ONVIF Recommendations for Cybersecurity Best Practices for IP-based Physical Security Products
January 2020
There are many forms of cybersecurity threats. Some relate to technology within the product and networks, and some relate to human behavior.
This recommendation guide serves to inspire you to look at cybersecurity in a broader perspective (broader than just technology and what ONVIF has incorporated in its specifications and profiles). Many of the recommendations are about common sense and vigilance when working with security products.
ONVIF also encourages users to conduct their own research and consult with cybersecurity experts. The Internet is rich with such information and offers plenty of guidance.
Be Aware of the Current Risk to Your System and Business
- Know what’s on your network
- Constantly seek awareness of the vulnerabilities your business faces
- Make a risk analysis of potential threats and the possible damage/cost if the system is attacked
Design Your System
Secure your network
- Avoid exposing the cameras/NVRs/servers to the Internet unless strictly necessary.
- Make use of VLANs to separate the CCTV network
- Use a firewall to protect your network if connected to the Internet
- Keep open only the ports that are strictly required.
- Use encrypted connections (HTTPS) when possible, even on local networks
Restrict user privileges and access
- Limit the number of privileged users and minimize physical access to equipment
- Each user account should only be given the authority to access the resources required to fulfill their specific responsibilities
Secure the devices and servers
- When possible, put your network and IT assets behind locked doors to limit unnecessary access
- Do not rely on a network device’s factory default settings; enable and configure device protection services and disable services that are not being used (such as UPnP and protocols that are not needed)
- To reduce exposure, video clients should not be allowed to access cameras directly unless it is required by the system/solution. Clients should only access video through a VMS (Video Management System) or a media proxy.
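The network and device recommendations above can be checked mechanically against a firewall's allow rules. The following is an added example, not part of the ONVIF guide: the zone names, the allowlist of required ports, and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Zone names and the allowlist below are assumptions made for this example.
INTERNET, CLIENTS, VMS, CAMERAS = "internet", "clients", "vms", "cameras"
REQUIRED = {                       # (src, dst) -> services the deployment needs
    (CLIENTS, VMS): {("tcp", 443)},
    (VMS, CAMERAS): {("tcp", 443), ("tcp", 554)},  # HTTPS management, RTSP media
}
CLEARTEXT = {("tcp", 80), ("tcp", 23), ("tcp", 21)}  # HTTP, Telnet, FTP
UPNP = {("udp", 1900)}                               # SSDP discovery used by UPnP

@dataclass(frozen=True)
class Rule:
    """One firewall allow rule: traffic from src zone to dst zone on proto/port."""
    src: str
    dst: str
    proto: str
    port: int

def audit(rules):
    """Return (rule_index, finding) pairs, in rule order, for rules that break the guidance."""
    findings = []
    for i, r in enumerate(rules):
        svc = (r.proto, r.port)
        if r.src == INTERNET and r.dst in (CAMERAS, VMS):
            findings.append((i, "internet-exposed"))       # review: strictly necessary?
        if r.src == CLIENTS and r.dst == CAMERAS:
            findings.append((i, "client-bypasses-vms"))    # clients should go via the VMS
        if svc in UPNP:
            findings.append((i, "upnp-enabled"))
        if svc in CLEARTEXT:
            findings.append((i, "cleartext-protocol"))     # prefer HTTPS, even locally
        if svc not in REQUIRED.get((r.src, r.dst), set()):
            findings.append((i, "port-not-required"))
    return findings

# Constructed sample rule set (not from a real deployment).
SAMPLE = [
    Rule(CLIENTS, VMS, "tcp", 443),       # compliant
    Rule(VMS, CAMERAS, "tcp", 554),       # compliant
    Rule(CLIENTS, CAMERAS, "tcp", 554),   # direct camera access
    Rule(INTERNET, CAMERAS, "tcp", 80),   # exposed to the Internet over HTTP
    Rule(VMS, CAMERAS, "udp", 1900),      # UPnP left enabled
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE):
        print(f"rule {idx}: {SAMPLE[idx]} -> {finding}")
```

An "internet-exposed" finding is a prompt for review rather than an automatic failure, since the guide allows exposure where it is strictly necessary.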
Review Your Security and Password Policies
- Use strong, unique passwords and change them on a regular basis. Passwords should be at least 8 characters long and combine letters, numbers, and special characters. Everyone should be assigned their own username and password. This ensures accountability.
- If logging in for the first time using a default ID/password, be sure to set a new password afterwards.
- If possible, make use of certificate-based authentication
Maintain and Monitor
- Document the system
- Have a maintenance plan
- Make backups, which are necessary if your system is compromised
- Keep appliances current: update software and firmware regularly, as updates may contain security patches.
- Every transaction that occurs on the appliance should be logged so that there is a record kept for forensics later.
- Monitor devices on a regular basis. Enable system notifications when applicable and supported.
- Make sure you can efficiently and effectively manage your device.
Work Out a Risk Mitigation Plan
- Design a plan of who to notify if and when your system is compromised (or simply if you suspect it).
- If you suspect the vulnerability is due to a flaw in a product, notify the manufacturer so that they can test and fix it, if necessary.
Disclaimer: These recommendations, including the contents and information therein (this “Reference”), are a non-exhaustive reference, and are intended for use for informational purposes only. This Reference is not, nor should it be relied upon as, legal advice, nor does this Reference or otherwise contain (nor should its contents be relied upon as containing) information or instructions relating to use or security of any particular hardware, software, systems, products, devices, networks, or any other programs, protocols, or frameworks. This Reference is provided by Open Network Video Interface Forum (“ONVIF”) on an “as is” basis. ONVIF makes no representations or warranties of any kind, express or implied, as to the accuracy or content of the Reference. ONVIF expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall ONVIF or any of its officers, directors, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect, special, incidental, punitive or consequential, resulting from or occasioned by the creation, publication, distribution, use of, or reliance on this Reference.