Rapid technological developments and policy developments have brought new challenges for alarm systems and the alarms systems’ market. One of these challenges is the cyber security of the connected alarm systems. Euralarm members are involved in these challenges via the Cenelec Technical Committee 79 (TC 79)
Within Europe the Cenelec Technical Committee 79 (TC 79) is developing and maintaining standards for detection, alarm and monitoring systems for protection of persons and property, and for elements used in these systems. The scope includes in particular intruder and hold-up alarm systems, access control systems, periphery protection systems, combined alarm – fire alarm systems, social alarm systems, video surveillance systems (formally known as CCTV systems), other monitoring and surveillance systems related to security applications, as well as associated and dedicated transmission and communication systems. Its standard publications also include the services aspects, such as planning and design, engineering, installation and handover.
Within TC 79 one specific Working Group (WG17) focuses on the cyber security aspects of the connected alarm systems. The Working Group was originally set up in 2018 by TC79 as an ad-hoc group to address the growing concerns of cyber security in connected alarm systems. The scope of the activities includes all functional elements of alarm systems as mentioned above.
The objectives of the Working Group are to research and collate the existing initiatives in the field of cyber security as well as develop best practice guidance related to this topic. The know-how is shared with members of TC79. Apart from the research the Working Group has already developed a set of security policies based on best practices for adoption within the connected alarm systems. Also, a cyber task group has been set up to report on important developments from cyber related regulation impacting on alarm systems.
Alarm systems consist generally of devices that are located locally within supervised premises. The devices communicate together using dedicated or shared local interconnections. The system itself communicates away from the local site via a gateway, often controlled by a fire wall. For communication, a public data communication system is often used, such as a cloud system. Many legacy systems still use analogue connectivity, e.g., PSTN or other landline (non IP) technology. The data storage and the processing may be hosted remotely or can be shared as a cloud resource. The operations, maintenance and 3rd party services are undertaken at a remote location.
Based on the comprehensive research of European and global initiatives, standards, and best practices the TC79 WG17 developed a database citing over four hundred standards relating to many facets of cyber security. The database now covers both vertical markets, such as cyber security aspects of power plants and automotive as well as horizontal markets such as IT systems, ICAS. Some of the standards and best practices cover principles, such as management systems and procedures while others cover techniques, such as encryption and technical functions. The Working Group decided to focus on linking the relevant standards to threats and defences.
Based on the research and findings the Working Group concluded that cyber security is a holistic process. It also published ‘Reference Standards and Guidance on Best Practice Cyber Security for Alarm Systems’. This best practice document, of which the second edition was released last June, provides a summary of cyber security topics and standards that are relevant to alarm systems.
Also, a dedicated Cyber task group was created within the Working Group. This task group shares key cyber related issues impacting alarm systems, such as RED Essential Requirements impacting alarm systems and certification schemes developed by ENISA as part of the Cyber Security Act.
Within the BSIA the activities of the Working Group on cyber security aspects of connected alarm systems have led to the launch of the Cyber Security Product Assurance Group (CySPAG). The group is made up of member companies and other stakeholders from a range of industry sub-sectors and subject matter experts who are focused on reducing the risk of product and service-related cyber crime. This interest group is actively engaged in developing industry codes of practice, guidance, certification schemes, and education to support product manufacturers, specifiers, and installers with managing their cyber security risks