Managing Data in a Hyper-connected World
The number of security cameras deployed in all kinds of situations around the world is constantly growing. Applications range from securing critical infrastructure to home security. The convergence of physical security and IT security, a clear trend in the industry, forces us to take a closer look at data security. We are beginning to realize that the benefits of connectivity, enjoyed without precautions, leave us vulnerable to cybercrime. At Intersec in Dubai, GIT SECURITY had the opportunity to discuss these aspects with Markus Wierny, Head of Product Management Firmware, Software and Storage at Bosch Security Systems.
GIT SECURITY: Are we becoming more vulnerable to cybercrime in this hyper-connected world and is there an effect on video surveillance?
Markus Wierny: Things have definitely changed with the move from classic analogue closed-circuit (CCTV) systems to integrated IP video surveillance systems. Everything is connected, integrated and part of an overall IT system, and yes, this has effects on video surveillance. If you look at the dark side, we need to recognize that even a single weak link in the surveillance set-up can jeopardize the entire system of a company or organization. Video surveillance systems are not at the center of hacking attacks yet, but the threat of malware infiltration, privilege misuse, intrusion of privacy and side-channel attacks is undeniable. The industry has already had serious security concerns about video surveillance systems with the Linux worm Darlloz, the Heartbleed bug in OpenSSL, the Shellshock (bash) bug and the Linux Ghost bug.
GIT SECURITY: How do you cope with these security threats?
Markus Wierny: Starting at the point of data capture, it is crucial for us to secure data as well as possible. A systematic approach is needed to ensure data is securely transmitted, stored and only accessible by authorized people. We see our role here as part of a global IT security infrastructure, and this is why we use proven standard IT security measures and technology like TLS/SSL encryption.
Several steps are necessary to be on the secure side. The first thing we suggest is assigning a password on every setup and not allowing default passwords. Then we need to make sure that the data is transmitted encrypted. We can handle this task with standard encryption methods like the Advanced Encryption Standard (AES-256) for video and control panels. This enables a secure connection to our own systems but also to third-party systems. Another step is to create trust when you connect devices or log on to systems. We assign each component an authentication key so that data exchange is possible only between trusted partners. Data is encrypted using cryptographic keys. These keys are known only to sender and receiver. Therefore data is protected even in case of a breach, because the (private) key is needed to decrypt the data. Another measure is that our cameras can only be updated with firmware that can be identified as an authentic Bosch (Bosch-signed) firmware file. The cryptographic keys are stored in the Trusted Platform Modules (TPM) of our systems and inside the Bosch IP cameras.
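The signed-firmware check described above, as an added example that is not Bosch's code or container format: the device pins the vendor's public key, verifies the signature over the whole image before flashing, and also refuses a correctly signed but older build. The image layout, the Ed25519 choice and the version field are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not a vendor format):
// magic(4) | version(4, big-endian) | payload | Ed25519 signature(64)
var magic = []byte("FWIM")

var ErrBadImage = errors.New("firmware image rejected")

// SignImage builds a signed image from a payload; this runs at the vendor, never on the camera.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is what the device does before flashing: check structure, check the
// signature under the pinned vendor public key, and refuse downgrades below current.
func VerifyImage(pub ed25519.PublicKey, current uint32, img []byte) ([]byte, error) {
	if len(img) < 8+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return nil, ErrBadImage
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadImage // unsigned, tampered, or signed by someone else
	}
	if binary.BigEndian.Uint32(body[4:8]) < current {
		return nil, ErrBadImage // valid signature but an older build: rollback attempt
	}
	return body[8:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; device pins pub
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, err := VerifyImage(pub, 5, img)
	fmt.Println("genuine image accepted:", err == nil)
	tampered := append([]byte{}, img...)
	tampered[10] ^= 0xff // flip one payload byte
	_, err = VerifyImage(pub, 5, tampered)
	fmt.Println("tampered image rejected:", errors.Is(err, ErrBadImage))
}
```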
GIT SECURITY: What are the next steps after ensuring a safe connection and encryption of data?
Markus Wierny: To secure data, it is crucial to administer user access rights properly, so that only authorized individuals get access to the data. To ensure easy management of user access rights we use IT industry standards and support third-party solutions for Public Key Infrastructure (PKI) and the management of user access rights. To protect core devices like servers, clients and storage devices we use onboard Trusted Platform Modules that store authentication rights and support Microsoft Active Directory. All devices get regular updates via security patches, and we have regularly passed NIST and penetration tests. For years already we have equipped our edge devices, cameras and encoders, with a Trusted Platform Module to make the systems even more secure.
GIT SECURITY: How does this protection of edge devices work?
Markus Wierny: Even our entry-level models have an onboard TPM. The TPM is a chip, like the ones used on SecureCards, that is embedded in our camera hardware and acts like a safe that stores and issues keys. The TPM automatically creates self-signed unique certificates and signing requests when required. Clients and servers also use certificates for authentication, and the system supports certificates with encrypted private keys; a Public Key Infrastructure can be loaded. A PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. We use state-of-the-art X.509 certificates with up to 2048-bit keys to ensure maximum compatibility and security.
GIT SECURITY: Do the protection measures you recommend for better security affect the integration of third-party devices and software?
Markus Wierny: If you want a very secure system you need to make sure all components are reliable when it comes to security. As I mentioned before, even a single weak link in the system can put the entire system at risk. This is why we disable “insecure” ports and protocols and the execution of third-party software by default and force all communication to be encrypted. Higher demands for data security will affect the choice of devices that you may want to integrate for a project. There are, for example, open camera platforms on the market that allow running third-party software on cameras and devices, but this opens a gate for hackers and we think the risk is higher than the possible benefit.
GIT SECURITY: Where do you see the biggest need for enhanced data security measures in the security industry?
Markus Wierny: We have seen strong demand in all verticals for about 18 months. Of course, clients in the governmental sector and in banking are extremely sensitive about this topic, but we have also talked to retailers who have had security breaches and fear data leakage. Critical infrastructure projects are most at risk, but even in home security applications you would not want to see videos taken from your living room distributed on the internet. We at Bosch do a lot to educate the various channels, like consultants and end customers, on that topic. We are also very active in ONVIF to include appropriate security measures in the upcoming ONVIF specification and new ONVIF profiles. Another action we took is to talk to our partners to help them develop more secure systems. When it comes to data storage, for example, the secure chain often stops and non-encrypted data is stored. Of course data centers and data storage are often physically secured, but you cannot exclude the possibility of video data theft. This is why we develop our own solutions and systems together with partners like Genetec that store encrypted data to minimize this risk.