IFSEC Global: Protecting CPNI

August 14, 2020

Read the original article via IFSEC Global. Darren Worswick, EMEA Sales Engineer, Identiv, explains why security professionals need to balance using the latest access control tech with ensuring it is properly certified to better protect government buildings and other high-level infrastructure environments. The security industry is going through a period of profound change worldwide, and the access control sector isn’t immune. Over the last five years, technology advances have improved and strengthened our industry as we combat more sophisticated bad actors with cutting-edge technology. At the forefront of this battle are our local, state, and national governments as they are always high on the potential target lists. The Centre for Protection of National Infrastructure (CPNI), a United Kingdom government authority that provides protective security advice to businesses, goes so far as to state: “Generally higher levels of effective and visible protective security at national infrastructure sites are likely to act as a deterrent to terrorists, who increasingly favor soft targets that allow them to achieve their aims with a greater chance of success. Nevertheless, with the continual diversification of the threat, the ambition and capability of terrorist groups to target UK infrastructure are likely to continue to evolve.” Marry that with governments and public officials being subject to higher levels of scrutiny and accountability than ever before, and you arrive at a scenario where the security measures implemented must be rigorous, easy to maintain, and flexible enough to adapt to further requirements and innovations. Furthermore, government facilities are complex sites, with multiple agencies and tenants across various buildings and geographic areas. This creates a varying range of access requirements: open, restricted, classified and secret spaces, all of which demand a variety of controls and methods to prevent unauthorised access. Often, the controlling of access to the site is the first aspect in your defence to build an in-depth strategy against ever more sophisticated threats. When approached at a national or regional level, the simplest way to achieve consistent access control and identity management is through the creation of federal regulatory and compliance programmes, ordinances, and statutes that ensure a consistent level of protection across a multitude of threat vectors and attack surfaces. Organisations like the CPNI in the UK are responsible for “providing resources, guidance, and expert advice to help protect and keep your business secure from external threats”, while FICAM in the United States provides a range of security statutes and regulations related directly to identity and access control. Working with these organisations, and using technologies that are certified by them, ensures that your facility is maintaining the national standard in security practices. An oft-quoted argument bemoans the fact that “bad actors have no integrity when adopting the latest technologies to achieve their goals, and the authorities are always one or several steps behind”. Regulatory requirements and certifications are commonly blamed for creating “red tape and bureaucracy”. While this is true to an extent, the same regulations and certifications ensure that a minimum standard of security and security features are present and provide peace of mind that they are getting a well thought out and maintained solution, guaranteed to meet their needs. Adhering to these regulations and standards also helps improve the overall security posture of the government, ensuring that there are many fewer weak links in the chain. The primary benefit of having a well-maintained set of security policies and practices is that a safer workplace is delivered for the personnel that is often the first interaction for visitors to a site. Multi-factor authentication should be standard, for instance. That multi-factor authentication should also be applied across multi-tenant environments, common to government infrastructure to improve efficiency across multiple sites, but also to create a more flexible method of managing personnel movement. One final benefit of following regulatory procedures and standards is the simplification of tabletop and simulation exercises. By using regulated advice, you already have the rule book and instruction manual to play the game effectively. Any areas of concern or improvement are immediately highlighted as the exercise progresses. Working with technology vendors that are certified and competent in these exercises will improve the experience and are likely to uncover features and areas for improvements for any oversights or omissions from the security exercise. Regular simulations and security exercises will develop your team to be agile and responsive and create a strong foundation for you to innovate in the future. The future is bright when it comes to innovation. Still, there is a balancing act to maintain between rapid change and control and coordination, and this is the path that regulators are being forced to navigate. Of course, there is still room for improvement, but creating regulations that account for innovation and interoperability will serve to set the governments of the world up for future adoption of emerging solutions and to truly take advantage of the renaissance that the physical security industry is undergoing currently. Working with innovative vendors that play by the rules will ensure that you are up to scratch as you undergo physical security transformation.