Security Technology Executive

SEP-OCT 2017


CONVERGENCE Q&A
By Ray Bernard PSP, CHS-III • Email: ConvergenceQA@go-rbc

Ray Bernard PSP, CHS-III, of Ray Bernard Consulting Services (RBCS; www.go-rbcs; 949-831-6788), a firm that provides security consulting services for public and private facilities. Member of the Content Expert Faculty of the Security Executive Council (www.Security-E). Follow Ray on Twitter: @RayBernardRBCS

Cyber Security Profiles for Physical Security Systems

Over the past year, news media have covered several major cyber attacks on Internet-connected video security cameras and recording systems. This has many corporate IT departments concerned about the vulnerabilities of networked electronic physical security systems, especially video camera systems.

Q: Our IT department asked if we have performed a cyber security assessment of our physical security systems and devices. How do we do that?

A: One approach is to tell them that you haven't, ask for their help in performing the assessment, and prepare to support them with system and product information.

About two months ago the Devil's Ivy security vulnerability (in the gSOAP toolkit) was announced. It impacts tens of millions of IoT devices, including security video cameras from Axis Communications, Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony, and Toshiba, as well as many off-brand cameras. The fact that highly reputable brand-name products are affected is changing the general thinking about physical security product and system vulnerabilities, especially within the IT departments that are responsible for the security of the networks to which camera systems are connected.

Cyber Security Assessment Preparation

Follow these steps to prepare to support IT in performing a cyber security assessment (they may have a slightly different name for it).

1) Bring your security system documentation up to date.

Collect these documents:

• Design Documents. System design documents and as-built drawings. Even better is to document your entire system using the System Surveyor tool, which from this point forward will simplify system management by providing near-instant access to system information, and will reduce design time for system revisions and expansions.

• System Architecture Documentation. A good systems architecture document will include one or more diagrams of system deployment options, and may also include the network port configurations required. For example, the Milestone Systems XProtect VMS System Architecture Document contains a "Ports used by the system" section.

• Installation Guides. Product and installation guides include installation and configuration requirements and should include network port configuration requirements. For example, Genetec's Security Center Installation and Upgrade Guide contains a "Default ports used by Security Center" section.

• Product and System Hardening Guides. The major security product and system brands have hardening guides or network security guidance documentation available on their websites.

• Vendor Security Assessment Questionnaires (VSAQs). For products and systems that will utilize or be exposed to an internet connection, ask their vendors to provide a completed VSAQ. If they don't have one, send them to the questionnaire from the Vendor Security Alliance.

Update or produce these documents:

• Security System Network Diagrams and Current Network Configuration. If the security systems reside on the corporate network, or on a network provided by IT, then IT can provide you with network diagrams and configuration information. If some or all of the networking was provided by a security systems integrator, network diagrams and network configuration information should be part of the as-built documentation. If not, you need to request it from your integrator.

• Protections in Place for Internet Connections. Typically, this would include router and firewall configurations established by the IT department or by the systems integrator. When provided through the IT department, protections include policy, guidelines, and requirements for acceptable computer, network and internet use. However, sometimes a security department obtains a dedicated security systems internet connection through telephone or cable services; document that connection and its protections as well.

• System and Device Hardening Steps Taken. Document the hardening advice you have applied, based upon manufacturer and design consultant recommendations.
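The documented port lists and the current network configuration described above are only useful to an assessment if they agree with what the systems actually expose. The following script is an added example (not from the column or any vendor) that reconciles a documented "ports used by the system" set against captured `ss -tuln` output from a host; the host name, port set and ss output are constructed sample data, and the VMS server is hypothetical.

```python
"""Reconcile documented network ports against what a host actually listens on.
Added example for the assessment-preparation steps above, not from the column
or any vendor; host name, port set and `ss -tuln` output are constructed."""
from __future__ import annotations
import re

# Ports as an installation guide's "ports used by the system" section would
# list them for one hypothetical VMS server (constructed sample data).
DOCUMENTED: dict[str, set[tuple[str, int]]] = {
    "vms-server-01": {("tcp", 80), ("tcp", 443), ("tcp", 554), ("udp", 3702)},
}
# Constructed sample of `ss -tuln` output captured on that server.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128    [::]:23             [::]:*
udp   UNCONN 0      0      0.0.0.0:3702        0.0.0.0:*
"""
_PORT_RE = re.compile(r":(\d+)$")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(text: str) -> dict[tuple[str, int], str]:
    """Return {(proto, port): local_address} for every socket in ss output."""
    sockets: dict[tuple[str, int], str] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        match = _PORT_RE.search(local)
        if not match:
            continue
        addr = local[: match.start()].strip("[]")  # "[::]:23" -> "::"
        sockets[(proto, int(match.group(1)))] = addr
    return sockets


def reconcile(host: str, ss_text: str) -> dict[str, list[tuple[str, int]]]:
    """Listeners the documentation omits, documented ports that are not open,
    and which of the undocumented listeners face the network (not loopback)."""
    listening = parse_ss(ss_text)
    documented = DOCUMENTED.get(host, set())
    undocumented = sorted(k for k in listening if k not in documented)
    missing = sorted(k for k in documented if k not in listening)
    exposed = [k for k in undocumented if listening[k] not in LOOPBACK]
    return {"undocumented": undocumented, "missing": missing, "exposed": exposed}
```

Each "exposed" entry is a network-facing service the documentation does not account for and is the first thing to raise with the integrator or vendor; each "missing" entry is a documented port that is closed and may indicate a configuration drift the documentation needs to reflect.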