Alert Essentials:

Equipment that is illegal for use in the United States is increasingly found in critical infrastructure networks because manufacturers white-label their products under unrecognized brand names.

Conduct inventory reviews and plan to replace any disallowed products to avoid losing funding for government programs.


Detailed Threat Description:

The National Defense Authorization Act (NDAA) was signed into law on August 13, 2019. This law prohibits government agencies, contractors, and critical infrastructure from using communications equipment that poses an unacceptable risk to national security.

Multiple Chinese-made products were added to the Covered List in March 2021. The ban is justified by the devices’ weak security configurations, lack of encryption, and backdoors that allow the manufacturers to communicate with deployed equipment.

This prohibition does not apply to equipment authorized before February 6, 2023.
However, intelligence agencies have observed an increase in the number of cameras produced by the manufacturers in critical infrastructure networks despite the sanctions.

The prohibited manufacturers use white labeling to bypass the regulations and continue selling their products in the U.S. under brand names such as LTS, Uniview, HiLook, Lorex, EZVIZ, and Luminsys.

The United States does not authorize importing or selling any equipment identified on the ‘Covered List’ published by the FCC and Homeland Security. As such, a healthcare facility that participates in federally funded programs may lose that aid if unlawful equipment is found to be in use.

Review inventory to determine whether Huawei, ZTE, Hytera, Hikvision, Dahua, or any subsidiaries or affiliates of these companies manufactured any of the organization’s cameras. If unacceptable equipment is uncovered, plan to replace it immediately.

You can contact the FCC directly for clarification on a specific model by visiting its website at www.fcc.gov or calling the Public Safety and Homeland Security Bureau at (202) 418-1300.

Impacts on Healthcare Organizations:

The introduction of these cameras into Health Sector environments constitutes an espionage and cybersecurity risk. Further, healthcare facilities receiving federal funding for programs such as Medicare and Medicaid could jeopardize program participation if banned products are found to be in operation.

To mitigate these risks, healthcare facilities should conduct thorough inventories of their equipment, verify compliance with the most current Covered List, and develop plans to replace non-compliant equipment with authorized alternatives.

Affected Products / Versions:

  • Telecommunications equipment produced by Huawei Technologies Company
  • Telecommunications equipment produced by ZTE Corporation
  • Video surveillance and telecommunications equipment produced by Hytera Communications Corporation
    • This ban does not include Hytera Radios
  • Video surveillance and telecommunications equipment produced by Hangzhou Hikvision Digital Technology Company
  • Video surveillance and telecommunications equipment produced by Dahua Technology Company

Recommendations:

Engineering Recommendations:

  • Conduct a comprehensive site audit to identify all non-compliant equipment
  • Check the manufacturer: Determine if your cameras are made by Huawei, ZTE, Hytera, Hikvision, Dahua, or any of their subsidiaries or affiliates
  • Investigate the chipset; even if the camera manufacturer isn’t on the list, the internal components might be
    • Huawei’s HiSilicon chips are widely used and are considered non-compliant
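The three checks above can be applied to an asset inventory mechanically. The script below is an added example, not part of this advisory: it reads a constructed CSV inventory and flags any device whose manufacturer, brand, or chipset matches the vendors and white-label names the advisory lists, exempting Hytera radios as the advisory states. Matching is a normalized substring match and is meant to produce a review queue, not a final compliance determination, which should be confirmed against the current FCC Covered List.

```python
import csv
import io
# Vendors the advisory names from the FCC Covered List.
COVERED_VENDORS = {"huawei", "zte", "hytera", "hikvision", "dahua"}
# Brand names the advisory says are used to white-label covered products.
WHITE_LABEL_BRANDS = {"lts", "uniview", "hilook", "lorex", "ezviz", "luminsys"}
# Chipset vendor the advisory calls out as non-compliant.
COVERED_CHIPSETS = {"hisilicon"}

def _norm(text):
    """Lower-case and drop spaces/punctuation so 'Hi-Silicon' matches 'hisilicon'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def _match(value, names):
    """Return the first listed name contained in the normalized value, else None."""
    value = _norm(value)
    return next((n for n in names if n in value), None)

def review_device(row):
    """Return the reasons a device needs review; an empty list means no finding."""
    reasons = []
    vendor = _match(row.get("manufacturer", ""), COVERED_VENDORS)
    # The advisory states the ban does not include Hytera radios.
    if vendor == "hytera" and _norm(row.get("device_type", "")) == "radio":
        vendor = None
    if vendor:
        reasons.append(f"manufacturer matches covered vendor '{vendor}'")
    brand = _match(row.get("brand", ""), WHITE_LABEL_BRANDS)
    if brand:
        reasons.append(f"brand '{brand}' is a name used to white-label covered products")
    chip = _match(row.get("chipset", ""), COVERED_CHIPSETS)
    if chip:
        reasons.append(f"chipset '{chip}' is from a covered vendor")
    return reasons

def review_inventory(csv_text):
    """Map asset_id -> reasons for every flagged device in a CSV inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset_id"]: review_device(r) for r in rows if review_device(r)}

# Constructed sample inventory; the assets and vendor strings are made up for this example.
SAMPLE_INVENTORY = """asset_id,device_type,brand,manufacturer,chipset
CAM-001,camera,ExampleCam,Example Corp,ExampleSoC
CAM-002,camera,LTS,LTS,HiSilicon
CAM-003,camera,Hikvision,Hangzhou Hikvision Digital Technology,Hi-Silicon
CAM-004,camera,Generic,Unknown OEM,HiSilicon
RAD-001,radio,Hytera,Hytera Communications,unknown
"""
```

Running `review_inventory(SAMPLE_INVENTORY)` returns findings for CAM-002, CAM-003 and CAM-004 only; CAM-004 is caught by its chipset alone, which is the case the chipset check exists for.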

Leadership/Program Recommendations:

  • If you find that cameras in use are on the Covered List or use components from listed manufacturers, consider replacing them with National Defense Authorization Act (NDAA) compliant alternatives
  • When choosing a video surveillance system, decision-makers should take into consideration that they may not be able to get replacement cameras and parts for Hikvision and Dahua systems in the future

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
