Cyber security is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand.

Multiple vendors are offering a great number of solutions; however the choice and diversification perplexes customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cyber security.

Explosion-proof rated cameras

Customers are currently overwhelmed by the perpetual advertisement of products related to cyber security. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cyber security. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras.

For software, similar requirements exist but there is less clarity than with their counterparts

The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exist: in general, it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railway. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security.

Video management software

Furthermore, a device's firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the complete video surveillance system reliability. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities. Deploying a cyber-secure system is a challenging task under these ever-changing conditions.

Other aspects of security, such as mechanical, electrical or environmental are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducting the product requirements.

Video surveillance equipment

During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.

Several certification options are currently available on the market, and these can be placed in two main groups

The result of the lack of certainty that characterises software and the existence of complex standards that have a restricted competent audience is a professional market that is trying to incoherently fill this gap, by pursuing certifications and stamps or by adopting aggressive advertisement strategies, based on over-optimistic promises on product features.

Cyber security certification

Several certification options are currently available on the market, and these can be placed in two main groups:

  • System certification
  • Product certification

As the name suggests, system certification addresses cyber security at a system level. This group includes ISO27001, NIST SP 800-53° ISA/IEC62443-3 for example. In these frameworks, risks related to information management are evaluated across every aspect of the organisation: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers.

Video surveillance system

Since these certifications must be flexible to adapt to a heterogeneity of systems, they define frameworks to perform the system analysis and the assessment of the risks of such systems, but they do not punctually mandate explicit requirements. System certifications delegate the definition of such requirements to the organisation willing to achieve the certification. In contrast, product certifications are narrow in scope, targeting a single component subject to certification.

A single component can be a camera, a networking switch or video management software

A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria. It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system.

Cyber secure surveillance

Manufacturers should target product certifications and drive efforts to ease the integration of their products into the frameworks of system-level certification that is being pursued by their customers. Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements.

The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products. Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera.

New security feature

Software architecture must be flexible enough to guarantee integration into very different products

Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalogue. From the beginning of the DeLux project, two key points were immediately clear.

The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time it needs dedicated components that guarantee the un-exploitability of the device.

Accomplish video acquisition

For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit.

The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology.

Secure video surveillance

Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unconsciously added while the company proceed with software development. Every time Videotec adds a new feature in response to a suggestion for improvement by the company's customers or identification of an issue, it also updates the testing tools to increase the reliability of the company's products.

Videotec has yet to definitively choose a certification scheme for the DeLux technology

Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance system, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, they call this cyber-sustainability.

System-level security requirements

At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as the company search for a solution that will create value for the company’s customers without sacrificing the addition of new features on all products that make up the DeLux technology range.

Although Videotec is still exploring the best certification scheme for its software, this does not prevent the company from having a clear and active development path for the cyber security in their products. At Videotec, the following five principles are the basis for implementing cybersecurity in products:

  • Hardened software architecture to minimise the attack surface of the cameras
  • Constant updates and availability of new features, even on old products
  • Removal of predefined credentials in the products, to strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements
  • Contribution to the ONVIF Security Service specification, to push the industry shifting from usernames and password to X.509 certificates
  • Clear communication to customers, by avoiding fake marketing claims

Security service specifications

Videotec had an active role in the development of the ONVIF Profile Q specifications. Among other activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all.

Videotec is proposing extensions to the ONVIF Security Service specifications

Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers. Similarly, with regard to the commitment for the ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread the adoption of X.509 certificates to replace the usage of credentials.

Video surveillance market

Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.

Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications of international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical of environmental safety.

IP-based device

In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products

These instructions are meant to teach customers and stimulate their attention to aspects related to cyber security. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GPDR or any other rule. Cyber threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today.

In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals but also from malicious users.

Risk assessment analytics

Keeping these systems safe from cyber-threats is an activity that cannot be performed just by performing a risk assessment analytics during the commissioning phase - maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; also managing the effects of a system violation has a cost. Integrators and users must find the correct balance, to minimise expenses while keeping video surveillance systems updated and secure.

In order to make reduction of expenses related to maintenance and recovery plans easier, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers keeping their systems protected.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

Wire-free, mobile first and data rich? The future of access control is within almost anyone’s reach
Wire-free, mobile first and data rich? The future of access control is within almost anyone’s reach

The 2020s will be a wireless decade in access control, says Russell Wagstaff from ASSA ABLOY Opening Solutions EMEA. He examines the trends data, and looks beyond mobile keys to brand new security roles for the smartphone. The benefits of wire-free electronic access control are well rehearsed. They are also more relevant than ever. A wireless solution gives facility managers deeper, more flexible control over who should have access, where and when, because installing, operating and integrating them is easier and less expensive than wiring more doors. Battery powered locks Many procurement teams are now aware of these cost advantages, but perhaps not their scale. Research for an ASSA ABLOY Opening Solutions (AAOS) benchmarking exercise found installation stage to be the largest contributor to cost reduction. Comparing a typical installation of battery-powered Aperio locks versus wired locks at the same scale, the research projected an 80% saving in installers’ labour costs for customers who go cable-free. Battery powered locks all consume much less energy than traditional wired locks Operating costs are also lower for wireless: Battery powered locks all consume much less energy than traditional wired locks, which normally work via magnets connected permanently to electricity. Wireless locks only ‘wake up’ when presented with a credential for which they must make an access decision. AAOS estimated a 70% saving in energy use over a comparable lock’s lifetime. Find out more about wireless access control at ASSA ABLOY's upcoming 29th June webinar Deploying wireless locks In short, every time a business chooses a wireless lock rather than a wired door, they benefit from both installation and operating cost savings. A recent report from IFSEC Global, AAOS and Omdia reveals the extent to which the advantages of wireless are cutting through. Responses to a large survey of security professionals — end-users, installers, integrators and consultants serving large corporations and small- to medium-sized organisations in education, healthcare, industrial, commercial, infrastructure, retail, banking and other sectors — suggest almost four locations in ten (38%) have now deployed wireless locks as a part or the whole of their access solution. The corresponding data point from AAOS’s 2014 Report was 23%. Electronic access control Electronic access control is less dependent than ever on cabling Without doubt, electronic access control is less dependent than ever on cabling: Even after a year when many investments have been deferred or curtailed, the data reveals fast-growing adoption of wireless locks, technologies and systems. Is mobile access control — based on digital credentials or ‘virtual keys’ stored on a smartphone — an ideal security technology for this wire-free future? In fact, the same report finds mobile access is growing fast right now. Among those surveyed, 26% of end-users already offer mobile compatibility; 39% plan to roll out mobile access within two years. Before the mid-2020s, around two-thirds of access systems will employ the smartphone in some way. The smartphone is also convenient for gathering system insights Driving rapid adoption What is driving such rapid adoption? The convenience benefits for everyday users are obvious — witness the mobile boom in banking and payments, travel or event ticketing, transport, food delivery and countless more areas of modern life. Access control is a natural fit. If you have your phone, you are already carrying your keys: What could be easier? IBM forecasts that 1.87 billion people globally will be mobile workers by 2022 Less often discussed are the ways mobile management makes life easier for facility and security managers, too. Among those polled for the new Wireless Access Control Report, almost half (47%) agreed that ‘Mobile was more flexible than physical credentials, and 36% believe that mobile credentials make it easier to upgrade employee access rights at any time.’ IBM forecasts that 1.87 billion people globally will be mobile workers by 2022. Workers in every impacted sector require solutions which can get the job done from anywhere: Access management via smartphone offers this. Site management device The smartphone is also convenient for gathering system insights. For example, one new reporting and analytics tool for CLIQ key-based access control systems uses an app to collect, visualise and evaluate access data. Security system data could contribute to business success. The app’s clear, visual layout helps managers to instantly spot relevant trends, anomalies or patterns. It’s simple to export, to share insights across the business. Reinvented for learning — not just as a ‘key’ or site management device — the phone will help businesses make smarter, data-informed decisions. The smartphone will also play a major role in security — and everything else — for an exciting new generation of smart buildings. These buildings will derive their intelligence from interoperability. Over 90% of the report’s survey respondents highlighted the importance of integration across building functions including access control, CCTV, alarm and visitor management systems. Genuinely seamless integration They offer greater peace of mind than proprietary solutions which ‘lock you in’ for the long term Yet in practice, stumbling blocks remain on the road to deeper, genuinely seamless integration. More than a quarter of those polled felt held back by a lack of solutions developed to open standards. ‘Open standards are key for the momentum behind the shift towards system integration,’ notes the Report. As well as being more flexible, open solutions are better futureproofed. Shared standards ensure investments can be made today with confidence that hardware and firmware may be built on seamlessly in the future. They offer greater peace of mind than proprietary solutions which ‘lock you in’ for the long term. Open solutions and mobile management are critical to achieving the goals which end-users in every vertical are chasing: scalability, flexibility, sustainability, cost-efficiency and convenience.

What are the latest trends in perimeter security technology?
What are the latest trends in perimeter security technology?

Perimeter security is the first line of defence against intruders entering a business or premises. Traditionally associated with low-tech options such as fencing, the field of perimeter security has expanded in recent years and now encompasses a range of high-tech options. We asked this week’s Expert Panel Roundtable: What are the latest trends in perimeter security technology?

Secure access control is helping to shape the post-pandemic world
Secure access control is helping to shape the post-pandemic world

With the continued rolling back of COVID restrictions in the UK, there is a palpable sense of relief. A mixture of mass vaccinations, widespread testing, and track and tracing of the infection is helping to enable a healthy bounce back for businesses – with secure access control taking an important role in facilitating this. However, rather than just being a reaction to the wake of the pandemic, there is every sign that the economy, and consequently the security sector as well, are both rebuilding and reshaping for the long-term new normal. Prioritising Safety Already deemed an essential service even during the first wave of the pandemic, the security industry has of course taken a vital role in protecting people and property throughout the crisis. Now that venues in the UK are starting to reopen again, our services are key to occupancy management and ensuring that disease transmission is limited as far as possible. Access control is also key in reassuring people that their safety is a priority. Making the upgrade It’s all been about choosing the most suitable components and technology that already existed with a few “tweaks”  Businesses and organisations have a duty of care to their employees and the safety of visitors – so controlling access, employing lateral flow testing, and deploying suitable Track & Trace mechanisms are all key components. I think those outside our industry are surprised to learn that most of the technology being deployed and used hasn’t just magically developed since COVID appeared – it’s all been about choosing the most suitable components and technology that already existed albeit with a few development “tweaks” or adjustments for the situation at hand. This includes using or installing facial recognition readers rather than using fingerprint or contact tokens, it is swapping to automatic request to exit sensors instead of buttons; it is using powered secure doors rather than having people all grab the same handle. Using mobile credentials is also a key technology choice – why not use the highly secure, easy to manage, cost-effective, and of course contact-free benefits of this approach? Touchless solutions We have seen a clear shift in organisations looking to protect their staff and visitors. For instance, we have a big utility customer in Southeast Asia that has just replaced close to 200 sites using fingerprint readers with an additional facial recognition capability. We have also seen a big rise in demand for touchless request to exit sensors and Bluetooth Low Energy Readers for use with smartphone authentication. Working together Integration of security systems is of course nothing new, but in the post-pandemic or endemic age, it has perhaps never been more important. Installations need to be simple, straightforward, and rapid to help maintain safe distancing but also to ensure systems can be deployed as soon as they are needed. The world is changing and developing rapidly and there is simply no place for systems that don’t work with others or cause the end-user considerable cost and inconvenience to upgrade. This flexible delivery of security solutions perfectly matches the evolving and increasing demands of the market. It’s clear that end-users want systems that work well and can easily integrate with their existing systems – not only security but all the other business components which work in unison with each other over a shared network. Great opportunities ahead The recent work-from-home trend is also clearly changing the way organisations and businesses interact with the built environment. Lots of companies are downsizing, offices are being split up, there is lots of revitalisation and reuse of existing office space – all of which creates considerable opportunities for security providers. UK inflation more than doubled in April 2021 with unemployment figures dropping and the Pound rising in value There are also, in the UK at least, clear signs that the construction industry is rapidly growing again -with a forecast of 8% rebound and growth this year. UK inflation more than doubled in April 2021 with unemployment figures dropping and the Pound rising in value – all positive signs for UK-based security providers. Undoubtedly the highly successful UK vaccination rollout has helped considerably, but there are signs that the Eurozone looks set to improve considerably over the next few months as well. Using integrated access control Undoubtedly the pandemic has made security markets around the world more aware of the benefits of integrated access control in managing the needs of the new normal COVID endemic environment. For example, as a business, we have always had keen interest from the UK healthcare sector, but over the last 12 months, we have seen a big growth in previously modest international markets including Morocco, Kuwait, Bahrain, Thailand, Singapore, Hong Kong, and Thailand – all of which are very keen to adopt improved access control solutions. Learning the lessons Nobody would deny the last year or so has been unprecedentedly tough on everyone, as a society we have had to make huge changes and sacrifices. Governments, organisations, and businesses all need to be better prepared in the future, to understand the things that went wrong and those that were successful. However, there is a world beyond the immediate pandemic and its effects. Flexible working practices and the changes these will have to the way we live and work will undoubtedly present great opportunities for the security sector in helping the world evolve. The pandemic has been a wake-up call for many organisations with regards to their duty of care to employees – particularly when it comes to mental health and providing a sensible work/life balance. Where we work and the safety of these facilities has received far more scrutiny than before. Flexible security systems Integrated security solutions have a vital role to play in not only protecting the safety of people during the post-lockdown return to work but also in the evolution of the built environment and move towards smart cities - which inevitably will now need to consider greater flexibility in securing home working spaces rather than just traditional places of work. Importantly, powerful access control and integrated security systems need to be flexible to the uncertainties ahead. The COVID pandemic has shown that nothing can be considered certain, except the need for greater flexibility and resilience in the way we operate our professional and personal interactions.