MeiTY warns against IT equipment from suppliers with security breach history

The information technology (IT) ministry has advised government departments and ministries to avoid procuring equipment from suppliers who have history of security and data breaches.

The move comes after the government observed cybersecurity incidents due to security flaws in surveillance cameras.

In an internal advisory issued by the Ministry of Electronics and Information Technology (MeitY) in March, government ministries and departments have been urged to adhere to guidelines of public procurement to ensure safety of CCTV cameras and IoT devices.

The advisory comes after several ministries and departments raised concerns after security implications associated with deployment of CCTV cameras and regarding hardware testing of such devices.

“Some of the growing risks associated with CCTV systems include data security, privacy breach, hacking and cyber-attack etc. Various incidents have also been reported due to security flaw in the surveillance cameras,” said the advisory issued on March 11. Moneycontrol has reviewed a copy of the advisory.

Apart from advising ministries to avoid procuring from suppliers who have had a history of data breaches, the IT ministry also asked entities to follow procurement guidelines, specifically the public procurement order (Make In India), 2017 and the electronics and information technology goods (requirement of compulsory registration) order, 2021.

For hardware security of CCTV cameras, MeitY has directed entities to take the help of Standardisation Testing and Quality Certification (STQC) Laboratory. For network security, they have been advised to maintain network isolation. The ministry has also urged departments to use strong passwords and use VPNs for accessing CCTVs remotely among other precautions.

“In this regard, the government ministries, departments are advised to instruct the Chief Information Security Officers (CISOs) of their respective organisations and subordinate organisations for enforcing the above measures to address the security threats of the CCTV network vulnerability and to ensure the overall security and integrity of CCTV/video surveillance systems,” the advisory added.

A few days before sending out the advisory, MeitY issued a gazette notification to ensure further security of CCTV cameras in public procurement.

The March 7 notification amended the public procurement order to notify that “preference shall be provided by all procuring entities to locally manufactured video surveillance system for security…”.

The notification also lays down the essential requirements for ensuring security of CCTV cameras, which include ensuring its physical security by making sure that CCTV cameras are in tamper-resistant camera enclosures, implementing encryption protocols or maintaining network security and so on. Moneycontrol