Ten years ago, the Global Surveillance disclosures demonstrated the severe consequences of a data breach. But it wasn’t just governments at risk; in 2014, bugs such as Heartbleed emerged, posing a threat to businesses and individuals. For IP-networked devices, including surveillance cameras, this period clearly showed the need to address inherent vulnerabilities.
Today, many partners and end users have made significant advances in their cybersecurity journey. But cybersecurity is a constantly moving target. For greater assurance, organizations should continue to partner with vendors that combine comprehensive cybersecurity policies and procedures with a transparent approach.
For some organizations, getting management to budget for cybersecurity can still be a challenge. Balanced against available budget and resources on the one hand, and cybersecurity risk on the other, understanding the full extent of the latter is crucial. Learning from an organization that has already been through the cybersecurity journey can be useful.
Today, Axis has come a long way since the start of our cybersecurity journey. We’ve reached a maturity level where cybersecurity is at the forefront of our offering and how we operate as a company. Sharing the journey we’ve taken on the path to maturity will hopefully provide useful lessons to help partners and end users develop a robust cybersecurity strategy.
Developing awareness
In 2014, Axis decided to define a strategy to focus and build maturity within cybersecurity. Up until that point, cybersecurity in the IP-based physical security market wasn’t on the agenda for most manufacturers, integrators, or end users. Before then, cybersecurity wasn’t a significant issue, as many systems were still analog, and even early digital networks weren’t generally connected to open networks.
However, internet protocol (IP) connectivity was the future for security cameras. The PC sector had previously gone through a maturing period in the early 2000s – then the challenges of 2013 struck. Axis had already begun to strengthen cybersecurity before this point though, as our cameras included basic security controls such as user management, HTTPS, and IP filtering. The Axis R&D team also performed basic security activities such as vulnerability scanning, and provided firmware updates, as well as "IEEE 802.1X network access control techniques. But the developing threat landscape demanded a new strategy.
Building maturity
The high-profile cybersecurity attacks of 2013 were a catalyst for greater focus by Axis on cybersecurity – the first company to do so within the video camera market. But at this point, we also began to receive questions from partners and customers about how to improve cybersecurity. As part of defining an initial cybersecurity strategy, in 2015 Axis published the first version of the Axis Hardening Guide to support partners and end users in securing their network, devices, and services.
An early realization in our increasing maturity was that cybersecurity could not be achieved by developing new security features alone. Strategy, processes, and policies also needed to be developed, improved, and maintained over time. This realization was gained in part by working with and learning from customers such as investment banks and security organizations who were already mature in their cybersecurity journey.
Transparency in vulnerabilities
At this stage of the cybersecurity journey, encounters with independent researchers also helped to advance our maturity. In 2016, an independent researcher discovered a critical vulnerability. We remediated the flaw and were recognized for our response and transparency. This situation also demonstrated the need for regular software updates, as well as the benefit of a single platform software, rather than maintaining multiple versions on different devices.
Through the development of policies and procedures, when another vulnerability was identified - the ‘Devil’s Ivy’ vulnerability located within gSOAP code, widely used in security industry products - it was quickly resolved. Wired magazine praised Axis for its transparency in early warning to competitors, as the vulnerability was discovered in an open-source package used by vendors to develop support for the ONVIF standard communication interface.
Significantly, our experience with independent researchers showed that cybersecurity needed to be prioritized. To help achieve this, we engaged with the Building Security in Maturity Model (BSIMM), a study of current software security initiatives or programs, evaluating the practices of organizations with mature cybersecurity.
Achieving maturity in cybersecurity
In 2017, these cybersecurity policies and procedures were formalized in the Axis Security Development Model (ASDM) that made cybersecurity integral to Axis software development. To ensure that all product development was based on best practices, the Axis Software Security Group (SSG) was also launched to work with Axis development engineers during design, development, and testing, to minimize the risk of vulnerabilities.
Prior experience had proved that transparency was also a fundamental requirement of robust cybersecurity. So, in 2017 we published the Axis Vulnerability Management Policy as a guarantee of a concerted effort at every stage of development to identify and mitigate potential vulnerabilities. At the same time, the volume of installed IP cameras on the market had by now grown exponentially. To enable efficient management updates to ensure cybersecurity, AXIS Device Manager and then AXIS Device Manager Extend, released later as an additional tool, began to take an increasingly important role.
Guiding organizations on their cybersecurity journey
Since 2019, thanks to the development of processes and dedicated teams, supported by the necessary resources, cybersecurity is an essential part of Axis’ day-to-day activities. While cybersecurity at Axis has reached a mature level, thanks to the learning experiences of our own journey, continual focus remains vital.
Guiding organizations on their own cybersecurity journey, it’s essential to underline the importance of building an understanding of the threats to develop policies and procedures, rather than focusing purely on cybersecurity product features. When this has been achieved, it’s crucial to remember that cybersecurity is an ongoing journey, with standing resources and expertise essential to maintain it.
As part of continual development, Axis has been approved as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) for Axis products and has recently launched a software bill of materials (SBOM) for AXIS OS. This also includes a private bug bounty program that strengthens Axis’ commitment to building professional relationships with external security researchers and ethical hackers. While openness and honesty build trust among partners, customers, and all stakeholders alike, this transparent approach helps to create the most effective defense.