Features
Do you know how your security cameras are made? You probably should.

IP security cameras are by their very nature connected to the internet either directly, or through a network. That’s what allows users to access them remotely, to check in on their business, and what lets dealers to easily update device software remotely. But this feature can also be a problem. When not secured properly, devices in the so-called Internet of Things (IoT) can be accessed remotely by just about anyone, not just those with whom you want to share access. And that’s a big problem for our industry.

Since a product is only as good as the hardware and software inside it, examining how something is built can give us rapid insight into its potential vulnerabilities and overall cyber worthiness. The NDAA (National Defense Authorization Act) ban is particularly focused on the subject of component sourcing for security devices. What is inside that device that could be exploited? Where did it come from? What do we know about the manufacturing process? These are all important questions about the manufacturing supply chain that need to be considered by anyone who cares about cybersecurity.

The easiest way to reassure customers that your system is compliant and cybersecure is to make everything yourself. However, that’s not always practical for many companies who rely on 3rd parties to supply critical components that they themselves do not manufacture. It’s also true that not every part, (resistors, transistors, and more) has a cyber aspect that can be exploited. So, worrying or restricting products over individual piece parts is unnecessary. There are, however, many OEM and re-labeled products on the market in which companies utilize external 3rd party technology in the form of processing chips, codec modules, network interface components, and more to perform certain complex tasks that could potentially be exploited.

This is where knowledge of the supply chain and manufacturing process becomes so crucial. It might be very difficult to get information about a company’s supply chain and processes since it may not be seen as an asset or selling point to disclose such data. When in doubt, try and find a manufacturer who creates and assembles as much the technology ‘in house’ as possible. An ‘end-to-end’ solution will include not just the manufacturing and sourcing of trusted parts, but also the final assembly, QC and logistics. A reputable manufacturer should manage the entire product lifecycle including updates and fixes. Any reasonable vendor should be willing to divulge where they source their parts, where their products are made and how they are tested, otherwise they may not be in full compliance with things like the NDAA.

If a company tells you its products are cybersecure, should you just believe them? It’s important to look for independent verification. Until recently, there hasn’t been any internationally recognized standard for cybersecurity for IoT products such as security cameras and supporting devices and software. The UL CAP (UL Cybersecurity Assurance Program) is a newer certification service designed to help organizations manage their cybersecurity risks and validate their cybersecurity capabilities to the marketplace. Products that achieve UL CAP certification go through rigorous testing and have had their processes vetted by an independent, respected agency. Choosing a product with UL CAP certification should provide end users with additional peace of mind.

It has never been more important for systems integrators and procurement departments to be fully aware of the risks associated with decisions based solely on price, without taking into consideration any possible cybersecurity weaknesses or vulnerabilities. When shown how easy it is to hack into some of the low-cost security hardware that is widely available on the market, people understand first-hand, the perils that poor procurement choices can cause. In the event that these purchases have already been made, it’s important to evaluate the vulnerabilities and assess the risks through an analysis of the product, and by performing a penetration test. Once the evaluation is complete, every effort should be made to mitigate the important risks identified and, if necessary, replace the devices at risk with ones that come with a trusted design and manufacturing process.

For more information please contact:
Johnell Johnson | Marketing Communications Manager
Hanwha Techwin America
500 Frank W. Burr Blvd. Suite 43 Teaneck, NJ 07666
C: 404-210-9116 • j.johnson@hanwha.com | Hanwhasecurity.com