printer friendly version

Putting cyber into surveillance

Cybersecurity has become an essential part of the physical security industry, including the surveillance industry. However, as opposed to other IoT technologies, of which security products form a part, surveillance technologies have more to protect. On the one hand, there is the ‘normal’ technology, such as firmware and other internal software in cameras, NVRs, and so forth, but then there is the product of surveillance cameras: video.

Video can be compromised, allowing bad actors to hide scripts and data within it that are unseen by the operators, although that may be an extreme case. There is also the threat that video can be interrupted to allow criminals to do their nefarious deeds before security can figure out what is happening. Of course, there is the old problem of hacking into the camera and using it to break into the corporate network.

SMART Security Solutions asked two surveillance companies for their input on the importance of cybersecurity in the surveillance market. We spoke to Jürgen Seiler, Head of Business Development, CRITIS, at Dallmeier, and Dene Alkema, MD of Cathexis Africa.

Jürgen Seiler.

Dene Alkema.

Every surveillance vendor talks about cybersecurity, but how far are they going in making their hardware and software cybersecure? Not too long ago, cybersecurity meant changing the administrator’s password when setting up a new device or installing new software; perhaps it also included getting your IT people to close all the unneeded ports that could access your camera – Telnet ports, for example.

These simple tactics are standard today, so much so they hardly feature in any cyber advisory notes – although we all know that many installers and users opt for the easy route to get the job done as fast as possible. Cybersecurity in the physical security world has become so important that there are regulations governing how devices and software should be protected. (At the time of writing, no such legislation has been passed in Africa yet).

Two examples of EU regulations include the Network and Information Security Directive 2nd Edition (NIS2) and The European Cyber Resilience Act (CRA). KPMG describes NIS2 as follows: “As the world becomes more connected, organisations see that their IT and OT infrastructures become increasingly integrated, whereby the potential of physical cybersecurity incidents is growing. As a result, the NIS2 Directive underlines the EU’s motivation to put cybersecurity at the forefront of the agenda.”

So what does this mean in the real world?

The CRA “is a legal framework that describes the cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union. Manufacturers are now obliged to take security seriously throughout a product’s life cycle.”

When asked what this means for manufacturers and developers in the surveillance market, Alkema says, “To comply with cybersecurity standards and meet the requirements of the NIS2 and CRA, surveillance manufacturers and developers are responsible for following the principle of ‘Security by Design’. This means that cybersecurity must be incorporated into every stage of product development and manufacturing.”

He explains that this means manufacturers are responsible for implementing procedures to identify and address any vulnerabilities or security risks in their products or operations, complying with regional and international industry standards, rigorously testing their products and having their products tested by external certification bodies, reporting security breaches to relevant authorities as well as end users, and providing thorough documentation and resources for end users.

Seiler adds that the manufacturer’s responsibility arises from the end customer’s perspective. “They must consider the entire value chain, including upstream suppliers.

With regard to physical security – and this naturally includes surveillance components – one thing is essential: network-based video security products for physical security (e.g., for perimeter protection, building protection) must not jeopardise the ‘other’, complementary security of the CRITIS (Critical Infrastructure Organisation) operators, namely IT and cybersecurity. Video surveillance cameras and systems must not be a gateway into the customer’s IT or OT networks.

“As a European manufacturer of video surveillance devices, we have voluntarily and proactively taken on our corporate responsibility even before and beyond legal regulations such as the NIS2 Directive and the CRA. The Security by Design guidelines set out in the EU-GDPR provide decisive guidance for manufacturers and users. We see that end customers are increasingly asking for products and solutions that meet these criteria and are ‘Made in Europe’. NDAA compliance (the USA’s National Defence Authorisation Act), although not officially relevant in the EU, is also often used as a quality criterion.”

The opposite view

Adhering to or exceeding regulations and certifications sounds good to a customer, but what should users, who may not be educated in the cyber aspects of physical security, look at when considering surveillance solutions? What should their expectations be from the manufacturers, installers and integrators, and, essentially, what cyber responsibilities rest with them?

Seiler advises that, when selecting manufacturers and integrators, it is advisable to carry out a thorough manufacturer check in advance to ensure that the products offer the highest level of technical cybersecurity and meet the requirements for physical security. “This includes assessments, tests and proof of cyberconformity. Furthermore, products should comply with the Security by Design and Privacy by Design principles of the EU-GDPR. Legal compliance in accordance with European directives and national laws (NIS2, RCE, CRA) is equally important.”

Legal compliance also means that the solutions actually offer adequate physical protection and that the supply chain fulfils the security criteria. He continues that cyber and ethical aspects of the manufacturer and its country of manufacture must be checked, particularly with regard to authoritarian countries. In the latter’s case, it is not only a question of possible gateways, but also of keeping an eye on a possible current or future influence by official bodies such as secret services to request access to systems. Validated references and proof of expertise in physical security and cybersecurity should be obtained, and it is advisable to carefully check the extent to which the manufacturer has tested both dimensions of resilience.

Alkema supports this advice, noting, “Customers should expect manufacturers to comply with relevant industry standards and cybersecurity legislation, to implement cybersecurity and data protection measures in their product development process, and to communicate clearly about product specifications and support. However, customers are still responsible for ensuring their surveillance system is secure.”

It is their responsibility to configure and maintain their network’s security, update software as necessary, follow audit procedures to identify risks, and stay informed about industry developments, best practices, and legislation.

No matter the size of your company

Alkema continues that cybersecurity is essential, no matter the organisation’s size. “Even a small business operating a surveillance system with a handful of cameras could experience the consequences of cybersecurity breaches. Malicious cybersecurity attacks could still target your system, sensitive data could be shared with criminal parties and be exploited, personal information could be leaked, or the company could receive hefty penalties for non-compliance with industry or legal standards. These can cause short-term and long-term operational costs by eroding customers’ trust in the company.”

Users should remember the risks and costs of poor cybersecurity practices and consider the many benefits of robust cybersecurity practices. Implementing cybersecurity measures protects you, your customers, your brand, and your data. It also lays a solid foundation for following best practices in all your business processes.

“Nowadays, cameras, workstations and recording systems are almost always connected to the internet as they act as IoT devices,” says Seiler. “This means they are just as vulnerable to cyberattacks as any other networked system. To make the risks clear and sensitise users, we recommend creating permanent awareness for risk analysis, cybersecurity and cyberhygiene. This includes regular training and education.

“It is particularly important to raise risk awareness among users and executive management. We therefore recommend raising awareness of the high priority of cybersecurity and preparing for the law. For example, highlighting high-profile cases that could cause monetary and reputational damage, up to the worst-case scenario of jeopardising business continuity or bankruptcy. It is also helpful to point out the stricter liability rules for management and the threat of fines under NIS 2, RCE and regulations and directives such as the GDPR (Security by Design) or the US NDAA.”

Cloud complications

It is no secret that cloud services are growing in the surveillance market. Locally, bandwidth limitations and costs have somewhat slowed the adoption, but adoption continues to grow. The availability of specific analytical or AI services in the cloud (gun detection, for example) is boosting growth because the cloud is used for specific purposes.

The cloud, however, has a reputation for increasing cybersecurity risks in all industries (whether the reputation is warranted or not), so care needs to be taken to ensure cloud systems are configured and secured properly from the user side, and the service provider must ensure it covers all the cyber bases to secure customers’ data and prevent potential network breaches. So, what should users consider regarding cybersecurity when engaging cloud services for surveillance?

Alkema states that a video management system’s primary component is video data, which can include sensitive footage or personally identifying information. “You do not want that data to get into the wrong hands. Your video data could be compromised if the cloud service has a data breach. It would be best to consider how the cloud service could use or misuse your data, such as sharing it with a third party without your consent.

“Being reliant on a cloud service provider means you have less control over your data, and you might not be able to access it if the cloud service has technical issues or downtime. Not only is this inconvenient, but it adds to operational costs. Being locked into a contract with a cl are subject to increased costs or changing pricing models, which could compound as your organisation grows.”

A final point to consider is compliance. Alkema says it can be a challenge when your company implements measures to comply with regional regulations or legislation if the service provider does not meet the necessary standards. On the other hand, given the popularity of cloud-based solutions and the potential for security breaches, large cloud service providers can dedicate significant resources to cybersecurity.

“As a user, it is important to educate yourself on the potential pitfalls of using cloud-based services so you can make an informed decision about the solution you implement,” he adds. “Do your research on the service provider. Find out what measures they take to ensure data protection and mitigate risk, and how they protect the physical security of their data centres. Review the contract, and make sure that the service provider’s responsibilities in terms of cybersecurity, data protection, and backup are clear.”

From Dallmeier’s perspective, Seiler maintains that the success and global acceptance of cloud technologies and applications confirm that companies and users have established and gained a certain basic trust in the cloud. And yes, in his view, cloud providers can invest more in security technologies and provide professional personnel expertise than the customer or the medium-sized or large company itself.

“In general, both cloud and on-premise operations must comply with the appropriate technical and organisational measures in terms of cybersecurity in accordance with industry standards. The greatest risk is often the user or the person themselves, regardless of whether cloud or on-premise. From a technical perspective, there is no longer any difference between the security of cloud and on-premise environments in terms of physical security.”

Cybersecurity processes

In conclusion, SMART Security Solutions asked both companies to explain how they ensure their solutions are cyber-secure, and how they assist customers/integrators in maintaining their cybersecurity posture.

According to Alkema, at Cathexis, “Cybersecurity is built into the solutions we develop at every step. We apply cryptographic techniques that ensure system integrity, secure communication, and data protection. These include encryption and security for external site connections, network channels and IP camera connections, validation of login credentials using secure public key methods, and data integrity verification from encryption methods and passphrases.”

“System administrators are empowered to prioritise cybersecurity and the protection of personal information in the setup and use of CathexisVision, with features such as privacy zones (the option to restrict camera views), the option to password protect archives to control playback, watermarking footage, and creating bookmarks that canot be overwritten. All CathexisVision archive files can be verified, and original footage and metadata can only be played via our proprietary archive viewer, adding a further security layer.”

“Our cybersecurity strategy is reinforced through the support and resources we offer our customers and integrators. We aim to empower our customers with up-to-date, accurate product information, and comprehensive, clear documentation, and alert them to changes in the video surveillance landscape that could impact their cybersecurity strategies. An example of this latter point is the comprehensive guidelines we created for understanding personal data protection when using CathexisVision and implementing a video surveillance system, particularly when complying with data protection legislation in South Africa and the EU.”

For Dallmeier, Seiler says, “In addition to compliance with data security regulations by the user, we, as a manufacturer of video surveillance systems, also bear a high level of responsibility, and our products and solutions offer our customers an extremely broad portfolio of proven technical functions for data security and data protection. The fact that all development and production is based in Regensburg, Germany, means that we also have complete control over all stages of the value chain and can ensure the highest level of cybersecurity in all aspects.”

“The development and manufacturing within the framework of the rule of law also guarantees neutrality towards state interference and maximum ethical responsibility. Our products comply with EU-GDPR, NDAA and all planned data protection and cybersecurity directives, such as EU NIS2, EU RCE, and EU CRA, in preparation with the EU AI Artificial Intelligence Act and DIN 62676-4. With 40 years of ‘Made in Germany’, Dallmeier stands for the highest level of security in terms of legal and compliance, data protection and cybersecurity.”

For more information contact:

• Cathexis Africa, +27 31 240 0800, [email protected], www.cathexisvideo.com

• Dallmeier Southern Africa, +49 941 870 0111

Share this article:

Further reading: