CySPAG – enabling collaboration for cyber security for security systems
NSI has been working on raising standards in cyber security for security systems – alongside other stakeholders, including the FIA, Internet of Things Security Foundation (IoTSF) Smart Buildings Working Group, and SSAIB – in the British Security Industry Association’s Cyber Security Product Assurance Group (CySPAG).
A number of cross-industry efforts are under way to address the important and evolving risks to personal and corporate security posed by cyber security breaches.
Risk management policy and procedure continues to rise up the agenda, in response not only to the COVID-19 pandemic but also to the increasing risks associated with network-based communications. Since spring 2020 security managers have been prompted to review all aspects of business and staff safety and security, with a heightened emphasis on cyber security.
The importance of network protection, already a pressing concern, is further underlined by the almost daily emergence of new online security risks that leave individuals and companies vulnerable to cyber-attack, with potentially significant corporate and personal security and safety implications.
Connecting safety and security systems (including intruder detection and alarm, access control and video surveillance systems) to internal and external networks has increased their exposure to malicious attack, and with it the need for effective cyber security measures in their design, installation, commissioning, operation and ongoing maintenance.
Organisations increasingly recognise the importance of applied cyber security measures to protect their operations, and are expected to demonstrate them, for example through Cyber Essentials/Cyber Essentials Plus certification or ISO 27001 (the international standard that provides a framework for managing information security risks). Equally important, however, is competence in the installation and maintenance of security systems at client premises.
In 1736 Benjamin Franklin, a Founding Father of the United States, declared: “An ounce of prevention is worth a pound of cure”. Raising standards to improve the safety and security of people and property does just that. NSI has been working on this question through its participation in the British Security Industry Association’s Cyber Security Product Assurance Group (CySPAG), alongside other stakeholders including the FIA, the Internet of Things Security Foundation (IoTSF) Smart Buildings Working Group and SSAIB.
Established in 2017 as a collaborative effort bringing together product and system designers, manufacturers, installers and maintainers of security systems, CySPAG harnesses cross-industry expertise to provide practical, free-of-charge recommendations for all installers of security systems, to help reduce their vulnerability to cybercrime (https://www.bsia.co.uk/cyspag).
CySPAG’s ongoing work has included the production of practical and informative guides, the first of which, ‘Cyber secure it’, was published in January 2019. This was followed last summer by a 20-page cyber security code of practice for the installation of safety and security systems, which sets out cyber security requirements that approved installers can apply to protect their customers’ systems. Delivering this code of practice involved manufacturers, designers, installers and system maintainers all working together. The outcome was ‘CyberCoP 342’. It addresses the continually increasing use of internet-connected devices and systems in electronic security, and how the growing number of devices and links on home and business networks leaves individuals and companies vulnerable to cyber-attack.
A practical approach
CySPAG is committed to providing publicly available industry guidance focused on what is practicable for installers and what can be expected of clients and end users, so as to deliver meaningful and practical cyber secure solutions. This contrasts with, and complements, other cyber security schemes, where products are typically the main focus.
Addressing the essential competence of installers, and to some extent of end users, in keeping their systems cyber secure, CyberCoP 342 is designed to enable professionals within the security industry to take all reasonable precautions when installing and operating security systems with cyber exposure.
CyberCoP 342 aims to ensure that installers ‘joining up the dots’ of hardware in a system do so competently and with reasonable care, giving customers assurance in their connected solutions, and it encourages sound implementation, regular testing and, where appropriate, updating of equipment and software.
As CySPAG points out, end users have a role to play in cyber security and need to be aware of their responsibilities in keeping their system secure, in practically managing cyber risks on their installed system, and also in making informed choices when selecting a company to supply, install and maintain their connected security system.
CySPAG’s ongoing work accordingly includes a review of current industry skills and cyber security competencies, identifying training needs; it is recognised that industry up-skilling will be required. The group’s aims include setting out who is responsible for what, and ensuring that installers select products that are cyber secure for the risk scenario in which they will be used. This remit also covers ensuring that cyber security updates are provided in a timely manner, and that end users are made aware of their own role in keeping their systems secure. The group’s agenda includes the publication of further industry guidance: a cyber security code of practice for manufacturers of safety and security systems was launched in April 2021.
Information security, already an important issue, is here to stay and poses significant challenges. CySPAG’s collaborative, industry-wide approach to addressing this risk signals that new technology can be adopted safely, allowing the benefits of interconnected systems and devices to be widely realised without compromising the corporate and personal data of those who use them.