Brian Sims
Editor
Brian Sims
Editor
THE NEW Internet of Things world is characterised by millions upon millions of connected devices. With more insecure devices and network access points in existence than ever before, Hikvision is a firm believer that ‘Secure-by-Design’ principles are essential for protecting against growing cyber security threats.
Over the last few years, digital technologies have transformed the world, affecting all sectors of business activity and daily life. The end result is an Internet of Things (IoT)-driven technology landscape wherein everything is instrumented and interconnected.
By the end of 2018, there were an estimated 22 billion IoT-connected devices in use around the world. Forecasts suggest that this figure will increase to 50 billion by 2030, in turn creating a massive web of interconnected devices. To support this highly connected future, thousands of IoT devices are connected to networks every day. Additionally, the appetite for new features and functionality has created a ‘need for speed’ in terms of the development and deployment of new types of devices.
Many IoT connected devices are now highly complex, incorporating advanced Artificial Intelligence (AI) algorithms and other next generation features. IP-based video security cameras are a good example of this. Over the last 15 years, they’ve evolved from being simple analogue video cameras into complex, fully-digital IoT devices driven by machine learning and AI.
Like other types of devices, the evolution here has been driven by customer demands for improved functionality and connectivity. This demand also creates an urgency in the development process, with solution providers competing to offer the most advanced features as fast as possible in order to win customers and market share.
Balancing act
The race to develop more feature-rich and even more connected IoT devices has fulfilled customers’ operational needs, but there have often been compromises in terms of security. After all, building security into all aspects of the production process takes time: a precious resource that’s not always available. Due to time pressures, several device manufacturers have opted for development and production speed over security.
The end result of speed over security has been an enormous increase in serious IoT cyber security incidents. Cyber criminals have been able to access millions of IoT devices on a relatively easy basis simply because those devices were not developed and produced with security in mind. By the end of 2016, for example, the Mirai Botnet had become world news and IoT security started to gain some serious attention. This is a clear example of what can go wrong when insecure IoT devices like baby monitors, network routers, agricultural devices, medical devices, home appliances, DVRs, cameras or smoke detectors are connected to the Internet without proper security provision.
In the case of the Mirai Botnet, attackers were able to hack into millions of insecure IoT devices. In this case, security cameras. They then used the combined computer power of the devices to launch targeted Distributed Denial of Service (DDoS) Internet attacks.
Unfortunately, many more cyber incidents involving IoT devices have occurred since 2016 and, indeed, continue to happen every day. In 2019, security researchers from F-Secure issued a warning that cyber attacks on IoT devices are growing at an unprecedented rate. They measured “a three-fold increase in attack traffic to more than 2.9 billion events.”
In the research, this growing threat was attributed – at least in part – to “a basic lack of defences in ageing firmware or architectures, and partly due to a lack of information security-focused housekeeping. Often, IT Departments are not even aware of all these devices on their networks.”
‘Secure-by-Design’ production
One key method in which to prevent damaging attacks on IoT devices is to improve the defences of these devices. Unfortunately, it’s extremely hard to add effective security after the IoT device is produced and/or installed. The most effective way to prevent breaches is to implement security during device production. This is often referenced as ‘Secure-by-Design’ production.
‘Secure-by-Design’ is all about building security into every stage of the production process, from the conceptual phase to the final delivery phase. In the conceptual phase, security requirements are defined. In the design phase, a security architecture is developed for the product design. Then, in the development phase, software code review and code scanning will take place. The verification phase concentrates on the execution of pen-testing, while security training and technical support are provided in the delivery phase.
All of these security measures realized during the production process improve the cyber resilience of a video security camera and render subsequent (and costly) cyber security improvements unnecessary.
There are several prerequisites for manufacturers who want to integrate ‘Secure-by-Design’ principles into all aspects of their production process. First, there needs to be commitment at an organisational level to invest in the security of each product. This may have an impact on production costs, but it will also dramatically improve the security and credibility – and, therefore, value – of products by providing certain security assurances to end user customers.
New and emerging threats
As an additional requirement, ‘Secure-by-Design’ requires manufacturers to be open to penetration testing by third parties once devices are designed, manufactured and operational. This ensures that products are able to withstand new and emerging cyber security threats as well as existing ones.
Ultimately, ‘Secure-by-Design’ principles require manufacturers to be truly serious about bolstering their cyber security and protecting their customers against security breaches. This is very much the case at Hikvision, where ‘Secure-by-Design’ principles are employed in order to minimise the risk of damaging cyber security attacks across the company’s product range.
*For more information on this topic read Hikvision’s Cyber Security White Paper
**Discover more about Hikvision’s cyber security strategy and capabilities, and how the surveillance specialist ensures that its IoT connected cameras and other products are resilient to attacks, by visiting the website