Video Management Systems: Guarding Against Cyber Attacks
29 April 2020
DESPITE THE rising prevalence of data breaches, awareness of the need for tighter security when installing and using a video management system is yet to catch up. Complacency is the enemy, suggests Neil Killick, with even the most basic of security errors potentially placing such systems at risk.
Cyber security has become part and parcel of everyday life. Over the past few years, huge brands such as Equifax and British Airways (BA) have suffered the fall-out from highly-publicised data breaches and hacks that have sent tremors across the technology industry.
In 2018, visitors to the BA website were diverted to a fraudulent site that harvested the personal and payment details of around 500,000 customers, in what the airline described as a “sophisticated and malicious criminal attack” on its website. In 2019 the Information Commissioner’s Office (ICO) responded by announcing its intention to impose its biggest penalty yet: the substantial sum of £183 million.
The latter is just one example from an increasing number of breaches and hacks which have weakened the degree of trust placed in data security. Alongside this is a general fear over the safety of personal data.
Today's organisations face a perfect storm. The number of networked devices is steadily increasing thanks to the rise of the Internet of Things (IoT), and every new device is another opportunity for would-be attackers to compromise a system. For many, it’s a matter of when - not if - a hack or a breach will occur. When it does, it could take a long time to regain public trust. The good news, though, is that there are many tools at hand which can minimise the risk and protect valuable data.
One particular area of weakness is the use of video management systems (VMS) and connected devices. Despite the rising occurrence of data breaches, awareness of the need for tighter security when installing and using a VMS is yet to catch up. Complacency is very much the enemy here. It must be stressed that even the most basic of security errors can ultimately place a system in jeopardy.
Security integrators must keep abreast of the issue by understanding new risks and how to secure a VMS and connected devices. This is even more important now that the stakes are so high. Under the European Union's General Data Protection Regulation (GDPR), organisations can be fined up to €20 million or 4% of their global annual turnover, whichever is higher, for a proven infringement. For many, that's a potentially business-ending penalty.
The amount of the fine is based on the nature, gravity, duration and character of the infringement, as well as the type of personal data involved. In practice, highly sensitive data such as biometric information is treated differently from less sensitive data such as postcodes or usernames.
GDPR and VMS
How all of this applies to video data isn’t clear cut. Even on a basic level, video may capture individuals at events or scenes that could reveal political involvement, for example. Data of this kind falls under what the GDPR calls ‘special category data’ (Article 9), previously known in UK law as ‘Sensitive Personal Data’, and it attracts stricter conditions for processing.
Once a company falls foul of the GDPR because of its VMS and video devices, the consequences will be far more severe than under previous data protection regimes, and more organisations will likely rush to secure their VMS. Of course, when it comes to the GDPR, nobody wants to be the first infringement case.
For their part, security installers must ensure that the VMS they’re using is GDPR-ready – and that it's duly certified as such.
This brings us to the practicalities of securing a VMS. With the GDPR, the onus is on creating a ‘culture of privacy’ around the use of video systems. Organisations cannot collect data simply on the basis of ‘just in case’. There must be a legitimate reason for collecting and storing VMS data. It must also be ‘reasonable’ in relation to that purpose.
In practice, this might look like a VMS analysing pedestrian activity for potentially dangerous behaviour. People who appear unwell can be flagged automatically by the system when they stand too close to the edge of a railway platform, for example. Using a VMS in this way is clearly in the public interest: there's a legitimate reason for installing such a system and storing the data.
Ensuring compliant operation
Ensuring a GDPR-compliant video operation is all about taking three crucial steps.
First, make sure the VMS is GDPR-ready and certified to contain cyber security and privacy protection features that enable GDPR-compliant use.
Second, systems integrators must ensure privacy by design by applying the correct overall system design, system configuration and physical installation of cameras and other devices.
Last, but not least, end users must define and follow procedures and processes as to how video data is stored, handled and shared.
All that said, human error is still commonplace. Often, VMS and connected devices are installed and maintained by teams who are not fully trained in cyber security, and there are many misconceptions. One common mistake is believing that, because a system isn’t connected to the Internet, it doesn’t need cyber security. An isolated system can still be compromised by a USB device carried in by an engineer, or through an exposed camera network, which is particularly relevant where cameras are connected over Wi-Fi.
Developing and implementing security measures and Best Practice is known as ‘hardening’: a continuous process of identifying and understanding security risks and taking appropriate steps to counter them. The process is dynamic because threats - and, indeed, the systems they target - are continuously evolving.
Physical security is also a vital part of the hardening process, and it is often undermined by human error. It's prudent to place physical barriers around servers and client computers, and to make sure that elements like camera enclosures, locks, tamper alarms and access control systems are secure.
Training: an essential
That’s why training is so vital. People are still the weakest link in any security system. Even if maintenance teams are taught to avoid switching off the firewall and to configure anti-virus software correctly, all of that instruction can be undone by a password written on a piece of paper and stuck to a monitor.
Training needs to reach people across the organisation. It must be tailored such that individuals understand some of the unique security risks that come with VMS and the sensitive data that can be collected. They should understand how to comply with the GDPR.
Thereafter, they should know their role in securing the system, all the way from avoiding written-down passwords to the correct installation of cyber security systems. Understanding the threats out there is essential. You cannot protect against things you don’t know about. This means cyber security training is an ongoing effort and not a one-time event.
There’s a risk that training could become a tick-box exercise that people attend simply because they have to. To prevent this, use interactive sessions like Lunch and Learn, workshops and group work to engage all of those involved.
Another aspect is to consider the updates and security accreditations of the VMS itself. As a minimum, it has to be able to work in a GDPR-ready system to ensure end user compliance. The 'Gold Standard' would be regular releases that cover emerging threats and the implementation of new security features (two-factor authentication, for example).
The software should also be Secure by Design wherein security is at the heart of a developer’s mindset when they approach a task. If the VMS provider can illustrate that secure implementation is a priority then VMS cyber security is going to be built on robust foundations.
Risk of the IoT
Regular updates become even more vital in The Fourth Industrial Revolution, the name given to the current environment in which technological advances and innovations such as the IoT, robotics, Artificial Intelligence and virtual reality are changing the way in which we live. In some respects, the IoT poses the biggest cyber security risk today. There are too many unknown devices connected to networks with no standardisation around security.
One answer is a VMS that supports a dual-network design: cameras and other IoT devices sit on a completely locked-down network segment with no route to the corporate LAN or the Internet, and the only host with a presence on both segments is the recording server, which pulls the video and device information in and proxies it out to operators' clients. An attacker who compromises a camera still cannot reach the rest of the network, and devices that will never be patched are at least never exposed. This affords a level of immediate protection for IoT devices.
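The dual-network rule set described above, written out as an added example (this is not Milestone's code or configuration; the segment addresses, the recording server address, the camera service ports and the client port are all assumptions chosen for illustration). The policy is default-deny: the recording server alone may open connections to cameras, and only on the ports it needs; operator clients may reach only the recording server; cameras may initiate nothing, not even to each other or to the recorder. The same policy is rendered as an nftables forward chain for the firewall that sits between the segments.

```python
"""Dual-network policy for a VMS: cameras on an isolated segment, recording
server as the only bridge. Example code, not Milestone's; every address,
port and segment name below is an assumption chosen for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed segments (constructed for this example).
CAMERA_NET = ipaddress.ip_network("10.10.0.0/24")      # locked-down IoT/camera segment
CLIENT_NET = ipaddress.ip_network("10.20.0.0/24")      # operator workstations
RECORDING_SERVER = ipaddress.ip_address("10.0.1.10")   # only host present on both sides

# Ports the recording server needs on cameras (assumed: RTSP, ONVIF over HTTP/HTTPS).
CAMERA_SERVICE_PORTS = {554, 80, 443}
# Ports clients may reach on the recording server (assumed: VMS client API over TLS).
RECORDING_CLIENT_PORTS = {443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify(addr: str) -> str:
    """Map an address to its segment name; anything else is 'other' (e.g. Internet)."""
    ip = ipaddress.ip_address(addr)
    if ip == RECORDING_SERVER:
        return "recorder"
    if ip in CAMERA_NET:
        return "camera"
    if ip in CLIENT_NET:
        return "client"
    return "other"


def is_allowed(flow: Flow) -> bool:
    """Default-deny policy: recorder -> camera on service ports, client -> recorder
    on the client port, and nothing else (cameras never initiate)."""
    s, d = classify(flow.src), classify(flow.dst)
    if s == "recorder" and d == "camera":
        return flow.proto == "tcp" and flow.dport in CAMERA_SERVICE_PORTS
    if s == "client" and d == "recorder":
        return flow.proto == "tcp" and flow.dport in RECORDING_CLIENT_PORTS
    return False


def render_nftables() -> str:
    """Emit the equivalent nftables forward chain for the firewall between the
    segments. Stateful: replies to allowed connections pass; all else drops."""
    cam_ports = ", ".join(str(p) for p in sorted(CAMERA_SERVICE_PORTS))
    cli_ports = ", ".join(str(p) for p in sorted(RECORDING_CLIENT_PORTS))
    return "\n".join([
        "table inet vms {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {RECORDING_SERVER} ip daddr {CAMERA_NET} tcp dport {{ {cam_ports} }} accept",
        f"    ip saddr {CLIENT_NET} ip daddr {RECORDING_SERVER} tcp dport {{ {cli_ports} }} accept",
        f"    ip saddr {CAMERA_NET} drop   # cameras never initiate; made explicit",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample flows: the cases an integrator would want to verify.
    samples = [
        Flow("10.0.1.10", "10.10.0.23", 554),    # recorder pulls RTSP: allow
        Flow("10.20.0.5", "10.0.1.10", 443),     # operator client to recorder: allow
        Flow("10.20.0.5", "10.10.0.23", 80),     # client straight to camera: deny
        Flow("10.10.0.23", "203.0.113.5", 443),  # camera calling out to Internet: deny
        Flow("10.10.0.23", "10.10.0.24", 22),    # camera to camera (lateral): deny
        Flow("10.10.0.23", "10.0.1.10", 445),    # camera to recorder over SMB: deny
    ]
    for f in samples:
        verdict = "ALLOW" if is_allowed(f) else "DENY"
        print(f"{f.src:>12} -> {f.dst:<12} :{f.dport:<4} {verdict}")
    print(render_nftables())
```

The camera-to-recorder deny is deliberate: in this design the recorder pulls from the cameras, so a camera that starts talking to the recorder (or to anything) on its own is exactly the behaviour a compromised device would show, and the drop rule both blocks and logs it if a `log` statement is added. If a deployment relies on camera-initiated event push, that single port should be added explicitly rather than by widening the rule.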
Thanks to increased public awareness and the GDPR, cyber security and the privacy it maintains has become a Board-level priority. That can only be a good thing for privacy as a whole. Yet there’s still a lot of ground to make up for VMS installers and end users. Greater awareness of cyber security threats to the VMS is needed in tandem with knowledge specific to IoT devices to prepare them for The Fourth Industrial Revolution.
It will pay to remain up-to-date with all cyber security developments, particularly those relating to the IoT and VMS. Part of this should be the responsibility of the solution manufacturer who must regularly update the VMS to mitigate threats. By keeping a step ahead in terms of VMS cyber security, systems will be made less of a target. It’s hard to be caught out when you’re constantly in motion.
In terms of top tips on this subject, it's really all about awareness, hardening, training, privacy and regular updates.
(1) Awareness: Ensure wider awareness of the need for a secure VMS
(2) Hardening: Tighten up your VMS as part of an ongoing and dynamic process designed to ensure robustness
(3) Training: Educate users and colleagues on Best Practice in system set-up, installation and use
(4) Privacy: Maintain a ‘culture of privacy’ by ensuring that the system is GDPR-ready
(5) Regular updates: Keep systems up-to-date with the latest drivers, patches and fixes to stay ahead of would-be hackers
Neil Killick is Leader of Strategic Business (EMEA) at Milestone Systems