Rethinking surveillance… for city-wide cybersecurity
Jonathon Squires, Head of Product Strategy at Synectics, explains why surveillance has become a critical dependency in city operations – and why its cyber resilience demands far greater attention.
City infrastructure is now defined by connectivity. And increasingly, by its ability to remain secure and operational under cyber threat.
Across transport networks, public spaces, civic estates and utilities, systems are increasingly integrated. Data moves constantly, decisions are made in real time, and operational teams depend on accurate, immediate insight to maintain safety and service continuity.
At the centre of all this sits surveillance. Its role has expanded significantly. It is no longer confined to evidential recording; it is now a live, operational system underpinning real-time decision-making.
A fully integrated security and surveillance system verifies alarms, provides context to unfolding incidents and enables coordinated responses across multiple services and between different stakeholders. In transport environments, this can include validating trackside or station incidents in real time. In policing and publicly accessible locations, it underpins situational awareness and coordinated response. Within utilities and grid infrastructure, it provides visibility across geographically dispersed and often unmanned assets.
This shift has elevated both its importance and exposure. As a result, expectations are changing – not just around how systems perform, but how securely they are designed, deployed and managed over time.
From a resilience perspective, security and surveillance systems should receive the same level of focus as any other mission-critical digital system. And that starts with understanding what good looks like.
Enforce security by design at every step
In practice, vulnerabilities rarely appear overnight. They emerge gradually through the way systems are configured and managed over time.
Devices are added, integrations evolve and access requirements shift. In this reality, small inconsistencies begin to accumulate. Default credentials remain in place, permissions extend beyond their original scope, and temporary fixes become permanent features.
This accumulation is configuration drift, and it is a material risk. This is where secure-by-design principles become critical. Security and surveillance systems should not depend on perfect user behaviour to remain secure. They should be engineered to reduce the likelihood of error in the first place, with controls that guide users towards best practice and surface deviations early.
In practice, that means enforcing strong password policies at setup, preventing the reuse of default credentials, and requiring role-based access to be defined before systems can be used. It means built-in prompts that flag excessive permissions, alert administrators to dormant accounts, and highlight when devices fall behind on firmware updates.
Without this, exposure is not a possibility. It is an inevitability at scale.
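The drift checks listed above (default credentials, excessive permissions, dormant accounts, firmware behind baseline) can be run as one audit over a device and account inventory. The sketch below is an added example, not code from the article or from any Synectics product; the inventory, role definitions, firmware baselines and 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed policy and inventory; every name, version and date is illustrative.
ROLE_PERMISSIONS = {"operator": {"view_live"},
                    "supervisor": {"view_live", "playback", "export"}}
BASELINE_FIRMWARE = {"cam-a": "2.4.1", "nvr-b": "5.0.0"}
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold

DEVICES = [
    {"id": "cam-001", "model": "cam-a", "firmware": "2.4.1", "default_creds": False},
    {"id": "cam-002", "model": "cam-a", "firmware": "2.10.0", "default_creds": False},
    {"id": "cam-003", "model": "cam-a", "firmware": "2.3.9", "default_creds": True},
    {"id": "nvr-001", "model": "nvr-b", "firmware": "4.9.2", "default_creds": False},
]
ACCOUNTS = [
    {"user": "op.lee", "role": "operator", "perms": {"view_live"},
     "last_login": date(2024, 5, 28)},
    {"user": "op.khan", "role": "operator", "perms": {"view_live", "export"},
     "last_login": date(2024, 5, 30)},
    {"user": "contractor.old", "role": "operator", "perms": {"view_live"},
     "last_login": date(2023, 11, 2)},
]

def version(text):
    """Parse '2.10.0' into (2, 10, 0) so 2.10.0 sorts after 2.4.1, unlike string order."""
    return tuple(int(part) for part in text.split("."))

def audit(devices, accounts, today):
    """Return (subject, finding) pairs for each deviation from the baseline."""
    findings = []
    for device in devices:
        if device["default_creds"]:
            findings.append((device["id"], "default-credentials"))
        if version(device["firmware"]) < version(BASELINE_FIRMWARE[device["model"]]):
            findings.append((device["id"], "firmware-behind-baseline"))
    for account in accounts:
        extra = account["perms"] - ROLE_PERMISSIONS[account["role"]]
        if extra:
            findings.append((account["user"], "excess-permissions:" + ",".join(sorted(extra))))
        if today - account["last_login"] > DORMANT_AFTER:
            findings.append((account["user"], "dormant-account"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(DEVICES, ACCOUNTS, date(2024, 6, 1)):
        print(f"{subject}: {finding}")
```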
Ensure every device on your network can be trusted
As already highlighted, modern surveillance environments extend well beyond a single platform. Cameras, servers, operator workstations and third-party systems all interact within the same ecosystem. In city deployments, this often spans multiple sites, technologies and suppliers.
In such a highly connected setting, device authentication is crucial. A compromised device within a transport system or energy network can have cascading operational impacts beyond the immediate site.
Each connected device should be uniquely identified and authenticated before it can operate within the system, typically through certificate-based authentication or secure provisioning processes that prevent unauthorised devices from joining the network.
Restrict access to reduce unnecessary exposure
City security and surveillance systems are accessed by a wide range of users, including control room operators, external contractors, and partner agencies. This makes precision in access authorisation and control essential. In policing and public space operations, where multiple agencies may require controlled access to the same system, this becomes especially important to ensure both operational effectiveness and governance.
Permissions that extend beyond what is operationally necessary introduce avoidable risk, often through routine use rather than deliberate misuse.
Effective systems tightly align access with defined roles (often referred to as RBAC, or role-based access control), making it easier to enforce least-privilege principles in practice. For example, an operator may be able to view live video but not export footage, while a contractor may only access a subset of cameras for a defined time window.
More advanced systems also support time-bound or task-based access, automatically revoking permissions once a job is complete, reducing the reliance on manual oversight.
Crucially, this is not just about restricting access, but about enabling accountability. Security and surveillance systems should provide clear visibility of who has accessed what, and why, so actions can be traced and understood.
That level of control is increasingly expected, particularly in environments aligning with frameworks such as the Cyber Assurance of Physical Security Systems (CAPSS).
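The access model described in this section (role-scoped actions, camera subsets, time-bound grants that revoke themselves, and a record of who accessed what and why) is sketched below. It is an added example, not code from the article or from any Synectics product; the role names, camera ids, users and times are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed role model: which actions each role may perform.
ROLE_ACTIONS = {"operator": {"view_live"}, "contractor": {"view_live"},
                "investigator": {"view_live", "export"}}

class AccessController:
    def __init__(self):
        self.grants = {}     # user -> {"role", "cameras", "expires"}
        self.audit_log = []  # every decision, allowed or denied

    def grant(self, user, role, cameras, expires=None):
        self.grants[user] = {"role": role, "cameras": set(cameras), "expires": expires}

    def check(self, user, action, camera, reason, now):
        """Decide one request and record who asked for what, when and why."""
        grant = self.grants.get(user)
        if grant is None:
            outcome = "deny:no-grant"
        elif grant["expires"] is not None and now >= grant["expires"]:
            del self.grants[user]  # time-bound grant revokes itself on first use after expiry
            outcome = "deny:expired"
        elif action not in ROLE_ACTIONS[grant["role"]]:
            outcome = "deny:action-not-in-role"
        elif camera not in grant["cameras"]:
            outcome = "deny:camera-out-of-scope"
        else:
            outcome = "allow"
        self.audit_log.append({"time": now, "user": user, "action": action,
                               "camera": camera, "reason": reason, "outcome": outcome})
        return outcome == "allow"

def demo():
    ac = AccessController()
    start = datetime(2024, 6, 1, 9, 0)
    ac.grant("op.lee", "operator", {"cam-001", "cam-002", "cam-003"})
    ac.grant("contractor.ames", "contractor", {"cam-003"},
             expires=start + timedelta(hours=4))  # four-hour maintenance window
    ac.check("op.lee", "view_live", "cam-001", "alarm verification", start)
    ac.check("op.lee", "export", "cam-001", "evidence request", start)
    ac.check("contractor.ames", "view_live", "cam-003", "lens maintenance", start + timedelta(hours=1))
    ac.check("contractor.ames", "view_live", "cam-001", "lens maintenance", start + timedelta(hours=1))
    ac.check("contractor.ames", "view_live", "cam-003", "follow-up", start + timedelta(hours=5))
    return ac

if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry["time"], entry["user"], entry["action"], entry["camera"], entry["outcome"])
```

Denied requests are logged alongside allowed ones, so the audit trail also shows attempts that fell outside a user's role or window.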
Safeguard data integrity across your system
The value of surveillance lies in the reliability of the information it provides. As systems become more integrated, data flows continuously between devices, platforms and users. Each transmission point presents an opportunity for interception or manipulation if not properly secured.
This makes encryption a fundamental requirement, not an optional feature. It ensures that data sent between authenticated devices, sensors, servers and workstations is uniquely encoded, so that even if it is intercepted, it cannot be read or altered without the appropriate keys.
In practice, this means applying end-to-end encryption across system communications, using secure protocols for device-to-server and server-to-client interactions, and ensuring encryption standards are regularly reviewed and kept aligned with current best practice.
The objective is simple: even if data is accessed, it cannot be exploited or altered. For operators, confidence in the data directly underpins confidence in the decisions made from it.
Adapt security to evolving threats
Security and surveillance systems are long-term operational assets. Their risk profile evolves as infrastructure expands and new threats emerge. Cybersecurity, therefore, cannot be a one-time consideration.
Technology providers play an essential role here. Ongoing support through regular updates, active vulnerability management and alignment with recognised standards should be built into the offering, not treated as an add-on.
For city authorities, this reinforces the importance of selecting partners who can sustain cyber resilience throughout the system’s lifecycle, not just at deployment.
Protect the infrastructure cities rely on
Surveillance now plays a central role in how cities operate. When systems are secure, well-managed and resilient, they provide the clarity needed to support effective decision-making and rapid response. When they are not, uncertainty is introduced at precisely the point where it cannot be afforded.
For decades, surveillance has helped keep physical environments safe and secure. Today, as the systems that underpin society become increasingly connected, it must extend that role into the cyber domain.
Cyber resilience in surveillance is no longer a peripheral issue. It is fundamental to keeping the systems society depends on safe, secure and operational.
