Showing posts with label Aug 2019. Show all posts
Showing posts with label Aug 2019. Show all posts

Saturday, August 24, 2019

SSA Integrate - Fire alarms and BAS

SSA Integrate - Fire alarms and BAS

The integration of Building Automation System and fire alarm systems can result in overall reduction in equipment, installation, and maintenance costs while still maintaining the level of safety required for these systems to operate. 

With the advent of smart building technology, heating, cooling, electrical, lighting, security, and other systems need monitoring and intercommunication for optimized efficiency and operation. With sophistication comes the need for a building automation system (BAS) to allow for nearly seamless operation of these various interrelated equipment.
When the fire alarm system takes control of equipment that is not a listed component of the fire alarm control unit, the fire alarm system must either override the natural operating mode of the building equipment or pass off that command via a simple switch or data communications to the building mechanical systems. Likewise, each manufacturer’s BAS has its own protocol for monitoring conditions and communicating operational commands to maintain the proper building environment and efficiency. There are also standard open communication protocols such as LonTalk and BACnet that can be used to communicate with a multitude of equipment from various manufacturers in order to achieve an integrated building system. 
The communication protocol for a fire alarm control unit to communicate to and from its indicating (input), initiating (output), and sometimes notification appliances is typically an analog or digital communications signal carried over what is referred to as a signaling line circuit (SLC). Because communications signals are typically proprietary protocol, each SLC is dedicated to a specific manufacturer’s equipment and cannot include connection of incompatible devices that use a different signal protocol.
Therefore, in order to integrate system alarm and control functions with the BAS in a manner other than relay logic, fire alarm system manufacturers had to also design and support the open communication protocols used for building automation, in a manner that would not compromise the integrity or the operation of the fire alarm system. This process of sharing information between both fire alarm and BAS came to be known as bridging, or open gateway processing. Because of the strict code and listing requirements of fire alarm systems, much of this communication has been primarily limited to one-way communication. However, some manufacturers of both fire alarm and BAS do produce equipment such as gateways that are listed for bi-directional communication with their equipment. 

Make a case of a building with separate building automation and fire alarm systems: When the building engineer receives a call from an occupant complaining about increased temperature or whistling air within the ductwork and finds that the fan is shut down or a damper is closed, the building engineer is more apt to call a controls contractor to investigate the problem before he calls their fire alarm service provider. Should the problem be related to an override of controls by the fire alarm systems, not only does the building engineer have to wait for the controls contractor to diagnose the problem, he also has to call the fire alarm contractor to come out and fix the problem. This process can take time to correct; meanwhile, building occupants are uncomfortable and inconvenienced.
Sometimes this can even lead to finger-pointing between the two service providers as to whose problem it really is. In this scenario, the fire alarm control of a fan or a damper is required to be ahead of the hand-off-auto switch for the power to the equipment so the inadvertent shutdown of the equipment does not inhibit the operation of the fire alarm feature. A failure of the fire alarm system control relay could shut down the fan or close the damper without an alarm being present on the fire alarm system or fault condition occurring on the fire alarm control unit. 

Because many components that affect air and smoke movement within a building are shared between HVAC and fire alarm systems, let’s take a step backward in the evolution of the building process. When building systems are being commissioned for proper operation by either an authority having jurisdiction (AHJ) or an independent third-party group, coordination must occur between multiple trades. At this point in the construction process, each trade is independently looking to complete its own scope of work and more often than not is under pressure to finish the specific scope in a designated timeframe. Sometimes this leaves a disconnect between the fire alarm and mechanical trades that results in disruption during start-up and commissioning. 

The integrated system approach allows for those individuals responsible for controlling air movement to be focused on proofing and balancing the mechanical system, while the fire alarm contractors focus on the detection and annunciation of the alarm events. Much in the same manner as referenced in the previous example, the problems can get resolved more expeditiously and the systems can be brought on-line. 

If we focus on the installation of a building management system (BMS) and a fire alarm system, we see many similarities. Each of these control systems is classified as low-voltage systems that communicate to their respected devices through an analog or digital signal. Their wiring methods and materials are similar, and often their respective equipment is located in the same general area and is performing the same basic functions with one significant difference: the fire alarm system uses individual point addressable monitor and control modules while the BAS uses digital input/output driver assemblies that communicate with different protocols. 
Why is this important? Because the BAS still requires individual pairs of conductors to each point being controlled or monitored by the digital input/output module, resulting in more wire being needed and longer installation time.

When considering SSA system integration, the ability of the BAS to control a smoke control system operation falls under the auspice of the jurisdiction’s building code, often based on the model building codes. The IBC has been adopted by a large portion of the United States and is used in this article as an example. IBC Section 909 covers smoke control systems, the procedures for determining system parameters, the acceptable methods that may be used to accomplish smoke control, and the requirements to document the system’s actual performance. It recognizes that the smoke control system is a life safety system and must maintain the same high level of reliability required for any type of fire protection or fire alarm system.

Section 909 requires smoke control systems to be initiated by sprinkler system or smoke detection system operation, depending on the type of system being designed. It also requires systems providing control input or output to the mechanical smoke control systems to comply with Section 907 (Fire Alarm and Detection Systems) and NFPA 72: National Fire Alarm and Signaling Code, and states that such systems must be equipped with a control unit that complies with UL 864 and has to be listed as smoke control equipment.

Using a fire/smoke damper that is part of an engineered smoke control system complying with International Building Code Section 909 as an example, at each damper location we have a smoke detector for detection of smoke, an actuator that controls the opening and closing of the damper, and an end switch to provide positive confirmation of the damper open and closed position. Because the fire alarm system already needs to have circuitry to this location for individual smoke or duct smoke detectors, that same pair of wires can be used to monitor the open and closed position of the damper, essentially eliminating two pairs of wires back to the BAS controller. The position status signals of the damper can then be transmitted from the fire alarm system, through the gateway, and into the BAS along with the active alarm point information. This leaves the wiring to the actuator as the only BAS wiring needed at the damper location.
As another example, let’s use a stairway pressurization fan that is being controlled by a variable frequency drive (VFD). Typically, a VFD would be connected to the BAS via a digital signal while the fire alarm system would provide override of the VFD using dry contacts to stop it or put it into a smoke mode condition. Allowing the BAS to perform all of the control functions permits the adjustment of the fan speed through the BAS to regulate for atmospheric conditions by employing other equipment connected to the BAS, such a digital differential pressure sensors. Using the BAS solely for control eliminates any connection to the fire alarm system, with the activation commands being sent through the gateway.

Taking advantage of the aforementioned efficiencies gained by integrating the BAS with the fire alarm system requires planning in the design process. This planning process is the same whether it is a design build or a design assist type of project delivery. The building owner and operator must be involved in the process of establishing the design criteria or at the least have influence over it. In a typical design build or design assist process, the integration of these two systems is an afterthought and often never considered. The end user must be made to understand that the efficiencies gained by integration will pay dividends long into the lifecycle of the building.

Integrated systems require enough time to test and to verify that the system interoperability is functioning properly. It is important that the engineer as well as the installing contractor and the equipment vendors understand the impact of these requirements on providing an approved and code compliant installation. 
Due to the complexity of these systems and the required integration, testing must confirm that the functions and sequences work correctly under both automatic and manual modes.

The inspection and testing of integrated systems is usually exasperating and time-consuming, and often requires multiple rounds of retesting before all the deficiencies are corrected. This is often caused due to all of these different systems being completed late in the schedule and not enough time to “get the kinks out” prior to final testing. Anything that can expedite the commissioning process is beneficial to the overall project. 

One of the advantages of using the BAS as an integrated part of the smoke control system is the system’s ability to modify operating conditions to accommodate actual ambient conditions through the use of VFDs. The design of smoke control systems is based on many variable conditions, including temperature, wind conditions, and the quality or “tightness” of the construction. These conditions tend to make testing and adjusting of the smoke control system difficult at best.

Integrating BAS can help minimize test stress by adjusting the fan speed of individual fans through programming. In a situation of excessive stair pressurization, the individual fan can be adjusted to limit its airflow to the stair, resulting in a lower level of pressure affecting door opening forces. Similarly, for individual zone smoke control system performance, the fan speed can be adjusted on a zone-by-zone basis, based on the fire alarm signal received by the BAS. 

The downside to this operation is that the BAS controls are typically located remotely to the fire alarm control panel and the firefighters’ smoke control panel, both of which normally reside in a fire command room. BAS controls and system components are usually located for the convenience of the building’s staff and HVAC equipment. Under test conditions, additional personnel may be required to monitor the BAS controls to make any required modifications. 

While modifying fan output for each smoke zone condition is a more expedient method to obtain approval, it also provides future opportunities to inappropriately change the settings, possibly making the system ineffective. Care must be taken to limit access to this programming and provide logging procedures to document when and why changes are made.
Take a note: Fire condition is determined by the Fire Alarm Control Panel. AHU will automatically shutdowns the whole system with associated interlocks.

Question: How can the reliability of the fire alarm system be maintained while mixing data with other non-emergency inputs?
Answer: In reality the fire alarm system reliability is unaffected by other integrated systems when using the BACnet protocol due to the required use of the gateway interface. The gateway keeps the other signals on the network form affecting the fire alarm system.

Question: Building automation systems are more and more residing on an owner's IT network. If a BACnet gateway is used to interface to the fire alarm system, instead of hardwired connections, this device would reside on the owner's network which is likely not UL listed. Have you come across this concern?
Answer: The BACnet gateway itself is required to be listed, but not the system. So the fire alarm system devices or zones would be connected to the listed gateway and then the other side of the gateway would be connected to the network allowing the objects to be transmitted to the BAS, for example. Once again we are still required to use the listed gateway as the interface but the balance of the non-fire alarm system equipment does not need to be listed for fire alarm use. Having said that there are changes proposed to NFPA 72-2019 that would allow direct connection to the Ethernet or a network under certain conditions. These proposed changes have not yet been officially adopted.

Question: Do you recommend integrating the building fire alarm system and the BAS in an office building that undergo tenant fit-outs on a continuous basis?
Answer: With any system design in any building or occupancy planning is imperative. Knowing beforehand that the occupancy is to be offices and knowing that tenant fit-out occur on a regular basis, it is incumbent on the original system designer to include system changes and expansion in his or her design. Just because frequent changes to a system are expected does not preclude integrating all of the systems. It does require more coordination and provided that happens the systems should remain reliable.

Question: Does OEO override designated and alternate recall operation?
Answer: No, just the opposite. All recall features (elevator lobby smoke detectors for example) would input to the OEO controller and it would relinquish OEO or those floors in recall.

Question: How would elevator shunt trip for a sprinkled hoistway or elevator equipment room operation work into the OEO sequence of operation?
Answer: As stated previously, when these types of operations occur during or prior to OEO, these operations would take priority over the OEO and all OEO for the affected elevators would cease and all signs and voice messages would revert to “Do Not Use The Elevators, Use The Stairs” operation. 

Question: How would the use of BACnet interface to emergency control systems, requiring supervision of control wiring, address this code requirement?

Answer: NFPA 72-2019 (and previous editions) require supervision to within 3 ft of the controlling device or no supervision if the device operation is fail-safe, meaning if the connection to the device is severed, the emergency device operates as required. The gateway could be determined as the connection to the controlling device and as long as that was within 3 ft of the controller it would be considered code-compliant. This is unlikely to happen and other design considerations will need to be considered to ensure that the performance of the emergency control system is code compliant. Given the many types of configurations, there can be no one definitive answer to the problem until the actual field condition is evaluated.

Tuesday, August 13, 2019

Cyber threat into Video Surveillance

Cyber threat into Video Surveillance
Yes we all are known US ban HikVision, Dahua and IPVM media cover full story time by time. Security systems are changing at an ever-increasing pace and are making more use of standard Information Technology (IT) products running over a Local Area Network (LAN) or Wide Area Network (WAN) e.g. across the Internet, where they can be remotely monitored and controlled. As a result of using Internet Protocol (IP), the opportunity has arisen for manufacturers to develop new generations of equipment from control panels, cameras, and door controllers, to fully integrated systems combining fire, access control, CCTV, intruder and building control systems. These “integrated” systems are often called security management systems as they bring together the management of all aspects of an organization’s security.
Closed-circuit television (CCTV) is a TV system in which signals are not publicly distributed, but are monitored, primarily for surveillance and security purposes. CCTV systems rely on strategic placement of cameras and observation of the camera’s input on monitors. As the cameras communicate with monitors and/or video recorders across private coaxial cable runs, or wireless communication links, they gain the designation “closed-circuit” to indicate that access to their content is limited to only those with authorisation to see it. First we need to understand below few things:

What is a network?

In simple terms, a network provides a means of communicating data between two or more computer-like devices. A network can be a LAN and can incorporate a Wireless element of networking (WLAN). Where the network has the need to communicate outside of a single LAN, a WAN is used. A WAN can connect LANs together to communicate with users and computers in other locations. The most well-known example of a WAN is the Internet.
Why use an IP network?
Traditionally, many security systems have been linked to remote monitoring centres using modem type devices connected to a telephone line to exchange information. Using a network introduces many benefits, for example a substantial financial saving compared to dial up solutions. Additionally, the use of a network can improve quality of information and the time required to connect and exchange information.

Digital formats are being chosen by many industries such as music, telephone (voice over IP networks), TV, photography etc. With so many industries making use of IP technology, networks have become extremely robust. As a result, the use of a network can make the exchange of information between a security system and a remote monitoring centre more efficient.
Internet Service Provider (ISP)
The connection between your premises and the monitoring location may use an ISP to provide the service. When choosing an ISP, you should endeavour to establish the level of service being offered. Additionally, it may be prudent to have a second ISP link. The connection between your premises and the ISP is perhaps the weaker link so if you do have concerns, you should investigate an alternate means of communication from your premises into the ISP, i.e. GPRS, GSM (mobile service providers).

Bandwidth
Bandwidth requirements (space on your network to operate) should be discussed with your IT manager. The bandwidth required to operate a CCTV system may be considerable. Your security system provider will be able to advise you on the bandwidth requirements. As a general guide, CCTV systems require considerable bandwidth to send video images over a network whereas access control, intruder alarm systems and visitor management systems that only send small amounts of data, do not require much bandwidth.

Company usage policies
You will also need to consider company policies relating to “what is allowed” to use an existing network. If the nature of your business dictates that the network shall only be used for specific applications, then this may immediately determine that a separate network must be installed for the security system.

Now SSA Integrate company Integrating existing security with IP security solutions. As now common backbone are under TCP/IP. The network of connected sensors, devices, and appliances commonly referred to as the Internet of Things (IoT) has completely changed the way business works. This is as
true of the heavy hauling and freight industry as any other. At any moment, various players in the industry can get a sense of vehicle health, cargo safety, and whether or not any infrastructure is in need of repair.
Some products allow a mixture of analogue and digital security equipment to be combined, and this means that there is not always a need to move completely to an IP based system if an existing security system is in place.
The ‘hybrid’ approach is more common where two or more security sub systems are combined to create an integrated solution. The data in a hybrid system will usually come together at one or more PC’s. Non-IP systems are often connected to a PC using a serial port, whereas IP systems will be connected over the network.

A cyber-attack at targeted points in a country or region’s network could leave it crippled, preventing people from receiving much-needed goods and services. Fortunately, it doesn’t have to be that way.
Now cyberattacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked.
In October 2016, 600,000 internet connected cameras, DVR’s, routers and other IoT devices were compromised and used to for a massive Bot Net to launch what was the largest Denial Of Service (DOS) attack the internet had experienced to date.
In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response the NSA traced the attacker’s source and infiltrated their computer systems gaining access to their CCTV cameras from where they were able to observe the hackers’ comings and goings.

In the lead up to the 2017 US Presidential inauguration, 65 per cent of the recording servers for the city of Washington CCTV system were infected with ransomware. How did the attack take place? Whilst unknown, it most likely occurred by the same means as other common PC hacks such as infected USB keys, malicious web sites, or phishing attacks.
What was the impact? The system administrators had to wipe the infected systems and reinstall the video management system so it’s entirely possible a good deal of footage was lost, and the system was rendered inoperable for a time.
May, 2018, over 60 Canon cameras in Japan were hacked with “I’m Hacked. bye2” appearing in the camera display text. How did the attack take place? Simple. IP cameras were connected to the internet and were left on default credentials. It appears that the hackers logged into the cameras and changed the on-screen display. What was the impact? Other the defacement of the camera displays and some reputational damage, there doesn’t seem to have been much impact from these attacks.

How did the attack take place? Yet again, devices were left connected to the internet and were left on default credentials. In this case, the attackers developed software that scoured the internet searching for vulnerable devices, which they then took control using their own malicious software.

What lessons can we learn from these attacks?
Don’t connect your devices directly to the Internet. If you need to have a camera or CCTV system be remotely accessible, port forwarding all inbound traffic to your system is just asking to be attacked. Use a VPN, use non-standard network ports, enable 2 factor authentications, or use a remote access service. While these measures won’t guarantee your security, they will certainly make you less of a target for attackers that are scouring the internet for vulnerable systems.
Just because it connects to a bunch of cameras, doesn’t mean that your NVR isn’t a computer. All the cyber security advice that is applicable to traditional IT is just as applicable when said computer is used as part of a CCTV system.

On Aug 13, 2018, The US President has signed the 2019 NDAA into law, banning the use of Dahua and HikVision (and their OEMs) for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national Security’ usage.
US government is effectively blacklisting Dahua and HikVision products, this will have a severe branding and consequentially purchasing impact. Many buyers will be concerned about:
·         What security risks those products pose for them
·         What problems might occur if they want to integrate with public / government systems
·         What future legislation at the state or local level might ban usage of such systems

On Jun 06, 2019 Hanwha Techwin is dropping Huawei Hisilicon from all of their products. Its belongs to China’s origin. Backdoor entry are open on product.

The tightening noose around Chinese technology firms is driven by the Trump administration’s view that China poses an economic, technological and political threat, a stance that country is likely to retaliate against. The two companies prompted concern that they could be employed in espionage, according to people familiar with the matter. Last week, the administration banned Huawei Technologies Co. from purchasing American technology amid similar suspicions of spying capabilities and Chinese laws that could require home-grown firms to hand over information if asked.

Hikvision, which is controlled by the Chinese government and Dahua are leaders in the market for surveillance technology, with cameras that can produce sharp, full-color images in fog and near-total darkness. They also use artificial intelligence to power 3D people-counting cameras and facial recognition systems on a vast scale.

A Chinese firm whose subsidiary has been shortlisted to supply security cameras for the national capital is on a US watch list, with an advisory on threats, including remote hacking and potential backdoor access. 


Concerns have also been raised on the firm being owned by the Chinese government, adding a twist to the controversy over a Delhi government project to install 1.5 lakh CCTV cameras across the city.  Now question is how you Prevent Malware Attacks:
1.   Manage your router: Earlier this year, the FBI recommended that everyone reboot all home routers and small office routers. In a previous blog on the subject, Davis stated that “rebooting will disable the active malware called “VPN Filter" which has infected hundreds of thousands of routers across the Internet, and it will help the FBI assess the extent of the infection.” While this was an isolated incident in time,
2.   Disable UPNP: UPNP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.
3.   Disable P2P: P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.
4.   Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.
5.   Disable Multicast: Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.
6.   Cameras connected to the POE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.
7.   Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of numbers to the device. Do not DMZ the device's IP address.
8.   Protect your computer from vulnerabilities: Clean up your computer by removing old software programs no longer in use, and make sure to install patches regularly. Updating firmware safeguards equipment by patching known vulnerabilities often adds features and sometimes will improve system performance.
9.   Use firewalls and firebreaks (network segmentation): Place devices behind firewalls to protect them from untrusted networks, such as the Internet. And, use network segmentation—splitting a network into separate networks that are isolated, not connected—so a compromise in one part of the network won’t compromise the other (i.e. human resources and finance). This works much like a firebreak, which is a strip of land in a wooded area or forest where the trees have been removed to prevent a fire from spreading.
10. The network your NVR and IP camera resides on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.


Some Protection Protocols:

Cyber security procedures for video surveillance devices across the threat spectrum require certain protection protocols.

Weaponizing IP Cameras (Threat High)

Most IP cameras today are manufactured with an open operating system, or basic kernel, that gives no real consideration to data or cybersecurity. For years, people have asked about the security of the video that their system produces; now, people are asking if their IP camera system can be used against them.
Think of an IT administrator who has worked diligently to secure a network, servers and mobile devices who then finds out that the 200 recently installed IP cameras on the edge of that network that are vulnerable to root kits, can be weaponized and used as attack platforms against their own network – and there is no way to monitor them.

This may seem far-fetched, but in Sept. 2016, 1.5 million IP cameras, DVRs and L3 network devices were highjacked in the largest DDOS attack ever seen. So what are the current fundamental considerations that an organization needs to take into consideration before placing an IP camera on their network? 

Protection Protocol:

·         The operating system (OS) on a video device should be a closed OS that runs in limited memory space.
·         Nothing should be able to be written to the device itself with the exception of digitally signed firmware. If the device has the ability to run third-party apps, it can be weaponized.
·         Common ports should be disabled by default. From a vulnerability and pen testing perspective, the more ports that are open, the more opportunity there is to leverage a device or the services on that device.
·         Video devices should utilize HSTS/ HTTP Strict Transport Security if you are going to implement end-to-end security. This protocol helps protect against protocol downgrade attacks, cookie high jacking, as well as forces an HTTPS connection to the device.
·         Consider devices with a built-in “firewall” to prevent dictionary attacks from Botnets.
·         Monitor user accounts and access to the video devices. Most IP cameras are installed with the default user name and password, and if installed on an accessible network, a connection can be established from anywhere in the world. Devices should have a force password feature that also adheres to password policies, such as length and complexity.
·         Monitor a device’s chain of custody. The vendor should have a secure chain of custody during a manufacturing process all the way through to the final sale. If they are not manufactured in a controlled environment, video devices can be tampered with at any time prior to being sold to the customer

Attacking Servers and NVRs (Threat High)

Most VMS servers and NVRs reside on either a Windows operating system or some flavor of Linux. There is an illusion of security that most of us have with regards to OS security, but just take a look at an OS vulnerability chart and that illusion will quickly disappear.
A base unpatched Windows Server 2012 OS has 36 vulnerabilities; a standard Linux distribution has 119. Most vulnerability that machines are subject to are a result of “add-ons” – such as Internet Explorer (242) and Chrome (124). While Windows Server is a more secure platform, it is also a bigger target due to its market share and utilization.

Protection Protocol:

·         As with any machine on a network, it is imperative that the most current updates and patches are applied to video system devices.
·         Ensure a VMS can work within your network policies and environment while a network firewall and anti-virus software are operational.
·         Use hardened password policies, restricted physical and network access, and disable USB ports.

Recorded Video (Data at Rest-Threat Medium)

The two primary purposes of any video system are to act as a deterrent and to be used as admissible evidence in a court of law, if needed. Technically, digital video falls under the scrutiny of the Federal Rules of Evidence (FRE) as it pertains to digital evidence, and authenticity affects admissibility.

Most NVR systems write video in a base file format such as *.AVI,*.G64, *.MKV. If the video drives are accessible via network share, they are subject to tampering.

Protection Protocol:
·         Video, if written in a readable format, should be encrypted to reduce accessibility and the possibility of tampering.
·         Video devices should use some form of hashing as a form of authenticity. Hashing provides the “Data Fixity” of a file and is a form of admissible evidence. Older forms of authenticity, such as water marking can be considered video tampering.
·         The VMS should also provide a way to protect original incident video for any undefined time beyond the system’s retention time in case of prolonged court cases.  

Playback and Export (Data in Use-Threat Medium)
The current biggest threat to recorded video is internal employees posting incident video footage to social media or leaking it to the press. The need to keep recorded video secure is paramount for many reasons. Unrestricted access to recorded video can cause several different types of issues, including legal and HR incidents. 

Protection Protocol:
·         Be sure your VMS provides granular privileges concerning the export, deletion and protection of recorded video.

Streaming Video (Data in Motion-Threat Low)
While the actual threat of streaming video being intercepted and used in some way is low, the knowledge that the data from a specific IP address is video can be used against you. From the aspect of network enumeration, an attacker now knows he has non-PC target(s) that he can try to leverage.

Protection Protocol:
·         Video devices should be able to utilize HTTPS communications, with certificates. This ensures secure end-to-end communications including control channels and video payload.
·         Video devices should be equipped with a Trusted Platform Module (TPM) to securely store certificates utilized in different secure network scenarios such as 802.1x  and Public Key Infrastructure (PKI).
·         Your video devices should have features that provide the ability to disable certain protocols such as ICMP, Telnet, and FTP.

Few Current Development:





3. IPVM Report