
Hikvision Launch their first ranges of Secure by Default cameras - What does it mean?

Emma Hedges

Hikvision UK and Ireland have announced their first release of cameras that comply with the Secure by Default guidelines. In this post we will discuss what this means and how it affects you and your camera selection.

Secure by Default is a government-backed initiative that sets out the requirements a manufacturer of VSS (Video Surveillance Systems) must meet so that its products ship with the most secure configuration set as the default.

We use the internet every day, whether to keep up to date with the news, track our fitness, stream our favourite TV shows or, in this case, monitor our IP cameras. Our use of the internet shows no signs of slowing down; unfortunately, this means our exposure to cyber attacks is high.

This is why the Secure by Default requirements have been put together. If these requirements are met, the installer and end user can install the camera straight from the box, safe in the knowledge that the default configuration will be the most secure setting possible.



Manufacturers will need to self-certify their products using the relevant documentation provided in order to use the Secure by Default logo. With this, all of the requirements below are now mandatory for default configurations.

The requirements, listed by element:
Default Passwords
  • Force the installer to change the password on boot up.
  • In addition, include a strength indicator or ‘weak password not accepted’ facility.
Hardcoded Engineer Reset Passwords
  • The device must not have hidden user accounts.
  • The device must not have hardcoded account passwords.
  • Vendors must not be able to assist users recovering lost/forgotten device passwords.
Protocols and Ports
  • All ports and communication protocols must be disabled by default unless vital to the functioning of the component.
  • Commonly accepted vulnerable or obsolete communication protocols must not be present on the device.
  • Where a newer version of a communication protocol has been developed and released, this must be incorporated into the development life cycle and rolled out within a reasonable time frame.
Encryption
  • HTTPS must be used for communication with any web interfaces. It must not be possible to connect to an out-of-the-box device without HTTPS (using self-signed certificates).
  • Where encryption is used for protecting network communications across untrusted networks, facilitating remote access etc. then up to date Transport Layer Security must be used.
  • Where encryption is to be used for securing data at rest then it must utilise the current industry accepted standards.
Open Network Video Interface Forum Protocol (ONVIF Protocol)
  • ONVIF protocol must be disabled at boot up, although products can still be discovered by VMS/NVRs.
  • Video stream(s) must be disabled until a new user/password is set up.
Remote Access
  • Remote access must be fully disabled as default, and must be explicitly enabled before use, or permissions granted for device to ‘call home’. The device may need to use DHCP, DNS etc. in line with best practice cyber security principles to achieve this.
  • The device must never attempt to access external vendor-controlled network services without system owner consent.
  • Remote access into a VSS must not, by default, enable access onto other connected network services.
  • Where servers and workstations are to be provided as part of the VSS, these must be configured to be locked down in line with industry best practice; this should include no remote access in the baseline configuration.
Software Patching and Firmware Upgrades
  • Manufacturers must have a portal policy/resource centre for handling upgrades/patches with transparency/community sign up programmes.
  • For critical updates whereby a product is vulnerable, an appropriate notification is essential at base level and must be issued to those who have signed up to the portal resource centre.
  • A non-critical and functional advisory service must also be made available to subscribers.
Penetration / Fuzz Testing (Vulnerability Scanning)
  • The device must have a documented procedure and be self-tested at manufacturing source to comply with SCC/BS conformity.
Use of IEEE 802.1x
  • Devices must be IEEE 802.1x capable.
This is a great step forward in improving and maintaining cyber security, but it will be a while before Secure by Default settings are seen across the board. As mentioned, Hikvision UK and Ireland have announced the first product ranges that will comply with the above requirements; these are:


Anti-Corrosion camera series - 5.6.0 firmware or above
ATEX camera series - 5.5.84 firmware or above
DeepinView 7 camera series - 5.6.0 firmware or above
Fisheye camera series - 5.5.73 firmware or above
Pro camera series - 2.0+, 3.0 and 4.0 ranges - v.5.6.0 firmware or above
PTZ camera series - 5.6.0 firmware or above
Thermal camera series - 5.5.18 firmware or above
Ultra camera series - 6.0 firmware or above.

Some may not apply to your system yet, but it’s definitely an impressive start. If you want to check which firmware version your camera is on, visit the Hikvision UK Portal.

Other organisations that have been issued with the certification include Axis and Bosch. We expect the list, "Organisations that have been issued with the Commissioner's certification mark", to be updated as more organisations implement the Secure by Default initiative.

Once we have confirmation that any new cameras delivered will have the latest firmware, we will of course make sure that our product pages clearly show when an item has been certified with the Secure by Default stamp of approval.

In the meantime you can use the list of requirements to check whether your system is as secure as possible. We recommend going through the list now and seeing if you can improve the security measures of your IP CCTV system. Maybe your password is weak and could do with strengthening?
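As an added illustration (not part of the original post or of the Secure by Default scheme's own material), here is a small Python audit that walks a camera's settings through the elements listed above, comparing a constructed factory-default configuration against a hardened one. The setting names and the thresholds used (minimum TLS 1.2, 12-character passwords, the list of obsolete services) are assumptions chosen for the example.

```python
# Added example: audit a camera's settings against the Secure by Default elements.
# The configuration dictionaries are constructed for illustration only; the field
# names, thresholds and obsolete-service list are assumptions, not scheme text.
MIN_PASSWORD_LEN = 12          # assumed strength rule
MIN_TLS = (1, 2)               # "up to date TLS" taken to mean TLS 1.2 or newer
OBSOLETE_SERVICES = {"telnet", "ftp", "snmpv1", "snmpv2c"}   # assumed examples

def weak_password(pw):
    """Assumed strength rule: minimum length plus upper, lower and digit classes."""
    classes = sum(any(f(c) for c in pw) for f in (str.isupper, str.islower, str.isdigit))
    return len(pw) < MIN_PASSWORD_LEN or classes < 3

def audit(cfg):
    """Return a list of (element, finding) tuples; an empty list means compliant."""
    findings = []
    if not cfg["password_changed"] or weak_password(cfg["admin_password"]):
        findings.append(("Default Passwords", "password unchanged or weak"))
    if cfg["hidden_accounts"]:
        findings.append(("Hardcoded Engineer Reset Passwords", "hidden accounts present"))
    bad = sorted(s for s in cfg["enabled_services"] if s in OBSOLETE_SERVICES)
    if bad:
        findings.append(("Protocols and Ports", "obsolete services enabled: " + ", ".join(bad)))
    if not cfg["https_only"] or cfg["min_tls"] < MIN_TLS:
        findings.append(("Encryption", "web UI reachable without HTTPS or TLS below 1.2"))
    if cfg["onvif_enabled"] and not cfg["password_changed"]:
        findings.append(("ONVIF", "ONVIF enabled before a new user/password was set"))
    if cfg["cloud_call_home"]:
        findings.append(("Remote Access", "device calls home without owner consent"))
    if not cfg["dot1x_capable"]:
        findings.append(("IEEE 802.1x", "device is not 802.1x capable"))
    return findings

# Constructed sample: an out-of-the-box device that fails most elements.
FACTORY_DEFAULT = {
    "password_changed": False, "admin_password": "12345", "hidden_accounts": True,
    "enabled_services": ["https", "telnet", "onvif"], "https_only": False,
    "min_tls": (1, 0), "onvif_enabled": True, "cloud_call_home": True,
    "dot1x_capable": False,
}
# Constructed sample: the same device after commissioning to the requirements.
HARDENED = {
    "password_changed": True, "admin_password": "Kx7!mwq2LpZ9", "hidden_accounts": False,
    "enabled_services": ["https"], "https_only": True, "min_tls": (1, 2),
    "onvif_enabled": False, "cloud_call_home": False, "dot1x_capable": True,
}

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or "compliant")
```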