Uri Guterman, Head of Product & Marketing for Hanwha Techwin Europe, explains why he believes that the password protection elements of the Secure by Default standard should be a fundamental requirement for all video surveillance systems.
Cyber-attacks may be carried out for criminal or malicious purposes, or simply be seen as a challenge by opportunistic hackers. Whatever the reason, cyber-attacks are a major issue which could have a significant impact on the reputation of the video surveillance industry. This is why recent publicity about a high-profile security video solutions provider, allegedly taking a casual attitude in terms of restricting who can gain access to end-users’ confidential information, should serve as a reminder for stakeholders in the video surveillance supply chain to work together to promote best practice.
Secure by Default
Whilst the majority of cameras are not installed for mission critical or high security purposes, there are countless businesses and organisations which are entrusting video surveillance systems to help them protect their assets, people and property. In doing so, they should be able to expect that their confidential data is being kept safe from hackers, which is the main reason why the Secure by Default standard was introduced in 2019 by the UK’s Surveillance Camera Commissioner.
Hanwha Techwin was proud to be among the manufacturers who were invited to participate in the development of the Secure by Default standard, which has the objective of ensuring security surveillance products are cyber and network secure by default, out of the box. As such, the standard sets out what those of us involved in the video security industry can do to respect customer privacy rights, as well as comply with data protection regulations, such as GDPR.
In the simplest of terms, the standard guides manufacturers to adopt an approach which makes cyber-attack protection a fundamental feature of a video surveillance solution that is taken into account at the start of a camera design process and not just treated as one of a long list of useful features.
5 essential elements of password protection
Obvious perhaps, but having sound password protection protocols is a good starting point for establishing cyber security best practice. Whilst these need to be easy to implement, minimum mandatory and auto-enforced standards, such as prohibiting the consecutive use of the same letter or number and encouraging the use of special characters, as well as a combination of letters and numbers, should always be designed into a device’s firmware. It is also important that manufacturers do not supply products with pre-configured weak passwords which the user is not required to change. These are typically passwords which all have the same letters or numbers.
In particular, the Secure by Default standard stipulates the following measures:
- Installers should be forced to change the manufacturer’s default password on boot up
- There should be a strength indicator or ‘weak password not accepted’ facility
- The device must not have hidden user accounts
- The device must not have hardcoded account passwords
- Manufacturers must not be able to assist users recovering lost/forgotten device passwords.
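As an added illustration (not code from Hanwha Techwin or from the Secure by Default standard), the firmware-side rules described above could be enforced along these lines. The function names, the 8-character minimum, the 12-character bonus threshold and the reading of "consecutive use" as the same character twice in a row are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>

#define PW_MIN_LEN 8            /* assumed minimum; the article gives no figure */

enum pw_result { PW_OK, PW_IS_DEFAULT, PW_TOO_SHORT, PW_REPEATED_CHAR,
                 PW_NEEDS_LETTER_AND_DIGIT };

/* Mandatory checks: a password failing any of them is refused outright. */
enum pw_result pw_check(const char *pw, const char *factory_default)
{
    size_t len = strlen(pw);
    int letters = 0, digits = 0;

    if (strcmp(pw, factory_default) == 0) return PW_IS_DEFAULT;
    if (len < PW_MIN_LEN) return PW_TOO_SHORT;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        /* Same character twice in a row, e.g. "11" or "aa" (assumed reading). */
        if (i > 0 && pw[i] == pw[i - 1]) return PW_REPEATED_CHAR;
        if (isalpha(c)) letters = 1;
        else if (isdigit(c)) digits = 1;
    }
    return (letters && digits) ? PW_OK : PW_NEEDS_LETTER_AND_DIGIT;
}

/* Strength indicator: 0 = not accepted, 1..3 = accepted, higher is stronger.
 * Special characters are encouraged (they raise the score), not required. */
int pw_strength(const char *pw, const char *factory_default)
{
    int score = 1;

    if (pw_check(pw, factory_default) != PW_OK) return 0;
    for (const char *p = pw; *p; p++)
        if (ispunct((unsigned char)*p)) { score++; break; }
    if (strlen(pw) >= 12) score++;   /* assumed bonus threshold */
    return score;
}

/* First-boot gate: streaming and configuration stay locked until the
 * installer has replaced the factory default with an accepted password. */
struct device { const char *factory_default; int default_changed; };

enum pw_result device_set_password(struct device *d, const char *pw)
{
    enum pw_result r = pw_check(pw, d->factory_default);
    if (r == PW_OK) d->default_changed = 1;  /* real firmware would also store a salted hash */
    return r;
}

int device_services_allowed(const struct device *d) { return d->default_changed; }
```

Because the only credential path is `device_set_password`, there is no second account or fixed password for a vendor to fall back on, which is consistent with the last three items in the list.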
Whilst no manufacturer can offer 100% guarantees, we would urge consultants, system designers and system integrators to only work with manufacturers who support the objectives of the Secure by Default standard and can demonstrate they fully understand the importance of keeping end-user clients’ data safe by doing their utmost to counter the risk of a cyber-attack. This will include those who have removed a ‘back door’ which might have originally been created to give engineers easy access to a device, but also provides an opportunity for hackers.
Look out for manufacturers who recognise the importance of being open and honest with customers when new cyber security threats are identified and are able to move quickly to update firmware to combat them. At Hanwha Techwin, for example, our Security Computer Engineering Response Team (S-CERT) is totally focused on addressing any potential security vulnerabilities in our Wisenet products and solutions. Members of the team have been hand-picked for their expertise in being able to identify, analyse and quickly respond with effective countermeasures to any cyber security threats.
Manufacturers should also be using third-party testing agencies to evaluate their products against the latest methods of hacking, as well as offering training to installers and systems integrators which covers the importance of setting up password protection as an essential part of the commissioning process for cameras and recording devices.