Cyber security is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand. Multiple vendors are offering a great number of solutions, however the choice and diversification perplexes customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cyber security.
Customers are currently overwhelmed by the perpetual advertisement of products related to cyber security. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cybersecurity. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras. The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exist: in general it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railway. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security. Furthermore, a device’s firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the complete video surveillance system reliability. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities.
Deploying a cyber-secure system is a challenging task under these ever-changing conditions. Other aspects of security, such as mechanical, electrical or environmental are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducting the product requirements. During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.
The result of the lack of certainty that characterizes software and the existence of complex standards that have a restricted competent audience is a professional market that is trying to incoherently fill this gap, by pursuing certifications and stamps or by adopting aggressive advertisement strategies, based on over-optimistic promises on product features.
Orientation between different cyber-security certification options
Several certification options are currently available on the market, and these can be placed in two main groups:
● System certification
● Product certification
As the name suggests, system certification addresses cyber-security at a system level. This group includes ISO27001, NIST SP 800-53, ISA/IEC62443-3 for example. In these frameworks, risks related to information management are evaluated across every aspect of the organization: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers. Since these certifications must be flexible to adapt to a heterogeneity of systems, they define frameworks to perform the system analysis and the assessment of the risks of such systems, but they do not punctually mandate explicit requirements. System certifications delegate the definition of such requirements to the organization willing to achieve the certification.
In contrast, product certifications are narrow in scope, targeting a single component subject to certification. A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria.
It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system. Manufacturers should target product certifications and drive efforts to ease the integration of their products into the frameworks of system-level certification that is being pursued by their customers.
Videotec’s strategy for cyber-secure video surveillance systems
Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements. The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products.
Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera. Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalogue.
From the beginning of the DeLux project, two key points were immediately clear. The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time it needs dedicated components that guarantee the un-exploitability of the device. For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit. The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology. Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unconsciously added while we proceed with software development. Every time Videotec adds a new feature in response to a suggestion for improvement by our customers or identification of an issue, it also updates the testing tools to increase the reliability of our products.
Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance system, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, we call this cyber-sustainability.
At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as we search for a solution that will create value for our customers without sacrificing the addition of new features on all products that make up the DeLux technology range.
Although Videotec is still exploring the best certification scheme for its software, this does not prevent us from having a clear and active development path for the cyber-security in our products. At Videotec, the following five principles are the basis for implementing cyber-security in products:
● Hardened software architecture to minimize the attack surface of the cameras
● Constant updates and availability of new features, even on old products
● Removal of predefined credentials in the products, to give strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements
● Contribution to the ONVIF Security Service specification, to push the industry shifting from usernames and password to X.509 certificates
● Clear communication to customers, by avoiding fake marketing claims
Videotec had an active role in the development of the ONVIF Profile Q specifications. Among others activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all. Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers.
Similarly with regard to the commitment for the ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread the adoption of X.509 certificates to replace the usage of credentials. Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.
Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications of international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical of environmental safety. These instructions are meant to teach customers and stimulate their attention to aspects related to cyber-security. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GPDR or any other rule.
Cyber-threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today. In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals, but also from malicious users.
Keeping these systems safe from cyber-threats is an activity that cannot be performed just by performing a risk assessment analytics during the commissioning phase - maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; also managing the effects of a system violation has a cost. Integrators and users must find the correct balance, to minimize expenses while keeping video surveillance systems updated and secure. In order to make reduction of expenses related to maintenance and recovery plans easier, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers keeping their systems protected.
Ottavio Campana – Videotec R&D Manager