Physical Security


Physical Security and IT
Resources
Brian Hunt
Physical Security Specialist
State of Nevada
Department of Information Technology
Office of Information Security
Introduction
Physical security is defined as: physical measures, policies,
and procedures to protect an organization's electronic
information systems, facilities/buildings and equipment
from unauthorized access and from natural and environmental
hazards.
How is this accomplished:

Physical Security is accomplished by performing an
assessment of the facility/building and the surrounding
premises.

Physical security enhancements should be considered
during the budget process. Consideration of alternative
funding sources should be taken into account such as
Homeland Security Grant Funding, “One Shot
Appropriations” from governing bodies and Capital
Improvement Projects (CIP)
♦
During new construction Physical security should be
taken into account during the budgeting process
♦
Physical security designs should be performed by a
qualified professional regarding the topology and
architecture of the systems and how they will integrate
♦
Physical security installations should be performed by
a manufacturer certified/authorized dealer
Physical Security Assessments
 Examples of questions to ask when performing a
Physical Security Assessment:
♦
What are you protecting? Determining what you are
protecting will determine the amount of “security” you
will place on the information and/or facility
♦
Is the facility located in a high crime area?
♦
Do you own or lease/rent the facility?
♦
Is the facility a multiunit or multiple tenant facility?
♦
Is the facility designed for the type of environment in which the
work will be performed? (i.e., power, structure,
communications, HVAC and fire suppression)
Evaluation of Assets and Data

What is the net worth of the assets to be guarded

How much would it cost your organization to overcome a
catastrophic loss of data or property

Is implementing physical security measures worth the cost of
the data or property

Perform an impact statement to determine if the cost of
implementing physical security measures is cost effective
or prohibitive.
Physical Security Domains
There are a number of ways to subdivide physical security.
To simplify, we have divided physical security into five
parts.

Part I: Perimeter protection and outer structure

Part II: Access Control & Closed Circuit Television (CCTV)

Part III: Power

Part IV: Heating, ventilation and Air Conditioning (HVAC)

Part V: Life safety
Part I: Perimeter protection and
outer structure
 Facility may require perimeter fencing:
♦
Chain link fence should be at least 11 gauge steel.
Common installation, easy to climb or cut for entry
♦
Concrete masonry unit (CMU), One of the strongest
installations, offers privacy, very expensive
♦
Wrought iron fencing, offers great protection, very
expensive.
♦
Box steel welded fence construction, Architecturally
acceptable, offers great protection, offers very little
privacy and expensive
Nevada National Guard
Perimeter protection
 Are barriers located onsite of the facility:
♦
Physical barriers such as fences and walls deter
intruders and restrict visibility into the premises
♦
Inspect barriers for deterioration
Nevada National Guard
Nevada Highway Patrol Southern
Command
Outer Structure
 Windows are conducive to forced entry:
♦
Windows have the highest vulnerability to forced entry
♦
The location and characteristics of windows need to
be inspected
♦
Windows in doors should not be within 40” of the
door lock
♦
Windows that are less than 18 feet from the ground are
the most vulnerable since they are easily accessible
from the building exterior
Outer Structure
 Facility doors should be constructed of material that
will discourage breakage:
♦
Steel or Solid wood doors, not hollow core doors
♦
Doors that are constructed of glass, should be
inspected for glass type such as tempered glass, wire
mesh or safety glass
Outer Structure
 Ensure door strikes and strike plates are adequate
and properly installed:
♦
Door strikes should be secured and properly fastened
♦
Door strike protectors should be installed on doors that
require protectors or exterior doors
 Inspect doors with exterior hinges that may be in a
sensitive area of exposure:
♦
Normally doors that open out are the issue
♦
Doors that open out are easier to compromise
Outer Structure
 Door frames should be strong and tight to prevent
forcing/spreading:
♦
Inspect door frame to ensure the frame is plumb and
level
♦
Ensure fasteners are tight and properly installed
 Door locks should be in good repair:
♦
Inspect for rust or deterioration
♦
Inspect for proper operation
Outer Structure
 Door locks should include a dead bolt with 1-inch
throw:
♦
Measure the depth of the deadbolts
♦
Inspect door frames to ensure frame can support
deadbolt force
 Exterior areas should be free from concealing
structures or landscaping:
♦
Inspect for "pony walls"
♦
Inspect for over grown landscaping next to external
windows
Outer Structure
 Visitors should be required to sign in:
♦
Require a visitor’s log
♦
Require visitor identification badges
♦
Have an attendant oversee the visitor’s log
♦
Review the visitor’s log periodically
Outer Structure
 Escort facility visitors:
♦
Create a policy on escorted and unescorted
visitors
♦
Provide different color identification badges for
escorted and unescorted visitors
♦
Require visitors to turn in identification badges
after visit
Part II: Security Access Control
and Closed Circuit Television
Access control systems are typically a
scalable management solution
encompassing complete access control,
advanced event monitoring and
administration auditing. Access control
systems typically involve a central server or
host for control and monitoring.
Basic Access Control:
♦
Remote capability to lock and unlock doors
♦
Audit log of who used a door and when
♦
Audit log when a door has been forced or held open
♦
Capability to restrict or remove access to specific
person or group
♦
Monitoring of room occupancy by intrusion-detection
systems
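The audit-log review described in the list above, as an added example that is not part of the original presentation and not the export format of any access control product. The journal layout, event names, thresholds and card numbers are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample journal; the column layout and event names are hypothetical.
SAMPLE_JOURNAL = """\
time,door,event,card
2024-03-04 08:01:10,SERVER-RM,GRANTED,1001
2024-03-04 08:01:12,SERVER-RM,OPENED,
2024-03-04 08:01:20,SERVER-RM,CLOSED,
2024-03-04 12:30:00,SERVER-RM,GRANTED,1002
2024-03-04 12:30:03,SERVER-RM,OPENED,
2024-03-04 12:34:30,SERVER-RM,CLOSED,
2024-03-04 23:15:40,LOADING-DOCK,OPENED,
2024-03-04 23:15:55,LOADING-DOCK,CLOSED,
2024-03-05 07:45:00,SERVER-RM,DENIED,1003
"""

# Assumed thresholds; set them to match site policy.
GRANT_WINDOW = timedelta(seconds=10)     # door must open within 10 s of a grant
HELD_OPEN_LIMIT = timedelta(seconds=60)  # door may stay open at most 60 s


def review_journal(text, revoked_cards=frozenset()):
    """Return sorted (time, door, finding) tuples for an attendant to review."""
    findings = []
    last_grant = {}  # door -> time of the most recent unused GRANTED event
    opened_at = {}   # door -> time the door was last opened
    # Assumption: every legitimate opening, exits included, logs a GRANTED event.
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        door, event, card = row["door"], row["event"], row["card"]
        if event == "GRANTED":
            last_grant[door] = when
            if card in revoked_cards:
                findings.append((when, door, f"revoked card {card} was granted access"))
        elif event == "DENIED":
            findings.append((when, door, f"card {card} denied"))
        elif event == "OPENED":
            opened_at[door] = when
            grant = last_grant.pop(door, None)
            if grant is None or when - grant > GRANT_WINDOW:
                findings.append((when, door, "door forced (opened without a valid grant)"))
        elif event == "CLOSED":
            start = opened_at.pop(door, None)
            if start is not None and when - start > HELD_OPEN_LIMIT:
                seconds = int((when - start).total_seconds())
                findings.append((when, door, f"door held open {seconds} s"))
    # A door with no CLOSED event by the end of the journal is reported too.
    for door, start in opened_at.items():
        findings.append((start, door, "door opened and never closed in this journal"))
    return sorted(findings)


if __name__ == "__main__":
    for when, door, finding in review_journal(SAMPLE_JOURNAL, revoked_cards={"1002"}):
        print(when, door, finding)
```

Passing the set of cards whose access was removed lets the same review confirm that a removal actually took effect at the door.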
Access Control Selection Criteria:
♦
Which manufacturer's system to purchase
♦
How many facilities attached to the access control
system
♦
How do you communicate with the access control
system
♦
How many card holders will you have
♦
Who will administer the system
♦
What type of card technology to use (FIPS 201
compliance)
Access Control and the Nevada
Access System (NAS)
 Security Access Control System for the State of
Nevada:
♦
Software House C•CURE 800
♦
Infinite facilities as required world wide
♦
TCP/IP preferred and main communication utilized,
RS232/485, Modem and cellular
♦
250,000 cardholders (Expandable to 5000,000)
♦
Facility based administration or global administration
♦
Card technology is proximity (FIPS 201 compliance
migration)
Nevada Access System (NAS)

NAS is a scalable security management solution
encompassing advanced access control and high scale
event monitoring

Nevada Access System’s main hub or server is a Software
House C•CURE 800, which provides users with a scalable
access control solution that allows functionality and
increased capacity as the system needs grow

C•CURE 800 is a complete integration solution with
unlimited application
Nevada Access System (NAS)

C•CURE 800 is a complete integration solution that reaches
beyond traditional security. It provides integration with
critical business applications including Closed Circuit
Television (CCTV) and Digital Video Management Systems
(DVMS). Other integration applications include:
♦
Fire Alarms
♦
Intercoms
♦
Burglar alarms
♦
Environmental building controls
♦
Crystal reporting
♦
Time management or time tracking software
Nevada Access System (NAS)

Network capabilities: the C•CURE 800 client workstations
and iSTAR controllers can be placed directly on
existing networks and transmit across SilverNet and
multiple WANs statewide

Open Architecture Support. The C•CURE 800 ensures
universal support and enormous flexibility. As such,
C•CURE 800 interacts with industry-standard databases,
video recorders and cameras, and networks

Nevada Access System (NAS)
C•CURE 800 Foundation Security Features:
♦
Event and Alarm Monitoring
♦
Database Partitioning
♦
Windows 2000 Professional, Windows Server 2003,
Windows XP Professional for servers
♦
Open journal data format for enhanced reporting
♦
Automated personnel import
♦
Wireless reader support
Nevada Access System (NAS)
C•CURE 800 advanced Security Features:
♦
CCTV Integration
♦
Enhanced monitoring with split screen views
♦
Escort management
♦
Card holder access events
♦
Single subscriber Email and paging
♦
Open journal data format for enhanced reporting
♦
ODBC support
Benefits of the Nevada Access
System (NAS)
Benefits of the Nevada Access System:

Access control, audit, and convenience through the use of
one access control card

Computer workstations, technical systems and door locks
will have access control with audit capabilities, and
convenience with a single access control card or state
issued identification card. This approach eliminates the
need for quantities of mechanical keys and reduces the number of
passwords an individual has to carry or memorize
Benefits of the Nevada Access
System (NAS)

Standardizing of employee identification, recognition and
verification statewide

NAS will provide a mainstay for access control support and
technical assistance throughout the career and life cycles of
systems

C•CURE 800 based users groups statewide to provide
support among Departments, Agencies, Counties and other
Municipalities
Closed Circuit Television and Digital
Video Management Systems
Closed Circuit Television (CCTV) and Digital Video
Management Systems (DVMS) have made many advances
over the years. The evolution of CCTV is an interesting
history that combines the entertainment industry,
consumer electronics and CCTV. The three are not a
combination we would normally put together, but there is a strong parallel
that has moved the industry to where it is today
History of Closed Circuit Television
Systems

The original CCTV systems were built using equipment
intended for the use of the broadcast industry and
industrial television
♦
Cameras were large
♦
Expensive
♦
Required high energy consumption
♦
Required frequent maintenance
History of Closed Circuit Television
Systems

As a result of the high expense and the need to change
tubes in the equipment coupled with the heat generated by
the equipment, service calls and service technicians made
for a lucrative business. The high expense of CCTV
installation and the cost of servicing the equipment made it
possible for only the wealthy to afford such systems since
the cost of installation and maintenance outweighed the
cost of the assets to be protected for most

In the mid-60’s, CCTV started to evolve as an industry. Two
inventions facilitated this change and allowed the cost of
installation and the maintenance of CCTV systems to
become an affordable option. The Pan, Tilt and Zoom (PTZ)
was invented along with the motorized lens. The PTZ
function allowed the camera to move up, down and side to
side. The motorized lens allowed remote control of zoom,
focus and iris adjustment. These inventions reduced the
number of cameras required to cover an area
History of Closed Circuit Television
Systems

In the consumer electronic market, amateur video taping,
movie rentals and the mass production and use of the
video cassette recorder (VCR) became less expensive and
lightweight. Soon the two technologies merged creating
the camera and recorder or what we know today as the
“Camcorder”

In the late 80’s a mass market of products began to
dramatically reduce prices and improve quality
and availability. What was once enjoyed by the wealthy
was now made affordable and available to the general
public and industry
Designing a Closed Circuit Television
System
When designing a usable Closed Circuit Television (CCTV)
system, it does not take an “expert” to design a system.
Some of the most usable CCTV systems have been
designed by individuals who said time and time again, “I do
not know anything about this, but shouldn’t we….” If you
take a common sense approach based on the specific
applications and needs of your organization, the basic
placement of cameras can be accomplished, keeping in
mind that cameras are like “people”: they can only see what
“people” can see
Designing a Closed Circuit Television
System
 System use, Security or surveillance:
♦
Security is defined as watching objects or items
♦
Surveillance is defined as watching people
 Will operators manage the system:
♦
Operators will be required for surveillance
♦
“Large” storage may potentially be required for
security or the watching of objects or items
(recommended seven days of storage)
Designing a Closed Circuit Television
System
 Camera selection and locations, indoors or
outdoors:
♦
PTZ or fixed cameras
♦
If indoor cameras are used, are they covert or in plain sight
♦
If outdoor cameras are used, what is your outdoor
climate
 Storage of video:
♦
Hard drive storage or network storage
♦
Video cassette recorder
Closed Circuit Television Systems
Designs

Common shortcomings of many CCTV systems
♦
Not enough cameras
♦
Cameras installed incorrectly or incorrect cameras
installed for application
♦
No operator
♦
Not enough storage or improper media for storage
♦
Improperly trained personnel
♦
Neglected or improperly maintained systems, to include
cameras, power supplies, VCRs, DVRs, software
applications and network connections
IT concerns for Closed Circuit
Television Systems
♦
Network traffic for IP cameras
♦
Network traffic with the integration of CCTV and access
control
♦
Improperly trained personnel
♦
Storage of video on site with specific hard drives or
network storage
♦
Transfer of video files via email
♦
The downloading of updates for Windows-based DVRs
♦
The potential for viruses on Windows-based DVRs
Part III: Power
 Does the facility have multiple services from the
power company
♦
Primary and secondary service in case of power loss
♦
Secondary services (if available) require a device called
“Tie-breaker” in the electrical service main
Power Conditioning
♦
One to one transformer for power conditioning
♦
Main service(s) over-current protection, is it fused or
manual/auto reset breaker
♦
Main service should be protected by adequate Ground
Fault protection
♦
For electrical systems dedicated to computer systems, the
main electrical service and distribution panels should
have an isolated ground (i.e., orange receptacles)
♦
Is the use of “K” rated transformers for harmonics
instituted within your facilities
Back Up Power Generators
♦
What is the intended use of the generator (emergency
lighting, Computers or back up of the facility)
♦
Generator should be sized for the load
♦
Back up generators should be tested weekly, monthly
or annually
♦
All generators should have strict maintenance schedules
with work performed by generator mechanics/specialists
Back Up Power Uninterrupted
Power Supply (UPS)
♦
What is the intended use of the UPS
♦
Is the UPS sized for the load
♦
For UPS units of 5 KVA or greater, are they Standby or in use type
(Standby UPS’s usually do not have power conditioners)
♦
What is the maintenance schedule for the UPS
♦
Is the UPS surge factor greater than 1.15
♦
UPS should include a feature to alarm when a low battery
condition exists
♦
UPS should have remote alarm panels located in server
rooms and security/maintenance office
Part IV Heating, ventilation and Air
Conditioning (HVAC):
 Is the facility equipped with the proper HVAC system
♦
Is the HVAC system sized for the current occupancy
and heat/cooling load
♦
Was the HVAC system designed with electronic
equipment in mind (heat load and humidity)
♦
Does the HVAC system connect to an environmental
control system or direct digital control (DDC)
♦
Who provides programming and support for the HVAC
application if the system is controlled by DDC
♦
Is the HVAC application on the network and is it
dependent on the network to operate
Heating, ventilation and Air
Conditioning in server rooms:
 Server rooms and remote communication closets
should have proper and separate HVAC Systems:
♦
Inspect HVAC system to ensure separate heating and
cooling controls are within server rooms and
telecommunications closets
♦
Are high and low temperature warning mechanisms present
within server rooms and telecommunication closets
♦
Are HVAC filters changed on a regular basis
♦
Is the HVAC system serviced on a periodic basis
♦
Is the HVAC system for server rooms and
telecommunications closets on a back up generator
Part V Life Safety:
Fire Alarms
♦
Does the facility have a fire alarm system
♦
Fire alarm systems are required by law to be periodically
tested (annually)
♦
Manual pull stations and horn/strobes must be located
near the exits
♦
Fire alarm system should be attached to a UL approved
monitoring service
♦
A representative from your organization should be responsible for
the administration of the fire alarm system
Fire Suppression:
♦
Does the facility have a fire sprinkler system
♦
Fire sprinkler systems are required by law to be
periodically tested (annually, inspection tag looped on
main valve)
♦
Fire sprinkler system spray heads shall not have any
object within eighteen inches (18”) from the spray head
vertically and two (2) feet horizontally
♦
Server rooms should have an emergency power shut
off switch at the exit doors to shut down power in the
event a water fire suppression system is activated
within the room
Fire Extinguishers:
♦
Does the facility have fire extinguishers
♦
Fire extinguishers should be periodically tested
(annually, by licensed and certified personnel)
♦
Where are the fire extinguishers located and are they
depicted on an emergency evacuation plan
♦
Personnel should receive training on fire extinguisher
use. A quick reference is the word PASS:
♦
Pull
♦
Aim
♦
Squeeze
♦
Sweep
Integrator Challenges and IT
Resources:
Challenges that face many security integrators are the lack
of administrative authority on a network (for good reason)
and the lack of understanding of a network or the dynamics
of an organization's network
Key questions to ask an integrator when a system is to be
installed:
♦
Will the system and application require administrative
rights on a machine or the network
♦
How does the system communicate (TCP/IP,
RS232/485, modem, etc.)
♦
Does the system require a software application? If so,
how many client/nodes are allowed
♦
Who will retain the software and software license
Integrator Challenges and IT
Resources:
♦
How much bandwidth will be consumed by the system
or application
♦
How much data storage will be required for the system
♦
Is the system capable of running if the application loses
communication
♦
Will the integrator retain an administrative account on
the system
♦
Will the integrator have a remote connection to the
system, during and after the project
♦
What are the recommended specifications of the host or
server machine
Management and Planning of IT
Based Physical Security
Discussing the challenges ahead:

The challenge that currently faces many organizations is
finding a balance between physical security personnel with
knowledge of IT systems and physical security solutions
that are IT dependent.

The relationship of physical security IT systems requiring
IT knowledge and background versus physical security is
eighty/twenty (80/20): eighty percent physical security and
twenty percent IT system based background knowledge.

Many IT organizations assume the responsibility of an IT
based physical security system understanding
approximately twenty percent of the system.
Access Control and the State of
Nevada
Challenges for the State:

Through shared resources such as the Nevada Access
System, IT organizations on a statewide level can assume
the responsibility of an IT based physical security system
with greater understanding and support.

With challenges ahead such as Federal Identification Process
Standard 201 (FIPS 201) and the Real ID Act, shared
resources will become invaluable to the success of our
statewide programs.

Currently no one person or organization has the answers.
With constantly changing standards and never-ending
technology, it is nearly impossible to keep up. I invite each
of you to join together to assist in the progress of physical
IT security allowing for consistency statewide.
Physical Security and IT
resources
Brian Hunt
Physical Security Specialist
State of Nevada
Department of Information Technology
Office of Information Security
(775) 684-7349 Office
(775) 687-1155 Fax