The British Security Industry Association (BSIA), which claims to represent a membership ‘responsible for more than 70% of privately provided UK security products and services (by turnover)’, released in early January a document titled Cyber secure it – Best practice guidelines for connected security systems with the aim of ‘summaris[ing] current guidelines to minimise the exposure to digital sabotage of network connected equipment, software and systems used in electronic security systems.’ Here, we will give you a brief overview of the guidance.
The guidance is aimed at businesses from across the supply chain of electronic security systems, from product design and installation to maintenance and remote monitoring. It is divided into sections aimed at each stage of the product lifecycle, although the authors encourage readers ‘to become familiar with all sections of [the] document.’ They also clarify that the document does not ‘cover additional vulnerabilities to which connected security systems may be exposed’, such as supply chain or social engineering attacks.
After an initial section that lays out the primary principles underpinning the guidance to be given—e.g., ‘users accessing the system remotely should be uniquely identified and authenticated’, ‘storage of data on a remote device should be kept to a minimum and should be encrypted’, etc.—the advice for product designers is presented. This focuses on areas such as documentation and the need to ‘follow a structured design process’ that includes threat modelling, as well as the benefits of having a communications plan ‘to inform system designers, installers and users as appropriate of product or application updates.’
There follow sections on system installation design and the system installation itself, which again reiterate the need for documentation as well as some good, albeit simple, bits of advice such as changing default usernames and passwords before handover to a client and checking port configurations to ensure unnecessary ports are not left open.
The next two sections cover maintenance by the security company and remote maintenance (and monitoring), with the latter section recommending—amongst other things—that ‘remote centres should consider compliance with minimum IT security best practice as defined within Cyber Essentials’. As you may have noticed, we’re big fans of the UK Government’s cyber security framework here.
The document next provides a short list of guidelines for users, such as implementing and consistently applying a password policy and keeping the security system up to date. This feels like a missed opportunity to reiterate the benefits of Cyber Essentials accreditation for all businesses, but the remainder of the advice is sound. The document closes with a brief exhortation for each stakeholder in the supply chain to ‘have robust and appropriate contingency planning measures in place that should address where a breach has or is likely to occur or where vulnerabilities become known.’
Ultimately, the document contains a lot of good advice for all businesses, not just those in the security sector. The primary principles are applicable to almost anyone, as are many of the guidelines on system installation, whether the system is a cyber-physical one or just a new piece of software.