The consequences of a security breach can include loss of confidentiality, as well as compromised data integrity and availability. Any organization with IP-networked devices, including surveillance cameras, must address the vulnerabilities that an internet connection presents. Cybersecurity is, therefore, top of mind at Axis. As cybersecurity requires continuous vigilance and maintenance, the responsibility for maintaining security falls not only on manufacturers, but also on partners and customers, who must do their part to maximize protection.
In this article, we explain the Axis approach to cybersecurity, and why a shared and ongoing responsibility between all stakeholders is vital to maintaining it.
Cybersecurity built in: how Axis minimizes security risks
“Cybersecurity is a fundamental and natural part of the Axis DNA,” says Jonas Falk, Director Cybersecurity, Software Development at Axis. “It’s an integral part of everything we do, from new technology development, to our own day-to-day operations. At Axis, security considerations are addressed right from the start of a new product’s development process, and this focus continues throughout the product’s lifecycle.”
To make sure this happens, a dedicated Axis cybersecurity team, the Axis Software Security Group, has defined the Axis Security Development Model (ASDM) that guides development teams to minimize the risk of vulnerabilities in Axis products during design and implementation. The group guides the methodology and activities, including tests involving simulated cyberattacks, that help to improve the security of Axis products.
Most Axis networked devices are driven by AXIS OS, the Axis operating system. While AXIS OS drives the features of Axis products, it’s also designed to reduce the risk of vulnerabilities and improve security of products from deployment through to decommissioning. New AXIS OS versions for devices are made available on a continual basis, and they include the latest security patches and bug fixes.
“A significant step Axis took was transforming the development of software for devices from an individual approach for each product, to a software platform that today is the foundation for most Axis products,” says Andre Bastert, Global Product Manager AXIS OS Cybersecurity at Axis. “Focusing on a common platform based on AXIS OS means we can more readily ensure development and updates to enhance security in an efficient and timely fashion.”
A key aspect of Axis’ strength in cybersecurity also comes from the strong foundation provided through the hardware-based security platform called Axis Edge Vault. Edge Vault safeguards the integrity of Axis devices and enables the execution of operations requiring cryptographic keys. Edge Vault enhances supply chain protection and provides secure key storage. It also enables features such as signed video. Signed video adds a cryptographic checksum, enabling proof that the video has not been edited since it left the camera, which is particularly important in an investigation or prosecution.
Cybersecurity, however, cannot be achieved by developing new security features alone. A security foundation – with an overarching strategy comprising processes and policies that are implemented and improved over time – is necessary.
Having transparency in cybersecurity
“It’s important for customers to mitigate supply chain risks from networked products that are integrated into their systems, and at Axis, we believe that customers deserve to have transparency from their suppliers to help them mitigate risks,” says Andre. “It’s why we place such importance in being transparent, in areas such as the management of software vulnerabilities, in order to be a responsible partner in helping to protect our customers.”
Axis is approved as a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) for its products. The CVE Program provides the framework and tooling that enable organizations around the world to manage and disclose newly identified vulnerabilities. Joining the CVE Program testifies to the commitment of an organization to following ethical vulnerability management best practices with a focus on customers.
As part of Axis’ commitment to ensuring the cybersecurity of its products, the company has both internal and external resources testing the products to help improve security. Axis also facilitates a bug bounty program where security researchers who discover vulnerabilities in AXIS OS are eligible to receive a cash reward. When new vulnerabilities are discovered, Axis remedies the issues and publicly discloses them so customers can take timely and appropriate actions.
This transparent approach also extends to making a software bill of materials (SBOM) for AXIS OS openly available. The SBOM lists all software components that comprise the AXIS OS release and is freely accessible for review. These practical measures are also underpinned by ISO 27001 compliance.
Tools customers can use to optimize cybersecurity
Cyberthreats are continually evolving as cyber criminals learn and develop new techniques to penetrate defenses. This is why all stakeholders – manufacturers, partners, system integrators and end users – must not only share the responsibility for implementing cybersecurity measures, but also maintain them on an ongoing basis.
Axis supports partners and customers in this complex arena by strengthening cybersecurity in its offerings. This includes providing the guidance and tools to make it easier for customers to manage and operate Axis products in as secure a manner as possible.
Tools such as AXIS Device Manager and the complementary AXIS Device Manager Extend help customers efficiently set up and manage Axis products through their lifecycle. End users can use the tools to help implement cybersecurity policies, get alerts to new AXIS OS updates, and efficiently update product firmware.
“Axis can provide the technologies, tools and guidance to support our products, but they will not help if customers themselves, with help from the system integrator, don’t take the steps to actively and continually maintain their products’ security,” says Andre. “Everyone needs to do their part.”
Always keeping cybersecurity top of mind
As cybersecurity is a moving target, Axis maintains a continual focus on it.
“Cybersecurity is an essential part of daily activities at Axis,” says Jonas. “We are striving not only to provide products that have built-in security measures, but also to ensure that security processes are in place that govern our own operations and activities to help mitigate supply chain risks associated with our products.”