'Secure by Default' Standards
Security Camera Manufacturers Agree on Common Security Standards
The UK government has launched an initiative to make “Secure by default and design” a key element for technological innovation. It has announced a GBP 70 million investment in making the UK a world leader in eliminating cyber threats to businesses and consumers by developing more resilient IT hardware. As part of the initiative, the Secure by Default standard was introduced by UK Surveillance Camera Commissioner Tony Porter on June 20 at IFSEC International, as part of the first ever National Surveillance Camera day.
The introduction of ‘Secure by Default’ standards aims to provide a guarantee for users that network video security products are as secure as possible in their default settings out of the box.
The development of the standard was led by security consultant lead Mike Gillespie, cyber security advisor to the Commissioner and co-founder of independent security consultancy Advent IM and Buzz Coates, business development manager at distributor Norbain, in consultation with leading manufacturers Axis, Bosch, Hanwha, Hikvision and Milestone Systems. The concept behind the new set of standards is that network video products will ship to installers in the most hardened, cyber-security-optimal form possible, with default settings which provide minimal vulnerability on first use.
A standard to Make Hardware More Resilient
The result is a standard that has been written by manufacturers for manufacturers. It includes requirements such as ensuring that passwords must be changed from the manufacturer default at start-up, that the passwords have sufficient complexity and it defines controls about how and when remote access should be given.
The surveillance camera commissioner Tony Porter said in a statement: “It has been an enlightening and positive experience working with manufacturers toward a common goal. It’s a genuine first and further standards will follow over the next couple of years.”
Gillespie explained the advantages for manufacturers, installers and end-users: „If a device comes out of the box in a secure configuration, there’s a good chance it will be installed in a secure configuration.
Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers. Manufacturers benefit by being able to demonstrate they take cyber security seriously and their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn off dangerous ports or protocols during the installation. End users benefit because they know they are buying equipment that has demonstrated it has been designed to be resilient to cyber-attack and data theft.“