The surveillance camera commissioner for England and Wales has published minimum requirements for manufacturers of surveillance camera systems and components, to ensure their products are secure by design and secure by default. The aim is to improve the UK’s resilience to cyber attacks, but the ambition is to have a positive impact beyond the UK by raising the bar around the world.
The need for improved manufacturing standards is underlined by several high-profile compromises of systems in recent years, which showed that CCTV systems were being left live and internet-facing due to poor security configurations.
In particular, the distributed denial of service (DDoS) attacks enabled by the Mirai botnet, which brought down social media and financial websites around the world in October 2016, also showed that the root cause was poor design and manufacturing standards.
“Mirai exploited a number of poor manufacturing elements including the use of default usernames and passwords, in some cases hardcoded into the firmware, and the use of insecure and out of date connectivity protocols,” said Mike Gillespie, cyber security advisor to the surveillance camera commissioner (SCC) and managing director of information security and physical security consultancy Advent IM, who led the secure by default initiative with Buzz Coates, business development manager at CCTV distributor Norbain.
“Many video surveillance systems [VSS] today are manufactured to be plug-and-play to make installation easy, but this does not always equate to being securely installed. The secure by default requirements are intended to reduce the likelihood of a VSS product having these vulnerabilities out of the box, and this in turn will reduce the opportunity for installers to make mistakes during setup,” he said.
Asked in what sense the set of minimum requirements will boost UK resilience to cyber threats like Mirai, Gillespie said the surveillance camera commissioner’s primary remit is as regulator of UK-relevant authorities, and as such the minimum requirements are intended to raise the standard of cyber resilience in those organisations.
Any surveillance camera manufacturer can also apply for the SCC “secure by default” certification mark by completing and submitting a self-assessment document.
“There is no requirement for any manufacturer to comply with these requirements; however, the requirements are mandatory for any manufacturer wishing to claim the SCC certification mark.