Several video manufacturers have participated in the development of a U.K. 'Secure by Default' baseline standard to ensure cybersecurity measures are included in equipment as it leaves the factory. The standard includes ensuring that passwords must be changed from the manufacturer default at start-up, that chosen passwords should be sufficiently complex to provide a degree of assurance, and that controls are placed around how and when remote access should be commissioned.
The standard aims to ensure security products are cyber- and network-secure by default and out of the box. The concept is that network video products will ship to installers in the most hardened, cyber-security-optimal form possible, with default settings that provide minimal vulnerabilities on first use.
Secure by Default is a self-certification scheme that allows manufacturers to assess their systems for compliance and to apply for the U.K. Surveillance Camera Commissioner’s Secure by Default mark. The mark demonstrates to installers and customers that they are a competent manufacturer who takes the security of their products seriously.
The Secure By Default mark demonstrates to installers and customers that they take the security of their products seriously |
Axis, Bosch, Hanwha, HikVision and Milestone Systems participated in developing the standard, which was officially unveiled at the IFSEC 2019 show. “The launch of the standard is not the end of the journey, but rather the beginning of something unique, exciting and vital for the future success of video surveillance,” says cybersecurity consultant Mike Gillespie, who works with the National Surveillance Camera Strategy for England and Wales.
The standard has been developed so as not to present a barrier to entry
The manufacturer standard is intended to lay out the basic areas where all video surveillance systems should be secure, regardless of their intended use, whether in public space or not, says Gillespie. “This is very much intended to be an entry-level standard and has been written with the intention of providing [video] manufacturers with a minimum baseline level all should aspire to,” he says.
The standard has been developed so as not to present a barrier to entry for any competent and responsible manufacturer, he adds. The Secure by Default standards form part of a wider set of cyber security proposals from the Surveillance Camera Commissioner for the UK Home Office.
Adoption within the industry
Hanwha Techwin has embraced Secure by Default as part of its comprehensive approach to cybersecurity. “Although we appreciate security needs to be easy to implement, we do not allow for a default password to be used,” according to Hanwha Techwin. “We consider it essential that a secure password be set up during the initial installation process, which is why we prohibit the consecutive use of the same letter or number and we encourage the use of special characters as well as a combination of letters and numbers.”
Hanwha Techwin’s approach has been to make security a fundamental feature of cameras and recording devices. Cybersecurity has been taken into account at the start of the design and development process, and not just treated as an optional feature.
Article 25 mandates that organisations put in place appropriate technical and organisation measures
Axis is aligned with the Secure by Default principles recommended by the U.K. National Cybersecurity Strategy Code of Practice. Furthermore, General Data Protection Regulation (GDPR) makes data protection and security by design and default a legal requirement. Article 25 mandates that organisations put in place appropriate technical and organisation measures designed to implement data protection in an effective manner.
Gary Harmer, UK and Ireland Sales Director for Hikvision, said the new Secure by Default scheme is a further positive step forward for the industry, one which Hikvision fully supports.
“The process of developing these standards has been one of open collaboration between companies across the network video security industry,” he said. “It’s a truly positive and genuine initiative geared towards creating a more secure environment for all stakeholders in the network security ecosystem.”