• No brand is immune to cybersecurity breaches, but certain practices can mitigate them better than others. 
• Drawing from tried and tested cybersecurity policies and actions taken by different CCTV companies, what makes cybersecurity best practice?
• Cybersecurity best practices should look at best practices before and after potential breaches to ensure the safety of its customers.

Cybersecurity is a particularly pressing issue in all tech circles, and CCTV is no different. One need only remember the Mirai cyber-attack in 2016, where bots were able to infiltrate unprotected computers, which shared IP addresses with home CCTV cameras.

While there is rightfully an emphasis on preventing cyber-attacks in the first place, no company is completely immune to cybersecurity breaches. Cybersecurity practices arise out of new threats and new methods to gain access to data, and it takes companies time to identify threats, address weaknesses, and roll out improvements to their software.

Therefore, cybersecurity best practice can be divided into two key parts: before a cybersecurity breach has been identified, and after a cybersecurity breach has been identified. Crucially, they are both equally important, and any credible tech company should recognise this.

To this effect, the article highlights key practices that cybersecurity companies can follow and identifies certain companies that utilise these practices.

Cyber-Breach Prevention

Imagine cybersecurity in CCTV systems as a chain connecting the camera itself to the network that it's on, as well as the camera manufacturer. The flow of information along this chain depends on the destination. 

For example, the camera company should not have access to end-user data and footage without the end-user authorization, while the network that the camera is connected to should allow its owner to survey the footage. At the same time, camera manufacturers should be able to send software updates to their products to optimise them and protect them against current and future cybersecurity threats.

Each chain has a linkage, which is where data is communicated to each point. These are the vulnerabilities that are most susceptible to cyber-attacks. Cybersecurity best practice in prevention targets these linkages to fortify the chain.

Firstly, there should be certain technical mechanisms implemented to protect cybersecurity, such as data encryption. For instance, encrypted video means that video data cannot be accessed by the manufacturer or any other third parties during its processing.

The same goes for firmware, which serves as a manual from the manufacturer that allows the hardware to function properly. In this aspect, the monitoring device should check the integrity of the security camera's firmware when upgrading to prevent it from being maliciously replaced by attackers.

As a rule of thumb for potential customers, you ensure that a manufacturer is compliant with these best practices by checking that the manufacturer has been certified as compliant with the ETSI EN 303 645 Cybersecurity Standard. 

Among security camera companies that maintain a large market share, AXIS Communications and Dahua Technology stand out as companies that have announced that their products have passed the ETSI EN 303 645 Cybersecurity Standard.

European Union legislation also requires high-level cybersecurity practices in industries linked to critical infrastructure, including digital infrastructure, managed security service providers, etc. The new NIS2 Directive may be enshrined into EU member states' national laws in October 2024 and may require EU member states to enshrine the directive into their national laws in October 2024. It is pertinent for customers to keep a close eye on the companies that signal that they are compliant with the new legislation. 

Companies that have announced their commitment to compliance with the NIS2 Directive include Dahua, Hikvision, AXIS Communications, Bosch, and Hanwha Vision. 

Cyber-Breach Mitigation

However, cybersecurity professionals discover new linkages in the chains all the time. Unfortunately, so do hackers. How should companies identify and address these new linkages quickly and efficiently?

It is harder to identify 'best practice' for identifying and addressing linkages, as companies have to be vigilant and not complacent with existing cybersecurity practices. This is where vulnerability management teams come in.

One core attribute of a vulnerability management team is accessibility. An excellent example of this is Dahua Technology. Dahua Product Security Incident Response Team (Dahua PSIRT) is available 24/7 to publicly announce cybersecurity breaches. Certain devices support online upgrading (turned off by default). When users actively turn on the online upgrading feature, Dahua will post new programs at the first time when there is an upgrading to solve functional or security problems of the devices.

One example of this is a security advisory quickly released in November 2021 regarding an identity authentication bypass vulnerability found in some Dahua products. The document in its first form outlined the threat to customers and assessed the vulnerability. Soon after, the page updated, with Dahua providing a clear list of the models that could be affected by the vulnerability and directed users to a patch that would fix the issue. 

Another example of this is a 2020 security advisory released by Dahua that detailed login authentication compatibility vulnerabilities in earlier hardware. The page directs you straight to Dahua Wiki, which then allows you to download the firmware fix. For this reason, Dahua is known for being proactive in troubleshooting cybersecurity risks.

The second identifiable 'best practice' for troubleshooting vulnerabilities is transparency. Visibly addressing cybersecurity issues not only builds trust with installers and end-users but also ensures accountability on behalf of the manufacturer through documentation.

AXIS Communications has an easily found page detailing every major cybersecurity vulnerability, and whether their products are affected by it. The page also highlights the actions taken by AXIS Communications to address any vulnerability that has implications for its products.

What does this mean for customers?

To summarise, there are certain elements that an installer or an end-user should be on the lookout for regarding cybersecurity. Firstly, they should ensure that the company that they are choosing has relevant cybersecurity mechanisms or certifications that demonstrate that data is adequately protected and legally processed.

Secondly, security camera manufacturers should be responsive to new vulnerabilities in their products and take accountability for the vulnerabilities. Security camera manufacturers are meant to provide security for their customers. It is, therefore, important that customers trust security camera manufacturers to protect and address security issues.