A site’s physical security systems such as CCTV, access control, and intruder detection, are its first line of defence. The security systems are more powerful and interconnected than ever before, but because of this, they are at their highest ever risk of cyber attack. A cyber attack could be used to deny an authorised user access to the site, to change the site's security settings so as to allow unauthorised access, or, to steal a site's data. Physical security products such as CCTV or access control systems are likely to be deployed in secure or non-secure areas, and this leaves them susceptible to both insider and external threats, so you must protect them accordingly. For hostiles, attacking a physical security system is not only about compromising that one specific security measure, but can act as a way to compromise your wider corporate network. One compromised asset can be a gateway to your whole site.
In order to protect your site and your business's critical information, you must ensure that you are protected against any potential cyber attacks. CAPSS stands for the Cyber Assurance of Physical Security Systems. It is an assurance program designed for physical security products, and it focuses on the protective measures implemented in a product that form its defence against cyber attack. CAPSS aims to secure each individual security product on your site against a cyber attack, so that a systems on your site become more connected, there are multiple layers of cyber protection in place, making the whole system robust.
Through rigorous testing. CAPSS assures that, the mitigations a product claims to have are in place, that these mitigations have been developed and implemented properly, and that deployment guidance is provided to ensure correct installation and configuration. Through examining a product's development lifecycle, CAPSS confirms that security has been baked into the product from the earliest stage. It tests that products are focused on security as well as functionality.
Throughout the assurance process, CAPSS asks questions of various key threat areas.
Basic General Security: Is the product able to be updated securely? Is sensitive data suitably encrypted?
Physical Security: How accessible are the physical ports and any removable media? Are there tamper protection boundaries in place? Is the product still secure if there is a loss of power or network connectivity? Secure Configuration: Are the product’s configuration settings protected? Are there controls over who can change them? Is it backed up securely, so the system can be restored following a catastrophic system failure?
Network Security: How are communications between the product and other systems secured? Is data suitably encrypted? What is in place to limit the impact of a denial of service attack? Are wireless networks used? If so, are they securely protected?
Authentication Management: How are users authenticated to the system? What is the password policy? Are security privilege based on roles? And is the principle of least privilege applied?
Monitoring: What is the product's logging capability? Are incidents timestamped, and are these accurate? Are these logs protected when backed up?
Cloud Services: Does the product use any external cloud services to store information? And if so, do they meet the National Cyber Security Centre’s cloud security principles?
By testing these mitigations, and more, we can be sure that products given CAPSS assured status in the catalog of security equipment, are reliable, and protected against cyber attack. If it's not possible to purchase or deploy physical security products that are CAPSS assured, then it's essential to consult with the manufacturer or supplier, checking what cyber mitigations are in place. NPSA have developed an in-depth guidance document designed for site security managers or those involved in the procurement of physical security products. This guidance provides a range of information covering key areas, such as why sites need to be concerned about cyber threats, how to achieve senior management support, easily understandable frameworks to help identify areas of concern, and checklists of specific controls that a site can easily translate into an ask of a vendor. In today's digital, interconnected world, it's more important than ever to ensure the physical security products the site uses, are developed, tested, and deployed with cyber protection capability, at the core of their functionality.
Cyber attacks are an ever increasing threat to the UK's critical national infrastructure. Whether it is to deny service or steal intellectual property, the threat has never been greater. It's essential that software and hardware security systems have the full set of threat mitigations at the core of their functionality and are utilised by a site for maximum effect. CAPSS is designed to assist security managers in focussing on key areas when it comes to protecting against cyber attacks.
What is CAPSS?
While NPSA is the lead authority for physical security and NCSC leads on all things cyber, there is a critical programme within NPSA that covers both physical and cyber security called CAPSS.
CAPSS is about gaining confidence in the "cyber" components of electronic security products which, while robust in the physical security domain, could potentially be compromised by a hacker in their bedroom miles away. CAPSS has been jointly written by NCSC and NPSA leveraging the expertise of both technical authorities.
The primary aim of CAPSS is to provide a mechanism by which CNI sites can gain a good level of confidence that the software and hardware security solutions they have in place, or are considering purchasing, have strong and effective cyber mitigations at the core of their development and operation. By utilising CAPSS assured products sites can ensure that their systems are not the "low hanging fruit" within a corporate IT system, allowing an attacker to gain entry to the wider corporate network or manipulate and circumvent the physical security systems.
The CAPSS programme comprises of two main elements: the CAPSS Standard and CAPSS Guidance.
|The main document of the assurance programme where a security product's cyber-attack mitigations are independently assured against a set of Security Characteristics covering a variety of potential cyber-attack threats. The Standard is coupled with assurance of a manufacturers development and build processes to ensure cyber defence is a key building block in any products DNA. Products that pass CAPSS are awarded the NPSA CAPSS Trademark and are placed in the NPSA Catalogue of Security Equipment (CSE).
|Wider ranging guidance and advice. It is aimed at personnel responsible for a sites physical security and covers areas such as policies to focus on, potential threat vectors, real world examples, and provides specific questions to ask a manufacturer if a CAPSS assured product is not able to be utilised.
Both the CAPSS standard and guidance, along with supporting documents, are available below in the guidance section.
The original CAPSS standard created back in 2015 focused on physical solutions to IT problems, for example, securing devices in 'locked boxes'. The recently updated CAPSS, however, takes a more flexible approach and looks at the impact of decisions - why secure something into a locked box if all the data is encrypted? The overall aim is to trust the CAPSS assured devices, rather than have to "lock" an entire network.
The updated standard allows individual components (or systems of components) to be tested, which will allow networks of CAPSS assured products to be built in the real world. This means end users are not tied to complete systems that must never change. CAPSS will now allow more flexibility and choice across a broader range of assured products.
The new standard works on a simplified approach, focusing on six main areas:
- physical security (we are NPSA after all)
- secure configuration
- network security
- authentication management (privileges)
- cloud services
Each of these main areas will have specific mitigations specified under three main topics:
- DEV development mitigations
- VER verification mitigations
- DEP deployment mitigations
Depending on what the product is will determine which individual tests under each topic will be applied. The end result will be a Tailored Security Characteristic specific to that product.
The CAPSS standard helps guide manufacturers to build better, more robust products - and also do all the good stuff in their development lifecycle and vulnerability disclosure. This is done in three ways:
- ensuring that the product is developed with a design that embeds security
- testing and verifying that the product functions in a secure manner
- confirming that the product is deployed securely, following best practice - even the best product can end up deployed insecurely
With a more flexible approach, and more possibilities as to how security can be achieved, the new CAPSS Standard will deliver products fit for the modern world.
What can be tested
CAPSS testing is available to be undertaken on any security product, be it hardware or software. Examples of potential products available to be assured are physical security information management systems software, visitor management systems software, access control hardware and software, perimeter intrusion detection software and hardware, intrusion detection systems hardware and software - the list goes on.
It is worth noting CAPSS is not a replacement for the functional standards assurance programmes run by NPSA. Where there is a functional standard, it is strongly recommended that these are adhered to as well as undertaking CAPSS assurance.
Systems that successfully pass CAPSS will be entered into the NPSA Catalogue of Security Equipment (CSE) with full details of all the components tested published, including both core and peripheral items. These are defined in more detail below:
- Core Components - items which make up the device being tested (for example a Video Management System is made up of a video server, network data storage and a viewing computer)
- Peripheral Items - items which need to be added to a system to make it functionally work but in themselves are not assured (for example a CCTV camera connecting to a Video Management System. The CCTV camera itself is not assured, however the connecting of the camera does not adversely affect the cyber security of the Video Management System).
The CAPSS trademark will be awarded initially for a period of 2 years at which point a small re-evaluation of the product will be required. If nothing significant has changed materially affecting the security mitigations within that period, a further 2 year period of assurance will be issued. This will continue until the product has been assured for 6 years at which point a full revaluation will be required.
- For manufacturers wishing to undertake CAPSS, key documents required can be downloaded via the document links at the bottom of this page. They are:
- CAPSS 2024 - Security Characteristic v1.0
- CAPSS 2024 - Application Notes for Manufacturers v1.0
- NCSC Build Standard 1.4
- CAPSS 2024 TSC and ERR Recording Spreadsheet
- CAPSS The Evaluation Process
- CAPSS The Evaluation Maintenance - FAQ
CAPSS guidance is more a wide ranging set guidance and advice. It is aimed at personnel responsible for a sites physical security and covers areas such as policies to focus on, potential threat vectors, real world examples, and provides specific questions to ask a manufacturer if a CAPSS assured product is not able to be utilised.
The CAPSS guidance utilises technical elements of the CAPSS Standard to provide site managers with high level guidance about what to focus their resources on, to defend against cyber attacks on their physical security systems. It is intended for sites who do not utilise, or are unable to utilise, products within NPSAs CSE, and enables sites to identify the major areas of risk and apply mitigation to their own systems using a consistent framework approach.
This newly created guidance document (see below document link to CAPSS Guidance) provides advice covering the following areas in detail:
- Why sites need to worry about cyber threats
- organisational challenges in mitigating cyber threats
- recommended policies for sites to focus on to mitigate cyber threats
- the primary security control groups a site should consider providing mitigations for
- risk, versus complexity, versus cost of implementing certain threat mitigations
- a comprehensive list of security controls that a site can easily translate into an "ask" of a vendor or manufacturer to provide assurance of a product's cyber protection
- a decision making framework that can assist in deciding where best to deploy protective controls based on the nature of a sites IT infrastructure configuration
CAPSS Frequently Asked Questions
- CAPSS 2024 Application Notes for Manufacturers05-02-2024Download
- CAPSS 2024 Security Characteristic05-02-2024Download
- CAPSS 2024 TSC and ERR Recording spreadsheet05-02-2024Download
- CAPSS Guidance05-02-2024Download
- CAPSS Evaluation Maintenance – Frequently Asked Questions16-07-2021Download
- CAPSS Evaluation Process15-07-2020Download
- CAPSS Guidance Poster02-07-2020Download