How to protect a video management system (VMS) from cyber attacks - and maintain privacy

In 2018, users of the British Airways (BA) website were diverted to a fraudulent site. This site allowed the harvesting of around 500,000 people’s details in what BA described as a “sophisticated, malicious criminal attack” on its website. As a result, the Information Commissioner’s Office (ICO) handed out its biggest penalty yet - £183m.

When the US credit score agency, Equifax, experienced a massive data breach in 2017, more than 147million US citizen’s details were exposed. In the same breach up to 15million UK citizens were left at risk. The agency had been warned that its system suffered from a critical vulnerability, but had failed to follow up procedures to rectify the situation. The consequence of which was a £561m fine from the US regulator, and a £500,000 fine from the ICO in the UK.

These are just two examples from an increasing number of highly publicised data breaches and hacks which have weakened trust in data security. Alongside this is a general fear for the safety of our own personal data. In short, cybersecurity has become part and parcel of everyday life.

Organizations now face a perfect storm. The list of networked devices is steadily increasing, thanks to the rise of the Internet of Things (IoT) and there are now even greater opportunities for would-be hackers to compromise systems. For many, it’s a matter of when - not if - a hack or breach will occur. When it does, it could take a long time to gain back public trust. The good news is that there are many tools at hand which can minimize the risk and protect your data.

One particular vulnerability surrounds the use of video management systems (VMS) and connected devices. Despite the rising prevalence of data breaches, awareness of the needs of tighter security when installing and using a VMS is yet to catch up. Complacency is the enemy: even the most basic security errors can put a system at risk.

Security integrators must keep on top of the issue, by understanding new risks and how to secure a VMS and connected devices. Especially when the stakes are so high. Under GDPR, organizations can be fined up to €20 million (or 4% of annual turnover) for infringement. A potentially business-ending penalty.

The amount of the fine will be based on the nature, gravity, duration and character of the infringement. As well as the type of personal data collected. So, highly sensitive data such as biometric information would be classed differently to less personal data, like postcodes or usernames.

How this applies to video data isn’t clear cut. Even on a basic level video may capture individuals at events or scenes that could establish political involvement, for example, a type of data categorized as Sensitive Personal Data.

Once a company falls foul of GDPR because of its VMS and video devices, the consequences will be far more severe. More organizations will likely rush to secure their VMS. Of course, when it comes to GDPR, nobody wants to be the first infringement.

Installers must ensure that the VMS they’re using is GDPR-ready – and is certified as such.

This brings us to the practicalities of securing your VMS. With GDPR, the onus is on creating a ‘culture of privacy’ around the use of video systems. Organizations cannot collect data simply on the basis of ‘just in case’. There must be a legitimate reason for collecting and storing VMS data. It also must be ‘reasonable’ in relation to that purpose.

In practice, this might look like a VMS analyzing pedestrian activity for potentially dangerous behaviour. Unwell people can be automatically flagged by the system when standing too close to the edge of a rail platform, for example. Using VMS in this way is clearly in the public interest - there is a legitimate reason for installing such a system and storing the data.

Ensuring a GDPR-compliant video operation includes three steps. First, make sure your VMS is GDPR-ready and is certified to contain cybersecurity and privacy protection features that enable GDPR-compliant use.

Secondly, systems integrators must ensure privacy by design by applying the correct overall system design, system configuration and physical installation of cameras and other devices.

Lastly, end users must define and follow procedures and processes for how video data is stored, handled and shared.

However, human error is still commonplace. Often, VMS and connected devices are installed and maintained by teams who aren’t fully trained in cybersecurity. There are many misconceptions. One such mistake is believing that because a system isn’t connected to the Internet it doesn’t need cybersecurity. However, it could be easily compromised by a USB device, or by having exposed camera networks, which is particularly relevant if connecting cameras using WiFi.

Developing and implementing security measures and best practices is known as "hardening", a continuous process of identifying and understanding security risks, and taking appropriate steps to counter them. The process is dynamic because threats, and the systems they target, are continuously evolving.

Physical security is also a vital part of hardening; humans and their errors often compromise this. For example, use physical barriers to servers and client computers, and make sure that things like camera enclosures, locks, tamper alarms, and access controls are secure.

That’s why training is so vital. People are still the weakest link in your security system. Even if you teach maintenance teams to avoid switching off the firewall and to configure antivirus software correctly, it can be undone by a password written on a sticky-note stuck to a monitor.

Training needs to reach people across the organization. It must be tailored, so people understand some of the unique security risks that come with VMS and the sensitive data that can be collected. They should understand how to comply with GDPR.

Then, they should know their role in securing the system. From avoiding written-down passwords, to the correct installation of cybersecurity systems. Understanding the threats out there is essential. You cannot protect against things you don’t know about. This means cybersecurity training is an ongoing effort, not a one time event.

There’s a risk that training could become a tick-box exercise that people attend because they have to. To prevent this, use interactive sessions like lunch and learns, workshops and group work to engage with everyone.

Another aspect is to consider the updates and security accreditations of your VMS itself. As a minimum, it has to be able to work in a GDPR-ready system to ensure end user compliance. The gold standard would be regular releases that cover emerging threats and implements new security features (dual encrypted authentication, for example).

The software should also be secure-by-design. Where security is at the center of a developer’s mindset when they approach a task. If your VMS provider can illustrate that secure implementation is a priority - as is the case with Milestone XProtect^®, for example - then your VMS cybersecurity is built on robust foundations.

Regular updates become even more vital in The Fourth Industrial Revolution, the name given to the current environment in which technological advances and innovations such as the IoT, robotics, artificial intelligence (AI) and virtual reality (VR) are changing the way we live. In some respects, the IoT poses the biggest cybersecurity risk today. There are too many unknown devices connected to networks with no standardisation around security.

One solution for this is to use a VMS supporting dual networks, where IoT devices are connected to a completely locked-down network and information generated from these devices is then proxied via the recording server. This gives a level of immediate protection to IoT devices.

Thanks to increased public awareness and GDPR, cybersecurity and the privacy it maintains has become a board-level priority. That can only be a good thing for privacy as a whole. Yet, there’s still a lot of ground to make up for VMS installers and end-users. Greater awareness of cybersecurity threats to the VMS is needed. Plus, knowledge specific to IoT devices to prepare them for The Fourth Industrial Revolution.

It will pay to remain up-to-date with all cybersecurity developments, particularly relating to the IoT and VMS. Part of this should be done by your manufacturer, who will regularly update the VMS to mitigate threats. By keeping a step ahead in your VMS cybersecurity, you’ll make your systems less of a target. It’s hard to be caught out when you’re constantly in motion.

Top tips
1. Awareness – ensure wider awareness of the need for a secure VMS.
2. Hardening – tighten up your VMS as part of an ongoing, dynamic process to ensure robustness.
3. Training – educate users and colleagues on best practice in system setup, installation and use.
4. Privacy – maintain a ‘culture of privacy’ by ensuring that your system is GDPR-ready.
5. Regular updates – keep your system up to date with the latest drivers, patches and fixes to stay ahead of would-be hackers.

This article was first published in Security Matters https://www.fsmatters.com/Cyber-security-for-Video-Management-Systems