Cyber Security has become increasingly important in the industrial sector, and the Video Surveillance System is no exception. A compromised Video Surveillance System can result in unauthorised access to sensitive data, data loss, operations disruption, and even physical harm to personnel or equipment. This can have severe consequences in industrial settings, where any disruption or damage to critical infrastructure can lead to significant financial losses and pose a threat to public safety.
While awareness of choosing the certified cameras, network equipment and servers and storage has increased, the certification and compliance standards followed by the Video Management Software (VMS) cannot be overlooked. VMS software is a critical component of security systems, providing the ability to manage and monitor video feeds from cameras across an organisation. However, VMS software is also vulnerable to cyber-attacks, as it is often connected to the internet or other networks, making it a potential target for hackers.
One example of a known attack that compromised a VMS is the 2019 cyber-attack on a Norwegian aluminum company, Norsk Hydro. The attack, which was carried out by hackers using ransomware, affected the company’s VMS, causing it to fail and leaving the company unable to monitor its facilities. This attack highlights the vulnerability of VMS software and the potential impact of a successful cyber-attack. In industries such as Oil & Gas, Power, Heavy Manufacturing, and Pharma, the consequences of a security breach can be severe, including production downtime, financial losses, and potential safety risks. As a result, it is essential that these industries use secure VMS software that is compliant with industry security standards, such as FIPS 140-2.
This is especially true in critical infrastructure sectors such as Power, Oil & Gas, Heavy Manufacturing, Pharma, Utilities, etc. where a cyber attack could have devastating consequences. VMS software is the central component of a video surveillance system and is responsible for managing video data, user access, and other security features. If the VMS is vulnerable to cyber attacks, it can compromise the entire system, regardless of how secure the cameras, storage, servers, and networks are. Therefore, it is important to select a VMS that has been certified as meeting relevant cybersecurity standards, such as FIPS 140-2, and that follows best practices for cybersecurity. This can help ensure that the video surveillance system is as secure as possible and can provide reliable and accurate data in the event of a security incident.
What is FIPS?
The standard known as “Security Requirements for Cryptographic Modules,” or FIPS (Federal Information Processing Standard) 140-2, lays out guidelines for which encryption and hashing algorithms can be utilised, as well as how encryption keys should be created and handled. These requirements are put in place to uphold the security of a cryptographic module. However, adhering to this standard alone does not guarantee the security of a specific module. The responsibility for ensuring that a cryptographic module offers adequate security and meets the owner’s standards for protected information lies with the operator of the module. Additionally, any remaining risk must be recognised and accepted. Compliance with FIPS 140-2 ensures that the VMS meets a high standard of security, which is particularly important in sensitive industries such as the power sector. A secure VMS is essential to prevent unauthorized access to critical infrastructure and ensure the safe and reliable operation of power plants and energy facilities.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, which are mandatory requirements for the reliability and security of the North American power grid require compliance with FIPS 140-2 for cryptographic modules used in the control and protection of critical cyber assets, such as those used in the VMS. Another example is the International Electrotechnical Commission (IEC) 62443 standard, which is a global cybersecurity standard for industrial control systems, including those used in the power sector. The standard includes requirements for secure communication protocols, access controls, and cryptography, with compliance with FIPS 140-2 being one of the recommended cryptographic controls. FIPS (Federal Information Processing Standard) compliant Video Management Software (VMS) should be made mandatory in industries such as Oil & Gas, Power, Heavy Manufacturing, Pharma, and others, as it provides a high level of security and protection against cyber-attacks.
What does FIPS compliant Video Management Software mean?
According to Arya Banerjee, Business Manager at Milestone, a globally leading provider of Video Management Solutions, “The use of FIPS compliant VMS is essential in industries such as Oil & Gas, Power, and others where security and safety are critical. By using FIPS compliant VMS, organisations can be assured that their security systems are using strong encryption algorithms and key management, providing high protection against cyber-attacks.”
• The VMS must use an approved cryptographic module that meets FIPS 140-2 requirements for encryption, hashing, and other security functions.
• The VMS must have a secure user authentication process, including password policies and access control mechanisms.
• The VMS must have a secure key management system for generating and protecting cryptographic keys used for encryption and decryption.
• The VMS must provide secure communication channels between the VMS and other components of the security system, such as cameras and recording devices.
• The VMS must have secure mechanisms for storing and transferring data, including video footage, logs, and configuration files.
• The VMS must provide audit logs and other monitoring features to detect and respond to security incidents.
• The VMS must have a documented security policy and procedures for installing, configuring, and operating the system.
• These requirements are designed to ensure that the VMS provides high security for video surveillance data and operations, protecting against unauthorized access, tampering, and other security threats. By using a FIPS-compliant VMS, organizations can be assured that their security systems meet industry-standard security requirements and provide high protection against cyber threats.
What may happen if Video Management Software is not compliant with FIPS?
The attacker may exploit a vulnerability in the VMS software that is not FIPS compliant, such as weak encryption algorithms or poor key management practices. They could intercept the data transmission between the VMS server and the camera, and use a network analyzer to decrypt the data since it is not using a FIPS-approved encryption algorithm. This would give them access to the video stream and possibly control the cameras.
The attacker could also exploit a vulnerability in the VMS server operating system or other components, such as unpatched software or weak passwords. They may use social engineering techniques to trick an authorized user into revealing their login credentials or use brute-force methods to guess weak passwords. Once they access the VMS server, they could exfiltrate sensitive data or plant malware to disrupt or disable the system.
Despite firewalls in place, the attacker could use a variety of tactics to bypass them, such as exploiting known vulnerabilities in the firewall software or using social engineering techniques to trick an authorised user into disabling the firewall or opening a port. Additionally, the attacker may use techniques like domain name system (DNS) tunnelling or port hopping to bypass firewall rules.
Shaunak Mody, Cyber Security Consultant and CEO at Trixter Cyber Solutions, said, “FIPS compliance is an important consideration for video surveillance projects, as it provides a recognized standard for security and can help mitigate the risks associated with cyber threats. And with many OEMs like Milestone, Genetec, Avigilon, Bosch, Pelco complying, soon FIPS compliance will be industry standard.”