UK Government unveils security standard for surveillance cameras

The standard aims to combat attacks launched by infected camera systems

The UK government has unveiled new security requirements for manufacturers of surveillance camera systems and components.

Announced by the UK Surveillance Camera Commissioner (SCC) on Thursday, the standard is aimed at ensuring surveillance equipment is secure by design and default.

The scheme is voluntary and includes a range of requirements for companies, such as setting up controls for remote access and making sure manufacturer passwords are changed before the device is powered up (something that we'd like to see spread to the rest of the IoT - Ed.)

Several manufacturers have helped to create the standard, including Axis, Bosch, Hanwha, Hikvision and Milestone Systems. According to officials, it has been 'designed by manufacturers for manufacturers'.

The launch of the standard comes as a range of high-profile cyber attacks have been caused by hackers using connected camera systems.

One prime example is Mirai, a form of malware that hijacks connected devices and turns them into botnets for large scale cyber attacks. It's thought to have infected more than 600,000 devices.

'Several high profile and well-publicised compromises of systems demonstrated that they were being left live and internet-facing in an unacceptable security configuration,' said the government in an announcement.

'Some of these compromises, like Mirai botnet, that brought down social media and financial websites across the globe, also showed the root cause was down to poor design and manufacturing.'

It said the standard has been 'driven by the need to ensure the UK's resilience against this and other forms of cyber security vulnerability' and is an 'important step forward for manufacturers, installers and users alike'.

Cyber security advisor Mike Gillespie, who is leading this scheme, said: "If a device comes out of the box in a secure configuration, there's a good chance it will be installed in a secure configuration.

"Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers.

"Manufacturers benefit by being able to demonstrate they take cyber seriously and their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation.

"End users benefit because they know they are buying equipment that has demonstrated it has been designed to be resilient to cyber-attack and data theft."

As part of the scheme, manufacturers must complete a self-certification form and submit it to the commission's office to be validated. If certified, they'll receive the certification mark.

Independent Surveillance Camera Commissioner Tony Porter said: "It has been an enlightening and positive experience working with manufacturers toward a common goal and it's a genuine first and further standards will follow over the next couple of years."