What Every Integrator Should Know About Interoperability
Interoperability, by simple definition, means the ability of computer systems or software to exchange and make use of information. But when it comes to network security — and cybersecurity in particular — things aren’t quite as simple.
Video surveillance and access control systems are encompassing an ever-broadening spectrum of subsystems, such as visitor management, intrusion, fire detection and building automation. Advanced technologies, including wireless locks and Bluetooth Low Energy (BLE) and Near Field Communication (NFC) readers, are also being integrated. No longer are these systems secure behind the firewall of a local area network (LAN); they now reach over the wall to encompass wide area networks (WAN) and cloud services.
Although network interoperability has been a buzzword for video surveillance and access control systems for the past several years, we have only recently begun to realize that there is a host of other issues to address beyond simply adopting the IT framework that offered easy connectivity. The surveillance industry is still learning why cybersecurity is so critically important and how a single misstep by an installation technician can leave a network vulnerable. The headlines tell countless stories about end users who have lost vital information.
In the future, these operational technology systems will be connected by an open architecture with a common communication and security layer, allowing us to use standards-based security protocols. As it stands now, however, integrating these systems requires manufacturers to work together using application programming interfaces (APIs) or, in many devices, the ONVIF interface.
Defining OT & IT Systems
Let’s address the question, “What is in the system?”
Operational technology (OT) encompasses systems that we use to do our jobs and create an output. In physical security it is video surveillance, access control, intrusion, mass notification and others. In production it is the PLC that runs the conveyor belt, the oven that melts steel or the loom that makes material for clothing. These and many other formerly standalone systems now use the IT infrastructure to transport the data from one component to the next.
As OT and IT collide, how does an organization keep track of what is connected to the network?
OT systems add components that a typical IT system has not had to recognize in the past. These components generate data that must then be transported and stored by the IT infrastructure. The data consists of items such as temperature, pressure, flow, intensity and countless other data points that may be applicable to an operation. The critical concern has become whether these components have been evaluated as potential points of entry into the network.
It is imperative to remember that each of these systems has different methods and abilities to repel a cyber attack. Integrating these disparate systems further complicates cybersecurity. It is these integrations that create “gaps in the wall,” allowing hackers to breach the security of the network. As these gaps are discovered, the manufacturers are closing them and restoring the security of the network. But there is still much work to be done by innovative integrators seeking to succeed in the increasingly complex cyber space.
Fortunately, one of the easiest cyber protection measures to implement is to maintain ALL the connected systems with the latest firmware upgrades and system patches that the manufacturers provide. Most hackers will not have to dig deep to find new ways into a system; rather, they will most likely take known vulnerabilities and attempt to invade systems that have not been patched against them.
By following manufacturers’ hardening guides, which outline the basic security precautionary measures they can put in place, integrators can protect their end users from common cybersecurity problems. Here’s a look at those basic ones, but read on for tips on implementing the more complex and sorely needed ones as well.
Foundational Cybersecurity Measures
As any hardening guide worth its salt will tell you, there are several security measures to put in place to help keep networks secure. Here are some of the basics you should pay attention to:
Current firmware — Upgrading to the most up-to-date firmware is an important part of cybersecurity. Besides adding new features, firmware upgrades include bug fixes and the newest cybersecurity protection.
Default settings — Before you start programming, make sure the equipment is clear of any previous programming by resetting the hardware to factory default settings. It’s a good practice to reset even out-of-the-box controllers to factory settings.
Master password reset — The master password is used to control administrative privileges. It is the most important means of protection for a security device. It is imperative to set a new master password. Be sure to create a hard-to-guess password of at least eight characters using upper and lower case letters, numbers and special characters. Do not use the same password for different sites or customers. Keep this password protected and do not give it out for system management purposes.
Set administrator and user passwords — Each administrator and user should have their own individual user name and password so they can be edited or deleted without affecting the other users. Grant admin privileges only to those who require it. Users should have limited access to make system changes.
Network settings — Most security equipment ships with Dynamic Host Configuration Protocol (DHCP) enabled by default. This makes it easy to set up IP addresses. However, it also makes it easy to capture equipment and change its IP address. Set all equipment to static IP addresses to lock each device to a fixed address.
Set time and date — From a forensic security perspective, it is important that the date and time are correct so the system logs and other audit trails are timestamped with the correct information. The most common way to do this is by synchronizing the time with the server that hosts the security system management software. The security equipment and the software should always be using the same timestamp.
Disable unneeded features — Every enabled feature increases the attack surface available to a cyber attack. Any features that are not being actively used, such as the audio function in a camera, should be disabled.
Edge storage encryption — If your equipment has edge storage, such as an SD card, encryption must be applied to protect the information. This will prevent the ability to capture or view the information if the SD card is removed. The minimum standard should be AES-128 encryption.
These are some of the basic functions that need to be addressed on any device that is connected to the network whether it is an IP camera, access control panel or other OT device. But there is much more that can be addressed to help clients protect their networks and confidential data.
Advanced Cybersecurity Measures
Most security devices have additional security features that are disabled by default. Enabling the features outlined below will reduce the likelihood that a cyber attack succeeds.
IP address filters — Enabling this feature allows the system to keep an inventory of authorized devices and clients. IP filtering prevents the device from responding to network traffic from any other clients.
HTTPS encryption — Hypertext Transfer Protocol Secure (HTTPS) encrypts the traffic between the client or server and the security equipment. HTTPS should be enabled for all administrative tasks.
Securing open ports — Only ports that are required for WAN communication should be open. All other ports should be closed.
IEEE 802.1X network access control — Every device connection is a potential point of attack on the network, especially connections that sit outside the walls of the facility. 802.1X is an authentication protocol that uses mutual authentication to verify the connected device. Before any communication takes place, 802.1X checks the device against the stored list of authorized devices and only allows authorized devices to access the network.
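One way to turn the foundational and advanced checklists above into a repeatable audit, as an added example that is not from the original article: a small Python script that scores a device inventory against each item (firmware currency, the master-password complexity rule, static IP, time sync, unneeded features, edge storage encryption, IP filtering, HTTPS and 802.1X). The inventory records, field names, model names and firmware versions are all constructed for illustration; a real deployment would pull them from the VMS, the access control server or the devices' configuration exports.

```python
import re
LATEST_FIRMWARE = {"cam-x1": "5.2.1", "acs-panel-7": "3.0.4"}  # constructed vendor releases
# Constructed sample inventory: one hardened camera and one neglected door panel.
INVENTORY = [
    {"name": "lobby-cam", "model": "cam-x1", "firmware": "5.2.1",
     "admin_password": "Lobby!Cam#2024x", "dhcp": False, "ntp_server": "10.0.0.5",
     "https_only": True, "ip_filter": True, "dot1x": True,
     "enabled_features": ["video"], "required_features": ["video"],
     "edge_storage": True, "edge_encryption": "AES-128"},
    {"name": "dock-panel", "model": "acs-panel-7", "firmware": "2.9.0",
     "admin_password": "admin", "dhcp": True, "ntp_server": None,
     "https_only": False, "ip_filter": False, "dot1x": False,
     "enabled_features": ["door", "audio"], "required_features": ["door"],
     "edge_storage": False, "edge_encryption": None},
]

def version_tuple(version: str) -> tuple:
    """'5.2.1' -> (5, 2, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def password_ok(password: str) -> bool:
    """The article's rule: at least 8 characters with upper, lower, digit and special."""
    return all([len(password) >= 8, re.search(r"[A-Z]", password),
                re.search(r"[a-z]", password), re.search(r"\d", password),
                re.search(r"[^A-Za-z0-9]", password)])

def audit_device(dev: dict) -> list:
    """Return the checklist items this device fails; an empty list means it passes."""
    findings = []
    latest = LATEST_FIRMWARE.get(dev["model"])
    if latest and version_tuple(dev["firmware"]) < version_tuple(latest):
        findings.append(f"firmware {dev['firmware']} is behind vendor release {latest}")
    if not password_ok(dev["admin_password"]):
        findings.append("master password does not meet the complexity rule")
    unused = sorted(set(dev["enabled_features"]) - set(dev["required_features"]))
    if unused:
        findings.append(f"unneeded features enabled: {', '.join(unused)}")
    # Settings the checklist wants on or off: (required truth value, finding when it differs).
    flags = {"dhcp": (False, "DHCP in use; assign a static IP address"),
             "ntp_server": (True, "no time synchronization; audit-trail timestamps unreliable"),
             "https_only": (True, "HTTPS not enforced for administrative access"),
             "ip_filter": (True, "IP address filtering disabled"),
             "dot1x": (True, "802.1X network access control disabled")}
    findings += [msg for key, (wanted, msg) in flags.items() if bool(dev[key]) != wanted]
    if dev["edge_storage"] and dev["edge_encryption"] not in ("AES-128", "AES-256"):
        findings.append("edge storage present without at least AES-128 encryption")
    return findings

def audit_inventory(inventory: list) -> dict:
    return {dev["name"]: audit_device(dev) for dev in inventory}
```

Running `audit_inventory(INVENTORY)` returns no findings for the hardened camera and eight for the neglected panel, which is the kind of per-device gap list a risk assessment starts from.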
Importance of Cyber Risk Assessments
With all of the devices that clients have connected to their networks over many years, how do they know that the network is adequately protected from intrusion? This is where a cyber risk assessment identifies potential vulnerabilities that could allow intrusion into their system.
A growing concern is that, unlike an IT intrusion where loss of data can damage a reputation, an OT intrusion can affect life safety, depending upon the systems that are infiltrated.
A client needs to consider having a cyber assessment performed on their network. A full assessment can provide identification of all connected devices. According to sagedatasecurity.com, this includes manufacturer, data type, interfaces, firmware version, uses of the system and where the data is going.
A cyber assessment can also reveal threats to the network, including unauthorized access (malicious or accidental), misuse of data by an authorized user (for example, through social engineering), unintended exposure of data to an unauthorized party, loss of data, disruption of service and the risk level associated with each event.
Once the risks have been identified, how do you mitigate them? Many of the risks identified by an assessment can be remedied by a few simple measures. These include:
- Enforcing existing company policies
- Creating new policies where gaps have been identified
- Adding cyber components that can help with risk reduction
- Adding software that can help with risk reduction
- Replacing the equipment that is causing the vulnerability with a device that performs the same function and meets the cyber standard
Where Do We Go From Here?
Just as physical security continues to evolve as new security threats and vulnerabilities are discovered, cybersecurity methods need to adapt in the same way. They need to not only defend the network against the threats it is facing now, but also continue to develop to repel the cyber attacks of the future.
Cybersecurity is not a destination, it is a journey. Continual verification of system performance must be performed to determine whether the individual risks have been reduced. There will always be some level of risk, but the question becomes whether it is a risk the organization can accept.
To that end, organizations must continue to monitor the systems and processes that interoperate. The problem in the physical security market is that each manufacturer releases upgrades continuously. When one manufacturer upgrades their component, the corresponding systems that interact with that component need to be upgraded as well. These upgrades cause a ripple effect across an OT system.
For example, follow this scenario:
- A subcomponent manufacturer upgrades the operating firmware of a component used in IP cameras.
- The camera manufacturer needs to take advantage of the feature that is now offered by the component. This requires the camera manufacturer to upgrade the firmware of the camera.
- The video management software (VMS) needs to offer the camera upgrade to clients, so it in turn needs to upgrade to a new release.
- The access control system that was integrated with the VMS must in turn upgrade to maintain compatibility between the systems for sharing information.
- This access control upgrade may cause a subcomponent of the access control system to require an upgrade to maintain compatibility with the system.
These upgrades are constant, but they also create gaps in security as one leads to the next, opening a vulnerability between devices and/or systems. Many times those gaps are forgotten, and the organization is left with an unknown risk.
To protect customers’ networks, those serving them must be vigilant in continually keeping a pulse on any and all upgrades needed and/or newly available, deploying proven security measures, and proactively staying up to date through trainings and other educational offerings on the cybersecurity challenges and solutions of today and tomorrow.