be IT security experts too! In small to large security companies the installing and commissioning engineer knows mainly his part of the job, and then who takes the initiative to communicate with the client to ensure that their network is secure, and to what level? The design engineer may cover it in the proposal… It may be the project engineer or project manager who raises the issue during installation, or all may be naive regarding these issues, but someone needs to recognise…
To some extent, yes. Maybe not experts, but security installers should certainly be familiar with IT security and ensure that the basics are covered. This is no different than having to be surge protection experts, or cabling experts (remember all the different flavors of coaxial cable we had to learn, or risk losing CCTV signal down CATV cable just because they are both called RG59?). There’s a lot demanded of the security installer, but it’s no different than what a plumber, electrician, mechanic, or other skilled tradesman has to know, work with, and understand. And asking for help is always…
On the one hand, I find myself thinking “how can you have a home computer network without understanding the basics of network security?”
On the other hand, there are variations of the old adage, “The cobbler’s shoes are always in need of repair.”
We’re moving into an era of ever-increasing simplicity in terms of getting things to work, but ever-increasing complexity in terms of having them work well.