Blue Line

Features
Cybersecurity at the forefront


April 5, 2021
By Gavin Daly
Credit: Axis Communications

The use of surveillance solutions is growing in law enforcement as departments tap into the vast amounts of data these devices create. The increased reliance on connected systems allows law enforcement personnel to observe relationships between suspects and victims, view someone’s proximity to a crime, assess a potential escalation before something tragic happens and listen or review recordings of incriminating comments.

“Like all effective security, cybersecurity is about the depth of your defence.”

This information is collected, stored and retained through the Internet of Things (IoT) for indefinite periods of time to help police in their jobs. With our increased reliance on connected systems, it’s essential that officers work with other professionals to implement security policies that harden all surveillance systems and protect the data being captured.

Hackers are becoming increasingly clever, finding new ways into IoT devices. If there’s an Internet Protocol (IP) end point, like an IP surveillance camera, speaker/audio system, radar or access control unit and it’s running on an unsecured network, it is susceptible to cyberattacks. According to IBM, the more connected we are, the more data breaches we have. With the global average cost of a breach in 2020 totaling US $3.86 million.

Advertisment

Data security management

Security management in law enforcement is about the implementation and ongoing maintenance of fortified cybersecurity policies and technologies. These range from the most simplistic approaches, like not allowing devices to run at factory default settings, to more complex strategies such as fully encrypting traffic between the surveillance edge devices and the rest of the network.

Tools that strengthen cybersecurity measures are key in implementing policies
quickly and easily. Being able to patch firmware, change passwords, push out HTTPS certificates, for example, historically took a lot of time and manual configuration. New tools have allowed us to implement these important changes quickly and easily, with less human effort while minimizing any potential downtime. It starts with having surveillance products that have built-in protection by design (not included as an after thought).

Prevent vulnerabilities by hardening systems

Law enforcement surveillance technologies are not that much different than the systems large private entities use to protect assets, but there may be different
levels of risk to a law enforcement agency. Police agencies may have databases that serve the department in a large region and at a national level. This could make them a high value target for ransomware and a portal to access personal identifiable information of the public, employees and the police department. Access to this information could have a series of troublesome implications. Technologies like HTTPS, 802.1X, signed firmware and secure boot can assist (if implemented correctly) to mitigate the risk of a vulnerability or exploit being taken advantage of through the security system. Ideally, these technologies are implemented across the system, not solely on the edge of security devices.

Vulnerability management comes down to risk. The question is not if a product will have a vulnerability but rather, what the potential risk of that vulnerability is to the system, the company or the people. A discovered vulnerability
doesn’t automatically mean an organization is at risk. A risk threat/risk analysis should be performed. Look at the surveillance vendors security advisory for that vulnerability and check the CVE (Common Vulnerabilities and Exposure) database where there is a scoring system to be sure. Major vulnerabilities that are high risk are typically patched quickly by the vendor and fixes applied by firmware updates. Minor low scoring vulnerabilities may not likely be patched if they are considered low or very low risk.

Collaborate for better results

Now more than ever, various organizations and departments within law enforcement need to collaborate. Education and knowledge sharing are key. The primary departments are IT and cyber teams working with those that are responsible for electronic and physical security.

However, a good cyber policy is not solely an IT function and needs to be effectively communicated to all departments and organizations. It’s about similar organizations, like police departments at municipal and federal levels, collaborating and sharing knowledge with each other on best practices. All employees, from frontline workers to C-Suite executives, should be onboard to foster the importance of a good cybersecurity program.

They can do this by working closely with surveillance vendors in terms of education and understanding industry best practices. For example, a manufacturer developing software and firmware may collaborate with other software developing organizations using BSIMM (Building Security in Maturity Model) best practices around code reviews and testing to know which vulnerabilities are conducted. Sharing the results and being able to implement changes to correct them is how we improve.

Wearable tech can be manipulated

Cyber protection is no different for wearable surveillance. Law enforcement should look to vendors that provide a wearable tech solution versus flashy products. Take a body worn camera for example. Video needs to be encrypted end-to-end using industry standards such as TLS and AES256. Video should be watermarked and should be integrated with a case management system for continuity of evidence, tracking and auditing purposes. Using an end-to-end system that provides this will drastically minimize the likelihood of technology being compromised by a hacker or accidentally misused by an opportunistic threat actor. Only very specific users within an organization, whom have the necessary hardware/applications and permissions, should have access to the stored video.

Three layers of cyber protection

In the end, effective cybersecurity is about assessing risks and consequences and taking appropriate steps through a three-layer approach: 1. security management, 2. vulnerability management, 3. learning and collaboration among the departments, organizations and vendors and or manufacturers.

It’s about products, people, technology and ongoing processes. One of the biggest oversights made is not considering these three factors together. Like all effective security, cybersecurity is about the depth of your defence. It’s about appropriately protecting your IP camera network at every level.


Gavin Daly is the architect and engineering manager at Axis Communications. He provides technical expertise and personalized advice for both internal and external customers.