I have been fortunate to be involved in the Surveillance Camera Commissioner’s National Surveillance Camera Strategy for England and Wales for the last 2 years, since Tony Porter invited me to provide a consistent, cross-cutting advisory role into his National Strategy.
Needless to say, with the growing cyber threat to the physical estate and the ever-expanding area of threat convergence having been an area I have enthusiastically espoused a view on over the last few years, I leapt at the chance.
Whilst engagement with the surveillance industry has not always been plain sailing, with the unflinching assistance of the management and technical team at Norbain, the last 9 months have seen real and significant progress. This progress is, I believe, long overdue and much needed, both for the future success of the video surveillance industry and for the ongoing protection of our critical infrastructure.
It is with no small sense of pride therefore that I am able to write about what I believe to be one of the biggest successes to date of my cross-cutting cyber work: to get several of the biggest and best-known brands in this industry in a room together to collaborate on a baseline standard for manufacturers. A standard that has been written by manufacturers for manufacturers. A standard that will ensure that video surveillance equipment is Secure by Design and Secure by Default.
Why? Because, like me, they genuinely agree that it is ridiculous that it is possible to buy insecure security systems. That surveillance systems intended to keep our public spaces safe and secure should not be open to tampering, misuse or damage by an attacker in cyber space.
The manufacturer standard is intended to lay out the basic areas where all video surveillance systems (VSS), regardless of their intended use, whether in public space or not, should be secure. This is very much intended to be an entry level standard, and has been written with the intention of providing manufacturers of VSS and the components that go into VSS with a minimum baseline level that all should aspire to.
Rather than opt for the ‘gold standard’, we have instead sought to develop a standard that should provide no barrier to entry for any competent and responsible manufacturer. The standard includes ensuring that passwords have to be changed from the manufacturer default at start-up and that the chosen passwords should be of sufficient complexity so as to provide a degree of assurance, and it places controls around how and when remote access should be provisioned. Not only will some of these requirements help to protect the surveillance system itself, but they will also reduce the risk of compromise of other systems where onward connections exist.
Working with the Commissioner and his team, we have developed a self-certification scheme that will allow manufacturers to assess their systems for compliance and to apply for the Commissioner’s Secure by Default certification mark to display, thereby demonstrating to installers and the people who buy their products that they are a competent manufacturer who takes the security of their product seriously.
I am indebted to Axis, Bosch, Hanwha, HikVision and Milestone Systems for their time, honesty and contributions to this important standard. I am also grateful to them for understanding that the launch of this standard on 20 June at IFSEC, on Surveillance Camera Day, is not the end of the journey, but rather the beginning of something unique, exciting and vital for the future success of video surveillance.
It is the intention of all who work with the Commissioner on the Surveillance Camera Strategy that all organisations are using surveillance cameras in a manner that is appropriate, proportionate and lawful. Ensuring that the data created by these systems, and their interconnections, are adequately protected remains an integral part of this, and I foresee a time in the future when these organisations will only be prepared to purchase video surveillance systems that are Secure by Design, Secure by Default.