Sunday, September 1, 2019

System integrator role in SSA Business

As you know, SSA stands for Security Safety Automation (SSA Integrate). A security systems integrator by definition specializes in bringing together subsystems into a whole and ensuring that those subsystems function together. When the goal is physical security, those subsystems might be video surveillance, access control, intrusion, FDA or emergency notification, BAS, computer networks and more. Some security suppliers have established their business simply on the procurement and installation of systems predefined by others. More fully developed suppliers are considered ‘design-build’ integrators. However, the most capable security integrator is a full service provider capable of supporting your operations in every phase of the security system lifecycle:
1.   Security risk or needs assessments,
2.   System engineering and design for the major technologies,
3.   Broad access to the leading product lines,
4.   Custom engineering when required,
5.   Alternate investment options,
6.   Procurement, staging, installation, commissioning and training,
7.   Full lifecycle service and maintenance,
8.   System functional and technology upgrades.

A client who selects an integrator fully capable in all the above can then take advantage of his unique perspective on what are the key ingredients for successful development of a physical security program that is supportive of a healthy enterprise.
Working with a full service security provider also reinforces quality. Consider why this is so. If, for instance, the integrator offers long term service and maintenance for the system he installs, then both the service provider and the customer are motivated that the design should be solid and the installation of high quality. And if the integrator can offer attractive long term financing, even operational leases, then he again has a further stake in the caliber of the security provided.
System integration is defined in engineering as the process of bringing together the component sub-systems into one system (an aggregation of subsystems cooperating so that the system is able to deliver the overarching functionality) and ensuring that the subsystems function together as a system, and in information technology as the process of linking together different computing systems and software applications physically or functionally, to act as a coordinated whole.
System Integrators in the automation industry typically provide the product and application experience in implementing complex automation solutions. Often, System Integrators are aligned with automation vendors, joining their various System Integrator programs for access to development products, resources and technical support. System integrators are tightly linked to their accounts and often are viewed as the engineering departments for small manufacturers, handling their automation system installation, commissioning and long term maintenance.

Are there tangible ways that we see interoperability trending in the industry?
There is certainly movement toward standard-compliant products but it is slow. I attribute this mainly to engineers reusing portions of old or outdated specs, along with their lack of knowledge of the current product offerings. IP cameras will help move the standards along since more and more clients are aware of megapixel technology and it forces the engineers to become more current.

Where do you see underserved or untapped opportunities for security systems integrators to provide integration and automation expertise?
Video and access technology have the potential to be integrated well beyond the traditional Big Brother stereotype applications. One example is warehouse distribution and processing applications where repetitive tasks performed incorrectly can slow production or cause injuries. Video analytics could be modified to monitor physical movement and monitor improper technique that could lead to injuries.
These videos could initiate notifications to HR and management staff to alert them to potential problems before they occur. Access to machines and forklifts could be controlled through HR records. Integrating the access system to training and safety certifications could help reduce unqualified employees from accessing and enabling critical operational systems. Security could monitor the traditional video footage, HR could assemble incident reports tagged with the video and management could build and expand training programs with real world examples.

Another area of potential growth is the smart building. A fully integrated structure including security, lighting, HVAC and building controls that provides a return on investment along with the ability to remotely manage a site.

How can a locally-based or small regional company have successes in enterprise-level organizations?
Local companies can have a distinct advantage over the national integrators. First, the small or regional company must be technically advanced and focused on cutting-edge technology so they can provide a value to an enterprise-level client. They must also network with similar dealers with related product lines so they can establish an installation network throughout North America or the regions they are required to service. They can also become an agent for the enterprise client and coordinate all installations and manage that system for that client. Compare that level of service to the big integrators. Yes, they have a handful of talented individuals that truly get the big picture and these men and women travel the country and the world implementing systems. But once the job is completed, they’re off to the next one and you may never see them again.

How can smaller integrators differentiate to better compete?
A commitment to service is the local integrator’s greatest strength. Through continuing education of its technical staff and building working relationships with clients, a local integrator can react quickly and see the big picture of their customers’ needs and requests. As the IT department begins to dominate the physical security industry, the local integrator can help be a bridge between the security professionals and the sometimes frustrating “smartest man in the room” syndrome of the IT staff. Most integrators have a great respect for the current and former local and national law enforcement professionals we work with every day. Their knowledge of where and why a camera is placed and how to implement the concentric rings of security, lighting control and placement is invaluable. The human element of security beyond pure technology is something that some IT professionals do not always grasp. Integrators can successfully bridge that gap when they strive to clearly communicate with both departments.

What is the Solution Development Process With a Full Service Systems Integrator?

Risk Assessment. Your integrator should be able to assist or guide you in this first step toward development of a security solution. The industry standard for this is the ASIS 7-step general security risk assessment guideline. The guideline defines a process which starts with identification of assets and risk events and ends with a solution cost benefit analysis. Properly done the end product is not only the security you want and need but a documented rationale for the investment.

Financial Options. Similar to many internal enterprise processes, the best electronic security solution is sometimes planned to be phased in over time to give the client the best possible security function progressively. Nonetheless, a full service integrator enables you to tailor acquisition of enhanced security in a manner which meets your needs. As an example, reasonably priced capital leases can push the cash flow impact of security into outer years. Due to current accelerated tax depreciation in effect, these leases can in some instances reduce the net cost below that of an outright purchase. If a full service integrator has the internal resources – service fleet, repair department, stocked inventory, etc. – to maintain their installed systems, they may also offer and administer operational lease programs for the security solutions they provide. These leases differ from capital leases in that ownership of the physical security equipment is retained by the service provider, yet the site installation and its sustained operability is available for a monthly service fee.

Design. The functional design should clearly define for the end user the extent of the solution’s protection. It may involve multiple technologies for the most effective solution. Minimizing the burden placed on general staff to maintain security and respond to emergencies should typically be a demonstrable objective.
Value driven component selection may require a number of different supplier sources. Exterior components will be weatherproof, interior components will be vandal and wear resistant as needed. System operation will be well protected from the dangers of tampering, surges, electrical strikes, etc. as well as single points of failure if possible. A good design will not dead-end the customer but position the delivered security solution for adaptation to meet anticipated future needs. Good designs may even enhance as well as protect enterprise and site operations.
Installation & Commissioning. The installation should conform to and even exceed state and federal regulations and guidelines and be performed by licensed personnel as required. The installation should be safe for all onsite, reflect excellent workmanship and conduct should be courteous and respectful to all involved. System configuration should be performed by individuals with good system knowledge. The end user training should be complete enough to address at least typical daily tasks and provide them the resources they need to reinforce the training and administer further if required. This is most likely provided by a resource positioned to be a partner in meeting your security needs.
System Maintenance and Service. The overarching goal is to maintain the operability of your security solution with the same effectiveness experienced as it was commissioned. But electronics degrade and fail and sites often continuously require system tweaks as they grow. A good service program will make available to you certified service personnel as well as standard and emergency response times you can depend on. The best providers will often maintain stock for repair and loan and even have in house bench repair capability for rapid, cost effective turn around. And if you have outgrown your security systems or they are generally showing their age a good provider can offer mid-life upgrades and/or ‘system refreshes’ which progressively secure your operations and people.

Enterprise Security is Not A Commodity.
Why is enterprise physical electronic security more than just a commodity to be procured? Because the security risks are multiple, varied and changing. Some which occur infrequently are the most potentially damaging. An outside perspective developed from meeting a variety of client needs can help prioritize. The current solution state of the art is technical, multidisciplinary and rapidly evolving. There is not a consumer protected design-bid-build process which guarantees success. Only a subset of security industry service providers are equipped and positioned to reliably assist you from needs development through to system maintenance.

Trust your selected System Integrator or Solution Service Provider.
A System Integrator who really works on different systems from different brands knows which OEM has good service support. No single integrator is expert in every product. The System Integrator serves the customer; the OEM will not provide service.


Tips to choose Best System Integrator in India
·         Choose a systems integrator who has a list of successful projects with appreciation letter from customer. Check references, talk to their clients and take reviews. Find out for how long they have been in the field.
·         System Integrator should have long-term relationship and close ties with the leading OEMs. These relationships allow an integrator to keep up to date on new technologies, get the best prices, and provide you with the most complete support network available. The best integrators focus on customer needs and build solutions using best of breed technologies. They should have a broad range of products they have worked with and enough staff to handle different areas of the project.
·         The integrator should prove that they understand your requirements. Take quotes from multiple System Integrators. Be especially careful if you get a lower price than expected or than others have quoted. Make sure the system integrator doesn’t overcommit during negotiations.
·         System Integrator should have specialized expertise and that can be applied to create an architecture that ensures security, flexibility, and scalability to meet your IT service availability demands. Focus on their knowledge, techniques and skills. Make sure they have full knowledge of system engineering, as well as sufficient experience to handle your project.
·         If you don’t have in-house expertise for making the integrator selection, consider hiring a third-party technical consultant to establish selection criteria and/or participate in the review process. Get involved at the zero level in the planning, simulation, detailed layout, software handling techniques and maintenance requirements as much as you possibly can in order to get the biggest possible benefits. On this point the writer of this article can help; you may connect with him.
·         Keep up-to-date milestone records during the course of the project. If you have to replace an integrator, refer to the specification and decide on a fair settlement covering payment for all completed deliverables. System Integrator should have a knowledge transfer process in place. This ensures you have the time and resources necessary to ensure your team understands the work product and can continue on – independently and successfully.
·         Look for an integrator that listens to your needs, communicates well, and provides customized solutions for your business.
·         Select an integrator that has a large, experienced engineering core with a holistic understanding of your entire ELV ecosystem. This will facilitate better design, deployment and support.
·         The System Integrator should have 2/3 team members who hold membership in bodies of their own technology field, such as ASIS International, SIA (Security Industry Association), FSAI, National Safety Council.


Saturday, August 24, 2019

SSA Integrate - Fire alarms and BAS

The integration of Building Automation System and fire alarm systems can result in overall reduction in equipment, installation, and maintenance costs while still maintaining the level of safety required for these systems to operate. 

With the advent of smart building technology, heating, cooling, electrical, lighting, security, and other systems need monitoring and intercommunication for optimized efficiency and operation. With sophistication comes the need for a building automation system (BAS) to allow for nearly seamless operation of these various interrelated pieces of equipment.
When the fire alarm system takes control of equipment that is not a listed component of the fire alarm control unit, the fire alarm system must either override the natural operating mode of the building equipment or pass off that command via a simple switch or data communications to the building mechanical systems. Likewise, each manufacturer’s BAS has its own protocol for monitoring conditions and communicating operational commands to maintain the proper building environment and efficiency. There are also standard open communication protocols such as LonTalk and BACnet that can be used to communicate with a multitude of equipment from various manufacturers in order to achieve an integrated building system. 
The communication protocol for a fire alarm control unit to communicate to and from its indicating (input), initiating (output), and sometimes notification appliances is typically an analog or digital communications signal carried over what is referred to as a signaling line circuit (SLC). Because communications signals are typically proprietary protocol, each SLC is dedicated to a specific manufacturer’s equipment and cannot include connection of incompatible devices that use a different signal protocol.
Therefore, in order to integrate system alarm and control functions with the BAS in a manner other than relay logic, fire alarm system manufacturers had to also design and support the open communication protocols used for building automation, in a manner that would not compromise the integrity or the operation of the fire alarm system. This process of sharing information between both fire alarm and BAS came to be known as bridging, or open gateway processing. Because of the strict code and listing requirements of fire alarm systems, much of this communication has been primarily limited to one-way communication. However, some manufacturers of both fire alarm and BAS do produce equipment such as gateways that are listed for bi-directional communication with their equipment. 
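The one-way rule described above can be written down as a default-deny policy and run over captured gateway traffic. The following is an added sketch, not code from any gateway vendor or from this article's sources: the service names are standard BACnet services, while the direction labels, object names and sample traffic are constructed assumptions, and only requests (not acknowledgements) are modelled.

```python
from dataclasses import dataclass

# Direction labels are assumptions made for this sketch.
FIRE_TO_BAS = "fire->bas"
BAS_TO_FIRE = "bas->fire"

# Standard BACnet service names. Grouping them like this is the example's
# own policy, not taken from a product listing or a vendor manual.
NOTIFY_SERVICES = frozenset({
    "ConfirmedCOVNotification", "UnconfirmedCOVNotification",
    "ConfirmedEventNotification", "UnconfirmedEventNotification", "I-Am",
})
READ_SERVICES = frozenset({"ReadProperty", "ReadPropertyMultiple", "Who-Is"})
WRITE_SERVICES = frozenset({"WriteProperty", "WritePropertyMultiple"})


@dataclass(frozen=True)
class GatewayMessage:
    direction: str      # which side originated the request
    service: str        # BACnet service name
    target: str = ""    # object the request addresses (constructed names)


def decide(msg, writable_objects=frozenset()):
    """Return (allowed, reason) for one request crossing the gateway.

    writable_objects is empty for a one-way gateway. For a gateway listed
    for bi-directional communication it holds the only objects the BAS
    side may write to; everything else stays denied.
    """
    if msg.direction == FIRE_TO_BAS:
        if msg.service in NOTIFY_SERVICES:
            return True, "status notification to BAS"
        return False, "unexpected service from fire alarm side"
    if msg.direction == BAS_TO_FIRE:
        if msg.service in READ_SERVICES:
            return True, "read-only request"
        if msg.service in WRITE_SERVICES:
            if msg.target in writable_objects:
                return True, "write to allow-listed object"
            return False, "write toward fire alarm side"
        return False, "service not on allow-list"
    return False, "unknown direction"


def audit(messages, writable_objects=frozenset()):
    """Return the (message, reason) pairs the policy would have denied."""
    denied = []
    for msg in messages:
        allowed, reason = decide(msg, writable_objects)
        if not allowed:
            denied.append((msg, reason))
    return denied


# Constructed sample traffic: a damper end-switch status update, a BAS read,
# a BAS write to a fire alarm output and a device restart request.
SAMPLE_TRAFFIC = [
    GatewayMessage(FIRE_TO_BAS, "UnconfirmedCOVNotification", "binary-input:101"),
    GatewayMessage(BAS_TO_FIRE, "ReadProperty", "binary-input:101"),
    GatewayMessage(BAS_TO_FIRE, "WriteProperty", "binary-output:7"),
    GatewayMessage(BAS_TO_FIRE, "ReinitializeDevice", "device:1"),
]

if __name__ == "__main__":
    for msg, reason in audit(SAMPLE_TRAFFIC):
        print(f"DENY {msg.direction} {msg.service} {msg.target}: {reason}")
```

Any denied entry in a real capture is worth investigating, because it means something on the BAS network attempted to change state on the fire alarm side.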

Take the case of a building with separate building automation and fire alarm systems: When the building engineer receives a call from an occupant complaining about increased temperature or whistling air within the ductwork and finds that the fan is shut down or a damper is closed, the building engineer is more apt to call a controls contractor to investigate the problem before he calls the fire alarm service provider. Should the problem be related to an override of controls by the fire alarm systems, not only does the building engineer have to wait for the controls contractor to diagnose the problem, he also has to call the fire alarm contractor to come out and fix the problem. This process can take time to correct; meanwhile, building occupants are uncomfortable and inconvenienced.
Sometimes this can even lead to finger-pointing between the two service providers as to whose problem it really is. In this scenario, the fire alarm control of a fan or a damper is required to be ahead of the hand-off-auto switch for the power to the equipment so the inadvertent shutdown of the equipment does not inhibit the operation of the fire alarm feature. A failure of the fire alarm system control relay could shut down the fan or close the damper without an alarm being present on the fire alarm system or fault condition occurring on the fire alarm control unit. 

Because many components that affect air and smoke movement within a building are shared between HVAC and fire alarm systems, let’s take a step backward in the evolution of the building process. When building systems are being commissioned for proper operation by either an authority having jurisdiction (AHJ) or an independent third-party group, coordination must occur between multiple trades. At this point in the construction process, each trade is independently looking to complete its own scope of work and more often than not is under pressure to finish the specific scope in a designated timeframe. Sometimes this leaves a disconnect between the fire alarm and mechanical trades that results in disruption during start-up and commissioning. 

The integrated system approach allows for those individuals responsible for controlling air movement to be focused on proofing and balancing the mechanical system, while the fire alarm contractors focus on the detection and annunciation of the alarm events. Much in the same manner as referenced in the previous example, the problems can get resolved more expeditiously and the systems can be brought on-line. 

If we focus on the installation of a building management system (BMS) and a fire alarm system, we see many similarities. Both of these control systems are classified as low-voltage systems that communicate to their respective devices through an analog or digital signal. Their wiring methods and materials are similar, and often their respective equipment is located in the same general area and is performing the same basic functions with one significant difference: the fire alarm system uses individual point addressable monitor and control modules while the BAS uses digital input/output driver assemblies that communicate with different protocols.
Why is this important? Because the BAS still requires individual pairs of conductors to each point being controlled or monitored by the digital input/output module, resulting in more wire being needed and longer installation time.

When considering SSA system integration, the ability of the BAS to control a smoke control system operation falls under the auspices of the jurisdiction’s building code, often based on the model building codes. The IBC has been adopted by a large portion of the United States and is used in this article as an example. IBC Section 909 covers smoke control systems, the procedures for determining system parameters, the acceptable methods that may be used to accomplish smoke control, and the requirements to document the system’s actual performance. It recognizes that the smoke control system is a life safety system and must maintain the same high level of reliability required for any type of fire protection or fire alarm system.

Section 909 requires smoke control systems to be initiated by sprinkler system or smoke detection system operation, depending on the type of system being designed. It also requires systems providing control input or output to the mechanical smoke control systems to comply with Section 907 (Fire Alarm and Detection Systems) and NFPA 72: National Fire Alarm and Signaling Code, and states that such systems must be equipped with a control unit that complies with UL 864 and has to be listed as smoke control equipment.

Using a fire/smoke damper that is part of an engineered smoke control system complying with International Building Code Section 909 as an example, at each damper location we have a smoke detector for detection of smoke, an actuator that controls the opening and closing of the damper, and an end switch to provide positive confirmation of the damper open and closed position. Because the fire alarm system already needs to have circuitry to this location for individual smoke or duct smoke detectors, that same pair of wires can be used to monitor the open and closed position of the damper, essentially eliminating two pairs of wires back to the BAS controller. The position status signals of the damper can then be transmitted from the fire alarm system, through the gateway, and into the BAS along with the active alarm point information. This leaves the wiring to the actuator as the only BAS wiring needed at the damper location.
As another example, let’s use a stairway pressurization fan that is being controlled by a variable frequency drive (VFD). Typically, a VFD would be connected to the BAS via a digital signal while the fire alarm system would provide override of the VFD using dry contacts to stop it or put it into a smoke mode condition. Allowing the BAS to perform all of the control functions permits the adjustment of the fan speed through the BAS to regulate for atmospheric conditions by employing other equipment connected to the BAS, such as digital differential pressure sensors. Using the BAS solely for control eliminates any connection to the fire alarm system, with the activation commands being sent through the gateway.

Taking advantage of the aforementioned efficiencies gained by integrating the BAS with the fire alarm system requires planning in the design process. This planning process is the same whether it is a design build or a design assist type of project delivery. The building owner and operator must be involved in the process of establishing the design criteria or at the least have influence over it. In a typical design build or design assist process, the integration of these two systems is an afterthought and often never considered. The end user must be made to understand that the efficiencies gained by integration will pay dividends long into the lifecycle of the building.

Integrated systems require enough time to test and to verify that the system interoperability is functioning properly. It is important that the engineer as well as the installing contractor and the equipment vendors understand the impact of these requirements on providing an approved and code compliant installation. 
Due to the complexity of these systems and the required integration, testing must confirm that the functions and sequences work correctly under both automatic and manual modes.

The inspection and testing of integrated systems is usually exasperating and time-consuming, and often requires multiple rounds of retesting before all the deficiencies are corrected. This is often caused by all of these different systems being completed late in the schedule, leaving not enough time to “get the kinks out” prior to final testing. Anything that can expedite the commissioning process is beneficial to the overall project.

One of the advantages of using the BAS as an integrated part of the smoke control system is the system’s ability to modify operating conditions to accommodate actual ambient conditions through the use of VFDs. The design of smoke control systems is based on many variable conditions, including temperature, wind conditions, and the quality or “tightness” of the construction. These conditions tend to make testing and adjusting of the smoke control system difficult at best.

Integrating BAS can help minimize test stress by adjusting the fan speed of individual fans through programming. In a situation of excessive stair pressurization, the individual fan can be adjusted to limit its airflow to the stair, resulting in a lower level of pressure affecting door opening forces. Similarly, for individual zone smoke control system performance, the fan speed can be adjusted on a zone-by-zone basis, based on the fire alarm signal received by the BAS. 

The downside to this operation is that the BAS controls are typically located remotely to the fire alarm control panel and the firefighters’ smoke control panel, both of which normally reside in a fire command room. BAS controls and system components are usually located for the convenience of the building’s staff and HVAC equipment. Under test conditions, additional personnel may be required to monitor the BAS controls to make any required modifications. 

While modifying fan output for each smoke zone condition is a more expedient method to obtain approval, it also provides future opportunities to inappropriately change the settings, possibly making the system ineffective. Care must be taken to limit access to this programming and provide logging procedures to document when and why changes are made.
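One way to meet the access and logging requirement above is a change log that refuses unauthorized or unexplained setpoint changes and chains each entry to the previous one so later edits are detectable. This is an added sketch, not code from a BAS product; the role name, zone and fan labels, and sample values are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed role name; a real BAS would map this to its own user groups.
AUTHORIZED_ROLES = frozenset({"smoke_control_engineer"})
GENESIS = "0" * 64  # "previous hash" used for the first entry


def _digest(body, prev_hash):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class SetpointChangeLog:
    """Append-only record of smoke control fan speed changes."""

    def __init__(self):
        self.entries = []

    def record(self, user, role, zone, fan, old_pct, new_pct, reason, when=None):
        # Limit access: only the designated role may change smoke-mode settings.
        if role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {role!r} may not change smoke control setpoints")
        # Document why: an empty justification is rejected, not logged as blank.
        if not reason or not reason.strip():
            raise ValueError("a reason is required for every setpoint change")
        if not 0 <= new_pct <= 100:
            raise ValueError("fan speed must be between 0 and 100 percent")
        body = {
            "when": when or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "zone": zone,
            "fan": fan,
            "old_pct": old_pct,
            "new_pct": new_pct,
            "reason": reason.strip(),
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(body, prev=prev_hash, hash=_digest(body, prev_hash))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev_hash = GENESIS
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["prev"] != prev_hash or entry["hash"] != _digest(body, prev_hash):
                return index
            prev_hash = entry["hash"]
        return -1


if __name__ == "__main__":
    log = SetpointChangeLog()
    # Constructed sample change made during acceptance testing.
    log.record("a.engineer", "smoke_control_engineer", "Zone-3", "SF-3",
               80, 65, "Door opening force too high at stair 2")
    print("chain intact" if log.verify() == -1 else "chain broken")
```

The chain only detects edits made without recomputing it, so the latest hash should be copied somewhere the BAS operators cannot write, such as the commissioning record.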
Note: A fire condition is determined by the Fire Alarm Control Panel. The AHU will automatically shut down the whole system with its associated interlocks.

Question: How can the reliability of the fire alarm system be maintained while mixing data with other non-emergency inputs?
Answer: In reality, the fire alarm system reliability is unaffected by other integrated systems when using the BACnet protocol due to the required use of the gateway interface. The gateway keeps the other signals on the network from affecting the fire alarm system.

Question: Building automation systems are more and more residing on an owner's IT network. If a BACnet gateway is used to interface to the fire alarm system, instead of hardwired connections, this device would reside on the owner's network which is likely not UL listed. Have you come across this concern?
Answer: The BACnet gateway itself is required to be listed, but not the system. So the fire alarm system devices or zones would be connected to the listed gateway and then the other side of the gateway would be connected to the network allowing the objects to be transmitted to the BAS, for example. Once again we are still required to use the listed gateway as the interface but the balance of the non-fire alarm system equipment does not need to be listed for fire alarm use. Having said that there are changes proposed to NFPA 72-2019 that would allow direct connection to the Ethernet or a network under certain conditions. These proposed changes have not yet been officially adopted.

Question: Do you recommend integrating the building fire alarm system and the BAS in an office building that undergoes tenant fit-outs on a continuous basis?
Answer: With any system design in any building or occupancy, planning is imperative. Knowing beforehand that the occupancy is to be offices and knowing that tenant fit-outs occur on a regular basis, it is incumbent on the original system designer to include system changes and expansion in his or her design. Just because frequent changes to a system are expected does not preclude integrating all of the systems. It does require more coordination, and provided that happens the systems should remain reliable.

Question: Does OEO override designated and alternate recall operation?
Answer: No, just the opposite. All recall features (elevator lobby smoke detectors for example) would input to the OEO controller and it would relinquish OEO or those floors in recall.

Question: How would elevator shunt trip for a sprinkled hoistway or elevator equipment room operation work into the OEO sequence of operation?
Answer: As stated previously, when these types of operations occur during or prior to OEO, these operations would take priority over the OEO and all OEO for the affected elevators would cease and all signs and voice messages would revert to “Do Not Use The Elevators, Use The Stairs” operation. 

Question: How would the use of BACnet interface to emergency control systems, requiring supervision of control wiring, address this code requirement?

Answer: NFPA 72-2019 (and previous editions) require supervision to within 3 ft of the controlling device or no supervision if the device operation is fail-safe, meaning if the connection to the device is severed, the emergency device operates as required. The gateway could be determined as the connection to the controlling device and as long as that was within 3 ft of the controller it would be considered code-compliant. This is unlikely to happen and other design considerations will need to be considered to ensure that the performance of the emergency control system is code compliant. Given the many types of configurations, there can be no one definitive answer to the problem until the actual field condition is evaluated.

Tuesday, August 13, 2019

Cyber threat into Video Surveillance

Yes, we all know that the US has banned Hikvision and Dahua, and IPVM has covered the full story from time to time. Security systems are changing at an ever-increasing pace and are making more use of standard Information Technology (IT) products running over a Local Area Network (LAN) or Wide Area Network (WAN), e.g. across the Internet, where they can be remotely monitored and controlled. As a result of using Internet Protocol (IP), the opportunity has arisen for manufacturers to develop new generations of equipment from control panels, cameras, and door controllers, to fully integrated systems combining fire, access control, CCTV, intruder and building control systems. These “integrated” systems are often called security management systems as they bring together the management of all aspects of an organization’s security.
Closed-circuit television (CCTV) is a TV system in which signals are not publicly distributed, but are monitored, primarily for surveillance and security purposes. CCTV systems rely on strategic placement of cameras and observation of the camera’s input on monitors. As the cameras communicate with monitors and/or video recorders across private coaxial cable runs, or wireless communication links, they gain the designation “closed-circuit” to indicate that access to their content is limited to only those with authorisation to see it. First we need to understand a few things:

What is a network?

In simple terms, a network provides a means of communicating data between two or more computer-like devices. A network can be a LAN and can incorporate a Wireless element of networking (WLAN). Where the network has the need to communicate outside of a single LAN, a WAN is used. A WAN can connect LANs together to communicate with users and computers in other locations. The most well-known example of a WAN is the Internet.
Why use an IP network?
Traditionally, many security systems have been linked to remote monitoring centres using modem type devices connected to a telephone line to exchange information. Using a network introduces many benefits, for example a substantial financial saving compared to dial up solutions. Additionally, the use of a network can improve quality of information and the time required to connect and exchange information.

Digital formats are being chosen by many industries such as music, telephone (voice over IP networks), TV, photography etc. With so many industries making use of IP technology, networks have become extremely robust. As a result, the use of a network can make the exchange of information between a security system and a remote monitoring centre more efficient.
Internet Service Provider (ISP)
The connection between your premises and the monitoring location may use an ISP to provide the service. When choosing an ISP, you should endeavour to establish the level of service being offered. Additionally, it may be prudent to have a second ISP link. The connection between your premises and the ISP is perhaps the weaker link so if you do have concerns, you should investigate an alternate means of communication from your premises into the ISP, i.e. GPRS, GSM (mobile service providers).

Bandwidth
Bandwidth requirements (space on your network to operate) should be discussed with your IT manager. The bandwidth required to operate a CCTV system may be considerable. Your security system provider will be able to advise you on the bandwidth requirements. As a general guide, CCTV systems require considerable bandwidth to send video images over a network whereas access control, intruder alarm systems and visitor management systems that only send small amounts of data, do not require much bandwidth.

Company usage policies
You will also need to consider company policies relating to “what is allowed” to use an existing network. If the nature of your business dictates that the network shall only be used for specific applications, then this may immediately determine that a separate network must be installed for the security system.

SSA Integrate is now integrating existing security systems with IP security solutions, as the common backbone is now TCP/IP. The network of connected sensors, devices, and appliances commonly referred to as the Internet of Things (IoT) has completely changed the way business works. This is as true of the heavy hauling and freight industry as any other. At any moment, various players in the industry can get a sense of vehicle health, cargo safety, and whether or not any infrastructure is in need of repair.
Some products allow a mixture of analogue and digital security equipment to be combined, and this means that there is not always a need to move completely to an IP based system if an existing security system is in place.
The ‘hybrid’ approach is more common where two or more security sub systems are combined to create an integrated solution. The data in a hybrid system will usually come together at one or more PCs. Non-IP systems are often connected to a PC using a serial port, whereas IP systems will be connected over the network.

A cyber-attack at targeted points in a country or region’s network could leave it crippled, preventing people from receiving much-needed goods and services. Fortunately, it doesn’t have to be that way.
With cyberattacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked.
In October 2016, 600,000 internet connected cameras, DVRs, routers and other IoT devices were compromised and used to form a massive botnet to launch what was the largest Denial of Service (DoS) attack the internet had experienced to date.
In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response the NSA traced the attacker’s source and infiltrated their computer systems gaining access to their CCTV cameras from where they were able to observe the hackers’ comings and goings.

In the lead up to the 2017 US Presidential inauguration, 65 per cent of the recording servers for the city of Washington CCTV system were infected with ransomware. How did the attack take place? Whilst unknown, it most likely occurred by the same means as other common PC hacks such as infected USB keys, malicious web sites, or phishing attacks.
What was the impact? The system administrators had to wipe the infected systems and reinstall the video management system so it’s entirely possible a good deal of footage was lost, and the system was rendered inoperable for a time.
In May 2018, over 60 Canon cameras in Japan were hacked with “I’m Hacked. bye2” appearing in the camera display text. How did the attack take place? Simple. IP cameras were connected to the internet and were left on default credentials. It appears that the hackers logged into the cameras and changed the on-screen display. What was the impact? Other than the defacement of the camera displays and some reputational damage, there doesn’t seem to have been much impact from these attacks.

How did the attack take place? Yet again, devices were left connected to the internet and were left on default credentials. In this case, the attackers developed software that scoured the internet searching for vulnerable devices, which they then took control of using their own malicious software.

What lessons can we learn from these attacks?
Don’t connect your devices directly to the Internet. If you need to have a camera or CCTV system be remotely accessible, port forwarding all inbound traffic to your system is just asking to be attacked. Use a VPN, use non-standard network ports, enable two-factor authentication, or use a remote access service. While these measures won’t guarantee your security, they will certainly make you less of a target for attackers that are scouring the internet for vulnerable systems.
Just because it connects to a bunch of cameras, doesn’t mean that your NVR isn’t a computer. All the cyber security advice that is applicable to traditional IT is just as applicable when said computer is used as part of a CCTV system.

On Aug 13, 2018, the US President signed the 2019 NDAA into law, banning the use of Dahua and HikVision (and their OEMs) for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national security' usage.
The US government is effectively blacklisting Dahua and HikVision products, which will have a severe branding and, consequently, purchasing impact. Many buyers will be concerned about:
·         What security risks those products pose for them
·         What problems might occur if they want to integrate with public / government systems
·         What future legislation at the state or local level might ban usage of such systems

On Jun 06, 2019, Hanwha Techwin is dropping Huawei HiSilicon from all of their products. It is of Chinese origin. Backdoor entry is open on the product.

The tightening noose around Chinese technology firms is driven by the Trump administration’s view that China poses an economic, technological and political threat, a stance that country is likely to retaliate against. The two companies prompted concern that they could be employed in espionage, according to people familiar with the matter. Last week, the administration banned Huawei Technologies Co. from purchasing American technology amid similar suspicions of spying capabilities and Chinese laws that could require home-grown firms to hand over information if asked.

Hikvision, which is controlled by the Chinese government, and Dahua are leaders in the market for surveillance technology, with cameras that can produce sharp, full-color images in fog and near-total darkness. They also use artificial intelligence to power 3D people-counting cameras and facial recognition systems on a vast scale.

A Chinese firm whose subsidiary has been shortlisted to supply security cameras for the national capital is on a US watch list, with an advisory on threats, including remote hacking and potential backdoor access. 


Concerns have also been raised on the firm being owned by the Chinese government, adding a twist to the controversy over a Delhi government project to install 1.5 lakh CCTV cameras across the city.

Now the question is how to prevent malware attacks:
1.   Manage your router: Earlier this year, the FBI recommended that everyone reboot all home routers and small office routers. In a previous blog on the subject, Davis stated that “rebooting will disable the active malware called ‘VPN Filter’ which has infected hundreds of thousands of routers across the Internet, and it will help the FBI assess the extent of the infection.” While this was an isolated incident in time,
2.   Disable UPnP: UPnP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.
3.   Disable P2P: P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.
4.   Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.
5.   Disable Multicast: Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.
6.   Cameras connected to the POE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.
7.   Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of numbers to the device. Do not DMZ the device's IP address.
8.   Protect your computer from vulnerabilities: Clean up your computer by removing old software programs no longer in use, and make sure to install patches regularly. Updating firmware safeguards equipment by patching known vulnerabilities, often adds features, and sometimes improves system performance.
9.   Use firewalls and firebreaks (network segmentation): Place devices behind firewalls to protect them from untrusted networks, such as the Internet. And, use network segmentation—splitting a network into separate networks that are isolated, not connected—so a compromise in one part of the network won’t compromise the other (i.e. human resources and finance). This works much like a firebreak, which is a strip of land in a wooded area or forest where the trees have been removed to prevent a fire from spreading.
10. The network your NVR and IP cameras reside on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.
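
Items 2, 7 and 10 of the list above can be checked mechanically against a router's forwarding table and the site's address plan. The following is an added example, not part of the original post; the rule fields, names, addresses and the 10-port threshold are constructed assumptions, not any vendor's export format.

```python
import ipaddress

# Constructed sample data (assumed field names, documentation-style addresses).
NETWORKS = {"cameras": "10.20.0.0/24", "guest_wifi": "10.20.0.0/23",
            "office": "192.168.1.0/24"}
DMZ_HOST = "10.20.0.10"
RULES = [
    {"name": "nvr-web", "ext_ports": (8443, 8443), "dest": "10.20.0.10", "origin": "manual"},
    {"name": "nvr-all", "ext_ports": (1024, 65535), "dest": "10.20.0.10", "origin": "manual"},
    {"name": "cam-auto", "ext_ports": (8000, 8000), "dest": "10.20.0.31", "origin": "upnp"},
    {"name": "printer", "ext_ports": (9100, 9100), "dest": "192.168.1.40", "origin": "manual"},
]

def audit_forwarding(rules, dmz_host, camera_net, max_ports=10):
    """Flag exposure of devices on the camera network (items 2 and 7)."""
    cam = ipaddress.ip_network(camera_net)
    findings = []
    # Item 7: a DMZ entry forwards every inbound port to the device.
    if dmz_host and ipaddress.ip_address(dmz_host) in cam:
        findings.append(("dmz", dmz_host))
    for rule in rules:
        if ipaddress.ip_address(rule["dest"]) not in cam:
            continue  # only rules that land on the security network matter here
        low, high = rule["ext_ports"]
        # Item 7: forward single ports, not a huge range.
        if high - low + 1 > max_ports:
            findings.append(("wide-range", rule["name"]))
        # Item 2: a mapping the device opened for itself through UPnP.
        if rule["origin"] == "upnp":
            findings.append(("upnp-mapping", rule["name"]))
    return findings

def audit_segmentation(networks, camera_key="cameras"):
    """Item 10: list networks whose address space overlaps the camera network."""
    cam = ipaddress.ip_network(networks[camera_key])
    return [name for name, cidr in networks.items()
            if name != camera_key and ipaddress.ip_network(cidr).overlaps(cam)]

if __name__ == "__main__":
    for finding in audit_forwarding(RULES, DMZ_HOST, NETWORKS["cameras"]):
        print("forwarding:", finding)
    for name in audit_segmentation(NETWORKS):
        print("segmentation: cameras share address space with", name)
```

Overlapping address space is only one sign of missing segmentation; two distinct subnets routed to each other without a firewall rule between them need a separate check.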


Some Protection Protocols:

Cyber security procedures for video surveillance devices across the threat spectrum require certain protection protocols.

Weaponizing IP Cameras (Threat High)

Most IP cameras today are manufactured with an open operating system, or basic kernel, that gives no real consideration to data or cybersecurity. For years, people have asked about the security of the video that their system produces; now, people are asking if their IP camera system can be used against them.
Think of an IT administrator who has worked diligently to secure a network, servers and mobile devices, and who then finds out that the 200 recently installed IP cameras on the edge of that network are vulnerable to rootkits and can be weaponized and used as attack platforms against their own network – and there is no way to monitor them.

This may seem far-fetched, but in Sept. 2016, 1.5 million IP cameras, DVRs and L3 network devices were hijacked in the largest DDoS attack ever seen. So what are the fundamental considerations that an organization needs to take into account before placing an IP camera on their network?

Protection Protocol:

·         The operating system (OS) on a video device should be a closed OS that runs in limited memory space.
·         Nothing should be able to be written to the device itself with the exception of digitally signed firmware. If the device has the ability to run third-party apps, it can be weaponized.
·         Common ports should be disabled by default. From a vulnerability and pen testing perspective, the more ports that are open, the more opportunity there is to leverage a device or the services on that device.
·         Video devices should utilize HSTS (HTTP Strict Transport Security) if you are going to implement end-to-end security. This protocol helps protect against protocol downgrade attacks and cookie hijacking, and forces an HTTPS connection to the device.
·         Consider devices with a built-in “firewall” to prevent dictionary attacks from Botnets.
·         Monitor user accounts and access to the video devices. Most IP cameras are installed with the default user name and password, and if installed on an accessible network, a connection can be established from anywhere in the world. Devices should have a force password feature that also adheres to password policies, such as length and complexity.
·         Monitor a device’s chain of custody. The vendor should have a secure chain of custody during the manufacturing process all the way through to the final sale. If they are not manufactured in a controlled environment, video devices can be tampered with at any time prior to being sold to the customer.
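
The points above about dictionary attacks from botnets and about monitoring access to video devices translate into a simple detection over login records. The following is an added example, not part of the original post; the log format, device names and addresses are constructed, and the threshold of 5 failures in 60 seconds is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines; the format is an assumption, not any vendor's.
LOG = """\
2019-08-13T02:10:01 cam-lobby FAIL user=admin src=203.0.113.7
2019-08-13T02:10:03 cam-lobby FAIL user=root src=203.0.113.7
2019-08-13T02:10:05 cam-lobby FAIL user=service src=203.0.113.7
2019-08-13T02:10:06 nvr-01 FAIL user=operator src=10.20.0.5
2019-08-13T02:10:07 cam-lobby FAIL user=admin src=203.0.113.7
2019-08-13T02:10:09 cam-lobby FAIL user=admin src=203.0.113.7
2019-08-13T02:10:12 nvr-01 OK user=operator src=10.20.0.5
2019-08-13T02:10:13 cam-lobby OK user=admin src=203.0.113.7
2019-08-13T02:15:00 cam-dock FAIL user=admin src=198.51.100.9
2019-08-13T02:25:00 cam-dock FAIL user=admin src=198.51.100.9
""".splitlines()

def parse(line):
    """Split one record into (timestamp, device, result, user, source)."""
    ts, device, result, user, src = line.split()
    return (datetime.fromisoformat(ts), device, result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on bursts of failed logins and on a success that follows one."""
    failures = defaultdict(deque)  # (source, device) -> recent failure times
    tripped = set()                # pairs that already reached the threshold
    alerts = []
    for line in lines:
        ts, device, result, user, src = parse(line)
        key = (src, device)
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and key not in tripped:
                tripped.add(key)
                alerts.append(("dictionary-attack", src, device))
        elif result == "OK" and key in tripped:
            # A guess succeeded: treat the account as compromised.
            alerts.append(("login-after-threshold", src, device, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The operator's single mistyped password raises nothing, and neither does the slow source at 198.51.100.9; catching low-rate guessing needs a second counter over a much longer window.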

Attacking Servers and NVRs (Threat High)

Most VMS servers and NVRs reside on either a Windows operating system or some flavor of Linux. There is an illusion of security that most of us have with regards to OS security, but just take a look at an OS vulnerability chart and that illusion will quickly disappear.
A base unpatched Windows Server 2012 OS has 36 vulnerabilities; a standard Linux distribution has 119. Most vulnerabilities that machines are subject to are the result of “add-ons” – such as Internet Explorer (242) and Chrome (124). While Windows Server is a more secure platform, it is also a bigger target due to its market share and utilization.

Protection Protocol:

·         As with any machine on a network, it is imperative that the most current updates and patches are applied to video system devices.
·         Ensure a VMS can work within your network policies and environment while a network firewall and anti-virus software are operational.
·         Use hardened password policies, restricted physical and network access, and disable USB ports.

Recorded Video (Data at Rest-Threat Medium)

The two primary purposes of any video system are to act as a deterrent and to be used as admissible evidence in a court of law, if needed. Technically, digital video falls under the scrutiny of the Federal Rules of Evidence (FRE) as it pertains to digital evidence, and authenticity affects admissibility.

Most NVR systems write video in a base file format such as *.AVI, *.G64, *.MKV. If the video drives are accessible via network share, they are subject to tampering.

Protection Protocol:
·         Video, if written in a readable format, should be encrypted to reduce accessibility and the possibility of tampering.
·         Video devices should use some form of hashing as a form of authenticity. Hashing provides the “Data Fixity” of a file and is a form of admissible evidence. Older forms of authenticity, such as watermarking, can be considered video tampering.
·         The VMS should also provide a way to protect original incident video for any undefined time beyond the system’s retention time in case of prolonged court cases.  
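
A fixity check for recorded clips on a share can look like the following added example, which is not part of the original post. It goes one step beyond plain hashing by sealing the list of SHA-256 digests with an HMAC, on the assumption that the key is kept off the recorder, so that someone who edits a clip cannot simply rewrite the stored hash; file names, contents and the key are constructed.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so large recordings never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def _seal(files, key):
    # Canonical JSON so the same entries always produce the same MAC.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(directory, key):
    """Record one digest per clip at export time and seal the whole list."""
    files = {name: sha256_file(os.path.join(directory, name))
             for name in sorted(os.listdir(directory))}
    return {"files": files, "hmac_sha256": _seal(files, key)}

def verify_manifest(manifest, directory, key):
    """Return {name: 'ok' | 'modified' | 'missing'}, or flag an altered manifest."""
    sealed = _seal(manifest["files"], key)
    if not hmac.compare_digest(sealed, manifest["hmac_sha256"]):
        return {"<manifest>": "altered"}
    status = {}
    for name, recorded in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            status[name] = "missing"
        elif sha256_file(path) != recorded:
            status[name] = "modified"
        else:
            status[name] = "ok"
    return status

def demo():
    key = b"constructed-demo-key"  # assumption: the real key lives off the recorder
    with tempfile.TemporaryDirectory() as d:
        for name, fill in (("cam01.mkv", b"A"), ("cam02.mkv", b"B"), ("cam03.mkv", b"C")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(fill * 4096)             # constructed stand-in for video data
        manifest = build_manifest(d, key)
        with open(os.path.join(d, "cam02.mkv"), "r+b") as f:
            f.seek(100)
            f.write(b"X")                        # simulate an edit made over the share
        os.remove(os.path.join(d, "cam03.mkv"))  # simulate a deleted clip
        status = verify_manifest(manifest, d, key)
        # Rewriting the stored digest to match the edited clip fails without the key.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["cam02.mkv"] = sha256_file(os.path.join(d, "cam02.mkv"))
        return status, verify_manifest(forged, d, key)

if __name__ == "__main__":
    print(demo())
```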

Playback and Export (Data in Use-Threat Medium)
The current biggest threat to recorded video is internal employees posting incident video footage to social media or leaking it to the press. The need to keep recorded video secure is paramount for many reasons. Unrestricted access to recorded video can cause several different types of issues, including legal and HR incidents. 

Protection Protocol:
·         Be sure your VMS provides granular privileges concerning the export, deletion and protection of recorded video.

Streaming Video (Data in Motion-Threat Low)
While the actual threat of streaming video being intercepted and used in some way is low, the knowledge that the data from a specific IP address is video can be used against you. From the aspect of network enumeration, an attacker now knows he has non-PC target(s) that he can try to leverage.

Protection Protocol:
·         Video devices should be able to utilize HTTPS communications, with certificates. This ensures secure end-to-end communications including control channels and video payload.
·         Video devices should be equipped with a Trusted Platform Module (TPM) to securely store certificates utilized in different secure network scenarios such as 802.1x and Public Key Infrastructure (PKI).
·         Your video devices should have features that provide the ability to disable certain protocols such as ICMP, Telnet, and FTP.

A Few Current Developments:





3. IPVM Report