Years ago, physical security directors almost unanimously refused to connect
access control and closed-circuit television systems to IT networks.
Networks supposedly offered a way to avoid the high cost of running coaxial
cable through a building. Absolutely not, said most security directors.
Security devices must run in closed systems. Networks (set up by
building owners and tenants in multi-tenant buildings) are wide open to
hackers and criminals.
A few years ago, security directors relented and began connecting
intelligent access-control boards, which manage the flow of data
between access-control readers and head-end access-control computers,
and video cameras to the network. The reason: budgetary constraints.
Tying systems together using existing network cabling eliminated costs
for cable and cable installation dedicated to the physical security
system.
It turned out that the old-timers were right. Hanging physical security devices on networks could cause problems.
“The company network is connected to the outside world, and if there are any
vulnerabilities in a network system – in the firewall, for instance –
then the physical security system can be opened up,” says Jim Litchko,
senior IT security expert with Kensington, MD-based Cyber Security
Professionals.
It’s a double-edged sword. If the firewall can be penetrated to get to the
physical security system, the physical security system – cameras and
access-control readers connected to intelligent boards, which connect
to the network – can be used to get into the company data stored on the
network.
This problem is several years old, and has, by and large, been solved with
new network technologies. In particular, says Litchko, networks that
encrypt the IT and physical security data flowing through them solve
the physical security side of the problem.
Of course, encryption isn’t perfect. The news is filled with spectacular
examples of cyber criminals breaking into supposedly secure networks
and stealing credit card and other financial data despite encryption.
While encryption doesn’t solve all of IT security’s problems, it does seem to
take care of physical security devices on the network. “You could
figure out how to unlock the front door over an encrypted network, but
you could get in a lot faster with a sledge hammer,” says Jim Coleman,
president of Atlanta-based Operational Security Systems.
In other words, encryption makes it so difficult to hack a network-based
physical security system that cyber crooks will probably go elsewhere.
Which doesn’t mean you can now use networks to tie together physical security devices
whenever you want. You have to consider at least two more issues: older
physical security technology and wireless technology.
Old Physical Security Systems
While newer intelligent boards and surveillance cameras communicate
with signals that have been encrypted, older physical security systems
did not typically use encryption.
“Legacy physical security systems were never designed to operate on anything
other than a closed network,” continues Coleman. “When network
technology arrived, you couldn’t hook security devices to networks
because each operated with different data formats. Eventually, vendors
began building terminal adaptors that could link TCP/IP networks with
serial devices, like intelligent access-control panels.
“However, those older intelligent panels didn’t have the processing
power to encrypt access control data. Hackers could use sniffers and
figure out the commands to unlock doors.”
In fact, many buildings are still equipped with older physical security
technologies that may be operating over networks without encryption.
Those systems probably need to be inspected to determine whether
they’re secure or not.
Wireless Cameras and Readers
“If you deploy cameras and other security devices on a wireless
network, and it isn’t encrypted, you’re vulnerable to attack,” Litchko
notes. “I’ve seen wireless systems that IT directors have neglected to
encrypt. I’ve also seen systems in which the encryption has been turned
off.”
How easy is it to get into unencrypted wireless systems? When you sign onto
your wireless system at home, how many other wireless modems pop up on
the menu? Chances are, you can select one or two of them and sign on
without using a password. They aren’t encrypted.
In other words, if someone wanted to trick a wireless physical security
system or hack into the corporate network through unencrypted wireless
physical security cameras or card readers, it would be easy.
Experts say that encrypting network data and physical security data that
travels on the network fixes the physical security problems. For many
systems, basic encryption may suffice. Networks and facilities dealing
with highly sensitive intellectual property or other sensitive data
probably need the strongest encryption available.
Michael Fickes is a freelance writer and owner of Fickes & Co. Inc., a
Baltimore publishing firm with experience in the security industry.