Overview
Security
vGRID Gateway

vGRID Gateway Security Features

The vGRID Gateway connects your CCTV & ANPR cameras and operator screens to the vGRID SaferCity Platform. Number Plate Information and images are received through ANPR metadata and CCTV streams offer live video without recording any footage.

Communications between the vGRID Gateway and the vGRID Core leverage OpenVPN with client certificate authentication (a certificate is issued to each vGRID Gateway, allowing revocation as/when required).

For communication with the CCTV/ANPR system, vGRID Gateways are configured as a user within the donor system and then authenticate and communicate with this system as a normal user. This means all data relating to use, access and access controls are managed and accessible by the donor’s system and administrators.

vGRID Gateways are regularly and automatically patched at the OS, Device Management and Application Container Level and additional patches are deployed as appropriate for critical vulnerabilities.

Where possible, vGRID Gateways will be installed in secure data centres or equipment racks. Gaining physical access to a vGRID Gateway does not grant any person access to the device or to the wider vGRID Platform. vGRID Gateways can be accessed via SaferCities’ support staff when and where required, via short-lived SSH certificates. These SSH certificates are only generated for support staff that are granted access via Azure AD, via Hashicorp Vault.

The data partition of the vGRID Gateway is encrypted and vGRID Gateways do not store any user data.

vGRID Gateway Network Requirements

Connections to the vGRID SaferCity Platform (outbound only) are encrypted and securely streamed over a VPN, and we offer various connection options to suit your network and IT security requirements. Outbound connectivity is required on the below ports:

  • OpenVPN - UDP/1194
  • Device Management - TCP/443
  • DNS - UDP/53
  • NTP - UDP/123

Connections will then also be required to your CCTV system (VMS, CCTV or ANPR cameras). Specific ports depend on system type and vendor.

Bandwidth consumption is configurable and can be dependent on your site’s connection capability. This can range from 500kbps for 1 low quality camera up to ~100Mbps for several full quality streams. Our team will work with you on any bandwidth limitations or requirements and configure the vGRID Gateway to suit.

For further details view Connection Requirements.

vGRID OS Security Features

Every vGRID Gateway ships with vGRID OS, our custom, purpose-built Linux-based operating system designed to provide security, integrity, and reliability.

The below sections outline the key features of vGRID OS, why they were implemented, and how they directly benefit your organisation.

Secure Boot with Custom Keys

Why we implemented it: Ensuring that the Gateway only runs software we trust is critical to maintaining system integrity. Secure Boot ensures that only verified and authorised software is loaded during startup.

How it works: The gateway uses custom keys for Secure Boot. These keys allow us to cryptographically sign and verify all boot components, ensuring only trusted binaries are executed. This eliminates the risk of tampered firmware or unauthorized modifications at the boot level. Our PK and KEK are generated via an HSM, and the db/dbx keys are managed securely.

Read-Only Root Filesystem

Why we implemented it: A tamper-proof core system enhances reliability, while reducing the risk of malware persistence or accidental misconfigurations.

How it works: The root filesystem is mounted as read-only, preventing accidental or malicious modifications. Logs and configuration files are stored in dedicated writable areas, which are encryped and protected against tampering.

Trusted Platform Module (TPM) Integration

Why we implemented it: Hardware-backed security adds a layer of protection against sophisticated attacks and ensures encryption keys are never exposed.

How it works: The TPM securely stores encryption keys and provides cryptographic operations that bind data and configurations to the hardware. It also enables measured boot, which verifies system integrity during startup.

Data Partition Encryption with dm-crypt

Why we implemented it: Ensures sensitive data cannot be accessed if the physical hardware is stolen or compromised.

How it works: vGRID OS encrypts sensitive data stored on the gateway using dm-crypt, a robust disk encryption system, on the data partition. The encryption keys are securely stored in the Trusted Platform Module (TPM), ensuring they are never exposed to attackers.

Signed Over The Air (OTA) Updates

Why we implemented it: Secure OTA updates faciliate regular patching alongside rapid deployment of new features and fixes.

How it works: All updates are cryptographically signed by us before being delivered to your gateway. The gateway verifies these signatures before applying updates, ensuring only authentic and untampered updates are installed. Updates are atomic and rollback-capable, meaning the gateway will revert to the last known good state if something goes wrong. This is achieved via a dual root filesystem setup.

Proactive Security Updates

Why we implemented it: Minimise the risk of cyberattacks through timely updates and vulnerability patches without disrupting operations.

How it works: Regular, monthly (or sooner depending on CVE level) updates ensure the latest security patches are applied to the gateway. Updates are tested extensively to minimize risk and ensure stability.

vGRID CorevGRID App