Development of cyber-sustainable video surveillance systems

Abstract

Cyber security is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand. Multiple vendors are offering a great number of solutions, however the choice and diversification perplexes customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cyber security.

 

Introduction

Customers are currently overwhelmed by the perpetual advertisement of products related to cyber security. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cybersecurity. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras. The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exist: in general it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railway. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security. Furthermore, a device's firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the complete video surveillance system reliability. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities.

Deploying a cyber-secure system is a challenging task under these ever-changing conditions. Other aspects of security, such as mechanical, electrical or environmental are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducting the product requirements. During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.

The result of the lack of certainty that characterizes software and the existence of complex standards that have a restricted competent audience is a professional market that is trying to incoherently fill this gap, by pursuing certifications and stamps or by adopting aggressive advertisement strategies, based on over-optimistic promises on product features.

 

Orientation between different cyber-security certification options

Several certification options are currently available on the market, and these can be placed in two main groups:

●System certification

●Product certification

As the name suggests, system certification addresses cyber-security at a system level. This group includes ISO27001, NIST SP 800-53° ISA/IEC62443-3 for example. In these frameworks, risks related to information management are evaluated across every aspect of the organization: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers. Since these certifications must be flexible to adapt to a heterogeneity of systems, they define frameworks to perform the system analysis and the assessment of the risks of such systems, but they do not punctually mandate explicit requirements. System certifications delegate the definition of such requirements to the organization willing to achieve the certification.

In contrast, product certifications are narrow in scope, targeting a single component subject to certification. A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria.

It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system. Manufacturers should target product certifications and drive efforts to ease the integration of their products into the frameworks of system-level certification that is being pursued by their customers.

 

Videotec's strategy for cyber-secure video surveillance systems

Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements. The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products.

Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera. Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalogue.

From the beginning of the DeLux project, two key points were immediately clear.

The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time, it needs dedicated components that guarantee the un-exploitability of the device. For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit.

The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology. Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unconsciously added while we proceed with software development. Every time Videotec adds a new feature in response to a suggestion for improvement by our customers or identification of an issue, it also updates the testing tools to increase the reliability of our products.

Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance system, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, we call this cyber-sustainability.

At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as we search for a solution that will create value for our customers without sacrificing the addition of new features on all products that make up the DeLux technology range.

Although Videotec is still exploring the best certification scheme for its software, this does not prevent us from having a clear and active development path for the cyber-security in our products. At Videotec, the following five principles are the basis for implementing cyber-security in products:

●Hardened software architecture to minimize the attack surface of the cameras;

●°Constant updates and availability of new features, even on old products;

●Removal of predefined credentials in the products, to strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements;

●°Contribution to the ONVIF Security Service specification, to push the industry shifting from usernames and password to X.509 certificates;

●°Clear communication to customers, by avoiding fake marketing claims.

Videotec had an active role in the development of the ONVIF Profile Q specifications. Among other activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all. Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers.

Similarly, with regard to the commitment for the ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread the adoption of X.509 certificates to replace the use of credentials. Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.

Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications of international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical of environmental safety. These instructions are meant to teach customers and stimulate their attention to aspects related to cyber-security. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GPDR or any other rule.

 

Conclusions

Cyber-threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today. In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals but also from malicious users.

Keeping these systems safe from cyber-threats is an activity that cannot be performed just by performing a risk assessment analytics during the commissioning phase - maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; also managing the effects of a system violation has a cost. Integrators and users must find the correct balance, to minimize expenses while keeping video surveillance systems updated and secure. In order to make reduction of expenses related to maintenance and recovery plans easier, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers keeping their systems protected.

other news
Videotec Joins Motorola Solutions
Leggi
MAXIMUS MPXL SERIE2 e MAXIMUS MLX, per sorveglianza di ambienti con atmosfera esplosiva e scarsa illuminazione
Leggi
VIDEOTEC celebra il 10° anniversario di ONVIF membership
Leggi
POR-FESR/Regione Veneto NEWS
Leggi
ULISSE EVO DUAL PTZ di rete outdoor-ready con doppio sensore termico e visibile
Leggi
Videotec Digital Event #3
Leggi
Telecamera antideflagrate MAXIMUS MVX con SONY FCB-EV7520
Leggi
Nuovi modelli disponibili per MAXIMUS MPX SERIES2 e NVX
Leggi
COMB nuova communication box in policarbonato
Leggi
COVID-19 Comunicazione Videotec
Leggi
Nuova release di firmware 4.0 per le telecamere Videotec
Leggi
VIDEOTEC DIGITAL EVENT 2
Leggi
S2D, Securing Smartbuilding Devices
Leggi
Telecamera NVX ora con video analisi e funzioni di GeoMove
Leggi
NXPTZ SERIES2, i nuovi PTZ in acciaio inox per atmosfera corrosiva
Leggi
Nuova release di firmware per le telecamere Videotec
Leggi
Videotec Digital Event
Leggi
MAXIMUS MPXT SERIES2: nuovi PTZ antideflagranti dual vision di rete
Leggi
Intelligenza artificiale per ULISSE EVO
Leggi
MAXIMUS MPX SERIES2: nuova generazione di PTZ antideflagranti
Leggi
Nuova release di firmware per le telecamere Videotec
Leggi
Videotec e Sony: tecnologia integrata per alte prestazioni di sorveglianza
Leggi
Videotec soluzione integrata ULISSE2 e SONY SNC-VB770 per immagini a colori nel buio
Leggi
Now available BIS and the CCOE/PESO Certifications for Indian market
Leggi
Partnership Fujifilm e Videotec: soluzione per applicazioni di sorveglianza a lungo raggio
Leggi
ULISSE EVO THERMAL protezione perimetrale preventiva 24/7
Leggi
MBX communication box anti-deflagrante in acciaio inox
Leggi
Telecamera termica MVXT potenziata con funzioni radiometriche
Leggi
NTX, nuova telecamera termica in acciaio inox con funzioni radiometriche da Videotec
Leggi
ULISSE EVO, un passo avanti nell'evoluzione delle telecamere PTZ
Leggi
Massimo livello di protezione per le infrastrutture critiche con l'integrazione dei sistemi SpotterRF e Videotec
Leggi
Nuova Telecamera FULLHD anti-corrosione con tecnologia DELUX per una straordinaria luminosità notturna
Leggi
Modelli BIM disponibili per i prodotti Videotec
Leggi
Nuova communication box antideflagrante da Videotec
Leggi
VIDEOTEC, tecnologia DELUX disponibile nelle telecamere per settori Marine e Oil & Gas
Leggi
Progetto di Innovazione tecnologica
Leggi
ULISSE COMPACT con nuova tecnologia DELUX, visione day/night con straordinaria luminosità notturna
Leggi
Le telecamere Videotec ottengono la certificazione Lloyd's Register per le applicazioni Marine
Leggi
VIDEOTEC Joins Ameristar Perimeter Security’s Perimeter InSite Initiative for Complete Perimeter Security Solutions
Leggi
ULISSE COMPACT HD: 14 nuove telecamere nei luoghi sensibili della città di Schio (Vi)
Leggi
Sistemi di sorveglianza per raffinerie in Messico con telecamere Maximus
Leggi
MAXIMUS FULL HD usato in una stazione di misura e regolazione del gas in Indonesia
Leggi
Successo dei prodotti Videotec sulle strade russe
Leggi
Ulisse Compact Thermal protegge la frontiera in Vietnam
Leggi
Videotec co-hosts “Perimeter Security Roadshows” across North-America
Leggi
Videotec's camera helps in strictly regulated cannabis industry
Leggi
Miniera in Cile utilizza la custodia NXM per il controllo di processi gravosi
Leggi
Nuova competitiva telecamera anti-deflagrante FullHD
Leggi
The Videotec A&E Security Consultants Program
Leggi
VIDEOTEC si impegna per l’ambiente
Leggi
Massima protezione per gli aeroporti con l’evoluto sistema integrato di Crisma Security e Videotec
Leggi
SightLogix SightTracker Automatically Steers Videotec IP PTZ Cameras
Leggi
ULISSE COMPACT HD sorveglia uno strategico ponte in Kuwait
Leggi
ULISSE COMPACT HD per la sorveglianza di un aeroporto coreano
Leggi
Unità subacquee in Giappone utilizzano le custodie NXM
Leggi
Custodie antideflagranti MHX utilizzate per una raffineria a Taiwan
Leggi
ULISSE COMPACT THERMAL protegge una base del Ministero della Difesa in Italia
Leggi
Le custodie NXM sorvegliano l'ecosistema marino di Okinawa in Giappone
Leggi
ULISSE COMPACT HD sorveglia l'alta velocità di Taiwan
Leggi
MPX per la sicurezza di uno stabilimento chimico in Giappone
Leggi
Videotec employed on Russian roads
Leggi
ULISSE COMPACT HD scelto per gli impianti eolici nella Corea del Sud
Leggi
NXPTZHD
Leggi
ULISSE2
Leggi
MAXIMUS MVX per ambienti hazardous e industriali
Leggi
MAXIMUS MPX è ora FULL HD
Leggi
Videotec vince l'Onvif Award Program 2015!
Leggi
ULISSE RADICAL THERMAL
Leggi
ULISSE RADICAL
Leggi
Videotec Trusted Partner di ACHILLES per l'Oil&Gas
Leggi
Digivod and Videotec
Leggi
Estensione garanzia
Leggi
PTZ assistant, Companion app per VMS
Leggi
TOP