Cybersecurity in surveillance

The Network and Information Security Directive (NIS2) and the European Cyber Resilience Act (CRA) set out specific requirements for the cybersecurity of products with digital components. Against this backdrop, the obligations of manufacturers of video surveillance technology, for example, have also increased. Jürgen Seiler, Head of Business Development at Dallmeier electronic and CRITIS expert, answers important questions about cybersecurity in video surveillance.

1. What responsibilities do manufacturers of surveillance technology have, both at the hardware and software level, to ensure that their products meet cybersecurity standards?

The manufacturer's responsibility arises from the end customer's perspective. They must consider the entire value chain, including upstream suppliers. And with regard to physical security – and this naturally includes surveillance components – one thing is very important: network-based video security products for physical security (e.g. for perimeter protection, building protection) must not jeopardise the “other”, complementary security of the CRITIS operators, namely IT and cybersecurity. Video surveillance cameras and systems must not be a gateway into the customer's IT network or OT network.

As a European manufacturer of video surveillance devices, we have voluntarily and proactively taken on our corporate responsibility even before and beyond legal regulations such as the EU NIS2 Directive and the Cyber Resilience Act (CRA). The “Security by Design” guidelines set out in the EU-GDPR provide decisive guidance for manufacturers and users. We see that end customers are therefore increasingly asking for products and solutions that meet these criteria and are “Made in Europe”. NDAA compliance – although not officially relevant in the EU – is also often used as a quality criterion.

2. When looking for a suitable surveillance solution, what should customers and users look for? What expectations should they have of manufacturers, their installers and integrators, and what cyber responsibility lies with the users themselves?

When selecting manufacturers and integrators, it is advisable to carry out a thorough manufacturer check in advance to ensure that the products offer the highest level of technical cybersecurity and meet the requirements for physical security. This includes assessments, tests and proof of cyber conformity. Furthermore, products should comply with the “Security by Design” and “Privacy by Design” principles of the EU-GDPR. Legal compliance in accordance with European directives and national laws (NIS2 | RCE | CRA) is equally important. Legal compliance also means that the solutions actually offer adequate physical protection according to the technological “state of the art” and that the supply chain fulfils the security criteria. Cyber- and ethical aspects of the manufacturer and its country of manufacture must be checked, particularly with regard to authoritarian third countries. In the case of the latter, it is not only a question of possible gateways, but also of keeping an eye on a possible current or future influence by official bodies such as secret services to request access to systems. Validated references and proof of expertise in physical security and cybersecurity should be obtained and it is advisable to carefully check the extent to which the manufacturer has tested both dimensions of resilience together.

3. Many users, especially individuals and small businesses, may not immediately realise why cybersecurity should be an issue when using surveillance solutions. What would you recommend to explain the risks and raise awareness?

Cybersecurity in the use of surveillance solutions is an often underestimated but extremely important issue. Nowadays, cameras, workstations and recording systems are almost always connected to the internet as they act as “IoT” devices. This means that they are just as vulnerable to cyberattacks as any other networked system. To make the risks clear and sensitise users, we recommend creating permanent awareness for risk analysis, cybersecurity and cyber hygiene. This includes regular training and education.

Appropriate technical and organisational measures (TOMs) help to ensure cybersecurity. This includes complying with the “state of the art” and ensuring the security of the supply chain. Security measures should be taken when purchasing, developing and maintaining IT systems and components in order to avoid disruptions to availability, integrity, authenticity and confidentiality. It is also important to ensure that they are used as intended and to install regular security updates.

It is particularly important to raise risk awareness among users and executive management. We therefore recommend raising awareness of the high priority of cybersecurity and preparing for the law. For example, by highlighting high-profile cases that could cause monetary and reputational damage, up to the worst-case scenario of jeopardising business continuity or bankruptcy. It is also helpful to point out the stricter liability rules for management and the threat of fines under NIS 2, RCE and regulations and directives such as the GDPR (Security by Design) or the US NDAA.

4. The popularity of cloud-based surveillance technology continues to grow. What are the potential risks of relying on external service providers? Or are cloud services perhaps even more cyber secure as cloud providers place more emphasis on security? What cybersecurity issues should users consider when using cloud services for surveillance?

In our view, the success and global acceptance of cloud technologies and cloud applications is confirmation that companies and users have established and gained a certain basic trust in the cloud. And yes, in our view, cloud providers can invest more in security technologies and also provide professional personnel expertise than the customer or the medium-sized or large company itself. In general, both cloud and on-premise operations must comply with the appropriate technical and organisational measures in terms of cybersecurity in accordance with industry standards. The greatest risk is often the user or the person themselves, regardless of whether cloud or on-premise. From a technical perspective, there is no longer any difference between the security of cloud and on-premise environments in terms of physical security.

5. How does your company make sure that the solutions you provide are cyber secure?

In addition to compliance with data security regulations by the user, we as a manufacturer of video surveillance systems also bear a high level of responsibility, and our products and solutions offer our customers an extremely broad portfolio of proven technical functions for data security and data protection. The fact that all development and production is based in Regensburg, Germany, means that we also have full control over all stages of the value chain and can ensure the highest level of cybersecurity in all aspects. The development and manufacturing within the framework of the rule of law also guarantees neutrality towards state interference and maximum ethical responsibility. Our products are compliant with EU-GDPR, NDAA and all planned directives related to data protection and cybersecurity, such as EU NIS2, EU RCE, EU CRA, in preparation with the EU AI Artificial Intelligence Act and DIN 62676-4. Our internal Information Security Management System (ISMS) and internal IT security processes are ISO 27001 compliant and certified.

With 40 years of “Made in Germany”, Dallmeier stands for the highest level of security in terms of legal and compliance, data protection and cybersecurity.

Feel free to join in our discussion on LinkedIn

Do you have any questions? Or would you like to share your thoughts on this subject with us?
We welcome you to post your comments and remarks!