Managing risks to CCTV data and systems
CCTV systems collect all types of information for a wide range of reasons. While the
equipment is valuable, it is almost always the records, and the information
they hold, that matter the most.
Many CCTV systems record images of people, especially if they are set up in a public
space. This type of record is 'personal information', which is protected under
privacy legislation. As a result, every effort should be made to keep the
records secure and avoid misuse.
Managing the risk to records protects the CCTV owner as well as the individual being
recorded. CCTV records may be used as evidence in criminal proceedings. They
can also be used to demonstrate that an innocent activity was genuinely
innocent. Either way, the records should be stored securely until they are
handed over to the police. For private operators, there may also be good
commercial reasons for ensuring confidentiality of the records.
At a basic level, the question is: what can go wrong, and how much does it matter?
CCTV systems are exposed to a range of intentional physical security risks such as
tampering with camera placement, power supplies, communications cabling and
controlling equipment. These risks may be prevented with physical control
measures, such as housing these items in locked enclosures appropriate to the
risk and environment (such as equipment that is accessible to the
public). Procedural security can be used to deter and detect attacks on
CCTV infrastructure by visual inspection and review of indicative alarms.
Natural disasters also present risks. You can't prevent fires, floods, or earthquakes,
but you can minimise the risk of damage or loss of data from your CCTV system.
While insurance can cover the loss of equipment, data is not replaceable.
A good offsite backup system for electronic data, such as CCTV video,
configuration data, usage logs, etc., can reduce this risk. Systems that
back up data instantaneously are less likely to lose data than systems that
rely on scheduled periodic backups.
Modern digital CCTV systems are typically dependent on computing equipment performing
continuously. Protection from inevitable hard disk failure is usually
provided with redundant disk storage systems (using RAID arrays). Once a
disk failure has been detected (automated detection should be tested
regularly), the failed disk can be substituted with a replacement disk onto which
the missing data is automatically copied. This rebuilding process can take many
hours due to the large storage capacity, which presents additional risks: the
storage system may not cope with the rebuilding load, resulting in missing data,
and data may not be protected from any further coincidental disk failure(s)
(depending on the redundancy design). Whilst it may be impractical to have
full CCTV system redundancy, it may be prudent to maintain service spares of
essential components. For example, power supplies are required for
interrogation of system data or access to live CCTV resources. As such,
battery backup and/or alternate utility supplies may be warranted.
Attacks on CCTV information from human threats can be grouped as:
- Availability; the information is not available when needed. Information may have been deleted accidentally or maliciously, or normal access prevented through disruption to normal processes, such as physically damaging equipment and communications or inundating communication channels.
- Accuracy; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
- Confidentiality; the information has been disclosed to unauthorized persons. This may have occurred with or without knowledge of the CCTV system owner. An obvious example of this is the unauthorized duplication and dissemination of video to media outlets - made easier if operators have ready access to high speed internet connections. A less obvious example may be an unauthorized access by computer 'hackers' where CCTV systems are interconnected with other data networks.
- Integrity; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
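One way to make substitution or mishandling of exported footage detectable is a hash-chained custody log, shown here as an added example that is not part of the original guidance. The key, clip identifiers, handler names and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value for the first entry in the chain
# Constructed sample data: short byte strings stand in for exported video files.
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key is kept off the recorder
DEMO_CLIPS = {"cam01-0001": b"frame-data-A", "cam01-0002": b"frame-data-B"}


def _entry_mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the same entry always serialises to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_clip(log: list, key: bytes, clip_id: str, video: bytes, handler: str) -> dict:
    """Record a clip's SHA-256 and link the entry to the previous one."""
    body = {
        "clip_id": clip_id,
        "sha256": hashlib.sha256(video).hexdigest(),
        "handler": handler,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry = dict(body, mac=_entry_mac(key, body))
    log.append(entry)
    return entry


def verify(log: list, key: bytes, clips: dict) -> list:
    """Return a list of problems; an empty list means log and clips agree."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _entry_mac(key, body)):
            problems.append(f"entry {i}: log entry altered")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        video = clips.get(entry["clip_id"])
        if video is None:
            problems.append(f"entry {i}: clip {entry['clip_id']} missing")
        elif hashlib.sha256(video).hexdigest() != entry["sha256"]:
            problems.append(f"entry {i}: clip {entry['clip_id']} content changed")
        prev = entry["mac"]
    return problems
```

Removing entries from the end of the log is not detected by the chain alone, so the most recent `mac` value should also be recorded somewhere the CCTV operators cannot change.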
Even with the best of intentions, mistakes can and do happen. They include
accidentally deleting records or even entire hard drives, overwriting backups,
forgetting to maintain a system, placing cameras in the wrong place, or
forgetting to make a regular, scheduled backup. Some of these can be prevented
by information management policies that include user training and restricting
access to system resources, usually with logical access control (such as user
log-on accounts). This can also help reduce the chances of deliberate
actions aimed at destroying or stealing data or equipment. Personnel
security vetting is often included in licensing requirements and can reduce
risks of inappropriate usage by CCTV operatives.
Cybersecurity Measures (Protecting the Network)
- Change Default Credentials: Immediately change default usernames and passwords for cameras, routers, and Network Video Recorders (NVRs) to strong, unique credentials.
- Implement Network Segmentation: Place CCTV cameras on a dedicated Virtual Local Area Network (VLAN) to isolate them from critical business IT networks.
- Update Firmware Regularly: Check for and install firmware updates from manufacturers to patch known security vulnerabilities.
- Disable Unnecessary Services: Turn off unused features like UPnP (Universal Plug and Play), HTTP, and unused network ports.
- Use Encryption: Ensure data is encrypted in transit (using HTTPS or VPNs) and at rest (using AES-256 for storage).
- Secure Remote Access: Avoid direct port forwarding. Use a VPN for secure remote access to the system.
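The segmentation, unnecessary-services and port-forwarding items above can be checked against a device inventory, as in this added example (not part of the original guidance). The subnet, device names, service labels and rule format are constructed assumptions, not any vendor's export format.

```python
import ipaddress

# Constructed policy: the dedicated CCTV VLAN and the services allowed on it.
CCTV_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SERVICES = {"https", "rtsps"}

# Constructed inventory and router rules for illustration only.
DEVICES = [
    {"name": "cam-lobby", "ip": "10.20.30.11", "services": ["https", "rtsps"]},
    {"name": "cam-dock", "ip": "192.168.1.57", "services": ["https"]},
    {"name": "nvr-01", "ip": "10.20.30.2", "services": ["https", "http", "upnp"]},
]
PORT_FORWARDS = [
    {"wan_port": 8443, "target": "10.20.30.2"},
    {"wan_port": 443, "target": "192.168.1.10"},
]


def audit(devices, forwards, vlan=CCTV_VLAN, allowed=ALLOWED_SERVICES):
    """Return (subject, finding) pairs for each deviation from the checklist."""
    findings = []
    for dev in devices:
        # Segmentation: every camera and recorder should sit inside the CCTV VLAN.
        if ipaddress.ip_address(dev["ip"]) not in vlan:
            findings.append((dev["name"], "outside CCTV VLAN"))
        # Unnecessary services: anything not on the allow-list (e.g. UPnP, HTTP).
        for svc in sorted(set(dev["services"]) - allowed):
            findings.append((dev["name"], f"unneeded service enabled: {svc}"))
    # Remote access: no WAN rule should point straight at a CCTV host,
    # including hosts that are wrongly placed outside the VLAN.
    cctv_ips = {ipaddress.ip_address(d["ip"]) for d in devices}
    for rule in forwards:
        target = ipaddress.ip_address(rule["target"])
        if target in vlan or target in cctv_ips:
            findings.append(
                (f"wan:{rule['wan_port']}", f"direct port forward to CCTV host {target}")
            )
    return findings
```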
It is worth considering how you will manage these and other risks to the security
of your CCTV equipment and records. Most strategies fall into one of four
categories:
- Avoid the risk - for example, by moving a camera out of reach of vandals, or locking a door after hours.
- Transfer the risk - for example, by outsourcing the CCTV system and ensuring that contracting organizations, within the contract, are responsible for the security of records.
- Accept the risk - for example, by relying on default settings in CCTV equipment because you believe the risk is low.
- Reduce the risk - for example, ensuring only authorized people have access to CCTV computer systems and information.
In most cases, the final approach uses several strategies and depends on
individual circumstances. It ultimately depends on the value of the records,
the risk of loss or damage, and the consequences. These decisions are best made
before the records are collected and, if possible, before a CCTV system is even
installed. It is advisable to have an Information Security Management
Plan that includes CCTV systems to ensure that risks are treated
appropriately. The policies and procedures used to apply information
security should be competently reviewed and executed.
Physical Security Measures (Protecting the Hardware)
- Lock Down Equipment: Secure recorders (DVRs/NVRs) and network switches in locked cabinets or access-controlled rooms.
- Protect Cabling: Use cable conduits to prevent tampering, "smash and dash" thefts, and environmental damage.
- Anti-Vandal Enclosures: Use cameras with IK10 impact-resistance ratings for high-risk, accessible areas.
- Regular Maintenance: Clean lenses and inspect cameras for tampering, ensuring they have not been moved or covered.
Government organizations have an additional obligation to consider the security
classification of CCTV records and may consider implementing an information
classification policy in accordance with the relevant government regulations.
The agency's security officer should be contacted for advice in these
cases.
Personnel and Operational Security
- Employee Training: Educate staff on the risks of phishing, the importance of password security, and how to report suspicious activity.
- Manage Staff Turnover: Immediately revoke access to the CCTV system for departing employees.
- Work with Professionals: Utilize reputable, certified installers who understand both physical and cybersecurity requirements.
Information classification should be considered by private CCTV system owners, particularly
with the advent of computer-based CCTV system designs and high-capacity
portable media.
This process helps provide assurance that the information in CCTV records will be handled
appropriately to reduce negative risks.
