The Physical-Logical Access Interoperability (PLAI) spec focuses on passing of location data from a PACS to remote systems to better secure logical access transactions.
Boiled down, the idea is to tell other systems that an individual is present at a facility using data from the access control system. The cyber community has been considering this location-centric data from a mobile device’s GPS capability, but the PACS world is recognizing that it can also come from a physical access control system.
If I check into my office building, the PACS knows I am there. The trick is sharing that knowledge with other approved systems.
A white paper from the Physical Security Interoperability Association (PSIA) details the organization’s evolving specification for doing just this, and building the capability into physical and logical security solutions.
In the paper, How a Standard Interface Heightens Cybersecurity Measures using Location Data, the PLAI spec is defined as adding a “plus 1” to the traditional three authentication factors. This adds ‘some place you are’ to the traditional factors of ‘something you have, something you know, and something you are.’
Here is how PLAI works
When an individual attempts to login to a secure service that should only be allowed from within the site, the service sends an industry standard HTTP GET request to the PACS system, in essence inquiring about the individual’s presence within the facility. The PACS response of absent or present is used as an additional required factor for login. It alone would not be sufficient – the secure service would still require credentials, passwords, biometrics, etc. – but it would be a mandatory item.
In this way, critical functions that should only be performed within a facility would be further protected from remote hacking attempts.
In the paper, the PSIA provides an example that was demonstrated at a recent industry conference. PLAI was used to secure the “activating or changing of an industrial control parameter” — such as shutting down a component in a facility on the power grid – by verifying the user was physically present at the site using data from the physical access control system.
The PSIA contends that key industry sectors – power and gas companies, transportation and airports, government agencies and military facilities – can benefit by adding location as an authentication factor before granting access to highly-sensitive controls.
They suggest access control systems that incorporate the PLAI spec can offer “a cost-efficient and scalable approach to integrate PACS and logical systems.”
Read the white paper from PSIA.