‘Secure by Design, Secure by Default’ scheme launched by Surveillance Camera Commissioner

Tony Porter QPM LLB, the Surveillance Camera Commissioner, has launched another ‘global first’, namely ‘Secure by Design, Secure by Default’ minimum requirements for the manufacturers of surveillance camera systems and components.

Several high-profile and well-publicised compromises of surveillance systems have demonstrated that they were being left live and Internet-facing in an unacceptable security configuration. Some of these compromises – like the one involving the Mirai botnet that brought down social media and financial websites across the globe – have also showed the root cause was down to poor design and manufacturing.

Driven by the need to ensure the UK’s resilience against forms of cyber security vulnerability, as well as to provide the best possible assurance for stakeholders, the new minimum requirements from the Home Office are an important step forward for manufacturers, installers and end users alike.

The work has been led by Mike Gillespie of Advent IM (cyber security advisor to the Commissioner) and Buzz Coates of Norbain and developed in consultation with manufacturers (among them Axis Communications, Bosch, Hanwha Techwin, Hikvision and Milestone Systems). The scheme has been designed by manufacturers for manufacturers.

Tony Porter QPM LLB: the Surveillance Camera Commissioner

Tony Porter QPM LLB: the Surveillance Camera Commissioner

Mike Gillespie informed Risk Xtra: “If a device comes out of the box in a secure configuration, there’s a good chance it will be installed in a secure configuration. Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for them. Manufacturers benefit by being able to demonstrate they take cyber seriously and the fact that their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation. End users benefit because they know they’re buying equipment that has demonstrated it has been designed to be resilient to cyber attack and data theft.”

Manufacturers can demonstrate they meet the minimum requirements by completing a self-certification form and submitting it to the Surveillance Camera Commissioner’s office for validation. If successful, they will be able to list the component or system as being certified by the Commissioner and will be able to display his certification mark.

Tony Porter added: “It has been an enlightening and positive experience working with manufacturers toward a common goal. It’s a genuine first. Further standards will follow over the next couple of years.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts