Security standard for surveillance cameras set for launch

Several of the biggest and best-known brands in the surveillance industry have collaborated with a team appointed by UK surveillance camera commissioner Tony Porter to draw up a baseline standard for manufacturers.

The result is a standard that has been written by manufacturers for manufacturers and will ensure that video surveillance equipment is secure by design and secure by default, according to Mike Gillespie, cyber security lead for the surveillance cameras guide from the surveillance camera commissioner.

The standard is aimed at remediating the situation of some surveillance systems that are intended to keep UK public spaces safe and secure being open to tampering, misuse or damage by cyber attackers.

The manufacturer standard is intended to lay out the basic areas where all video surveillance systems (VSS), regardless of their intended use, should be secure.

The standard is intended to be an entry-level standard, and has been written with the intention of providing manufacturers of VSS and the components that go into such systems with a minimum baseline standard.

“Rather than opt for the ‘gold standard’, we have instead sought to develop a standard that should provide no barrier to entry for any competent and responsible manufacturer,” said Gillespie in a blog post.

“The standard includes ensuring that passwords have to be changed from the manufacturer default at start-up, and that the chosen passwords should be of sufficient complexity to provide a degree of assurance, placing controls around how and when remote access should be provisioned.

“Not only will some of these requirements help to protect the surveillance system itself, but they will also reduce the risk of compromise of other systems where onward connections exist.”

Alongside the standard, representatives of Axis, Bosch, Hanhwa, HikVision and Milestone Systems have worked with the surveillance camera commissioner to develop a self-certification scheme that will allow manufacturers to assess their systems for compliance, and to apply to use the commissioner’s secure-by-default certification mark.

The mark is intended to demonstrate to all those who buy and install these companies’ products that they are a competent manufacturer that takes the security of their product seriously.

The official launch of the standard is scheduled for 20 June on Surveillance Camera Day, but the launch will not mark the end of the journey, said Gillespie. Instead, it will mark the beginning of something “unique, exciting and vital for the future success of video surveillance”, he said.

Gillespie noted that it is the intention of all who work with the commissioner on the Surveillance Camera Strategy, published in March 2017, that all organisations are using surveillance cameras in a manner that is appropriate, proportionate and lawful.

“Ensuring that data created by these systems and that interconnections are adequately protected remains an integral part of this, and I foresee a time in the future when these organisations will only be prepared to purchase video surveillance systems that are secure by design and secure by default,” he said.

Security by default and design is a key element of UK government policy on technological innovation, and in January 2019, the government announced a £70m investment in making the UK a world leader in eliminating cyber threats to businesses and consumers by developing more resilient IT hardware, with security and protection designed directly into the hardware and chips.

Security by design is also enshrined in the voluntary code of practice (CoP) for manufacturers of consumer internet of things (IoT) devices, which was published by the UK in October 2018.

The secure by design CoP was developed by the Department for Digital, Culture, Media and Sport and the National Cyber Security Centre and will form the basis of planned legislation aimed at ensuring IoT devices are better protected from cyber attacks.

Ahead of potential legislation, the government launched a public consultation in May 2019 on various issues, including a mandatory labelling scheme to tell consumers how secure IoT products are, and mandatory security requirements for all IoT devices sold in the UK.