Is your CCTV system cyber secure?
By Tom Reeve, Chief Communications Officer, The CCTV User Group
CCTV systems can be just as vulnerable to attack as any IT network, potentially leaving your system open to a range of attacks and abuse.
I am of course speaking of network CCTV systems – those built using IT grade equipment using the IP (or internet protocol) to transmit data between cameras, recording devices and management systems – so if you are still using an analogue system, you can skip this article and go and rotate your VHS tapes.
But if your CCTV system is built on IP, please continue reading because we are talking about cyber security and how a CCTV system such as yours could be vulnerable to malicious hacking.
You may well say, but my system doesn't connect to the internet, so we're safe. After all, this is the very definition of "closed circuit": the images are not broadcast – they are seen by a limited number of authorised users.
That they don't connect to the internet is good from a security point of view, but that may lead owners of systems to assume they need not be concerned about cyber security. However, as we will see, there are a range of vulnerabilities that apply to any networked system, and it pays to be prepared.
Cyber attacks have had significant financial repercussions on organisations across the world, including private companies and public bodies.
Redcar and Cleveland Borough Council was hit by a ransomware attack earlier this year which reportedly cost £10 million, and just recently the London Borough of Hackney was hit by a cyber attack which has severely curtailed its ability to deliver services, with widespread speculation (not confirmed by the council at the time of writing) that it is also a ransomware attack.
Cyber attacks can also result in significant loss of confidential data which can in turn lead to heavy fines, as in the case of BA. The airline was fined £20 million last week by the Information Commissioner’s Office (ICO) – its biggest fine to date – for a breach of its payments systems dating back to 2018 which led to the leak of the personal and financial details of more than 400,000 customers. The fine had been widely expected to be much greater, but the ICO said it took into account representations from BA and the impact of Covid-19 on its business before setting a final penalty.
ICO investigators said BA failed to identify weaknesses in its security, weaknesses which could have been resolved with readily-available security tools which would have prevented the attack “being carried out in this way”.
Being prepared for a cyber attack can not only reduce your chances of being attacked but also soften the aftermath. But what does it mean to be prepared for a cyber attack?
Many cyber security experts will tell you that it’s not a matter of if you will be attacked but when. And if attack is inevitable then being prepared is a matter of accepting that fact and establishing your defences now to reduce the damage during an attack (often referred to as mitigation) and fix the damage after the attack (known as remediation).
Gemma Moore, an information security consultant and director at Cyberis, uses hacking techniques to test CCTV systems on behalf of system owners. As she says, CCTV systems are used to detect and preserve evidence so it is essential to understand how a cyber attack could affect the integrity and availability of that evidence.
To mount an attack, a threat actor must gain access to the system and then use hacking techniques to increase their privileges, with the aim of becoming an administrator, while moving laterally through the network to find useful targets.
With sufficiently high user privileges, a threat actor can look at livestream images, change the configurations on cameras or other devices, disable devices, or attack your data by copying it, corrupting it or even encrypting it in what is known as a ransomware attack.
Gemma said you need to think about your system as a whole to identify the vulnerabilities and threats and evaluate the risk. For instance, does the management system for your CCTV system rely on your corporate network to identify and authenticate users? If so, what would happen if that system failed or was subject to a ransomware attack?
“You need to understand all of the dependencies of your CCTV system and have a plan for dealing with situations when these dependencies are compromised,” she said.
There are many strategies for mitigating and remediating attacks – and it’s best to consult a security expert to address your particular situation – but the importance of having a plan cannot be overemphasised, as Iain Cundy, CEO at Section 20 Solutions, told me.
Complying with ICO standards for data breaches and being able to contain the damage within your organisation is a mitigating factor when it comes to fines. “Having a clear plan and ability to show you have taken every possible step to protect yourself is key to limiting the financial impact,” Iain said.
In the case of BA, if it had made greater efforts to secure its payment system and yet still got hacked, the ICO could have – according to its own guidance notes – taken that into account as a mitigating factor in setting the fine.
But how can attackers gain access to your system? If it’s a closed system, it would stand to reason that it can’t be accessed from outside, but the reality is that few systems are completely closed.
Iain said that many CCTV systems – which were sometimes converted from analogue to IP in a hurry and with limited budgets – lack even the simplest cyber security tools such as VLANs and firewalls because they were judged to be low risk systems. Hence, they have a host of often under-appreciated vulnerabilities and points of weakness.
One point of vulnerability is your organisation’s internal network. There may be devices such as workstations or switching devices that are linked to the corporate network and the CCTV network. In this case, an attacker gaining access to the corporate network can use a range of hacking techniques to move laterally through the network, escalate their privileges, and gain admin level access to the CCTV network.
And looking at the same scenario in reverse, a breach of the CCTV system can provide a bridge into your organisation’s corporate network, with all the risks associated with that.
Attackers don’t even need direct access if they infect a system using detachable media, as famously happened in the case of Stuxnet and the Iranian nuclear programme. This same technique has been used to import malware into other systems.
A camera, if not sufficiently secured and isolated, can provide a gateway into the rest of the CCTV network. Cameras that are exposed to the internet can be discovered via the Shodan search tool, and if you go online, you can find numerous examples of public CCTV cameras around the world which are not secured.
And of course, there is the direct approach: cameras are widely distributed, with network access points distributed around town centres in street cabinets and the bases of poles, many of which are in isolated locations with low levels of physical security (many can be opened with a simple key). Access to one of these points for even a minute gives an attacker the chance to install a cheap eavesdropping device, allowing them to retire to a safe distance and probe the network at leisure.
Securing your system
There are different techniques for protecting your system and we can look at some of these in more detail in a future blog, but for now, we’ll sign off with a few recommendations for securing your networks now.
Iain Cundy at Section 20 Solutions said: “We understand the extreme amount of products and data that CCTV centre managers are responsible for, adding IT and cyber factors certainly doesn’t make the job easier. We believe the first steps taken should be to completely understand your IT estate from a network and physical standpoint. Once you have approved the need for all devices, understand what ‘normal’ looks like. How do things work, why, who do they talk to, where does the data get stored? Once you understand ‘normal’ through the pattern of life, it’s easy to understand anomalies. Any attack will create an impact at the network layer, and this should be responded to in real-time. Consider automating the response.”
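One way to turn the "understand normal, then spot anomalies" advice into a working check, as an added example that is not from the original article or from Section 20 Solutions: record who talks to whom during a known-good period, then flag any later traffic that does not match. The addresses, ports, flow records and reason names are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed addressing plan (assumption): cameras and recorder share 10.20.0.0/24.
CCTV_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed flow records from a known-good learning period.
LEARNING = [
    Flow("10.20.0.21", "10.20.0.10", 554),  # camera 1 -> recorder, RTSP video
    Flow("10.20.0.22", "10.20.0.10", 554),  # camera 2 -> recorder, RTSP video
    Flow("10.20.0.50", "10.20.0.10", 443),  # operator workstation -> recorder UI
]

# Constructed flow records from a later monitoring period.
OBSERVED = [
    Flow("10.20.0.21", "10.20.0.10", 554),  # matches the baseline
    Flow("10.20.0.99", "10.20.0.10", 443),  # device never seen before
    Flow("10.20.0.22", "10.20.0.21", 23),   # camera talking to another camera
    Flow("10.20.0.50", "192.0.2.77", 445),  # traffic leaving the CCTV network
]


def build_baseline(flows):
    """Record which devices exist and exactly who they talk to on which port."""
    return {"hosts": {f.src for f in flows} | {f.dst for f in flows},
            "flows": set(flows)}


def find_anomalies(baseline, flows):
    """Return (reason, flow) pairs for traffic that departs from the baseline."""
    findings = []
    for f in flows:
        if f in baseline["flows"]:
            continue  # this conversation is part of 'normal'
        if f.src not in baseline["hosts"]:
            reason = "unknown-device"
        elif ipaddress.ip_address(f.dst) not in CCTV_NET:
            reason = "leaves-cctv-network"
        else:
            reason = "new-conversation"
        findings.append((reason, f))
    return findings


if __name__ == "__main__":
    for reason, flow in find_anomalies(build_baseline(LEARNING), OBSERVED):
        print(f"{reason:20} {flow.src} -> {flow.dst}:{flow.port}")
```

The three reasons map onto scenarios the article describes: a device added at a cabinet or pole, movement between devices inside the CCTV network, and a bridge between the CCTV network and other networks.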
And Gemma Moore at Cyberis said: “There are four key areas that will make a big difference to security compared to the default position for most of these systems:
Harden components when they are installed and configured – change default passwords and enable the built-in security features that might be present
Isolate components and their recordings from other internal networks to create isolation from cyber attacks that might affect the wider internal network
Secure access routes to management interfaces for the CCTV systems – ensure access is restricted to only those with an access requirement, that strong encrypted connections are used and that strong authentication (ideally via multi-factor authentication) is in place for all users
Consider your backup strategy, and ensure that a common threat such as ransomware cannot compromise the availability and integrity of your recordings”