Technological change and legislation are currently setting the direction for manufacturers of security solutions.
Legislation is pushing the security sector into a new gear. European regulations such as GDPR and the AI Act are prompting manufacturers not only to protect privacy but also to demonstrate cybersecurity and the authenticity of visual material.
Connecting any IT device also creates a potential gateway for attackers, especially when devices are not correctly ‘bolted down’ after installation. Security manufacturer Axis Communications tries to manage this tension with security-by-design and an internal ethical test: not everything that is possible should necessarily be brought to market.
Legislation points the way
“Axis Communications has been developing security solutions, including cameras, for many years,” begins Erik Baeten, security advisor at Axis Communications. “Many cameras are now used for Business Intelligence and Operational Efficiency purposes. We have noticed a clear change in this over the last few years as technology continues to evolve.”
Many of these changes are driven by evolving regulations. “In the European Union, there are various laws that ensure technology moves in a certain direction,” he notes. A well-known example is the GDPR, which focuses on the protection of personal data within Europe.
But it goes further than that. Legislation such as NIS2 and the AI Act also affects the development of cameras, for example. “These are some of the laws that determine which direction manufacturers must take to develop their devices according to the rules.”
Tools and technologies
“The goal of such legislation is to build systems that are difficult to hack,” Baeten continues. “With cameras in particular, it is important that the data your systems produce, such as video and metadata, does not fall into the wrong hands.”
But the authenticity of visual material is also important. “There are now all kinds of tools and techniques that allow you to prove that the video material is authentic and comes directly from the camera without anyone being able to manipulate the images,” he states. Legislation is pushing the industry to create such tools.
Encrypted videos
One such security technique is based on encryption keys. “Videos are not transported over the network as raw video footage because this is far too sensitive,” says Baeten. “The camera sends the footage encrypted to the receiver, where it is decrypted again.”
Another way to transfer videos securely is what Baeten calls Signed Video. “The footage from the camera is sent along with a specific signature. You can only view the material if you have that signature,” he explains. Furthermore, you can use that key to prove that the video is the original, authentic video material.
Smart, smarter, AI
When it comes to new technologies, we naturally cannot ignore AI. There are various AI applications in the security world as well. “To return to the guiding legislation, the AI Act is the foundation here,” says Baeten. The AI Act is a European regulation stating that anyone developing an AI algorithm must clearly describe its purpose, how it will be used, and which datasets are being employed.
“We develop AI algorithms ourselves with specific objectives related to the goals of a camera.” Baeten illustrates: “Thanks to AI tools, we can classify different vehicles, such as detecting trucks. We only want to receive reliable alerts, because every alarm that is triggered must be followed up, and there are costs involved,” he states.
AI algorithms are also increasingly being used for things beyond security. “In healthcare, for example, such AI technologies are applied to check if someone has fallen out of bed or is becoming restless,” Baeten notes.
Purpose of the technology
These (AI) developments can make various processes smarter and provide efficiency, but Baeten is aware that they can also be misused. “We want to make the world better with our technologies, but we realize there can also be a downside,” he continues. That is why Axis Communications established a Code of Conduct.
“With the committee, we first try to determine the purpose of a specific technology on a case-by-case basis. Furthermore, we ask ourselves whether that technology can also be applied in a simple way without it being used against us,” he explains. According to him, this leads to certain technologies simply not being used or sold.
As a concrete example, Baeten mentions facial recognition: “This is technically possible, but the privacy ‘by-catch’ is too great because you are actually analyzing all faces. It can cause more net harm than good.”
Open door
Moreover, technology can also leave the door ajar for cybercriminals. “Unfortunately, not every manufacturer invests as much time in making devices cyber-secure,” says Baeten. “Every IP device, such as a camera, is plugged into a network. Those devices, in turn, connect to the outside world—the internet—to download updates, for example.” It is a front door you are opening. “Anything that can go out can ultimately also come in.”
Every device is an entry point to your entire network.
Erik Baeten, security advisor at Axis Communications
According to Baeten, manufacturers are in a bit of a bind. “It is impossible to deliver a completely ‘bolted down’ device, because then the customer can no longer connect it to their network. Axis therefore ensures that partners receive training on how to secure a network and how to connect cameras to a network in a secure manner, so that a well-protected whole is created.”
Weak spots
Companies must be aware of the cybersecurity of their devices. “Our devices often end up in high-end environments precisely because we emphasize cybersecurity so much, and you can see that awareness is very much alive there,” says Baeten.
Cybercriminals today will not attack a large, well-secured bank directly, but rather a small party connected to the bank. They can then penetrate through that gateway, for example by sending a phishing email.
“As a manufacturer, we must take as many measures as possible to create as few weak spots as possible,” he states. “That ranges from measures for cameras to training or guides on how to secure the camera system, and network training on how to make a network reliable.”
“We don’t wait for the outside world; we hire people ourselves to look for weaknesses in our systems,” says Baeten. Openness is an important aspect, which is why we are also part of Common Vulnerabilities and Exposures (CVE), communicate transparently about our vulnerabilities, and perform the necessary patches.
Real or not?
Although we started the article with a series of regulations that set the direction for manufacturers, that regulation is also the Achilles’ heel of technological developments. “Legislation always lags slightly behind technology,” says Baeten. “The technology has existed for a long time, and only now is legislation starting to emerge.”
He is primarily concerned about future generations. “Our youth will have to learn to look critically at all the data presented to them and learn to distinguish between reliable and unreliable, and real and fake,” says Baeten.
“It is up to us to educate the next generation with techniques such as the aforementioned Signed Video or encryption keys. The technologies we have now must ensure that everything can be traced back to a reliable source,” he concludes.