The Union Ministry of Home Affairs (MHA) has asked all States and government departments to avoid procuring CCTVs, its allied solution and hardware, from suppliers who have a “history of security and data breaches.”
The MHA memorandum comes in the wake of a series of guidelines issued by the Ministry of Electronics and Information Technology (MeITY) since March after various ministries raised concerns regarding the security implications associated with CCTVs and other Internet of Things (loT) devices. In a March 11 advisory, MeITY said that “various incidents have also been reported due to security flaw in the surveillance cameras.”
The advisory titled “Threat of Information Leakage through CCTV/ Video Surveillance system (VSS)/ Digital Video Recorders /Network Video Recorders” said that “while surveillance technologies undoubtedly offer a range of benefits and are valuable tools for monitoring and security, they also raise certain concerns and risks. Some of the growing risks associated with CCTV systems include data security, privacy breach, hacking and cyberattack etc.”
On March 6, MeITY amended the public procurement order for CCTVs and video surveillance systems and on April 9 amended the Electronics and information Technology Goods (Requirement of Compulsory Registration) Order, 2021 to tighten the norms.
In an advisory issued on April 26, the MHA advised all government agencies to adhere to the guidelines outlined within the ambit of the Public Procurement Orders by MeITY “to safeguard the overall security and integrity of CCTV cameras and IoT devices.”
While MeiTY did not mention any specific brands of CCTV cameras to avoid in its March memorandum, it urged States to procure cameras made in India, or equipment that was certified in accordance with norms set by the Bureau of Indian Standards.
However, last March, the Indian Computer Emergency Response Team (CERT-in) flagged “vulnerabilities” in some foreign firms’ equipment. These firms are Chinese firms Hikvision, Milesight and Dahua; Germany-headquartered Mobotix, ABUS and Bosch.
The MeiTY advisory also suggested restricting physical access to the CCTV control room and equipment and to ensure all communication between cameras, recorders, and viewing devices is encrypted. “This prevents unauthorised individuals from intercepting and accessing sensitive information,” MeITY said.