Thursday, February 9, 2012

Another Cybersecurity Issue – Video Security Systems

Security managers at high-risk chemical facilities already have to be concerned about cyber security in two different (and unfortunately probably interconnected) computer systems; the industrial control system that provides access to and controls on processes that use the DHS chemicals of interest (COI) on site, and the information systems that support the business side of the facility. Today I saw an article over at IPVM.com that raises concerns about another separate (but perhaps interconnected) system, the security management system protecting the facility.

The article describes a vulnerability in Trednet IP cameras that allows anyone with network access to the camera to view the images from the camera. While this vulnerability may only be limited to a number (at least 7 according to the original Console Cowboys blog post which is the basis for this article) of cameras from a single vendor, it is extremely likely that there are similar vulnerabilities in other cameras out there.

Now we have all seen the Hollywood burglar’s (both good guys and bad) who break into a secure facility by substituting a loop of no change from a video camera to hide their activities from the security guards watching the video displays. If we think about what the Stuxnet authors did to PLC programing to hide changes in the operation of the PLC and combine that with this type of camera vulnerability, then the Hollywood plot line becomes much more plausible.

If there are vulnerabilities this easy to detect and exploit in cameras, what other vulnerabilities exist in other components of these security control systems? Maybe we need a video security system cyber emergency response team (VSS-CERT) at DHS to keep track of these vulnerabilities and help and help security managers deal with compromises of their VSS. Or maybe we just need to bit the bullet and form the SS-CERT (SS for security system, not the other thing) to cover the complete security system with all of its supporting devices and software.

1 comment:

Dan said...

I have a TRENDnet TV-IP422WN camera. I set it up to use as a baby monitor last month. I read the article when it first came out and it was a bit alarming to say the least. I put the camera on a switched outlet so I could turn it on and off easily. Just checked and Trendnet finally released a firmware update so I will have to install that soon. Hopefully it doesn't break functionality that I am using already.

 
/* Use this with templates/template-twocol.html */