Development of cyber-sustainable video surveillance systems

Abstract

Cyber security is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand. Multiple vendors are offering a great number of solutions, however the choice and diversification perplexes customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cyber security.

Introduction

Customers are currently overwhelmed by the perpetual advertisement of products related to cyber security. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cybersecurity. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras. The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exist: in general it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railway. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security. Furthermore, a device's firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the complete video surveillance system reliability. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities.

Deploying a cyber-secure system is a challenging task under these ever-changing conditions. Other aspects of security, such as mechanical, electrical or environmental are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducting the product requirements. During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.

The result of the lack of certainty that characterizes software and the existence of complex standards that have a restricted competent audience is a professional market that is trying to incoherently fill this gap, by pursuing certifications and stamps or by adopting aggressive advertisement strategies, based on over-optimistic promises on product features.

Orientation between different cyber-security certification options

Several certification options are currently available on the market, and these can be placed in two main groups:

● System certification

● Product certification

As the name suggests, system certification addresses cyber-security at a system level. This group includes ISO27001, NIST SP 800-53° ISA/IEC62443-3 for example. In these frameworks, risks related to information management are evaluated across every aspect of the organization: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers. Since these certifications must be flexible to adapt to a heterogeneity of systems, they define frameworks to perform the system analysis and the assessment of the risks of such systems, but they do not punctually mandate explicit requirements. System certifications delegate the definition of such requirements to the organization willing to achieve the certification.

In contrast, product certifications are narrow in scope, targeting a single component subject to certification. A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria.

It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system. Manufacturers should target product certifications and drive efforts to ease the integration of their products into the frameworks of system-level certification that is being pursued by their customers.

Videotec's strategy for cyber-secure video surveillance systems

Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements. The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products.

Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera. Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalogue.

From the beginning of the DeLux project, two key points were immediately clear.

The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time it needs dedicated components that guarantee the un-exploitability of the device. For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit.

The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology. Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unconsciously added while we proceed with software development. Every time Videotec adds a new feature in response to a suggestion for improvement by our customers or identification of an issue, it also updates the testing tools to increase the reliability of our products.

Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance system, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, we call this cyber-sustainability.

At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as we search for a solution that will create value for our customers without sacrificing the addition of new features on all products that make up the DeLux technology range.

Although Videotec is still exploring the best certification scheme for its software, this does not prevent us from having a clear and active development path for the cyber-security in our products. At Videotec, the following five principles are the basis for implementing cyber-security in products:

● Hardened software architecture to minimize the attack surface of the cameras;

● Constant updates and availability of new features, even on old products;

● Removal of predefined credentials in the products, to strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements;

● Contribution to the ONVIF Security Service specification, to push the industry shifting from usernames and password to X.509 certificates;

● Clear communication to customers, by avoiding fake marketing claims.

Videotec had an active role in the development of the ONVIF Profile Q specifications. Among other activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all. Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers.

Similarly, with regard to the commitment for the ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread the adoption of X.509 certificates to replace the usage of credentials. Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.

Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications of international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical of environmental safety. These instructions are meant to teach customers and stimulate their attention to aspects related to cyber-security. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GPDR or any other rule.

Conclusions

Cyber-threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today. In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals but also from malicious users.

Keeping these systems safe from cyber-threats is an activity that cannot be performed just by performing a risk assessment analytics during the commissioning phase - maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; also managing the effects of a system violation has a cost. Integrators and users must find the correct balance, to minimize expenses while keeping video surveillance systems updated and secure. In order to make reduction of expenses related to maintenance and recovery plans easier, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers keeping their systems protected.

.

other news
Videotec Joins Motorola Solutions
Read
MAXIMUS MPXL SERIES2 and MAXIMUS MLX, for the surveillance of environments with explosive atmosphere and poor lighting
Read
VIDEOTEC celebrates 10 years of ONVIF membership
Read
POR-FESR/Regione Veneto NEWS
Read
ULISSE EVO DUAL, the new PTZ network camera with dual thermal and Full HD sensors
Read
Videotec Digital Event #3
Read
Explosion-proof camera MAXIMUS MVX with SONY FCB-EV7520
Read
New models available for MAXIMUS MPX SERIES2 and NVX
Read
COMB: the new polycarbonate communication box
Read
COVID-19 Videotec Communication
Read
New firmware release 4.0 for Videotec cameras
Read
VIDEOTEC DIGITAL EVENT 2
Read
S2D, Securing Smartbuilding Devices
Read
NVX now with video analysis and advanced GeoMove functions
Read
NXPTZ SERIES2, the new PTZ cameras for the harshest conditions
Read
Important new features for Videotec cameras with the firmware update
Read
Videotec Digital Event
Read
MAXIMUS MPXT-SERIES2: new IP Dual Vision Ex-Proof PTZ
Read
ULISSE EVO gets SMARTER with onboard Videotec Analytics
Read
MAXIMUS MPX SERIES2: next-generation of ex-proof PTZ
Read
New firmware release for Videotec cameras
Read
Videotec and Sony: integrated technology for top-performing surveillance
Read
Videotec ULISSE2 and SONY SNC-VB770 integrated solution for colour images in the dark
Read
Now available BIS and the CCOE/PESO Certifications for Indian market
Read
Fujifilm and Videotec join forces to offer a solution for long-range surveillance
Read
ULISSE EVO THERMAL: preventive perimeter protection 24/7
Read
MBX stainless steel explosion proof communication box
Read
MVXT thermal camera enhanced with radiometric functions
Read
NTX: Videotec’s new IP68 radiometric thermal cameras
Read
ULISSE EVO: the next stage of PTZ camera evolution
Read
New Level of Protection for Critical Infrastructure with the Integration of SpotterRF and Videotec's Systems
Read
New FULL HD corrosion-resistant camera with DELUX technology, for exceptional night-time vision
Read
BIM library now available for Videotec products
Read
New ex-proof communication box from Videotec
Read
Videotec's DELUX technology is now available in cameras for the Marine and Oil & Gas sectors.
Read
ULISSE COMPACT with new DELUX technology for day/night vision with exceptional night brightness
Read
Videotec cameras have attained Lloyd’s Register certification for Marine applications
Read
VIDEOTEC Joins Ameristar Perimeter Security’s Perimeter InSite Initiative for Complete Perimeter Security Solutions
Read
Schio, Italy: 14 ULISSE COMPACT HD cameras in sensitive areas
Read
Surveillance system using Maximus cameras in Mexican refineries
Read
Surveillance system using Maximus cameras in Indonesian refineries
Read
Success of Videotec Products on Russian Roads
Read
Ulisse Compact Thermal protects the border in Vietnam
Read
Videotec co-hosts “Perimeter Security Roadshows” across North-America
Read
Videotec's camera helps in strictly regulated cannabis industry
Read
Chilean mine uses NXM housings in monitoring of heavy-duty tasks
Read
New competitive Full HD ex-proof camera
Read
The Videotec A&E Security Consultants Program
Read
VIDEOTEC is committed to the environment
Read
Maximum protection for airports thanks to an advanced, integrated system from Crisma Security and Videotec
Read
SightLogix SightTracker Automatically Steers Videotec IP PTZ Cameras
Read
ULISSE COMPACT HD chosen to monitor a strategic bridge in Kuwait
Read
ULISSE COMPACT HD cameras commissioned to keep watch over a Korean airport
Read
Japanese underwater unit that uses NXM housings
Read
Explosion-proof MHX housings used at a refinery in Taiwan
Read
ULISSE COMPACT THERMAL, protector of a military base in Italy
Read
Cameras using Videotec's NXM housing keep watch on the underwater ecosystem of Okinawa, Japan
Read
ULISSE COMPACT HD: Monitoring Taiwan's high speed railway
Read
MPX chosen for safety at a chemical plant in Japan
Read
Videotec employed on Russian roads
Read
ULISSE COMPACT HD chosen for windfarms in South Korea
Read
NXPTZHD
Read
ULISSE2
Read
MAXIMUS MVX for hazardous environments and industrial settings
Read
MAXIMUS MPX now in FULL HD
Read
The winner of the 2015 Onvif Award Program is ... Videotec!
Read
ULISSE RADICAL THERMAL
Read
ULISSE RADICAL PTZ camera
Read
Videotec with EX camera systems is ACHILLES Trusted Partner
Read
Digivod and Videotec
Read
Extended warranty
Read
PTZ assistant, Companion app for VMSs
Read
TOP