Hikvision welcomes the introduction of the ‘Secure by Default’ standards
The Secure by Default standard was introduced by UK Surveillance Camera Commissioner Tony Porter on June 20 at IFSEC International, as part of the first-ever National Surveillance Camera Day. The introduction of ‘Secure by Default’ standards aims to provide a guarantee for users that network video security products are as secure as possible in their default settings out of the box. GIT SECURITY has talked with Gary Harmer, UK & Ireland Sales Director for Hikvision, who has participated in the process of developing these landmark standards, working with the UK Surveillance Camera Commissioner alongside four other major video surveillance manufacturers.
Can you explain the wider context of the “Secure by Default” standard initiative and what is the idea behind it?
Gary Harmer: The “Secure by Default” standards form part of a wider set of cyber security proposals from the Surveillance Camera Commissioner Tony Porter for the UK Home Office. The initiative is aimed at the video surveillance industry and we see the initiative as a start to define baseline requirements as an introductory base level for product conformance, with further certification levels to follow in future. The intention is that when a security camera is taken out of the box it is as secure as possible in default settings to provide maximum protection for the end-user from outside cyberattacks. It is then up to the installer to decide at the point of installation what additional functionalities should be actively enabled that may enable other product features but in doing so could increase potential risk by increasing the ability to connect to the device.
What elements does the standard include at this point?
Gary Harmer: These baseline requirements specifically address the issue of compromises of systems left live and internet-facing in an “unacceptable security configuration”. As an example, on initial power up of a camera, you are forced to change the default password to a robust secure password.
This measurement and password indicators are just the simplest of a total of 25 different criteria that need to be mapped so that you, as a manufacturer, can say that your product meets the baseline requirements. Other criteria are, for example, that only protocols that are necessary for the functioning of the component are enabled on devices and unnecessary ports are disabled as default. All enabled ports need to be fully documented as part of the shipping documentation arriving with the product, ensuring relevant information is available to an installer on site. Manufacturers also need to deploy an effective strategy to quickly fix and notify on any identified vulnerabilities. Another criterion is that products have no hard-coded passwords that would have the potential to grant unauthorized access to the device.
What is your view on the initiative?
Gary Harmer: The Secure by Default scheme is a further positive step forward for the industry which we fully support. The process of developing these standards has been one of open collaboration between companies across the network video security industry that represent a very significant portion of market share in the UK. It’s a truly positive and genuine initiative geared towards creating a more secure environment for all stakeholders in the network security ecosystem. It is a great achievement when companies that normally compete with each other work together for the overall good of our industry and we were very pleased to be part of the process.
How does the certification process work?
Gary Harmer: Only components or systems certified by the Commissioner can display a certification mark. The Surveillance Camera Commissioner (SCC) has prepared a self-assessment tool that helps manufacturers to self-certify video surveillance products against the secure by default minimum requirements. The tool contains a number of yes/no questions and needs to be completed for each product or product family that you wish to self-certify. Once the completed form has been returned to the Surveillance Camera Commissioner’s office for assessment, they will issue the manufacturer with the “secure by default” branding and you will then be able to use this branding on the products that you have self-certified. The SCC will keep a list of self-certified products on the SCC website. Additionally, the UK Home Office will now include information regarding the Secure by Default requirement within their ‘Buyer’s Guide’, which is issued to all UK local authorities with the recommendation that they only use and specify certified products on their installations. At the same time the SCC are appealing to the wider commercial sector, such as high street retailers, to adopt the initiative as being part of best practice.
When do you expect the first of your products to be certified?
Gary Harmer: I would hope that we will be self-certified and get the approval for a “Secure by default” branding on the large majority of our products by the end of August or beginning of September.
Tony Porter said that further standards will follow over the next couple of years. What other specifications do you expect for the future?
Gary Harmer: This recent initiative is just the beginning in terms of default network video security standards. We will continue to collaborate across the security industry and beyond to support the development of increasing standards and further security levels for all. We expect that higher levels of product cyber security will be introduced, including different grades such as we have seen in the intruder alarm market, and these would likely require third-party certification. I can imagine a higher level of certification for products for high-security environments certified by an independent party.
For the further development of security standards, it is probably helpful to involve stakeholders other than only the manufacturers?
Gary Harmer: Yes, a broader audience needs to follow certain rules to harden a security system against cybersecurity threats. Mike Gillespie is already reaching out to a number of installers and integrators to go through the same collaborative process to evolve a set of baseline minimum requirements for the installation of the devices and for the setup and configuration of networks so that they offer resilience to cyber-attack. Consultants need to be involved for system design requirements too, and finally the end-user will play a critical role by requiring their providers of video-based solutions to deploy in line with the guidance available and writing robust operating and processing standards for the use of security systems.