The surveillance camera commissioner for England and Wales has published minimum requirements for manufacturers of surveillance camera systems and components to ensure their products are secure by design and secure by default to improve the UK’s resilience to cyber attacks, but the ambition is to have a positive impact beyond the UK by raising the bar around the world.
“I hope we will get a good response from the industry to the requirements,” said Tony Porter, surveillance camera commissioner.
“What has been designed is ‘entry level’ so most manufacturers should be able to achieve the requirements fairly easily whilst at the same time raising standards. There will be future iterations which will raise the bar even higher,” he told Computer Weekly.
The need for improved manufacturing standards is underlined by several high profile compromises of systems in recent years that have shown that CCTV systems were being left live and internet-facing due to poor security configurations.
In particular, the distributed denial of service (DDoS) attacks enabled by the Mirai botnet that brought down social media and financial websites around the world in October 2016, also showed that the root cause was poor design and manufacturing standards.
“Mirai exploited a number of poor manufacturing elements including the use of default usernames and passwords, in some cases hardcoded into the firmware, and the use of insecure and out of date connectivity protocols,” said Mike Gillespie, cyber security advisor to the surveillance camera commissioner (SCC) and managing director of information security and physical security consultancy Advent IM, who led the secure by default initiative with Buzz Coates, business development manager at CCTV distributor Norbain.
“Many video surveillance systems [VSS] today are manufactured to be plug-and-play to make installation easy, but this does not always equate to being securely installed. The secure by default requirements are intended to reduce the likelihood of a VSS product having these vulnerabilities out of the box, and this in turn will reduce the opportunity for installers to make mistakes during setup,” he told Computer Weekly.
Raising the standard
Asked in what sense the set of minimum requirements will boost UK resilience to cyber threats like Mirai, Gillespie said the surveillance camera commissioner’s primary remit is as regulator of UK-relevant authorities, and as such the minimum requirements are intended to raise the standard of cyber resilience in those organisations.
Asked how this will have any effect internationally, Gillespie said that while the requirements will apply initially to systems being procured in the UK, the five top surveillance camera manufacturers who collaborated with the SCC in drawing up those requirements are global companies. “This will of course have an international impact,” he said.
Any surveillance camera manufacturer can also apply for the SCC “secure by default” certification mark by completing and submitting a self-assessment document.
“There is no requirement for any manufacturer to comply with these requirements, however the requirements are mandatory for any manufacturer wishing to claim the SCC certification mark.
“UK relevant authorities will be encouraged going forward to procure only SCC Certified products, and it is hoped that other organisations will seek to do the same, which will create a market demand,” said Gillespie, adding that early indications from the market show that many manufacturers who supply into the UK market are keen to participate in this initiative.
The surveillance camera manufacturers that helped draw up the minimum requirements are: Axis, Bosch, Hanwha, Hikvision and Milestone Systems, and all have pledged to achieve the SCC certification mark.
“One of the things that makes this scheme so exciting as a world first, is that this has not been produced in isolation from the market, but by manufacturers for manufacturers with oversight and guidance from the SCC,” said Gillespie.
At the official launch of the requirements, Porter praised the five companies involved for putting aside their commercial interests to collaborate on the requirements document. “They recognised that the bigger interest is a harmonised approach to cyber security,” he said.
Representing UK police at the launch, Patrick McBrearty, cyber crime protect officer at the West Midlands Regional Organised Crime Unit, endorsed the surveillance camera commissioner’s approach. “Secure by default could dramatically assist in reducing opportunities for cyber criminals to exploit,” he said.
But outside the UK, what incentive is there for organisations to buy products with a UK certification?
According to Porter, the SCC certification mark is intended to demonstrate to all those who buy or install surveillance cameras that the manufacturers are competent and that the products provide a good level of cyber protection. “The big incentive is that they will know that the product they’re buying is already meeting minimum requirements in terms of cyber security. So, it makes them harder for hackers to compromise,” he told Computer Weekly.
In light of the fact that the certification will be granted on the basis of a self-assessment against the set of requirements, how can the certification mark be trusted?
According to Porter, his team will scrutinise the self-assessment forms against the guidance from the industry and issue certification without being able to carry out a full verification.
“However, if the claims on the application are found to be erroneous after the mark has been issued, it will be withdrawn from all products the manufacturer has certified,” he told Computer Weekly, adding that the SCC will keep a list of self-certified products and manufacturers on the SCC website.
Speaking at the official launch of the secure by default requirements, Porter said it would not be in the commercial interests of any manufacturers to make false claims about the security of their products. “Exposure of such a lie would be commercially fatal,” he said.
Porter also emphasised that publishing the set of requirements and offering a self-certification process against them is merely the beginning.
There are intentions to introduce further iterations of secure by default requirements which will further raise the bar, said Gillespie.
“It is likely these will require independent third party verification of claims, and ultimately require CPNI [Centre for the Protection of National Infrastructure] CAPSS [Cyber Assurance of Physical Security Systems] certification. These increased requirements will provide increased confidence, and are expected to be required where VSS are to be deployed on more sensitive or more secure sites,” he said.
The aim is to move to the elevated certification within a year, and in time, it is hoped that all surveillance cameras and system components will be secure by design and default. But what about the huge number of cameras already in use that do not comply?
Complying with requirements
Gillespie admits this is an issue and that some legacy systems will never comply with all the requirements, but said organisations will be able to assess their existing systems against the requirements, and in so doing, risk assess them.
“Certain requirements such as changing default passwords and protecting systems from being remotely discoverable or disabling out of date and vulnerable protocols will be possible without the need for any software or firmware updates by manufacturers.
“Where firmware updates have been made available by responsible manufacturers, but not applied by users then it is anticipated that these requirements will encourage users to now apply updates which will further improve cyber resilience,” he said.
“Where systems are vulnerable and it is not possible to retrofit a solution then it may well be possible that other IT security countermeasures could be used to aid in protecting the systems. And as organisations go through a technical refresh, then these legacy vulnerabilities will start to disappear as they are replaced with secure by default products.”
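The themes Gillespie lists, both for Mirai (default credentials, out-of-date connectivity protocols) and for assessing legacy systems (changing default passwords, stopping remote discoverability, disabling vulnerable protocols, applying available firmware), can be turned into a repeatable self-assessment. The following is an added example written for this article, not code from the SCC scheme, Computer Weekly or any manufacturer: the configuration model, the requirement identifiers SBD-1 to SBD-4, the credential and protocol lists, and the two device records are all constructed for illustration.

```python
"""Offline secure-by-default self-check for a surveillance camera configuration.

Added example, not code from the article, the SCC scheme or a manufacturer.
The DeviceConfig model, the SBD-n identifiers and the sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed list of factory credential pairs the checker flags; a real checker
# would load a maintained list rather than hardcode one.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("admin", ""), ("root", "root")}
# Services treated as out of date or unencrypted in this example (assumption).
INSECURE_SERVICES = {"telnet", "ftp", "http"}
# Services that announce the device on the network and make it discoverable (assumption).
DISCOVERY_SERVICES = {"upnp", "ssdp"}


@dataclass
class DeviceConfig:
    model: str
    username: str
    password: str
    services: List[str] = field(default_factory=list)  # enabled network services
    wan_exposed: bool = False                           # reachable from the internet
    installed_firmware: str = ""
    latest_firmware: str = ""                           # latest version the vendor offers


@dataclass
class Finding:
    requirement: str  # constructed identifier such as "SBD-1"
    severity: str     # "high" or "medium"
    detail: str


def check_credentials(cfg: DeviceConfig) -> List[Finding]:
    """SBD-1: the device must not run with factory or trivially weak credentials."""
    if (cfg.username, cfg.password) in DEFAULT_CREDENTIALS:
        return [Finding("SBD-1", "high", "factory default credentials still in use")]
    if len(cfg.password) < 12:  # minimum length is an assumption for the example
        return [Finding("SBD-1", "medium", "password shorter than 12 characters")]
    return []


def check_protocols(cfg: DeviceConfig) -> List[Finding]:
    """SBD-2: out-of-date or unencrypted management protocols must be disabled."""
    enabled = sorted(s for s in cfg.services if s.lower() in INSECURE_SERVICES)
    if not enabled:
        return []
    return [Finding("SBD-2", "high", "insecure services enabled: " + ", ".join(enabled))]


def check_discoverability(cfg: DeviceConfig) -> List[Finding]:
    """SBD-3: the device must not be remotely discoverable or internet-facing by default."""
    findings = []
    discovery = sorted(s for s in cfg.services if s.lower() in DISCOVERY_SERVICES)
    if discovery:
        findings.append(Finding("SBD-3", "medium", "discovery services enabled: " + ", ".join(discovery)))
    if cfg.wan_exposed:
        findings.append(Finding("SBD-3", "high", "device is reachable from the internet"))
    return findings


def check_firmware(cfg: DeviceConfig) -> List[Finding]:
    """SBD-4: firmware updates the manufacturer has released must be applied."""
    if cfg.latest_firmware and cfg.installed_firmware != cfg.latest_firmware:
        return [Finding("SBD-4", "medium",
                        f"firmware {cfg.installed_firmware} installed, {cfg.latest_firmware} available")]
    return []


def audit(cfg: DeviceConfig) -> List[Finding]:
    """Run every check and return all findings, highest severity first."""
    findings = (check_credentials(cfg) + check_protocols(cfg)
                + check_discoverability(cfg) + check_firmware(cfg))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.requirement))


def is_secure_by_default(cfg: DeviceConfig) -> bool:
    """True when the configuration produces no findings."""
    return not audit(cfg)


# Constructed sample records: a camera as shipped, and the same camera after hardening.
FACTORY_CAMERA = DeviceConfig(
    model="example-cam-1", username="admin", password="admin",
    services=["http", "telnet", "upnp", "rtsp"], wan_exposed=True,
    installed_firmware="1.0.0", latest_firmware="1.2.3")
HARDENED_CAMERA = DeviceConfig(
    model="example-cam-1", username="operator", password="Kq7!vR2m$pLx9wZe",
    services=["https", "rtsp"], wan_exposed=False,
    installed_firmware="1.2.3", latest_firmware="1.2.3")

if __name__ == "__main__":
    for cfg in (FACTORY_CAMERA, HARDENED_CAMERA):
        print(cfg.model, "secure by default:", is_secure_by_default(cfg))
        for f in audit(cfg):
            print(f"  [{f.severity}] {f.requirement}: {f.detail}")
```

Run as a script it reports five findings for the factory record and none for the hardened one. The point of separating the checks is that each maps to one remediation an operator can apply to a legacy camera without a firmware change (credentials, disabled services, network exposure), with the firmware check covering the case where the manufacturer has shipped a fix that has not been installed.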
Just the start of awareness building
Looking to the future, Porter said the launch of the secure by default requirement at IFSEC on 20 June as part of Surveillance Camera Day was just the start of the awareness building.
“I will be writing to manufacturers to encourage them to self-certify their products and maintaining a list on my site. Speaking to manufacturers and industry experts I understand that this is long overdue and a world first – I’m expecting word of mouth and industry competition to lead to a good uptake of the requirements.”
The surveillance camera commissioner also called on the industry to engage with his office about the secure by default requirements and provide feedback to help move the process forward.
The official launch came a day after Porter briefed the Home Office on the secure by default initiative. “We believe it’s a global first, and I have been briefing the Home Office on its impact and import,” he said. “Needless to say, the message has not been lost.”