By Vikrant Rana , Anuradha Gandhi and Rachita Thakur
INTRODUCTION
A Closed-circuit television (CCTV), is a “system that uses video cameras to send television signals to a specific limited viewership. Unlike broadcast television, closed-circuit television (CCTV) does not openly transmit its signal to the public but rather between set points that are decided by the camera’s owner or operator.[1]”
While the benefits of CCTV cameras are manifold and obvious, their dangers can range from vandalism to unauthorized access. To curb the same, and regularize the use of CCTV systems, the Ministry of Electronics and Information Technology (MeitY) has introduced certain regulatory rules by way of an amendment.
THE AMENDMENT OF THE CCTV RULES
The Ministry of Electronics and Information Technology (MeitY) has taken a decisive step to improve CCTV security in government establishments by introducing “Essential Requirement(s) for Security of CCTV” (hereinafter referred to as the “Rules”) by way of an amendment to the “Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order, 2021” (hereinafter referred to as the “Amendment”)[2] on April 9, 2024. The Amendment comes after the internal advisory, ‘Advisory on the Threat of Information Leakage through CCTV/ Video Surveillance system (VSS)/ Digital Video Recorders /Network Video Recorders’ (hereinafter referred to as the “Advisory”) dated March 11 which was circulated to all the Government Ministries/Departments directing them to strongly adhere to the guidelines outlined within the ambit of the Public Procurement Orders to safeguard the overall security and integrity of CCTV Cameras and IoT Devices.[3]
WHY WAS THE ADVISORY ISSUED?
The Advisory came after the government noticed multiple cybersecurity incidents due to security flaws in the surveillance cameras, potential data tampering and cyberattacks.[4]
An example to this is existence of websites such as Insecam which livestream hacked private CCTV cameras worldwide. Most such cyberattacks happen due to weak passwords. The ministry had advised government departments and ministries to avoid procuring equipment from suppliers who have history of security and data breaches.[5]
The Advisory acknowledged the benefit of surveillance technologies and noted that, “While these surveillance technologies undoubtedly offer a range of benefits and are valuable tools for monitoring and security, they also raise certain concerns and risks. Some of the growing risks associated with CCTV systems include data security, privacy breach, hacking and cyber-attack etc. Various incidents have also been reported due to security flaw in the surveillance cameras.”[6]
WHAT DOES THE AMENDMENT ENTAIL?
The Advisory was followed by the Amendment by MeitY notifying the Rules on April 09, 2024. Vendors, now will have to ensure network security of CCTV systems by “employing encryption of data transmission” and deploy penetration testing to assess resistance to cyberattacks. ”
Security Requirements of CCTV System
The Rules are based on the following basic security requirements of a CCTV system:[7]
- Physical Security- Use tamper-resistant camera enclosures and locking mechanisms to deter physical tampering.
- Access Control- by Authentication, Role-Based Access Control (RBAC) and regularly review and update access permissions to reflect personnel changes.
- Network Security- by employing encryption of data transmission.
- Software Security- by Regular Updates, Disable Unused Features and Strong Password Policies
- Penetration Testing- Employ penetration testing to assess the system’s resistance to cyberattacks and address vulnerabilities.
The Rules further provide detailed parameters thereby categorizing the essential Security Requirements:
- Hardware Security – entities are directed to use testing infrastructure available to ensure cryptographic keys and certificates are unique to each device. For network security the entities are directed to observe general security practices for installation and monitoring. For example, vendors are mandated to provide documentation regarding the process of mutual authentication as implemented in the device when wireless communication are initiated.
- Software/Firmware- Parameters to verify and control data transit, protection controls, ensuring that the devices are not tampered with, testing for vulnerabilities which can affect the security and having secure server connections have been set under this category.
- Secure Process Conformance – The category provides parameters to ensure encryption of all communication between cameras, recorders and viewing devices to prevent unauthorized access and interception of sensitive information.
- Security Conformance at product development stage – This category prescribes paarmeters for entities to ensure implementation of mitigation strategies for tainted and counterfeit products, malware detection tools to be deployed and techniques to be used before packaging and delivery of products.
CONCLUSION
It should be noted that the Advisory came after the series of discussions on how to curb alleged snooping threats by Chinese origin CCTV cameras installed across government and military premises in India. To this date, the government had no way of checking these cameras as the certification only looked into aspects such as fire hazard or durability, and not security or snooping threats.
But with the Amendment, MeitY amended the Compulsory Registration Order (CRO) for CCTV cameras sold in India. This amendment makes the testing of ‘essential security parameters’ of all CCTV cameras mandatory and provided the immense network of such cameras, the new regulation comes into effect on October 9, 2024, thereby allowing manufacturers sufficient time to adapt.
The Rules form a guidance for government organizations in a time when cyberattacks and hackings are on the rise. These Rules form a blueprint of best practices on security and data minimization as well as storage limitations under the new Data Protection Framework.
Ahana Bag, Junior Associate Advocate at S.S. Rana & Co. has assisted in the research of this article.
[1] https://www.britannica.com/technology/closed-circuit-television
[2] https://www.meity.gov.in/writereaddata/files/Gazette%20notification%20of%20ER%20of%20CCTV.pdf
[3] https://www.meity.gov.in/writereaddata/files/advisory_11_3_2024_PDF.pdf
[6] https://www.meity.gov.in/writereaddata/files/advisory_11_3_2024_PDF.pdf
[7] https://www.meity.gov.in/writereaddata/files/Gazette%20notification%20of%20ER%20of%20CCTV.pdf