Tony Porter QPM LLB, the Surveillance Camera Commissioner, has launched another ‘global first’, namely ‘Secure by Design, Secure by Default’ minimum requirements for the manufacturers of surveillance camera systems and components.
Several high-profile and well-publicised compromises of surveillance systems have demonstrated that they were being left live and Internet-facing in an unacceptable security configuration. Some of these compromises – like the one involving the Mirai botnet that brought down social media and financial websites across the globe – have also showed the root cause was down to poor design and manufacturing.
Driven by the need to ensure the UK’s resilience against forms of cyber security vulnerability, as well as to provide the best possible assurance for stakeholders, the new minimum requirements from the Home Office are an important step forward for manufacturers, installers and end users alike.
The work has been led by Mike Gillespie of Advent IM (cyber security advisor to the Commissioner) and Buzz Coates of Norbain and developed in consultation with manufacturers (among them Axis Communications, Bosch, Hanwha Techwin, Hikvision and Milestone Systems). The scheme has been designed by manufacturers for manufacturers.
Mike Gillespie informed Risk Xtra: “If a device comes out of the box in a secure configuration, there’s a good chance it will be installed in a secure configuration. Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for them. Manufacturers benefit by being able to demonstrate they take cyber seriously and the fact that their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation. End users benefit because they know they’re buying equipment that has demonstrated it has been designed to be resilient to cyber attack and data theft.”
Manufacturers can demonstrate they meet the minimum requirements by completing a self-certification form and submitting it to the Surveillance Camera Commissioner’s office for validation. If successful, they will be able to list the component or system as being certified by the Commissioner and will be able to display his certification mark.
Tony Porter added: “It has been an enlightening and positive experience working with manufacturers toward a common goal. It’s a genuine first. Further standards will follow over the next couple of years.”