UK GOV has launched a voluntary security standard for manufacturers of surveillance camera systems and components.
Announced by the UK Surveillance Camera Commissioner (SCC) on Thursday, the standard is aimed at ensuring surveillance equipment is secure by design and default.
The scheme includes a range of requirements for companies, such as setting up controls for remote access and making sure manufacturer passwords are changed before the device is powered up - something that we'd like to see spread to the rest of IoT devices.
Several manufacturers have helped to create the standard, including Axis, Bosch, Hanwha, Hikvision and Milestone Systems. According to officials, it has been 'designed by manufacturers, for manufacturers'.
The launch of the standard comes, unhelpfully, after a number of high-profile cyber attacks have been caused by hackers using connected camera systems.
One prime example is Mirai, a form of malware that hijacks connected devices and turns them into botnets for large scale cyber attacks. It's thought to have infected more than 600,000 devices.
"Several high profile and well-publicised compromises of systems demonstrated that they were being left live and internet-facing in an unacceptable security configuration," quipped the government in its announcement.
"Some of these compromises, like Mirai botnet, that brought down social media and financial websites across the globe, also showed the root cause was down to poor design and manufacturing."
It said the standard has been "driven by the need to ensure the UK's resilience against this and other forms of cyber security vulnerability" and is an "important step forward for manufacturers, installers and users alike."
Cybersecurity advisor Mike Gillespie, who is leading the scheme, added: "If a device comes out of the box in a secure configuration, there's a good chance it will be installed in a secure configuration.
"Encouraging manufacturers to ensure they ship their devices in this secure state is the key objective of these minimum requirements for manufacturers.
"Manufacturers benefit by being able to demonstrate they take cyber seriously and their equipment is designed and built to be resilient. Installers and integrators benefit from the introduction of the requirements by not having to know how to turn dangerous ports or protocols off during the installation.
"End users benefit because they know they are buying equipment that has demonstrated it has been designed to be resilient to cyber-attack and data theft."
As part of the scheme, manufacturers must complete a self-certification form and submit it to the commission's office to be validated. If certified, they'll receive the certification mark. µ
Bad for shareholders, mildly good for the planet
YouTube on the Tube
Claims that it hasn't ever actually worked