Chinese Surveillance Cameras Being Used All Over U.S. Highlight Supply Chain Risks
Recently the Wall Street Journal reported that security cameras monitoring a U.S. Army base, the streets of Memphis, a U.S. embassy overseas, and many homes and businesses around the country are sold by Hangzhou Hikvision Digital Technology. Hikvision is 42% owned by the Chinese government, sparking concerns about cybersecurity both from the U.S. government and private sector.
Because of concerns that the cameras might be used by China to spy on Americans, some U.S. security resellers refuse to carry Hikvision cameras. Another precaution being taken is that some agencies have put restrictions on who can purchase Hikvision cameras.
For example, the government’s procurement oversight agency, the General Services Administration (GSA), removed Hikvision from a list of automatically approved suppliers. Also, as of May 2017, the Department of Homeland Security (DHS) issued a warning that some of Hikvision’s cameras contained a loophole that makes them easily exploitable by hackers, and assigned its worst security rating to that vulnerability.
Today, we benefit greatly from a global supply chain and specialization, which allows companies to focus on their core competencies and outsource many other pieces of their business to those that specialize in those products, processes, etc.
But a byproduct of this is that supply-chain security must be a critical part of an enterprise’s security program. A vendor who supplies cameras or recording equipment that sends any data back to them should be factored into a company’s threat model. When that vendor is partially owned by a foreign government, the threat model becomes even more important.
Some organizations will determine that the risk is worth the tradeoff, but every organization should be evaluating that tradeoff rather than burying its head in the sand about the risks from third-party vendors.
When we look at the companies using Hikvision products, there are two questions that we should be asking:
1. What kind of information could the Chinese government be receiving about the companies that use Hikvision’s products?
2. What could my competitor do with the collected information?
For example, these cameras could be collecting seemingly harmless data, such as schedules for deliveries and patterns of traffic flow at various times of the day. But that information could also reveal which vendors are making deliveries to the customer sites and what nearby buildings are not under surveillance. With this in mind, organizations should determine if recorded information could put them at risk domestically, or in the form of a public/private partnership sanctioned by other countries.
Most cameras of this type have poor security and rarely receive updates when patches become available. Organizations would do well to assume that they are either compromised, compromisable, or will become compromisable in the future.
As cameras and other IoT devices quickly begin to outnumber traditional computing devices, we must think about ongoing device security much in the same way we do with servers, laptops, etc. In addition to evaluating initial security and risks, organizations must evaluate whether devices can support ongoing upgrades, identity and access management, patch management, and other enterprise-standard security procedures.
This will likely not be the last time we learn of a broadly deployed IoT device with the potential to be owned by a foreign government or hacker. But we should use it as a strong and constant reminder to treat these devices as we would any other device accessing our network. To limit risks, organizations should assume information on any device can be compromised, determine how much risk they are willing to tolerate, and apply security models and best practices to limit that risk.
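One concrete way to act on the advice above, and on the earlier point that a device phoning home to its vendor belongs in the threat model, is to watch what the camera VLAN actually talks to. The script below is an added example, not code from the original post or from any vendor: it parses a few constructed flow records (the key=value format, the subnet assignments, the NVR and NTP addresses and the 10.0.0.0/8 "internal" range are all assumptions made for this example) and reports every camera that sent traffic anywhere other than the allowlisted on-site recorder and time server, marking whether the destination was outside the organization's own address space.

```python
"""Flag cameras on a dedicated subnet that talk to destinations outside an allowlist.

Added example for this post; the network layout and log format are assumptions,
and the flow records below are constructed, not captured from any real device.
"""
import ipaddress

# Assumptions for this example: cameras live on their own VLAN and should only
# ever speak to the on-site network video recorder (RTSP) and an internal NTP server.
CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTS = [
    ipaddress.ip_network("10.50.1.10/32"),   # on-site NVR
    ipaddress.ip_network("10.50.1.11/32"),   # internal NTP server
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # anything else is "external"

# Constructed sample flow records (timestamp followed by key=value fields).
SAMPLE_FLOWS = """\
2017-05-10T03:12:01Z src=10.50.0.21 dst=10.50.1.10 dport=554 proto=tcp bytes=1843200
2017-05-10T03:12:05Z src=10.50.0.21 dst=10.50.1.11 dport=123 proto=udp bytes=76
2017-05-10T03:12:07Z src=10.50.0.22 dst=203.0.113.45 dport=443 proto=tcp bytes=52480
2017-05-10T03:12:09Z src=10.50.0.22 dst=203.0.113.45 dport=8000 proto=tcp bytes=981
2017-05-10T03:12:15Z src=10.20.0.5 dst=203.0.113.45 dport=443 proto=tcp bytes=1024
2017-05-10T03:12:20Z src=10.50.0.23 dst=10.50.1.10 dport=554 proto=tcp bytes=2048000
2017-05-10T03:12:31Z src=10.50.0.24 dst=10.10.0.5 dport=445 proto=tcp bytes=4096
"""


def parse_flow(line):
    """Turn one 'ts k=v k=v ...' record into a dict with typed src/dst/port/bytes."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = ts
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def find_unexpected_egress(log_text):
    """Return {camera_ip: {"dests": [...], "bytes": n, "external": bool}} for every
    camera that contacted a destination not on the allowlist.  A non-camera source
    (10.20.0.5 in the sample) is ignored; a camera talking to another internal host
    off the allowlist is still reported, but with external=False."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["src"] not in CAMERA_SUBNET or in_any(rec["dst"], ALLOWED_DESTS):
            continue
        entry = findings.setdefault(
            str(rec["src"]), {"dests": set(), "bytes": 0, "external": False}
        )
        entry["dests"].add(f'{rec["dst"]}:{rec["dport"]}')
        entry["bytes"] += rec["bytes"]
        if not in_any(rec["dst"], INTERNAL_NETS):
            entry["external"] = True
    for entry in findings.values():
        entry["dests"] = sorted(entry["dests"])  # deterministic output
    return findings


if __name__ == "__main__":
    for camera, info in find_unexpected_egress(SAMPLE_FLOWS).items():
        scope = "EXTERNAL" if info["external"] else "internal"
        print(f'{camera}: {scope} {info["bytes"]} bytes -> {", ".join(info["dests"])}')
```

The same logic runs unchanged against real exports from a firewall or flow collector once the parser is adapted to that format; the useful part is the policy it encodes, namely that a camera has exactly two legitimate peers and everything else is a finding worth a ticket, whether it is a vendor cloud endpoint or a file server on another VLAN.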
For more on IoT security, check out my previous blog, Top 3 Things You Need to Remember for Better IoT Security, or learn more about an IoT-Ready Approach to Identity Management.