The information technology (IT) ministry has advised government departments and ministries to avoid procuring equipment from suppliers who have a history of security and data breaches. The move comes after the government observed cybersecurity incidents due to security flaws in surveillance cameras.
In an internal advisory issued by the Ministry of Electronics and Information Technology (MeitY) in March, government ministries and departments have been urged to adhere to guidelines of public procurement to ensure safety of CCTV cameras and IoT devices.
The advisory comes after several ministries and departments raised concerns about the security implications associated with deployment of CCTV cameras and about hardware testing of such devices.
“Some of the growing risks associated with CCTV systems include data security, privacy breach, hacking and cyber-attack etc. Various incidents have also been reported due to security flaws in the surveillance cameras,” said the advisory issued on March 11.
Apart from advising ministries to avoid procuring from suppliers who have had a history of data breaches, the IT ministry also asked entities to follow procurement guidelines, specifically the public procurement order (Make In India), 2017 and the electronics and information technology goods (requirement of compulsory registration) order, 2021.
For hardware security of CCTV cameras, MeitY has directed entities to take the help of Standardisation Testing and Quality Certification (STQC) Laboratory. For network security, they have been advised to maintain network isolation.
“In this regard, the government ministries, departments are advised to instruct the Chief Information Security Officers (CISOs) of their respective organisations and subordinate organisations for enforcing the above measures to address the security threats of the CCTV network vulnerability and to ensure the overall security and integrity of CCTV/video surveillance systems,” the advisory added.
A few days before sending out the advisory, MeitY issued a gazette notification to ensure further security of CCTV cameras in public procurement. The March 7 notification amended the public procurement order to notify that “preference shall be provided by all procuring entities to locally manufactured video surveillance systems for security…”.
The notification also lays down the essential requirements for ensuring security of CCTV cameras, which include ensuring their physical security by making sure that CCTV cameras are in tamper-resistant camera enclosures, implementing encryption protocols or maintaining network security.
TEMA/CMAI/CSAI has complimented the Govt. of India and MeitY on their release of the Notification for amendments to the CRO order for CCTV for all, making testing of the “essential security parameters” mandatory. The test reports from BIS-recognized labs like STQC etc. would need to be submitted.
*With this, the Government has ensured that any and all CCTV cameras deployed in India are safe from national security issues and has ensured a trusted source of critical components for CCTV/Video Surveillance Systems.*
This was a long-pending demand of the TEMA/CMAI Video Security Surveillance Advisory Council of India and CSAI (Cyber Security Association of India). It would go a long way to ensure National Security aspects in CCTV/Video Surveillance Systems deployed in the Country.
Earlier, on 6th March, 2024, MeitY issued a notification for Public Procurement of CCTV, covering essential testing of critical essential security parameters and giving details for Local Content (LC) calculations.
Of special importance are the requirements of verification for a Trusted Source for sourcing the critical hardware components related to security functions, like the *SOC*; not allowing a Proprietary Network Protocol or giving implementation schedule and Source Code; verification of all code, including third parties (backdoors); and not using banned C functions, etc.