Milestone Systems: Protecting video against cyber-attacks
James Thorpe
ISJ speaks exclusively with Neil Killick, EMEA Sales Director, Milestone Systems.
Video is fast expanding its applications far beyond security, to deliver data insights that improve operations, maintenance and staffing, long-term strategy and more.
This expansion will only accelerate as technologies like the Internet of Things (IoT), smart cities and AI become mainstream.
With this comes additional cyber-risk that security leaders need to mitigate, to avoid video devices becoming compromised and leaking data.
Providing robust cybersecurity is a core charge for Milestone Systems – and Neil Killick, EMEA Sales Director at Milestone Systems, recently discussed this with ISJ.
Video is an attractive target for cyber-attacks
With its range of uses, video is becoming a priority investment for many organisations, which is leading to rapid growth.
As Killick explained: “This growth is being driven by a need to secure assets, but more leaders are realising the usefulness of video analytics and data in new operational areas like tracking passenger footfall in rail stations, measuring occupancy rates in buildings to inform maintenance and cleaning, alerting operators to broken-down machinery, understanding the use of parking facilities and planning store layouts.”
“Yet, as video becomes core to every operation and decision being made, video networks are becoming a more attractive target for malicious actors and insider threats,” he added.
Depending on the organisation, threats could range from state actors to insider attacks and blackmail. The data collected by such systems can be of value in itself, but unsecured cameras and other connected devices can also be the gateway to a larger attack.
As Killick pointed out, the list of networked devices is steadily increasing as smart cities and the IoT expand.
“Ultimately, this is giving would-be hackers more opportunities to compromise systems if devices are not properly secured and regularly updated against new threats.”
The cost of a data breach
If a data leak does occur, it can have significant financial, operational and reputational costs. IBM’s latest Cost of a Data Breach report found that, in 2023, the average cost of a data breach globally reached an all-time high of $4.45m.
“You also have to consider GDPR and the fines that can be levied for violating this – a significant $20m or 4% of annual global revenue. Potentially, a business-ending amount,” Killick cautioned.
This doesn’t account for the reputation and trust impact of a data breach.
High-profile breaches like British Airways, Shell and even NATO are making the public sensitive to potential data loss and weakening their trust in the collection, protection and use of their data.
“We risk public backlash and a roll-back of the advances made in video if providers and security leaders don’t effectively protect video systems and data,” Killick said.
Moreover, he pointed out that thanks to AI and automation, cyber-attacks are becoming more sophisticated: “It’s very much an AI arms race in cybersecurity and the threats are constantly evolving.
“It is only by partnering with a responsible vendor who remains committed to its cybersecurity response that your system can remain as updated as possible with any new threats.”
Amid this backdrop, Milestone is investing heavily in its cybersecurity response.
How to reduce the risk
“Your system can be exposed via external accesses like a mobile server, ONVIF bridge, the Microsoft Information Protection (MIP) SDK and so forth.
“Attacks can happen via the camera network itself or because of insider attacks or social engineering,” Killick explained.
“Vulnerabilities can also be created when designing and installing a system. Milestone’s approach takes each of these risks into account.”
Secure by design
“Milestone XProtect is designed to provide the highest security protection against external and internal security threats,” Killick added.
“Tiered administrator and strict, time-controlled user rights, enforced on the server side, combined with the use of standard IT security procedures, make XProtect the ideal choice for leaders focused on robust cybersecurity.”
Additionally, Milestone is compliant with the IEC 29147 standard, aiming to provide the best cybersecurity experience.
When it comes to gateway attacks, XProtect allows for the physical separation of camera networks and a client network, preventing attackers from accessing an entire system.
To effectively protect data, XProtect has secure end-to-end handling of exported forensic material and secure access for web and mobile users.
It also has secure integration of third-party applications and systems.
“This is really the tip of the iceberg with the measures we’ve put in place to protect the public and our customers,” Killick remarked.
“For added peace of mind, XProtect also has HTTPS for bidirectional encryption of communication, password protection of video databases and exports, digital signing of video to prove it hasn’t been tampered with in storage and an audit log to trace all user actions.”
To protect a video system from attacks via remote web and mobile access, it is also possible to apply a two-step verification process to the XProtect Web Client or the Milestone Mobile application.
XProtect Corporate has, for the second time, received EuroPriSe GDPR-ready certification from the European Privacy Seal Institute.
Protecting evidence material
“This deserves a special call-out due to the sensitive nature of the data being used and the potential for tampering,” Killick highlighted.
“When exporting forensic material using the XProtect Smart Client, video material evidence can be password-protected, encrypted and digitally signed.
“These security measures can be applied in addition to signing recorded data in the recording server.”
Encryption and password protection ensure that the forensic material can be viewed by the authorised receiver only, while the digital signature proves that the video has not been altered or manipulated while in transit.
The Milestone Product Security Incident Response Team (PSIRT)
Cyber-attackers never stop developing new threats and exploiting new vulnerabilities. This is where the ongoing work of the Milestone PSIRT comes in.
This team manages the receipt, investigation, internal coordination and disclosure of security vulnerability information related to Milestone products.
Customers and partners can report any potential Milestone security vulnerability for investigation, mitigation and disclosure.
“There is no such thing as being too secure, especially because cyber-attackers are always finding new exploits to gain access to data,” Killick elaborated.
“The PSIRT’s work is crucial to the ongoing security and protection of Milestone products. Customers and partners are invited to report any potential vulnerability to this team to investigate.”
The team then follows Milestone’s Vulnerability Handling Process to handle any mitigations or software updates needed – free of charge and as soon as possible.
As Killick added: “Naturally, we want our products to be as secure as possible and we aim to minimise any adverse impacts on business operations and corporate identity.”
Collaboration and communication remain key to Milestone’s response.
Therefore, the team regularly updates customers and partners on the latest threats, which most recently included Spring4Shell and Log4J.
Milestone was not impacted by either threat.
Milestone Responsible Disclosure Policy
“Although we perform the strictest software and hardware security processes and testing, the reality is that vulnerabilities are always a possibility. In such cases, transparency, communication and quick action are key,” Killick said.
“Our transparent disclosure policy is designed to resolve any vulnerability occurring in Milestone-developed capabilities, embedded technologies and execution environments where our products operate.”
“The policy covers active threat monitoring, rapid assessment and threat prioritisation, response and proactive customer contact and expedited remediation.”
Reducing the human threat
Another major vulnerability can come from the workforce. Indeed, 95% of cybersecurity incidents can be traced back to human error.
As Killick explained: “Even if you teach maintenance teams to avoid switching off firewalls and to configure antivirus software correctly, it can be undone by a password written on a post-it note stuck to a monitor.”
“Train people to understand how cybersecurity best practices are key to their role and show them how they can mitigate the risk of an attack by always locking their computer when away from their desks, using two-factor authentication and secure passwords.”
Training needs to be tailored to the unique risks posed by video surveillance systems and the data they collect.
Regular updates on the latest threats will help to keep cybersecurity top-of-mind for operators.
“For any advice and support, the Milestone response team is available 24/7,” Killick added.
Milestone and responsible use
We then moved on to Milestone’s dedication to the responsible use of video; Killick connected the dots, saying: “Cyber-resilience is a key feature of using video responsibly, as it is critical to gaining the trust of customers and the public in the ethical use and protection of video data.
“People must always be put before technology and that extends to the personal data that video devices collect and store.
“We look forward to a future where responsible technology will effectively be a licence to operate.
“In practice, Milestone is committed to the responsible use of technology from a foundation of three concepts that encompass the scope of our business: How we develop technology, how we sell our technology and how customers use our technology.
“We have consistently developed our responsible technology principles over many years, beginning in 2009 with the human rights clause in our End User Licensing Agreement (EULA).
“In 2017, we were joint signatories to the Copenhagen Letter after which we introduced Milestone’s Copenhagen Clause into our contracts.
“Then, in 2022, we made a commitment to the United Nations Guiding Principles on Business and Human Rights.”
It’s a significant move for Milestone, highlighting the company’s dedication to responsible technology.
As Killick put it: “We want to be a beacon for responsible technology in our industry. It’s really at the heart of every decision at Milestone.”
As an industry leader for 25 years, Milestone ensures cybersecurity is core to all of its products.
“You cannot talk about video today without mentioning cybersecurity,” Killick concluded. “That’s why your choice of vendor makes such a difference to your overall cybersecurity.”
“With our partnership, you can rest assured that your video system is as secure as possible, today and tomorrow… it’s why XProtect is trusted in over half a million customer sites worldwide.”
To find out more information, visit: www.milestonesys.com