VMS cybersecurity: all about cameras

Many organizations use different camera models from different manufacturers. This makes a lot of sense for organizations managing a range of spaces across multiple sites. After all, a security camera on a highway has a different job to do than one in a parking lot or in the immigration area of an airport.

For large projects though, it can be challenging to keep track of all cameras. The first step is asset management: knowing what you have. If all of your cameras are already connected to video management software (VMS), therein lies your list.

Different organizations have different cybersecurity needs. A local restaurant chain with three locations is going to be less concerned with a cyber attack than a company that provides electricity to most of a country’s citizens. With that in mind, you need to decide on the priorities that make sense for your organization. Here are some examples that you might want on your cybersecurity assessment list:

• HTTPS: If you’re reading this article, you probably only want to use cameras that support HTTPS. It’s a type of encryption that helps block cyber criminals from hijacking a video camera’s communication and the VMS client or server. Even if you work in a low-risk sector, this is a good “basic cybersecurity” box to tick.
  
  
• Tamper detection: Some advanced cameras come with tamper detection features that alert you if anyone has physically or digitally interfered with the device. On the one hand, if a camera is physically placed where it would be almost impossible for a person to reach it, then maybe it’s less necessary. On the other hand, if you’re a retailer with a theft insurance policy that requires tamper detection of security cameras, the choice is simple.
  
  
• Cybersecurity policies and certifications: These are especially valid for government projects, which may involve defense, healthcare or critical infrastructure. The stakes are higher when it comes to national security and public safety. Private organizations also have a lot to lose if money-making activities are blocked due to a security incident. If any of this rings true, you’ll want to check if a camera vendor has a way for customers to report vulnerabilities, a team to respond to incidents, if it’s been ISO/IEC 27001 certified or if it’s been penetration (pen) tested by an independent third party.

You can often find this information by looking up the manufacturer’s online documentation, opening the settings of the camera’s interface and/or reaching out to their customer support team.

It might be that your cameras are already installed exactly as they should be. Here are a few guidelines to help determine if that’s the case.

• Mounting cameras in hard-to-reach places is generally good advice, but you need to weigh this against the job you need the camera to do. For example, face-level positioning may be necessary for identification purposes in airports. License plate cameras might need to be installed around 10 feet (three meters) from the ground, which, while much higher than face-level, is a lot more reachable than, say, 23 feet (seven meters).
  
  
• Use protective casings for cameras and conduits for exposed cables. The former shields cameras from deliberate attempts to steal, damage or disable them and the latter protects cables from being cut, unplugged or otherwise tampered with. For outdoor installations, these physical barriers also help with weatherproofing.
  
  
• If all else fails, make sure that your camera SD cards are encrypted. That way, even if someone physically removes the SD card from a camera, they won’t be able to read the data without the decryption key.

Firmware updates often address known security vulnerabilities. Manufacturers release updates to fix these vulnerabilities, protecting your camera from being exploited by hackers. So, naturally, staying up to date makes a lot of sense. However, here are several considerations to through prior to updating:

• Device life cycle: There might be firmware updates available for some of your devices. But if the latest update is two or three years old and the expected lifetime of the camera is almost up, you might want to evaluate whether it’s even worth the update. It might make more sense to swap out the device.
  
  
• What’s included: There is a small chance that the update could mean losing support for a functionality or process that you currently depend on. For example, you want to make sure that requirements for password complexity, HTTPS, etc. in the latest firmware version stay at a level that you need.
  
  
• Backwards compatibility: Sometimes a VMS provider will decide to stop supporting a specific camera manufacturer. It’s unlikely that the VMS provider will remove the camera drivers that they previously developed. Nevertheless, you want to make sure that your VMS has an updated driver to match the latest camera firmware. Otherwise, you might end up wasting time and having to downgrade the firmware to re-establish a connection with your VMS.
  
  
• Firmware source: To be on the safe side, always download directly from the camera manufacturer’s website. Going through the checksum that comes with the firmware will also raise alarm bells if it’s been tampered with.
  
  
• Testing: Getting the latest firmware on one or a few cameras will let you know if there are any major bugs that could interrupt your security operations. If testing goes well, then you can proceed to updating the rest of the cameras.

Okay, you’ve confirmed that an update is a good idea. Hopefully, you have a VMS that gives you a fast, easy way to check which firmware your cameras are running and the time since the last update. From there, you can either update in bulk or one-by-one.

As mentioned, your VMS needs to be running drivers that match the firmware of any connected cameras. While a camera's new firmware is unlikely to break the connection to your VMS, you might need the new driver to support the latest camera-side functionality.

The latest drivers should be available on your VMS provider’s website. Taking Milestone’s XProtect VMS as an example, updated drivers are installed on the recording server, which can take up to five minutes to reboot. It’s important to know that the camera feeds connected to the server won't be recorded during the reboot (unless you have a backup for recording).

Even if you only have a single security camera running, please double-check that it does not still have a factory-set admin account and password. More modern cameras won’t even have this factory option, but many older ones do. Even if 99.9% of your cameras are password protected, just one vulnerable camera can compromise your entire installation.

If you operate in a higher-risk, regulated sector, then this is one of the bases that you probably have covered. In which case, you can move on to:

• Password strength: Ideally, no one should know a camera password. It’s more safe and more efficient to let your VMS generate complex passwords for you. That way, no one will remember a password off the top of their head and be able to repeat it verbally and/or remember it when they leave your organization. It will also make it more difficult for a bad actor to brute force into a device.
  
  
• Bulk updates: While automatic password generation is a good idea even for smaller projects, the benefits of bulk updates increase with the number of cameras you’re managing. In addition to generating passwords, a VMS should also let you update them in bulk.

Putting your VMS on a separate network limits the damage an attacker can do. They’ll have access to the compromised VLAN, yet won’t be able to go further. Let’s look at a couple of infographics that showcase two common VLAN setups that customers use when deploying Milestone’s XProtect VMS.

• If your organization is smaller and/or at lower risk of a cyber attack, you could create a camera VLAN and a VMS client VLAN with a single switch, allowing them both to communicate with the server.

• In a more advanced corporate environment, where the office network shares infrastructure with the security network, it’s advisable to create a third VLAN for certain sensors, file servers and computers frequently used by employees. This approach allows the physical infrastructure to be shared while the virtual separation adds an extra layer of security.

Organizations that need to use managed switches for their video security cameras typically include those with complex security requirements, high data traffic or stringent regulatory compliance needs. If any of that rings a bell, we recommend using the IEEE 802.1X authentication protocol on your switches and cameras. This protocol makes sure that the switch is definitely communicating with the camera and not some hacking equipment. Of course, a prerequisite is that your cameras support 802.1X. So if you’re considering which hardware to keep and what to swap out, this might be added to your list of criteria.

Encryption at rest and encryption in transit are two key components of securing data in video security systems:

• Encryption in transit: At the beginning of this article, we talked about HTTPS as a good standard of video encryption in transit. Another option that can be used along with HTTPS (or instead of it, in case your cameras don’t support HTTPS) is Media Access Control Security (MACsec). It encrypts the data on the cable between the camera and the switch. So, if you have cameras installed in public and/or outdoor spaces, MACsec is something you might want to look into.
  
  
• Encryption at rest: In the absence of encryption, unauthorized individuals who could potentially watch or steal sensitive video content. Widely acknowledged as one of the most secure encryption algorithms currently available, the Advanced Encryption Standard (AES) offers varying key lengths. AES-256 is as good as it gets, and is the preferred choice of government agencies.

Digital signing video recordings—knowing who has viewed and exported footage—is critical to law enforcement. After all, if video evidence is used in a courtroom, there can’t be any doubt as to whether it’s been tampered with. Digital signing could also be a requirement within government and defense, healthcare, financial services, critical infrastructure, retail and education.

Taking XProtect as an example of digital signing within a VMS, how it works is that a signature is applied each time a video is exported and you also get a signature from the recording server. One signature is saved at the time of recording and another at the time of export. When a signature is applied, the video itself isn’t altered or re-encoded. Instead, any signatures are stored alongside the media database, which verifies the signatures. All XProtect variants support this functionality at no additional cost.

Learn more about Milestone’s approach to cybersecurity: 

• Milestone’s Product Security Incident Response Team
• Milestone and GDPR compliance
• Milestone’s Hardening Guide

New to Milestone? Please book an XProtect VMS product demo or ask us a question! We’d be happy to hear from you.