Hikvision launches first ‘Secure by Default’ product ranges

Hikvision UK & Ireland has unveiled the first Hikvision product ranges to be self-certified under a pioneering initiative that encourages manufacturers to make network cameras cyber-secure ‘out of the box’.

Launched by Surveillance Camera Commissioner Tony Porter at IFSEC 2019, Secure by Default is a set of minimum requirements for making network video security products as secure as possible in their default settings.

Hikvision was instrumental in Secure by Default’s development, along with Axis Communications, Bosch, Hanhwa Techwin and Milestone Systems.

In an interview with IFSEC Global shortly before the scheme was launched, Tony Porter said: “We think it may be a global first for this kind of guidance and approach. We believe that there is a greater burden on manufacturers to support the security of end users.

“It’s simple to follow, and manufacturers will be held to account both by the public and internally. So I think it’s a good thing, and provides an opportunity for greater security [and reassurance] that their kit [is resilient against] being hacked.”

Products must meet 25 criteria, set by Tony Porter’s office, to qualify for certification – including:

• Default passwords – to be changed on initial power-up, have strength indicator, do not allow insecure passwords
• Hardcoded passwords – no hard-coded usernames and passwords
• Protocols and ports – only necessary protocols enabled, enabled ports documented, strategy to fix any identified vulnerabilities in place, appropriate notification scheme for fixes
• Encryption – appropriate encryption considered, HTTPS in use, TLS for communications, baseline encryption for data stored at rest
• ONVIF protocol – ONVIF disabled at bootup, video streaming disabled until new username and password created
• Remote access – remote access disabled by default, user consent required for vendor-controlled network services, no access to other connected network services, workstations and servers locked down
• Software patching and firmware upgrades – community resource in place for patches/upgrades, critical updates proactively notified, advisory service for user subscription
• Penetration/fuzz testing – security testing process in place, vulnerable components and devices subject to development before live use
• IEEE 802.1x – Products are IEEE 802.1x capable

The first Hikvision products to be certified under the Secure by Default requirements include:

• Anti-corrosion camera series 5.6.0 firmware or above
• ATEX camera series 5.5.84 firmware or above
• DeepInView 7 camera series 5.6.0 firmware or above
• Fisheye camera series 5.5.73 firmware or above
• Pro camera series 0+, 3.0 and 4.0 ranges v.5.6.0 firmware or above
• Pan, tilt and zoom camera series 5.6.0 firmware or above
• Thermal camera series 5.5.18 firmware or above
• Ultra camera 5 series 6.0 firmware or above

“Installers and integrators should, where possible, offer products that are certified to the Secure by Default requirement,” said Gary Harmer, UK & Ireland sales director for Hikvision. “This offers them, and their customers, an assurance that those products are provided to them in the most hardened, cyber-security-optimal form possible, with default settings which provide minimal vulnerabilities on first use.”

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report