UK to launch security standard for surveillance cameras

The UK is launching the world’s first voluntary cyber security standard and compliance certification mark for the manufacturers of surveillance cameras

Warwick Ashford   Security Editor

The UK Surveillance Camera Commissioner (SCC) is launching a voluntary set of minimum requirements to ensure that surveillance cameras and components are manufactured in a way that is secure by design and secure by default.

Secure by default and design is a key element of UK government policy on technological innovation. In January 2019, the government announced a £70m investment in making the UK a world leader in eliminating cyber threats to businesses and consumers by developing more resilient IT hardware, with security and protection designed directly into the hardware and chips.

Several of the biggest and best-known brands in the surveillance industry have collaborated with a team appointed by surveillance camera commissioner Tony Porter to draw up a baseline standard for manufacturers.

The result is a standard that has been written by manufacturers for manufacturers. It includes requirements such as ensuring that passwords have to be changed from the manufacturer default at start-up, that the chosen passwords should be of sufficient complexity to provide a degree of assurance, and placing controls around how and when remote access should be provisioned.

The official launch of the standard at the IFSEC International Conference in London on 20 June coincides with the world’s first Surveillance Camera Day, which aims to raise awareness about surveillance cameras and generate a debate about how they are used.

Surveillance Camera Day is an initiative by the SCC and the Centre for Research into Information, Surveillance and Privacy (Crisp), and forms part of the UK’s National Surveillance Camera Strategy.

The surveillance camera commissioner said in a statement: “It has been an enlightening and positive experience working with manufacturers toward a common goal. It’s a genuine first and further standards will follow over the next couple of years.”

Cyber attack resilience built-in

The voluntary standard comes in the wake of several high-profile compromises of systems showed that CCTV systems were being left live and internet-facing due to poor security configurations.

Some of these incidents, like the distributed denial of service attacks enabled by the Mirai botnet that brought down social media and financial websites around the world in October 2016, also showed that the root cause was poor design and manufacturing standards. “Encouraging manufacturers to ensure they ship their devices in a secure state is the key objective of these minimum requirements for manufacturers” Mike Gillespie, Advent IM

In an effort to ensure the UK’s resilience to attacks that exploit vulnerabilities in network-connected cameras, the SCC said the minimum requirements were an important step forward for manufacturers, installers and users alike. 

The work has been led by Mike Gillespie, cyber security advisor to the SCC and managing director of information security and physical security consultancy Advent IM, along with Buzz Coates, business development manager at CCTV distributor Norbain.

The standard was developed in consultation with surveillance camera manufacturers Axis, Bosch, Hanwah, Hikvision and Milestone Systems.

Speaking ahead of the official launch, Gillespie said that if a device came out of the box in a secure configuration, there was a good chance it would be installed in a secure configuration.

“Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers,” he said.

Manufacturers benefit, said Gillespie, by being able to demonstrate that they take cyber seriously and that their equipment is designed and built to be resilient.

“Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation, and users benefit because they know they are buying equipment that has been designed to be resilient to cyber attack and data theft,” he said.

Manufacturers can demonstrate that they meet the minimum requirements by completing a self-certification form and submitting it to the SCC for validation. If successful, they will be able to list the component or system as certified by the SCC and will be able to display the SCC’s certification mark.  

 

Recent Case Studies

“Monkton Combe School have used FTL since 2014, they have been very helpful with assisting Monkton with their initial installation of electronic door access control and developing the schools system. The school has TDSI installed, at present we have 80 doors with electronic access control. We have a good working relationship and they are always available to offer advice over the phone or attend within a short period of time dependent on security needs if we have any issues. We have found them to be very proactive.”

A. Clark
Monkton Combe School

“Extremely professional, efficient and friendly. Been a pleasure to work with.”

I. Davis
Wellington College

The level of after sales support offered by FTL is paramount and we have found the technical support team to be one of the best we have ever dealt with - there has never been anything that they haven't resolved immediately and their staff are quick to respond, knowledgeable and professional.

IT Manager
Elegant English Hotels

“FTL have provided us with excellent service from pre sales through installation and post install bug fixes (even when it was our fault). Their technical skills and focus on details makes us feel confident in the systems installed in our school. This has allowed us to use them throughout our school on a variety of projects and are confident we have the right solutions in place to offer a safe learning environment for our students and staff.”

B. Maytham
Gumley House Convent

“Working with FTL has been a straightforward and reassuring experience at all stages. Their process is extremely thorough and exacting and they make a significant effort to ensure that your requirements have been fully understood and will confirm at all stages that they have correctly understood the solution you are asking for. They work extremely well on site maintaining professionalism at all times whilst keeping work quick and disruption to a minimum. They have delivered a top quality solution at BEN and have at every stage ensured that we fully understood exactly what we were paying for before going forward with any works.”

B. Cummins
BEN Motor and Allied Trades Benevolent Fund, Lynwood Court Care Home

With their technical ability, Isoscan has installed and maintained various systems which allow bmi to maintain cost effective management of key sites. I can safely recommend Isoscan as a competent and trustworthy contractor.

Facilities Manager
bmi