ports left after commissioning. To reduce risk, the policy promotes using approved solutions and architectures, and escalating exceptions when needed. This supports repeatable designs, faster security validation, and clearer support models, which is especially important as BW deploys similar systems across diverse customer sites and regulatory environments. The goal is to ensure secure, maintainable video systems with well-defined accountability throughout their lifecycle.
3) Technical security baseline: hardening, segmentation, and controlled connectivity
The policy’s cybersecurity requirements center on one principle: integrated video must not weaken ICS/OT defenses. Video components often require connectivity, remote access, and storage—features that, if implemented casually, can introduce risk.
To mitigate this, the policy emphasizes network segmentation. Video devices and services should be placed in appropriate network zones, not directly on control networks, with only essential traffic allowed between zones. Remote access should be intentional, traceable, and follow least-privilege principles—not “always on.”
Secure configuration and hardening are also key. This includes removing default passwords, limiting admin interfaces, updating firmware/software, and disabling unnecessary services. For systems with operating systems or application stacks, the policy aligns with standard endpoint security practices: reduce attack surface, apply timely patches, and enforce auditable privileged access.
Standardization is another focus—especially around approved hardware, software, and containerized video components. When governed properly, containerization can isolate services, simplify updates, and support consistent deployments across sites. However, without proper oversight, it can lead to fragmented, insecure implementations.
Ultimately, the policy ensures that modern video deployments enhance operations without introducing cybersecurity or compliance risks.
4) Privacy and responsible data handling: treating video as sensitive data and “privacy by design”
In addition to cybersecurity, the policy emphasizes privacy and data stewardship. Video can become sensitive when it captures identifiable individuals—such as faces, badges, or contextual cues. In such cases, footage may be regulated as personal data under laws like the EU GDPR or California’s CCPA, triggering requirements for transparency, access controls, retention, and lawful processing.
The policy promotes a “privacy by design” approach. Teams should clearly define the purpose of video, what is being captured, and how long it will be retained. Where possible, designs should minimize personal data collection through thoughtful camera placement, masking, reduced resolution, or event-based recording. Documenting processing practices is also essential to demonstrate how footage is used and protected.
When video supports operations but may incidentally capture people, the policy encourages automated anonymization (e.g., face blurring) and strict role-based access. Storage and transfer practices matter: footage must be stored in approved repositories with strong authentication, encryption where applicable, and defined retention rules. The goal is to ensure video remains accessible for legitimate operational needs while preventing the spread of unregulated “shadow archives” across laptops, removable drives, or unapproved cloud platforms.
5) AI-enabled video analytics: transparency, safety, and regulatory readiness
Many video deployments now include AI or advanced analytics—detecting anomalies, identifying defects, tracking objects, or optimizing processes. While these features can add value, they also introduce new risks. Systems that influence safety decisions, worker monitoring, or regulated processes may fall under stricter oversight, including the EU AI Act and the Cyber Resilience Act.
The policy emphasizes transparency and governance for AI features. Teams should be able to explain what the analytics do, what data they use, and what decisions they affect. This clarity is especially important when AI outputs inform operational or compliance-sensitive actions.