When Physical Security Meets Information Technology
When Physical Security meets Information Technology: Cameras, Building Management Systems, Access Control, and more
Whenever the topic of security appears for information technology personnel, one often thinks of firewalls, anti-virus, SIMS, and much more. However, increasingly IT departments are now in charge of systems that were once segmented. IP Cameras, Access Control for doors/gates, log entry/exit systems, and building management systems, which manage HVAC and lighting controls are a normal part of the IT infrastructure. Therefore, besides the role of integrator what other role should IT take?
The first is to make sure IT has a seat at the table. For large organizations, this can be the CISO and for smaller organizations, the CIO or dedicated IT manager. For security to be functional it simply cannot mirror what has happened in the past. It needs to take a new, active, and progressive role in the organization. Take for example, an access control system which manages door security. Before the days of technology, keys were handed out to employees who needed access and if a key was lost, the entire building needed rekeyed. Now if an access control system were implemented, you can still pass out key cards/fobs, etc. but maybe now you give them specific hours/days for which they can access the building. You can even go as far as to ascertain reason codes for off hour access. Therefore, its critical IT be seated at the table to discuss these functions, otherwise the technology chose the organization, the organization did not choose the technology.
Another need is to ensure your organization has a security framework (NIST, NERC, ISO, etc.) in place. Although discussing security frameworks can be its own lengthy process, the selection and implementation of a framework will ensure any physical security you put in place has the required safeguards for rollout. The problem here is not necessarily which framework an organization chooses, but rather verifying any physical security you have in place now matches those same security protocols.
Always make sure IT has a seat at the table, a security framework has been chosen, and policies and procedures are created for those systems
The next step is to work with your stakeholders and ensure you create a policy for those physical systems whether they be cameras, building management systems, or access control systems. As a CIO, I have implemented several large scale IP Camera systems. The issue was not setting up servers, but rather who would have access and at what level. With a traditional analog camera system, all footage simply went to tape and once needed it was reviewed. However, these new camera systems can isolate which cameras which personnel have access to at a particular time. Other options such as what access rights should they have. Should the staff be able to digitally move the camera, perform playback, export video, etc.? All of these options requires a detailed policy not only to protect IT, but to protect the organization. A policy concerning a building management system is generally of paramount importance as well. Now that facilities management staff can change temperature and lighting of buildings from their office does not mean policies should not be followed. At one college, a building management system was installed and there was fluctuations with heating/cooling. Unbeknownst to many, two separate technicians were changing settings based on separate employees requests. Once again, just because someone can do it, does not mean they should. Procedures and policies still must be followed.
Ensure the IT staff and the respective department managing that particular application have an agreement about what IT can and cannot access. For example, just because IT has the capability to potentially access every camera, safeguards should be in place so that does not necessarily happen. No one would ever imagine IT making a change in the budget simply because they had physical access to the financial server, so other changes in HVAC systems, access control, and camera systems should not happen in that function either.
Once you get all the paperwork and policies out of the way, ensure your infrastructure is built properly for all of these systems. For example, IP camera systems can be tricky, but the planning on your backbone and your infrastructure is key. Although there is no single approach, make sure your network has the capacity and bandwidth to install multiple cameras with multiple HD streams going to a server. Ensuring a reliable 10gb or enhanced backbone may be the preferred method. Consider segmenting your camera system onto a separate VLAN to keep it from the other networks. Once the network is configured, verify your server is setup properly and has adequate disk storage. Hopefully, a discussion about the retention of data occurred well before the purchase of any hardware. Whatever method you use to calculate, always go higher. I have never installed a camera system based on what was being installed initially. Always plan farther than the initial rollout. Even when a camera system is installed or replaced, IP camera additions are easy, but ensuring you have the hard disk to retain that data is difficult. In addition, make sure the clients that access that camera system also have adequate processing power on their PC to view those images, otherwise, the best laid camera system will look terrible to your end user. Scaling for access control and building management systems can be equally complex. Deciding whether separate VLAN’s or networks need to take place is important and whether the BACnet (building automation and control network) protocol is or how it is run is crucial to building that infrastructure. Once those systems are in place, do not forget how those systems will be backed up and how remote access will be accomplished for those vendors working on the systems. No one wants an HVAC contractor to breach their network similar to what happened to Target so deciding whether a VPN, SSL VPN, or other secure method for remote access is a requirement.
Overall, when physical security meets information security, the two categories are not separate, but should be combined to create a holistic approach to solutions for your organization. Always make sure IT has a seat at the table, a security framework has been chosen, and policies and procedures are created for those systems. The processes described above won’t necessarily be linear, you may create a policy, choose a system, and then go back and alter the policy. That process is fine as long as you take a 360 approach to implementing those solutions and not only look at all the angles but revisit them, not once, but continually just like any other security methodology.