Protecting the reputation of the video surveillance industry
Uri Guterman, Head of Product & Marketing for Hanwha Techwin Europe, explains why he passionately believes that the password protection elements of the Secure by Default standard should be a fundamental requirement for all video surveillance systems.
Cyber-attacks may be carried out for criminal or malicious purposes, or just be seen as a challenge by opportunistic hackers. Whatever the reason, they are a major issue that could have a significant impact on the reputation of the video surveillance industry. This is why recent publicity about a high-profile security video solutions provider allegedly taking a casual attitude to restricting who can gain access to end-users’ confidential information should serve as a reminder for stakeholders in the video surveillance supply chain to work together to promote best practice.
Secure by Default
Hanwha Techwin was proud to be among the manufacturers who were invited to participate in the development of the Secure by Default standard, which has the objective of ensuring security surveillance products are cyber and network secure by default, out of the box. As such, the standard sets out what those of us involved in the video security industry can do to respect customer privacy rights, as well as comply with data protection regulations, such as GDPR.
In the simplest of terms, the standard guides manufacturers to adopt an approach that makes cyber-attack protection a fundamental feature of a video surveillance solution that is taken into account at the start of a camera design process and not just treated as one of a long list of useful features.
5 essential elements of password protection
Obvious perhaps, but having sound password protection protocols is a good starting point for establishing cyber security best practice. Whilst these need to be easy to implement, minimum mandatory and auto-enforced standards, such as prohibiting the consecutive use of the same letter or number and encouraging the use of special characters, as well as a combination of letters and numbers, should always be designed into a device’s firmware. It is also important that manufacturers do not supply products with pre-configured weak passwords which the user is not required to change. These are typically passwords that all have the same letters or numbers.
In particular, the Secure by Default standard stipulates the following measures:
- Installers should be forced to change the manufacturer’s default password on boot up.
- There should be a strength indicator or ‘weak password not accepted’ facility.
- The device must not have hidden user accounts.
- The device must not have hardcoded account passwords.
- Manufacturers must not be able to assist users in recovering lost/forgotten device passwords.
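As an added illustration (not code from Hanwha Techwin or from the Secure by Default standard), the C sketch below shows how firmware could auto-enforce the password rules described above and keep a device locked until the factory default has been changed. The minimum length, the placeholder default, the strength scale, all function names and the reading of "consecutive use" as the same character twice in a row are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed values for illustration: not from the standard or any product. */
#define MIN_LEN 8
static const char FACTORY_DEFAULT[] = "factory-default"; /* placeholder */

enum pw_result { PW_OK, PW_TOO_SHORT, PW_IS_DEFAULT,
                 PW_REPEATED_CHAR, PW_NEEDS_LETTER_AND_DIGIT };

/* Validate a candidate password; *strength is 0 on rejection, 1..3 on accept. */
enum pw_result check_password(const char *pw, int *strength)
{
    size_t n = strlen(pw);
    bool letter = false, digit = false, special = false;

    *strength = 0;
    if (n < MIN_LEN)
        return PW_TOO_SHORT;
    if (strcmp(pw, FACTORY_DEFAULT) == 0)
        return PW_IS_DEFAULT;            /* the default may never be re-used */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (i > 0 && pw[i] == pw[i - 1])
            return PW_REPEATED_CHAR;     /* same character twice in a row */
        if (isalpha(c)) letter = true;
        else if (isdigit(c)) digit = true;
        else special = true;
    }
    if (!letter || !digit)
        return PW_NEEDS_LETTER_AND_DIGIT;
    /* Special characters and extra length are encouraged, not mandatory. */
    *strength = 1 + (special ? 1 : 0) + (n >= 12 ? 1 : 0);
    return PW_OK;
}

struct device { bool default_changed; }; /* persisted flag, false from factory */

/* First-boot gate: the flag flips only when a compliant password is set.
 * Storing the password (as a salted hash) is outside this example. */
enum pw_result set_password(struct device *d, const char *pw)
{
    int strength;
    enum pw_result r = check_password(pw, &strength);
    if (r == PW_OK)
        d->default_changed = true;
    return r;
}

/* Streaming, configuration and remote login stay locked until this is true. */
bool device_unlocked(const struct device *d) { return d->default_changed; }
```

The strength value is what a 'strength indicator' would display, while any non-`PW_OK` result is the 'weak password not accepted' path.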
Whilst no manufacturer can offer 100% guarantees, we would urge consultants, system designers and system integrators to only work with manufacturers who support the objectives of the Secure by Default standard and can demonstrate they fully understand the importance of keeping end-user clients’ data safe by doing their utmost to counter the risk of a cyber-attack. This will include those who have removed a ‘back door’ which might have originally been created to give engineers easy access to a device but also provides an opportunity for hackers.
Look out for manufacturers who recognise the importance of being open and honest with customers when new cyber security threats are identified and are able to move quickly to update firmware to combat them. At Hanwha Techwin, for example, our Security Computer Engineering Response Team (S-CERT) is totally focused on addressing any potential security vulnerabilities in our Wisenet products and solutions. Members of the team have been hand-picked for their expertise in being able to identify, analyse and quickly respond with effective countermeasures to any cyber security threats.
Manufacturers should also be using third-party testing agencies to evaluate their products against the latest methods of hacking, as well as offering training to installers and systems integrators which covers the importance of setting up password protection as an essential part of the commissioning process for cameras and recording devices.
The ability for countless businesses and organisations, as well as homeowners, to view live or recorded video from any PC on the network or from a smartphone or tablet, has revolutionised how property or assets are remotely monitored. It has, however, also resulted in data protection becoming a significant issue for the video surveillance sector.
The good news for end-users and all involved in the supply chain is that there is no shortage of professional and socially responsible manufacturers whose products meet the Secure by Default standard by being designed with data protection in mind.
Do you have some questions about password protection or cyber security in general? Email Uri Guterman at firstname.lastname@example.org