Development of cyber-sustainable video surveillance systems


Cyber security is a trending topic in the video surveillance market. As a result of international regulations, companies are assessing the potential security risks of video surveillance systems, deploying crisis management policies and developing mitigation plans for events related to a data breach. Customers desire trustworthy products and vendors are rushing to fill this gap to satisfy the market demand. Multiple vendors are offering a great number of solutions; however, the choice and diversification perplex customers, who often have difficulty identifying the best solution for their needs. In this paper, Videotec puts forward its vision with regard to developing safe products and describes its strategy for cyber security.


Customers are currently overwhelmed by the perpetual advertisement of products related to cyber security. At tradeshows and in sector magazines, multiple products are being promoted as key elements for cybersecurity. Unfortunately, cyber-safe products cannot be marketed with the same strategy as other devices, for example, explosion-proof rated cameras. The key difference is that for threats that do not concern software a set of well-defined and well-documented requirements exists: in general it is possible to universally define safety requirements for installation in special environments, such as a drilling rig, a marine vessel or along a railway. For software, similar requirements exist but there is less clarity than with their counterparts when it comes to security. Furthermore, a device’s firmware and video management software (VMS) are updated by each vendor to introduce new features or to fix bugs. Every update may have an impact on the reliability of the complete video surveillance system. Finally, security researchers continuously identify new issues that may reduce the safety of the system, even if no change is applied to the facilities.

Deploying a cyber-secure system is a challenging task under these ever-changing conditions. Other aspects of security, such as mechanical, electrical or environmental, are not subject to similar uncertainty. As an example, designing an explosion-proof system is a well-known process, involving classifying zones, identifying the nature of the explosive elements, such as gases or dusts, and deducing the product requirements. During the lifespan of the system, the identified risk sources do not change. Similarly, during installation on a marine vessel, the video surveillance equipment is commissioned and will not change until the entire ship is refurbished.

The lack of certainty that characterizes software, combined with the existence of complex standards that have a restricted competent audience, results in a professional market that is trying to fill this gap incoherently, by pursuing certifications and stamps or by adopting aggressive advertising strategies based on over-optimistic promises about product features.

Orientation between different cyber-security certification options

Several certification options are currently available on the market, and these can be placed in two main groups:

● System certification

● Product certification

As the name suggests, system certification addresses cyber-security at a system level. This group includes ISO27001, NIST SP 800-53 and ISA/IEC62443-3, for example. In these frameworks, risks related to information management are evaluated across every aspect of the organization: information generated by the devices, storage, access control to the information and physical security to protect data from being stolen from data centers. Since these certifications must be flexible enough to adapt to heterogeneous systems, they define frameworks for analyzing a system and assessing its risks, but they do not mandate specific, explicit requirements. System certifications delegate the definition of such requirements to the organization willing to achieve the certification.

In contrast, product certifications are narrow in scope, targeting a single component subject to certification. A single component can be a camera, a networking switch or video management software. In this category are the EMV standard for credit and debit cards, the UL2900 series and ISO/IEC 15408, also known as Common Criteria.

It is clear that pursuing a system-level certification involves the customer and the integrator installing the video surveillance system. Manufacturers should target product certifications and drive efforts to ease the integration of their products into the system-level certification frameworks being pursued by their customers.

Videotec’s strategy for cyber-secure video surveillance systems

Videotec started developing its DeLux technology several years ago. At that time, Videotec had a clear vision for its products: developing safe products for all possible tasks - mechanical, electrical, electromagnetic and software - according to current and future security requirements. The mission of the DeLux technology was, and still is, to provide a reliable, safe and future-proof platform that integrates with all products.

Sharing a common platform between multiple products is challenging. It requires deep planning of product design to ensure the platform will function perfectly within any product. It also implies that new software releases are compatible with any previously released camera. Thus, every time a new product is released the effort to validate the software increases. Due to this decision, Videotec guarantees that any new security feature and any bug fix will be available to its customers regardless of product age and whether it is still present in the current product catalogue.

From the beginning of the DeLux project, two key points were immediately clear.

The first point is that software architecture must be flexible enough to guarantee integration into very different products, and at the same time, it needs dedicated components that guarantee the un-exploitability of the device. For this reason, the code executed by the device is partitioned into different security domains, making sure that processes that implement the protocol interfaces towards the video management software cannot harm the internal components that accomplish video acquisition, perform compression and constantly monitor the correct function of the unit.

The second point that Videotec immediately understood is that ensuring the correct functioning of the software in every device is as important as the software running in just the cameras. For this reason, Videotec started developing internal tools that perform automated testing on the entire set of devices that incorporate the DeLux technology. Every night, the validation tools embedded into the continuous integration process automatically test each product to verify that no regression was unintentionally introduced as software development proceeds. Every time Videotec adds a new feature in response to a customer's suggestion for improvement or to the identification of an issue, it also updates the testing tools to increase the reliability of its products.

Videotec believes that its products, and the continual updating of these, actively contribute to maintaining the safe operation of secure video surveillance systems, helping IT departments and system administrators by keeping their systems balanced and by not requiring excessive mitigating actions or protections due to future issues. At Videotec, we call this cyber-sustainability.

At the time of writing this white paper, Videotec has yet to definitively choose a certification scheme for the DeLux technology. Several options are being evaluated, as we search for a solution that will create value for our customers without sacrificing the addition of new features on all products that make up the DeLux technology range.

Although Videotec is still exploring the best certification scheme for its software, this does not prevent us from having a clear and active development path for the cyber-security in our products. At Videotec, the following five principles are the basis for implementing cyber-security in products:

● Hardened software architecture to minimize the attack surface of the cameras;

● Constant updates and availability of new features, even on old products;

● Removal of predefined credentials in the products, to strongly indicate to customers that, as a minimum, a new username and password combination must be defined by the user during installation according to the system-level security requirements;

● Contribution to the ONVIF Security Service specification, to push the industry to shift from usernames and passwords to X.509 certificates;

● Clear communication to customers, by avoiding fake marketing claims.

Videotec had an active role in the development of the ONVIF Profile Q specifications. Among other activities, it contributed to driving the standard towards the removal of predefined credentials. The security market must teach installers and users that using pre-defined usernames and passwords is equivalent to not having credentials at all. Defining the factory-default state of Profile Q compliant devices, where no authentication is required, is the strongest reminder a vendor can provide to its customers.

Similarly to its commitment to ONVIF Profile Q, Videotec is proposing extensions to the ONVIF Security Service specifications that will include the widespread adoption of X.509 certificates to replace the use of credentials. Moving towards this new way of handling authentication between devices and VMSs will not only impact devices, but it will require a leap forward for the whole video surveillance market. Beyond implementing the functionality in its devices, Videotec is already planning the actions that will be necessary to make its customers effective at selling, installing and maintaining video surveillance systems based on this technology.

Last, but not least, trustworthy communication to customers is a key value for Videotec. For this reason, Videotec will never exploit the unintuitive requirements of system certifications or international privacy rules to send wrong messages to the market. As an example, Videotec added to all its IP products an instruction about performing a safe installation according to the General Data Protection Regulation (GDPR), similarly to the instructions given for mechanical, electrical or environmental safety. These instructions are meant to teach customers and stimulate their attention to aspects related to cyber-security. As such, instructions will never be turned into unreliable market claims, such as claims for conformance to the GDPR or any other rule.


Cyber-threats started menacing video surveillance systems from the day the first IP-based device was put into the market. At that time, the number of digital systems was low and video surveillance was not as pervasive as it is today. In the last ten years, the video surveillance industry has vigorously shifted from analogue to IP products and, at the same time, it has witnessed a constant growth in market demand. As a result, digital video surveillance systems are everywhere nowadays and attract attention not only from professionals, but also from malicious users.

Keeping these systems safe from cyber-threats is an activity that cannot be accomplished just by performing a risk assessment analysis during the commissioning phase: maintenance and recovery plans must be operative during the whole lifespan of the systems. These activities have a cost; managing the effects of a system violation also has a cost. Integrators and users must find the correct balance, to minimize expenses while keeping video surveillance systems updated and secure. To make it easier to reduce the expenses related to maintenance and recovery plans, Videotec bases the development of its products on the concept of cyber-sustainability, where support, updates and training about the products span an interval that is larger than each single product lifecycle and assist integrators and customers in keeping their systems protected.
