Secure by default launch

by Mark Rowe

Tony Porter, the Surveillance Camera Commissioner, launched ‘secure by default’ minimum requirements for manufacturers of surveillance camera systems and components.

The official launch was on the third and final morning of IFSEC 2019 at London Excel, on Thursday, June 20. The work has been led by Mike Gillespie, cyber security advisor to the Commissioner (of info-security awareness training company Advent IM), and Buzz Coates (of distributor Norbain). As featured in the May and June print issues of Professional Security magazine, it was developed with video hardware and software manufacturers Axis Communications, Bosch, Hanwha, Hikvision and Milestone Systems.

Mike Gillespie said: “If a device comes out of the box in a secure configuration, there’s a good chance it will be installed in a secure configuration. Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers. Manufacturers benefit by being able to demonstrate they take cyber seriously and their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation. End users benefit because they know they are buying equipment that has demonstrated it has been designed to be resilient to cyber-attack and data theft.”

The launch drew something of a who’s who of UK CCTV, from consultants to execs of the five manufacturers who worked on the details, to others who work on other strands of the Surveillance Camera Commissioner’s strategy.

Manufacturers can demonstrate they meet the minimum requirements by completing a self-certification form and submitting it to the Commissioner’s office for validation. If successful they will be able to list the component or system as certified by the Commissioner and will be able to display his certification mark.

Several speakers at the launch described this as a first step; a likely second step will be towards a ‘kitemark’, on the lines of the self-certified Cyber Essentials and the more detailed Cyber Essentials Plus, for internal cyber security (which does not include the goods a company may produce).

Tony Porter said: “It has been an enlightening and positive experience working with manufacturers toward a common goal and it’s a genuine first and further standards will follow over the next couple of years.”

As background, several high-profile and well-publicised compromises of systems demonstrated that they were being left live and internet-facing in an unacceptable security configuration. Some of these compromises, like the Mirai botnet, which brought down social media and financial websites, also showed that the root cause was poor product design and manufacturing. Hence ‘secure by default’, hailed as a global first for UK resilience against cyber security vulnerability, which is meant to offer some assurance to manufacturers, installers and users alike.

More in the August print issue of Professional Security magazine.

For the ‘default’ details visit https://www.gov.uk/government/publications/secure-by-default-self-certification-of-video-surveillance-systems.

Covered in the nine-page ‘requirements’ document are default passwords (an installer would have to change the password on boot up), protocols and ports, encryption, remote access, software patching and firmware upgrades.
