Cybersecurity is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand.

Multiple vendors are offering a great number of solutions; however the choice and diversification perplexes customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cybersecurity.

Explosion-proof rated cameras

Customers are currently overwhelmed by the perpetual advertisement of products related to cybersecurity. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cybersecurity. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras.

For software, similar requirements exist but there is less clarity than with their counterparts

The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exist: in general, it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railroad. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security.

Video management software

Furthermore, a device's firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the complete video surveillance system reliability. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities. Deploying a cyber-secure system is a challenging task under these ever-changing conditions.

Other aspects of security, such as mechanical, electrical or environmental are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducting the product requirements.

Video surveillance equipment

During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.

Several certification options are currently available on the market, and these can be placed in two main groups

The result of the lack of certainty that characterises software and the existence of complex standards that have a restricted competent audience is a professional market that is trying to incoherently fill this gap, by pursuing certifications and stamps or by adopting aggressive advertisement strategies, based on over-optimistic promises on product features.

Cybersecurity certification

Several certification options are currently available on the market, and these can be placed in two main groups:

  • System certification
  • Product certification

As the name suggests, system certification addresses cybersecurity at a system level. This group includes ISO27001, NIST SP 800-53° ISA/IEC62443-3 for example. In these frameworks, risks related to information management are evaluated across every aspect of the organization: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers.

Video surveillance system

Since these certifications must be flexible to adapt to a heterogeneity of systems, they define frameworks to perform the system analysis and the assessment of the risks of such systems, but they do not punctually mandate explicit requirements. System certifications delegate the definition of such requirements to the organization willing to achieve the certification. In contrast, product certifications are narrow in scope, targeting a single component subject to certification.

A single component can be a camera, a networking switch or video management software

A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria. It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system.

Cyber secure surveillance

Manufacturers should target product certifications and drive efforts to ease the integration of their products into the frameworks of system-level certification that is being pursued by their customers. Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements.

The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products. Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera.

New security feature

Software architecture must be flexible enough to guarantee integration into very different products

Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalog. From the beginning of the DeLux project, two key points were immediately clear.

The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time it needs dedicated components that guarantee the un-exploitability of the device.

Accomplish video acquisition

For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit.

The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology.

Secure video surveillance

Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unconsciously added while the company proceed with software development. Every time Videotec adds a new feature in response to a suggestion for improvement by the company's customers or identification of an issue, it also updates the testing tools to increase the reliability of the company's products.

Videotec has yet to definitively choose a certification scheme for the DeLux technology

Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance system, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, they call this cyber-sustainability.

System-level security requirements

At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as the company search for a solution that will create value for the company’s customers without sacrificing the addition of new features on all products that make up the DeLux technology range.

Although Videotec is still exploring the best certification scheme for its software, this does not prevent the company from having a clear and active development path for the cybersecurity in their products. At Videotec, the following five principles are the basis for implementing cybersecurity in products:

  • Hardened software architecture to minimize the attack surface of the cameras
  • Constant updates and availability of new features, even on old products
  • Removal of predefined credentials in the products, to strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements
  • Contribution to the ONVIF Security Service specification, to push the industry shifting from usernames and password to X.509 certificates
  • Clear communication to customers, by avoiding fake marketing claims

Security service specifications

Videotec had an active role in the development of the ONVIF Profile Q specifications. Among other activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all.

Videotec is proposing extensions to the ONVIF Security Service specifications

Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers. Similarly, with regard to the commitment for the ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread the adoption of X.509 certificates to replace the usage of credentials.

Video surveillance market

Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.

Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications of international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical of environmental safety.

IP-based device

In the last ten years, the video surveillance industry has vigorously shifted from analog to IP products

These instructions are meant to teach customers and stimulate their attention to aspects related to cybersecurity. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GPDR or any other rule. Cyber threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today.

In the last ten years, the video surveillance industry has vigorously shifted from analog to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals but also from malicious users.

Risk assessment analytics

Keeping these systems safe from cyber-threats is an activity that cannot be performed just by performing a risk assessment analytics during the commissioning phase - maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; also managing the effects of a system violation has a cost. Integrators and users must find the correct balance, to minimize expenses while keeping video surveillance systems updated and secure.

In order to make reduction of expenses related to maintenance and recovery plans easier, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers keeping their systems protected.

Download PDF version Download PDF version

In case you missed it

Security & Safety Things Becomes Azena, Underscores Advances In Smart Camera Platform Development
Security & Safety Things Becomes Azena, Underscores Advances In Smart Camera Platform Development

Security & Safety Things is announcing that it has rebranded to Azena, a new brand name that underscores the company’s corporate growth and leading-edge smart camera platform and positions it for the next chapter in its ambitious plans for redefining video analytics. With a growing slate of global customer and partner collaborations and expanding geographic coverage, Azena will continue to increase the value of its platform for systems integrators and end customers. More than 100 AI-enabled video analytics apps Since its market introduction in 2018, Azena has grown to more than 120 employees spread across its headquarters in Munich, its technology Innovation Accelerator facility in Pittsburgh, and another development hub in Eindhoven, The Netherlands, all supporting the Azena open platform for smart cameras.Integrators can flexibly add or change apps on one or multiple cameras as needed for their customers The Azena platform is comprised of an open operating system for cameras and an Application Store with nearly 100 Artificial Intelligence (AI)-enabled video analytics apps. It enables smart cameras to simultaneously run multiple apps directly on the device. Integrators can flexibly add or change apps on one or multiple cameras as needed for their customers and use any of the 15 cameras from six different manufacturer partners in a variety of form factors.“Systems integrators play a crucial role in connecting the video analytic edge devices on our platform into the larger system landscape for a truly data-driven approach to security, operational intelligence and automation,” said Hartmut Schaper, chief executive officer, Azena. “Our new identity as Azena positions us for improved name recognition and market presence as we continue to add functionality and the potential for expansion into new markets for our systems integrator partners.” More than 40 use cases in 25+ verticals The Azena Application Store features apps that address more than 40 different use cases in at least 25 different vertical markets, ranging from traditional perimeter security, retail loss prevention and occupancy management to stadium security and even the unique needs of aquaculture. Some examples of use cases include: One U.S. professional hockey team, the Pittsburgh Penguins, is using the Azena platform to monitor crowding at its stadium entrances, license plate recognition for more efficient stadium parking and heat mapping for improved layouts of its fan merchandise retail outlets. An oil drilling company is deploying smart cameras running the Azena OS so operations staff can remotely monitor any pumping disruptions in the oil fields. A chemical plant is monitoring its locations for the presence of smoke to enhance  workplace safety measures Collaboration with Proseguy Systems integrator Prosegur, one of the world’s largest security companies, has announced its collaboration with Azena to use analytics on the edge as part of its Security Operations Center as a service offering. By deploying more sophisticated analytics to measure activity or automatically verify alarms, incoming alarm traffic from customer sites can be prefiltered, reducing the number of alarms needing to be handled by human operators in the SOC, enabling a more appropriate response.Integrators will find a host of other new features in the Azena platformIntegrators will find a host of other new features in the Azena platform designed to leverage device management capabilities and remote access for diagnosis and maintenance to cameras on a customer site, using Azena’s digital twin architecture. Other benefits include: Ability to run all the analytics apps from the Azena Application Store on the video stream of existing IP cameras by means of a small appliance from one of the camera manufacturer partners, bringing AI to already installed video systems Wide range of integration options to connect VMS systems, dashboard software, access systems, other apps or other cameras to support the creation of sophisticated end-to-end solutions Option for integrators to build and deploy custom solutions with apps available only to them and their customers via the Azena Application Store Ability to securely and remotely connect to a customer camera without a VPN A new integration assistant that quickly builds middleware for custom integrations between Azena components and third-party software and hardware Opportunity to negotiate directly with app developers on bulk pricing Standardized terms of use that can be adopted by all applications in the Application Store

What Are New Trends In Residential Security?
What Are New Trends In Residential Security?

Residential security and smart homes are rapidly changing facets of the larger physical security marketplace, driven by advances in consumer technology and concerns about rising crime rates. During the COVID-19 pandemic, many people spent more time at home and became more aware of the need for greater security. As workplaces opened back up, returning workers turned to technology to help them keep watch over their homes from afar. We asked this week’s Expert Panel Roundtable: What are the trends in residential security in 2021?

How Businesses Can Protect Their People In The New Age Of Work
How Businesses Can Protect Their People In The New Age Of Work

Ensuring employee health and safety remains a key priority for organizations this year, especially as we see COVID-19 cases continue to rise in different areas of the world. As an ongoing challenge, COVID-19 has shifted the priorities of many organizations. In fact, “improving health and safety for employees” is the top strategic goal this year of manufacturing and logistics organizations in the U.S. and U.K., according to research conducted by Forrester on behalf of STANLEY Security. But as we think about reopening and as hybrid workforce models and “workspace-on-demand” approaches rise in popularity, leaders need to consider implementing the right technologies to help ensure a safe return to the office. This means investing in health, safety, and security solutions that can help leaders protect their people. The intersection of security technology and health and safety There’s no doubt that the scope of security has expanded in the wake of the global pandemic. What was once an area governed by a select few security or IT professionals within a business has now become a crucial company investment involving many key stakeholders. The role of security has expanded to encompass a broader range of health and safety challenges for businesses Additionally, the role of security has expanded to encompass a broader range of health and safety challenges for businesses. Fortunately, security technologies have made significant strides and many solutions, both existing and new, have been thrust forward to address today’s biggest business challenges. Investment in security technology It’s important to note that businesses are eager to adopt tech that can help them protect their people. Nearly half (46%) of organizations surveyed by Forrester report that they’re considering an increasing investment in technology solutions that ensure employee safety. Technologies like touchless access control, visitor management systems, occupancy monitoring, and installed/wearable proximity sensors are among some of the many security technologies these organizations have implemented or are planning to implement yet this year. Facilitating a safe return to work But what does the future look like? When it comes to the post-pandemic workplace, organizations are taking a hard look at their return-to-work strategy. Flexible or hybrid workforce models require a suite of security solutions to help ensure a safer, healthier environment More than half (53%) of organizations surveyed by Forrester are looking to introduce a flexible work schedule for their employees as they make decisions about returning to work and keeping employees safe post-pandemic. Such flexible – or hybrid – workforce models require a suite of security solutions to help ensure a safer, healthier environment for all who traverse a facility or work on-site. One of the central safety and security challenges raised by these hybrid models is tracking who is present in the building at any one time – and where or how they interact. Leveraging security technology With staggered schedules and what may seem like a steady stream of people passing through, it can be difficult to know who’s an employee and who’s a visitor. Access control will be key to monitoring and managing the flow of people on-site and preventing unauthorized access. When access control systems are properly integrated with visitor management solutions, businesses can unlock further benefits and efficiencies. For instance, integrated visitor management systems can allow for pre-registration of visitors and employees – granting cellphone credentials before people arrive on-site – and automated health screening surveys can be sent out in advance to help mitigate risk. Once someone reaches the premises, these systems can also be used to detect the person’s temperature and scan for a face mask, if needed.  We will likely see these types of visitor management and advanced screening solutions continue to rise in popularity, as 47% of organizations surveyed by Forrester report that they’re considering requiring employee health screening post-pandemic. Defining the office of the future A modern, dynamic workforce model will require an agile approach to office management. It’s imperative to strike the right balance between making people feel welcome and reassuring Businesses want to create an environment in which people feel comfortable and confident – a space where employees can collaborate and be creative. It’s imperative to strike the right balance between making people feel welcome and reassuring them that the necessary security measures are in place to ensure not only their safety but also their health. In many cases, this balancing act has created an unintended consequence: Everyone now feels like a visitor to a building. Protocols and processes With employees required to undergo the same screening processes and protocols as a guest, we’ve seen a transformation in the on-site experience. This further underscores the need for seamless, automated, and tightly integrated security solutions that can improve the employee and visitor experience, while helping to ensure health and safety. Ultimately, the future of the office is not about what a space looks like, but how people feel in it. This means adopting a “safety-always” culture, underpinned by the right technology, to ensure people that their safety remains a business’ top priority.