Physical access control should not be overlooked
Eurosmart’s recommendations for NIS 2 and the EU proposal on critical entities
During the past few years, the EU discussion on critical entities has been focused on cybersecurity. There are good reasons for this: critical entities increasingly rely on digitalisation and cyber-threats are constantly on the rise.
However, in a newly published paper, Eurosmart demonstrates that the possibility of a physical attack against an IT system should not be overlooked. The trend nowadays is towards hybrid attacks, whereby a malicious actor uses a flaw in a physical system to carry out a cyber-attack. For instance, an intruder might steal an employee’s badge to enter the building of a company and subsequently break into the server room.
Therefore, it remains essential to carefully control who can access the premises of critical entities, including digital infrastructures. National cybersecurity agencies themselves, such as ANSSI, already give particular importance to this matter.
In this paper, Eurosmart argues that physical access control should be better addressed both in NIS 2 and the proposal on the resilience of critical entities. NIS 2, in particular, covers the physical security aspects of digital infrastructures but does not mention access control at any point in the legislation.
Eurosmart also gives concrete recommendations on security certification of access control devices (e.g., badges, terminal equipment).
Please see our full position paper below.