Cyber Assurance of Physical Security Systems (CAPSS)
Cyber attacks are an ever-increasing threat to the UK’s critical national infrastructure. Whether it is to deny service or steal intellectual property, the threat has never been greater. It's essential that software and hardware security systems have the full set of threat mitigations at the core of their functionality and are utilised by a site for maximum effect. CAPSS is designed to assist security managers in focussing on key areas when it comes to protecting against cyber attacks.
What is CAPSS?
While CPNI is the lead authority for physical security and NCSC leads on all things cyber, there is a critical programme within CPNI that covers both physical and cyber security called CAPSS.
CAPSS is about gaining confidence in the "cyber" components of electronic security products which, while robust in the physical security domain, could potentially be compromised by a hacker in their bedroom miles away. CAPSS has been jointly written by NCSC and CPNI leveraging the expertise of both technical authorities.
The primary aim of CAPSS is to provide a mechanism by which CNI sites can gain a good level of confidence that the software and hardware security solutions they have in place, or are considering purchasing, have strong and effective cyber mitigations at the core of their development and operation. By utilising CAPSS assured products, sites can ensure that their systems are not the "low hanging fruit" within a corporate IT system, allowing an attacker to gain entry to the wider corporate network or manipulate and circumvent the physical security systems.
The CAPSS programme comprises two main elements: the CAPSS Standard and CAPSS Guidance.
CAPSS Standard
The main document of the assurance programme, where a security product’s cyber-attack mitigations are independently assured against a set of Security Characteristics covering a variety of potential cyber-attack threats. The Standard is coupled with assurance of a manufacturer's development and build processes to ensure cyber defence is a key building block in any product's DNA. Products that pass CAPSS are awarded the CPNI CAPSS Trademark and are placed in the CPNI Catalogue of Security Equipment (CSE).
CAPSS Guidance
Wider-ranging guidance and advice. It is aimed at personnel responsible for a site's physical security and covers areas such as policies to focus on, potential threat vectors and real world examples, and provides specific questions to ask a manufacturer if a CAPSS assured product is not able to be utilised.
Both the CAPSS standard and guidance, along with supporting documents, are available below in the guidance section.
The original CAPSS standard created back in 2015 focused on physical solutions to IT problems, for example, securing devices in locked boxes. The recently updated CAPSS, however, takes a more flexible approach and looks at the impact of decisions - why secure something into a locked box if all the data is encrypted? The overall aim is to trust the CAPSS assured devices, rather than have to "lock" an entire network.
The updated standard allows individual components (or systems of components) to be tested, which will allow networks of CAPSS assured products to be built in the real world. This means end users are not tied to complete systems that must never change. CAPSS will now allow more flexibility and choice across a broader range of assured products.
The new standard works on a simplified approach, focusing on six main areas:
- physical security (we are CPNI after all)
- secure configuration
- network security
- authentication management (privileges)
- cloud services
Each of these main areas will have specific mitigations specified under three main topics:
- DEV – development mitigations
- VER – verification mitigations
- DEP – deployment mitigations
What the product is will determine which individual tests under each topic are applied. The end result will be a Tailored Security Characteristic specific to that product.
The CAPSS standard helps guide manufacturers to build better, more robust products – and also do all the good stuff in their development lifecycle and vulnerability disclosure. This is done in three ways:
- ensuring that the product is developed with a design that embeds security
- testing and verifying that the product functions in a secure manner
- confirming that the product is deployed securely, following best practice - even the best product can end up deployed insecurely
With a more flexible approach, and more possibilities as to how security can be achieved, the new CAPSS Standard will deliver products fit for the modern world.
What can be tested
CAPSS testing is available to be undertaken on any security product, be it hardware or software. Examples of potential products available to be assured are physical security information management systems software, visitor management systems software, access control hardware and software, perimeter intrusion detection software and hardware, intrusion detection systems hardware and software... the list goes on.
It is worth noting CAPSS is not a replacement for the functional standards assurance programmes run by CPNI. Where there is a functional standard, it is strongly recommended that it is adhered to as well as undertaking CAPSS assurance.
Systems that successfully pass CAPSS will be entered into the CPNI Catalogue of Security Equipment (CSE) with full details of all the components tested published, including both core and peripheral items. These are defined in more detail below:
- Core Components - items which make up the device being tested (for example a Video Management System is made up of a video server, network data storage and a viewing computer)
- Peripheral Items - items which need to be added to a system to make it functionally work but in themselves are not assured (for example a CCTV camera connecting to a Video Management System. The CCTV camera itself is not assured, however the connecting of the camera does not adversely affect the cyber security of the Video Management System).
The CAPSS trademark will be awarded initially for a period of 2 years, at which point a small re-evaluation of the product will be required. If nothing significant has changed materially affecting the security mitigations within that period, a further 2 year period of assurance will be issued. This will continue until the product has been assured for 6 years, at which point a full re-evaluation will be required.
For manufacturers wishing to undertake CAPSS, key documents required can be downloaded via the document links at the bottom of this page. They are:
- CAPSS 2021 - Security Characteristic v1.0
- CAPSS 2021 - Application Notes for Manufacturers v1.0
- NCSC Build Standard 1.4
- CAPSS 2021 TSC and ERR Recording Spreadsheet
- CAPSS – The Evaluation Process
CAPSS guidance is a more wide-ranging set of guidance and advice. It is aimed at personnel responsible for a site's physical security and covers areas such as policies to focus on, potential threat vectors and real world examples, and provides specific questions to ask a manufacturer if a CAPSS assured product is not able to be utilised.
The CAPSS guidance utilises technical elements of the CAPSS Standard to provide site managers with high level guidance about what to focus their resources on, to defend against cyber attacks on their physical security systems. It is intended for sites who do not utilise, or are unable to utilise, products within CPNI’s CSE, and enables sites to identify the major areas of risk and apply mitigation to their own systems using a consistent framework approach.
This newly created guidance document (see the document link to CAPSS Guidance 2020 below) provides advice covering the following areas in detail:
- why sites need to worry about cyber threats
- organisational challenges in mitigating cyber threats
- recommended policies for sites to focus on to mitigate cyber threats
- the primary security control groups a site should consider providing mitigations for
- risk, versus complexity, versus cost of implementing certain threat mitigations
- a comprehensive list of security controls that a site can easily translate into an “ask” of a vendor or manufacturer to provide assurance of a product’s cyber protection
- a decision-making framework that can assist in deciding where best to deploy protective controls based on the nature of a site's IT infrastructure configuration