Implementing a Video Plan

Designing a security system with cybersecurity in mind

There’s a specific paradigm shift in the world of video that might be bigger than the transition from analog to IP more than 15 years ago.

Over the last decade, the emergence of the Internet of Things (IoT) and a demand for more video data have changed the way businesses operate. But as connectivity increases, so too does the need for stronger security for physical assets, networks, and valuable corporate data. As a result, a dialogue between cyber, IT and physical security is necessary to help leaders gain a greater knowledge of how to best collaborate to ensure complete protection.

This is especially relevant for government security professionals, who must communicate with aligned internal departments to drive strategies that help identify vulnerabilities in a more proactive manner. The result of these conversations: a truly comprehensive approach to security intelligence.

To maintain a high level of security and ensure business continuity, government agencies seek solutions that help predict and identify threats in real time. But often, there are too many alerts generated by too many systems, and none of this data is integrated; it is therefore not actionable.

Linking cyber and physical security transforms data into intelligence, which helps agencies connect the pieces of any situation and present a unified risk assessment to the right stakeholders. By capturing and analyzing data in real time, government organizations gain a visual representation of risks across the business while accessing information related to the most critical events taking place. Not only does this process enable a higher and more proactive level of protection, but it also helps facilitate a plan of action based on unified intelligence.

No market faces more challenges in today’s business and security landscape than the government segment. Security leaders in this market have to focus on securing every single aspect of their network infrastructure, which includes confirming that software and firmware updates on surveillance cameras are completed on demand and as they become available. In addition, as more and more physical security devices become network-connected, encryption and vulnerability testing are essential to ensure secure data transfer and storage.

With so much information captured on a daily basis, agencies need to evaluate how to secure not only video data but also an entire video surveillance system. In the past, this meant making sure best practices were enforced so that an individual could not physically tamper with a camera; however, now the focus also incorporates IT processes, such as ensuring that no one can access the camera and its data via the network. This marks quite a change from years past when cybersecurity wasn’t part of any physical security conversation. But the adoption of IP-connected devices makes a cyber attack a genuine possibility.

Within federal, state, and local governments, the combination of IT and security teams, along with the involvement of procurement, has made the decision-making and budgeting process more complex. However, technology providers have learned much about the specific needs of this market while maintaining the integrity of the product life cycle.

That’s where the strategic design of a solution that encompasses video and the intelligence it can bring comes into play. In essence, software providers have worked to meet the demands of integrators serving the government space and their end users by incorporating several protocols that help guide interconnectivity and provide a significant amount of protection against threats. This can be achieved through several methods:

Understanding ownership. While many federal agencies employ experts in the field of physical and cybersecurity, technology providers must play a role in positioning these organizations to proactively detect evolving threats. But this effort is not without its challenges. The identification of stakeholders becomes critical early on when working on a project. Agencies can make this easier by understanding who will be involved in implementing a new video-centric solution across an organization.

Deciphering risk. Government organizations are constantly working to determine risk factors and how to address them with not only policies and processes, but also technology. These organizations often look to integrator and manufacturer partners to help identify the solutions that can address these risk factors.

Video data is one area where this is essential. With so much information that needs to be protected, security leaders need to evaluate how to secure not only video data, but also the entire video surveillance system, which includes video management. This is where cybersecurity protocols and guidance can come into play to help protect, along with the design of products that better leverage these tools.

Identifying tools. One way to decipher risk is through the concept of “security by design,” which is an approach to software and hardware development that aims to make systems as free from vulnerabilities and protected from attacks as possible. This is especially important for devices that run on a network. But the design should be coupled with additional touch points for monitoring the health of the system, and government agencies are required to also provide ongoing oversight of a network to protect critical information.

One tool that is commonly used to scan networks to identify issues is Nessus, an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures (CVE) architecture for easy cross-linking between compliant security tools. Its functions include malware detection, configuration auditing, target profiling, sensitive data discovery, and more.

A suite of other tools, along with hands-on penetration testing, should be built into the product development lifecycle to continue identifying potential vulnerabilities and ensure there are no “back doors” into the system. Some other best practices include assigning various user levels where possible to protect pieces of the system and being diligent about ensuring the right level of access for the user. Finally, taking steps to encrypt all communications between devices is essential.

This includes the way the video transmits to the operator workstation, where it is stored, and all the connections between these various locations; they must all be encrypted to ensure the most secure data sharing capabilities are in place.

But this is just the tip of the iceberg. In order to fully identify the right tools, it is essential to know the risk.

Examining the Supply Chain

A big part of the landscape for navigating cybersecurity protocols across the government sector is adherence to the strict standards put in place to protect the network, such as the use of IPv6, the Federal Information Processing Standard (FIPS) 140-2, and (in access control) the use of the Federal Government Identity, Credential and Access Management (FICAM) standards. As a result of the nature of today’s threats, the federal government has taken steps to ensure these protocols are met and executed.

The National Defense Authorization Act (NDAA), which specifies the budget and policies of the Department of Defense (DoD), prohibits the purchase and installation of video surveillance equipment from select Chinese companies in federal facilities. This act has created a ripple effect across much of the security industry, as integrators work to make sense of the products they can and cannot use for government-related projects.

In this regard, cybersecurity and national security go hand in hand, as the idea is to minimize the perceived risk moving forward. One way some camera manufacturers have started to limit this risk is by examining the supply chain and making adjustments on where various components of a camera originate. Another is by engaging in a General Services Administration (GSA) Schedule Contract used to sell to federal agencies (as well as state and local government on occasion). GSA also has several requirements that must be met, including country of origin standards or compliance with the Trade Agreements Act (TAA).

Speaking the Language

Early in the design process, it’s critical for integrators and manufacturers alike to understand the needs of the government space. This means implementing measures that foster this communication. Many integrator companies and security manufacturers are taking the necessary steps to form internal task forces made up of cybersecurity and former DoD professionals who have a working knowledge of the demands of the government sector.

Part of this involves engaging with professionals who keep current on the threats this market faces. For example, professional services departments made up of network, consulting, and deployment specialists are being formed to address some of the significant challenges that federal agencies face as it relates to access.

Some of these individuals have top-secret clearances, meaning they can access areas of a facility that are considered visually classified and offer a significant amount of support beyond the traditional integrator or installer. This makes a real difference in understanding and being able to speak the language of a federal agency, IT department, or security leader in this space.

Vulnerability Testing

A critical component of designing for data protection is vulnerability testing, which evaluates the security risks in a software system and reduces the probability of a threat. In the government sector, for example, this includes Security Technical Implementation Guide (STIG) configuration.

STIGs are the configuration standards for DoD that contain technical guidance to “lock down” information systems and/or software that might otherwise be vulnerable to a malicious attack. In essence, this helps standardize network security protocols that aim to identify vulnerabilities and address them before they become a risk. Building these protocols into a product goes a long way in helping secure a government organization’s systems.

Keep Up-to-Date

Cyber threats continue to increase and evolve in sophistication, and security leaders — both IT and physical — need to maintain a proactive approach to mitigating this risk. As government entities continue to embrace the connected world, new cyber vulnerabilities will come to light. As a vendor in the video surveillance market, we are entrusted to provide secure products and guidelines to safeguard solutions from various types of risks, including cyber vulnerabilities.

One of the best ways to reduce network vulnerabilities associated with video surveillance is to ensure strong levels of data protection. Highly secure encryption and role-based access control are two capabilities that elevate security while meeting the compliance requirements of government agencies.

Government security leaders need to evaluate what parameters work best for their specific environments while being cognizant of emerging risks and how to proactively address them. Regardless of the specific application, a secure, compliant video surveillance infrastructure built on common cybersecurity protocols enables organizations to maintain strict levels of cyber and physical security, protecting business, employees, and assets along the way.

This article originally appeared in the May/June 2020 issue of Security Today.

