Earlier this year, the UK Surveillance Camera Commissioner Tony Porter launched the UK Government’s ‘Secure by Default’ standard to keen interest from the security industry.
We applaud the UK Government for launching the scheme. It addresses some of the concerns many security practitioners have had with regard to locking down potential gaps generated by the increasing numbers of devices and systems sharing IT networks.
Closing the Gaps
In my opinion, one of the greatest strengths of Secure by Default is that it was developed by manufacturers (in association with the Government and the Surveillance Commissioner and his team) specifically to aid manufacturers and give peace of mind to installers and end-users.
Speaking as manufacturers, TDSi has increasingly been concerned by the potential for an ever-widening variety of unprotected endpoint devices to share networks with vital security systems. When you develop security systems you need to be able to work with defined certainties to ensure they do their job reliably; otherwise, there is the possibility of unforeseen and potentially catastrophic consequences.
If you can be assured that other manufacturers are also protecting their products from potential intrusion or hacking (by showing that specific entry points are closed and certain protocols are shut off, for example), then you can design your products to take advantage of this.
Benefits for All
Security is not an area where you want to have any doubts. If there are potential loopholes for intruders to exploit, it negates the primary benefits of having security at all. Having a scheme such as Secure by Default ensures that end-users know they are buying a product from a supplier who is cyber-savvy and cyber-aware, giving them much greater peace of mind. Equally, it ensures installers can cherry-pick the very best solutions to suit their customers, ensuring they can offer real value for money and stay competitive in the market.
From a manufacturer’s point of view, having to constantly cater for a huge variety of unknown threats is difficult to achieve and adds considerable development costs, which regrettably are reflected in the final pricing. Having potentially insecure elements in the network has a ripple effect right through the supply chain, causing everyone a headache.
Expanding Secure by Default
It is interesting that Secure by Default has been initially rolled out for CCTV systems. This may be partially due to press coverage and a public perception that CCTV networks are somehow especially vulnerable to intrusion. Whether this is true or not is another matter, but it never does any harm to allay the fears of the public.
However, I would strongly argue this type of scheme should be rolled out across the entire security spectrum and beyond (including access control and intruder alarms etc.), including technology sectors which are often complementary to security. Secure by Default could easily be expanded to cover any related manufacturers, whether it's sensors that connect to the network, heating and ventilation systems or building management controls, to name a few.
If you put systems into an IP network, then you should be able to close vulnerabilities, protect those systems and have it certified out of the box. Having commonly recognised markings (like a Kite Mark) would be a very positive step forward.
I would like to see the Secure by Default initiative rolled out even further with some of the large trade associations such as the BSIA or ADS getting involved – so manufacturers can work with their trade associations as well as government to get things done.
This is an excellent approach which will build trust and ensure security systems do their job properly. There already seems to be considerable interest from all concerned, so I hope the scheme continues to grow and give us all greater peace of mind.