Quality Certification for CCTV Devices: Ensuring Timely Mitigation of EOL Vulnerabilities

CCTV cameras are an essential component of the security and surveillance systems of any organisation, public setting, or household. But recent security audits conducted under the BIS Conformity Assessment (CRO) Scheme have revealed something concerning. Most CCTV camera models utilize old software libraries and components that are designated as End-of-Life (EOL). These are old libraries and software tools that are no longer being developed with updates or security patches by their creators.

This is an inappropriate practice. Utilising EOL components is a significant security threat and goes against established international practices for software maintenance and safety. The purpose of this notice is to bring this matter to the attention of everyone and to clearly explain the immediate steps and timelines that all CCTV camera makers will need to take to correct this issue.

Understanding EOL (End-of-Life) Software Libraries

Software libraries are a collection of code or utilities in a large system. With time, newer and more secure versions of these libraries are published. Once the library becomes too outdated, the developers discontinue maintenance on it. This phase is referred to as End-of-Life (EOL). When EOL libraries are employed in CCTV cameras, hackers can use them to gain unauthorized entry into video feeds or configure the settings of devices. This threatens user privacy and national security.

Compliance Timeline and What You Must Do

To fix this urgent problem, all manufacturers of CCTV cameras are given six (6) months from the date of notice:

• Review all outdated/EOL software libraries, tools, and components used in the firmware of their CCTV cameras.
• Update or replace them with currently supported secure versions. Document and justify if no replacement occurs.

Create documentation that clearly shows:

• The updated or replaced list of components.
• Version numbers (previous and current).
• Documented proof that he firmware was tested with updates.
• Identify vulnerabilities that were fixed.

Forward the documentation to STQC (Standardisation Testing and Quality Certification Directorate) for review.

Security Review Process for all CCTV Camera Manufacturers

After manufacturers have replaced the components and sent in documentation, STQC will perform a security check. The security check can be done:

• As part of the regular surveillance process, or
• At any time, it is necessary according to the authority
• The purpose of the review is to ensure:
• Whether EOL components are removed or replaced
• Whether vulnerabilities were correctly resolved
• Whether the new software is secure and conforms to security standards

Non-Compliance and Penalties

If a manufacturer:

• Fails to take action within 6 months, or
• Cannot prove that all vulnerabilities have been properly resolved,

Then the STQC will recommend that BIS revoke the CRO certification for those CCTV camera models. This means the product will no longer be approved for sale under the BIS scheme. To provide safety and reliability to CCTV customers, manufacturers must obtain Bureau of Indian Standards Registration. 

Manufacturers are expected to:

• To keep full and detailed records of all update actions performed
• To liaise with STQC at review or audit times
• To be prepared to provide documentation or evidence on short notice

It is also recommended to have a schedule for periodic patch management and security testing as part of your product maintenance life cycle.

Why This Action is Critical

This initiative is not just a regulatory formality; it is a matter of national security. Outdated software is the number-one cause of cyberattacks globally. This is why BIS CRS Registration for CCTV Cameras is mandatory in India. Keeping software libraries current, manufacturers can:

• Protect users' data privacy
• Keep surveillance systems safe from unauthorized access
• Maintain confidence in the digital and surveillance ecosystem
• India is converging towards a safer digital infrastructure, and the safety of surveillance goods such as CCTV cameras is everyone's responsibility.

Conclusion 

All CCTV manufacturers need to take this issue seriously and promptly. It is not optional to update EOL software components; it's a requirement for ongoing certification and market access. Join ERCS Private Limited to create a safe, up-to-date, and secure surveillance environment that safeguards people and information.