Hikvision Rejects Assertions of ABC Report
The notion no Chinese security or network device can be trusted needs examination - the big image shows the entry of AG's Dept, which is a large site in its own right. The Dahua camera in question is up the street. This site's primary surveillance cameras are another brand.
HIKVISION has rejected the assertions of a sprawling ABC report, which hinted at possible espionage by Australian-owned and Australian-installed surveillance solutions, questioned the cyber security capabilities of Chinese surveillance cameras, claimed Hikvision and Dahua cameras dominated government and public surveillance applications across Australia, and raised the spectre of Chinese Government interference in Australian politics, while providing no credible empirical evidence in support of its assertions.
“We believe this report fails to provide a factual, fair and objective view of our company and our products,” said Hikvision in a release. “We would like to reinforce that there is no evidence anywhere in the world, including Australia, to indicate that Hikvision’s products are used for unauthorized collection of information of end-users. Hikvision never has nor ever will install backdoor access to its products intentionally. The installation of Hikvision’s products by numerous government facilities and infrastructures proves the overall safety, quality and cost-effectiveness of Hikvision products.”
The ABC report said its journalists found 2 Hikvision and 2 Dahua cameras installed at Central Station in Sydney (out of a total of 400 cameras of various brands at the site). As the well-informed know, the surveillance system at Central will soon be upgraded to more than 1000 cameras, none of which will be Hikvision or Dahua. Meanwhile, a Hikvision camera was found near the driveway of RAAF Base Edinburgh outside Adelaide, where it had been installed and configured by an Australian security integrator, and was being used by Australian security operators to provide security and safety for Australian defence force personnel at the site. At neither site was a Dahua or Hikvision VMS driving the system.
A Dahua camera was spotted at a government precinct in Canberra frequented by politicians and lawyers. An Australian integrator may have installed this camera to give the Australian security team monitoring it situational awareness of street events outside 3 nearby security agencies, as well as the Office of National Assessments, the Attorney-General’s Department, and the Department of Prime Minister and Cabinet. However, the real angle of view and depth of field were not revealed by ABC and are likely known only to integrator and system operators. Anyone who has walked this stretch of road will know the scene in question is vast and complex – hundreds of metres long and hundreds of metres wide. The ABC report did not mention focal length, PTZ capability, camera resolution, or the cyber security setup of camera or network supporting it.
It’s difficult to make objective claims about the camera brands most commonly installed in government and public surveillance solutions around Australia but SEN’s experience covering these installations in depth over many decades suggests they are still dominated by manufacturers including Axis Communications, Pelco, FLIR, Mobotix, Panasonic and Bosch. When it comes to higher security government applications, the field is more intensely dominated by a very small group of manufacturers, none of which is Hikvision or Dahua. The lack of penetration by the big Chinese makers relates partly to their comparatively recent arrival on the local market and the slow churn of government systems – it’s around 10 years. This upgrade latency is typical of government investment in technology and means most currently installed systems are last-gen. They typically include multiple camera brands – systems are expanded in segments as budget comes to hand.
There are many Chinese brands, many famous non-Chinese manufacturers OEM their products and many manufacturers do their building on Chinese production lines – this applies to all electronic security hardware devices – including surveillance cameras, NVRs, alarm panels, access control panels, communicators, servers and network appliances. It also includes many of the mobile devices used to remotely manage and monitor these systems. This fact exposes a larger issue to examination – the notion behind these recurring reports seems to be that any NIC-enabled device manufactured in China cannot be trusted, regardless of the cyber security settings of said device or the cyber security settings of the network on which it resides. This notion must be addressed objectively by cyber security experts at an industry level and resolved to conclusion, not left open to uninformed speculations in the consumer press.
Most brands of surveillance camera have been found to have exploitable sections of code and/or vestigial engineering shortcuts in their firmware over the last 3-4 years. Since their discovery all manufacturers have resolved the issues raised and significantly enhanced their cyber security capabilities. Regardless, no empirical evidence has ever shown that any brand of surveillance camera – Hikvision and Dahua included – has ever transmitted live streams of video to the government of any state. Any proof of such transmissions should be sent to firstname.lastname@example.org
Hikvision said in response to the ABC report that its products currently meet industry-leading standards including:
* ISO 27001, the internationally-recognized information security management standard;
* ISO 9001:2008, the standard for quality management, as measured by customer satisfaction and compliance with regulatory requirements;
* Capability Maturity Model Integration (CMMI) Level 5, the most advanced process on a scale created by Carnegie Mellon to demonstrate the application of best practices when developing software;
* Partnership with U.S.-based cybersecurity company Rapid7 in 2015 and in September 2017, when it conducted a penetration test on 2 Hikvision cameras and 2 NVRs, finding no critical vulnerabilities; and
* U.S. Government Federal Information Processing Standard (FIPS) 140-2 Level 1 certification, which establishes the Cryptographic Module Validation Program (CMVP) as a joint effort by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce, and the Communications Security Establishment (CSE) for the Government of Canada. Hikvision’s encryption module received Level 1 FIPS 140-2 certification to be used in both IP camera and NVR products.
Hikvision was one of the first companies in the industry to establish a more secure activation process by requiring users to set passwords at the time of first use, rather than the plug and play model with a universal password, adding another layer of security.
Recently, during a hearing held by the U.S. House of Representatives Small Business Committee, the U.S. Department of Homeland Security confirmed that Hikvision followed the standard vulnerability patching procedure and had already issued updates to mitigate the identified vulnerabilities.