Cyber security is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand.

Multiple vendors are offering a great number of solutions; however the choice and diversification perplexes customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cyber security.

Explosion-proof rated cameras

Customers are currently overwhelmed by the perpetual advertisement of products related to cyber security. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cyber security. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras.

For software, similar requirements exist but there is less clarity than with their counterparts

The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exist: in general, it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railway. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security.

Video management software

Furthermore, a device's firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the complete video surveillance system reliability. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities. Deploying a cyber-secure system is a challenging task under these ever-changing conditions.

Other aspects of security, such as mechanical, electrical or environmental are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducting the product requirements.

Video surveillance equipment

During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.

Several certification options are currently available on the market, and these can be placed in two main groups

The result of the lack of certainty that characterises software and the existence of complex standards that have a restricted competent audience is a professional market that is trying to incoherently fill this gap, by pursuing certifications and stamps or by adopting aggressive advertisement strategies, based on over-optimistic promises on product features.

Cyber security certification

Several certification options are currently available on the market, and these can be placed in two main groups:

  • System certification
  • Product certification

As the name suggests, system certification addresses cyber security at a system level. This group includes ISO27001, NIST SP 800-53° ISA/IEC62443-3 for example. In these frameworks, risks related to information management are evaluated across every aspect of the organisation: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers.

Video surveillance system

Since these certifications must be flexible to adapt to a heterogeneity of systems, they define frameworks to perform the system analysis and the assessment of the risks of such systems, but they do not punctually mandate explicit requirements. System certifications delegate the definition of such requirements to the organisation willing to achieve the certification. In contrast, product certifications are narrow in scope, targeting a single component subject to certification.

A single component can be a camera, a networking switch or video management software

A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria. It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system.

Cyber secure surveillance

Manufacturers should target product certifications and drive efforts to ease the integration of their products into the frameworks of system-level certification that is being pursued by their customers. Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements.

The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products. Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera.

New security feature

Software architecture must be flexible enough to guarantee integration into very different products

Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalogue. From the beginning of the DeLux project, two key points were immediately clear.

The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time it needs dedicated components that guarantee the un-exploitability of the device.

Accomplish video acquisition

For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit.

The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology.

Secure video surveillance

Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unconsciously added while the company proceed with software development. Every time Videotec adds a new feature in response to a suggestion for improvement by the company's customers or identification of an issue, it also updates the testing tools to increase the reliability of the company's products.

Videotec has yet to definitively choose a certification scheme for the DeLux technology

Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance system, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, they call this cyber-sustainability.

System-level security requirements

At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as the company search for a solution that will create value for the company’s customers without sacrificing the addition of new features on all products that make up the DeLux technology range.

Although Videotec is still exploring the best certification scheme for its software, this does not prevent the company from having a clear and active development path for the cyber security in their products. At Videotec, the following five principles are the basis for implementing cybersecurity in products:

  • Hardened software architecture to minimise the attack surface of the cameras
  • Constant updates and availability of new features, even on old products
  • Removal of predefined credentials in the products, to strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements
  • Contribution to the ONVIF Security Service specification, to push the industry shifting from usernames and password to X.509 certificates
  • Clear communication to customers, by avoiding fake marketing claims

Security service specifications

Videotec had an active role in the development of the ONVIF Profile Q specifications. Among other activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all.

Videotec is proposing extensions to the ONVIF Security Service specifications

Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers. Similarly, with regard to the commitment for the ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread the adoption of X.509 certificates to replace the usage of credentials.

Video surveillance market

Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.

Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications of international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical of environmental safety.

IP-based device

In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products

These instructions are meant to teach customers and stimulate their attention to aspects related to cyber security. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GPDR or any other rule. Cyber threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today.

In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals but also from malicious users.

Risk assessment analytics

Keeping these systems safe from cyber-threats is an activity that cannot be performed just by performing a risk assessment analytics during the commissioning phase - maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; also managing the effects of a system violation has a cost. Integrators and users must find the correct balance, to minimise expenses while keeping video surveillance systems updated and secure.

In order to make reduction of expenses related to maintenance and recovery plans easier, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers keeping their systems protected.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

In case you missed it

Thermal cameras and smart cities: Preventing COVID-19 in public places
Thermal cameras and smart cities: Preventing COVID-19 in public places

With the pandemic still in full swing and no certainty as to when exactly it will come to an end, the world has been battling anxiety for months now. And with each day, circumstances change quickly and almost make it impossible to predict what will happen next, how events will unfold, and what actions to take in light of a new situation. But one thing is certain: the world has been shut down and paralysed for way too long, and the eventual reopening is unavoidable – in fact, it’s well under way. In this situation, what is possible to control is how the world will continue reopening – and specifically, how to ensure the safest possible reopening that will ensure the return of some degree of normalcy to people’s lives and business operations, while also managing the risk of COVID’s spread in the most efficient way. Our highly digitised, technologically advanced world This is when the power of technology comes to rescue the day: what truly sets the global crisis we face today apart from other calamities that humanity has encountered over year is the fact that it has developed in a highly digitised, technologically advanced world where each day brings about innovations with a sole purpose to make daily life and operations easier and more streamlined. And among these, the star of the past decade has been artificial intelligence. The world has been shut down and paralysed for way too long, and the eventual reopening is unavoidable – in fact, it’s well under way While AI has many avenues of introducing efficiency and fast problem-solving, there is one specific application that will further fuel the reopening of the world and successfully keep the spread of the virus abate. This “collaborative security” application includes a synthesis of smart video analytics, facial recognition, object identification/detection, and thermal cameras that can support the reopening of businesses globally when installed within those facilities frequented by customers. With such a level of sophistication that can ensure uninterrupted monitoring and analysis of large public spaces, these AI technologies can ideally operate best as cloud solutions to ensure a collaborative network with maximum scalability and widespread implementation. As these technologies increase in ubiquity and find their way into daily operations of businesses globally, the cost of the smart solutions will decrease proportionally to the growth of their reach. There are some highly specific ways to create this collaborative network of interconnected safety tools in the current climate. Here are some applications that have been successful to date and will increase in usability in the foreseeable future, creating “smart cities” working together towards a safer, more secure world. Maintaining social distancing practices The most important step everyone around the world has taken to contribute to the effort of slowing the spread of the virus has been social distancing. A six-foot-distance has become a new social norm that has quickly been adopted globally and become a habit to people who are naturally used to being close to others and socialising without giving distance a second thought. The star of the past decade has been artificial intelligence So, it is natural that such distancing measures take time to get accustomed to – and it is also natural that individuals may forget about them from time to time. To help maintain the six-foot distance between people at all times and give them slight nudges to keep the rule top of their minds, AI video technology can be trained to estimate the distance between individuals in public and commercial areas and identify the cases in which people get too close to each other. By notifying local merchants or authorities about such cases, the system can help ensure the safety of everyone in the area at all times while positively reinforcing the public to gradually get more accustomed to maintaining the distance and thus helping stop the spread of the virus. Detecting the virus through facial recognition Perhaps the straightforward application of such high-level technology is using video surveillance to identify persons of interest who have tested positive for the virus. Modern AI has the ability to identify facial features and characteristics with a unique level of granularity, making it possible to identify individuals whose records show they have antibodies from those who can be potential carriers of the virus. After the initial differentiation and identification, the system can then notify the employers and employees of the facility about the results of the conducted analysis and the pursuant results, allowing them to be more vigilant and take action where necessary to ensure a safe experience for everyone. PPE reinforcement Wearing a mask or some sort of face coverage in public spaces and especially within facilities (such as stores, for instance) has been - and will continue to be - a requirement for maintaining a safe and healthy environment for people to continue with their day-to-day lives and businesses to resume regular operations. To this extent, the object detection and identification abilities of smart cameras can further reinforce this requirement and ensure that the absence of protective equipment doesn’t go unnoticed.  Essentially, these cameras can easily identify if an individual has coverage at any given point of time or not, notifying the local authorities about any risks immediately and helping them maintain necessary safety measures without having to interrupt their workflow or worry about missing a visitor without a mask. Detecting high temperature One of the key (and the most widespread) symptoms of COVID-19 is a high fever - a certain indicator of whether an individual may have been infected with the virus or not. While identifying fever with a regular human eye is nearly impossible, AI can do so at a fraction of time by quickly scanning body temperatures of any incoming individuals and determine whether it’s above CDC’s recommended temperature of 100.4F in order to determine the risk factor and notify the local authorities to take action. Modern AI has the ability to identify facial features and characteristics with a unique level of granularity This technology is a good tactic to objectively assess potential risks that come with elevated temperatures - and sometimes, the people themselves might not realise they might (unconsciously) be carriers of the virus and thus endanger the safety of others in their vicinity. The technology is yet another step towards ensuring a safer reopening of the global economy and a more streamlined way of getting back on track while minimising the risk of spreading the virus further. It’s not all about the theory  We have tested the described approaches in our own R&D campus in Europe. The latest release of the IREX cloud enables remote fever detection and monitoring of social isolation and mask policies with AI. We have integrated thermal cameras to detect people with elevated temperature and CCTV cameras for identification and notifying those who potentially ill. In case of any health threat, the venue manager gets an instant message with a picture and exact location. These preventive steps helped our employees return to the office months earlier than it's happening in other countries. Moreover, personnel coming back to the office by their own wish as now they feel a virus-free environment in the campus - even safer than in their own homes. Now we are launching a pilot project for a well-known pharmacy chain in Florida, USA. With the help of a Computer Vision platform, staff will be able to divide customer traffic into those with normal body temperature and those who come in with elevated temperatures, as well as effectively monitor social distance norms. The goal of our potential client is to maximise the safety of customers in the post-pandemic period. Also, IREX is already deployed across hundreds of locations in the UK and will add health monitoring capability soon.

Why cloud-enabled physical security must be part of your long-term digital strategy
Why cloud-enabled physical security must be part of your long-term digital strategy

COVID-19 and the resultant lockdown saw an unprecedented demand for cloud-enabled technologies across Europe. Such services enabled people to stay connected and allowed some businesses to relocate personnel and continue to operate successfully. With enterprise-focused video conferencing mobile app downloads showing a weekly 90% increase in comparison to pre-COVID-19 figures, it’s clear that cloud services have proven invaluable in these challenging times. Now, as the benefits to business of cloud technology become apparent, and the grip of COVID-19 begins to loosen, senior decision makers must consider the learnings from the past few months and look to apply them to boost productivity, streamline costs or become more agile in the long term. Digital transformation presents some enticing advantages for those companies that have been slow to adapt. The physical security industry, traditionally video surveillance cameras (CCTV) and access control, will have witnessed how cloud infrastructure is not only cost effective and safe, but is a force multiplier for connecting platforms, services and people with potent business benefits. The future is VSaaS and ACaaS In today’s modern, connected world, dated technologies are giving way to their cloud-enabled successors, video surveillance as-a-service (VSaaS) and access control as-a-service (ACaaS). In this context, cameras and readers are added to a network as IoT devices that bring security systems up to date and represent a vital component in any modern, cyber-secure digital strategy. Frictionless access control has meant touch free access to buildings But better security is just one benefit of a much greater system that can bring real value. Built in analytics, for example, that utilise the data from network video cameras and smart access control devices, produce valuable business insights that help to inform and automate decision making. In the recent pandemic, frictionless access control has meant touch free access to buildings; while occupancy tools have helped retailers adhere to strict government guidelines on social distancing. And as more security equipment becomes connected to the wider IT network, the advantages have not been lost on the IT industry that is expressing more than a passing interest in the adoption and management of such systems. Morphean recently conducted a survey of 1000 IT decision makers across the UK and Europe, with the purpose of providing clarity around their security purchasing intent in the 2020s. Findings revealed that as many as 84% of IT managers are currently using or considering VSaaS or ACaaS systems, pointing to an appreciation of the convergence of physical security and IT security, and a willingness to embrace systems when integrated with IT in the cloud. An adaptable business model with recurring revenues Of course, it is not just the IT industry that is changing mindsets towards hosted physical security. As a result of COVID-19, end customers are demanding it too and found it easier to scale at speed when business circumstances changed. Rather than being tied to fixed IT infrastructure on premises, a hosted solution offered greater dexterity as operational challenges around the pandemic arose. Businesses were able to customise and scale quickly to meet ongoing need without the need for large upfront capital investment, instead, paying for the convenience as-a-service out of operational expenditure as a monthly cost. This is the proven business model of cloud, yet the security industry has been slow to adopt it. One key challenge is the way in which the prevalent business models in the sector operate. VSaaS is still alien to installers and integrators used to selling hardware on narrow margins, reliant on existing financial arrangements with distributors to fund new equipment. Transitioning to sales cycles based on monthly licences rather than up-front purchases won’t be easy, but the security channel must learn how if it is to remain competitive and drive new business opportunities. This recurring revenue model will be interesting for the physical security industry who will have witnessed uncertainty and, in some cases, a downturn in revenues as decisions around capital expenditure were put on hold during the crisis. Instead, convenient and recurring monthly payments will have put the installer on a firmer footing and guaranteed ongoing vendor support backed by the latest software updates and firmware upgrades to ensure delivery of a high quality service that’s always up to date and online. What is driving your digital strategy? VSaaS and ACaaS provide a flexible and fluid security and business solution Cloud is here to stay. Its resilience and ability to connect the world during the COVID-19 pandemic has proved its worth, even to the uninitiated who have now witnessed first-hand the value of connected systems. VSaaS and ACaaS provide a flexible and fluid security and business solution to meet the demands of a rapidly evolving industry, where the changing threat landscape means investing in the cloud is an investment towards success. CEOs and CIOs within the physical security reseller industry must learn the lessons and apply the learnings to drive their businesses forward in the ‘new normal’ where hosted security solutions must surely play a major part to expand their offering to a wiser customer base. Cloud-enabled physical security solutions represent an investment into improving security and operations, and a chance to forge new business relationships to face the challenges of an ever changing world.

Facial recognition: Contactless solutions for a safe, post-pandemic world
Facial recognition: Contactless solutions for a safe, post-pandemic world

Facial recognition technology has come a long way since it first came to market several years ago. Initially plagued with technical challenges and widely viewed as a futuristic solution, facial recognition is now firmly implanted in numerous consumer and business products and applications. New advancement in software, specifically in the areas of algorithms, neural networks and deep learning and/or artificial intelligence (AI), have all dramatically improved both the performance and accuracy of facial recognition, further expanding its use for an increasing number of applications. From a purely business perspective, facial recognition’s powerful identification and authentication capabilities make it ideal for two primary applications: first as a security tool, and second as a workforce management solution. The touchless, accurate credential solution Facial recognition readers meet the new emerging need to limit physical exposure to germs and viruses Even before the COVID-19 pandemic, the touchless nature of facial recognition as an access credential was gaining traction with physical and cyber security professionals. By using an individual’s face as an access control credential, facial recognition eliminates the need and expense of physical cards and proximity devices, or the need to physically enter PIN codes. In addition, facial recognition readers meet the new emerging need to limit physical exposure to germs and viruses by offering a highly accurate touchless access control credentialing solution. As a workforce management tool, facial recognition helps preserve the health of employees checking into work, while providing management with an infallible means of documenting employee time and attendance while providing a detailed history of overall workforce activity and individual personnel tracking. Both of which have been longstanding challenges due to easily compromised time tracking systems and practices. Now, nothing is left to question based on hard data. With the growing popularity of facial recognition technology, there are many choices already available with more undoubtedly on the way. Selecting the right solution for your specific access control and/or workforce management application is dependent on a very wide range of variables. But there are a few core characteristics that you should look for when evaluating facial recognition readers. Wide and near-angle LEDs Most facial recognition terminals employ some form of IR (Infrared) technology to help ensure high visibility by the unit’s image sensor. This often limits where the unit can be installed such as outdoors or near windows due to strong ambient light. More advanced facial recognition readers employ as many as 80 wide-angle near infrared LEDs and 60 narrow-angle near infrared LEDs, allowing the unit to recognise faces even in full daylight and brightly lit environments (not direct sun). This enables installation at indoor locations near windows, lobbies and building entries. 3D pixel intensity distribution analysis Another facial recognition reader advancement to look for involves three-dimensional pixel intensity analysis. Ambient lighting contains ultraviolet rays which can negate near infrared LED lighting, and can also cast shadows making it difficult for a facial recognition reader to pinpoint the facial recognition points required for identification and authentication. Three-dimensional pixel intensity distribution analysis minimises the effects of ambient light when acquiring facial images by minimising lighting contrasts. As a result, it is easier for the algorithm to recognise the shape of the face, enabling it to extract more facial features and create higher quality face templates, which are critical for accurate facial recognition. Functional ergonomics This results in a faster, more comfortable, and convenient user experience The angle and position of a facial recognition reader directly impact the performance of the unit. Facial recognition readers with different viewing angles for built-in visual and infrared cameras allows users to stand at positions that are most suitable for facial recognition with little or no effort of contortions. This results in a faster, more comfortable, and convenient user experience. High performance processing Like any intelligent edge device, the performance of a facial recognition solution is directly reliant on its processing power. New advanced facial recognition readers deliver exceptional performance by employing enhanced face template extraction technology combined with powerful processor. For example, a facial recognition reader with a 1.4 GHz quad-core processor can perform up to 3,000 facial database matches (1:N) within one second. More advanced solutions also feature Group Matching functionality capable of executing up to 30,000 matches within one second. Live face detection It is most important that the facial recognition readers you evaluate are capable of analysing faces in real time to maintain fluid entry/egress even during high volumes of employee traffic. Hardware-dependent live face detection systems employing technologies such as facial thermogram recognition and facial vein recognition require expensive hardware components, provide less accurate matches and slower authentication performance, which is counterintuitive for mainstream access control and workforce management applications. Dual authentication for added security Although the use of an advanced facial recognition reader provides the convenience, health benefits and cost-savings of touchless identification and authentication, there are many applications where more than one credential may be necessary to ensure the highest levels of security. Advanced facial recognition readers with multimodal, multifactor credentialing capabilities provide this added security benefit. For example, facial recognition readers that support multiple RFID proximity devices supporting 125 kHz and 13.56 MHz provide varying degrees of protection and greater implementation versatility. Videophone or intercom capabilities Facial recognition readers with multifunctionality can solve several challenges with one solution Facial recognition readers with multifunctionality can solve several challenges with one solution. A perfect example includes devices with SIP (session initiation protocol) videophone capabilities which effectively eliminate the need and associated expense of  installing separate intercom devices while adding another layer of security to one’s facility. The COVID-19 pandemic, and hopefully soon to follow post-pandemic world, have surely accelerated the need for highly accurate, cost-efficient, and reliable facial recognition technologies to help get people back to work safely. Selecting the right facial recognition solution for your specific access control and/or workforce management is now more important than ever before, making a little extra due diligence during the evaluation process a smart decision.