As the media often reports, the world of cybersecurity can be seen like the ‘Wild West’. There’s now a wide range of Internet of Things (IoT) devices connected to the web, making this a hot topic. Among these devices are security cameras. IoT devices are computers that use software that makes them vulnerable. As the famous cybersecurity evangelist, Mikko Hypponen says, “If a device is smart, it’s vulnerable!”
Hypponen is right. On a daily basis, new vulnerabilities are found in software, regardless of the manufacturer. In 2019, more than 12,000 vulnerabilities worldwide were made public and reported as a CVE (Common Vulnerability and Exposure) in the National Vulnerability Database (NVD). Unfortunately, vulnerabilities are a given. What really matters is how a company deals with and resolves vulnerabilities.
Awareness of cybersecurity vulnerabilities is vitally important to protect you, your business and the Internet, but it’s also important to understand that a vulnerability is not synonymous with “backdoor” and is not necessarily indicative of “cheap quality”.
But there are companies out there that are embedding safeguards into their development processes to reduce the risks. You could see them as ‘Sheriffs’, taking steps to make this Wild West a little safer.
Why Hikvision chooses ‘Secure-by-Design’
Security cameras, like all other IoT devices, are vulnerable to cyberattacks. Fortunately, manufacturers of IoT devices can significantly reduce these vulnerabilities during the production of devices, using a process called ‘Secure-by-Design’.
Implementation of Secure-by-Design requires a commitment on the part of the manufacturer’s management team and a serious investment in resources and technology, which can result in a longer production process and a higher cost of the IoT device. Cost is often the reason why some IoT device manufacturers do not use Secure-by-Design (and are indeed cheaper).
Hikvision is a producer of IoT devices that takes security and privacy very seriously and has implemented Secure-by-Design in its production process. Management supports this process and has even set up a dedicated internal cybersecurity structure charged with product cybersecurity. This group is also the central point of contact for all other cybersecurity matters.
The Hikvision Security Development Life Cycle (HSDLC) is an essential part of Hikvision’s cybersecurity program. Cybersecurity checks take place at every stage of product development — from concept to delivery. For example, product testing takes place during the verification phase, the company also regularly invites well-known security companies and public testing platforms to conduct penetration testing. Does this mean that all Hikvision products are immune to hacking? No, that guarantee cannot be given, but the HSDLC is a testament to a manufacturer that makes every effort to produce products that are as cyber secure as possible.
In addition to the Secure-by-Design process, Hikvision opened a Source Code Transparency Center (SCTC) lab in California in 2018, being the industry’s first-of-its-kind lab to open such a centre. At this centre, US and Canadian government and law enforcement agencies can view and evaluate the source code of Hikvision IoT devices (IP cameras and network video recorders).
It’s important to emphasise that no product is 100% secure. Hikvision has a Vulnerability Management Program in place when a vulnerability is discovered in a product. To date, vulnerabilities that have been reported to Hikvision and/or made publicly known, have been patched in the latest Hikvision firmware and are readily available on the Hikvision website. In addition, Hikvision is a CVE CNA and has committed to continuing to work with third-party white-hat hackers and security researchers, to find, patch and publicly release updates to products in a timely manner. These vulnerabilities are collected in the National Vulnerability Database (NVD) and are public. Hikvision recommends that customers who are interested in purchasing security cameras inquire about a manufacturer’s cybersecurity practices and if they have an established Vulnerability Management Program.
Cybersecurity questions to consider
The cybersecurity of IoT devices is a topic that needs to be addressed in a serious way and it should play an essential role in the product development process, beginning at the concept phase of an IoT product. This requires time, investment and knowledge.
Consider the following questions:
Do I trust the manufacturer of a low-cost security camera?
Does this manufacturer have a dedicated cybersecurity organisation?
How does this manufacturer handle vulnerabilities?
These are the questions that everyone should ask themselves when making a purchase, be it a camera or any other IoT product.
There is no absolute 100% guarantee of security, but Hikvision has industry-leading practices to ensure the cybersecurity for its cameras. Cooperation, with its customers, installers, distributers and partners and full transparency are key elements to successfully secure IoT devices.
When you read cybersecurity news, we invite you to look beyond the headlines and really get to know the companies that produce the IoT devices. Before you buy a security camera or any IoT device, check out the manufacturer’s cybersecurity practices, look for a company with a robust vulnerability management program, a company that aligns itself with Secure-by-Design and Privacy-by-Design and a company that employs cybersecurity professionals who are ready and eager to answer your questions. Remember, there are Sheriffs out there, as well as bandits.
By Fred Streefland, Director Cybersecurity, EMEA, Hikvision