Years ago, physical security directors almost unanimously refused to connect access control and closed-circuit television systems to IT networks.
Networks supposedly offered a way to avoid the high cost of running coaxial cable through a building. Absolutely not, said most security directors. Security devices must run in closed systems. Networks (set up by building owners and tenants in multi-tenant buildings) are wide open to hackers and criminals.
A few years ago, security directors relented and began connecting video cameras and intelligent access-control boards, which manage the flow of data between access-control readers and head-end access-control computers, to the network. The reason: budgetary constraints. Tying systems together using existing network cabling eliminated costs for cable and cable installation dedicated to the physical security system.
It turned out that the old-timers were right. Hanging physical security devices on networks could cause problems.
“The company network is connected to the outside world, and if there are any vulnerabilities in a network system – in the firewall, for instance – then the physical security system can be opened up,” says Jim Litchko, senior IT security expert with Kensington, MD-based Cyber Security Professionals.
It’s a double-edged sword. If the firewall can be penetrated to get to the physical security system, the physical security system – cameras and access-control readers connected to intelligent boards, which connect to the network – can be used to get into the company data stored on the network.
This problem is several years old, and has, by and large, been solved with new network technologies. In particular, says Litchko, networks that encrypt the IT and physical security data flowing through them solve the physical security side of the problem.
Of course, encryption isn’t perfect. The news is filled with spectacular examples of cyber criminals breaking into supposedly secure networks and stealing credit card and other financial data despite encryption.
While encryption doesn’t solve all of IT security’s problems, it does seem to take care of physical security devices on the network. “You could figure out how to unlock the front door over an encrypted network, but you could get in a lot faster with a sledgehammer,” says Jim Coleman, president of Atlanta-based Operational Security Systems.
In other words, encryption makes it so difficult to hack a network-based physical security system that cyber crooks will probably go elsewhere.
Which doesn’t mean you can now use networks to tie together physical security devices whenever you want. You have to consider at least two more issues: older physical security technology and wireless technology.
Old Physical Security Systems
While newer intelligent boards and surveillance cameras communicate with signals that have been encrypted, older physical security systems did not typically use encryption.
“Legacy physical security systems were never designed to operate on anything other than a closed network,” continues Coleman. “When network technology arrived, you couldn’t hook security devices to networks because each operated with different data formats. Eventually, vendors began building terminal adaptors that could link TCP/IP networks with serial devices, like intelligent access-control panels.
“However, those older intelligent panels didn’t have the processing power to encrypt access control data. Hackers could use sniffers and figure out the commands to unlock doors.”
In fact, many buildings are still equipped with older physical security technologies that may be operating over networks without encryption. Those systems probably need to be inspected to determine whether they’re secure or not.
Wireless Cameras and Readers
“If you deploy cameras and other security devices on a wireless network, and it isn’t encrypted, you’re vulnerable to attack,” Litchko notes. “I’ve seen wireless systems that IT directors have neglected to encrypt. I’ve also seen systems in which the encryption has been turned off.”
How easy is it to get into unencrypted wireless systems? When you sign onto your wireless system at home, how many other wireless modems pop up on the menu? Chances are, you can select one or two of them and sign on without using a password. They aren’t encrypted.
In other words, if someone wanted to trick a wireless physical security system or hack into the corporate network through unencrypted wireless physical security cameras or card readers, it would be easy.
Experts say that encrypting network data and physical security data that travels on the network fixes the physical security problems. For many systems, basic encryption may suffice. Networks and facilities dealing with highly sensitive intellectual property or other sensitive data probably need the strongest encryption available.
Michael Fickes is a freelance writer and owner of Fickes & Co. Inc., a Baltimore publishing firm with experience in the security industry.