Physical Security and IT Resources

Post on 08-Jan-2016


DESCRIPTION

Description of essential elements of Physical Security by Brian Hunt.

TRANSCRIPT

  • Physical Security and IT Resources. Brian Hunt, Physical Security Specialist

    State of Nevada, Department of Information Technology, Office of Information Security

  • Introduction

    Physical security is defined as: physical measures, policies, and procedures to protect an organization's electronic information systems, facilities/buildings, and equipment from unauthorized access and from natural and environmental hazards.

  • Physical security is accomplished by performing an assessment of the facility/building and the surrounding premises.

    Physical security enhancements should be considered during the budget process. Alternative funding sources should be taken into account, such as Homeland Security grant funding, one-shot appropriations from governing bodies and Capital Improvement Projects (CIP).

    During new construction, physical security should be taken into account during the budgeting process.

    Physical security designs should be performed by a qualified professional who understands the topology and architecture of the systems and how they will integrate.

    Physical security installations should be performed by a manufacturer-certified/authorized dealer.

    How is this accomplished:

  • Physical Security Assessments. Examples of questions to ask when performing a physical security assessment:

    What are you protecting? Determining what you are protecting determines the amount of security you will place on the information and/or facility.

    Is the facility located in a high-crime area?

    Do you own or lease/rent the facility?

    Is the facility a multi-unit or multiple-tenant facility?

    Is the facility designed for the type of environment in which the work will be performed? (i.e. power, structure, communications, HVAC and fire suppression)

  • What is the net worth of the assets to be guarded?

    How much would it cost your organization to overcome a catastrophic loss of data or property? Are the physical security measures being implemented worth the cost of the data or property?

    Perform an impact statement to determine whether the cost of implementing physical security measures is cost effective or prohibitive.

    Evaluation of Assets and Data

  • There are a number of ways to subdivide physical security; to simplify, we have divided physical security into five parts.

    Part I: Perimeter protection and outer structure

    Part II: Access Control & Closed Circuit Television (CCTV)

    Part III: Power

    Part IV: Heating, Ventilation and Air Conditioning (HVAC)

    Part V: Life safety

    Physical Security Domains

  • Part I: Perimeter protection and outer structure. A facility may require perimeter fencing:

    Chain-link fence should be at least 11-gauge steel. A common installation, but easy to climb or cut for entry.

    Concrete masonry unit (CMU): one of the strongest installations, offers privacy, very expensive.

    Wrought iron fencing: offers great protection, very expensive.

    Box steel welded fence construction: architecturally acceptable, offers great protection, offers very little privacy, and expensive.

  • Nevada National Guard

  • Are barriers located on the site of the facility?

    Physical barriers such as fences and walls deter intruders and restrict visibility into the premises.

    Inspect barriers for deterioration.

    Perimeter protection

  • Nevada National Guard

  • Nevada Highway Patrol Southern Command

  • Windows are conducive to forced entry:

    Windows have the highest vulnerability to forced entry.

    The location and characteristics of windows need to be inspected.

    Doors that have windows should not have glass within 40 inches of the door lock.

    Windows that are less than 18 feet from the ground are the most vulnerable, since they are easily accessible from the building exterior.

    Outer Structure

  • Facility doors should be constructed of material that will discourage breakage:

    Steel or solid-wood doors, not hollow-core doors.

    Doors constructed of glass should be inspected for glass type, such as tempered glass, wire mesh or safety glass.

    Outer Structure

  • Ensure door strikes and strike plates are adequate and properly installed:

    Door strikes should be secured and properly fastened.

    Door strike protectors should be installed on doors that require them and on exterior doors.

    Inspect doors with exterior hinges that may be in a sensitive area of exposure:

    Normally, doors that open out are the issue.

    Doors that open out are easier to compromise.

    Outer Structure

  • Door frames should be strong and tight to prevent forcing/spreading:

    Inspect the door frame to ensure the frame is plumb and level.

    Ensure fasteners are tight and properly installed.

    Door locks should be in good repair:

    Inspect for rust or deterioration.

    Inspect for proper operation.

    Outer Structure

  • Door locks should include a deadbolt with a 1-inch throw:

    Measure the depth of the deadbolts.

    Inspect door frames to ensure the frame can support deadbolt force.

    Exterior areas should be free from concealing structures or landscaping:

    Inspect for "pony walls".

    Inspect for overgrown landscaping next to external windows.

    Outer Structure

  • Visitors should be required to sign in:

    Require a visitor log.

    Require visitor identification badges.

    Have an attendant oversee the visitor log.

    Review the visitor log periodically.

    Outer Structure

  • Escort facility visitors:

    Create a policy on escorted and unescorted visitors.

    Provide different-color identification badges for escorted and unescorted visitors.

    Require visitors to turn in identification badges after the visit.

    Outer Structure

  • Part II: Security Access Control and Closed Circuit Television. Access control systems are typically a scalable management solution encompassing complete access control, advanced event monitoring and administration auditing. Access control systems typically involve a central server or host for control and monitoring.

  • Remote capability to lock and unlock doors.

    Audit log of who used a door and when.

    Audit log of when a door has been forced or held open.

    Capability to restrict or remove access for a specific person or group.

    Monitoring of room occupancy by intrusion-detection systems.

    Basic Access Control:
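The audit-log capabilities listed above are only useful if someone reviews them. The following is an added example, not code from the presentation or from any access control product: it reads a constructed journal in a hypothetical `timestamp|door|event|cardholder` format, builds the who-and-when trail per door, and flags forced, held-open and repeatedly rejected events. Event names, door names and thresholds are assumptions.

```python
"""Added example: review a constructed access-control journal (who/when, forced, held open)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample journal in a hypothetical "timestamp|door|event|cardholder" format.
SAMPLE_JOURNAL = """\
2016-01-08 08:02:11|SERVER-RM-1|ADMIT|jdoe
2016-01-08 08:02:40|SERVER-RM-1|DOOR-HELD-OPEN|
2016-01-08 12:15:03|LOADING-DOCK|DOOR-FORCED|
2016-01-08 12:30:45|SERVER-RM-1|REJECT|asmith
2016-01-08 12:31:02|SERVER-RM-1|REJECT|asmith
2016-01-08 12:31:20|SERVER-RM-1|REJECT|asmith
2016-01-08 17:45:09|SERVER-RM-1|ADMIT|jdoe
2016-01-08 17:45:30|SERVER-RM-1|DOOR-FORCED|
"""

@dataclass
class Event:
    when: datetime
    door: str
    kind: str    # ADMIT, REJECT, DOOR-FORCED or DOOR-HELD-OPEN (assumed names)
    holder: str  # empty for door-contact events, which carry no card

def parse_journal(text):
    """Parse journal lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, door, kind, holder = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), door, kind, holder))
    return events

def door_audit(events):
    """The 'who and when' audit trail per door: admitted cardholders in time order."""
    trail = {}
    for e in events:
        if e.kind == "ADMIT":
            trail.setdefault(e.door, []).append((e.when, e.holder))
    return trail

def find_alerts(events, grace=timedelta(seconds=30), reject_limit=3, window=timedelta(minutes=5)):
    """Return (time, door, reason) alerts sorted by time: every held-open door; every forced
    door, noting whether a valid admit preceded it within `grace` (a door-contact or propping
    problem rather than an intrusion); and `reject_limit` rejects for one card within `window`."""
    alerts, rejects = [], {}
    for i, e in enumerate(events):
        if e.kind == "DOOR-HELD-OPEN":
            alerts.append((e.when, e.door, "door held open"))
        elif e.kind == "DOOR-FORCED":
            admitted = any(p.door == e.door and p.kind == "ADMIT" and e.when - p.when <= grace
                           for p in events[:i])
            alerts.append((e.when, e.door, "door forced after valid admit (check door contact)"
                           if admitted else "door forced, no preceding admit"))
        elif e.kind == "REJECT":
            key = (e.door, e.holder)
            recent = [t for t in rejects.get(key, []) if e.when - t <= window] + [e.when]
            rejects[key] = recent
            if len(recent) == reject_limit:
                alerts.append((e.when, e.door, f"{reject_limit} rejects for {e.holder}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(parse_journal(SAMPLE_JOURNAL)):
        print(*alert)
```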

  • Which manufacturer's system to purchase

    How many facilities are attached to the access control system

    How do you communicate with the access control system

    How many cardholders will you have

    Who will administer the system

    What type of card technology to use (FIPS 201 compliance)

    Access Control Selection Criteria:

  • Security Access Control System for the State of Nevada:

    Software House CCURE 800

    Infinite facilities as required, worldwide

    TCP/IP is the preferred and main communication method; RS-232/485, modem and cellular are also utilized

    250,000 cardholders (expandable to 5000,000)

    Facility-based administration or global administration

    Card technology is proximity (FIPS 201 compliance migration)

    Access Control and the Nevada Access System (NAS)

  • NAS is a scalable security management solution encompassing advanced access control and high-scale event monitoring.

    The Nevada Access System's main hub or server is a Software House CCURE 800, which provides users with a scalable access control solution that adds functionality and capacity as the system's needs grow.

    CCURE 800 is a complete integration solution with unlimited applications.

    Nevada Access System (NAS)

  • CCURE 800 is a complete integration solution that reaches beyond traditional security; it provides integration with critical business applications including Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS). Other integration applications include:

    Fire alarms

    Intercoms

    Burglar alarms

    Environmental building controls

    Crystal Reports reporting

    Time management or time tracking software

    Nevada Access System (NAS)

  • Network capabilities: CCURE 800 client workstations and iSTAR controllers can be placed directly on existing networks and transmitted across SilverNet and multiple WANs statewide.

    Open architecture support: CCURE 800 ensures universal support and enormous flexibility. As such, CCURE 800 interacts with industry-standard databases, video recorders and cameras, and networks.

    CCURE 800 is a complete integration solution with unlimited applications.

    Nevada Access System (NAS)

  • CCURE 800 Foundation Security Features:

    Event and alarm monitoring

    Database partitioning

    Windows 2000 Professional, Windows Server 2003, Windows XP Professional for servers

    Open journal data format for enhanced reporting

    Automated personnel import

    Wireless reader support

    Nevada Access System (NAS)

  • CCURE 800 Advanced Security Features:

    CCTV integration

    Enhanced monitoring with split-screen views

    Escort management

    Cardholder access events

    Single-subscriber email and paging

    Open journal data format for enhanced reporting, ODBC support

    Nevada Access System (NAS)

  • Benefits of the Nevada Access System:

    Access control, audit, and convenience through the use of one access control card.

    Computer workstations, technical systems and door locks will have access control with audit capabilities, and convenience with a single access control card or state-issued identification card. This approach eliminates the need for quantities of mechanical keys and reduces the number of passwords an individual has to carry or memorize.

    Benefits of the Nevada Access System (NAS)

  • Standardizing employee identification, recognition and verification statewide.

    NAS will provide a mainstay for access control support and technical assistance throughout careers and the life cycles of systems.

    CCURE 800-based user groups statewide to provide support among departments, agencies, counties and other municipalities.

    Benefits of the Nevada Access System (NAS)

  • Closed Circuit Television and Digital Video Management Systems. Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS) have seen many advances over the years. The evolution of CCTV is an interesting history that combines the entertainment industry, consumer electronics and CCTV. None of the three is a combination we put together, but there is a strong parallel that has moved the industry to where it is today.

  • The original CCTV systems were built using equipment intended for the broadcast industry and industrial television. Cameras were:

    Large

    Expensive

    High in energy consumption

    In need of frequent maintenance

    History of Closed Circuit Television Systems

  • As a result of the high expense and the need to change tubes in the equipment, coupled with the heat generated by the equipment, service calls and service technicians made for a lucrative business. The high expense of CCTV installation and the cost of servicing the equipment meant only the wealthy could afford such systems, since for most the cost of installation and maintenance outweighed the cost of the assets to be protected.

    In the mid-60s, CCTV started to evolve as an industry. Two inventions facilitated this change and allowed the cost of installation and the maintenance of CCTV systems to become an affordable option. The pan, tilt and zoom (PTZ) mount was invented along with the motorized lens. The PTZ function allowed the camera to move up, down and side to side. The motorized lens allowed remote control of zoom, focus and iris adjustment. These inventions reduced the number of cameras required to cover an area.

    History of Closed Circuit Television Systems

  • In the consumer electronics market, amateur video taping, movie rentals and the mass production and use of the video cassette recorder (VCR) became less expensive and lightweight. Soon the two technologies merged, creating the camera and recorder, or what we know today as the camcorder.

    In the late 80s a mass market of products began to dramatically reduce prices and improve quality and availability. What was once enjoyed by the wealthy was now affordable and available to the general public and industry.

    History of Closed Circuit Television Systems

  • When designing a usable Closed Circuit Television System (CCTV), it does not take an expert to design a system. Some of the most usable CCTV systems have been designed by individuals who said time and time again, "I do not know anything about this, but shouldn't we..." If you take a common-sense approach based on the specific applications and needs of your organization, the basic placement of cameras can be accomplished, keeping in mind that cameras are like people: they can only see what people can see.

    Designing a Closed Circuit Television System

  • System use, security or surveillance:

    Security is defined as watching objects or items.

    Surveillance is defined as watching people.

    Will operators manage the system? Operators will be required for surveillance.

    Large storage may be required for security, or the watching of objects or items (seven days of storage recommended).

    Designing a Closed Circuit Television System

  • Camera selection and locations, indoors or outdoors:

    PTZ or fixed cameras

    If indoor cameras are used, are they covert or in plain sight?

    If outdoor cameras are used, what is your outdoor climate?

    Storage of video:

    Hard drive storage or network storage

    Video cassette recorder

    Designing a Closed Circuit Television System

  • Common shortcomings of many CCTV systems:

    Not enough cameras

    Cameras installed incorrectly, or incorrect cameras installed for the application

    No operator

    Not enough storage, or improper media for storage

    Improperly trained personnel

    Neglected or improperly maintained systems, including cameras, power supplies, VCRs, DVRs, software applications and network connections

    Closed Circuit Television Systems Designs

  • Network traffic for IP cameras

    Network traffic with the integration of CCTV and access control

    Improperly trained personnel

    Storage of video on site on specific hard drives or network storage

    Transfer of video files via email

    The downloading of updates for Windows-based DVRs

    The potential for viruses on Windows-based DVRs

    IT concerns for Closed Circuit Television Systems

  • Part III: Power. Does the facility have multiple services from the power company?

    Primary and secondary service in case of power loss.

    Secondary services (if available) require a device called a tie-breaker in the electrical service main.

  • One-to-one transformer for power conditioning.

    Main service(s) over-current protection: is it fused, or a manual/auto-reset breaker?

    Main service should be protected by adequate ground fault protection.

    For electrical systems dedicated to computer systems, the main electrical service and distribution panels should have an isolated ground (i.e. orange receptacles).

    Are K-rated transformers for harmonics instituted within your facilities?

    Power Conditioning

  • What is the intended use of the generator (emergency lighting, computers or backup of the facility)?

    The generator should be sized for the load.

    Backup generators should be tested weekly, monthly or annually.

    All generators should have strict maintenance schedules, with work performed by generator mechanics/specialists.

    Back Up Power Generators

  • What is the intended use of the UPS?

    Is the UPS sized for the load?

    For UPSs of 5 kVA or greater, are they standby or in-use type? (Standby UPSs usually do not have power conditioners.)

    What is the maintenance schedule for the UPS?

    Is the UPS surge factor greater than 1.15?

    The UPS should include a feature to alarm when a low-battery condition exists.

    The UPS should have remote alarm panels located in server rooms and the security/maintenance office.

    Back Up Power: Uninterruptible Power Supply (UPS)

  • Part IV: Heating, Ventilation and Air Conditioning (HVAC). Is the facility equipped with the proper HVAC system?

    Is the HVAC system sized for the current occupancy and heating/cooling load?

    Was the HVAC system designed with electronic equipment in mind (heat load and humidity)?

    Does the HVAC system connect to an environmental control system or direct digital control (DDC)?

    Who provides programming and support for the HVAC application if the system is controlled by DDC?

    Is the HVAC application on the network, and is it network-dependent to operate?

  • Server rooms and remote communication closets should have proper and separate HVAC systems:

    Inspect the HVAC system to ensure separate heating and cooling controls are within server rooms and telecommunications closets.

    Within server rooms and telecommunications closets, are high and low temperature warning mechanisms present?

    Are HVAC filters changed on a regular basis?

    Is the HVAC system serviced on a periodic basis?

    Is the HVAC system for server rooms and telecommunications closets on a backup generator?

    Heating, Ventilation and Air Conditioning in server rooms:

  • Part V: Life Safety. Fire Alarms

    Does the facility have a fire alarm system?

    Fire alarm systems are required by law to be periodically tested (annually).

    Manual pull stations and horn/strobes must be located near the exits.

    The fire alarm system should be attached to a UL-approved monitoring service.

    A representative from your organization should be responsible for the administration of the fire alarm system.

  • Does the facility have a fire sprinkler system?

    Fire sprinkler systems are required by law to be periodically tested (annually; inspection tag looped on the main valve).

    Fire sprinkler spray heads shall not have any object within eighteen inches (18") of the spray head vertically and two (2) feet horizontally.

    Server rooms should have an emergency power shut-off switch at the exit doors to shut down power in the event a water fire suppression system is activated within the room.

    Fire Suppression:

  • Does the facility have fire extinguishers?

    Fire extinguishers should be periodically tested (annually, by licensed and certified personnel).

    Where are the fire extinguishers located, and are they depicted on an emergency evacuation plan?

    Personnel should receive training on fire extinguisher use. A quick reference is the word PASS:

    Pull, Aim, Squeeze, Sweep

    Fire Extinguishers:

  • Challenges that face many security integrators are the lack of administrative authority on a network (for good reason) and a lack of understanding of the network or the dynamics of an organization's network. Key questions to ask an integrator when a system is to be installed:

    Will the system and application require administrative rights on a machine or the network?

    How does the system communicate? (TCP/IP, RS-232/485, modem, etc.)

    Does the system require a software application? If so, how many clients/nodes are allowed?

    Who will retain the software and software license?

    Integrator Challenges and IT Resources:

  • How much bandwidth will be consumed by the system or application?

    How much data storage will be required for the system?

    Is the system capable of running if the application loses communication?

    Will the integrator retain an administrative account on the system?

    Will the integrator have a remote connection to the system, during and after the project?

    What are the recommended specifications of the host or server machine?

    Integrator Challenges and IT Resources:

  • Management and Planning of IT-Based Physical Security. Discussing the challenges ahead:

    The challenge that faces many organizations currently is finding a balance between physical security personnel with knowledge of IT systems and physical security solutions that are IT-dependent.

    The relationship of physical security IT systems requiring IT knowledge and background versus physical security is eighty/twenty (80/20): eighty percent physical security and twenty percent IT system based background knowledge.

    Many IT organizations assume responsibility for an IT-based physical security system while understanding approximately twenty percent of the system.

  • Access Control and the State of Nevada. Challenges for the State:

    Through shared resources such as the Nevada Access System, IT organizations on a statewide level can assume responsibility for an IT-based physical security system with greater understanding and support.

    With challenges ahead such as Federal Information Processing Standard 201 (FIPS 201) and the Real ID Act, shared resources will become invaluable to the success of our statewide programs.

    Currently no one person or organization has the answers; with constantly changing standards and never-ending technology, it is nearly impossible to keep up. I invite each of you to join together to assist in the progress of physical IT security, allowing for consistency statewide.

  • Physical Security and IT Resources. Brian Hunt, Physical Security Specialist

    State of Nevada, Department of Information Technology, Office of Information Security. (775) 684-7349 Office, (775) 687-1155, [email protected]