- Introduction
- What Do We Mean By ‘Network Connected Security Technology’?
- Part 1: Considering the Risks Associated with the Deployment of Network Connected Security Technologies
- Suitability of Technology
- Security Considerations for Organisations
- National Concerns
- Conclusion
- Part 2: Managing the Risks Associated with the Deployment of Network Connected Security Technologies
- Managing Deployment Risk
- Securing Common Deployment Scenarios
- Scenario 1: Isolated network security system
- Scenario 2: Connected Networks
- Scenario 3: Cloud Connected
- Conclusion
- Annex: Further Standards
- Scenario 1 Controls
- Scenario 2 Controls
- Scenario 3 Controls
Introduction
In the increasingly connected world we operate in, the products we trust with our security are more and more reliant on ubiquitous connectivity in order to fulfil their core functions. When these technologies, which are often capable of capturing personally identifiable information, biometrics and pattern-of-life information, are connected to other security systems, corporate networks or the internet, they can present an increased, and sometimes intolerable, security risk.
This document has been developed by NPSA and NCSC with assistance from UK NACE and Defence Intelligence (DI) to guide the reader through some of these potential risks.
Electronic security technologies, such as video surveillance systems (VSS) and access control systems, are critical to keeping your organisation and your people safe; however, they may also be exploited by adversaries. Connecting these devices to a network could place your data and knowledge assets at risk. The information generated by such equipment may be sensitive and open to exploitation, posing risks to your organisation and to individuals. If you are using or considering buying a network connected security technology system, for example a VSS, then you should ensure that you understand the data protection and cyber risks associated with it so that you can manage them appropriately.
When using network connected security technologies, you should consider the risk of:
- An adversary, whether a nation state actor, direct competitor or cyber-criminal gaining access to sensitive personal information (e.g. in recorded data or captured audio and/or images) about your staff or other individuals that is stored and processed on your security technology system.
- An adversary gaining access to sensitive corporate information (e.g. intellectual property, staff or customer personally identifiable information (PII)) that is stored and/or processed on your corporate systems.
- An adversary making changes to your corporate or security technology system, adversely affecting the way the system works.
- An adversary taking control of your corporate or security technology system.
- The inability for you and/or your customers to access your corporate systems including your access to any security technology system, for example caused by a successful ransomware or other denial of service attack.
- Damage to your organisation’s finances via loss of intellectual property.
- Damage caused to your organisation’s reputation from losses of data, information or loss of control over your systems.
- Breach of your legal and regulatory obligations, for example the Data Protection Act (2018) or the Product Security and Telecommunications Infrastructure Act (2022).
Irrespective of the size or nature of your organisation, if you have, or are considering, deploying network connected security technologies, from any manufacturer, in your environment, then this guidance will help you to make decisions around its suitability and when proceeding, how to understand and manage the risks appropriately.
What Do We Mean By ‘Network Connected Security Technology’?
The use of security technology continues to play a vital role in protecting our national interests. This includes deploying cameras and access control systems to protect sensitive environments, or software and services that monitor areas for intrusion. While there is great benefit in deploying this technology, careful consideration needs to be given to the deployment of any IP-connected security technology.
The term “network connected security technology” is primarily associated with physical security or surveillance systems but could include a diverse range of applications, including software, hardware, data analytics and processing services, cloud storage and remote access capabilities. It is important that you understand the risks associated with deploying these technologies, whether they relate to location sensitivities, data protection considerations or privacy concerns.
For example, a camera pointed at a non-sensitive site may not have privacy considerations but may be able to facilitate access to your wider IT network if it is not architected securely.
As with any technology system, it is important that you understand the risks and threats posed by that technology and its use. These risks, as previously mentioned, might include data protection and cyber security risks. These risks will manifest themselves throughout the entire lifecycle of the product, including within the supply chain, through use of the product and up to the point of secure destruction (of the data and potentially the product). The supply chain might include security technology system manufacturers, vendors, resellers, installers and maintainers.
This guidance does not cover the following areas:
- Products/services that are beyond physical security systems, such as communications systems, anti-virus software, social media monitoring systems, etc.
- Specific military/defence equipment.
This guidance is split into two individual parts, which can be consulted individually, or together.
- Part 1 - Considering the risks associated with the deployment of network connected security technologies.
- Part 2 - Managing the risks associated with the deployment of network connected security technologies.
Part 1: Considering the Risks Associated with the Deployment of Network Connected Security Technologies
Suitability of Technology
When making a decision about the procurement and installation of networked security technologies, you are likely to use a range of factors to inform your choice of both supplier and equipment, such as:
- The availability of the product.
- The cost, both up front and during the lifecycle of the device.
- The specifications and functionality of the product, and whether it meets your requirements, including if there are any functions that you want to explicitly NOT have (e.g. facial recognition).
- How it compares to other models on the market, if there are alternatives available.
- The cyber security of the product.
As with all decisions to procure new products and services, a risk vs benefit analysis and due diligence process should be undertaken.
It is important to consider the implications of deploying any network connected security technology within your environment, including the risks that may affect the security of the organisation, the UK and its partners and allies, when weighed against the benefits that the deployment of the technology will bring.
On the 24th November 2022, Rt Hon Oliver Dowden MP made a statement to the UK parliament that “visual surveillance systems" (often called Video Surveillance Systems) subject to the National Intelligence Law of China should cease to be deployed onto government sensitive sites. Furthermore, no such equipment should be connected to government department core networks and existing equipment should be considered to determine whether it should be removed and replaced with alternatives. (Parliament - written statements)
Additionally, the Procurement Act (2023), legislation to simplify and replace the EU procurement regime, contains national security provisions to exclude or debar certain suppliers from public contracts where necessary.
These two examples illustrate the seriousness with which His Majesty’s Government (HMG) is taking the threat posed by security technology suppliers within UK public supply chains. They both cover more than the network connected security technologies covered in this guidance and, while for the most part they are only applicable, with some exceptions, to public sector procurement, they reveal some of the concerns that those in the private sector should share when making procurement decisions.
Security Considerations for Organisations
All organisations face risk, irrespective of their size or what they do, and these risks need to be managed proportionately to prevent or limit harmful impacts. The risks an organisation may face resulting from the use of network connected security technologies could include:
- Unauthorised access to sensitive information (including images and audio) – an adversary may gain unauthorised access to sensitive information such as images or audio whilst it is being stored, or processed, on an organisation’s premises, or in a cloud service (irrespective of deployment model) which is accessible by, operated, maintained and/or owned by either the vendor of a network connected security technology, or any other third party in the supply chain. This could be information relating to:
- people: your staff or other individuals visiting the site.
- corporate information, intellectual property, or business engagements.
- Loss of control of a network connected security technology system – an adversary could take control of your network connected security technology system, including enrolling it in a botnet (such as Mirai). This control could allow them to:
- Identify and observe individuals, systems, information, behaviours or places of interest.
- Use the networked security system to facilitate or support other attacks, for example physical or distributed denial of service (DDoS) attacks.
- Pattern Analysis – compromised systems or applications could be used to facilitate pattern analysis on events or metadata that may subvert the safety and security of a site or its personnel. For example, regular entry/exit events on an access control service could allow an attacker to identify critical business decisions or ongoing investment discussions.
- Denial of services – an adversary could deny the use of a network connected security technology system to authorised users so that its security function (access control), monitoring (alarm detection) or recording capabilities (video surveillance systems) are not available as and when they are required.
- Gain access to other connected systems – an adversary could use their access to a compromised network connected security technology to extend, pivot and gain further access to other systems that are connected to it. This could include other security technology systems or other corporate networks.
- Legal and regulatory compliance – there are laws and regulations that aim to ensure and direct the proper use of technology systems and services. This is no different for network connected security technology systems, and you should ensure that your use of them complies with any applicable laws or regulations, such as the UK Data Protection Act (2018), affecting the use and processing of sensitive personal information.
National Concerns
The use of certain networked security technologies can have an impact on the United Kingdom and its allies. If your organisation operates at a national level (such as central government, defence, or an enterprise that champions the success of the UK) then this will be of particular importance. The procurement of certain network connected security technologies may also have the potential to impact the reputation of your organisation, as well as the security of the country. National level impacts could include:
- Erosion of National Capability – using products developed and manufactured overseas will have an impact on the success of local technology companies that produce similar systems. Over time, this may lead to a reduced capacity for the UK to produce similar systems locally, although in some cases there may be no alternatives.
- Mass Surveillance Capability – widespread procurement and deployment of systems from overseas manufacturers within the UK may lead to the development of a hostile mass surveillance capability for a foreign state, which could be used to identify and observe sensitive assets and individuals of interest who may be living in, working in or visiting the UK.
- Mass Dependence on Technology or a Single Supplier – the deployment and reliance on technology developed by one or more vendors originating from another country could be leveraged to cause an aggregated impact on the UK.
- Inadvertent Funding of Foreign States – mass procurement of some technologies could lead to inadvertent funding of countries considered to pose a state threat to the UK.
- Impact on Relations with Allies – the use of technology originating from certain overseas territories could have an impact on the UK’s relationship with its allies.
The use of technology in sensitive environments (for example, Telecommunications Networks) may be prohibited elsewhere and its use may impact relations.
Whilst the lists of national and organisational considerations above are intended to help inform your understanding of the risks related to network connected security technology systems, good risk management is not simple and should be done by suitably qualified and experienced people. It is therefore recommended that in the first instance you reach out to any legal, cyber security and physical security risk management expertise that might already exist within your organisation, so that the risks associated with your use of network connected security technology can be properly understood and managed.
Where this risk management expertise does not exist then further information on cyber security and protective security risk management can be seen here:
https://www.ncsc.gov.uk/collection/risk-management
https://www.npsa.gov.uk/protective-security-risk-management-psrm-0
Conclusion
The first part of this guidance has detailed national and organisational concerns associated with the use of network connected security technology within your environment, along with topics to consider when deciding whether to procure new network connected security technologies.
A flowchart to support the decision-making process has been included below. If any of the considerations provided in this section are a cause for concern to you, then you may wish to reduce, limit or exclude the deployment of network connected security technologies in some circumstances, and/or discontinue their use in others.
It is recognised that in many circumstances the deployment of networked security technologies remains essential, despite the risks. In these circumstances their deployment, or continued use, must be subject to robust risk management, around both data protection and cyber security, in order to reduce the risk to your organisation.
The second part of the guidance can be used to help appropriately manage the risks of deploying network connected security technologies if your organisation chooses to proceed with their deployment or decides to maintain existing systems already within its environment.
Part 2: Managing the Risks Associated with the Deployment of Network Connected Security Technologies
Managing Deployment Risk
Given the abundance of security hardware, software and services that are available, it is expected that network connected security technologies will have already been deployed in many environments.
There are both risks and benefits associated with the use of network connected security technologies and while the nature of the supply chain for these systems means that some products can offer significant cost benefits over others, they may pose increased risks in certain areas.
In the right (and well risk managed) context, the use of network connected security technologies could be appropriate for an organisation and the risks associated with them could be managed if careful planning is undertaken.
Network connected security technology systems are often commissioned, procured, implemented, used, managed and maintained outside of the normal organisational/enterprise IT channels and, as a result, important risk management processes may be missed.
Those buying and installing networked security technology systems, including physical security teams, should engage with their organisation’s existing IT, IT security or cyber security teams at the earliest opportunity to ensure that the risks associated with what they are doing are properly understood and managed. If cyber security expertise does not already exist within an organisation, then decision makers and leaders should seek that expertise from third party sources, for example from an NCSC assured cyber security consultancy. Further information on assured cyber security consultancy companies can be found here:
https://www.ncsc.gov.uk/information/ncsc-assured-cyber-security-consultancy
Whatever the driver or incentive to deploy network connected security technologies, they need to be deployed securely so that any risks associated with them are being effectively and proportionately managed.
To achieve this, organisations must assess the risks they face. This is done by firstly assessing the threats they face (e.g., nation states, organised crime, or opportunistic attackers), considering the technical and non-technical vulnerabilities exposed by the networked security system they are using, and by understanding the impacts a successful attack might have on them.
These impacts might affect the confidentiality, integrity, or availability of sensitive information, and the operation of:
- Security technology systems (such as Video Surveillance System (VSS) streams or access control devices), connected services (such as servers, workstations, mobile devices) or data storage (such as video or audio recordings) associated with them.
- The wider corporate IT system.
This analysis of threat, vulnerability and impact can then be used to help to understand the risks and how best to manage them. Most organisations will have methodologies to work with IT, information or cyber security risk and these approaches can be used to help elicit and manage the risks associated with using a network connected security technology.
It is important to ensure the physical security technology system is operated, managed and maintained securely. This will include limiting and managing privileged access to the system, properly training users, administrators and maintainers, keeping the system patched and up to date to address new vulnerabilities and monitoring the system for attacks and breaches of organisational security policies. Organisations should also ensure that there is a security incident management plan in place to ensure that security incidents are effectively and securely managed.
The high-level guidance presented here is intended to inform good risk management, but will not serve as a replacement for properly contextualised and diligent risk management work. It is important to ensure that cyber security professionals and risk management practitioners are engaged in the process of managing the risks associated with the deployment of any network connected security technology.
The design, installation, configuration, maintenance and support of networked security systems (as with all other IT systems), should be completed by a team of suitably skilled professionals with an appropriate level of experience in cyber security and IT management.
The intention of the remainder of this guidance is to help you to understand, and manage, some of the common risks associated with using network connected security technologies in your physical security operation. It provides reference to existing best practice, guidance and frameworks (see Annex for details) that can be used to implement effective security controls.
Securing Common Deployment Scenarios
This section will present three representative deployment scenarios to help you better understand the risk associated with each and the mitigations that can be used to manage them.
A tiered approach has been taken. The recommendations made for each scenario are cumulative, in that they build upon each other as the representative deployment scenarios increase in complexity, from a physically isolated scenario through to a fully connected cloud-based scenario.
The Annex below provides more detail on the risks associated with the deployment scenarios and provides references to other guidance provided by UK and international authorities on physical and cyber security as well as best practice standards.
Scenario 1: Isolated network security system
There are very few examples of truly isolated systems (i.e. not connected to any other internal or external networks, either physically or virtually); most systems will import and/or export information. Furthermore, systems will need managing and will require the installation of patches and updates, which are either installed via removable media or through the connection of management devices. These connections and data exchanges therefore introduce risks to the system.
Figure 1 below shows an isolated physical security system within the blue square, in this example a VSS network.
Isolating a networked security system will dramatically reduce the risk of deploying it within an environment. However, there are still some risks that must be managed, for example an attacker gaining physical access to the network, or a device being compromised before installation. As always, there is a risk-management decision to be made; however, in high threat/high risk environments an isolated model will afford the best protection.
As an example, a camera hosted on a segregated network may be streaming video to a monitoring station and/or a Network Video Recorder (NVR) which are also hosted on an isolated security network. If an attacker has managed to physically attach to the network and has compromised the camera, then it may be possible to disable it, which in turn would significantly weaken the monitoring coverage of a physical location.
Additionally, sensitive information may be extracted from the compromised camera. For example, administrative passwords could be identified and used to exploit other devices, including the monitoring station or NVR on the security network. If the installer or administrator has re-used those passwords elsewhere, then devices on completely different networks could then also be compromised.
To decrease the risk of compromise to devices on an isolated network, basic security controls should be implemented. Applying these controls and following good IT security practices will significantly reduce the likelihood of a successful attack, irrespective of how your system has been architected, implemented and configured (i.e. isolated, network connected, or cloud connected).
Some examples of security controls that might be implemented to help manage the risks posed to and from an isolated network would include:
- Appropriate Vendor and Product Selection - consider supply chain security (follow guidance from NPSA and the NCSC) and ensure that vendors provide sufficient product support post-purchase/post-installation to maintain security.
- Ensure that devices are resilient to attack and have inherent protection mechanisms. Further guidance on these can be found in the latest NPSA CAPSS guidance and where possible products should be chosen that have CAPSS assurance.
- Review the update history of the device model(s), or similar devices previously released by the vendor and look for regular updates that address security vulnerabilities. Also, ensure that devices remain supported for reasonable timeframes and will not be considered “end-of-life” within a short timeframe or the near future, which may leave them exposed to attack and then in need of replacement.
- Understand security requirements and define them in contracts and agreements. Whilst this might not be straightforward with an offshore product manufacturer, this may be a consideration for support companies such as integrators.
- Ensure that suppliers make use of secure design, development and deployment practices such as those described in the NCSC’s secure design, development and deployment guidance.
- Review Terms and Conditions - Examine the Terms and Conditions for any security technology you either use or are thinking of using, as these will often say where and how information is stored and handled, how information is shared with any third parties and what laws a vendor or service provider must comply with. Ensure that these are acceptable in the context of the risks and considerations described in this guidance and your organisation’s legal and regulatory obligations.
- Prevent Connection of Unauthorised Equipment - Implement a solution that restricts access to the network, so that the connection of unauthorised equipment is made harder. Examples include a Network Access Control (NAC) security appliance or an approach such as IEEE 802.1X port-based authentication, if supported by the switches and security devices.
- Secure System Configuration - Systems should be securely configured (also known as “hardening”). This process would make a system and its devices more resilient to attacks, and might include:
- Disabling unnecessary interfaces, including telecommunications interfaces such as 4G/5G access (which may allow a remote bridge into your environment) or USB interfaces that could be used to import or export data.
- Limiting the number of services present on the device, to only those that are necessary.
- Removing default accounts with known passwords.
- Using secure cryptographic protocols and measures to enable data integrity and authenticity checking and to protect sensitive data in transit and in storage.
- Ensuring that all accesses by people, other systems and devices are authenticated and authorised.
- Disabling unnecessary administration interfaces.
- Implementing access control lists.
- Ensure the use of Multi Factor Authentication (MFA) for access to privileged accounts and to carry out privileged activities (e.g. for administrators and maintainers).
Further useful information can be seen here:
- https://www.ncsc.gov.uk/collection/10-steps/architecture-and-configuration
- https://www.ncsc.gov.uk/collection/10-steps/data-security
- https://www.ncsc.gov.uk/collection/10-steps/identity-and-access-management
- https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy
- https://www.ncsc.gov.uk/guidance/authentication-methods-choosing-the-right-type
- Protect data whilst it is in transit and in storage - All sensitive data transmitted across and between networks needs to be protected in transit from interception and unauthorised change; this can be achieved using secure network protocols such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Any sensitive data stored on a locally hosted system or in a cloud service must be appropriately protected against unauthorised access; this can be achieved using suitably strong cryptographic solutions to encrypt data at rest.
Further information on protecting data in transit and in storage can be seen here:
- https://www.ncsc.gov.uk/collection/device-security-guidance/security-principles/protect-data-at-rest-and-in-transit
- https://www.ncsc.gov.uk/collection/10-steps/data-security
- https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data
- https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data
- Restrict Physical Access to Systems - Prevent unauthorised physical access to any computer, network equipment or cabling used to deliver a security system to protect against attacks such as theft, damage, sabotage or unauthorised change.
- Vulnerability Management - Ensure that hardware devices and software are regularly updated and patched, particularly when they are affected by a known vulnerability. When designing a process to apply updates and patches, be cognisant of the risk posed from connecting removable media.
- Logging and Monitoring - Monitor security systems, services and networks for malicious activity and breaches of security policy. For example, this might include monitoring the environment for devices that go offline, reporting on potential attacks (where supported) and providing an alerting mechanism to warn administrators or operators of suspicious events. Security relevant events could include unauthorised attempts to access systems, information, services and management interfaces; changes to systems; creation of new accounts and changes to user privilege levels; and the use and attempted use of sensitive systems, services or functions. Ensure that logs of security relevant events are stored securely where they cannot be tampered with or destroyed maliciously, and are available to authorised staff only for review in the event of a security incident. Ensure that logs, system time and the time stamping of live or recorded events can be trusted and are protected. For further information, you should consult the NCSC logging and protective monitoring guidance.
- Data Imports and Exports - Understand the risk posed by importing information to and exporting information from your security system. These risks might include the introduction of malware and the unauthorised release of sensitive information. Consider how to securely manage data imports to and exports from your security systems; these might include the import of security updates and patches, and the transfer of recorded information to another system (for example for evidential or investigative purposes). Ensure that support personnel and integrators do not compromise an isolated network to enable temporary or regular updates or data imports. They should not connect isolated security systems to an external network, or connect any devices to a network connected security technology system, without authority. This could be governed by providing security policies / operating procedures and contractual terms, as well as agreeing secure processes for importing and exporting information in advance. Place limits on and control information exports and, as a minimum, check imported information for the presence of malware and seek assurance in the integrity and authenticity of any imported information (e.g. patches and updates), for example by checking hashes and digital signatures.
Further NCSC guidance on importing and exporting data can be seen here:
- https://www.ncsc.gov.uk/guidance/pattern-safely-importing-data
- https://www.ncsc.gov.uk/guidance/design-pattern-safely-exporting-data
- Secure Maintenance and Management - Network connected security technology systems need to be managed and maintained securely. Where there is a need to connect additional equipment or devices to a networked security technology system for management or maintenance purposes then this should follow a browse down model using privileged access workstations (PAW) as described here: https://www.ncsc.gov.uk/collection/secure-system-administration
- Malware Protection - Use malware controls to detect and prevent the introduction and execution of malware (including ransomware) within the environment, particularly associated with patches, updates and any other data imported into the environment.
Further useful information can be seen at:
- https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
- Data Backups - Ensure backups of security systems’ software, firmware, configurations and important operational data are made, so that in the event of a successful attack on the integrity or availability of the system, the service can be restored to normal operation as soon as possible. Test system restore processes and ensure that systems are included in any relevant business continuity and disaster recovery planning processes.
Further information on backups and protecting cloud-based backups from ransomware attacks can be seen here:
- https://www.ncsc.gov.uk/collection/10-steps/data-security
- https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-backups
- Independent Security Testing - Arrange an independent security assessment of your security systems and any supporting network architecture (see the NCSC website for further information). The scope of the test should determine whether it is possible to compromise systems on the network through software vulnerabilities or configuration weaknesses, as well as identifying whether any information is leaked over the network. The scope of security testing should include checks to assess whether systems have been configured securely in line with recommended best practices, and where necessary testing should consider attacks that seek to overcome network boundaries, gain unauthorised access to systems and information, and move around and between networks.
You should note that independent security testing is only one way in which you can gain confidence in your security technology system, and you should seek expert advice from your IT security team on other ways by which you can gain and maintain security assurance.
Further useful information on gaining and maintaining security assurance can be seen here:
- https://www.ncsc.gov.uk/collection/risk-management/how-to-gain-and-maintain-assurance
- https://www.ncsc.gov.uk/guidance/penetration-testing
- https://www.ncsc.gov.uk/information/using-check-provider
Scenario 2: Connected Networks
At the time of publication, the majority of security networks are “connected networks”: networks with connectivity to any other network.
This category includes networks implemented using Virtual Local Area Networks (VLANs), a technology that provides logical separation between ports on a single network switch. VLANs are typically used to run ‘logically separate’ networks over a single cabling and switch infrastructure; common examples include building control / security and Voice over IP (VoIP) networks.
Whilst VLANs can provide logical network isolation, they are often misconfigured, allowing an attacker to gain access (“VLAN hop”) to other VLAN segments attached to the switch, typically by negotiating a trunk on a port left in its default dynamic mode, or by double-tagging frames across a trunk whose native VLAN is also used for access ports. Figure 2 shows a typical VLAN configuration: two VLANs logically separate a VSS network (VLAN 1) from a simple corporate network (VLAN 2) hosting sensitive company information in a database.
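A check for the misconfigurations just described, as an added example that is not part of the guidance: it parses a Cisco IOS-style switch configuration (an assumed syntax; the configuration below is constructed for illustration and uses VLANs 10 and 20 rather than the figure's VLAN 1 and 2 numbering) and reports the ports on which VLAN hopping would be possible. The checks encode the usual 802.1Q hardening points: access ports hard-set with DTP disabled, trunks carrying an explicit VLAN list and an unused native VLAN, and VLAN 1 not used for anything.

```python
"""Audit a Cisco IOS-style switch configuration for VLAN-hopping exposure.

Added example, not from the NPSA/NCSC guidance. The configuration text and
interface names are constructed; the syntax assumed is Cisco IOS.
"""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description VSS camera 01
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description corporate workstation
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description spare
 switchport mode access
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} for each interface block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def _value(lines: list, prefix: str, default):
    """Last word of the first line starting with prefix, or default."""
    for ln in lines:
        if ln.startswith(prefix):
            return ln.split()[-1]
    return default


def audit_interface(name: str, lines: list) -> list:
    """Return (severity, message) findings for one interface."""
    findings = []
    mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
    access_vlan = int(_value(lines, "switchport access vlan ", 1))
    native_vlan = int(_value(lines, "switchport trunk native vlan ", 1))
    allowed = _value(lines, "switchport trunk allowed vlan ", None)
    nonegotiate = "switchport nonegotiate" in lines

    if mode in (None, "dynamic"):
        # IOS default is "dynamic auto": the port forms a trunk if the attached
        # device speaks DTP, exposing every VLAN on the switch.
        findings.append(("HIGH", f"{name}: DTP negotiation not disabled (mode {mode or 'default'}); "
                                 "set 'switchport mode access' and 'switchport nonegotiate'"))
    elif mode == "access":
        if not nonegotiate:
            findings.append(("MEDIUM", f"{name}: access port still answers DTP; add 'switchport nonegotiate'"))
        if access_vlan == 1:
            findings.append(("MEDIUM", f"{name}: access port left in VLAN 1, the default native VLAN"))
    elif mode == "trunk":
        if native_vlan == 1:
            findings.append(("HIGH", f"{name}: trunk native VLAN is 1 (default); a host on any VLAN 1 access "
                                     "port can double-tag frames into other VLANs; set an unused native VLAN "
                                     "and enable 'vlan dot1q tag native'"))
        if allowed is None or allowed == "all":
            findings.append(("MEDIUM", f"{name}: trunk allows all VLANs; prune to the VLANs this link needs"))
    return findings


def audit(config: str) -> list:
    """Audit every interface block in the configuration."""
    results = []
    for name, lines in parse_interfaces(config).items():
        results.extend(audit_interface(name, lines))
    return results


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the sample, only the camera port passes: the workstation port can be negotiated into a trunk, the spare port answers DTP and sits in VLAN 1, and the uplink trunk still uses VLAN 1 as its native VLAN. Run against a real configuration, the same checks tell you whether the "logical separation" between the VSS and corporate VLANs actually holds at the switch.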
The relative attack surface of a network-connected environment will be larger than one that is physically isolated. You should consider whether the risk associated with this model is manageable in the context of what your organisation does and what it cares about.
An example scenario of “connected networks” would be the connection of a security device, connected via IP, to a controlling management server and a network-based video recorder. In this case, there may be a requirement for the IT department to gain access to the system (to apply patches and updates) as well as building facilities management to view streams from a management server. Rather than requiring those teams to attach to a separate network to operate the system, it would be more convenient for them to have access from their workstations on the corporate network.
Building on this, there may also be onward connectivity to the internet, through a firewall protecting the segregated network that hosts the VSS devices, or via a route through the corporate network. An internet connection may be necessary to facilitate manual or automatic patch and firmware updates for surveillance devices or to allow remote support from a third party (potentially) via a Virtual Private Network (VPN) or Remote Access Server (RAS). Remote access may be particularly relevant where the security networks are hosted in geographically distant environments, or an organisation outsources physical security or IT management to a third-party.
A system that is connected to third-party management and integration systems, e.g. a security management system (SMS) would be considered to be an example of “connected networks”.
Figure 3 shows an example of a “connected networks” security technology system. In this case, the network is segregated from the main corporate network using a firewall, however this firewall also provides remote access for a vendor to support the surveillance equipment. In this example, the internet connection is also used for downloading and applying firmware updates.
Any connection to another network e.g. to a vendor network for support purposes, could enable an adversary to carry out a number of attacks. These might include:
- The import of malicious code, including ransomware.
- The export of sensitive information.
- Unauthorised access to systems, services and information.
- Use of the physical security technology system as a route to launch attacks on and gain access to other connected networks, e.g. the corporate network.
- Taking control of the physical security technology system.
- Denying the use of the physical security technology system and any other connected system to authorised users.
You should seek to design your systems, networks and architectures with security in mind and NCSC advice and guidance here will help:
- https://www.ncsc.gov.uk/collection/cyber-security-design-principles
- https://www.ncsc.gov.uk/collection/developers-collection
- https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
Building upon the controls recommended for a physically isolated system, further measures are needed to protect a network connected security technology system, including:
- Network Boundary Protection - Protect the boundary of your network from unauthorised access and connectivity, import of malware and unauthorised export of information.
- Network Segregation - Separate your networks into smaller network segments by function, sensitivity of information or criticality to make it harder for attackers to move between networks and limit the effect an attack can have on the organisation or system as a whole.
- Secure Remote Access - Control and manage all remote access to your systems including third party access for management and maintenance purposes. Ensure that all remote accesses are authenticated and authorised using multi-factor authentication, encrypted to protect information in transit, monitored and time limited.
Scenario 3: Cloud Connected
Building on the network connected example above, there are many other scenarios whereby networked security technologies might be deployed in more complex architectures that make use of cloud services (e.g. Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), as well as manufacturer-specific cloud instances).
This scenario could include the use of cloud services, to store and process collected information, and to use, manage and maintain the physical security technology system itself. The specific risks associated with the use of cloud services will depend on the service and deployment model that is being used but irrespective of this, these cloud services are most likely to be public and be globally accessible from the internet.
If your physical security technology system makes use of cloud services to store and process information or to facilitate its use, management or maintenance then you should consider the following risks:
- Public cloud services can be hosted anywhere in the world including in countries and territories that are not considered to be compliant with UK security and privacy laws and regulations.
- Public cloud services are by definition connected to the internet so that users can gain access to them. This means that any aspect of a networked security technology system that is hosted in a public cloud service is, without the right security and privacy measures, accessible from anywhere in the world.
- The deployment and shared responsibility model used to deliver a cloud based networked security technology system will dictate the things that the owning organisation can control and manage, and the things that they cannot.
- Because cloud based services need to be connected to the internet to enable user access to hosted services and information, poor implementation and application of available security controls can lead to unauthorised access, change and denial of service.
- Public cloud services are usually hosted on shared infrastructure, meaning that the same piece of infrastructure will host multiple client tenants using virtualisation software solutions to separate one tenant from another. This means that there is a risk that a virtualisation vulnerability, implementation error or malware attack could lead to an attacker being able to take control of and move between the various customer tenants that are hosted on shared cloud infrastructure.
One of the most important risks to consider in the implementation of a “cloud connected” model is that you have handed custody of your data to a third party and thus some elements of monitoring and intrusion detection will be harder to implement.
Building on the controls outlined for scenarios 1 and 2, further measures should be considered to protect an environment that is cloud connected. These include:
- Data Transfer and Storage Locations - Cloud services can be hosted anywhere in the world, therefore your data and services could be hosted, transferred to and or stored anywhere in the world. You should ensure that the cloud services you are using are geographically located in countries and territories that meet your security and privacy needs and any legal or regulatory obligations you must meet. When configuring and managing the security of your cloud service you might also need to place limits on the geographical locations from where your services and information can be accessed.
Further information about protecting cloud services can be seen here:
- https://www.ncsc.gov.uk/collection/cloud
- Understand what you are responsible for doing to secure your use of cloud services - Most cloud service providers use a shared responsibility model to describe who is responsible for looking after your data and services. What you are responsible for and what your service provider is responsible for will depend on the type of service you are using and how it is being implemented. It is therefore important that you clearly understand what you are responsible for doing from a security perspective to help you understand what you need to do to keep your data and services secure.
Further information on securing any cloud service related to your security system and on cloud security shared responsibility models can be seen here:
- https://www.ncsc.gov.uk/collection/cloud
- https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model
- Cloud Service Provider Security - Ensure that the vendor has demonstrated strong security maturity of their services, for example through the publication, for both the vendor and the data centres / IaaS cloud providers they rely on, of in-date certifications (with a suitable scope / statement of applicability) such as ISO 27001, SOC 2 and the CSA Cloud Controls Matrix (CCM). Additionally, check that key assurance activities are taking place, such as security updates, penetration tests and external audits. Review technical assurance statements and architecture details and seek assurances on how separation between tenants is enforced.
- Security of your Use of Cloud Services - Review and update cloud service security settings (consult vendor documentation or engage a security team to assist), for example ensure MFA is setup for administrative access to the service, default / generic usernames (such as “admin”) are removed and that users are set up with only the necessary privileges to administer the areas of the service that are required.
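The account review asked for under Secure Remote Access (scenario 2) and Security of your Use of Cloud Services (scenario 3), as one added example that is not part of the guidance. It works over an exported list of remote-access and cloud-console accounts; the records, the field names and the access register are constructed and assumed, not any vendor's export format. The checks are the ones the two controls name: administrative access has MFA, default or generic usernames are gone, third-party access is time-limited and not left enabled after expiry, accounts hold no more privilege than the access register grants, and dormant accounts are flagged.

```python
"""Review remote-access and cloud-console accounts for a security system.

Added example, not from the NPSA/NCSC guidance. Account records, field names
and the access register below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the constructed data gives stable results.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

ACCOUNTS = [
    {"user": "admin", "role": "administrator", "mfa": False, "type": "local",
     "expires": None, "last_login": NOW - timedelta(days=2)},
    {"user": "j.smith", "role": "administrator", "mfa": True, "type": "internal",
     "expires": None, "last_login": NOW - timedelta(hours=3)},
    {"user": "vendor-support", "role": "administrator", "mfa": True, "type": "third_party",
     "expires": None, "last_login": NOW - timedelta(days=40)},
    {"user": "integrator-temp", "role": "operator", "mfa": True, "type": "third_party",
     "expires": NOW - timedelta(days=1), "last_login": NOW - timedelta(days=5)},
    {"user": "fm-viewer", "role": "viewer", "mfa": True, "type": "internal",
     "expires": None, "last_login": NOW - timedelta(days=1)},
    {"user": "fm-desk", "role": "administrator", "mfa": True, "type": "internal",
     "expires": None, "last_login": NOW - timedelta(days=200)},
]

# The role each person is authorised to hold (assumed access register).
ACCESS_REGISTER = {
    "j.smith": "administrator",
    "vendor-support": "administrator",
    "integrator-temp": "operator",
    "fm-viewer": "viewer",
    "fm-desk": "viewer",
}

GENERIC_NAMES = {"admin", "administrator", "root", "service", "support", "guest"}
RANK = {"viewer": 0, "operator": 1, "administrator": 2}
DORMANT_AFTER = timedelta(days=90)


def review_account(acct: dict, register: dict = ACCESS_REGISTER, now: datetime = NOW) -> list:
    """Return the list of issues found for one account (empty if none)."""
    issues = []
    if acct["user"].lower() in GENERIC_NAMES:
        issues.append("generic/default username; replace with named accounts")
    if acct["role"] == "administrator" and not acct["mfa"]:
        issues.append("administrative access without MFA")
    if acct["type"] == "third_party":
        if acct["expires"] is None:
            issues.append("third-party access is not time-limited")
        elif acct["expires"] < now:
            issues.append("third-party access expired but account still enabled")
    approved = register.get(acct["user"])
    if approved is None:
        issues.append("account not in access register")
    elif RANK[acct["role"]] > RANK[approved]:
        issues.append(f"role '{acct['role']}' exceeds authorised role '{approved}'")
    if now - acct["last_login"] > DORMANT_AFTER:
        issues.append(f"dormant for over {DORMANT_AFTER.days} days; disable or remove")
    return issues


def review(accounts: list = ACCOUNTS, register: dict = ACCESS_REGISTER, now: datetime = NOW) -> dict:
    """Map each account with findings to its list of issues."""
    report = {}
    for acct in accounts:
        issues = review_account(acct, register, now)
        if issues:
            report[acct["user"]] = issues
    return report


if __name__ == "__main__":
    for user, issues in review().items():
        for issue in issues:
            print(f"{user}: {issue}")
```

The register comparison is the part most often skipped: an account can have MFA and a named owner and still be an administrator when the job only needs to view streams, which is exactly the facilities-management case in the scenario 2 description. Repeat the review whenever a vendor engagement ends, not only on a schedule.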
Conclusion
In a similar manner to any other IT system, whether your security technology system is deployed in an “isolated”, “connected networks” or “cloud connected” scenario, the risks to the organisation need to be appropriately understood, and managed, in line with your organisation’s risk appetite.
This section of the guidance has provided a high-level view of the potential risks that would be associated with deploying network connected security technologies in different configurations and presented an overview of outcomes that can be adopted to manage them.
The Annex of this document provides further practical guidance and a mapping of the above security controls onto a number of different publicly available cyber assurance standards, namely NPSA’s Cyber Assurance of Physical Security Systems (CAPSS), the NCSC Cyber Assessment Framework (CAF), the NCSC Cloud Security Principles and ISO 27002. While these are not an exhaustive list of standards relevant to the security of networks hosting networked security technologies, they should cover the vast majority of controls relevant to this area.
Annex: Further Standards
This section maps the guidance in section 2.1 onto published standards and provides further references and resources for managing the risks associated with deploying networked security technologies in your environment. It includes references to NPSA’s CAPSS, the NCSC’s CAF and ISO 27002. This information is not exhaustive and other standards such as ETSI EN 303 645 may be relevant.
Scenario 1 Controls
Number | Control | Isolated | Connected | Cloud | Further Detail | NPSA CAPSS | NCSC CAF | ISO 27002: 2022 | NCSC Cloud Security Principles |
1 | Appropriate Vendor and Product Selection | X | X | X | | Pre-Req 3 Pre-Req 4 | A4 | 5.19 | P2.1 |
2 | Review Terms and Conditions | X | X | X | Examine the Terms and Conditions for any security technology you either use or are thinking of using as these will often say where and how information is handled and what laws a vendor must comply with. Ensure that these are acceptable in the context of the risks and considerations described in this guidance and your organisation’s legal and regulatory obligations. | N/A | A4 | 5.20 5.21 5.22 5.23 | P2.1 |
3 | Prevent Connection of Unauthorised Equipment | X | X | X | Implement a solution that restricts access to the network, so that connecting unauthorised equipment is harder. Examples include a NAC security appliance or an approach such as IEEE 802.1X, if supported by the switches and security devices. | 402 | B2 | 5.15 | P2.2 |
4 | Secure System Configuration | X | X | X | Systems should be securely configured (also known as | 105 500 501 502 503 506 | B2 B3 B4 | 5.14 5.21 7.10 8.24 8.26 8.27 | P7 |
5 | Protect data whilst it is in transit and in storage | X | X | X | All sensitive data transmitted across and between networks needs to be protected in transit from interception and unauthorised change; this can be achieved using secure network protocols such as transport layer security (TLS) and Internet Protocol Security (IPsec). Any sensitive data stored on a locally hosted system or in a cloud service must be appropriately protected against unauthorised access; this can be achieved using suitably strong cryptographic solutions to encrypt data at rest. | 100 105 401 406 | B3 | 5.14 8.24 8.26 8.27 | P1 P2 |
6 | Restrict Physical Access to Systems | X | X | X | Prevent unauthorised physical access to any computer, network equipment or cabling used to deliver a security system to protect against attacks such as theft, damage, sabotage or unauthorised change. | 201 203 204 | B2 | 7.1 7.4 7.8 | P2.2 |
7 | Vulnerability Management | X | X | X | Whilst understanding the risk posed from connecting removable media or another device to your security system, ensure that hardware devices and software are regularly updated with firmware updates and patches, particularly when they are affected by a known vulnerability. | 106 | B4 | 8.8 | P5 |
8 | Logging and Monitoring | X | X | X | Monitor security systems, services and networks for malicious activity and breaches of security policy. For example this might include monitoring the environment for devices that go offline or reporting on potential attacks (where supported) and providing an alerting mechanism to warn administrators or operators of suspicious events. Security relevant events could include unauthorised attempts to access systems, information, services and management interfaces, changes to systems, creation of new accounts and changes to user privilege levels, and the use and attempted use of sensitive systems, services or functions. Ensure that logs of security relevant events are stored securely where they cannot be tampered with or destroyed maliciously and are available to authorised staff only for review in the event of a security incident. Ensure that logs, system time and time stamping of live or recorded events can be trusted and are protected. For further information, consult the NCSC logging and protective monitoring guidance. | 403 600 601 602 603 604 605 | C1 C2 | 6.8 8.15 8.16 8.17 | P5.2 P5.3 P13 |
9 | Data Imports and Exports | X | X | X | Understand the risk posed by importing information to and exporting information from your security system. These risks include the introduction of malware and the unauthorised release of sensitive information. Consider how to securely manage data imports to and exports from your security systems; these might include the import of security updates and patches, and the transfer of information to another system. Ensure that support personnel and integrators do not compromise an isolated network in order to carry out temporary or regular updates or data imports: they should not connect isolated security systems to an external network, or connect any device to a network connected security technology system, without authority. This can be governed through security policies and operating procedures, contractual terms, and secure import and export processes agreed in advance. Place limits on and control information exports. As a minimum, check imported information for malware and seek assurance of the integrity and authenticity of anything imported (e.g. patches and updates), for example by checking hashes and digital signatures. Further NCSC guidance on importing and exporting data: https://www.ncsc.gov.uk/guidance/pattern-safely-importing-data and https://www.ncsc.gov.uk/guidance/design-pattern-safely-exporting-data | 106 107 110 301 | B4 | 7.10 8.20 | P1 |
10 | Secure Maintenance and Management | X | X | X | Network connected security technology systems need to be managed and maintained securely. Where there is a need to connect additional equipment or devices to a networked security technology system for management or maintenance purposes then this should follow a browse down model using privileged access workstations (PAW) as described here: https://www.ncsc.gov.uk/collection/secure-system-administration | 204 300 301 404 500 506 | B2 B4 | 5.37 7.13 8.3 | P12 |
11 | Malware Protection | X | X | X | Use malware controls to detect and prevent the introduction and execution of malware (including ransomware) within the environment, particularly associated with patches, updates and any other data imported into the environment. Further useful information can be seen at https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks | 303 | C2 | 8.7 | P2.5 |
12 | Data Backups | X | X | X | Ensure backups of security systems’ software, firmware, configurations and important operational data are made, so that if an attack on the integrity or availability of the system succeeds, the service can be restored to normal operation as soon as possible. Test system restore processes and ensure that systems are included in any relevant Business Continuity and Disaster Recovery planning processes. Further information on backups and protecting cloud-based backups from ransomware attacks: https://www.ncsc.gov.uk/collection/10-steps/data-security and https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-backups | 302 | B5 | 8.13 | P2.5 |
13 | Independent Security Testing | X | X | X | Arrange an independent security assessment of your security systems and any supporting network architecture (see the NCSC website for further information). The scope of the test should determine whether it is possible to compromise systems on the network through software vulnerabilities or configuration weaknesses, as well as identifying whether any information is leaked over the network. The scope of security testing should include checks to assess whether systems have been configured securely in line with recommended best practices, and where necessary testing should consider attacks that seek to overcome network boundaries, gain unauthorised access to systems and information, and move around and between networks. Where your security system involves the use of cloud services then you should seek assurance in both the security of the services provided by the cloud service provider and in the way you are using and managing those services. Independent security testing is only one way in which you can gain confidence in your security technology system; seek expert advice from your IT security team on other ways to gain and maintain security assurance. Further useful information on gaining and maintaining security assurance: https://www.ncsc.gov.uk/collection/risk-management/how-to-gain-and-maintain-assurance, https://www.ncsc.gov.uk/guidance/penetration-testing and https://www.ncsc.gov.uk/information/using-check-provider | N/A | A2 | 5.35 8.8 | N/A |
Scenario 2 Controls
Number | Control | Isolated | Connected | Cloud | Further Detail | NPSA CAPSS | NCSC CAF | ISO 27002: 2022 | NCSC Cloud Security Principles |
14 | Network boundary protection | | X | X | Protect the boundary of your network from unauthorised access and connectivity, import of malware and unauthorised export of information. | 404 | B4 B5 | 8.20 | P1 |
15 | Network segregation | | X | X | Separate your networks into smaller network segments by function, sensitivity of information or criticality to make it harder for attackers to move between networks and limit the effect an attack can have on the organisation or system as a whole. | 404 | B4 B5 | 8.20 8.22 | P1 |
16 | Secure remote access | | X | X | Control and manage all remote access to your systems including third party access for management and maintenance purposes. Ensure that all remote accesses are authenticated and authorised using multi-factor authentication, encrypted to protect information in transit, monitored and time limited. | 506 | B4 B5 | 6.7 7.13 | P6 P9 P10 P11 P12 |
Scenario 3 Controls
Number | Control | Isolated | Connected | Cloud | Further Detail | NPSA CAPSS | NCSC CAF | ISO 27002: 2022 | NCSC Cloud Security Principles |
17 | Data Transfer and Storage Locations | | | X | Cloud services can be hosted anywhere in the world, therefore your data and services could be hosted, transferred to and or stored anywhere in the world. You should ensure that the cloud services you are using are geographically located in countries and territories that meet your security and privacy needs and any legal or regulatory obligations you must meet. When configuring and managing the security of your cloud service you might also need to place limits on the geographical locations from where your services and information can be accessed. Further information about protecting cloud services: https://www.ncsc.gov.uk/collection/cloud | 700 | A4 | 5.14 8.26 | P2.1 |
18 | Understand what you are responsible for doing to secure your use of cloud services | | | X | Most cloud service providers use a shared responsibility model to describe who is responsible for looking after your data and services. What you are responsible for and what your service provider is responsible for will depend on the type of service you are using and how it is being implemented. It is therefore important that you clearly understand what you are responsible for doing from a security perspective to help you understand what you need to do to keep your data and services secure. Further information on securing any cloud service related to your security system and on cloud security shared responsibility models: https://www.ncsc.gov.uk/collection/cloud and https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model | 700 | A2 A4 B3 | 5.23 | P4 P14 |
19 | Cloud Service Provider Security | | | X | Ensure that the vendor has demonstrated strong security maturity of their services, for example through the publication, for both the vendor and the data centres / IaaS cloud providers they rely on, of in-date certifications (with a suitable scope / statement of applicability) such as ISO 27001, SOC 2 and the CSA Cloud Controls Matrix (CCM). Additionally, check that key assurance activities are taking place, such as security updates, penetration tests and external audits. Review technical assurance statements and architecture details and seek assurances on how separation between tenants is enforced. | 700 | A2 A4 B3 | 5.23 | P1 to P14 |
20 | Security of your use of Cloud Services | | | X | Review and update cloud service security settings (consult vendor documentation or engage a security team to assist), for example ensure Multi-Factor Authentication (MFA) is set up for administrative access to the service, default / generic usernames (such as “admin”) are removed and that users are set up with only the necessary privileges to administer the areas of the service that are required. | 700 500 501 502 503 506 | A2 A4 B3 | 5.23 | P4 P14 |