IFSEC 2017 – a few after event thoughts and insights


In June 2017 we saw IFSEC 2017 hosted at ExCeL London as part of a series of shows and expos dealing with security, safety, protection and management. What was particularly interesting was the creation of a new event at IFSEC focusing on Border and Infrastructure protection, a subject that perhaps would traditionally have been covered by the large defence expos. Whilst perhaps still in its infancy this year, you can see the logic in bringing this subject into IFSEC with the surveillance technology and PSIM.

I was fortunate to be able to spend two days visiting IFSEC this year, although it has to be said that this is not enough time to do full justice to the show, and the size and scale of the event requires careful planning to get the most out of it. What was particularly noteworthy was the number of high quality seminars that were run across the three days and open free of charge to all participants at the show. This year there were four ‘theatres’ in operation each with their own distinct theme:

  • Security Management Theatre sponsored by Panasonic
  • Smart Theatre by Tyco
  • Border & Infrastructure Theatre sponsored by Genetec
  • Tavcom Training Theatre Sponsored by TDSi

Although each theatre had its own track, there were a number of common themes coming out of many presentations, and here I provide a quick overview and commentary on three that were particularly interesting to me:

  • GDPR – the ‘General Data Protection Regulations’ that come into force across Europe in May 2018.
  • Cyber Security in Video Surveillance and Security Systems.
  • The increasing use and effectiveness of analytics in video surveillance.

General Data Protection Regulations (GDPR)

The GDPR was approved and adopted by the European Parliament in 2016 and comes into force in 2018 in all member states. The GDPR will affect all organizations located within the EU, and those outside the EU if they offer goods and services to, or monitor the behavior of, EU data subjects. At the moment UK companies will also need to be compliant with these regulations; after Brexit the position is less clear, although we can expect the UK government to adopt these or very similar regulations into UK law.

Failure to comply with the GDPR can be a costly error with the most serious offences attracting a fine of up to 4% of annual global turnover or €20 million and the rules apply equally to controllers and processors of data.

EU operators of video surveillance systems must start to pay attention to their current and future installations to ensure that they are compliant with the new regulations (and indeed existing data protection laws in EU member states). It should also be noted that these regulations do not replace other laws concerning the operation of public space surveillance cameras such as the UK’s ‘Protection of Freedoms Act 2012’ where operators of large public surveillance systems, e.g. local authorities, are expected to comply with the code of conduct.

Within the UK, organisations such as the NSI are working in conjunction with the Office of Surveillance Commissioners and offer a route to obtain a certificate of compliance from the Surveillance Camera Commissioner. Whilst this may be of benefit to large public organisations that wish to demonstrate compliance and provide reassurance to the local community, this certification process does have ongoing obligations (e.g. annual reviews) and therefore a cost overhead; for others simply completing their own self-assessment could be sufficient to be satisfied that their installations meet the code of conduct.

Returning to the main subject of GDPR, all EU organisations, if they are not already doing so, must put in place plans to ensure they are compliant by the time the rules come into force next year.

Cyber Security in Video Surveillance and Security Systems

It is not surprising that this was quite a big theme at this year’s show, particularly given the number of significant cyber-attacks that have occurred over recent years, with the notable recent ‘WannaCry’ ransomware attack which affected large parts of the UK’s NHS and industries and banks in Europe and around the world. Whilst it is not currently believed that this recent attack originated in security equipment, the fact that we are increasingly seeing security systems connected to the internet (to support remote video monitoring, for example) means it is only a question of ‘when’ and not ‘if’ we will see attempts at large scale exploitation of these systems for malicious purposes. Indeed, in 2014 we saw the exploitation (if not particularly effective) of a brand of DVRs for bitcoin mining, which just goes to remind us that vulnerabilities do exist.

One of the reasons that security systems may pose a higher level of risk, compared to business IT systems, is that whilst there may be a lot of common underlying technology between IT and video surveillance/security systems, many companies outsource the installation and maintenance of security systems or simply install security systems and forget about them. These security systems, therefore, often do not fall under the authority and control of IT departments and are either not maintained or are maintained by bodies that simply are not prepared and skilled to deal with these modern systems. For example, how many CCTV installation companies really know how to secure the systems and are able to keep them up to date with the firmware and patches as they become available (assuming they are even contracted to do so)?

Raising awareness across the industry is essential to tackling this problem, and Panasonic used IFSEC to demonstrate that they are a manufacturer that is taking positive steps to ensure that the latest generation of systems they are selling are inherently secure and that their partners and installers are trained and equipped to securely deploy and maintain these systems. Their series of instructive seminars both highlighted the issues and demonstrated the steps they are taking, such as embedding certificates and keys in the cameras at the time of manufacture to ensure that they can’t be hacked or rerouted once they are deployed in the field as part of their secure solution.

The increasing use and effectiveness of analytics in video surveillance

The last of the themes that I will touch on from IFSEC is the use and effectiveness of analytics in video surveillance. In a world where video surveillance coverage continues to grow at a phenomenal rate, these systems will only be truly effective if they can detect events as they happen in real time, and not just offline for investigation of historical events. However, the task of monitoring hundreds or thousands of cameras, particularly in an urban environment, is simply not effective when done by humans, as their ability to monitor cameras and detect events diminishes rapidly after perhaps only 20 minutes. In addition, monitoring large numbers of cameras in real time by humans is simply too expensive and not efficient enough given the number of people required and the relatively low amount of activity that would be detected on each camera.

This issue has long been recognised in the industry and even though video analytics have existed for many years now, in forms ranging from simple video motion detection through to facial recognition, the capabilities and performance of these systems have not always met the expectations of the end user. Whilst users will be aware of issues such as false positives, I wonder how many users consider the events they are missing through false negatives. As with all technology solutions, users must make themselves aware of any limitations of these systems and not be overly dependent on them, particularly for critical coverage.

PSIM and intelligent surveillance vendors (e.g. Genetec, Milestone, Advancis) are doing a lot to make the job of the security control room operators more effective by linking VMS to other sensors such as intruder, BMS and fire alarms, and the industry continues to develop new and better analytics solutions. There were a number of analytics solutions on show at IFSEC from vendors such as Qognify and Digital Barriers which show how much these systems have progressed in recent years. That being said, there is still some way to go, with the optimal performance of facial recognition, in particular, still being somewhat constrained by the environmental conditions.

One interesting debate that can be had is where the analytics are actually performed. The current preference still seems to be to do analytics on dedicated central servers and there are a number of advantages to doing this. It allows the analytics system to be largely camera agnostic and for the vendor to develop optimised solutions in a controlled hardware and software environment. One downside of this approach is that if you want to perform real-time analytics on a very large number of cameras, from geographically diverse locations, it requires the backhaul of a lot of high quality video feed as well as a large centralised processing and storage capability or a distributed analytics server solution. On top of this debate, there is also the impact of cloud based solutions, which perhaps only complicates the matter.

The sense I got from IFSEC is that the analytics solution providers want to keep the analytics away from the cameras. At the same time, camera manufacturers are looking to add value and are putting increased processing power in their cameras. Therefore, it may be in their interests to try and move the analytics to the cameras themselves. However, for complex analytics this is not a trivial undertaking, particularly when the analytics must access databases such as facial recognition. From the customer perspective, they will want to see solutions running on an open architecture that means they are not tied to a single camera manufacturer. This is a space I will be following with interest.

On a final note, investments in video surveillance systems can be very large undertakings for many organisations and yet in many environments (such as shopping malls, transport hubs etc.), these same systems can collect, or already are collecting, data that has commercial value, e.g. people counting, movements and flows, where people visit etc. Some vendors, such as Panasonic, demonstrated at IFSEC how they are already making inroads here, but other vendors remain purely focussed on security applications; perhaps additional sales can be achieved by identifying ways to add further value from their solutions in more diverse ways (e.g. tokenised facial recognition to track movements and habits and/or linking to social media). Of course all this must be done taking into account GDPR and other privacy regulations!