While CPNI is the lead authority for physical security and NCSC leads on all things cyber, there is a small programme within CPNI that covers both physical and cyber security, which we call CAPSS.
CAPSS (Cyber Assurance of Physical Security Systems) is about gaining confidence in the ‘cyber’ components of electronic security products which, while robust in the physical security domain, could be compromised remotely by a hacker in their bedroom miles away.
CAPSS was jointly written by NCSC and CPNI, drawing on the expertise of both technical authorities, and this month the CAPSS standard has been updated and re-released to bring it in line with current best practice.
The original CAPSS standard focused on physical solutions to IT problems, for example securing devices in ‘locked boxes’. The updated CAPSS takes a more flexible approach and looks at the impact of decisions: why secure something in a locked box if all the data is encrypted? The overall aim is to be able to trust CAPSS-assured devices, rather than having to ‘lock down’ an entire network.
The updated standard allows individual components (or systems of components) to be tested, so that networks of CAPSS-assured products can be built in the real world. End users are therefore no longer tied to complete systems that must never change; CAPSS now allows more flexibility and choice across a broader range of assured products.
The new standard will work on a simplified approach, focusing on 6 main areas:
- physical security (we are CPNI after all)
- secure configuration
- network security
- authentication management (privileges)
- cloud services
CAPSS uses a flexible approach, where only relevant sections are applied during the assessment.
The updated CAPSS standard guides manufacturers to build better, more robust products, and to follow good practice in their development lifecycle and vulnerability disclosure. It also assesses products to gain confidence that they actually provide defence in depth. This is done in three areas:
- ensuring that the product is developed with a design that considers security
- testing and verifying that the product functions in a secure manner
- confirming that the product is supplied with any additional material needed to deploy it following best practice, since even the best product can end up deployed insecurely
With a more flexible approach, and more possibilities as to how 'security' can be achieved, the new CAPSS standard will deliver products fit for the modern world.