Today the UK introduced what the Surveillance Camera Commission describes as ‘secure by default/secure by design’ minimum requirements for manufacturers of surveillance camera systems and components. These specifically address the issue of compromises of systems left live and internet-facing in an ‘unacceptable security configuration.’
The Commission noted that poor design and manufacturing were the root cause of the Mirai botnet, which brought down social media and financial websites globally.
Mike Gillespie (Advent IM), cyber security advisor to the Commissioner, and Buzz Coates (Norbain) led the development in consultation with manufacturers (Axis, Bosch, Hanwha, Hikvision and Milestone Systems).
Gillespie said, "If a device comes out of the box in a secure configuration, there’s a good chance it will be installed in a secure configuration. Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers. Manufacturers benefit by being able to demonstrate they take cyber seriously and their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation. End users benefit because they know they are buying equipment that has demonstrated it has been designed to be resilient to cyber-attack and data theft."
Components or systems certified by the Commissioner can display a certification mark.
Tony Porter, the Surveillance Camera Commissioner, said, "It’s a genuine first and further standards will follow over the next couple of years."
It remains to be seen if any other regulators of internet-facing devices also adopt minimum cyber-security requirements.