printer friendly version

Dahua Technology’s cybersecurity approach

In the AIoT era, the world is getting smarter. Everything is going to have an online ID and then connect into a vast net of IoT devices, like a laptop computer, a mobile phone, a connected thermostat or a network security camera.

According to a Marketsandmarkets report, IoT is extensively used by smart cars to smart manufacturing and connected homes and building automation solutions. However, currently there are no unified global technical standards for IoT, especially in terms of communications. This results in inefficient data management and reduced interoperability and ultimately may cause reduced security in the IoT network. The global Internet of Things (IoT) security market size is expected to grow from $12.5 billion in 2020 to $36.6 billion by 2025, at a compound annual growth rate (CAGR) of 23.9%.

Dahua Technology, a video-centric smart IoT solution and service provider, believes cybersecurity is of vital strategic importance in the age of AIoT. In various vertical industries, such as traffic, finance, hospital and critical infrastructure, organisations collect, process and store unprecedented amounts of data on devices like IP cameras and NVRs. A significant portion of that data can be sensitive or private information, which can be prone to cyber-attacks and the situation is getting worse because there are more devices than people. As a security solution provider, Dahua continuously invests in cybersecurity and actively focuses on network security issues.

Continuous investment and focus

The company keeps investing about 10% of its annual sales revenue in R&D; every year, including cybersecurity. In addition, the company put together a professional team of nearly 100 personnel to focus on cybersecurity issue. With rich experience and sufficient resources, Dahua promises to be positive, open, cooperative and responsible when it comes to cybersecurity.

In order to achieve better efficiency, Dahua operates a comprehensive system to cope with all cybersecurity related issues. The system, led by a cybersecurity committee, also contains a cybersecurity and data protection compliance group, cybersecurity institute and product security incident response team (PSIRT). The cybersecurity committee, above all departments or teams, can call resources from the whole company, from the R&D; centre, to legal department, supply chain, overseas business department, etc. when necessary. The Cybersecurity Institute is in charge of building SDLC processes and implementing them in all Dahua products.

Security development lifecycle

Dahua adopts a number of professional SDLC (Security Development Lifecycle) applications to improve product security. During the security design phase, STRIDE + Attack Tree + PIA is adapted to improve threat modelling.During the security realisation phase, OWASP top 10 and over 150 CWEs are used to achieve static code analysis. During the security test phase, over 20 tools within seven fields are applied to complete the multiple security testing processes. CompTIA PenTest+/Security+ is used to carry out professional penetration testing, while compliance ISO 30111 and 290147 are followed during vulnerability management after the products are sold.

Emergency response system

Cooperation with professionals from across the globe is a great way to improve vulnerability detection. Therefore, the Dahua Cybersecurity Centre (DHCC) was established to solve cybersecurity issues with security vulnerability reporting, announcement/notice and cybersecurity knowledge sharing with its global customer base. The Product Security Incident Response Team (PSIRT) is an integral part of the DHCC. Composed of professionals ranging from marketing, supply chain, service and legal representatives, PSIRT is responsible for receiving, processing and disclosing Dahua-related security vulnerabilities. Team members are on duty seven days a week and guarantee to respond to an emergency within 48 hours. End user, partner, supplier, government agency, industry association and independent researcher are encouraged to report potential risk or vulnerability to the PSIRT at [email protected].

Personal data and privacy protection

Dahua Technology also attaches great importance to personal data and privacy protection. Complying with applicable laws and regulations such as EU’s General Data Protection Regulation (GDPR), EDPB’s guidelines on the concepts of controller and processor in the GDPR, ETSI EN 303645’s Cyber Security for Consumer Internet of Things: Baseline Requirements as well as the USA’s California Consumer Privacy Act, the company established the Personal Data and Privacy Protection Standard. The standard stipulates that privacy protection methods such as de-identification, data encryption and systematic access control and privacy-friendly settings are fully adapted to the complete data life cycle all the way from collection, transmitting, storage to sharing, copying and deleting. In addition, working with third-party institutions, Dahua has received Protected Privacy IoT Product Certification and ETSI Certification from TÜV Rheinland, as well as ISO 27018 and ISO 27701 Certification from the BSI, which help in demonstrating its capability in managing personal information and compliance with privacy regulations around the world.

In a widely networked world of IoT, cybersecurity challenges are a universal sore spot for companies. Dahua Technology, in the business of keeping people safe, takes cybersecurity seriously. With a mindset that emphasises cybersecurity and all the resources it can allocate to establish, carry out and strengthen its cybersecurity approach, Dahua Technology plans to stay positive, open, responsible and constantly improving in the field of cybersecurity.

Share this article:

Further reading: