NC Nov-Dec 2023
SECURITY UPDATE

approach is required that considers all possible threat vectors. It is expected that those businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process and a vendor risk assessment, it is highly likely that policies and processes will play a much greater role.
Securing a network, its devices, and the services it supports requires active participation by the entire vendor supply chain, as well as the end-user organisation. For the physical security industry, working closely with customers and other stakeholders will help to ensure a joined-up approach that everyone can agree on. Dedicated tools, documentation and training will help mitigate risks and keep products and services up-to-date and protected.
Equally, end-users will now be seeking to work with those suppliers and/or vendors who follow appropriate policies and processes, as well as holding third-party certifications. It is therefore imperative that physical security businesses can demonstrate, for example, that they adhere to a Vulnerability Management Policy, hold certification for ISO/IEC 27001 for Information Security Management Systems (ISMS), and hold Cyber Essentials Plus accreditation.
DEVICE AND SYSTEM CONTROLS AND HARDENING

Product integrity controls and features help to ensure that both hardware and firmware are protected from unauthorised change or manipulation. Signing a firmware image with a private key prevents firmware from being installed or upgraded without presentation of the appropriate credentials. Additionally, secure boot, based on the use of signed firmware, consists of an unbroken chain of cryptographically validated software, starting in immutable memory, that ensures a device can boot only with authorised firmware. A move to the use of signed video ensures that video evidence can be verified as untampered, making it possible to trace the video back to the camera from which it originated and verify that the video has not been modified or edited.
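As an added illustration of the boot chain just described (example code, not from the article or from Axis): a Go model in which a root public key stands in for the key held in immutable memory, each stage's signature covers both its image and the public key it hands to the next stage, and the first failed check halts the boot. The keys, stage layout and image bytes are constructed for the example, not real firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: an image plus the public key the next
// stage must verify against, both covered by one signature.
type Stage struct {
	Image   []byte
	NextKey ed25519.PublicKey // nil for the final stage
	Sig     []byte            // ed25519 signature over sha256(Image || NextKey)
}

func digest(s Stage) []byte {
	h := sha256.New()
	h.Write(s.Image)
	h.Write(s.NextKey) // binds the hand-over key so it cannot be swapped
	return h.Sum(nil)
}

// SignStage is the vendor's build-time step with its private signing key.
func SignStage(priv ed25519.PrivateKey, s Stage) Stage {
	s.Sig = ed25519.Sign(priv, digest(s))
	return s
}

// VerifyChain is the device's boot-time step: key starts as the root key in
// immutable memory and each stage verifies under the key the previous one handed over.
func VerifyChain(key ed25519.PublicKey, chain []Stage) error {
	for i, s := range chain {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, digest(s), s.Sig) {
			return fmt.Errorf("secure boot halted: stage %d signature invalid", i)
		}
		key = s.NextKey
	}
	return nil
}

// BuildDemoChain builds a bootloader -> firmware chain with fresh keys; image bytes are placeholders.
func BuildDemoChain() (ed25519.PublicKey, []Stage) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	fwPub, fwPriv, _ := ed25519.GenerateKey(rand.Reader)
	boot := SignStage(rootPriv, Stage{Image: []byte("BOOT v1"), NextKey: fwPub})
	fw := SignStage(fwPriv, Stage{Image: []byte("FW 11.8")})
	return rootPub, []Stage{boot, fw}
}
```

Because the bootloader's signature also covers the firmware key, replacing that key is detected at stage 0, before the firmware itself is ever examined.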
The use of system hardening processes aims to protect and secure devices and systems against cyberattacks by reducing the attack surface, essentially protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all recommended approaches. The likelihood of unauthorised or unauthenticated user access is further reduced by applying a Zero Trust policy, in line with the National Institute of Standards and Technology's (NIST) risk management framework, which promotes a "never trust, always verify" approach to any request for systems access.
While it is very unlikely that physical security systems will be classed as a critical asset as far as the scope of the NIS 2 Directive is concerned, it is important that organisations consider a holistic approach during the scoping of such technology. Physical security businesses, working closely in partnership with supply chains and customers, can deliver a system that is secure from both a physical and cybersecurity perspective, while helping to meet NIS 2 requirements. Stringent security measures, backed by policies and processes, tools, documentation and training, will help reduce risk and keep customers protected.
The NIS 2 Directive - Axis briefing paper to support cybersecurity compliance: https://www.emeacomms.axis.com/nis-2-directivebriefing
ABOUT STEVEN KENNY

Steven Kenny has spent 18 years in the security sector in roles that have seen him take responsibility for key elements of mission critical, high-profile projects across a number of different vertical markets. His current role sees him lead a team of Architect and Engineering managers across the EMEA region whilst supporting various industry associations and standards organisations. He currently sits on the EMEA Advisor Council as the emerging technology lead for TiNYg (Global Terrorism Information Network), and on various standards committees to support IoT security, as well as the BSI Private Security Management and Services. NC