Confidentiality, Integrity and Availability (CIA) for Surveillance Video

The CIA triad—Confidentiality, Integrity, and Availability—has been a foundational information security model for four decades. However, achieving these principles fully and reliably for medium and large-size security video surveillance deployments has not been possible until now. Note that this column is twice the typical length because the subject of CIA for video surveillance cannot be treated shallowly.

Q: Our security cameras missed capturing an incident that damaged critical IT equipment. Our CISO said we need to implement CIA for video surveillance. What does that mean?

A: Implementing CIA for video surveillance means more than your CISO might realize because these systems are cyber-physical. Their CIA involves both digital and physical domains.

CIA for Cyber-Physical Systems

Cyber-physical systems (CPS) integrate physical components like machines and sensors with software and networks to control and monitor them, enhancing efficiency and safety in critical areas such as energy, transportation, healthcare, and manufacturing. In physical security, CPS includes building access control, video surveillance, and intrusion detection systems, often integrating to provide multi-sensor validation and situational awareness.

As I will explain in my talk at the Converge Security Conference in Anaheim, California, this October, CIA for CPS is more complex than CIA for purely digital systems. The complexity arises from including electronic and physical elements, requiring CIA to apply to sensor data collection, physical control actions, and system integration data exchanges.

AI and IoT Technology to the Rescue

Fortunately, two award-winning products now fully address the most neglected aspects of video CIA: camera field-of-view integrity and image quality assurance for the physical domain; data path and storage integrity and availability for the digital domain; and the system's cyber hygiene. These CIA capabilities are crucial today because businesses depend on AI-enabled video analysis for detecting criminal and other prohibited activity, optimizing retail operations, supporting safety compliance, and ensuring safety, quality assurance, and troubleshooting on manufacturing lines.

While manual management of CIA is feasible for small-scale deployments, larger deployments require significant automation to maintain video data's confidentiality, integrity, and availability at scale. Threat actors have already shown their ability to manipulate video (deepfakes) and use their access to exfiltrate large-scale video data (the Sony Pictures and Verkada incidents come to mind).

Camera Field of View Image Integrity

Ensuring camera image integrity is challenging, especially when relying on human efforts. With hundreds of cameras, only severely misaligned ones tend to catch human attention, and even these can often be missed. Both indoor and outdoor cameras are prone to accidental misalignment by workers or cleaners and can be repositioned by ill-intending individuals, particularly during off-business hours, without being noticed. A bad actor might reposition a camera temporarily or block its view to commit a misdeed and then return it to its original position to avoid detection.

Additionally, outdoor cameras can have their fields of view gradually obstructed by overgrown greenery, while weather conditions can cause dirty lenses or bugs to nest inside camera housings. Night lighting outages can also darken scenes, often going unnoticed.

One company experienced the theft of expensive furniture, which was replaced over time with cheap look-alikes in a hallway with no video coverage. Even with video coverage of such an area, without CIA, an insider could access a camera’s record-on-motion setting, disabling it periodically to ensure that the theft of each furniture piece would not be captured on video.

AI Solves the Image Integrity Problem

AI-based software from Ai-RGUS identifies and addresses image integrity issues by comparing camera images to reference images representing the intended field of view. This software, developed by CEO Daniël Reichman during his Ph.D. in electrical and electronics engineering at Duke University, was initially designed to help the university maintain its then-1,100 cameras. Ai-RGUS performs daily health checks on camera images, providing automated alerts for discrepancies such as incorrect field of view, blocked view, tilt, blur, glare, low light, and inactive feeds. Camera Performance Reports review historical performance to identify trends and inform system upgrades and changes.

The system also supports multiple reference images for outdoor cameras, accommodating varying daily lighting conditions and changes from snowfall, rain, sandstorms and other seasonal variations. Its AI capabilities learn the image impacts of these conditions, reducing false alerts that plagued earlier generations of video analytics software.

Additionally, Ai-RGUS performs camera health checks with automated alerts for issues such as camera/device liveness, cameras being online but not producing images, insufficient recording days per camera, hard drive problems, and timestamp correctness. It also provides tools for firmware management, including managing firmware versions and performing bulk updates automatically. Furthermore, it supports setting policies for camera password expiration and complexity requirements.

Starting Off With Integrity in Mind

I plan to use Ai-RGUS to assist in system commissioning for several upcoming video surveillance upgrades. For large projects, evaluating camera installation and configuration weekly, rather than at project completion, ensures ongoing image quality and accuracy, and saves work time by preventing repetition of unrecognized mistakes. This approach simplifies the final system acceptance evaluation.

Addressing Large Enterprise Scale Camera Deployments

Achieving CIA for large-scale enterprise video projects requires comprehensive infrastructure management, which the Viakoo enterprise IoT platform provides. Viakoo ensures the confidentiality, integrity, and availability of the entire physical security system infrastructure, with specific capabilities for video systems. It incorporates robust authentication and password rotation mechanisms – not just password checking and policy enforcement. Viakoo can automatically set new passwords, on demand or on the schedule you set, for all cameras (and other IoT devices) and the VMS, provided you have Milestone, Genetec, ExacqVision, or one of many supported VMS.

Viakoo supports secure certificate encryption protocols, intrusion/vulnerability detection platforms, and comprehensive firmware management practices, including automatic rollback if a firmware update fails. Additionally, Viakoo enables organizations to extend their Zero Trust IT initiatives to cover physical security IP devices, including networked video cameras. Upon detecting a camera device, Viakoo can assess its security posture (e.g. checking against the National Vulnerability Database for known vulnerabilities in its firmware), report on it to Physical Security and also to an interfaced network monitoring system such as Armis, Forescout, Nozomi, Claroty, and many others.

The Viakoo platform is designed to manage the entire video technology infrastructure as a complete system, encompassing multi-vendor component parts. It focuses on the integrity of each video data stream throughout its life cycle—from its inception at the camera, through network distribution, to its retention point. Viakoo provides insights into the performance-critical and compliance-critical functionality of the system infrastructure and its individual devices, with per-camera and aggregated performance KPIs.

Viakoo understands multi-vendor network and computing infrastructures and can detect and report device faults, performance anomalies, and trends. It is designed to inform vendor technical support functions and alert end users of current and impending application and device faults. The preemptive aspect of Viakoo’s digital twin-based monitoring, combined with its automated root cause analysis, provides comprehensive diagnostics data to all involved technology vendors without requiring access to the video systems and networks. This eliminates cross-vendor finger-pointing and enables efficient problem resolution. Digital twin modeling helps address short-lived, intermittent problems that are the hardest to diagnose.

IT-Style Troubleshooting

It has long been an IT best practice to collect device and system status and diagnostics data and store it separately from the monitored device or system. In Viakoo’s case, this is highly secure cloud storage. Having a cloud-based system that consolidates all troubleshooting data into a single timeline is a major time-saver, and its automated root cause analysis is especially valuable when a single problem is causing multiple cascading failures.

Viakoo’s automated data collection solves the major problems confronting the tech support teams of most physical security industry manufacturers—limited remote access and little to no troubleshooting data. Remote access, if available, typically gives each manufacturer insight only into its product’s error logs. Viakoo provides a single view of all relevant troubleshooting data shared by each manufacturing and service stakeholder, with no access needed to the VMS or underlying operating system. This total combination of proactive, preemptive and fault-time diagnostic capabilities with automated root cause analysis ensures the highest system uptime, regardless of the number of IP devices or their locations.

Large Scale Video Technology Management

Most manufacturers and their software developers are used to lab testing their own systems and products and often don’t have deep insight into the realities of large-scale multi-system security technology deployments. Viakoo’s capabilities are based on its nearly two decades of experience with large video deployments. For example, Viakoo’s cloud-based firmware management solution allows parallel updating of camera firmware that can reduce weeks of firmware update work to days. However, you don’t want to update all cameras in a single area at the same time, because security video surveillance is a 24/7 operation. So, Viakoo allows the grouping of cameras so that lobbies, hallways, parking areas, executive offices, and so on can update camera firmware in parallel but with only one camera per group at a time, eliminating critical area blind spots.
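
The grouping rule described above, as an added Python sketch (not Viakoo's code or API): areas update in parallel, but each wave takes at most one camera from any group. The group names, camera IDs, the update/rollback callables and the policy of halting a group after a failed update are assumptions made for illustration.

```python
from collections import Counter
from itertools import zip_longest

# Constructed sample inventory: area group -> cameras (hypothetical names).
GROUPS = {
    "lobby": ["lobby-1", "lobby-2", "lobby-3"],
    "parking": ["park-1", "park-2"],
    "hallway": ["hall-1"],
}

def plan_waves(groups):
    """Split cameras into waves holding at most one camera per group."""
    waves = []
    for column in zip_longest(*groups.values()):
        waves.append([(g, cam) for g, cam in zip(groups, column) if cam is not None])
    return waves

def max_offline_per_group(waves):
    """Largest number of same-group cameras updating in any one wave."""
    return max((max(Counter(g for g, _ in w).values()) for w in waves if w), default=0)

def run_rollout(groups, update, rollback):
    """Run waves in order. On a failed update, roll that camera back and halt
    the rest of its group (assumed policy) so a bad image cannot blind an area."""
    updated, rolled_back, halted = [], [], set()
    for wave in plan_waves(groups):
        for group, cam in wave:  # a real rollout would run one wave's cameras concurrently
            if group in halted:
                continue
            if update(cam):
                updated.append(cam)
            else:
                rollback(cam)
                rolled_back.append(cam)
                halted.add(group)
    done = set(updated) | set(rolled_back)
    skipped = [c for g in groups if g in halted for c in groups[g] if c not in done]
    return {"updated": updated, "rolled_back": rolled_back, "skipped": skipped}

if __name__ == "__main__":
    for i, wave in enumerate(plan_waves(GROUPS), 1):
        print(f"wave {i}: {[cam for _, cam in wave]}")
    # Simulated device calls: park-1 rejects the new firmware.
    print(run_rollout(GROUPS, lambda cam: cam != "park-1", lambda cam: None))
```

The number of waves equals the size of the largest group, so total update time is set by the biggest area rather than by the camera count.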

This is the kind of intelligent automation needed for physical security systems. Only the two companies mentioned have a good enough command of cyber-physical dynamics to fully apply AI and IT capabilities to system management.

Achieving True CIA for Video Surveillance Systems

Combining Ai-RGUS’s automated image integrity assurance and Viakoo’s automated cyber hygiene, Zero Trust device authentication, comprehensive password management and performance monitoring tools provides a gap-free CIA solution for large-scale video surveillance systems. The groundbreaking aspects are that 'missing video' becomes a thing of the past, and security teams can recover the time spent on the only partially effective task of manually checking each camera's status. Automation is not only more effective but also less costly.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.