This is to bring to your kind notice that during ongoing security evaluation activities of CCTV cameras under CRO Scheme of BIS, several cameras are found to be using software libraries and components that have reached their end-of-life (EOL) and are no longer supported by their maintainers or developers.
Use of such deprecated libraries poses significant cybersecurity risks and is inconsistent with secure software design and maintenance practices. It is imperative that all CCTV camera manufacturers ensure timely patching, updation, and remediation of such software components in order to maintain the integrity, confidentiality, and availability of the CCTV Camera surveillance infrastructure.
In this regard, the following has been decided:
1. All CCTV camera manufacturers are provided a maximum duration of six months from the date of issuance of this letter to:
- Identify all EOL libraries and dependencies (e.g. Linux Kernel libraries, OpenSSL, BusyBox, Net-SNMP etc.) currently used in their products.
- Replace or update these with supported and secure alternatives.
- Provide detailed documentation on the updated software stack and versioning.
2. STQC shall undertake a security review of these updated libraries and components as part of the surveillance process or at any stage as deemed necessary.
3. Further, STQC will recommend BIS to withdraw the CRO certification granted to the concerned CCTV camera models in the event of non-compliance with the above directions within the stipulated timeframe or failure to demonstrate closure of the identified vulnerabilities.
Manufacturers are advised to maintain detailed records of the update process and coordinate with STQC for review and verification.
This initiative is felt essential in ensuring continued compliance with applicable Essential Security Requirements ER01:2024 and maintaining a secure surveillance ecosystem in the country.
Download the File For more Details : STQC/ITE GOV/2025/01