International. ONVIF announced that it will end its support for Profile Q early next year, as it contains certain specifications that are no longer consistent with current cybersecurity best practices.
Profile Q was developed to provide easy configuration of a supported device on an IP network. Requires a Profile Q-compliant device to allow anonymous access to all ONVIF commands during the configuration process in the factory default state. This does not follow current cybersecurity best practices, which recommend, among other things, that a network device require users to set passwords and other access rights before the device can be used.
Since the specifications of a profile cannot be changed, as they would affect interoperability between products that fit a specific profile, Profile Q will become obsolete on March 31, 2022.
"ONVIF-compliant products are used in a wide variety of industries and geographies, with different requirements when it comes to cybersecurity policies or best practices," said Leo Levit, chair of the ONVIF Steering Committee. "As these cyber threats evolve rapidly, it is important for users to know these best practices to ensure they are implementing cybersecurity measures that are appropriate for their organization."
ONVIF recommends following industry best practices and local regulations and staying informed about technological changes in the market. ONVIF's network interface specifications have defined network protocols that include security elements such as TLS (Transport Layer Security), which allows ONVIF devices with that feature to communicate with clients over a network in a way that protects them from eavesdropping and tampering. The ONVIF specifications also cover the ONVIF Default Access Policy, which specifies that there must be different classes of access to services based on different user roles. Manufacturers can implement these ONVIF specifications regardless of whether the specifications are included in a profile or not.