Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.
The UK government has banned the deployment of IP CCTV cameras at ‘sensitive sites’ that are produced by companies subject to the National Intelligence Law of the People’s Republic of China.
What has happened?
The UK Cabinet Office has instructed government departments to stop deploying Chinese-made video surveillance systems at ‘sensitive sites’, citing security risks. You may have seen coverage on the BBC or Financial Times.
The ban follows a review, conducted by the Government Security Group, that has concluded the increasing capabilities and remote connectivity of these systems warrants a more controlled approach. The government’s concern stems from the National Intelligence Law of the People’s Republic of China, that can compel Chinese firms to “support, co-operate with, and collaborate in national intelligence work”.
CCTV cameras and other physical security systems increasingly run over computer networks, which also allows them to be managed and monitored remotely. These systems are often not patched as regularly as laptops and tablets. This means that they could be used as a backdoor into an organisation’s networks, or their images may provide useful intelligence about activities at sensitive locations.
The UK government is asking its departments and agencies to cease deploying new Chinese-manufactured surveillance systems, and ensure that existing systems are isolated from core business networks, while considering them for expedited replacement or removal.
What is the risk?
There are two ways to view this risk: the concern as the UK government sees it, and how that manifests for affected organisations.
The UK government is concerned about espionage and the economic impacts of Chinese state access to sensitive sites:
- Source: State-Sponsored
- Event: Unathorised access to system
- Consequence: Reduced growth
The same risk to your organisation manifests itself differently, essentially as a change in rules resulting in a loss of suppliers and business disruption where you need to comply with the new measures.
- Source: Regulator
- Event: Regulation (Rules Change)
- Consequences: Operational (Loss of Suppliers, Business Disruption)
The concern over building systems being a target for network intrusions is not unprecedented. US retailer Target was breached in 2013 via an air conditioning vendor. Target settled a case brought over the breach, which resulted in the theft of 41 million payment card details, in 2017 for $18.5 million.
What factors drive the consequences?
These consequences immediately apply to those who deliver facilities or building services to UK government departments and agencies at ‘sensitive sites’.
The level of business disruption, or potential loss of suppliers, will depend on the extent to which Chinese-produced IP CCTV cameras, such as those manufactured by Hikvision, are deployed.
It will also depend on the extent to which good architectural practice has been followed, with those who have deployed these systems on networks segregated from other business activities being best protected.
What factors drive the frequency?
Businesses that supply the UK government or operate critical infrastructure are likely to face an increasing frequency of this risk at their organisations. This ban, combined with the previous one on use of Chinese suppliers like Huawei and ZTE from core mobile telecommunications networks, reinforces a trend.
What action is required?
Action need only explicitly be taken by those involved in the supply or operation of facilities at ‘sensitive sites’ used by the UK government. However other landlords, building management companies and critical infrastructure organisations may wish to consider following similar steps and ensuring their building-related systems are appropriately segregated from business networks.
Executives can ask technology and procurement teams the following questions to understand exposure to this risk:
For those supplying UK government ‘sensitive sites’:
- Do we supply CCTV or other surveillance systems or IT networks that support these systems?
- Do we provide surveillance systems produced by Chinese firms for use at these sites?
- Do we have alternative commercial relationships that we can leverage?
For any organisation:
- Have we segregated CCTV and other building management systems (BMS) from our business IT networks?
- Who has remote access to these CCTV and BMS networks, and when was this access last reviewed?
The written statement from The Chancellor of the Duchy of Lancaster, Oliver Dowden, is available on Parliament’s website.
For further information or assistance in understanding or measuring this risk to your organisation please contact us to arrange a session with one of our cyber risk consultants.
Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.