There aren't many times when a news article aligns exactly with what you do, but as a Sheffield-based business with a major line in CCTV design, installation and management, including ANPR systems, we're bang in the middle of the Venn diagram for this story:
Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard.
Exclusive: In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.
We recommend you read the full article (with a cushion on your lap for when your jaw drops open) but to summarise:
- Location, numberplate and timestamp data for more than 8,600,000 records were exposed.
- Security experts stumbled upon the flaw via a search service.
- The ANPR Camera Management Dashboard was open to anyone - no login or authentication was set up.
- The Dashboard was itself connected and pulling data from 100 CCTV cameras around Sheffield.
- The IPv4 addresses for every camera were exposed - an open goal for would-be malicious hackers.
In visual security terms, this is about as bad as it gets. Allowing unrestricted access to the main dashboard to which all other devices are connected and through which all your data flows is equivalent to getting all your valuables together before you go on holiday and piling them up by the front door, which you then leave wide open.
Sheffield Council and, in fact, Sheffield's citizens, can count themselves lucky that this issue was discovered by benign actors and they were duly notified and given time to rectify the issue. Unfortunately, we've seen too many cases of late of far worse breaches only being avoided by good grace.
We'll leave the questions, enquiries and hand-wringing to others, but to our eyes there are some lessons all businesses can learn from this incident.
Security systems and processes need regular attention.
Ensuring that a maintenance contract is in place for any wide-scale technology roll-out is core to the tender processes that councils use, so it seems highly unlikely that this ANPR system is unmaintained (as so many businesses' systems are). You would also expect that local authorities, as famous fans of administrative red tape, would have some kind of process in place to monitor and control who would have access to such a system.
However, something clearly went wrong somewhere to leave the system entirely open to anyone with means to look. What this highlights is the importance of both regular system check-ups, and a robust access control procedure.
In the modern security landscape the security and accessibility of your systems need to be regularly, if not constantly, monitored, checked and tested. This would still be true even if Sheffield Council had superb security procedures set up, because the threat landscape is always changing, and will always be changing, and needs to be responded to.
And just as important is controlling who has access, how access is gained and revoked, and what features, functions and data those people have access to. Aside from good practice, when it comes to user data this is a GDPR requirement.
To ensure you're on the right path, there are some very basic questions you as a business can ask of your security systems, or those who are responsible for them, to determine if you have at least a basic level of security and access control, such as:
- Who has been accessing the system and when?
- What activity did they undertake?
- Is all your software and firmware up to date?
- What data is being stored and for how long?
- Where are files and data being stored (and are they secure and encrypted)?
- Who is responsible for controlling access to the system (and who has access)?
- What maintenance schedule is in place?
If someone within Sheffield Council had been asking these kinds of questions they might have avoided this incident.
Security is everyone's business
The first question doesn't just deal with the technology involved either; it's just as much about the people, too.
Cyber security and data management aren't "an IT thing" any longer; they touch most workers' everyday lives, and in order to be able to be secure as a business, every employee needs to have at least a basic awareness of what "good security" and "good data management" look like.
In their article The Register reveals that the ANPR dashboard is being regularly accessed and the data assessed and processed. So people were regularly accessing a portal of thousands of pieces of users' data, some of which would be used for traffic enforcement and therefore could potentially be used in a court case, but none of them thought it was unusual that they didn't have to log in? Or, if they did, there wasn't a robust enough reporting procedure for them to utilise.
I'm not trying to lay blame on the users here. This is still an organisational issue, but in a sense that all businesses - especially large and complex organisations such as local authorities - need to ensure that their employees are sufficiently well trained, and security and reporting procedures sufficiently clear to them, that when something unusual or untoward comes across their path the business gets to know about it, and gets the chance to investigate.
It doesn't seem that this can have happened in this case.
Do you need this data?
Before GDPR there did seem to be an attitude amongst some organisations to gather as much data as possible and then decide what to do with it afterwards. One of the benefits of GDPR is that there is now a potential cost to this kind of attitude, since every piece of data now has both a benefit and a risk to it.
Sheffield Council was clearly gathering number plate data as part of its enforcement of traffic and parking laws. But was indiscriminately gathering all journeys from all 100 cameras really serving this goal? If they restricted data gathering to only the times and areas that enforcement was in place, would the amount of data spilled, and therefore their inevitable fine from the Information Commissioner's Office, be much less?
That's for them to decide, not me, but the point is to say that every piece of data has a risk and reward, and all businesses need to seriously consider this balance before switching on funky features like ANPR.
Some of the reasons some of our customers use ANPR, and the limitations imposed, include:
- Managing site access to approved vehicles only (via camera + barrier combo). Vehicles on the road beyond the barrier can be seen by the camera, but number plates are not recorded until the barrier is approached.
- Monitoring an area beset by fly-tipping. Number plates of vehicles are recorded once fully turned off the main road and into the affected area. Records are kept for a limited time, just enough to allow for manual retrieval in case of an incident.
In effect, only gather what you need, only keep it for as long as you need it, and make sure you regularly return to the reasons that you need it, so if this changes, data gathering won't continue indefinitely without good reason.
Start with "Secure by Default", and record from there.
Whether Sheffield Council's ANPR system was delivered by the vendor as entirely lacking in access control is not entirely clear, but we know from the article the system was first installed in 2014, and although this isn't a long time ago, things have changed quite a lot since then.
The visual security (CCTV) industry has had an issue with a proliferation of cheap but powerful devices, in particular IP cameras, being home installed and being open to public access by default. Being plentiful, powerful and lacking in security, these devices were targeted by hackers to use in their attacks on businesses and individuals.
As a result the industry and British Government came together to launch the "Secure By Default" initiative. You can see our blog about it here, but it is in effect a kitemark initiative whereby products sold under the kitemark are certified to be secure from easy external attack if they are just turned on, connected and left.
By ensuring you only purchase Secure By Default products you can ensure a basic level of security from the start, making for a sound security foundation.
Now, it may be that you will need to loosen some of this security in order to enable, for instance, remote access to a camera dashboard, and this is where procedures and recording come in. You must make it your business to know who is requesting system security changes, why they need it, and whether loosening your overall security is sufficient payoff for the usability gains made. Otherwise all your good security can be undone, and you won't know when, why, and for how long this has been for.
I suspect this may be the boat in which Sheffield City Council finds itself right now.
I genuinely wish them good luck in recovering from this scandal, and if they want someone to come and build a properly secure system for them, they know where I am!