Putting PoE to New Uses

 

There’s a new technology available for security professionals, and it’s been on the market for almost two decades.

 

Power over Ethernet (PoE) technology is widely used across diverse security and surveillance applications. However, the latest version of the standard, first established in 2003, has evolved the technology’s capabilities to the point where professionals are now finding entirely new uses for PoE-enabled cameras and devices.

 

The PoE standard was first ratified by the IEEE in 2003, initially as 802.3af, and allowed a camera or other PoE device to receive up to 12.95 watts of power, with the second standard – 802.3at – doubling that to 25.5 watts.

 

PoE technology enables integrators to easily onboard, connect, configure and integrate different types of systems without having to learn a whole new “language” and without needing to home run cables to disparate systems.

 

That’s a significant cost saving because now you don’t need to deploy multiple outlets everywhere. You don’t need to run 18/2 copper cabling. You don’t need to deal with additional power supplies. You have a single cable for the data and power, and it makes functions like UPS battery backup easier because now it’s all centralized.

 

For integrators, requiring fewer cable runs to deliver power and network to a camera makes it easier to install new products or design a system for a new facility.

 

There are also PoE extenders that you can plug in inline, so you don’t need a local 110-volt power source. An extender sits inline, takes a bit of the power for itself and passes the rest downstream, extending the distance over which power can be delivered. Extenders can also be daisy-chained to go further still.

 

PoE technology can also do much more, if used properly. The technology can extend beyond cameras to include lighting, digital signage, clocks, access control, entry and access badging systems, encoders, decoders, Public View Monitors, anything really.

 

The standards have evolved, supporting higher network speeds (now up to 10 gigabit) and allowing more watts to be received (now up to 71.3 watts in the highest case).

 

As new standards have come out, we’ve kept pace by upgrading and enhancing our cameras to best take advantage of each technology leap. Here’s a perfect example of how the new BT standard can enable project applications never before possible: PTZ cameras with low temperature environment capabilities, but also with ultra-long range, powerful IR LEDs to see far away in near total darkness.

 

 

 

Know Your Terminology

When it comes to PoE, there are two key terms: PD and PSE.

A PD is your Powered Device: cameras, speakers, any device receiving power. A PSE is Power Sourcing Equipment. The PSE consumes a certain amount of power, but it can’t deliver the full amount of power needed due to loss along the cable run. For example, in standard PoE, your switch, injector or mid-span consumes up to 15.4 watts, but the camera can only receive 12.95 watts.

 

When designing a system, professionals need to make sure they look at each device’s data sheet. If it says “12.95 watts,” you can’t use that number by itself to size how big your power budget is on your infrastructure. If you have a 32-port switch, or even a 48-port switch, then 12.95 times 48 equals 621 watts. But 15.4 times 48 is 739. That’s a difference of 118 watts, which could cause devices to not receive enough power, changing your PSE selection. It’s important to always be cognizant of what the actual power draw is on the switch side.

 

Also, just because a switch says it can do PoE+, it probably can’t do that on all the ports. Keep in mind your total system budget, and also how much power each camera or each device needs. Then add it all up to make sure that switch can fully support your network requirements.
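The budgeting rule above, as an added example that is not part of the original article: it sizes every port at the PSE-side figure and reports which devices a switch would leave unpowered. The 30, 51, 60 and 90 watt figures are IEEE 802.3at/bt values added here, and the priority ordering and full-class reservation per port are assumed switch behavior.

```python
"""PoE budget check sized at the PSE port, not at the PD datasheet figure."""
from dataclasses import dataclass

# (standard, max watts received at the PD, watts the PSE sources per port).
# 12.95, 15.4, 25.5 and 71.3 are quoted in the article; 30, 51, 60 and 90
# are the matching IEEE 802.3at/bt figures, added for this example.
POE_TYPES = [
    ("802.3af", 12.95, 15.4),
    ("802.3at", 25.5, 30.0),
    ("802.3bt Type 3", 51.0, 60.0),
    ("802.3bt Type 4", 71.3, 90.0),
]

@dataclass
class Device:
    name: str
    pd_watts: float      # datasheet figure: power needed at the device
    priority: int = 1    # lower number is powered first (assumed switch policy)

def pse_allocation(pd_watts):
    """Return (standard, watts reserved at the switch port) for a PD draw."""
    for standard, pd_max, pse_watts in POE_TYPES:
        if pd_watts <= pd_max:
            return standard, pse_watts
    raise ValueError(f"{pd_watts} W exceeds the highest PoE type")

def plan(devices, switch_budget_w, port_max_w):
    """Allocate ports in priority order; report devices left unpowered."""
    powered, denied, used = [], [], 0.0
    for dev in sorted(devices, key=lambda d: d.priority):
        standard, need = pse_allocation(dev.pd_watts)
        if need > port_max_w:
            denied.append((dev.name, f"needs {standard}, port cannot supply it"))
        elif used + need > switch_budget_w:
            denied.append((dev.name, "switch budget exhausted"))
        else:
            powered.append(dev.name)
            used += need
    return powered, denied, round(used, 1)

def naive_vs_pse(devices):
    """Datasheet sum versus what the PSE must actually budget."""
    naive = sum(d.pd_watts for d in devices)
    real = sum(pse_allocation(d.pd_watts)[1] for d in devices)
    return round(naive, 1), round(real, 1)

# Constructed sample: 48 fixed cameras at 12.95 W plus one high-power PTZ.
CAMERAS = [Device(f"cam{i:02d}", 12.95, priority=2) for i in range(48)]
PTZ = Device("ptz-gate", 60.0, priority=1)
```

A switch sized from the datasheet sum (621.6 W) powers only 40 of the 48 sample cameras, and a PoE+ port cannot start the 60 W PTZ at all.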

 

Remember: the “E” in PoE doesn’t mean “everything.” There is no one size fits all.

 

For more information, check out Hanwha Techwin’s range of PoE+ switches, injectors and NVRs at hanwhasecurity.com.


While cybersecurity is everyone’s responsibility, it begins with a ‘cybersecurity by design’ approach during the development of the technology and carries through to manufacturing and distribution. For network cameras it’s critically important to ensure hackers don’t get access to a company’s valuable information via any weakness in the security system. Depending on the device and what’s inside, it may be vulnerable by default. This is one of the biggest differences between professional security cameras and the cheap systems that can be purchased from discount retailers.

 

For organizations seeking to install a low-cost solution, it might solve a need initially, but the product might not receive support or updates and patches for vulnerabilities going forward. Hacking techniques evolve as vulnerabilities are uncovered over time, so it’s critical that a manufacturer evolves its firmware and updates it regularly to keep one step ahead. Hanwha Techwin focused on cybersecurity in its latest Wisenet 7 SoC (system on chip). Some of the technology used to harden the latest cameras may be unfamiliar to users, so this post seeks to provide a high-level overview of these various technologies and associated terms.

 

Technologies and terms for cybersecure IP cameras

Secure Boot Verification

Secure Boot provides an extra layer of security by isolating different elements of a camera’s operating system from the network. When a camera is booted up, it verifies encrypted signatures in the boot image in its secure operating system and then runs Linux on top of that for the network interface. This separates Linux (user access) from the chipset and decryption keys. The system will complete a full boot before communicating with any other part of the system and this also prevents an interruption to the boot process which could be exploited by a hacker.

 

Secure OS

Using a separate operating system (OS) for encryption and decryption, as well as for verifying that apps have not been modified, reduces the workload of a camera’s main OS. A separate Linux-based API is needed to access a Secure OS, and without this there is no way to make any changes to the camera from the outside.

 

Secure JTAG

JTAG ports are hardware interfaces which are used to program, test and debug devices. They can be compromised by hackers to gain low-level control of a device and perhaps replace firmware with a malicious version. This can be prevented by securing the JTAG port via a key-based authentication mechanism to which only authorized personnel working for the manufacturer have access. JTAG comes from the Joint Test Action Group, which created the standard for verifying and testing printed circuit boards and chips.

 

Secure UART (Universal Asynchronous Receiver-Transmitter)

UART ports are serial interfaces typically used for debugging cameras. They allow administrator access to a camera and are therefore a target for hackers attempting to access sensitive information such as password keys. Hackers could also potentially access a camera’s firmware in order to reverse engineer it, upload a non-authorized version, or examine it for vulnerabilities in the device’s communications protocols. Enforcing restricted and secure access to the UART port allows the debugging process to be safely completed, without opening the door to cyber criminals.

OTP ROM (One-Time Programmable Read-Only Memory)

One of the most important aspects of cybersecurity is to verify that anyone accessing the camera is who they say they are. This feature burns certain unique pieces of information like decryption keys into the chip during manufacturing that cannot be reprogrammed. When firmware is installed and a certificate is verified, it references these keys to guarantee the data comes from a trusted source. This is a critical element of the Trusted Platform Module (TPM) that separates the end-user side of the camera application from the network (Linux). OTP protects the integrity of encryption keys which are used to validate the stages in a secure bootup sequence and allows access to the camera application. A manufacturer that’s not building its own chip typically doesn’t have this capability.
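A simplified model of the boot-time verification described under Secure Boot Verification and OTP ROM, added here as an illustration and not Hanwha Techwin's implementation: it uses a SHA-256 digest chain in place of signature verification, with the root digest held in write-once storage. The stage names, the `root_digest` slot and the image layout are hypothetical.

```python
"""Verified boot modelled as a digest chain rooted in write-once memory."""
import hashlib
import hmac

class OtpRom:
    """One-time-programmable storage: each slot can be burned exactly once."""
    def __init__(self):
        self._slots = {}

    def burn(self, slot, value):
        if slot in self._slots:
            raise PermissionError(f"OTP slot {slot!r} is already programmed")
        self._slots[slot] = bytes(value)

    def read(self, slot):
        return self._slots[slot]

def pack(stages):
    """Factory side: prefix each stage with the SHA-256 of the stage after it.

    Returns (packed_stages, root_digest); root_digest is the value to burn.
    """
    packed, next_digest = [], bytes(32)      # the last stage vouches for nothing
    for name, code in reversed(stages):
        blob = next_digest + code
        packed.insert(0, (name, blob))
        next_digest = hashlib.sha256(blob).digest()
    return packed, next_digest

def boot(otp, packed):
    """Device side: run a stage only if its digest matches the expected one."""
    expected, ran = otp.read("root_digest"), []
    for name, blob in packed:
        actual = hashlib.sha256(blob).digest()
        if not hmac.compare_digest(actual, expected):
            return ran, f"halt: {name} failed verification"
        ran.append(name)
        expected = blob[:32]                 # digest this stage carries for the next
    return ran, "booted"

def tamper(packed, index, new_code):
    """Return a copy of the image with one stage's code replaced after packing."""
    name, blob = packed[index]
    return packed[:index] + [(name, blob[:32] + new_code)] + packed[index + 1:]

# Constructed sample image; stage names and contents are hypothetical.
STAGES = [("bootloader", b"init dram"), ("secure-os", b"key services"),
          ("linux", b"network stack")]
IMAGE, ROOT = pack(STAGES)
OTP = OtpRom()
OTP.burn("root_digest", ROOT)
```

Because the root digest cannot be rewritten, a modified stage stops the boot at that stage, and swapping in a whole new chain fails at the first stage.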

 

Anti-Hardware Clone

Anti-hardware clone functionality prevents a chipset from being cloned. In addition to protecting intellectual property, this ensures that a chipset with a manufacturer’s label is a genuine copy and removes the risk of a cloned device which may contain malicious software being used to steal sensitive data such as passwords.

 

Crypto Acceleration

Crypto acceleration in the context of a camera chipset means providing for complex mathematical functions for encryption and decryption. Because this is a very intensive operation, it can require a chipset to use a large proportion of its resources. Equipping chipsets with a dedicated ‘engine’ for this purpose ensures that encryption/decryption is efficiently carried out, without impacting other camera functionality.

 

Video & API Encryption

Between the location of a camera and where the images it captures are remotely viewed, recorded and stored, there is always the possibility that a cybercriminal could hack into the network and gain access to what may be confidential video and data. Encryption can be used prior to transmission of the video and other network communications so that it cannot be viewed by anyone maliciously hacking into the network.

Raising the bar on cybersecurity
I hope these brief definitions have added to your understanding of the various technologies that can be used to protect network IP cameras from exploitation. When deploying IP cameras, it’s important to consider a manufacturer’s dedication to cybersecurity and be armed with a basic knowledge of what is required to successfully protect devices. Manufacturers should use independent testing agencies (white-hat hackers) to help identify vulnerabilities.

 

Hanwha Techwin has always put a priority on cybersecurity and the latest Wisenet 7 chip has again raised the bar for the security industry. The Wisenet 7 SoC received UL CAP (Cybersecurity Assurance Program) certification in only 3 months (it typically takes 8 to 10 months for most companies) thanks to our well-established software development process already in place and our dedicated in-house cybersecurity department.

 


Many companies decided to continue production, leading to more challenges. The process of refining and selling oil usually moves quickly. As a result, oil is typically never stored for long, so companies haven’t invested in long-term storage capabilities. Now, with no one purchasing oil and production ongoing, they weren’t equipped to store their ever-increasing quantities. Basic economics: supply was outstripping demand and prices dropped, at one point down to -$40 a barrel.

 

While oil prices are now starting to rebound, they are still far below normal levels. Oil and gas companies are adjusting to address financial losses without impacting production.

 

Many have done this by reducing personnel at their sites. This lowers costs, but also has the potential to leave smaller or remote sites vulnerable. The challenge is how to reduce this site vulnerability and still oversee production – and not increase costs.

 

One solution is installing IP-based video surveillance cameras, which allows companies to keep a close eye on their wells and pipelines from anywhere. But setting up these cameras in remote locations presents its own set of challenges.

 

Running power to sites along a pipeline and then getting a connection back to the network is no small task. Many companies use solar panels and batteries and then simply connect cameras to a computer.
