Page 20 - Security Today, May/June 2020

Government Security
mation that needs to be protected, security leaders need to evaluate how to secure not only video data, but also the entire video surveillance system, which includes video management. This is where cybersecurity protocols and guidance can come into play to help protect, along with the design of products that better leverage these tools.
Identifying tools. One way to decipher risk is through the concept of “security by design,” which is an approach to software and hardware development that aims to make systems as free from vulnerabilities and protected from attacks as possible. This is especially important for devices that run on a network. But the design should be coupled with additional touch points for monitoring the health of the system, and government agencies are required to also provide ongoing oversight of a network to protect critical information.
One tool that is commonly used to scan networks to identify issues is NESSUS, an open-source network vulnerability scanner that uses the common vulnerabilities and exposures architecture for easy cross-linking between compliant security tools. The functions include malware detection, configuration auditing, target profiling, sensitive data discovery, and more.
A suite of other tools, along with hands-on penetration testing, should be built into the product development lifecycle to continue identifying potential vulnerabilities and ensure there are no “back doors” into the system. Some other best practices include assigning various user levels where possible to protect pieces of the system and being diligent about ensuring the right level of access for the user. Finally, taking steps to encrypt all communications between devices is essential.
This includes the way the video transmits to the operator workstation, where it is stored, and all the connections between these various locations; they must all be encrypted to ensure the most secure data sharing capabilities are in place.
But this is just the tip of the iceberg. In order to fully identify the right tools, it is essential to know the risk.
Examining the Supply Chain
A big part of the landscape for navigating cybersecurity protocols across the government sector is adherence to the strict standards put in place to protect the network, such as the use of IPv6, the Federal Information Processing Standard (FIPS) 140-2, and (in access control) the use of the Federal Government Identity, Credential and Access Management (FICAM) standards. As a result of the nature of today’s threats, the federal government has taken steps to ensure these protocols are met and executed.
The National Defense Authorization Act (NDAA), which specifies the budget and policies of the Department of Defense (DoD), prohibits the purchase and installation of video surveillance equipment from select Chinese companies in federal facilities. This act has created a ripple effect across much of the security industry, as integrators work to make sense of the products they can and cannot use for government-related projects.
In this regard, cybersecurity and national security go hand in hand, as the idea is to minimize the perceived risk moving forward. One way some camera manufacturers have started to limit this risk is by examining the supply chain and making adjustments on where various components of a camera originate. Another is by engaging in a General Services Administration (GSA) Schedule Contract used to sell to federal agencies (as well as state and local government on occasion). GSA also sets several requirements that must be met, including country of origin standards or compliance with the Trade Agreements Act (TAA).
Speaking the Language
Early in the design process, it’s critical for integrators and manufacturers alike to understand the needs of the government space. This means implementing measures that foster this communication. Many integrator companies and security manufacturers are taking the necessary steps to form internal task forces made up of cybersecurity and former DoD professionals who have a working knowledge of the demands of the government sector.
Part of this involves engaging with professionals who keep current on the threats this market faces. For example, professional services departments made up of network specialists, consulting, and deployment specialists are being formed to address some of the significant challenges that federal agencies face as it relates to access.
Some of these individuals have top-secret clearances, meaning they can access areas of a facility that are considered visually classified and offer a significant amount of support beyond the traditional integrator or installer. This makes a real difference in understanding and being able to speak the language of a federal agency, IT department, or security leader in this space.
Vulnerability Testing
A critical component of designing for data protection is engaging in vulnerability testing of a system to evaluate the security risks in a software system and reduce the probability of a threat. In the government sector, for example, this includes Security Technical Implementation Guide (STIG) configuration.
STIGs are the configuration standards for DoD that contain technical guidance to “lock down” information systems and/or software that might otherwise be vulnerable to a malicious attack. In essence, this helps standardize network security protocols that aim to identify vulnerabilities and address them before they become a risk. Building these protocols into a product goes a long way in helping secure a government organization’s systems.
Keep Up-to-Date
Cyber threats continue to increase and evolve in sophistication, and security leaders — both IT and physical — need to maintain a proactive approach to mitigating this risk. As government entities continue to embrace the connected world, new cyber vulnerabilities will come to light. As a vendor in the video surveillance market, we are entrusted to provide secure products and guidelines to safeguard solutions from various types of risks, including cyber vulnerabilities.
One of the best ways to reduce network vulnerabilities associated with video surveillance is to ensure strong levels of data protection. Highly secure encryption and role-based access control are two capabilities that elevate security while meeting the compliance requirements of government agencies.
Government security leaders need to evaluate what parameters work best for their specific environments while being cognizant of emerging risks and how to proactively address them. Regardless of the specific application, a secure, compliant video surveillance infrastructure built on common cybersecurity protocols enables organizations to maintain strict levels of cyber and physical security to ensure physical and data security, protecting business, employees, and assets along the way.
Stuart Rawling serves as the Vice President of Technology and Customer Engagement at Pelco.