Chapter 6: Security & Risks
Security architecture, physical protection, electrical safety, network hardening, risk grading, and emergency plans
6.1 Security Architecture
The security architecture for an underground parking surveillance system is organized as five concentric defense layers, each addressing a distinct threat surface. The outermost layer protects field devices from physical tampering and credential compromise; the innermost layer protects the supply chain from firmware-level backdoors. Each layer must be independently hardened — a weakness at any single layer can be exploited to compromise evidence integrity, which is the system's primary security objective.
The network segmentation model divides the system into three security zones: the surveillance device zone (cameras, I/O gateways, gate controllers), the surveillance platform zone (VMS, storage, NTP, log server), and the office/visitor zone (operator PCs, client terminals). Inter-zone traffic is controlled by firewall ACLs that permit only the minimum required protocols. Remote O&M access must traverse a VPN jump host with full session logging.
| Layer | Threat Surface | Control Strategy | Verification Method |
|---|---|---|---|
| Field Devices | Default credentials, physical tamper, lens block | Unique passwords per device, tamper alarms, IK10 housings, anti-tamper screws | Credential audit, tamper alarm test, physical pull test |
| Access Network | Lateral movement, ARP spoofing, port flooding | VLAN isolation, port security (MAC limit), ACL, storm control | VLAN penetration test, MAC flooding simulation |
| Core / Platform | Privilege abuse, unauthorized export, DB tampering | RBAC with least privilege, MFA for admin, immutable audit logs, HA | RBAC role review, MFA enforcement audit, log integrity check |
| Remote Access | Exposed management ports, brute force, session hijack | VPN only (no public exposure), IP allowlist, session timeout, MFA | Port scan from internet, VPN session log review |
| Supply Chain | Firmware backdoors, counterfeit hardware, tampered updates | Signed firmware verification, approved vendor list, update policy with rollback | Firmware signature check, vendor certification review |
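The zone model and "minimum required protocols" rule can be encoded and used to audit a firewall rule set before commissioning. The following is an added example, not part of this chapter or of any vendor product: the zone address ranges, the allowed-flow matrix and the sample rules are all constructed assumptions, and a real deployment substitutes its own traffic matrix.

```python
"""Audit a firewall rule set against the three-zone model of 6.1.

Added example (not from the original document). Zone ranges, the
minimum-protocol matrix and the sample rules are assumptions built
for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Assumed zone addressing (constructed for the example).
ZONES = {
    "device":   ipaddress.ip_network("10.10.0.0/24"),  # cameras, I/O gateways, gate controllers
    "platform": ipaddress.ip_network("10.20.0.0/24"),  # VMS, storage, NTP, log server
    "office":   ipaddress.ip_network("10.30.0.0/24"),  # operator PCs, client terminals
    "vpn_jump": ipaddress.ip_network("10.40.0.5/32"),  # remote O&M jump host
}

# Assumed minimum-protocol matrix: (src_zone, dst_zone) -> allowed (proto, port).
# Anything not listed, including every flow from "external", is a violation.
ALLOWED = {
    ("platform", "device"):   {("tcp", 554), ("tcp", 443)},   # VMS pulls RTSP, manages over HTTPS
    ("device", "platform"):   {("udp", 123), ("tcp", 6514)},  # cameras: NTP query, syslog over TLS
    ("office", "platform"):   {("tcp", 443)},                 # operator clients reach the VMS
    ("vpn_jump", "platform"): {("tcp", 443), ("tcp", 22)},    # O&M through the logged jump host
    ("vpn_jump", "device"):   {("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # CIDR
    dst: str             # CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone; anything outside the defined zones is external."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"   # includes 0.0.0.0/0 and any WAN address


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per allow-rule that exceeds the zone matrix."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        if r.proto == "any" or r.port is None:
            findings.append(f"{r.name}: wildcard service {src}->{dst}; allow only named ports")
            continue
        if (r.proto, r.port) not in ALLOWED.get((src, dst), set()):
            findings.append(f"{r.name}: {r.proto}/{r.port} {src}->{dst} not in minimum-protocol matrix")
    return findings


# Constructed rule set with three deliberate violations.
SAMPLE_RULES = [
    Rule("vms-rtsp",    "allow", "10.20.0.10/32", "10.10.0.0/24",  "tcp", 554),
    Rule("cam-ntp",     "allow", "10.10.0.0/24",  "10.20.0.2/32",  "udp", 123),
    Rule("cam-syslog",  "allow", "10.10.0.0/24",  "10.20.0.3/32",  "tcp", 6514),
    Rule("office-vms",  "allow", "10.30.0.0/24",  "10.20.0.10/32", "tcp", 443),
    Rule("office-rtsp", "allow", "10.30.0.0/24",  "10.10.0.0/24",  "tcp", 554),   # office must not pull cameras
    Rule("wan-vms",     "allow", "0.0.0.0/0",     "10.20.0.10/32", "tcp", 443),   # public exposure of the VMS
    Rule("cam-any",     "allow", "10.10.0.0/24",  "10.10.0.0/24",  "any", None),  # east-west camera traffic
    Rule("deny-all",    "deny",  "0.0.0.0/0",     "0.0.0.0/0",     "any", None),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print("FINDING:", f)
```

The audit reads allow-rules only; the trailing deny-all is assumed and not checked. Flows from addresses outside the four zones land in "external" and therefore fail against every matrix entry, which is the intended behaviour for the "no public exposure" requirement of the Remote Access layer.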
6.2 Physical Security
Physical security measures protect surveillance hardware from vandalism, theft, and unauthorized access. In underground parking environments, cameras are particularly vulnerable to vehicle impact, deliberate tampering, and moisture ingress. The combination of vandal-resistant housings, protected cabling, locked enclosures, and environmental monitoring creates a layered physical defense that is verified during acceptance testing and maintained through periodic O&M inspections.
| Measure | Specification | Implementation | Acceptance Test |
|---|---|---|---|
| Vandal-Proof Housing | IK10 minimum (20J impact) | All cameras in public-accessible areas; dome style preferred | Impact resistance certificate; physical inspection |
| Anti-Tamper Screws | Torx T20 or Tri-wing; no standard Phillips | All camera mounting screws and junction box covers | Verify screw type; confirm driver not available on-site |
| Protected Conduit | Metal EMT conduit; liquid-tight flex at camera | All exposed cable runs in accessible areas; sealed at both ends | Visual inspection; pull test on conduit anchors |
| Locked Cabinets | IP54 minimum; key management log | All distribution cabinets; equipment room server racks | Key log review; unauthorized access alarm test |
| Cabinet Door Alarm | Magnetic reed switch; NO/NC; SNMP trap | All field distribution cabinets; equipment room racks | Open cabinet and verify alarm in VMS/SNMP within 30s |
| Environmental Monitoring | Temp/RH sensor; water leak rope; alarm thresholds | Inside each cabinet and equipment room | Simulate high-temp alarm; water drip simulation test |
| Legal Signage | Per local privacy/CCTV regulations | At all entrances and within monitored areas | Compliance review; signage visibility check |
6.3 Electrical Safety
Electrical safety in underground parking surveillance installations addresses five primary hazard categories: overvoltage/surge, overcurrent/short circuit, leakage current, overtemperature, and improper grounding. Each hazard has a defined protection mechanism and an acceptance test that must be completed and documented before the system is handed over. Electrical safety failures in this environment are particularly consequential because they can simultaneously damage multiple cameras and switches, creating widespread recording gaps.
| Hazard | Protection Mechanism | Specification | Test / Acceptance |
|---|---|---|---|
| Overvoltage / Surge | SPD (Class C) + equipotential grounding | 10kA minimum; DIN rail; at all outdoor cable entries | SPD device inspection; earth resistance <4Ω |
| Overcurrent / Short Circuit | MCB breakers + fuses per circuit | Dedicated CCTV circuits; thermal margin ≥20% | Trip test; thermal scan under full load |
| Leakage Current | RCD/ELCB on all CCTV circuits | 30mA trip threshold; test button monthly | Leakage trip validation; insulation resistance test |
| Overtemperature | Cabinet ventilation + temperature sensor + alarm | Inlet temp <35°C; alarm at 40°C; shutdown at 50°C | High-temp alarm threshold test; thermal scan |
| Improper Grounding | Equipotential bonding; 6mm² ground wire to bus | All cabinets bonded; ground resistance <4Ω | Continuity test; resistance measurement documented |
6.4 Network & Communications Security
Network security for surveillance systems requires a defense-in-depth approach that addresses both the camera network (device zone) and the platform network (server zone). The most common security failures in surveillance deployments are not sophisticated attacks — they are misconfigurations that expose the system to trivial compromise. The checklist below lists the baseline controls, and the table that follows documents the most frequent misconfigurations, their risk impact, and the required remediation.
Security Controls Checklist
- Camera VLAN separate from office and guest networks; deny east-west camera-to-camera traffic unless specifically required
- HTTPS for all management interfaces; disable HTTP, Telnet, and other legacy insecure services; change default ports where possible
- Rotate all device credentials at commissioning; enforce password complexity policy; no shared credentials between devices
- Central syslog server with minimum 90-day retention; alert on new device discovery, configuration changes, and failed logins
- Firmware patch policy: staged rollout (test → 10% → full); maintain offline firmware copies; document rollback procedure
- No direct internet exposure of VMS, cameras, or storage; VPN-only remote access with MFA and session logging
| Misconfiguration | Risk | Severity | Remediation |
|---|---|---|---|
| Cameras reachable from guest Wi-Fi | Unauthorized live view and recording access | High | VLAN separation + ACL; verify with penetration test |
| Default passwords on cameras/switches | Trivial compromise; botnet enrollment | High | Enforce unique credentials at commissioning; credential audit |
| RTSP streams exposed to internet | Video leakage; privacy violation; legal liability | High | VPN-only access; firewall block all RTSP from WAN |
| No syslog retention policy | No audit trail for incident investigation | Medium | Configure central syslog; 90-day minimum retention |
| No NTP time synchronization | Multi-camera replay timestamps misaligned; forensic value reduced | High | NTP mandatory on all devices; monitoring alert on drift |
| No MFA for VMS admin accounts | Credential phishing leads to full system compromise | High | Enforce MFA for all admin and operator accounts |
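The checklist asks the central syslog server to alert on new device discovery, configuration changes and failed logins, and the table asks for a monitoring alert on NTP drift. The following added example (not from this chapter, and not any VMS or switch vendor's log format) shows that detection logic run over a constructed batch of syslog lines; the line format, the thresholds and the device inventory are assumptions chosen for the example.

```python
"""Detection rules for the 6.4 checklist, run over constructed syslog lines.

Added example, not part of the original document. The simplified
syslog format "<ISO-8601 ts> <host> <facility>: <message>", the
thresholds and the MAC inventory are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")

# Constructed inventory; a real deployment loads it from the commissioning record.
INVENTORY = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

FAIL_THRESHOLD = 5                 # failed logins from one source ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window raise one alert
MAX_NTP_OFFSET_S = 1.0             # assumed drift tolerance for replay alignment


def parse(line):
    """Split one line into its fields; return None for anything that is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines):
    """Return (kind, host, detail) alerts in the order the triggering lines appear."""
    alerts = []
    failures = defaultdict(list)   # (host, source ip) -> recent failure timestamps
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        msg, host, ts = ev["msg"], ev["host"], ev["ts"]
        if m := re.search(r"login failed user=(\S+) src=(\S+)", msg):
            key = (host, m.group(2))
            failures[key] = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[key]) == FAIL_THRESHOLD:   # fire once when the threshold is crossed
                alerts.append(("brute_force", host,
                               f"{FAIL_THRESHOLD} failed logins from {m.group(2)} within {FAIL_WINDOW.seconds}s"))
        elif m := re.search(r"lease granted mac=(\S+) ip=(\S+)", msg):
            if m.group(1).lower() not in INVENTORY:   # new device discovery
                alerts.append(("new_device", host, f"unknown MAC {m.group(1)} got {m.group(2)}"))
        elif m := re.search(r"config changed by user=(\S+) item=(\S+)", msg):
            alerts.append(("config_change", host, f"{m.group(2)} changed by {m.group(1)}"))
        elif m := re.search(r"offset=([-+]?\d+(?:\.\d+)?)s", msg):
            if abs(float(m.group(1))) > MAX_NTP_OFFSET_S:   # NTP drift
                alerts.append(("time_drift", host, f"offset {m.group(1)}s exceeds {MAX_NTP_OFFSET_S}s"))
    return alerts


# Constructed sample batch: one brute-force burst, one unknown DHCP client,
# one camera with a large NTP offset, one configuration change, one junk line.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z cam-b2-07 auth: login failed user=admin src=10.30.0.44
2024-05-01T02:10:05Z cam-b2-07 auth: login failed user=admin src=10.30.0.44
2024-05-01T02:10:09Z cam-b2-07 auth: login failed user=admin src=10.30.0.44
2024-05-01T02:10:14Z cam-b2-07 auth: login failed user=admin src=10.30.0.44
2024-05-01T02:10:20Z cam-b2-07 auth: login failed user=admin src=10.30.0.44
2024-05-01T02:10:25Z cam-b2-07 auth: login failed user=admin src=10.30.0.44
2024-05-01T02:11:00Z sw-b2-core dhcp: lease granted mac=00:11:22:33:44:02 ip=10.10.0.12
2024-05-01T02:11:30Z sw-b2-core dhcp: lease granted mac=aa:bb:cc:dd:ee:ff ip=10.10.0.99
2024-05-01T02:12:00Z vms-01 ntp: offset=+0.02s
2024-05-01T02:12:00Z cam-b1-03 ntp: offset=-42.5s
2024-05-01T02:13:10Z cam-b2-07 config: config changed by user=admin item=rtsp.auth
not a syslog line (dropped)
"""

if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:14s} {host:12s} {detail}")
```

The brute-force rule keeps only failures inside the sliding window and fires exactly once when the count reaches the threshold, so a sixth failure in the same burst does not produce a duplicate alert; the window and threshold are the knobs to tune against the site's real login noise.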
6.5 Risk Identification & Grading
The risk register below identifies the primary risk categories for underground parking surveillance systems, with likelihood and impact assessments based on common deployment patterns. Risks graded "High" require active mitigation measures and must be tracked in the project risk log. Risks graded "Medium" require documented mitigation plans. All risk grades must be reviewed at commissioning and annually during O&M audits.
| Risk Category | Example | Likelihood | Impact | Grade | Notes |
|---|---|---|---|---|---|
| Technical | Storage undersized for retention period | Medium | High | High | Retention period shorter than required; evidence lost |
| Operational | No spare parts inventory on-site | Medium | Medium | Medium | MTTR grows; extended recording gap during repair |
| Environmental | Condensation in camera housing or cabinet | High | Medium | High | Very common in underground environments; frequent cause of failure |
| Legal / Compliance | Improper access log retention or disclosure | Low | High | Medium | Audit risk; potential legal liability for evidence chain |
| Supply Chain | Camera delivery delayed; project schedule impact | Medium | Medium | Medium | Procurement lead time 8–16 weeks for specialty cameras |
| Security | Credential leak; unauthorized evidence export | Medium | High | High | Evidence integrity compromised; chain of custody broken |
6.6 Mitigation & Emergency Plans
The following three emergency response plans address the highest-probability, highest-impact failure scenarios for underground parking surveillance systems. Each plan follows a four-phase structure: Prevent (design measures), Detect (monitoring and alerting), Respond (immediate actions), and Restore (verification and documentation). These plans must be tested annually and updated after any significant system change.