In an article published by The Times, Nigel Inkster, former Director of Operations and Intelligence at MI6, raised concerns about the threat to national security through vulnerabilities in IP (Internet Protocol) connected CCTV systems including components manufactured in countries that have a reputation for state-sponsored espionage.

Whilst the integration of video surveillance with IP networks carries significant benefits – including offering potentially cheaper and easier installation, the ability to distribute video images more widely and the ease at which additional cameras can be added to the network at a later date – they are also potentially vulnerable to cyber attacks.

Unsecured cameras can become the weak link that provides hackers with an entry point to a network. From here, the risks to businesses may include: sabotage, such as disrupting operations, potentially leading to lost productivity and revenue; stolen personal data, such as financial or health information, potentially resulting in loss of customer trust, denigration of brand, and ultimately lost profits; stolen intellectual property or trade secrets, such as marketing plans or research and development data that could result in a loss of competitive advantage; extortion, where the company or individuals pay ransom to regain access to their system or data; regulatory action or negligence claims, such as penalties from a government agency or civil lawsuits.

Mitigating these risks must be a priority for each party involved in the supply chain. Manufacturers should ensure that accidental design or implementation errors are kept to a minimum and that systems are regularly scanned for vulnerabilities. They should be proficient in secure coding and testing procedures and should ensure that their products are capable of supporting the stringent controls necessary for secure network communication.

This may include end to end encryption with SHA-2 & TLS; encrypted database communication; system auditing, alerting and management; denial of service protection; restriction of ports, protocols and services; highly customisable user access and permissions and archive, failover and high availability.

Chairman of the BSIA’s CCTV section, Simon Adcock, comments: “Responsible installers and integrators will conduct a risk-based approach to any system design, taking into account the origin of the hardware in the design and whether this presents potential risk to the customer. Anyone who is designing a system or making decisions on behalf of an end user should be considering the security of the hardware they are installing, ensuring that it is robust and manufactured responsibly. Responsible installers will also ensure that the system they have installed is protected from cyber attacks by changing manufacturer’s default system credentials.

“Ultimately, an end user must take responsibility for the security of their network. When procuring an IP connected surveillance system, end users must use the services of a reputable installer / integrator that is fully committed to best practice. They should also ensure that they have comprehensive cyber security and information security policies in place” concludes Adcock.