VMS cybersecurity: all about cameras

May 23, 2024

Cameras are the eyes and ears of a security system. They can also be its biggest vulnerability. If compromised, cameras can be used to spy on individuals and organizations, or even hijack business operations with ransomware and malware. This article explains the practical steps that you can take to minimize the risk of your security cameras being exploited.

Step 1: Take stock of all of your security cameras.

Many organizations use different camera models from different manufacturers. This makes a lot of sense for organizations managing a range of spaces across multiple sites. After all, a security camera on a highway has a different job to do than one in a parking lot or in the immigration area of an airport. 

For large projects though, it can be challenging to keep track of all cameras. The first step is asset management: knowing what you have. If all of your cameras are already connected to video management software (VMS), therein lies your list. 

Step 2: Choose which security cameras to keep.

Different organizations have different cybersecurity needs. A local restaurant chain with three locations is going to be less concerned with a cyber attack than a company that provides electricity to most of a country’s citizens. With that in mind, you need to decide on the priorities that make sense for your organization. Here are some examples that you might want on your cybersecurity assessment list:

  • HTTPS: If you’re reading this article, you probably only want to use cameras that support HTTPS. It’s a type of encryption that helps block cyber criminals from hijacking the communication between a video camera and the VMS client or server. Even if you work in a low-risk sector, this is a good “basic cybersecurity” box to tick. 
  • Tamper detection: Some advanced cameras come with tamper detection features that alert you if anyone has physically or digitally interfered with the device. On the one hand, if a camera is physically placed where it would be almost impossible for a person to reach it, then maybe it’s less necessary. On the other hand, if you’re a retailer with a theft insurance policy that requires tamper detection of security cameras, the choice is simple. 
  • Cybersecurity policies and certifications: These are especially relevant for government projects, which may involve defense, healthcare or critical infrastructure. The stakes are higher when it comes to national security and public safety. That said, private organizations also have a lot to lose if money-making activities are blocked due to a security incident. If any of this rings true, you’ll want to check whether a camera vendor has a way for customers to report vulnerabilities, has a team to respond to incidents, has been ISO/IEC 27001 certified, or has been penetration (pen) tested by an independent third party. 

You can often find this information by looking up the manufacturer’s online documentation, opening the settings of the camera’s interface and/or reaching out to their customer support team. 

Step 3: Update the camera firmware.

Firmware updates often address known security vulnerabilities. Manufacturers release updates to fix these vulnerabilities, protecting your camera from being exploited by hackers. So, naturally, staying up to date makes a lot of sense. However, here are several steps that can lower the risks of updating: 

  • Device life cycle: There might be firmware updates available for some of your devices. But if the latest update is two or three years old and the expected lifetime of the camera is almost up, you might want to evaluate whether it’s even worth the update. It might make more sense to swap out the device. 
  • What’s included: There is a small chance that the update could mean losing support for a functionality or process that you currently depend on. For example, you want to make sure that requirements for password complexity, HTTPS, etc. in the latest firmware version stay at a level that you need. 
  • Backwards compatibility: Sometimes a VMS provider will decide to stop supporting a specific camera manufacturer. It’s unlikely that the VMS provider will remove the camera drivers that they previously developed. But you still want to make sure that your VMS has an updated driver to match the latest camera firmware. Otherwise, you might end up wasting time and having to downgrade the firmware to re-establish a connection with your VMS.
  • Firmware source: To be on the safe side, always download directly from the camera manufacturer’s website. Verifying the downloaded file against the checksum that comes with the firmware will also raise alarm bells if it’s been tampered with.
  • Testing: Getting the latest firmware on one or a few cameras will let you know if there are any major bugs that could interrupt your security operations. If testing goes well, then you can move on to updating the rest of the cameras. 
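
The checksum check from the “Firmware source” item, as an added example (not Milestone’s or any camera manufacturer’s code): it hashes the downloaded image in chunks and compares the result with the published value. SHA-256, the `sha256sum`-style checksum line and the file name are assumptions; use whichever algorithm the manufacturer publishes.

```python
import hashlib
import hmac
import os
import tempfile

def parse_checksum_line(line):
    """Parse one sha256sum-style line: '<hex digest>  <file name>'."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    return digest, name.lstrip(" *")

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large firmware images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_firmware(path, checksum_line):
    """Return True only if both the file name and the digest match the published line."""
    expected, name = parse_checksum_line(checksum_line)
    if name and name != os.path.basename(path):
        return False  # the checksum was published for a different file
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed sample: a fake firmware image, then the same image with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "camera_fw_1.2.3.bin")  # hypothetical file name
        image = b"CONSTRUCTED-FIRMWARE-IMAGE" * 1000
        with open(path, "wb") as f:
            f.write(image)
        published = hashlib.sha256(image).hexdigest() + "  camera_fw_1.2.3.bin"
        ok = verify_firmware(path, published)
        with open(path, "r+b") as f:  # simulate tampering or a corrupted download
            f.seek(100)
            f.write(b"X")
        tampered_ok = verify_firmware(path, published)
        return ok, tampered_ok

if __name__ == "__main__":
    print(demo())
```

A checksum fetched from the same site as the firmware catches corrupted downloads and altered mirrors, but not a compromised download site. Where the manufacturer signs its firmware, verify the signature as well.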

Okay, you’ve confirmed that an update is a good idea. Hopefully, you have a VMS that gives you a fast, easy way to check which firmware your cameras are running and the time since the last update. From there, you can either update in bulk or one-by-one.

Step 4: Update the camera drivers.

As mentioned, your VMS needs to be running drivers that match the firmware of any connected cameras. The latest drivers should be available on your VMS provider’s website. 

Step 5: Automate password protection.

Even if you only have a single security camera running, please double-check that it does not still have a factory-set admin account and password. More modern cameras won’t even have this factory option, but many older ones do. Even if 99.9% of your cameras are password protected, just one vulnerable camera can compromise your entire installation. 

If you operate in a higher-risk, regulated sector, then this is one of the bases that you probably have covered. If so, the next considerations are: 

  • Password strength: Ideally, no one should know a camera password. It’s safer and more efficient to let your VMS generate complex passwords for you. That way, no one will remember a password off the top of their head and be able to repeat it verbally and/or remember it when they leave your organization. It will also make it more difficult for a bad actor to brute-force their way into a device.
  • Bulk updates: While automatic password generation is a good idea even for smaller projects, the benefits of bulk updates increase with the number of cameras you’re managing. In addition to generating passwords, a VMS should also let you update them in bulk.

Step 6: Put your cameras on a separate VLAN.

Putting your VMS on a separate network limits the damage an attacker can do. They’ll have access to the compromised VLAN, but won’t be able to go further. Here are two common VLAN setups that customers use when deploying Milestone’s XProtect VMS. 

  • If your organization is smaller and/or at lower risk of a cyber attack, you could create a camera VLAN and a VMS client VLAN with a single switch, allowing them both to communicate with the server. 
  • In a more advanced corporate environment, where the office network shares infrastructure with the security network, it’s advisable to create a third VLAN for certain sensors, file servers and computers frequently used by employees. This approach allows the physical infrastructure to be shared while the virtual separation adds an extra layer of security.

Step 7: Enable port security on your managed switches.

Organizations that need to use managed switches for their video security cameras typically include those with complex security requirements, high data traffic or stringent regulatory compliance needs. If any of that rings a bell, we recommend using the IEEE 802.1X authentication protocol on your switches and cameras. This protocol makes sure that the switch is definitely communicating with the camera and not some hacking equipment. Of course, a prerequisite is that your cameras support 802.1X. So if you’re considering which hardware to keep and what to swap out, this might be added to your list of criteria. 

Step 8: Encrypt security footage.

Encryption at rest and encryption in transit are two key components of securing data in video security systems:

  • Encryption in transit: At the beginning of this article, we talked about HTTPS as a good standard of video encryption in transit. Another option that can be used along with HTTPS (or instead of it, in case your cameras don’t support HTTPS) is Media Access Control Security (MACsec). It encrypts the data on the cable between the camera and the switch. So, if you have cameras installed in public and/or outdoor spaces, MACsec is something you might want to look into.
  • Encryption at rest: In the absence of encryption, unauthorized individuals could potentially watch or steal sensitive video content. Widely acknowledged as one of the most secure encryption algorithms currently available, the Advanced Encryption Standard (AES) offers varying key lengths. AES-256 is as good as it gets, and is the preferred choice of government agencies. would require millions of years, a feat that has yet to occur. 

Step 9: Set up digital signing on all footage.

Digital signing video recordings—knowing who has viewed and exported footage—is critical to law enforcement. After all, if video evidence is used in a courtroom, there can’t be any doubt as to whether it’s been tampered with. Digital signing could also be a requirement within government and defense, healthcare, financial services, critical infrastructure, retail and education. 

Taking XProtect as an example of digital signing within a VMS: a signature is applied each time a video is exported, and you also get a signature from the recording server. One signature is saved at the time of recording and another at the time of export. When a signature is applied, the video itself isn’t altered or re-encoded. Instead, any signatures are stored alongside the media database, which verifies the signatures. All XProtect variants support this functionality at no additional cost. 
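
The idea of a signature stored alongside unaltered footage, as an added example (not XProtect’s implementation): one record is created at recording time and one at export time, and both stop verifying if a single bit of the video changes. HMAC-SHA256 from the standard library stands in for a public-key signature scheme here, so anyone holding these keys could also forge a tag; the keys, stage names and record fields are hypothetical.

```python
import hashlib
import hmac
import json

def sign_detached(media, key, stage):
    """Return a signature record for `media` without modifying the media bytes."""
    digest = hashlib.sha256(media).digest()
    tag = hmac.new(key, stage.encode() + b"\x00" + digest, hashlib.sha256).hexdigest()
    return {"stage": stage, "sha256": digest.hex(), "tag": tag}

def verify_detached(media, record, key):
    """Recompute the tag over the current media bytes and compare in constant time."""
    expected = sign_detached(media, key, record["stage"])["tag"]
    return hmac.compare_digest(expected, record["tag"])

def verify_sidecar(media, sidecar_json, keys):
    """Check every record in the sidecar; returns {stage: True/False}."""
    results = {}
    for record in json.loads(sidecar_json):
        key = keys.get(record["stage"])
        results[record["stage"]] = key is not None and verify_detached(media, record, key)
    return results

def demo():
    # Constructed sample data: keys, stage names and "video" bytes are all hypothetical.
    keys = {"recording": b"recording-server-key", "export": b"export-client-key"}
    video = b"\x00\x00\x00\x18ftypmp42" + b"constructed video payload" * 200
    # The sidecar is stored next to the footage; the footage itself is never rewritten.
    sidecar = json.dumps([sign_detached(video, keys["recording"], "recording"),
                          sign_detached(video, keys["export"], "export")])
    intact = verify_sidecar(video, sidecar, keys)
    edited = bytearray(video)
    edited[500] ^= 0x01  # a single flipped bit in the footage
    tampered = verify_sidecar(bytes(edited), sidecar, keys)
    return intact, tampered

if __name__ == "__main__":
    print(demo())
```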
