Volume 5
June 2016 Edition
Hardening the Eco-system from Edge to In some cases, encryption requirements are extending into the private sector as well to include
Core
The Internet of Things introduces yet another level of
concern. With the proliferation of devices now connecting to the network – everything from desktops to
thermostats to smart phones to video cameras – government agencies need a way to identify and manage these end points more securely to prevent network breaches through attacks on these seemingly
innocuous devices. One strategy is for government
agencies to use certificates and encryption keys to
authenticate devices on the network and securely
managed transmissions to and from those endpoints.
This automated verification process applies to video
cameras, video management systems or any other
IoT device and helps to prevents ports from being
hijacked or data being stolen. These same authentication methods can be used to enhance the security
of the entire eco-system. For instance, agencies can
employ certificates to validate not only for the servers, applications and clients across the fabric of network devices, but extend that certificate requirement
to the storage components as well. In concept this
sounds easy, but in practice this kind of reference
architecture between systems and components requires a great deal of cooperation and development
between agencies, suppliers, manufacturers, application layer developers, and integrators.
But when it comes to protecting the transmission and
storage of the video data itself IT departments have
had to raise the bar. Often extremely valuable and
sensitive, this information has become an appealing target for criminal hackers, cyber terrorists and
unauthorized and perhaps disgruntled employees.
Without proper safeguards situations such as what
happened with Edward Snowden who leaked classified NSA data might become more commonplace.
As a consequence of past incidents, many government and military facilities that capture operational
video are required to receive, transmit and store
this data in a highly secure manner – namely in an
encrypted format. Legacy capabilities such as TLS/
Transport Layer Security and SSL/Secure Sockets
Layer are evolving into more contemporary standards-based approaches such as SRTP (Secure
Real-time Transport Protocol). As the name implies,
SRTP is intended to provide transport layer encryption, message authentication and integrity, and replay
protection to the RTP data in both unicast and multicast applications.
companies that do business with government
agencies. Whether protecting surveillance of operations such as critical infrastructures, tracking
the movements of high-value personnel or recording other activity that may have significant value to
various customers or their competitors, encryption
shields the video data from unauthorized tampering and dissemination.
Hardening the Supply Chain and Vendor
Management Systems
Another area of concerns is the inadvertent – or
deliberate – introduction of malware via the software and hardware systems of companies that do
business with government agencies. The government regularly runs war game scenarios to determine the consequences to IT infrastructure, weapons systems and other mission critical platforms
when infiltrated with malware, backdoors and other
malicious code.
Because these infiltrations could potentially enable
our enemies to disrupt, deceive and possibly dismantle critical national defense systems and capabilities, government agencies are now enforcing
rigorous and discipline management policies and
procedures across their supply chain and vendor
eco-systems. This requires that the government
supply chain continuously monitor and validate the
origins of components and final products and provide a sterile chain of custody. The guidelines can
be found in the newly published DoD Instruction
4140.01 DoD Supply Chain Material Management
Policy (http://www.dtic.mil/whs/directives/corres/
pdf/414001p.pdf) which governs DoD Supply Chain
Management. Another resource is the relatively
current (February 2014) eleven-volume series of
DoD manuals entitled DoD Manual 4140.01 DoD
Supply Chain Material Management Procedures.
One of the ways that the Navy and other DoD
services scrutinize non-government partner companies who furnish equipment to their agencies –
especially mission critical systems – is to require
documentation showing each component’s country
of origin. IP video surveillance systems in many instances are included in this scrutiny. Any device or
application operating on a Government network is
subjected to rigorous Information Assurance/IA
13