Detailed Note and Advisory on Security Risks of CCTV/Video Surveillance Systems

Abstract: Addressing National Security Risks in CCTV/Video Surveillance Systems

The rapid proliferation of CCTV/Video Surveillance Systems (VSS) across public and private sectors has become a critical part of modern infrastructure, providing essential security and monitoring capabilities. However, a significant portion of these systems—nearly 80-90%—are of Chinese origin or incorporate Chinese components such as chips, firmware, or System on Chip (SoC). This presents substantial national security risks, including potential vulnerabilities for unauthorized data access, surveillance backdoors, and cyberattacks that could be exploited by foreign adversaries. Recognizing these risks, efforts led by the CSAI Chairman, Lt Gen Dr. Rajesh Pant, and other industry bodies such as CSAI, CMAI, and TEMA have driven the Indian government to take action over a span of 5-6 years.

The Ministry of Electronics and Information Technology (MeitY) has issued critical directives, including the Public Procurement Order (PPO), Compulsory Registration Order (CRO), and an advisory for government procurement. The PPO, enforced since June 2024, aims to prioritize "Make in India" solutions in government procurement. Meanwhile, the CRO, initially intended for implementation on October 1, 2024, has been delayed until April 9, 2025, requiring the compliance of VSS systems with security standards like OWAS 2. Despite these regulatory steps, several challenges persist in ensuring compliance, such as inconsistent enforcement of the PPO, resistance from suppliers, and a general lack of awareness regarding the associated risks.

This abstract explores the key challenges and potential solutions for effectively mitigating these risks. It discusses the need for stronger enforcement mechanisms for the PPO and CRO, more stringent testing protocols, and the expansion of Bureau of Indian Standards (BIS) labs for compliance testing. Additionally, it highlights the importance of distinguishing between the goals of the "Make in India" initiative and the broader national security imperatives, ensuring that regulations address the specific threats posed by Chinese-origin components. The advisory emphasizes a proactive approach involving public awareness campaigns, better monitoring mechanisms to prevent the unauthorized substitution of approved models by suppliers, and stricter verification processes for procurement.

The abstract concludes by suggesting a multi-pronged approach to safeguard India's surveillance infrastructure, including international collaboration on secure technologies, localized data storage mandates, and periodic security audits. By addressing these critical gaps, India can fortify its cybersecurity posture and secure its critical surveillance systems from evolving threats, thereby ensuring greater national resilience in the face of geopolitical and technological challenges.

?

Background

The widespread use of CCTV/Video Surveillance Systems (VSS), where 80-90% of devices are of Chinese origin or contain Chinese chips, firmware, or SoC (System on Chip), presents significant national security risks. Concerns have been raised about potential vulnerabilities and backdoors, which could be exploited for unauthorized data access, surveillance, or cyberattacks. Lt Gen Dr. Rajesh Pant, former NCSC Chairman, championed efforts to address this risk through stringent government regulations. In response, the Ministry of Electronics and Information Technology (MeitY) issued key orders, including the Public Procurement Order (PPO), Compulsory Registration Order (CRO), and an advisory for government procurement.

?

Key Orders and Their Current Status

1. Public Procurement Order (PPO): Enforced since June 2024, this order aims to regulate government procurement by promoting "Make in India" initiatives. However, the order lacks comprehensive enforcement across all government entities.
2. Compulsory Registration Order (CRO): Initially intended to take effect on October 1, 2024, the implementation of the CRO has been extended to April 9, 2025. It aims to ensure compliance with certain security parameters, including the testing of OWAS 2 standards for CCTV/VSS products.
3. Advisory for Government Procurement: Provides guidelines for safer procurement practices but falls short of explicitly banning Chinese components in CCTV/VSS systems.

?

Issues to Address and Recommendations

1. Enforcement of PPO: Current Situation: Despite the PPO's intent to prioritize domestic manufacturing, its implementation has been inconsistent across various government agencies. Recommendation: A centralized monitoring mechanism should be established to ensure uniform enforcement of PPO across all government bodies. This can be further strengthened by creating periodic review sessions involving key stakeholders to ensure compliance.
2. Urgent Implementation of CRO: Current Situation: The delay in the CRO's implementation (now set for April 9, 2025) poses risks as the market remains open to non-compliant products. Recommendation: Accelerate the application of CRO by collaborating with industry associations and cybersecurity experts. Government should conduct workshops for suppliers to emphasize the need for compliance, and the timeline should be reviewed to ensure earlier adoption.
3. Pressure on Government for Faster Implementation: Current Situation: Although PPO is active in government procurement, there is a need for proactive pressure to apply similar standards across non-government sectors. Recommendation: The CSAI, CMAI, and other industry bodies should increase engagement with policymakers, leveraging public awareness campaigns and media outreach to emphasize the urgency of faster adoption of the CRO.
4. Testing Requirements (OWAS 2 and Essential Parameters): Current Situation: Compliance with OWAS 2 standards is required but may be seen as insufficient in addressing broader security risks. Recommendation: Advocate for a review and update of the testing parameters to include advanced cybersecurity checks, particularly targeting the identification of vulnerabilities in chips, firmware, and communication protocols.
5. Resistance from Suppliers: Current Situation: Suppliers often attempt to bypass regulations by continuing to offer Chinese-made products. Recommendation: Introduce a digital tracking system that enables real-time verification of registered and approved models, ensuring that suppliers adhere strictly to authorized specifications. Implement penalties for non-compliance to deter this behaviour.
6. Raising Mass Awareness: Current Situation: Awareness among the general public and procurement entities regarding the risks of Chinese-origin products is limited. Recommendation: Initiate a comprehensive awareness campaign targeting industry stakeholders, policymakers, and the general public. Use digital platforms, seminars, and industry forums to educate about the implications of using non-compliant devices and the importance of secure alternatives.
7. Gap in PPO Regarding Chinese Risks: Current Situation: The PPO promotes "Make in India" but does not explicitly prohibit components with Chinese origins, thus leaving room for security risks. Recommendation: Advocate for an amendment to the PPO that clearly addresses the potential risks posed by components from high-risk regions, including specific requirements for component traceability and country of origin disclosure.
8. Model Substitution by Suppliers: Current Situation: Suppliers sometimes get approval for one model but deliver another under the same model number. Recommendation: Establish stricter verification and audit protocols for deliveries, using digital certificates or blockchain-based tracking to ensure model integrity. Consider a whistleblower mechanism for reporting discrepancies.
9. Differentiating "Make in India" from National Security: Current Situation: The current narrative often conflates domestic manufacturing with national security, missing the specific risks associated with foreign-origin components. Recommendation: Create policy briefs that delineate the distinction between "Make in India" and broader national security concerns. These should highlight the risks of potential espionage or cyberattacks through compromised hardware and software, irrespective of the manufacturing location.
10. Proliferation of BIS Labs: Current Situation: The limited availability of Bureau of Indian Standards (BIS) certified labs for testing poses a bottleneck. Recommendation: Expand the network of BIS-certified testing labs across key states to streamline the testing process and encourage compliance. Introduce incentives for private testing centers that meet BIS standards, further reducing the load on government facilities.
11. Additional Recommendations: Data Localization: Mandate local storage of CCTV footage for critical sectors, ensuring data remains within national boundaries and is protected under local laws. Periodic Security Audits: Establish a framework for mandatory security audits of CCTV/VSS systems every two years to ensure they remain secure against evolving threats. International Collaboration: Explore collaboration with friendly nations on the development of secure surveillance technologies, leveraging shared expertise to create safer alternatives.

?

Conclusion

To mitigate the risks posed by Chinese-origin CCTV and VSS systems, a multi-pronged approach is required. This includes robust policy enforcement, clear guidelines on acceptable components, and a heightened focus on educating stakeholders. By proactively addressing the gaps in the existing regulations and increasing transparency in the supply chain, we can strengthen the country's cybersecurity posture and protect critical surveillance infrastructure from potential threats.

?

#CyberSentinel #DrNileshRoy #CyberSecurity #NationalSecurity #SurveillanceRisks #SecureSurveillance #DataPrivacy #MakeInIndia #SecureInfrastructure #CCTVSecurity #ChineseRisks #DigitalSovereignty #SupplyChainSecurity #GovtRegulations #SecureTechnology #CriticalInfrastructure #ComplianceMatters #DataProtection #TechPolicy #SurveillanceSafety #CyberAwareness #SecureIndia

?

Article shared by Dr. Nilesh Roy from Mumbai (India) on 19th October 2024