Closed-circuit TV, traditionally known as CCTV, is now part of day-to-day life. Cameras are along your street, and in your offices and homes. They are a symbol of safety for many; however, a wave of malware has brought cybersecurity concerns to light.
CCTV is a security control, bought by governments, businesses and private citizens to protect the things that are important to them. Insecure CCTV can at all, with attackers gaining access to view your secure locations and private activities.
As businesses and governments start to see CCTV as a possible attack vector, manufacturers must react to preserve their reputation and protect their users. Efforts to ensure cybersecurity and resilience are based around 2 principles: Secure by Design and Secure by Default.
Secure by Design
The Secure by Design principle describes the need to include security requirements from the get-go, ensuring that security is baked into the fundamental design of products and systems, creating more secure devices with less overall effort. Whilst this creates some additional challenges at the beginning of a project, there are significant savings later because security does not have to be ‘bolted-on’ to an already developed product. This is supported by a secure software development lifecycle and clear fault management processes.
Secure by Default
The Secure by Default concept refers to the default settings and configurations of the devices ‘out of the box’.
As with all systems, there are configuration decisions made when installing and managing CCTV devices. For installers and maintenance teams without a deep understanding of security, it can be difficult to know what settings should be changed to align with best practice. Settings that don’t relate to functionality are often left at the default, which can include insecure options.
To address this, the devices should be sold to customers with the default configuration being the most secure. Some examples include:
- Enabling encryption for communications
- Using secure versions of protocols, like HTTPS instead of HTTP
- Forcing users to change passwords from manufacturer defaults when they first log in
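The three defaults listed above can be checked mechanically before a device ships. The following is an added example, not code from BSI or any manufacturer: it audits a constructed factory-default configuration and produces the hardened equivalent. The configuration schema, key names and the protocol mapping are assumptions made for illustration.

```python
import copy

# Plaintext protocol -> encrypted counterpart (illustrative, not exhaustive).
SECURE_EQUIVALENT = {"http": "https", "rtsp": "rtsps", "telnet": "ssh", "ftp": "sftp"}

# Constructed sample: hypothetical factory defaults, not taken from any real product.
FACTORY_DEFAULTS = {
    "services": {
        "web": {"enabled": True, "scheme": "http"},
        "stream": {"enabled": True, "scheme": "rtsp"},
        "shell": {"enabled": False, "scheme": "telnet"},
    },
    "accounts": [
        {"name": "admin", "factory_password": True, "must_change_on_first_login": False},
    ],
}

def audit_defaults(config):
    """Return (check, detail) findings for defaults that are not the secure option."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        if not svc.get("enabled", False):
            continue  # a service that ships disabled is not exposed by default
        scheme = str(svc.get("scheme", "")).lower()
        if scheme in SECURE_EQUIVALENT:
            findings.append(("plaintext-protocol",
                             f"{name}: {scheme} on by default, use {SECURE_EQUIVALENT[scheme]}"))
    for acct in config.get("accounts", []):
        # Missing keys are read pessimistically: assume a factory password
        # and assume no forced change unless the config says otherwise.
        if acct.get("factory_password", True) and not acct.get("must_change_on_first_login", False):
            findings.append(("default-password",
                             f"{acct.get('name', '?')}: no forced change at first login"))
    return findings

def secure_defaults(config):
    """Return a copy of config with every flagged default switched to the secure option."""
    fixed = copy.deepcopy(config)
    for svc in fixed.get("services", {}).values():
        scheme = str(svc.get("scheme", "")).lower()
        if scheme in SECURE_EQUIVALENT:
            svc["scheme"] = SECURE_EQUIVALENT[scheme]
    for acct in fixed.get("accounts", []):
        if acct.get("factory_password", True):
            acct["must_change_on_first_login"] = True
    return fixed

if __name__ == "__main__":
    for check, detail in audit_defaults(FACTORY_DEFAULTS):
        print(f"[{check}] {detail}")
    print("after hardening:", audit_defaults(secure_defaults(FACTORY_DEFAULTS)))
```

Run against the shipped default configuration as a release gate, an empty findings list means an installer who changes nothing still ends up with the secure settings.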
What this means for manufacturers
CCTV manufacturers and installers now need to apply these concepts throughout their development lifecycle.
For global organisations that sell to the UK market, the Surveillance Camera Commissioner has implemented a scheme to help manufacturers, installers and users improve the security of these devices.
Self-certification
Organisations can self-certify against these requirements. The self-certification requires that organisations answer a set of questions to confirm whether they have implemented the scheme.
How we can help
Support for self-certification
Self-certification can be challenging for a variety of reasons and requires organisations to ensure that the declarations are accurate and any gaps are properly closed.
Organisations must:
- Gain high-level buy-in from Senior Management to support a complete and honest evaluation against requirements
- Identify stakeholders and interested parties
- Fully understand the guidelines and what ‘good’ looks like
- Relate each requirement to the products being certified
- Judge whether the organisation meets the spirit of the requirement
- Identify any gaps and work required to close them
- Complete the forms and submit to the commissioner
BSI can help with any of these steps, using our highly qualified consultants with experience in physical security, government assurance schemes and security risk management.
Independent verification
Some organisations also want a deeper understanding of their risks and the possible impacts of a security breach, to help them manage the risks appropriately.
BSI are able to provide a deep-dive evaluation of an organisation against the requirements, using established audit methodologies, supported by security testing of the relevant products. The output of this is a maturity report for each requirement, with prioritised recommendations to fix any risks, and a technical security report with risk-assessed vulnerabilities.
Summaries can be provided to prospective customers, helping to set your organisation apart from other security system manufacturers during the procurement process.