UK to launch security standard for surveillance cameras

The UK is launching the world’s first voluntary cyber security standard and compliance certification mark for the manufacturers of surveillance cameras

Warwick Ashford   Security Editor

The UK Surveillance Camera Commissioner (SCC) is launching a voluntary set of minimum requirements to ensure that surveillance cameras and components are manufactured in a way that is secure by design and secure by default.

Secure by default and design is a key element of UK government policy on technological innovation. In January 2019, the government announced a £70m investment in making the UK a world leader in eliminating cyber threats to businesses and consumers by developing more resilient IT hardware, with security and protection designed directly into the hardware and chips.

Several of the biggest and best-known brands in the surveillance industry have collaborated with a team appointed by surveillance camera commissioner Tony Porter to draw up a baseline standard for manufacturers.

The result is a standard that has been written by manufacturers for manufacturers. It includes requirements such as ensuring that passwords have to be changed from the manufacturer default at start-up, that the chosen passwords should be of sufficient complexity to provide a degree of assurance, and placing controls around how and when remote access should be provisioned.

The official launch of the standard at the IFSEC International Conference in London on 20 June coincides with the world’s first Surveillance Camera Day, which aims to raise awareness about surveillance cameras and generate a debate about how they are used.

Surveillance Camera Day is an initiative by the SCC and the Centre for Research into Information, Surveillance and Privacy (Crisp), and forms part of the UK’s National Surveillance Camera Strategy.

The surveillance camera commissioner said in a statement: “It has been an enlightening and positive experience working with manufacturers toward a common goal. It’s a genuine first and further standards will follow over the next couple of years.”

Cyber attack resilience built-in

The voluntary standard comes in the wake of several high-profile compromises of systems showed that CCTV systems were being left live and internet-facing due to poor security configurations.

Some of these incidents, like the distributed denial of service attacks enabled by the Mirai botnet that brought down social media and financial websites around the world in October 2016, also showed that the root cause was poor design and manufacturing standards. “Encouraging manufacturers to ensure they ship their devices in a secure state is the key objective of these minimum requirements for manufacturers” Mike Gillespie, Advent IM

In an effort to ensure the UK’s resilience to attacks that exploit vulnerabilities in network-connected cameras, the SCC said the minimum requirements were an important step forward for manufacturers, installers and users alike. 

The work has been led by Mike Gillespie, cyber security advisor to the SCC and managing director of information security and physical security consultancy Advent IM, along with Buzz Coates, business development manager at CCTV distributor Norbain.

The standard was developed in consultation with surveillance camera manufacturers Axis, Bosch, Hanwah, Hikvision and Milestone Systems.

Speaking ahead of the official launch, Gillespie said that if a device came out of the box in a secure configuration, there was a good chance it would be installed in a secure configuration.

“Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers,” he said.

Manufacturers benefit, said Gillespie, by being able to demonstrate that they take cyber seriously and that their equipment is designed and built to be resilient.

“Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation, and users benefit because they know they are buying equipment that has been designed to be resilient to cyber attack and data theft,” he said.

Manufacturers can demonstrate that they meet the minimum requirements by completing a self-certification form and submitting it to the SCC for validation. If successful, they will be able to list the component or system as certified by the SCC and will be able to display the SCC’s certification mark.