Wednesday, March 15, 2023

Camera Ban Due to Zero Cyber Security

 Camera Ban Due to Zero Cyber Security

Since what some experts considered a password-free engineering hack was found between firmware layers in HikVision cameras around 5 years ago, CCTV cameras manufactured in China have been squeezed from Australian federal government contracts, despite the fact no Chinese-made video surveillance camera in Australia (or anywhere else in the world) has been found transmitting video streams to the Chinese Government. 


The US communications regulator singled out tech giants Huawei and ZTE and surveillance camera makers Hikvision and Dahua. Spy chiefs have warned that the US could be vulnerable to economic espionage or digital sabotage.

The UK Government departments have been told to stop installing surveillance cameras made by Chinese companies on "sensitive sites" because of security concerns.

Both the UK and Scottish governments have banned Hikvision plus other PRC providers from certain government usage for national security reasons, in a sea change for UK video surveillance.

The Governor of New Hampshire has banned products from certain PRC companies including Dahua, Hikvision, and TikTok for use on state networks or devices in an executive order.

Security threat accusation is made against the Smart City project. The Mangaluru City Corporation (MCC) has installed Hikvision brand CCTV cameras in the city. This company is of China origin.

The Indian government has restricted PRC manufacturers such as Dahua and Hikvision from bidding on Indian government projects.


At this point, it’s worth noting that almost all professional CCTV cameras are installed on secure subnets supported by dedicated switches, servers, and video management systems, or they are installed standalone on DVR and NVRs. These systems log network actions from authorised users, including camera views, saves, searches and applications of analytics functionality, where this applies.

It goes without saying that no pro-grade network intrusion detection system could fail to alert network engineers to the transmission of big band video signals from secure network ports to an external network location. It would generate an immediate alert, remedial action and public condemnation.

While IP cameras can upgrade firmware automatically over public networks and will undertake handshakes with a manufacturer’s servers, these actions are ubiquitous across network devices of all types and, in the case of CCTV cameras, can be deactivated, with devices either left using original firmware, or upgraded manually.

Typically, network-based electronic security systems are updated manually by security teams managing system maintenance. These Australian security techs are highly integrated with an end user’s security operations team and will respond at a moment’s notice to issues of camera performance, network failure, or network breach.

Further, in compact applications, such as in the suburban high street offices of MPs, 3-4 CCTV cameras are installed in a basic star configuration that revolves around a PoE NVR/DVR supported by a dedicated keyboard, mouse and monitor. They are not connected to local data networks, let alone hooked to out of country servers – unlike a significant number of other manufacturers, neither Hikvision nor Dahua offers VSaaS in Australia.

Typically, the basic turret cameras used in such applications are mid-wide angle, have modest resolutions, fixed lenses, and are installed with an outward-facing angle of view covering front and rear entrances, car spaces and foyers to allow recording of events for police investigation after an incident.

Recordings are undertaken on local hard drives and written over after 30 days. Viewing of footage and event searches can only be undertaken by a person with access control rights to the location, and who is authenticated with a password issued by a nominated system administrator – typically an admin assistant or office manager who works on-site.

These cameras are installed for safety and security, not to ‘spy’ on MPs. Nor are these cameras being ‘found’ by shocked staffers in third-tier government applications, as if the cameras crept in at night and hung themselves onto walls, as some news websites have implied.

These CCTV systems were installed in plain sight by professional Australian security technicians using products supplied and supported by professional Australian security distributors with technical support from suppliers’ local operations, after an official government tender process.

These cameras and related systems were chosen by government decision makers because they offered the best performance for the least cost. This is not an imperative that will change when government agencies next take locations with modest security requirements to tender.

Similar strictures around installation and governance apply to the 11 Hikvision cameras at the Australian War Memorial, which are likely external bullet cameras installed to view choke points and entries, and are entirely governed by local subnet rules and managed and viewed using an over-arching video management system provided by a third party.

This server-based VMS brings together all the cameras across the site onto a video wall for monitoring by a dedicated security team. It’s normal for a major site like the Australian War Memorial to have multiple camera brands and camera types installed for different reasons at different times with different priorities of budget. Expensive upgrades are undertaken in stages.

Milestone has discontinued technology partnerships with "mainland China" companies, including mega-manufacturers Dahua and Hikvision, the company confirmed to IPVM.

Ambarella, a major supplier of AI chips for IP cameras, has stopped selling to Dahua, Ambarella confirmed to IPVM.

Western Digital and Seagate are no longer selling to Dahua due to US semiconductor export controls imposed on Nov 2022, IPVM has confirmed with WD directly and from sources for Seagate.

ADI has stopped relabeling Dahua, a year after the company secretly started selling relabeled Dahua gear as an ADI house product, despite the NDAA ban, human rights sanctions, and the FCC designation of Dahua as a threat to national security.

The most cyber secure IP surveillance camera is Mobotix, however, the Australian government rarely uses this brand, despite its enormous operational flexibility and impeccable cybersecurity credentials. Bosch, Axis and iPro are also highly regarded, and tier 1 offerings from everyone else – including HikVision and Dahua, which put considerable effort into cybersecurity and transparency to correct early issues that impacted all CCTV camera makers – are close behind.

Unsurprisingly in the current geopolitical climate, Chinese CCTV cameras are by far the most examined network devices when it comes to cyber security, and their camera firmware and supporting management solutions are constantly trawled through by experts looking for issues in devices that, despite their ‘surveillance’ function, are static edge sensors, governed by the settings of the network switches and servers that manage them.

It’s impossible to believe the Australian government’s highly qualified cybersecurity experts are not perfectly aware that edge devices, like CCTV cameras, when properly commissioned and installed on well-designed and secure data networks, are impossible to access remotely, and can’t be infected by ‘spyware’ in the way a mis-managed workstation or laptop might be.

Instead, they must be acutely aware the greatest security threats to security systems are posed by errors in network application, a failure to activate camera cybersecurity settings during installation and pre-commissioning, and weaknesses in the physical security around network components. And cybersecurity experts must know such risks apply to every networked device across a department’s topology – phones, switches, wired and wireless routers, laptops, servers, apps – not just to devices offering click-worthy headlines.

In our opinion, given the highly evolved state of cybersecurity in professional CCTV cameras (and intercoms), the possibility edge devices in secure subnets from any camera manufacturer, could suddenly breach network security settings and start operating unilaterally is so vanishingly small that cybersecurity can’t be the problem.

Instead the government’s core issue seems to be one of uncertainty and misunderstanding around a technology that, when properly installed and managed, leaves virtually no room for uncertainty at all.

Ref:
IPVM Portal
Sen network
US, UK web pages

Wednesday, March 1, 2023

Fenced for Perimeter Protection

Fenced for Perimeter Protection 

Securing a private or public building is a complex issue, right from any perimeter and entrance point to internal asset management. Instead, optimal security solutions can only be achieved by going back to basics, understanding individual environments and integrating security systems to achieve unique requirements.

The 2022 Crime Report from the Association of Convenience Stores (ACS) shows that, in the past year, 89% of store staff faced abuse in their job, with 35,000 incidents of violence, 9% those resulting in personal injury.

The perimeter is the first line of defence. It inhibits and delays intruders. Unfortunately, history has taught us that even the most impenetrable perimeter can still be breached.

Therefore, sensitive sites should not be on the fence when it comes to investing in the right security technology for the right application. A genuinely intelligent system is key to a successful security solution.

Delaying the intruder is essential. If it takes a security team five minutes to deploy intervention, but the time to target is three minutes, then a security solution needs to create a delay of at least two minutes. If there are layers in place that take three minutes to penetrate, then the response team will have time to apprehend the perpetrators before they reach their target.

In terms of physical perimeter security, layers of technology should be applied starting with the outer perimeter, such as the fence line; the inner zone perimeter, such as specific buildings or key infrastructure; the building face perimeter, such as the external building shell; and finally, the internal perimeter, such as internal space where restricted access is necessary. Solutions within each layer should help delay, deter, and detect intrusion.

There are a wide range of technologies that make up an intelligent outer perimeter. To deter people from attempting to gain unauthorised access, a site can use signage or physical barriers. Sites requiring a more secure perimeter typically “harden” the physical barrier using high security palisade or welded mesh products. These barriers are designed to delay intruders and serve as a physical deterrent by preventing unauthorised access. Additionally, perimeter fences ensure the safety of the public – protecting people from entering sites where they may unwittingly expose themselves to risk, injury or even death.

However, while many businesses use gates, fencing, and other structures to keep intruders out, these only delay an intrusion. That is why highly secure sites should look to include elevated detection technologies such as monitored pulse, energised fences. A monitored pulse fence both deters and detects criminals or trespassers. A grid of energised wires is often enough to prevent someone from attempting to climb or break through the fence. Monitored pulse fences comply with international safety standards and are designed to deliver a short but safe shock and acts as a highly effective deterrent.

Additional technologies such as full integration with video management systems provides a visual record of events that can be viewed as a live stream and later used as evidence if required. Designing an effective perimeter security solution is a significantly more complex process than it appears at first glance. The consultant, architect, or engineer has many factors they need to consider in the process, including understanding the site requirements and environment, and selecting which technology or combination of technologies will have a direct impact on the success of the system.

For example, a highly secure yet discrete site, where the customer doesn’t want to “advertise” what they do by way of a visually intimidating perimeter, may use discrete technologies such as buried sensors, laser curtains and microwave. The possible intrusion risks balanced against the requirements of the site will determine the type of sensors used – these risks can range from vandalism or protests by activists to criminal theft, espionage, and terrorism.

One of the main requirements from customers when it comes to an intelligent perimeter solution is a high probability of detection and low false alarm rate. For sites requiring higher levels of perimeter protection, like prisons, it is crucial that perimeter security is as sensitive to tampering on the fence line as possible to prevent and detect perimeter breaches. However, a highly sensitive fence line can be subject to false alarms due to factors such as disturbances from wildlife and environmental extremes.

In recent years, there has been a shift to intelligent, integrated perimeter solutions where detailed reporting and configuration can be carried out on the performance of the perimeter technology. While perimeter security is an organisation’s first and arguably best, line of defence, integration with other technologies is key in effectively securing a site. Essentially, a security management system that brings everything together can provide a truly intelligent multi-layered perimeter solution.

An integrated approach provides the control room operator with all the information associated with an attempted attack to their fence line, ultimately assisting with faster response times. On top of that, cyber security threats are becoming a very real risk to perimeter protection and are forcing a rethink in how and what technologies are installed, with a shift towards more intelligent and integrated solutions. An end-to-end approach is vital. A cyber security vulnerability can occur along any of the communication channels, from the fence detector to the device that displays the alarm to the security guard.

Gallagher considers each communication link and device to assure the complete security of a perimeter protection system. Their security solutions are engineered to meet stringent standards that define how high security sites around the world should be protected and are backed by the implementation of government standards to validate their effectiveness. Gallagher undertakes internal and external penetration testing of their products to ensure they are hardened and secured to mitigate the risk of cyber-attacks.

During pandemic, Gallagher supplied perimeter security solutions to ensure protection. Gallagher’s intelligent deterrent and detection technologies continue to be utilised across small to medium commercial and industrial facilities, right through to larger correctional, utility, and high-profile government sites.