The Secure by Default initiative officially launched on 20th June at IFSEC on Surveillance Camera Day. The initiative aims to make participating manufacturers more responsible for designing networked systems that can be installed securely, helping to combat cybercrime, and ensuring that the video surveillance industry is working to the highest possible standards.
Connectedness and Cybercrime
The world in which we live is becoming increasingly connected – allowing consumers and businesses alike to benefit from a shared flow of information and simple set-up of IP devices that can be automatically connected and added to a system. Whilst this creates many advantages, a lack of regulation and standards has also allowed an opening for cybercriminals to exploit weaknesses in systems.
There are many different types of cybercrime. A current and ongoing problem is the cyberattacks on connected devices which can happen from anywhere in the world. There have been numerous highly publicised attacks such as the Mirai Botnet in 2016 and the Reaper in 2017. Mirai is a type of software that was used to form a malicious botnet by infecting a network of connected devices (bots). After primarily attacking IP cameras and home routers, Mirai went on to perform large-scale network attacks on high-profile platforms such as Netflix and Twitter by exploiting the use of common default credentials and poor security configuration of devices. Reaper was an advanced version of Mirai that targeted security weaknesses in internet routers, security cameras and digital video recorders. It exploited publicly known vulnerabilities of many popular router brands as well as IP cameras and servers.
This is a prime example of technology developing faster than our ability to assess implications and create much needed standards.
A new code of practice
Tony Porter, the Surveillance Camera Commissioner, was assigned the task of reviewing and encouraging compliance with the Surveillance Camera Code of Practice and advising government ministers about the code’s evolution. Alex Carmichael, Chief Executive SSAIB, was brought in to assist Porter and together they selected a task force comprised of industry experts and leading manufacturers to assist with the task. These included Mike Gillespie, Managing Director of Advent IM and Buzz Coates, IP Projects Manager at Norbain, along with manufacturers Axis, Milestone, Bosch, Hanwha and Hikvision.
The result is the new Secure by Default initiative which conveys the basic standards required for Video Surveillance Systems to be secure from tampering or damage by a cyber-attacker. The standard, available on the Surveillance Camera Commissioner’s website, aims to protect the surveillance system by making sure passwords are changed from the manufacturer default start-up, chosen passwords are of sufficient complexity and ensuring that the default configuration settings are as secure as possible.
Secure by Default incorporates a self-certification scheme which permits manufacturers to assess their products’ compliance and then apply for a Commissioner’s Secure by Default certification mark. The Commissioner’s Office evaluate against the guidance; if the business passes the compliance test then they will be awarded a certification mark which can be used to market the product. The Secure by Default logo give consumers a clear indication that the products they’re buying have a robust level of security, giving them confidence in the products they’re purchasing.
The first link in the chain
Although this initiative is currently voluntary, Porter is striving towards a more permanent and robust system in the future. Of course, just producing products that have security built-in from design is just the beginning. If those products are installed into poorly designed systems or are installed incorrectly, we could still be opening ourselves up for more cyber-related issues. To this end, there will be two additional initiatives to follow.
The next will be Secure by Design, for anyone involved in designing systems, such as consultants, integrators and manufacturers. The final part will be Secure by Install which will help installation companies ensure they’re fitting the products securely.
If you would like to join the Secure by Default scheme, please click here.