A practical resource for examining network use in the context of modern network technologies is the free e-book Network Design for Physical Security Systems. The book takes a closer look at networking for physical security systems and examines the requirements for an enterprise-scale CPS protection platform.
Basics of Zero Trust
Zero Trust is a cyber security approach – not a product – in which no device, user or system is inherently trusted, whether inside or outside the network. Trust is continuously verified through authentication, authorization and health checks. Its principles suit physical security systems well because of their predictability and limited scope.
1. Never trust, always verify – Assume Breach
No device or user is trusted by default; every action requires verification. Networks are designed so that damage is contained when a device is compromised, on the assumption that a breach may already have occurred.
2. Device identity and network integrity
Connections require verified identities and encrypted data to prevent eavesdropping or malicious traffic. This includes:
- Authenticated digital certificates for all devices and systems.
- Certificate-based encryption using strong standards.
- Mutual authentication between connecting devices, a cornerstone of Zero Trust.
Vendors such as Avigilon, Axis Communications, Hanwha Vision and Bosch support mutual authentication (see product documentation and hardening guides, e.g. the Axis hardening guide). Security teams must collect the product hardening guides and network security specifications for their devices in order to prepare for working with IT on the deployment.
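The following is an added example, not code from the article or from any of the vendors named above, showing what "mutual authentication between connecting devices" means in practice: a site CA issues certificates to a video management server (VMS) and to a camera, the VMS refuses any connection that does not present a certificate chained to that CA, and the camera in turn refuses a VMS whose certificate does not chain to it. The handshake runs in memory over net.Pipe so nothing listens on the network; the CA name, the host names (vms.site.example, camera-01.site.example) and the 24-hour validity are assumptions made for the example. A device that presents a self-signed certificate with the right name but the wrong issuer is rejected by the VMS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert returns a certificate and key for name. With parent == nil it is self-signed
// (used for the site CA and for a rogue device); otherwise it is signed by parent.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed short validity for the example
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a leaf works in both directions: device as TLS client, and as server when managed
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// tlsCert packs a certificate and its key for a tls.Config.
func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// mutualHandshake runs an in-memory TLS handshake between a VMS that only accepts devices
// whose certificates chain to siteCA and a device that only accepts a VMS chained to siteCA.
// It returns the VMS's verdict on the device and the device's verdict on the VMS.
func mutualHandshake(siteCA *x509.Certificate, vmsCert, devCert tls.Certificate) (serverErr, clientErr error) {
	trusted := x509.NewCertPool()
	trusted.AddCert(siteCA)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{vmsCert},
		ClientAuth:             tls.RequireAndVerifyClientCert, // no valid device certificate, no session
		ClientCAs:              trusted,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{devCert},
		RootCAs:      trusted,
		ServerName:   "vms.site.example", // the device checks it really talks to the VMS
		MinVersion:   tls.VersionTLS12,
	}
	srvConn, cliConn := net.Pipe()
	done := make(chan error, 1)
	go func() {
		done <- tls.Server(srvConn, serverCfg).Handshake()
		srvConn.Close()
	}()
	clientErr = tls.Client(cliConn, clientCfg).Handshake()
	cliConn.Close()
	serverErr = <-done
	return serverErr, clientErr
}

func main() {
	ca, caKey, err := issueCert("site-ca", true, nil, nil)
	if err != nil {
		panic(err)
	}
	vms, vmsKey, _ := issueCert("vms.site.example", false, ca, caKey)
	cam, camKey, _ := issueCert("camera-01.site.example", false, ca, caKey)
	rogue, rogueKey, _ := issueCert("camera-01.site.example", false, nil, nil) // right name, wrong issuer
	s, c := mutualHandshake(ca, tlsCert(vms, vmsKey), tlsCert(cam, camKey))
	fmt.Printf("enrolled camera: vms=%v device=%v\n", s, c)
	s, c = mutualHandshake(ca, tlsCert(vms, vmsKey), tlsCert(rogue, rogueKey))
	fmt.Printf("rogue camera: vms=%v device=%v\n", s, c)
}
```

The server-side verdict is the one that matters for admission: with TLS 1.3 the device's own handshake can complete before the VMS has evaluated its certificate, so a device should treat the VMS's rejection (an alert on the first read) as the final answer. In a real deployment the site CA's private key lives in a protected PKI, the device certificates are installed through the vendor's hardening procedure, and revocation or short lifetimes replace the 24-hour validity assumed here.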
3. Micro-segmentation
Networks are divided into isolated segments (micro-segmentation) by function, which limits the potential spread of threats. For example, card readers and controllers are grouped separately from cameras. VLANs commonly isolate video traffic. Micro-segmentation is supported by industrial IoT Ethernet, a modern LAN practice that lowers costs. Access control devices, with their lower bandwidth requirements, are well suited to long-reach Ethernet segments.
Modern LANs enable inexpensive Zero Trust over long runs, using long-reach Power over Ethernet (PoE) on unshielded twisted pair (UTP) or reused coaxial cabling. The following tables show supported cable lengths and data rates.
4. Least-privilege access
Devices and users receive only the minimal access required for their functions, which is already standard practice among leading security teams.
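Sections 3 and 4 together describe a default-deny allow-list between functional segments. The block below is an added example (not from the article) that shows what that policy looks like when checked against a flow log: each VLAN subnet is mapped to a zone, a short allow-list names the only permitted paths, and every flow that matches no rule, including camera-to-camera traffic inside the video segment and traffic from an office subnet to a camera, is reported. The subnets, zone names, the RTSP/HTTPS ports and the access control port 4050 are assumptions made for the example, as are the log lines.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// zones maps each VLAN subnet to the function it isolates (constructed for this example).
var zones = map[string]netip.Prefix{
	"video": netip.MustParsePrefix("10.10.1.0/24"), // cameras
	"acs":   netip.MustParsePrefix("10.10.2.0/24"), // card readers and door controllers
	"vms":   netip.MustParsePrefix("10.10.3.0/24"), // video management servers
	"corp":  netip.MustParsePrefix("10.20.0.0/16"), // general corporate users
}

// Rule is one permitted path between zones on one protocol and port. The policy is an
// allow-list: a flow matching no rule is denied (least privilege, default deny).
type Rule struct {
	Src, Dst, Proto string
	Port            int
}

var policy = []Rule{
	{"video", "vms", "tcp", 554}, // cameras stream RTSP to the VMS
	{"vms", "video", "tcp", 443}, // the VMS manages cameras over HTTPS
	{"acs", "acs", "tcp", 4050},  // controller-to-reader traffic (port is a placeholder)
}

// Flow is one connection as recorded by a firewall or flow collector.
type Flow struct {
	Src, Dst netip.Addr
	Proto    string
	Port     int
}

// parseFlow reads a constructed key=value log line such as
// "src=10.10.1.5 dst=10.10.3.2 proto=tcp dport=554".
func parseFlow(line string) (Flow, error) {
	var f Flow
	var err error
	for _, kv := range strings.Fields(line) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return f, fmt.Errorf("bad field %q", kv)
		}
		switch k {
		case "src":
			f.Src, err = netip.ParseAddr(v)
		case "dst":
			f.Dst, err = netip.ParseAddr(v)
		case "proto":
			f.Proto = v
		case "dport":
			f.Port, err = strconv.Atoi(v)
		}
		if err != nil {
			return f, err
		}
	}
	return f, nil
}

// zoneOf returns the zone containing ip, or "" when the address is in no known segment.
func zoneOf(ip netip.Addr) string {
	for name, p := range zones {
		if p.Contains(ip) {
			return name
		}
	}
	return ""
}

// decide returns "allow" or a "deny: ..." reason for one flow.
func decide(f Flow) string {
	src, dst := zoneOf(f.Src), zoneOf(f.Dst)
	if src == "" || dst == "" {
		return "deny: address outside every known segment"
	}
	for _, r := range policy {
		if r.Src == src && r.Dst == dst && r.Proto == f.Proto && r.Port == f.Port {
			return "allow"
		}
	}
	if src == dst {
		return "deny: lateral traffic inside " + src + " is not on the allow-list"
	}
	return fmt.Sprintf("deny: no rule permits %s -> %s on %s/%d", src, dst, f.Proto, f.Port)
}

// audit evaluates log lines and returns the denied ones with reasons: the alert material.
func audit(lines []string) []string {
	var denied []string
	for _, l := range lines {
		f, err := parseFlow(l)
		if err != nil {
			denied = append(denied, l+" -> deny: unparseable ("+err.Error()+")")
			continue
		}
		if v := decide(f); v != "allow" {
			denied = append(denied, l+" -> "+v)
		}
	}
	return denied
}

// sampleLog is constructed flow-log input for the example.
var sampleLog = []string{
	"src=10.10.1.5 dst=10.10.3.2 proto=tcp dport=554",    // camera -> VMS: allowed
	"src=10.10.1.5 dst=10.10.1.6 proto=tcp dport=80",     // camera -> camera: denied
	"src=10.20.4.7 dst=10.10.1.5 proto=tcp dport=80",     // office PC -> camera: denied
	"src=10.10.3.2 dst=10.10.1.5 proto=tcp dport=443",    // VMS -> camera: allowed
	"src=192.168.9.9 dst=10.10.2.3 proto=tcp dport=4050", // unknown network -> controller: denied
	"src=10.10.2.3 dst=10.10.2.10 proto=tcp dport=4050",  // controller -> reader: allowed
}

func main() {
	for _, d := range audit(sampleLog) {
		fmt.Println(d)
	}
}
```

The same allow-list is what gets translated into VLAN ACLs or firewall rules between the segments; keeping it in one place and auditing real flow records against it is how a team notices a path that was opened "temporarily" and never closed.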
5. Continuous monitoring
Devices and users are continuously evaluated for compliance with expected behaviour, firmware versions and configurations; device errors or deviations indicate a potential security compromise (e.g. malware, hacking attempts).
6. Incremental implementation
Zero Trust is not an all-or-nothing approach. It can be introduced in phases, starting with simple network segmentation and device isolation. A practical starting point could be to create isolated VLANs for cameras, access control systems and intercoms, then restrict the devices' communication paths and implement authentication at important connection points. Most existing infrastructure supports this.
In every existing physical security deployment, the degree to which devices and applications support Zero Trust networking varies, partly with the age of the deployed products. An essential step for security teams preparing for Zero Trust collaboration with IT is to inventory and evaluate the software and hardware landscape of the physical security systems, including product end-of-life, warranty and other product life-cycle information.
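Section 5 (continuous monitoring) and the inventory step above share one mechanism: an inventory that records what each device is approved to run and whether it can take part in Zero Trust, compared against what monitoring actually observes. The block below is an added example, not the article's or any vendor's code, of that comparison: it flags unapproved firmware, configuration drift (detected by hashing the configuration export), devices that have gone silent, devices that cannot do mutual TLS, products past vendor support, and devices reporting in that are not in the inventory at all. The device IDs, models, versions, dates and configuration strings are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Asset is one inventory record: what the device is, what it is approved to run, whether
// it can do certificate-based mutual authentication, and when vendor support ends.
type Asset struct {
	ID, Model, Zone string
	Firmware        string    // approved firmware version
	ConfigHash      string    // SHA-256 of the approved configuration export
	MutualTLS       bool      // device can present and verify certificates
	EndOfSupport    time.Time // vendor end-of-support date
}

// Observation is the latest state monitoring collected from a device.
type Observation struct {
	ID, Firmware, ConfigHash string
	Seen                     time.Time
}

// Finding is one deviation that should become an alert or a remediation ticket.
type Finding struct{ ID, Issue string }

func hashConfig(cfg string) string {
	sum := sha256.Sum256([]byte(cfg))
	return hex.EncodeToString(sum[:])
}

// Assess compares the inventory with the observations as of now and returns one finding
// per deviation; devices silent for longer than maxSilence are reported and not checked further.
func Assess(inv []Asset, obs []Observation, now time.Time, maxSilence time.Duration) []Finding {
	latest := map[string]Observation{}
	for _, o := range obs {
		latest[o.ID] = o
	}
	known := map[string]bool{}
	var out []Finding
	for _, a := range inv {
		known[a.ID] = true
		if !a.MutualTLS {
			out = append(out, Finding{a.ID, "no mutual TLS support: keep in an isolated segment until replaced"})
		}
		if now.After(a.EndOfSupport) {
			out = append(out, Finding{a.ID, "past vendor end-of-support (" + a.EndOfSupport.Format("2006-01-02") + ")"})
		}
		o, ok := latest[a.ID]
		if !ok || now.Sub(o.Seen) > maxSilence {
			out = append(out, Finding{a.ID, "no telemetry within " + maxSilence.String()})
			continue
		}
		if o.Firmware != a.Firmware {
			out = append(out, Finding{a.ID, fmt.Sprintf("firmware %s differs from approved %s", o.Firmware, a.Firmware)})
		}
		if o.ConfigHash != a.ConfigHash {
			out = append(out, Finding{a.ID, "configuration drift from approved export"})
		}
	}
	for _, o := range obs {
		if !known[o.ID] {
			out = append(out, Finding{o.ID, "reporting device is not in the inventory"})
		}
	}
	return out
}

// sampleInventory and sampleObservations are constructed data for a small site.
func sampleInventory() []Asset {
	approved := hashConfig("rtsp=on https=on telnet=off")
	future := time.Date(2029, 1, 1, 0, 0, 0, 0, time.UTC)
	return []Asset{
		{ID: "cam-01", Model: "dome-cam", Zone: "video", Firmware: "11.2.0", ConfigHash: approved, MutualTLS: true, EndOfSupport: future},
		{ID: "cam-02", Model: "dome-cam", Zone: "video", Firmware: "11.2.0", ConfigHash: approved, MutualTLS: true, EndOfSupport: future},
		{ID: "rdr-07", Model: "legacy-reader", Zone: "acs", Firmware: "3.4", ConfigHash: hashConfig("osdp=off"), MutualTLS: false,
			EndOfSupport: time.Date(2023, 6, 30, 0, 0, 0, 0, time.UTC)},
	}
}

func sampleObservations(now time.Time) []Observation {
	return []Observation{
		{"cam-01", "11.2.0", hashConfig("rtsp=on https=on telnet=off"), now.Add(-5 * time.Minute)},
		{"cam-02", "10.9.1", hashConfig("rtsp=on https=on telnet=on"), now.Add(-5 * time.Minute)}, // old firmware, telnet enabled
		{"cam-99", "11.2.0", hashConfig("rtsp=on"), now.Add(-time.Minute)},                        // never inventoried
	}
}

func main() {
	now := time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC) // constructed evaluation time
	for _, f := range Assess(sampleInventory(), sampleObservations(now), now, 24*time.Hour) {
		fmt.Printf("%-7s %s\n", f.ID, f.Issue)
	}
}
```

Hashing the exported configuration rather than comparing individual settings keeps the check vendor-neutral: any change, including one a vendor tool would not surface, shows up as drift, and the team then diffs the export to see what changed. The "no mutual TLS" and end-of-support findings are the inventory output the article asks for before the IT collaboration starts; they tell the team which devices must stay in a tightly isolated segment until they are replaced.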
Zero Trust Advocacy
Physical security professionals do not have to be Zero Trust experts, but should advocate for it and define the overall network design and use of their systems. IT can support the certificate infrastructure, cyber security details and tasks such as switch and router configuration (if not outsourced to a technology provider), as well as network validation and testing. However, security teams and their partners must lead the design and ensure agreement on the system functions on which the site's security processes depend.