Railways’ video surveillance system project stumped by lack of cyber security clearance

With manufacturers of cameras reluctant to get cyber security testing done, the Ministry suggests NITI Aayog implement uniform guidelines for surveillance systems in all government projects

March 15, 2023 06:15 am | Updated 08:05 pm IST - CHENNAI

Image used for representational purpose.

Image used for representational purpose. | Photo Credit: Getty Images

After facing hurdles in the implementation of CCTV surveillance systems at major railway stations across the country, the Ministry of Railways has flagged a critical cyber safety issue involving national security with the NITI Aayog.

As part of enhanced security measures, the railways are implementing a Video Surveillance System at hundreds of railway stations in a phased manner. The project is being financed through the Nirbhaya Fund controlled by the Ministry of Women & Child Development.

Though funds were sanctioned and tenders finalised, there has been an inordinate delay in commencing the work since the Original Equipment Manufacturers (OEMs) of the surveillance cameras are reluctant to get cyber security testing done by the Standardisation Testing & Quality Certification (STQC) Directorate, Ministry of Electronics and Information Technology.

Also read: Four years on, mission to install CCTVs at railway stations derails

Despite constant reminders and follow-up by the Ministry of Railways with the service providers after the contract agreements were placed, not a single camera manufacturer got cyber security clearance from the STQC Directorate, sources in the railways told The Hindu.

“The OEMs are reluctant to get the testing done for reasons best known to them and not showing interest in the CCTV projects of the railways since only we are insisting on cyber security clearance of cameras and its components to ensure security. However, the cyber security clearance is not being insisted on for other surveillance camera projects funded by the Union Government like the smart cities,” a senior railway official said.

Security audit mandatory

In a meeting convened by NITI Aayog on July 30, 2019, involving top officials of the Ministry of Railways, Research Designs & Standard Organisaton, RailTel Corporation of India Ltd. etc., it was decided to make security auditing and testing mandatory for data protection.

To ensure the security of the camera and network from vulnerabilities & breaches and discourage false undertaking from OEMs, it was decided that security auditing and testing be carried out by reputed agencies like CERT-IN or STQC at the time of Proof of Concept (POC) as well as at the time of completion of project.

“In case any security breach is found in the system at any stage, including at POC level, the contract should be terminated. Before bulk supply and installation of the cameras and other components, the POC should be done and same evaluated by a competent technical team. The source code of the camera software should be taken from the supplier/OEM. If these conditions are fulfilled, the country of origin of the cameras is immaterial,” the official, quoting the resolutions passed in the NITI Aaayog meeting, said.

The official said the purpose of insisting on the cyber security clearance was to rule out vulnerabilities as many OEMs are based outside of India and supplying products through their dealers in India. “It appears that many surveillance systems have already been implemented or in various stages of implementation without the cyber security clearance of the STQC directorate,” he said.

Security concerns

The Railway Board has written to Chief Executive Officer, NITI Aaayog, stating that the cyber security clearance was mandated by the railways whereas it was not necessary for other projects like city surveillance, smart cities etc., and hence OEMs were not giving priority to refer their products for security audit and testing.

Enforcing the rule of cyber security clearance for cameras and associated software installed in all government projects “will ensure overall security concerns in the country and will mandate camera OEMs to get their products complied with cyber security standards”, the letter said.

According to railway sources, RailTel is providing Internet Protocol-based Video Surveillance System at railway stations and train coaches across the railway network. The system would have video analytics and facial recognition software backed by Artificial Intelligence to ensure proactive high-tech security at railway stations. The target is to provide the surveillance system at 6,049 stations and 14,000 plus coaches in different phases.

In the first phase of the project, the railways finalised agencies for executing the work covering 756 railway stations by January 2023. However, the target time for completing the project will now be delayed.

Top News Today


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.