The UK National Protective Security Authority (NPSA) has published guidance on the threat of cyber attacks aimed specifically at security systems with the goal of corrupting data, opening a portal, or disabling alarms.
In response to the issue, NPSA has established the ‘Cyber Assurance of Physical Security Systems (CAPSS)’ scheme, aimed at helping critical national infrastructure (CNI) providers and other organizations gain confidence in the cyber components of electronic security products which, ‘while robust in the physical security domain, could potentially be compromised by a hacker in their bedroom miles away’.
The CAPSS programme comprises two main elements, the CAPSS Standard and the CAPSS Guidance:
The CAPSS Standard is the main document of the assurance programme, under which a security product's cyber attack mitigations are independently assured against a set of Security Characteristics covering a variety of potential cyber attack threats. The Standard is ‘coupled with assurance of a manufacturer's development and build processes to ensure cyber defence is a key building block in any product’s DNA’. Products that pass CAPSS are awarded the NPSA CAPSS Trademark and are placed in the NPSA Catalogue of Security Equipment (CSE).
The CAPSS Guidance is wider-ranging guidance and advice aimed at personnel responsible for a site’s physical security and ‘covers areas such as policies to focus on, potential threat vectors, real world examples, and provides specific questions to ask a manufacturer if a CAPSS assured product is not able to be utilised’.