EDUCATION · PHYSICAL SECURITY

🛡️ Physical security in cyber security

Physical security is the foundation layer of cyber security: if an attacker has physical access to a device, the logical controls no longer protect it. Defence in depth, secure areas, the 5 D model and the relevant standards (ISO 27002 Chapter 7, NIST SP 800-53 PE family, NIST SP 800-88). Examples are fictional and intended for teaching.

Legend: codes in brackets (e.g. 7.4) refer to controls in Chapter 7 (physical controls) of ISO/IEC 27002:2022.

Why It Is Important

Physical access to circumvent logical controls

[Figure: Physical access bypasses logical controls. A remote network attacker is stopped by the barrier of logical controls (firewall, MFA/IAM, encryption, EDR/AV, segmentation and logging); physical access (presence in the room) bypasses all of them by the lower path and reaches the server and its data (console, disks, RAM, ports - the physical boundary). Vectors: console, BadUSB, disk removal, cold-boot RAM, evil maid.]

Basic principle: physical and cyber security are intertwined. Physical presence allows the firewall, MFA and encryption to be bypassed, so physical controls are as important as network controls. This is also reflected in the mandatory physical controls of ISO 27001 Annex A.7.

Why this is cyber security

Physical access allows an attacker to connect devices, remove disks, read RAM or connect to the console, bypassing network and authentication controls. Server rooms, data centres and workstations are therefore part of the attack surface.

Classical physical attacks

Evil maid (unattended device), cold boot (reading keys from RAM), DMA via Thunderbolt/PCIe, BadUSB and reading stolen disks. Countermeasures: full-disk encryption, Secure Boot/TPM, port blocking, BIOS password.

Objective

Restrict who can physically approach the assets (least privilege applies to premises too) and arrange protection in layers (secure zones) so that a breach of one layer does not give immediate access to the data.

Defence in depth

Concentric safety zones - from perimeter to device

[Figure: Concentric physical security zones - six nested zones from the outer perimeter to the storage medium at the centre, each with its own ISO 27002 control; each layer adds deterrence, detection and delay. Perimeter/territory (ISO 7.1: fence, CCTV, lighting) > Building (ISO 7.2: controlled entry, register) > Secure zone/office (ISO 7.3/7.6: badge, clean desk) > Data centre (ISO 7.4: monitoring, mantrap) > Cabinet (lock) > Device (core: TPM, full-disk encryption, port blocking, seals).]

Defence in depth: no single control is sufficient. The layers are independent of each other, so one breach (e.g. intrusion into the building) still runs into the next layer (badge for the secure area, mantrap at the data centre, lock on the cabinet).

Perimeter and entry (7.1, 7.2)

A clearly defined perimeter (fence, wall, security post), controlled entry points with badge/PIN, registration and escorting of visitors. Purpose: only authorised persons get inside, and every entry is traceable.

Secure areas and working in them (7.3/7.6)

Sensitive spaces are physically separated, with additional access control, clean desk / clean screen and rules for recording devices. Work in the secure area is monitored and documented.

Particular features of the data centre (7.4)

Continuous monitoring (CCTV, alarms, badge logs), mantrap/airlock against tailgating, separate access to server rows and environmental controls. Access logs are kept and periodically reviewed.

Protection objectives

5 D model - deter, detect, deny, delay, respond

[Figure: The 5 D model of physical security - five sequential protection objectives; the attacker moves from left to right and the aim is to delay for longer than the response time. 1 Deter: fence, gates, lighting, visible CCTV, warning signs, guard post. 2 Detect: motion sensors, CCTV recording, alarm, badge logs, door contacts. 3 Deny: locks, badge/PIN, biometrics, mantrap/airlock, guard. 4 Delay: multiple layers, safes and cabinets, reinforced doors, grilles and barriers, seals. 5 Respond: security staff, emergency call (112), incident plan, escalation, evidence. Key formula: delay time > detection time + response time.]

CPTED and 5 D: physical security does not guarantee that nobody gets in, but that an attack is spotted and stopped before it reaches the target. The delay must therefore be longer than the time needed for detection and response.

International practice

ISO/IEC 27002:2022 Chapter 7 and NIST SP 800-53 PE

[Figure: The four control themes of ISO/IEC 27002:2022 - Organisational (chapter 5, 37 controls), People (chapter 6, 8 controls), Physical (chapter 7, 14 controls - this section), Technological (chapter 8, 34 controls). ISO 27001 Annex A.7 mirrors these 14 physical controls; the NIST SP 800-53 equivalent is the PE family.]

ISO 7.1
Physical security perimeters

Defined perimeters around areas with sensitive information.

ISO 7.2
Physical entrance

Entry control, visitor register and accompanying.

ISO 7.3
Securing offices, rooms and facilities

Physical protection and arrangement of sensitive spaces.

ISO 7.4
Physical security monitoring

Continuous surveillance (CCTV, alarms, logs).

ISO 7.5
Protecting against physical and environmental threats

Fire, floods, earthquake, civil unrest, etc.

ISO 7.6
Working in secure areas

Rules and supervision for working in sensitive premises.

ISO 7.7
Clear desk and clear screen

Documents and screens are not left unattended.

ISO 7.8
Equipment siting and protection

Equipment shall be so positioned as to minimise risks.

ISO 7.9
Security of assets off-premises

Protection of laptops, mobile devices outside the office.

ISO 7.10
Storage media

Storage media circulation, storage and transport.

ISO 7.11
Supporting utilities

Electricity, cooling, water - continuity of supply.

ISO 7.12
Cabling security

Protection of power and data cables against damage and eavesdropping.

ISO 7.13
Equipment maintenance

Planned maintenance to maintain availability and integrity.

ISO 7.14
Secure disposal or re-use of equipment

Secure erasure of media before disposal or re-use.

NIST SP 800-53 - PE family

Physical and Environmental Protection: PE-2 (physical access authorizations), PE-3 (physical access control), PE-6 (monitoring physical access), PE-8 (visitor access records), PE-13 (fire protection), PE-14 (temperature/humidity), PE-15 (water damage protection), PE-18 (location of system components).

NIS2 and MK 397

The risk-management measures of Article 21 of NIS2 (Directive (EU) 2022/2555) include the security of the physical environment, access control and asset management. Latvian Cabinet Regulation No. 397 sets the minimum requirements, including physical protection of critical resources.

Other relevant standards

PCI DSS Requirement 9 (physical access to cardholder data), ISO 27001 Annex A.7 (audit reference) and NIST SP 800-116 (PIV/PACS card access control).

Compliance in Latvia - the main requirement is MK 397: Cabinet Regulation No. 397 is the binding regulation in Latvia that determines what must be done (the national cybersecurity legal framework implementing NIS2). Implementing Regulation (EU) 2024/2690 and the GDPR complement these requirements. International standards (ISO 27001/27002, COBIT, SABSA, TOGAF, NIST) provide a recognised, auditable method for implementing them.

[Figure: Compliance layers - from EU law to implementation. Three layers: the EU legal basis (NIS2 Directive (EU) 2022/2555, Implementing Regulation (EU) 2024/2690, GDPR (EU) 2016/679), transposed nationally into Cabinet Regulation No. 397 - Latvia's binding requirement, which sets WHAT must be done within the national cybersecurity legal framework - and implemented with recognised international standards, which give the HOW: ISO 27001/27002, COBIT, SABSA, TOGAF, NIST CSF / 800-53.]

MK 397 determines the result required by law. An international standard is a verifiable way to achieve it; without one, compliance remains declarative.

MK 397 - national requirement

Latvia's binding regulation sets minimum requirements for the physical and environmental security of critical resources. Implementation builds on ISO 27002 Chapter 7 and NIST SP 800-53 PE, which give concrete zones, controls and checks.

Implementing Regulation (EU) 2024/2690

The Annex requires environmental and physical security measures: protection against physical and environmental threats, control of access to premises and security of supporting infrastructure (power, cooling) - the ISO 27002 Chapter 7 controls.

GDPR - media

Physical access to data media and their secure destruction (NIST SP 800-88) are part of personal-data protection under the GDPR. A stolen or discarded disk containing data is a data protection breach just like a network intrusion.

Attacks and countermeasures

Physical threats and their controls

[Figure: Tailgating vs. mantrap (airlock). Left: tailgating/piggybacking - two people pass with one badge, the second follows the badge holder through. Right: a mantrap with two interlocked doors admits one person at a time - one badge = one person; the outer and inner doors are never open at the same time.]

Tailgating
Following through an open door

An unauthorised person enters behind an authorised badge holder.

√ mantrap, turnstiles, awareness, security guards

Badge / RFID cloning
Copying cards

Weakly encrypted RFID cards are read and cloned.

√ encrypted cards, PIN + badge, biometrics

Shoulder surfing
Looking over the shoulder

Reading passwords/PINs from the screen or keyboard.

√ privacy screens, clean screen, screen placement

Dumpster diving
Waste disposal

Documents and media discarded without destruction.

√ destruction before disposal, secure disposal (7.14)

Evil maid
Unattended device

Brief physical access is used to modify the device or its installation.

√ FDE, Secure Boot/TPM, seals, safes

Theft/loss
Loss of devices and media

Laptops, disks and phones go missing or are stolen.

√ encryption, remote wipe, inventory

Lock picking
Bypassing mechanical locks

Weak locks are opened without a key.

√ quality locks, electronic access control, logs

TEMPEST
Electromagnetic leakage

Interception of emanations from cables/screens.

√ shielding, cabling security (7.12), zoning
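As an added example (not part of the original page or of any product it names), here is a badge-log review that applies the mantrap rule "one badge = one person" and the nested-zone layout to a constructed access log. It flags entries into an inner zone that have no recorded entry into the enclosing zone (someone got through the outer door without badging, i.e. tailgating or an unsecured door), second entries without an exit (anti-passback: a shared or cloned card), and exits from a zone the log never saw the holder enter. The door names, zone layout and log lines are all constructed for the example; it is the kind of periodic access-log review the data-centre section (7.4) calls for.

```python
"""Badge-log review for nested security zones (constructed example)."""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical layout: each zone's enclosing zone (None for the outermost layer),
# and which zone each door leads into.
ZONE_PARENT = {"PERIMETER": None, "BUILDING": "PERIMETER", "DATACENTRE": "BUILDING"}
DOOR_ZONE = {"GATE-1": "PERIMETER", "LOBBY-1": "BUILDING", "DC-MANTRAP": "DATACENTRE"}

# Constructed badge log: timestamp,badge,door,direction
SAMPLE_LOG = """\
2024-05-01T08:00:00,B1001,GATE-1,in
2024-05-01T08:02:00,B1001,LOBBY-1,in
2024-05-01T08:10:00,B1001,DC-MANTRAP,in
2024-05-01T08:03:00,B2002,GATE-1,in
2024-05-01T08:12:00,B2002,DC-MANTRAP,in
2024-05-01T08:20:00,B3003,LOBBY-1,in
2024-05-01T08:25:00,B1001,DC-MANTRAP,in
2024-05-01T09:00:00,B1001,DC-MANTRAP,out
2024-05-01T09:05:00,B1001,LOBBY-1,out
2024-05-01T09:05:30,B1001,DC-MANTRAP,out
"""


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str  # "in" or "out"


def parse_line(line: str) -> Event:
    """Parse one CSV line; reject unknown doors and directions instead of guessing."""
    ts, badge, door, direction = line.strip().split(",")
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction {direction!r}")
    if door not in DOOR_ZONE:
        raise ValueError(f"unknown door {door!r}")
    return Event(datetime.fromisoformat(ts), badge, door, direction)


def nested_in(zone: str) -> set:
    """All zones enclosed, directly or indirectly, by `zone`."""
    inner = set()
    for z, parent in ZONE_PARENT.items():
        if parent == zone:
            inner.add(z)
            inner |= nested_in(z)
    return inner


def review(lines):
    """Return (timestamp, badge, rule, detail) findings, in time order."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    inside = {}  # badge -> zones the log currently places the holder in
    findings = []
    for ev in events:
        zone = DOOR_ZONE[ev.door]
        zones = inside.setdefault(ev.badge, set())
        if ev.direction == "in":
            parent = ZONE_PARENT[zone]
            if parent is not None and parent not in zones:
                # Reached an inner door without badging through the outer one.
                findings.append((ev.ts, ev.badge, "ZONE_SKIP",
                                 f"entered {zone} with no recorded entry into {parent}"))
            if zone in zones:
                # Same badge enters again without leaving: shared or cloned card.
                findings.append((ev.ts, ev.badge, "ANTI_PASSBACK",
                                 f"second entry into {zone} without an exit"))
            zones.add(zone)
        else:
            if zone not in zones:
                findings.append((ev.ts, ev.badge, "EXIT_WITHOUT_ENTRY",
                                 f"exit from {zone} with no recorded entry"))
            # Leaving a zone also leaves everything nested inside it.
            zones -= {zone} | nested_in(zone)
    return findings


if __name__ == "__main__":
    for ts, badge, rule, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {badge} {rule}: {detail}")
```

On the constructed log this reports B2002 reaching the data-centre mantrap without ever badging through the lobby, B3003 badging into the building without passing the gate, B1001 entering the data centre a second time without an exit, and B1001 badging out of the data centre after already having left the building. The same review runs unchanged against any export with the same four columns; the value lies in running it on a schedule rather than reading raw badge events by hand.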

Environment, utilities and media

Environmental controls and secure media disposal

[Figure: Data-centre environmental controls (ISO 7.5, 7.11) - a server cabinet at the centre with four environmental controls; availability is a security objective. Power: UPS + generator, A/B redundancy. Cooling: HVAC, temperature and humidity control. Fire suppression: inert gas, detectors, VESDA early detection. Water/leak: leak sensors, raised floors.]

Availability is security: environmental and utility controls (ISO 7.5, 7.11) protect the availability of information - a power, cooling or fire incident is as serious as an attack. Cables are protected individually (ISO 7.12).

SP 800-88 · Clear
Logical sanitisation

Overwriting with standard read/write commands - protects against simple recovery tools. The medium remains usable.

SP 800-88 · Purge
In-depth sanitisation

Cryptographic erase, degaussing or the drive's built-in secure-erase command - the data cannot be recovered even with laboratory techniques.

SP 800-88 · Destroy
Physical destruction

Shredding, incineration, melting - for the highest classification. The medium can no longer be used.

Physical-Cyber Convergence

Modern physical access control systems (PACS), IP cameras and building management systems (BMS) sit on the network and are therefore part of the same attack surface. Segment them from the production network, keep their software updated and do not use default passwords.

Handling of media (ISO 7.10/7.14)

Media are labelled, controlled, stored securely and destroyed according to NIST SP 800-88. The erasure method follows the data classification: the higher the class, the more stringent the method.
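The three SP 800-88 methods above, and the rule that the erasure method follows the classification, as an added example (not from the page, from NIST or from any vendor): a simulated self-encrypting medium on which Clear is a single-pass overwrite through the normal write path with a read-back verification, and Purge is a cryptographic erase that discards the media key. The sector size, the constructed CONFIDENTIAL-RECORD marker, the SHA-256 counter keystream (an illustration of a stream cipher, not a production design) and the classification-to-method policy table are all assumptions of the example.

```python
"""NIST SP 800-88 Clear and Purge on a simulated self-encrypting medium (constructed example)."""
import hashlib
import random
import secrets

SECTOR = 512                       # bytes per sector (assumption)
MARKER = b"CONFIDENTIAL-RECORD"    # constructed plaintext that must not survive sanitisation


def _keystream(key: bytes, sector_no: int) -> bytes:
    """Per-sector keystream from SHA-256(key || sector || block). Illustration only:
    a real drive uses AES with vetted key management."""
    return b"".join(
        hashlib.sha256(key + sector_no.to_bytes(8, "big") + blk.to_bytes(4, "big")).digest()
        for blk in range(SECTOR // 32)
    )


class SelfEncryptingMedium:
    """Every sector is XORed with its keystream on the way in and out; `raw` is
    what a laboratory would recover from the flash or platters."""

    def __init__(self, sectors: int):
        self.sectors = sectors
        self.key = secrets.token_bytes(32)
        self.raw = bytearray(sectors * SECTOR)

    def _span(self, sector_no: int) -> slice:
        return slice(sector_no * SECTOR, (sector_no + 1) * SECTOR)

    def write(self, sector_no: int, data: bytes) -> None:
        data = data.ljust(SECTOR, b"\x00")[:SECTOR]
        ks = _keystream(self.key, sector_no)
        self.raw[self._span(sector_no)] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, sector_no: int) -> bytes:
        ks = _keystream(self.key, sector_no)
        return bytes(a ^ b for a, b in zip(self.raw[self._span(sector_no)], ks))


def clear(medium: SelfEncryptingMedium, pattern: int = 0x00) -> None:
    """SP 800-88 Clear: single-pass overwrite of every sector through the normal write path."""
    for s in range(medium.sectors):
        medium.write(s, bytes([pattern]) * SECTOR)


def verify_clear(medium, pattern: int = 0x00, sample: float = 1.0, seed=None) -> bool:
    """Read-back verification: full pass when sample >= 1, else a random sample of sectors."""
    if sample >= 1:
        chosen = range(medium.sectors)
    else:
        n = max(1, int(medium.sectors * sample))
        chosen = random.Random(seed).sample(range(medium.sectors), n)
    expected = bytes([pattern]) * SECTOR
    return all(medium.read(s) == expected for s in chosen)


def purge_crypto_erase(medium: SelfEncryptingMedium) -> None:
    """SP 800-88 Purge by cryptographic erase: discard the media key, leave the bytes alone."""
    medium.key = secrets.token_bytes(32)


def plaintext_readable(medium: SelfEncryptingMedium, marker: bytes = MARKER) -> bool:
    """True if the marker can still be read through the drive's own read path."""
    return any(marker in medium.read(s) for s in range(medium.sectors))


def choose_method(classification: str) -> str:
    """Assumed policy, not from the page: the higher the classification, the stricter the method."""
    policy = {"internal": "Clear", "confidential": "Purge", "secret": "Destroy"}
    return policy[classification.lower()]


def demo(sectors: int = 64) -> dict:
    """Apply Clear to one medium and Purge to another; report what each achieved."""
    cleared = SelfEncryptingMedium(sectors)
    cleared.write(7, MARKER)
    cleared_raw_before = bytes(cleared.raw)
    clear(cleared)
    purged = SelfEncryptingMedium(sectors)
    purged.write(7, MARKER)
    purged_raw_before = bytes(purged.raw)
    purge_crypto_erase(purged)
    return {
        "clear_verified": verify_clear(cleared, sample=0.25, seed=1),
        "clear_marker_gone": not plaintext_readable(cleared),
        "clear_raw_changed": bytes(cleared.raw) != cleared_raw_before,
        "purge_marker_gone": not plaintext_readable(purged),
        "purge_raw_unchanged": bytes(purged.raw) == purged_raw_before,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast is the point: after Clear the stored bytes have changed and the marker is gone through the read path, while after Purge the stored bytes are byte-for-byte identical yet the marker is no longer readable, because nothing holds the key that makes them meaningful. That is also why a cryptographic erase is only a Purge when the key really is destroyed everywhere it was kept (escrow, backups, the drive's own key store), and why the sanitisation record should state which method was used, how it was verified, and for which classification the choose_method policy selected it.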