New Physical Security System Cyber Guidance

Recent NIST guidance includes how to apply foundational NIST cybersecurity documents to a physical access control system (PACS).

Q: Our CISO just informed me that NIST has classified physical access control systems as Operational Technology (OT) and he wants to meet with me. What’s this about?

A: Likely this is good news. He’s referring to the September 2023 revision of the Guide to Operational Technology (OT) Security — NIST SP 800-82r3.

The glossary of the Guide to Operational Technology (OT) Security defines Operational Technology this way: “A broad range of programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment. These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.” So yes, NIST has defined physical access control systems as OT, and this can be helpful to you in several ways.

Unifying Perspective

First, this NIST guide provides a common frame of reference for both you and the IT folks you’ll be collaborating with on the cybersecurity of your PACS deployment. It’s also applicable to your video surveillance system as well. Second, you’ll likely get very strong support from IT for applying the guide and any costs involved in making your systems more cyber secure. Third, if the PACS manufacturer provided a hardening guide or cybersecurity guidance and your systems integrator followed it, then you will already have some or many of the applicable cybersecurity controls in place. The controls cover the people, process, and technology aspects of system cybersecurity, and it’s likely the guide will provide people and process recommendations (such as data privacy controls) for areas of possible improvement as well.

NIST has defined physical access control systems as OT, and this can be helpful to you in several ways.

Section 2.3.6., titled, “Physical Access Control Systems”, explains how an access control system works and provides a logical diagram of a PACS. This is extremely helpful to the IT folks. The concluding paragraph of that section states, “While this guide contains recommendations that are applicable and could be used as a reference to protect a PACS against cybersecurity threats, readers are encouraged to perform a risk-based assessment on their systems and tailor the recommended guidelines and solutions to meet their specific security, business, and operational requirements.”

The fourth way the guide can be helpful is that it includes a section on performing a risk-based cybersecurity assessment on a PACS system or any OT system.

NIST Cybersecurity Framework

One specific purpose for the recent update to the NIST guide is to provide “additional alignment with other OT security standards and guidelines,” including two foundational NIST cybersecurity guidelines:

  • NIST Cybersecurity Framework
  • Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev 5)

Two important aspects of this improved cross-guidance alignment are:

  1. New tailoring guidance for NIST SP 800-53, Rev. 5 security controls. This tailoring guidance shows how to adjust the NIST SP 800-53 controls for a better fit for OT products and systems. There are 67 additions labeled, “OT-Specific Recommendations and Guidance”, most of which apply to electronic security systems deployments. Some guidance will apply conceptually and require only a little added thinking to fine-tune it for specific deployments, and some guidance very directly applies.
  2. Appendix F provides an OT overlay for NIST SP 800-53, Rev. 5 security controls. This provides tailored security control baselines for low-, moderate-, and high-impact OT systems. Some are specific to physical access control systems.

Most IT security personnel are familiar with the NIST Cybersecurity Framework and NIST SP 800-53 and should find it interesting to aid you in applying the Guide to Operational Technology (OT) Security and help you with the material in that you are not familiar with.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities ( In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders.He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and is a member of the ASIS communities for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

© 2024 RBCS