Protecting CCTV systems

Closed Caption Television (CCTV), or more commonly called surveillance cameras are complicated systems to deal with from an IT perspective. On one side they are “secure” systems that contain sensitive information, but they are also “weak” from the level of protection they have from cyber attacks. These are our standard recommendation on dealing with these systems.

• First, select a reputable vendor that has a history of creating secure solutions.
• Second, subscribe to system updates notifications and apply the updates regularly.
• Third, use a dedicated network (VLAN) for all cameras and recorders (NVR), this way you can firewall it and limit what can access it and what it can access.
• Lastly, you should not open your camera system to the Internet:
  • Option 1 (if the vendor has a cloud based portal): allow the camera system only to talk to the cloud service (limiting ports and IP addresses) and ensure the camera system does not have access to your local network (that way if it is compromised, they only get access to the recordings, not all your network).
  • Option 2: setup a VPN to access the camera system, this way you can block all inbound and outbound connections, limiting the ability for your recordings to be leaked and blocking the system from accessing the rest of your network.

All of this should be part of your Third Party Vendor policy, it should help you ask the following questions:

• What will the vendor have access to?
• What is the impact to me if that vendor cannot provide its services?
• What strategies should I implement to limit the risks linked to the above.

Final notes: any vendor that has access to your data or network (like an MSP, MSSP or camera vendor) should be SOC2 Type 2 or ISO27001 certified, this is the proof that they are taking steps to protecting you.