Roundtable on Securing CCTV Systems from Cyber Threats
Participants:
Senior officials from BPR&D, IPS, NSCS, CPF, industry leaders (CP Plus, Bosch, Hero Qubo), academia (NFSU, MDI), standard-setting organization (QCI) and experts from armed forces and national cybersecurity bodies.
Rationale:
The roundtable was convened to address critical vulnerabilities in India's expanding CCTV surveillance infrastructure. While the number of CCTV installations across states has grown significantly, especially under the Smart City initiative, the lack of standardization, indigenous design, and cybersecurity integration remains a serious concern. India imports most of its CCTVs from China, Hong Kong and the USA. Because of this, there is growing alarm over national security risks from backdoors, data exfiltration, and vendor lock-in.
The event aimed to:
- Evaluate security, privacy, and interoperability challenges in CCTV deployment
- Promote indigenous technology and trusted supply chains
- Identify low-hanging fruit for quick implementation
- Build a collaborative roadmap across stakeholders: government, industry, academia, and civil society.
Introduction
In an era where surveillance systems form a vital layer of national and local security infrastructure, the need to safeguard these systems from evolving cyber threats has become increasingly urgent. Recognising the growing risks associated with vulnerable CCTV networks, the Bureau of Police Research and Development (BPR&D) and the National Crime Records Bureau (NCRB), in collaboration with the CyberPeace Foundation, convened a high-level roundtable on June 11, 2025, on the theme “Securing CCTV Systems from Cyber Threats.”
This closed-door discussion was hosted at the BPR&D Conference Room and brought together a diverse and informed group of stakeholders. Participants included experts and senior professionals from the law enforcement community, representatives from cybersecurity and surveillance industries, technical institutions, policy circles, and standards bodies. Their objective was to share perspectives, identify vulnerabilities, and co-develop practical strategies to secure India's surveillance systems against increasingly sophisticated cyber threats.
The roundtable served as a prelude to the Surveillance Security & Forensics Hackathon, which seeks to crowdsource innovative technological solutions for securing CCTV infrastructure and enhancing forensic capabilities. By fostering dialogue among practitioners, researchers, and technologists, the session aimed to inform and inspire collaborative efforts toward building scalable, tamper-resistant, and context-aware surveillance ecosystems.
This report outlines the key takeaways and recommendations that emerged from the discussion. These insights reflect not only the urgent need to strengthen CCTV system security but also the broader push toward indigenous technology development, integration of AI and analytics, and responsible policy frameworks in support of national and public security.
Key Gaps in the CCTV Ecosystem
Through the discussion, the following key gaps emerged:
Supply Chain Vulnerabilities
- Over-dependence on foreign hardware and firmware, especially Chinese components
- Insecure default settings and lack of HSM (Hardware Security Modules) in most CCTVs
- Unknown vendor backdoors in firmware and cloud storage
Cybersecurity Weaknesses
- Poor password hygiene, outdated firmware, and lack of network segmentation
- CCTVs being exploited for DDoS attacks (e.g., Mirai botnet) and espionage
- Insecure cloud protocols and inadequate certification for cloud storage providers
Implementation Failures
- Inadequate or nonexistent compliance with STQC or ISMS standards during installation
- Disorganized tendering processes on GeM that ignore cybersecurity specifications
- Legacy systems remain active without proper decommissioning or secure integration.
Operational & Policy Gaps
- No centralized data integration or interoperability framework
- Ambiguity in liability for breaches (OEM vs System Integrator)
- Fragmented networks at state/city levels with little coordination
- Lack of skilled workforce in the Critical Information Infrastructure (CII) domain
Key Takeaways from Keynote Addresses
The Growing Role of CCTVs and Emerging Concerns:
CCTV systems have become central to surveillance and crime prevention strategies across India, particularly within state police forces. However, despite the large number of installations, many systems are isolated or improperly configured, making them ineffective for real-time monitoring or post-incident investigation. Participants noted that the utility of CCTV is often compromised by poor integration and inconsistent deployment.
Lack of Standards and Uniform Practices:
A core issue identified during the discussion was the absence of national standards for CCTV installation, networking, and data management. Without a unified regulatory framework, many cameras operate without security protocols, fail to provide analyzable footage and are simply not part of a larger surveillance ecosystem. The need for standardised guidelines and certification was repeatedly emphasised, with institutions like NFSU being urged to take the lead in this area.
Dependence on Foreign Technologies and Components:
India’s surveillance infrastructure is significantly dependent on foreign-manufactured CCTV devices and components, especially from China. This dependence not only raises national security concerns but also exposes critical infrastructure to the risk of espionage. Backdoors in firmware, undocumented remote access, and foreign-controlled update systems are all vectors of vulnerability. Participants called for urgent steps to promote indigenous alternatives and reduce reliance on untrusted sources.
Technical Vulnerabilities and Attack Vectors:
The roundtable explored several technical weaknesses common in CCTV systems. These included the use of default login credentials, lack of encryption, outdated firmware, and insufficient network segmentation. CCTVs are increasingly being exploited for distributed denial of service (DDoS) attacks and unauthorised surveillance. Case studies like the Verkada breach, which exposed over 150,000 cameras globally, were cited as stark warnings of what could happen if such vulnerabilities are not addressed.
Privacy and Real-Time Intelligence Challenges:
Alongside security issues, there were concerns about privacy, particularly with regard to unauthorised access to surveillance feeds. Several incidents were mentioned where camera footage from sensitive locations ended up on open websites, leading to embarrassment and public distrust. There was also a call to evaluate whether the vast number of installed CCTVs are actually contributing to real-time intelligence and actionable insights or merely serving as passive monitors.
Recommendations and Way Forward:
Key suggestions included implementing trusted product frameworks, such as the one currently used in telecom networks, for all internet-connected CCTVs. The idea of cybersecurity labeling or star ratings, similar to models used in the US, Singapore, etc., was proposed to help consumers and institutions make informed choices. The roundtable encouraged deeper collaboration among government, industry, and academia to conduct vulnerability research, pilot secure designs, and establish indigenous manufacturing pipelines. Emphasis was placed on secure-by-design principles, stronger policy frameworks, and the need to build local testing capacities for certifying devices.
Expert Recommendations
1. Implementation Gaps in Secure CCTV Deployment:
While many products now comply with STQC and IoT cybersecurity standards, improper on-ground implementation continues to undermine security. System integrators often install CCTVs without adhering to proper guidelines, resulting in misconfigured access control, unmonitored health status, and insecure default settings. There is a clear need for enforceable national guidelines for secure installation, configuration, and ongoing monitoring.
2. Procurement Criteria Hindering Cybersecure Solutions:
The discussion highlighted that current procurement practices on platforms like GeM are outdated and not aligned with cybersecurity goals. Tenders primarily evaluate vendor registration, past project size, and OEM certification, rather than technical merit or compliance with security protocols. This approach excludes technically sound and security-focused vendors. Participants recommended revising procurement frameworks to prioritise cybersecurity and indigenous innovation.
3. Progress in Indigenous Manufacturing and Security Features:
Some manufacturers, like CP Plus and Qubo, shared their progress in local production. While manufacturing of camera housings, lenses, and firmware is increasingly localised, India remains dependent on foreign-made semiconductors and sensors. Companies are working on incorporating advanced security features such as embedded HSM modules, secure firmware, and in-house Security Operations Centres (SOCs). These enhancements help ensure both physical and digital security of surveillance systems.
4. Hardware Security Modules (HSMs) and Tamper Resistance:
Embedding HSMs within cameras was presented as a critical solution for secure cryptographic operations and tamper resistance. These modules help validate digital signatures of servers before connection and can detect physical tampering, preventing booting if compromised. However, experts clarified that HSMs are not a standalone solution. They must be part of a broader secure-by-design framework that spans the entire product lifecycle.
5. Learning from Global Standards and Frameworks:
International best practices, especially the European Union’s Cyber Resilience Act (CRA), were praised as comprehensive models. The CRA mandates that digital products be secure from design through deployment and enforces penalties for non-compliance. Standards like IEC 62443 and ISO 21434 (originally for industrial control systems and automotive cybersecurity, respectively) were recommended as strong references for developing a national CCTV security framework.
6. Challenges of Cloud Security and Third-Party Applications:
Security concerns around cloud integration and third-party software layers were emphasised by both academia and industry. Even if the CCTV hardware is secure, third-party apps and open cloud configurations introduce vulnerabilities. Ensuring access control, encryption, and server validation is essential for safeguarding cloud-based CCTV data, especially when deployed at scale in smart cities and public infrastructure.
7. Integration and Interoperability of Heterogeneous Systems:
Experts from NFSU and Bosch flagged the difficulty of integrating legacy and diverse-brand CCTV networks. Many cities operate disparate systems without centralised control, making it hard to build unified surveillance infrastructures. Standardised protocols like RTP and RTCP help, but there is a need for national guidelines that define interoperability norms and recommendations on how to handle outdated systems using bridges or encoders.
8. Data Management and Evidence Handling:
A major concern identified was the lack of structured data management across surveillance systems. Centralised storage, governed by blockchain or other tamper-proof methods, is crucial for ensuring evidentiary integrity. NFSU proposed treating data handling as a core component of the CCTV ecosystem, particularly when systems are used in forensic or legal contexts.
9. Product Vulnerabilities and Supply Chain Risks:
Participants emphasised the need to secure CCTV systems from the ground up, beginning with trusted hardware sources. Many current vulnerabilities arise from backdoors in imported systems, especially those sourced from unverified vendors. The absence of standardised testing and certification labs was highlighted, and it was suggested that organisations like STQC step in to establish trusted frameworks. Indigenous development of hardware and software was highlighted as a sustainable solution.
10. Implementation Gaps and Configuration Weaknesses:
A major concern was poor implementation. Systems are often deployed with outdated or pirated operating systems, default passwords, and unpatched software, making them easy targets. Participants recommended robust security practices, including logical air-gapping, clear implementation guidelines, and periodic inspections to ensure secure configurations.
11. Patch Management and Legacy Systems:
The need for systematic and secure patch deployment was stressed. Drawing from defence protocols, a model was proposed where patches are first tested on sanitised proxy servers before full deployment. Legacy systems pose a unique threat due to outdated firmware and hardware; these must be retired or updated regularly, with data and memory securely wiped to prevent misuse.
12. Role of Artificial Intelligence:
AI was seen as a game-changer for surveillance. It can identify anomalies like gunshots, drone activity, or abnormal behaviour, reducing human dependency for constant monitoring. AI-driven alerts should be integrated with local and centralised systems for a timely response. However, concerns around AI bias and responsible deployment were also raised.
13. Secure Design and Cybersecurity by Operations:
The discussion underlined the need to incorporate cybersecurity considerations at the design stage itself. Security professionals should be involved in drafting RFPs, not just physical security experts. Clear mandates for cybersecurity, including requirements for operations, patches, and audits, must be embedded from the beginning.
14. Field-Level Awareness and Situational Tools:
There is a significant need for situational awareness tools. For example, law enforcement should be able to access nearby CCTV feeds at crime scenes through centralised systems or mobile apps. A national platform or Centre of Excellence could be established under initiatives like the National AI Mission to support such innovations.
15. Storage, Standards, and Compliance:
Where and how surveillance data is stored was another concern. Standardized protocols are needed for cloud storage, codec implementation, and data life-cycle management. CCTVs, especially those in critical infrastructure, should be brought under ISMS (Information Security Management System) to align with broader cybersecurity frameworks.
16. Third-Party Risks and Accountability:
The diffusion of responsibility among system integrators and third parties was highlighted as a concern. Equal liability should be assigned across stakeholders. Encrypted wireless communications, localised data lakes, and a layered systems approach were proposed to address these third-party risks.
17. Public Awareness and Training:
18. Calls for National Strategy and Updated Governance:
Representatives from NCRB and other stakeholders urged that India adopt a unified national strategy combining centralised and decentralised CCTV networks. They recommended building isolated surveillance networks, embedding quantum-safe encryption, and integrating AI for automated threat detection. Testing agencies for both hardware and software were proposed to evaluate attack surfaces and ensure resilience before public deployment. People, process, and technology - all need to be addressed.
Conclusion:
The roundtable underscored the urgent need to transition from a fragmented, foreign-dependent CCTV environment to a secure, standardized, and self-reliant ecosystem. The complexity of the problem, spanning from component sourcing to AI-enabled analytics, demands a systems approach, robust public-private collaboration, and clear accountability. A national action plan incorporating these recommendations should be initiated with BPR&D, NSCS, and MeitY at the helm, supported by industry leaders and academia. A hackathon and further consultations were proposed as immediate next steps to crowdsource implementable solutions.