Tim Compston, Guest Features Writer at Security News Desk, finds out what is making waves in the world of video surveillance cameras, from the race for more pixels to, worryingly, the cybersecurity of the cameras themselves.
The capabilities of cameras are certainly on the rise with 'system-on-a-chip' architecture allowing video analytics at the edge, improved sensors supporting ever higher resolutions, and smarter compression techniques helping to ensure that the growing weight of data being generated can be transmitted, efficiently, and effectively. We are also seeing a wider array of camera form factors and aesthetics coming into play, especially in the retail arena, and ruggedized models making their mark in testing environments such as the oil industry. Of course, it is not just conventional cameras that are moving with the times, thermal cameras are being specified for security applications, especially at the perimeter, thanks to a lower price point for uncooled models and their all-weather detection capabilities.
Reflecting on the video surveillance market for 2017 - including cameras - Jon Cropley, Principal Market Analyst at IHS Markit, is forecasting worldwide growth of 7.4 per cent: "Demand is very robust for the cameras themselves but at the same time average prices are going down for cameras and related equipment at a very fast rate. This price erosion means that overall revenue growth is not as high as it might otherwise."
Given this reality, what are the practical implications of this continuing price pressure? Is it putting the brakes on camera development? Well, Cropley suggests that, contrary to what you might think, it is actually driving many technology trends in the market as manufacturers seek to differentiate their offerings from the competition: "Vendors are trying to avoid competing solely on price so they are loading their cameras with features. Higher resolution is one thing, there is also wide dynamic range, advanced low light performance, and analytics is certainly a hot topic now," concludes Cropley.
For his part, Marcus Kneen, IndigoVision's CEO, sees no sign of the 'commoditisation' of cameras changing anytime soon and believes that, invariably, this will lead to more consolidation in camera manufacturing. Talking, specifically, about the way IndigoVision is approaching the market, Kneen believes that, given this race to the bottom - and cybersecurity concerns associated with some cameras from some vendors - a better strategy, to buck this worrying trend, is to offer a 'verifiable end-to-end' solution.
The race for resolution
Moving on to the question of camera resolution, with HD (High Definition) and even 4K cameras being deployed more widely, it is vital, say the experts, not to get swept away in the race for pixels but rather to consider the context in which these solutions are going to be deployed, including the available bandwidth and low light performance.
Even with all the hype around 4K cameras, Jon Cropley reckons that 4K remains a more specialised proposition: "Demand for 4K cameras is increasing but the standard now is really 1080p and, certainly, what most companies are looking to take from network cameras."
Seeking out the thoughts of Martin Gren, the Co-founder of Axis Communications and the Director of New Projects, on the direction of travel for 4K cameras, he confirms that the company is predicting a strong sales pick-up in 2017: "There is not so much of a price difference between a full HD and 4K [camera] now." He adds a word of warning about the way that 4K cameras are rolled out: "4K is useless without smart compression because it generates too much data," concludes Gren.
Turning to Gren's colleagues, Joacim Tullberg, Product Manager - Video Management Systems - and, Product Analyst, Timo Sache for a more detailed discussion on higher camera resolutions, they agree that video compression, and the way it is handled, is a key component of the equation here. Tullberg stresses that a multitude of factors need to be optimised to deliver the right level of in-use performance: "What high resolution gives us is the possibility to have more information, valuable information, in the image and it drives the compression and storage needs, and the best thing is to have them working together."
Sache adds, logically, that there is no point increasing the resolution of camera sensors if you can’t deliver useable images: "You have to have a decent frame rate and compression." He also warns of the dangers of imposing a maximum bit rate limitation: "This is one of the stupidest things you can do. When the limit is very low it doesn't allow the camera to increase the bit rate should the scene complexity increase.”
Tullberg and Sache cite the rollout of the vendor's Zipstream technology as a real game changer. Zipstream, they explain, has been tailored specifically to cope with the demands of today’s video surveillance cameras and is, reportedly, more efficient than H.264 implementations with the potential to lower bandwidth, and storage, requirements by an average of 50 percent or more.
Alongside this, the two product specialists point to the importance of optimising video for forensic purposes with the Axis developed WDR (Wide Dynamic Range) Forensic Capture being a case in point. "If you deploy a video surveillance camera you are not, primarily, interested in a beautiful picture, you are interested in something forensically relevant. We try to preserve as many details without sacrificing anything from a forensics point-of-view," says Sache.
Another major focus for cameras, is, undoubtedly, the expanding footprint of multi-sensor models. Not surprisingly, Jeff Whitney, VP Marketing at Arecont Vision - an industry trailblazer here - is a strong advocate of these 180 and 360 degree cameras: "A multi-sensor panoramic camera provides video from its entire field of view non-stop and is able to be digitally zoomed in without impacting recording of the entire scene. This ensures superior situation awareness and outstanding image quality over a PTZ and reduces cost by requiring fewer cameras to be used."
Interestingly, Jon Cropley from IHS Markit suggests that the market for multi-sensor cameras has taken a very different direction from what was, initially, anticipated by analysts: "It is kind of strange because when they [multi-sensor cameras] originally came out, and started to enter the mainstream, we thought they would be used in conjunction with PTZ cameras. In reality people are often using the 180/360 degree cameras instead of the PTZ. There is a big benefit here because you don't need an operator as you can get the full field of view." In terms of overall demand, Cropley estimates that unit shipments of 180/360 degree cameras grew by over 50 percent last year: "It continues to be a high growth area," he concludes.
Under cyberattack – are cameras a weak link?
One area related to cameras, and the wider video surveillance infrastructure, that has been hitting the headlines recently is cybersecurity. So just how secure are these end points? A series of incidents over the past 12 months have raised red flags around the vulnerability of new, and legacy, video surveillance equipment to large-scale hacking attacks. This is not just from a privacy perspective, as individuals seek to gain unauthorised access to camera images, but, crucially, concerns being raised over cameras being used as a back door into the wider corporate network. Beyond this, by taking remote control of vulnerable cameras - that are essentially mini-computers - cybersecurity experts say there is a ready platform for individuals, groups and even states, to launch large-scale, disruptive, botnet/DDoS (Distributed Denial of Service) incidents.
On a small scale in cyberattack terms, but gaining column inches thanks to the target in question, this month saw the arrest of two individuals - a British man and Swedish woman - in London who were suspected of hacking into network video recorders in Washington DC just days before President Trump's inauguration. The attack, the Washington Post reports, involved ransomware impacted 123 of 187 network video recorders which meant that they could not record from the city's video surveillance cameras until remedial action was taken, specifically taking the recorders offline, removing any malicious software and the reconnecting them.
Denial of service
A much more dramatic event was the massive DDoS attack last year on Dyn - a DNS host - which took offline or impacted on the functionality of key websites, with the attack especially pronounced on the Eastern seaboard of the US. A significant proportion of the attack traffic was thought to have been compromised Internet of Things (IoT) devices participating in Mirai botnet activity. It is suggested by cybersecurity specialist Flashpoint that the attack was initiated by two types of devices, one - worryingly, was thought to have been a DVR running software from a Chinese company and the other a network-attached storage device.
Offering his perspective on the broader issue at hand, Erka Koivunen, Chief Information Security Officer at Helsinki-headquartered F-Secure, says that three main vectors of cyberattack come to mind in the context of video surveillance cameras: "Cameras are essentially computers connected to the network, they just happen to have some optics and some special purpose hardware built on top. Another attack vector is the fact that it [the camera] is connected to a backbone, back-end system, that collects and correlates video feeds from multiple cameras and these, of course, form an operation's centre centralized view of things." For Koivunen the third, and final, vulnerability is the fact that when back-end systems are breached it is possible to control what a camera is being pointed at and, crucially, whether it collects and stores a feed or just deletes it.
Gunter Ollmann, Chief Security Officer at Vectra Networks is certainly well versed on the security issues around Internet of Things (IoT) products thanks to Vectra Threat Labs recent work focusing on the way that consumer-grade Wi-Fi security web cameras can be hacked and reprogrammed to serve as permanent backdoors. In a worst-case scenario, Vectra Threat Labs’ efforts demonstrate that this could enable potential attackers to remotely command and control a cyberattack without being detected by traditional security products.
Many of the same problems, Ollmann suggests, need to be factored in to any discussion around professional video surveillance cameras: "I guess when I look at the problem with CCTV cameras and web cams, and the mix of those two, many are designed to be managed over the Internet, especially if you are a corporate organisation deploying these cameras as a means to monitor multiple sites centrally from one place without all of the hardware investment of on-site DVR systems and streaming players." This throws up a few interesting elements from a threat perspective, says Ollman: "I guess the number one problem for most of these systems, which are designed to be Internet accessible, is that the cameras themselves provide a web service and, typically, the authentication for accessing that network service is missing - or set to the default access credentials.
“Even if there are credentials on there [the camera] they don't, necessarily, have the systems on board to report back saying that someone is trying to do something to the user interface which it is not supposed to." In the end, Ollman points out that with the device becoming standalone, even if a camera is under attack, no one is likely to know - a sobering thought.
Given the emerging threat landscape, camera equipment manufacturers are keen to demonstrate that they are on the front foot with steps to harden their solutions.
Gren says that cybersecurity has to be front of mind for the physical security industry just as it has been for the IT sector: "If we look at video surveillance cameras they are IP based and they are an intelligent network node. We’ve seen attacks initiated through network cameras that brought down some key services such as DNS and even brought down a whole country. This is a result of cheap and inferior IP cameras and DVRs. They were configured with a standard hard-coded router password and put on the open Internet. If this was in the IT industry it’s an absolute no-no but we in the security industry, we unfortunately lag behind IT security."
Gren warns that, as a video camera is effectively a network node, it is important to apply the same security measures as you would for any other IT device. He says that the dangers associated with connected devices is nothing new, recalling that Axis Communications can trace its origins to the IT side of the industry: "Our business was actually doing print servers before network cameras. It is an embedded IoT [Internet of Things] device just like an IP camera."
Gren says that Axis learnt from the start about the importance of cybersecurity: "We had a bad attack in 1996 where some of our print servers took down a factory so since then we have instituted a lot of cybersecurity testing. On the video surveillance side, something like two years ago, we started publishing hardening guides and we have a lot of security measures in our products like 802.1x authentication. In particular, you do ringfencing so there isn't a single point of entry."
Arecont Vision’s Whitney offers another vendor perspective on the challenges associated with the heighted cyber threat: "Since their introduction many IP surveillance cameras have relied on network security to protect them from abuse. That is changing as cybersecurity attacks become more sophisticated and with IT taking a more active role in security systems." Whitney is of the view that no product of any type should be connected to a network unless it offers basic security protection, such as 16 character ASCII passwords. He adds that there is an onus on manufacturers to balance the user experience - by not making setup/operation too difficult - whilst at the same time providing improved protection.
Whitney turns to what he suggests is an often-overlooked issue which is harder for some camera vendors to solve: "Most surveillance cameras run common operating systems (OS) such as Linux." This, reveals Whitney, lets the manufacturer add third party code for features rather than developing everything on their own: "This approach is for cost savings and time-to-market reasons. Unfortunately, doing so also opens the camera to cyberattack, with the OS [Operating System] often the primary gateway."
To illustrate his point, Whitney goes on to flag-up the tens of thousands of cameras, NVRs, and Internet-of-Things (IoT) enabled-devices that have been used in well-publicized Distributed Denial of Service (DDoS) attacks resulting in network service disruption, security breaches, and lost income. Where he believes Arecont Vision has an edge on cybersecurity is the fact that the vendor’s cameras are immune to being used in DDoS and other cyberattacks: "We develop all our core functions for use on our Massively Parallel Image Processing Architecture. This eliminates the risk of undetected malicious code from a third party. We run it all on Field Programmable Gate Array (FPGA), integrated circuits that together allow us to update our architecture with the latest security updates plus add new features after camera is customer installed."
The bottom-line here, stresses Whitney is that if a hacker obtains the ID and password for an Arecont Vision camera, by malicious means, they are only able access that individual device: "They would be unable to repurpose it unlike other camera vendor’s products that have been proven susceptible in previous cyberattacks."
Given the dynamism of the cyber landscape it is important for camera vendors to keep pace with emerging threats and vulnerabilities and to communicate effectively with their user base. One development in this respect was the unveiling by Tyco Security Products - back in April - of an ambitious Cyber Protection Programme. This multifaceted initiative is designed to take a holistic approach to cybersecurity protection for physical security with each phase of the product development life cycle in the programme's sights.
Tyco says that the programme is a practical manifestation of the way it has been enhancing its cybersecurity expertise over many years, including in the provision of critical solutions for the United States Government and large multi-national customers. The company claims to hold many industry firsts on the cybersecurity front, including - in relation to US legislation - offering FISMA (Federal Information Security Management Act) ready access control and video solutions.
Jeff Barkley, Product Manager for Tyco's Cyber Protection Programme, reflects on the challenges at hand: "Starting with a Chinese vendor's issues two years ago, and the DDoS attacks over the past year - which took advantage of default passwords and open Telnet ports, people have become much more aware of how products, and cameras in general, can be vulnerable to misuse."
Who is really in control?
Cybersecurity is also high on the agenda for IndigoVision’s Kneen, who is concerned about the potential for back-door access to cameras: “There is quite a lot being written but I don’t think that the real risks are hitting home.” He poses the question if nation states invest in companies who market themselves globally are the resulting solutions really going to be secure?
Kneen cites the example of the US Embassy in Afghanistan which decided to take down cameras over such security concerns: “One of the big themes for me is can the owners of cameras trust their cameras? Can cameras communicate to others beyond who they are meant to be communicating with? You may have the stream coming to your NVR but is that the only communication to the world it is making or has it gone another route?”
Pauline Norstrom, Managing Director at NetVu Ltd, agrees that effective cybersecurity must now be front and centre for the physical security world: “The view of this company [NetVu] is that enhanced security features should be implemented. Just having the security features there doesn’t mean that they are going to be used. Combined with innovations which increase the security of the network when CCTV is implemented there must be an increase in the awareness of the need to secure it.”
To conclude, the message is clear that as camera vendors continue to build innovative capabilities into to new models the cybersecurity of these devices will remain an ever more critical consideration in buying decisions.
Interested in Attending Intersec 2018?