By John Merlino, Business Development Manager, Government, Axis Communications, Inc.
According to Army LTG Alan R. Lynn, the director of the Defense Information Systems Agency (DISA), cyberattacks on government installations used to be a gentlemanly sport. Hackers would sniff around the systems, watch for a while, maybe take a little information and then quietly leave. Now the enemy is kicking in the doors and moving fast to snatch and grab everything they can.
Defending against this new type of cyberattack requires evolving ever more sophisticated strategies and programs to protect government surveillance systems and data. This battle to stay ahead of the cyber threat curve raises both technical challenges and ethical questions about the balance between sovereignty, national security and the right to privacy. These issues extend not only to the systems and data under government purview but also to those of their vendors and supply chain.
Which Layer is Most Vulnerable to Attack?
What should government worry about most – a potential breach into the entire eco-system via the video device/application or the unauthorized access to sensitive video data? It depends on who you ask and the value of the data and systems they’re using. End users such as the Chief Information Officer, field agents, intelligence officers and other functional users look at the situation from a different perspective than system integrators and hardware/software vendors. But in truth, the two layers are so intertwined that any security measures by necessity need to protect both. To successfully manage this holistic approach to cyber security, however, Physical Security Teams need to work closely with the Logical/IT Security Teams to understand each other’s policies and associated risks.
Hardening the Video Management System (VMS)
Many government IT departments treat the VMS as just another application on the network. They generally employ a standard operating procedure such as virtualization to harden the system. Creating virtual servers on existing machines provides isolated, independent environments in which to test new applications or operating systems without affecting other applications. Server virtualization also enables government agencies to employ redundancy – running the same application on multiple servers – without purchasing additional hardware. If a server fails for any reason another server running the same application can automatically take its place, which minimizes any interruption in service.
Another best practice IT departments commonly use is to deploy a static “build or image” on the server. This not only ensures consistent behavior throughout the entire eco-system, it also drastically reduces the time necessary to restore the solution in the event of system or user anomalies. Image-based backup captures a picture of the entire workstation or server and stores it as a unique point in time. If an agency needs to rebuild or virtualize a machine due to damage or disaster, it can quickly restore all of the files, applications and operating systems.
Another basic best practice organizations should adopt is the deployment of firewalls to keep destructive elements out of a network or specific computer. Firewalls can be configured in system devices or applications or both and contain specific criteria to block or prevent unauthorized access to a network.
Hardening the Eco-system from Edge to Core
The Internet of Things introduces yet another level of concern. With the proliferation of devices now connecting to the network – everything from desktops to thermostats to smart phones to video cameras – government agencies need a way to identify and manage these end points more securely to prevent network breaches through attacks on these seemingly innocuous devices.
One strategy is for government agencies to use certificates and encryption keys to authenticate devices on the network and securely manage transmissions to and from those endpoints. This automated verification process applies to video cameras, video management systems or any other IoT device and helps prevent ports from being hijacked or data from being stolen. These same authentication methods can be used to enhance the security of the entire eco-system.
For instance, agencies can employ certificates to validate not only the servers, applications and clients across the fabric of network devices, but also extend that certificate requirement to the storage components. In concept this sounds easy, but in practice this kind of reference architecture between systems and components requires a great deal of cooperation and development between agencies, suppliers, manufacturers, application layer developers, and integrators.
But when it comes to protecting the transmission and storage of the video data itself, IT departments have had to raise the bar. Often extremely valuable and sensitive, this information has become an appealing target for criminal hackers, cyber terrorists and unauthorized and perhaps disgruntled employees. Without proper safeguards, situations such as what happened with Edward Snowden, who leaked classified NSA data, might become more commonplace.
As a consequence of past incidents, many government and military facilities that capture operational video are required to receive, transmit and store this data in a highly secure manner – namely in an encrypted format. Legacy capabilities such as TLS/Transport Layer Security and SSL/Secure Sockets Layer are evolving into more contemporary standards-based approaches such as SRTP (Secure Real-time Transport Protocol). As the name implies, SRTP is intended to provide transport layer encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications.
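The message authentication and replay protection named above can be sketched as follows. This is an added example, not code from the article or from any SRTP library, and it covers only the receiver-side integrity and replay checks: it assumes a simplified 32-bit packet index in place of the RTP sequence number and rollover counter, and it omits payload encryption and key derivation. The key and packets are constructed samples.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10   # SRTP's default HMAC-SHA1 tag is truncated to 80 bits
WINDOW = 64    # minimum replay window size in RFC 3711

def protect(key: bytes, index: int, payload: bytes) -> bytes:
    """Sender: packet index + payload, followed by a truncated HMAC tag."""
    body = struct.pack("!I", index) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1   # highest index that passed authentication
        self.seen = 0       # bit i set => index (highest - i) already accepted

    def accept(self, packet: bytes) -> str:
        if len(packet) < 4 + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        index = struct.unpack("!I", body[:4])[0]
        offset = self.highest - index
        if offset >= WINDOW:
            return "too_old"
        if offset >= 0 and (self.seen >> offset) & 1:
            return "replay"
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad_tag"
        # Move the window only after the tag verifies, so forged packets
        # cannot push it forward and lock out genuine traffic.
        if offset < 0:
            self.seen = ((self.seen << -offset) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.seen |= 1 << offset
        return "ok"

def demo() -> list:
    key = b"constructed-demo-key"   # constructed sample key, not a real secret
    rx = Receiver(key)
    first, second = protect(key, 1, b"frame-1"), protect(key, 2, b"frame-2")
    forged = bytearray(protect(key, 3, b"frame-3"))
    forged[5] ^= 0xFF               # flip one payload byte in transit
    stream = [first, second, first, bytes(forged), protect(key, 3, b"frame-3"),
              protect(key, 100, b"frame-100"), second]
    return [rx.accept(p) for p in stream]
```

The rejected packets in the sample stream are a resent copy of an accepted packet, a packet altered in transit, and a packet that has fallen behind the 64-packet window.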
In some cases, encryption requirements are extending into the private sector as well to include companies that do business with government agencies. Whether protecting surveillance of operations such as critical infrastructures, tracking the movements of high-value personnel or recording other activity that may have significant value to various customers or their competitors, encryption shields the video data from unauthorized tampering and dissemination.
Hardening the Supply Chain and Vendor Management Systems
Another area of concern is the inadvertent – or deliberate – introduction of malware via the software and hardware systems of companies that do business with government agencies. The government regularly runs war game scenarios to determine the consequences to IT infrastructure, weapons systems and other mission critical platforms when infiltrated with malware, backdoors and other malicious code. Because these infiltrations could potentially enable our enemies to disrupt, deceive and possibly dismantle critical national defense systems and capabilities, government agencies are now enforcing rigorous and disciplined management policies and procedures across their supply chain and vendor eco-systems.
This requires that the government supply chain continuously monitor and validate the origins of components and final products and provide a sterile chain of custody. The guidelines can be found in the newly published DoD Instruction 4140.01, DoD Supply Chain Materiel Management Policy (http://www.dtic.mil/whs/directives/corres/pdf/414001p.pdf), which governs DoD Supply Chain Management. Another resource is the relatively current (February 2014) eleven-volume series of DoD manuals entitled DoD Manual 4140.01, DoD Supply Chain Materiel Management Procedures.
One of the ways that the Navy and other DoD services scrutinize non-government partner companies who furnish equipment to their agencies – especially mission critical systems – is to require documentation showing each component’s country of origin. IP video surveillance systems in many instances are included in this scrutiny. Any device or application operating on a Government network is subjected to rigorous Information Assurance/IA and Risk Management Framework/RMF policies. In addition to the components meeting these requirements, the applications, hardware and connected devices are vigorously scanned against all published “known vulnerabilities” to ensure that they are sufficiently hardened to operate on the network and have no previous history of being breached.
Issued by DISA on behalf of the DoD, a Security Technical Implementation Guide or STIG outlines a methodology for standardized secure installation and maintenance of computer software and hardware. When implemented, these guides lock down common and typically permissive software to further reduce vulnerabilities. These implementation guidelines include recommended administrative processes that span the devices’ lifecycle. Integrators must employ STIG scanning software to implement/validate proper configuration and ultimately to obtain an ATO/Authority to Operate. These standards are applied to a range of systems from those that provide for the safety and security of personnel in barracks to those that monitor the health and security of nuclear reactors on Navy ships and submarines.
Taking a Holistic Approach to Cyber Security
Because the integration of systems and components is so key to government network operations and support, cyber security of that technology has to be managed on multiple fronts simultaneously. In recognition of that challenge, the Federal Government and the DoD are converging on a process called Risk Management Framework (RMF). Formerly called DIACAP (Defense Information Assurance Certification and Accreditation Process), RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
Those suppliers, manufacturers and integrators wishing to do business with government agencies will be required to follow this process to ensure that their solutions are accredited and allowed to be deployed on a DoD or Federal network. Video surveillance vendors would also need to extend the RMF process to the vetting and selection of their strategic video management system partners to guarantee the proper level of interoperability and assurance.
Ultimately, in order to receive an ATO/Authority to Operate at a given site, the entire system must be validated from edge (i.e., camera) to core (storage) which includes the application layer and the network infrastructure.