According to Hanwha Vision, the European Union Agency for Cybersecurity, ENISA, reveals that new threats to cyber security are emerging because of the wealth of data that devices can now collect; advances in AI, which make cyber-attacks more complex and scalable; supply-chain targeting (with third-party incidents accounting for 17% of intrusions in 2021 compared to less than 1% in 2020); and Internet of Things (IoT) devices being used as gateways to larger attacks. Amid this landscape comes the new CRA, and a replacement for the original NIS Directive that directly addresses the new threats.
About the NIS2 Directive
The NIS2 Directive was adopted by the European Parliament and Council in December 2020. The deadline for Member States to transpose the NIS2 Directive into applicable, national law has just passed, on the 17 October 2024. Ultimately, the Directive aims to improve the cyber security of network and information systems across the EU.
It applies to both Operators of Essential Services (OES) and Digital Service Providers (DSPs) – identifying where an organisation fits into this is key to understanding its obligations. OES provide critical services to the economy or society and include energy firms, transport, banking, and healthcare. DSPs provide online services to a large number of users, and include search engines, social media platforms, and online marketplaces. As a manufacturer of video technology, Hanwha Vision is defined as a DSP.
The first NIS focused solely on OES, however, given the increasing prevalence of digital services that can be a weak link exploited by malicious actors, NIS2 expands requirements to DSPs. It ensures that DSPs take appropriate measures to manage the risk posed to their networks and information systems.
DSPs will be required to:
- Be fully compliant with the Cyber Resilience Act.
- Conduct regular risk assessments to identify and assess the risks to their networks and information systems.
- Implement appropriate security measures to mitigate the risks identified in their risk assessments.
- Report cybersecurity incidents to the competent national authorities.
- Cooperate with the competent national authorities in the event of a cybersecurity incident.
The experts at Hanwha affirm that the NIS2 directive is a positive step for the video sector; it ensures any manufacturer wishing to do business in EU member states is compliant. Securing a network, with its various devices and different services, requires active participation by the entire vendor supply chain. NIS2 makes this much easier to organise. Moreover, cameras can be a risk if they aren’t chosen from reputable manufacturers, not just for the data they collect (that can be sensitive and personal) but also as a gateway to a larger cyber-attack. As networks become larger and more complex, particularly as more smart cities are built, having robust cyber security across supply chains becomes critical.
Preparing for NIS2
The best way to futureproof an organisation right now, according to Hanwha Vision, is to work exclusively with manufacturers that can prove their readiness for NIS2 compliance, with a strong track record of cyber security best practices. Although the exact requirements are yet to be legislated by the EU, the company suggests that it a safe bet for now is to look for CRA compliance as there is every chance that a CRA-compliant manufacturer will also be NIS2 compliant.
CRA compliance
With more smart devices in businesses and homes, the European Commission is looking to ensure an adequate level of cyber security in every product used within member states, with regular security updates throughout the product lifecycle. To help business leaders and consumers identify compliant products, the CE marking will appear on any product or software that meets the requirements. The CRA applies to products that connect to the internet, for example smart TVs, Wifi routers, smart fridges and video cameras.
Although the Act is being deliberated by the European Parliament and Council, and likely won’t come into force until 2024 at the earliest, Hanwha Vision is already following the guidelines with the CRA owing to the comprehensive cyber security processes it has implemented.
Vendors must also show that they are conducting regular risk assessments to identify, assess, and mitigate any risks to their network. This is something that Hanwha Vision’s Security-Computer Emergency Response Team (S-CERT) regularly carries out, including penetration testing and security checks.
Hanwha Vision’s products are all designed and developed with security in mind, with UL CAP Certification in the Wisenet 7, Advanced System On Chip (SoC). To further improve security for all of its users, Hanwha Vision regularly publishes potential threats and vulnerabilities as part of an open disclosure policy, and provides users with information about their products’ security features and how to use these.
The tip of the cyber security iceberg
The latest legislative moves by the EU are part of wider efforts to promote cyber resilience through policymaking, innovation grants, and more. It shows a clear focus by the European Commission on securing products and services against cyber-attacks; partnering with manufacturers that place cyber security at the core of their product design will help organisations future proof their operations in Europe.
It’s vital, therefore, that users choose a video manufacturer that goes above and beyond in securing its products and software – cyber security is not an area where ‘good enough’ is sufficient. The risks and costs of a data breach are simply too great to justify choosing cameras with substandard cyber security. Partnering with a manufacturer that constantly scans the landscape for new threats and vulnerabilities can help ensure a video system remains ahead of the game in maintaining compliance.
Clear credentials and policies
To obtain peace of mind that a video network is as cyber-secure as possible, looking for a few ‘trust marks’ in the manufacturers offering should be part of every selection process. Clear evidence of their commitment to cyber security should be visible, not just in product design but across all operations, culture, and even thought leadership. Security policies, including vulnerability responses and incident handling/reporting, are basic requirements.
Certifications including UL CAP (UL Cybersecurity Assurance Program) and NDAA (National Defense Authorization Act) compliance, or accreditations such as the UK’s Cyber Essentials scheme can provide further confidence. In particular, since NDAA compliance requires manufacturing companies to avoid manufacturing in, and using silicon chips and other components from blacklisted countries, it can be an important indicator of the cyber-resilience of a manufacturer’s supply chain.
Finally, knowledge and resource sharing, as well as contributing to the CVE vulnerability library (Hanwha Vision is a CVE Partner), can show a long-term commitment to improving cyber security. Hanwha Vision is proud to have been hardening its security measures and contributing to cyber security best practices across the UK and Europe for many years.
A future trust mark?
Similarly to NDAA compliance, the CRA and NIS2 are becoming another point that decision-makers can use to determine a manufacturer’s cyber security commitment. Seeking out vendors that are proactive in their approach and that take a multi-faceted strategy in securing products, will serve well long-term as cyber-attacks become more commonplace, complex, and costly. Organisations need the freedom and flexibility to invest in the best CCTV solutions for the organisation without introducing a weak link into the network.