UK Office of the Biometrics Surveillance Camera Commissioner
Secure by Design, Secure by DefaultVideo Surveillance Products
This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS.
Publisher – UK Surveillance Camera Commissioner / CSCIS
Release – August 15, 2019
About This Standard
Introduction : This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS. It is intended to layout the Surveillance Camera Commissioners (SCC) minimum requirements to ensure such systems are designed and manufactured in a manner that assures they are Secure by Design.
CSCIS Involvement on This Standard
CSCIS has been working with the UK Surveillance Camera Commissioner Tony Porter on a standard relating to surveillance cameras This standard was formally launched by Tony and and CSCIS Senior Vice President, Europe, Mike Gillespie, on Thursday 20th June as part of Surveillance Camera Day and was presenting in the IFSEC Keynote Theatre
Background and Context
The nature of the Internet means that connected devices can be subjected to a cyber attack from anywhere in the world. Widespread attacks on connected products is a current and real threat, and a number of highly publicised attacks have already occurred.
The Mirai malware targeted devices such as internet-enabled cameras (IP cameras). Mirai was successful because it exploited the use of common default credentials (such as a usernameand password being set by the manufacturer as ‘admin’) and poor security configuration ofdevices. Ultimately, this facilitated attacks on a range of commercial and social media services and included an outage of streaming services such as Netflix.
In order to reduce the risk of harm and damage to organisations utilising VSS, it is vital that component and system manufacturers are able to demonstrate that their products meet the minimum requirement to be deemed Secure by Design. This will provide confidence to the end user that systems, if installed in the recommended configuration, can be used in a connected environment without introducing any undue, additional vulnerabilities.
In putting together this guidance, consideration has been given to existing International and National Standards and a range of Industry Guidance and Best Practice.
- Self-certification allows manufacturers of surveillance camera devices and components to clearly demonstrate that their products meet minimum requirements to ensure that they are secure by default and secure by design.
- It will mean that the UK’s resilience against cyber security attacks via VSSs is higher. The new requirements are an important step forward for manufacturers, installers and users alike in providing the best possible assurance for stakeholders that products aren’t vulnerable to cyberattacks.
- This document sets out what criteria products must meet to be considered secure by default.