Securing data & communication isn't just about large data centers.
It applies to intrusion detection and video surveillance at your facility.
RELATED: video surveillance data security
In this article we take a look at intrusion detection communication encryption.
With today’s increasing focus on protecting data and securing your network devices, the little known and often misunderstood encryption method utilized by your intrusion detection system has become more important than ever. Since intrusion detection systems are migrating to alarm reporting over IP, this feature of intrusion detection systems now requires some education and understanding to properly select the most secure system possible.
Intrusion detection systems typically report to a Central Monitoring Station alarm communications receiver. In the past, the best and most economical method of alarm and life safety systems communications was messages transmitted to the central station via POTS (Plain Old Telephone Service) lines. With the use of acknowledgement and "kiss-off' signals, test timers and phone line monitors communications were made as secure and as reliable as possible.
Although many systems today still use this technology, it is quickly being replaced by more economical, much faster, and much more secure communications via IP and cellular networks. This change involves some new concerns. Now that these alarm and life safety communications are on our IP networks the need for encryption has surfaced as well.
To monitor the systems’ communication path and secure the data, encryption and polling (check-in) are performed at regular intervals. The alarm messages are encrypted to prevent interception by unauthorized parties. The polling messages replace the old test timer reports that we are accustomed to and are now performed in increments of seconds rather than only every 4, 12 or 24 hours. By encrypting the messages and polling the actual off-site alarm panels, usually every 300 seconds or so, the alarm reporting and supervision of the communications path is made secure and reliable. In contrast to the method of phone line monitors on the IDS panel only providing local annunciation since the comm path (phone line) has failed. IP reporting paths offer the ability for the central monitoring station to know that a communications path failure has occurred as well as potentially the local alarm panel. This increases system reliability significantly by not relying on someone local to address comm failures. Now, with IP comms, the central station knows immediately that a comm failure has occurred.
In addition to improved supervision of path, the speed at which IP networks transmit alarm and life safety messages is greatly improved. Signals now reach the central station in a matter of seconds.
Now we can explore the difference between the two methods as far as encryption.
First Encryption Choice
Bosch Security Systems has a product line known as “Conettix”. The Conettix product line includes all of the communications devices that are built-in and used by the various intrusion detection systems and alarm communicator devices produced by Bosch. In addition, central station receiver units made by Bosch also incorporate the same technology and encryption which provides a one manufacturer end to end secure solution.
All Bosch Conettix products include the encryption I will outline below as standard equipment, another important point, some other manufacturers only offer their encryption as an optional feature requiring additional costs. These other manufacturer’s products may or may not be capable of being upgraded to encrypted communications. It may be necessary to replace the unit to add encryption.
Bosch Security Systems uses AES-CBC (Cipher Block Chaining) style encryption Wikipedia
In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block. Each message sent and received is unique. No two messages are alike. It significantly reduces the possibility of "man in the middle" substitution and replay attacks. It means it is nearly impossible to copy polling (check-in) messages, and substitute or replay them to the central station receiver while taking the alarm panel off-line in order to circumvent or compromise it.
The AES-CBC method or encryption has been verified by NIST (National Institute of Standards and Technology) and is authorized to be used in applications requiring NIST certification such as government SCIF projects among others. See the Bosch NIST certification here. This is what should be considered when determining if a proposed intrusion detection system is appropriate for your application. The easiest way to find this Bosch certificate is simply to google “Bosch Security Systems NIST certificate”. Substitute your vendors name in place of Bosch to find other manufacturers certificates and compare.
Second Encryption Choice
AES-ECB (Electronic Code Book) style encryption. Wikipedia definition
The simplest of the encryption modes is the Electronic Codebook (ECB) mode. The message is divided into blocks, and each block is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a bitmap image which uses large areas of uniform color. While the color of each individual pixel is encrypted, the overall image may still be discerned as the pattern of identically colored pixels in the original remains in the encrypted version. ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block gets decrypted in exactly the same way. In fact it states, “In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.”
- See Bosch Intrusion Detection solutions here.
- See the Conettix AES-CBC (Cipher Block Chaining) style encryption product guide here.
- See how to deploy secure surveillance systems here
For assistance designing your project, contact us here.