THE ADOPTION OF ZERO TRUST WITHIN THE VIDEO SURVEILLANCE INDUSTRY
Zero Trust is an accepted concept within the IT industry and is now also slowly moving into the physical security domain. One reason for this development is the convergence of IT security and physical security. Hikvision, an IoT manufacturer with a focus on video surveillance, recognizes this convergence and views cybersecurity as an absolute imperative for its business. Hikvision strives toward a fully visible ecosystem by maintaining transparency about Secure-by-Design production processes, regularly executing internal and external penetration testing, reviewing the supply chain consistently, and monitoring all software/hardware development processes of all products. Cooperation with suppliers and partners is essential for achieving the required visibility and transparency.
HOW TO DEPLOY ZERO TRUST ACROSS VIDEO SURVEILLANCE IN FOUR STEPS As mentioned before, the adoption of the Zero Trust concept within the video surveillance industry is fairly new worldwide. Here are four steps that show how Zero Trust can be deployed pragmatically within the video surveillance industry.
- Know your business
• Start by listing how a video surveillance system will help the organization
• Think of how the video surveillance system may interface with other business and systems in the organization
• Try to list all stakeholders and how they may use or interact with the video surveillance system
• Think of all the risks associated with the video surveillance system and the severity, then think of ways to mitigate the risks
- Design a secure network
• Group video surveillance equipment in a segmented network environment, isolated from the organization’s other systems (payroll, accounting, HR, CRM, R&D, etc.)
• Define possible groups of users who may access the video surveillance system • Define the location and time for each group of users to access the video surveillance system
- Implement a secure network
• Place all video surveillance equipment in a dedicated and segmented network behind a router and a firewall
• Define deny-all-IP-and-Port in the firewall ruleset, and then open only the local IP addresses and ports that need to access the video surveillance system. Also, open IP addresses and ports of other systems that need to interface with the video surveillance system • Use a VPN-capable router or firewall for remote access to the video surveillance system
• Institute multi-factor authentication for remote access and cross-system access
• Implement a network monitoring system and/or IDS/IPS system to set up alerts if the video surveillance system is not accessed at a pre-determined period and location • Use switches and routers that restrict and monitor port usage for enhanced security
• Encrypt all storage data 4. Configure a secure video surveillance system • Configure 802.1x for video surveillance devices
• Configure and whitelist all IP addresses and MAC addresses that have the need to access the video surveillance system
• Enable HTTPS and restrict only TLS 1.2 or higher for transmission from/to video surveillance devices with enhanced encryption • Set illegal login attempts to lock up devices
• Disable SSH to prevent shell login to all video surveillance devices
EFFECTIVE ZERO TRUST WITHIN THE VIDEO SURVEILLANCE INDUSTRY
By following these four steps, Zero Trust can be deployed successfully within the video surveillance industry, resulting in the following:
• All users have been predefined and prescreened
• Users must use VPN to access video surveillance remotely
• Only predefined systems are allowed to interface with video surveillance
• Multi-factor authentication is required for remote access and cross-system access • No other network packets are allowed other than video surveillance (defined by firewall)
• Unusual logins are monitored and alerted
Does taking these steps to implement Zero Trust guarantee 100 percent security? The answer is no. Unfortunately, it is impossible to guarantee absolute security. But, Zero Trust will improve the overall cybersecurity significantly and provide all stakeholders within the IoT industry more visibility on what’s happening in their network, and more control over access, so that they can act accordingly amidst a growing threat environment. In this way, Zero Trust contributes to a more secure IoT world. As more organizations adopt Zero Trust principles, malicious actors will find it increasingly harder to conduct attacks and increasingly difficult to conduct malicious activity without being identified and remedied.