IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
March 17, 2022

Physical and cyber security

Exploring the intersection of physical and cyber security

Today, residential, commercial and public buildings alike are getting smarter. Fitting them with a network of connected systems allows a building to regulate its environment, save energy and be more secure.

Content Manager at IASME Consortium, Jane Waterfall, explains how systems such as heating, air-conditioning, smoke detectors and smoke alarms, as well as video surveillance systems can connect to generate, collect and analyse data to monitor the environment in order to improve effectiveness of service.

Protecting physical security technology

The connected, embedded sensors and devices that make up the internet of things (IoT) contain software which provides these systems with their ‘intelligence’. All software contains millions of lines of code, and these inevitably contain some mistakes.

In the world of cybersecurity, mistakes are called vulnerabilities and can be the equivalent of a window left open for cyber criminals to gain access.

Herein lies the paradox: the hundreds of IoT devices brought in to help make a building more secure can in fact create open gateways for hackers to access not only the device with the vulnerability, but the whole IT network that the device is connected to.

Cyber security is concerned with preventing unauthorised access to a building or a company’s network and data. Many physical security systems now include numerous connected devices with remote access from the cloud, closely resembling an IT architecture.

Cyber security is viewed as essential for technology that is connected to the internet. Yet, if you consider the fact that many features in smart buildings still contain critical defects and overlook best practice, from a security point of view, many smart systems are far from ‘smart’.

Essential cyber security for IoT

IoT is a very attractive target for hackers, not least because the numerous IoT devices make it simple for attackers to steal valuable data, take control of or disrupt a system, or access bigger prizes within a network.

Attacking the physical is often part of a larger attack where its role is to act as an easier gateway to another system.

IoT systems security is somewhat behind the security level of most business computers, with some security experts estimating it is at the stage in its journey where information security was 15 years ago. Consumer IoT devices and those found in many smart buildings frequently do not have even the basics in place, leaving the devices and the networks vulnerable to cyber-attacks.

The ETSI EN 303 645 standard was created by a team of experts from across the EU, in industry, academia and government, to prevent large-scale, prevalent attacks against smart devices. The standard, released in 2020, describes 13 requirements to establish a security baseline for connected consumer products and provides a basis for future IoT certification schemes.

New legislation coming into UK law in the near future will bring some much-needed improvement to consumer IoT device security. The new legislation will specify three mandated security features which are aligned with the top three requirements of the European Technical Standard for IoT Security (ETSI).

Physical security to protect information technology

In the same way that cyber security is needed to protect physical security technology, physical security practices are essential in helping to protect information technology.

Access control is one of the key principles of cyber security, covering the essential precaution of controlling who can access your devices, accounts and data. The technical control includes creating user accounts for everyday use and limiting access to the administrative accounts to those people that need them for their roles.

Access control also includes physical access to equipment and premises. This would include, for example, protection from unauthorised people walking unchecked into an office or server room, or even just looking through a window.

The rule of ‘least privilege’ is a secure way to work. This simply means staff are given all the resources and data necessary to perform their roles, but no more. The same rule can be applied to accessing different parts of the business premises. Physical access control measures can include using a key card or biometric scan to enter the building, further access control for different offices, ensuring that computer screens are not visible from the window, and ensuring that devices used to access organisational data automatically lock after a period of inactivity.

Physical and cyber security have long been seen as separate sectors, but with the rise of smart buildings and the interdependence of physical systems with web based or cloud-based networks, the boundaries between the two are becoming less visible.

Organisations, facilities managers and those in the security industry need to find ways to better identify, mitigate and respond to risks across multiple security operations when the surface area of those risks is larger and continuously expanding.

Security convergence

Security convergence is the practice of integrating physical security and information security within projects and organisations. The idea is to manage the total risk to assets, property, systems and networks in a holistic security strategy, anchored by shared practices and goals.

Effective security convergence has needed a culture shift from that of siloed departments with separate funding sources and strategies to one of inclusion and collaboration. The security sector knows that it needs to build more awareness of IoT breaches, provide education, share best practices, and accelerate the development and adoption of cyber security standards.

Good security strategies focus on people, processes and technology, encourage training and education for their teams and prioritise working with trusted providers who use assured products and technology to connect their building assets.

IASME developed the IoT Security Assured certification scheme to provide an accessible and achievable way for manufacturers to demonstrate the security of their internet-connected devices and to show they are compliant with best-practice security.

When the IoT Security Assured scheme badge is displayed on the device, it will reassure end-users that their devices include the most important security features.

The IoT Security Assured scheme is aligned with the leading global technical standard in IoT security, ETSI’s EN 303 645, and with imminent UK IoT security legislation and guidance.

Within the IoT Security Assured scheme, there are three levels of security that a device can be certified to:

  1. The Basic level – this level is aligned with proposed UK legislation and covers the top three requirements of the ETSI standard
  2. The Silver level – this is aligned with the 13 ETSI mandatory requirements and Data protection provisions
  3. The Gold level – this is aligned with the 13 ETSI mandatory requirements, as well as all the additional ETSI recommended requirements and Data protection provisions.

An information security management system (ISMS) such as the IASME Governance standard is a documented systematic approach that addresses people, processes and technology. The Governance integrates both cyber security and physical security, helping organisations embed good security awareness, knowledge and behaviour into their practices as business as usual.