News story

Secure by design, secure by default: self-certification scheme launched

New requirements for manufacturers of surveillance camera systems and components.

Today, on the world’s first Surveillance Camera Day, Tony Porter, the Surveillance Camera Commissioner, is launching another global first: secure by default/secure by design minimum requirements for manufacturers of surveillance camera systems and components.

Several high-profile and well-publicised compromises of systems demonstrated that they were being left live and internet-facing in an unacceptable security configuration. Some of these compromises, like the Mirai botnet, which brought down social media and financial websites across the globe, also showed that the root cause was poor design and manufacturing.

Driven by the need to ensure the UK’s resilience against this and other forms of cyber security vulnerability, as well as to provide the best possible assurance to stakeholders, the new minimum requirements are an important step forward for manufacturers, installers and users alike.

The work has been led by Mike Gillespie, cyber security advisor to the Commissioner (Advent IM) and Buzz Coates (Norbain) and developed in consultation with manufacturers (Axis, Bosch, Hanwha, Hikvision and Milestone Systems). It’s been designed by manufacturers for manufacturers.

Mike Gillespie said,

If a device comes out of the box in a secure configuration, there’s a good chance it will be installed in a secure configuration. Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers. Manufacturers benefit by being able to demonstrate they take cyber seriously and their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation. End users benefit because they know they are buying equipment that has demonstrated it has been designed to be resilient to cyber-attack and data theft.

Manufacturers can demonstrate they meet the minimum requirements by completing a self-certification form and submitting it to the Commissioner’s office for validation. If successful they will be able to list the component or system as certified by the Commissioner and will be able to display his certification mark.

Tony Porter said:

It has been an enlightening and positive experience working with manufacturers toward a common goal and it’s a genuine first and further standards will follow over the next couple of years.

Published 20 June 2019