Physical Security and IT Resources Brian Hunt Physical Security Specialist State of Nevada Department of Information Technology Office of Information Security

Page 1:

Physical Security and IT Resources

Brian Hunt Physical Security Specialist

State of Nevada Department of Information Technology Office of Information Security

Page 2:

Introduction

Physical security is defined as: physical measures, policies, and procedures to protect an organization’s electronic information systems, facilities/buildings and equipment from unauthorized access and from natural and environmental hazards.

Page 3:

Physical Security is accomplished by performing an assessment of the facility/building and the surrounding premises.

Physical security enhancements should be considered during the budget process. Alternative funding sources should be taken into account, such as Homeland Security Grant Funding, “One Shot Appropriations” from governing bodies and Capital Improvement Projects (CIP).

♦ During new construction, physical security should be taken into account during the budgeting process

♦ Physical security designs should be performed by a qualified professional regarding the topology and architecture of the systems and how they will integrate

♦ Physical security installations should be performed by a manufacturer certified/authorized dealer

How is this accomplished:

Page 4:

Physical Security Assessments

Examples of questions to ask when performing a Physical Security Assessment:

♦ What are you protecting? Determining what you are protecting will determine the amount of “security” you will place on the information and/or facility

♦ Is the facility located in a high crime area?

♦ Do you own or lease/rent the facility?

♦ Is the facility a multiunit or multiple tenant facility?

♦ Is the facility designed for the type of environment in which the work will be performed (i.e., power, structure, communications, HVAC and fire suppression)?

Page 5:

What is the net worth of the assets to be guarded?

How much would it cost your organization to overcome a catastrophic loss of data or property?

Is implementing physical security measures worth the cost of the data or property?

Perform an impact statement to determine if the cost of implementing physical security measures is cost effective or prohibitive.

Evaluation of Assets and Data

Page 6:

There are a number of ways to subdivide physical security; to simplify, we have divided physical security into five parts.

Part I: Perimeter protection and outer structure

Part II: Access Control & Closed Circuit Television (CCTV)

Part III: Power

Part IV: Heating, Ventilation and Air Conditioning (HVAC)

Part V: Life safety

Physical Security Domains

Page 7:

Part I: Perimeter protection and outer structure

Facility may require perimeter fencing:

♦ Chain link fence should be at least 11 gauge steel. Common installation, easy to climb or cut for entry

♦ Concrete masonry unit (CMU): one of the strongest installations, offers privacy, very expensive

♦ Wrought iron fencing: offers great protection, very expensive

♦ Box steel welded fence construction: architecturally acceptable, offers great protection, offers very little privacy and is expensive

Page 8:

Nevada National Guard

Page 9:

Are barriers located on site at the facility:

♦ Physical barriers such as fences and walls deter intruders and restrict visibility into the premises

♦ Inspect barriers for deterioration

Perimeter protection

Page 10:

Nevada National Guard

Page 11:

Nevada Highway Patrol Southern Command

Page 12:

Windows are conducive to forced entry:

♦ Windows have the highest vulnerability to forced entry

♦ The location and characteristics of windows need to be inspected

♦ Windows in doors should not be within 40” of the door lock

♦ Windows that are less than 18 feet from the ground are the most vulnerable since they are easily accessible from the building exterior

Outer Structure

Page 13:

Facility doors should be constructed of material that will discourage breakage:

♦ Steel or Solid wood doors, not hollow core doors

♦ Doors that are constructed of glass should be inspected for glass type, such as tempered glass, wire mesh or safety glass

Outer Structure

Page 14:

Ensure door strikes and strike plates are adequate and properly installed:

♦ Door strikes should be secured and properly fastened

♦ Door strike protectors should be installed on doors that require protectors or exterior doors

Inspect doors with exterior hinges that may be in a sensitive area of exposure:

♦ Normally doors that open out are the issue

♦ Doors that open out are easier to compromise

Outer Structure

Page 15:

Door frames should be strong and tight to prevent forcing/spreading:

♦ Inspect door frame to ensure the frame is plumb and level

♦ Ensure fasteners are tight and properly installed

Door locks should be in good repair:

♦ Inspect for rust or deterioration

♦ Inspect for proper operation

Outer Structure

Page 16:

Door locks should include a dead bolt with 1-inch throw:

♦ Measure the depth of the deadbolts

♦ Inspect door frames to ensure frame can support deadbolt force

Exterior areas should be free from concealing structures or landscaping:

♦ Inspect for "pony walls"

♦ Inspect for overgrown landscaping next to external windows

Outer Structure

Page 17:

Visitors should be required to sign in:

♦ Require a visitor’s log

♦ Require visitor identification badges

♦ Have an attendant oversee the visitor’s log

♦ Review the visitor’s log periodically

Outer Structure

Page 18:

Escort facility visitors:

♦ Create a policy on escorted and unescorted visitors

♦ Provide different color identification badges for escorted and unescorted visitors

♦ Require visitors to turn in identification badges after their visit

Outer Structure

Page 19:

Part II: Security Access Control and Closed Circuit Television

Access control systems are typically a scalable management solution encompassing complete access control, advanced event monitoring and administration auditing. Access control systems typically involve a central server or host for control and monitoring.

Page 20:

♦ Remote capability to lock and unlock doors

♦ Audit log of who used a door and when

♦ Audit log of when a door has been forced or held open

♦ Capability to restrict or remove access for a specific person or group

♦ Monitoring of room occupancy by intrusion-detection systems

Basic Access Control:
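One way to review such an audit log for forced doors, held-open doors and use of cards whose access was removed. This is an added example, not part of the original presentation and not C•CURE 800 code; the CSV layout, event names, thresholds and card numbers are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample journal in a hypothetical layout: timestamp,door,event,card
# (not the journal format of any real access control product).
SAMPLE_LOG = """\
2024-03-04T08:01:10,server-room,GRANT,1001
2024-03-04T08:01:12,server-room,OPEN,
2024-03-04T08:01:20,server-room,CLOSE,
2024-03-04T09:15:00,server-room,OPEN,
2024-03-04T09:15:30,server-room,CLOSE,
2024-03-04T10:00:00,lobby,GRANT,1002
2024-03-04T10:00:03,lobby,OPEN,
2024-03-04T10:04:03,lobby,CLOSE,
2024-03-04T11:30:00,server-room,DENY,1003
"""

# Assumed policy values for this example.
GRANT_WINDOW = timedelta(seconds=10)     # door must open within 10 s of a grant
HELD_OPEN_LIMIT = timedelta(seconds=60)  # door open longer than this is "held open"
REVOKED_CARDS = frozenset({"1003"})      # cards whose access has been removed


def review(log_text, revoked=REVOKED_CARDS):
    """Return (timestamp, door, finding) tuples for events worth a follow-up."""
    findings = []
    last_grant = {}  # door -> time of the most recent unused access grant
    opened_at = {}   # door -> (timestamp text, time) of the current opening
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, door, event, card = (field.strip() for field in row)
        when = datetime.fromisoformat(ts)
        # A removed card showing up at a reader is reported whether or not
        # the door released; a GRANT here means removal did not take effect.
        if event in ("GRANT", "DENY") and card in revoked:
            findings.append((ts, door, "REVOKED_CARD_USED"))
        if event == "GRANT":
            last_grant[door] = when
        elif event == "OPEN":
            # Each grant authorises one opening; an opening with no recent
            # grant is treated as a forced door.
            grant = last_grant.pop(door, None)
            if grant is None or when - grant > GRANT_WINDOW:
                findings.append((ts, door, "FORCED"))
            opened_at[door] = (ts, when)
        elif event == "CLOSE" and door in opened_at:
            _, opened = opened_at.pop(door)
            if when - opened > HELD_OPEN_LIMIT:
                findings.append((ts, door, "HELD_OPEN"))
    # Doors that never reported a CLOSE before the log ended.
    for door, (ts, _) in opened_at.items():
        findings.append((ts, door, "STILL_OPEN"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```
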

Page 21:

♦ Which manufacturer’s system to purchase

♦ How many facilities will be attached to the access control system

♦ How do you communicate with the access control system

♦ How many card holders will you have

♦ Who will administer the system

♦ What type of card technology to use (FIPS 201 compliance)

Access Control Selection Criteria:

Page 22:

Security Access Control System for the State of Nevada:

♦ Software House C•CURE 800

♦ Infinite facilities as required worldwide

♦ TCP/IP preferred and main communication utilized; also RS232/485, modem and cellular

♦ 250,000 cardholders (Expandable to 5000,000)

♦ Facility based administration or global administration

♦ Card technology is proximity (FIPS 201 compliance migration)

Access Control and the Nevada Access System (NAS)

Page 23:

NAS is a scalable security management solution encompassing advanced access control and high scale event monitoring

Nevada Access System’s main hub or server is a Software House C•CURE 800, which provides users with a scalable access control solution that allows added functionality and increased capacity as system needs grow

C•CURE 800 is a complete integration solution with unlimited application

Nevada Access System (NAS)

Page 24:

C•CURE 800 is a complete integration solution that reaches beyond traditional security. It provides integration with critical business applications, including Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS). Other integration applications include:

♦ Fire Alarms

♦ Intercoms

♦ Burglar alarms

♦ Environmental building controls

♦ Crystal reporting

♦ Time management or time tracking software

Nevada Access System (NAS)

Page 25:

Network capabilities. C•CURE 800 client workstations and iSTAR controllers can be placed directly on existing networks, with traffic transmitted across SilverNet and multiple WANs statewide

Open Architecture Support. The C•CURE 800 ensures universal support and enormous flexibility. As such, C•CURE 800 interacts with industry-standard databases, video recorders and cameras, and networks

C•CURE 800 is a complete integration solution with unlimited application

Nevada Access System (NAS)

Page 26:

C•CURE 800 Foundation Security Features:

♦ Event and Alarm Monitoring

♦ Database Partitioning

♦ Windows 2000 Professional, Windows Server 2003, Windows XP Professional for servers

♦ Open journal data format for enhanced reporting

♦ Automated personnel import

♦ Wireless reader support

Nevada Access System (NAS)

Page 27:

C•CURE 800 Advanced Security Features:

♦ CCTV Integration

♦ Enhanced monitoring with split screen views

♦ Escort management

♦ Card holder access events

♦ Single subscriber Email and paging

♦ Open journal data format for enhanced reporting

♦ ODBC support

Nevada Access System (NAS)

Page 28:

Benefits of the Nevada Access System:

Access control, audit, and convenience through the use of one access control card

Computer workstations, technical systems and door locks will have access control with audit capabilities, and convenience, with a single access control card or state issued identification card. This approach eliminates the need for quantities of mechanical keys and reduces the number of passwords an individual has to carry or memorize

Benefits of the Nevada Access System (NAS)

Page 29:

Standardizing of employee identification, recognition and verification statewide

NAS will provide a mainstay for access control support and technical assistance throughout the career and life cycles of systems

C•CURE 800 based user groups statewide to provide support among Departments, Agencies, Counties and other Municipalities

Benefits of the Nevada Access System (NAS)

Page 30:

Closed Circuit Television and Digital Video Management Systems

Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS) have made many advances over the years. The evolution of CCTV is an interesting history that combines the entertainment industry, consumer electronics and CCTV. The three are not a combination we would normally put together, but there is a strong parallel that has moved the industry to where it is today

Page 31:

The original CCTV systems were built using equipment intended for the use of the broadcast industry and industrial television

♦ Cameras were large

♦ Expensive

♦ Required high energy consumption

♦ Required frequent maintenance

History of Closed Circuit Television Systems

Page 32:

As a result of the high expense and the need to change tubes in the equipment, coupled with the heat generated by the equipment, service calls and service technicians made for a lucrative business. The high expense of CCTV installation and the cost of servicing the equipment made it possible for only the wealthy to afford such systems, since for most the cost of installation and maintenance outweighed the cost of the assets to be protected

In the mid-60’s, CCTV started to evolve as an industry. Two inventions facilitated this change and allowed the cost of installation and the maintenance of CCTV systems to become an affordable option. The Pan, Tilt and Zoom (PTZ) was invented along with the motorized lens. The PTZ function allowed the camera to move up, down and side to side. The motorized lens allowed remote control of zoom, focus and iris adjustment. These inventions reduced the number of cameras required to cover an area

History of Closed Circuit Television Systems

Page 33:

In the consumer electronics market, with amateur video taping, movie rentals and mass production, the video cassette recorder (VCR) became less expensive and lightweight. Soon the two technologies merged, creating the camera and recorder, or what we know today as the “Camcorder”

In the late 80’s, a mass market of products brought dramatically reduced prices and improvements in quality and availability. What was once enjoyed by the wealthy was now made affordable and available to the general public and industry

History of Closed Circuit Television Systems

Page 34:

It does not take an “expert” to design a usable Closed Circuit Television (CCTV) system. Some of the most usable CCTV systems have been designed by individuals who said time and time again, “I do not know anything about this, but shouldn’t we….” If you take a common sense approach based on the specific applications and needs of your organization, the basic placement of cameras can be accomplished, keeping in mind that cameras are like “people”: they can only see what “people” can see

Designing a Closed Circuit Television System

Page 35:

System use, Security or surveillance:

♦ Security is defined as watching objects or items

♦ Surveillance is defined as watching people

Will operators manage the system:

♦ Operators will be required for surveillance

♦ The potential for “large” storage may be required for security or the watching of objects or items (recommended seven days of storage)

Designing a Closed Circuit Television System

Page 36:

Camera selection and locations, indoors or outdoors:

♦ PTZ or fixed cameras

♦ If indoor cameras are used, are they covert or in plain sight

♦ If outdoor cameras are used, what is your outdoor climate

Storage of video:

♦ Hard drive storage or the network storage

♦ Video cassette recorder

Designing a Closed Circuit Television System

Page 37:

Common shortcomings of many CCTV systems

♦ Not enough cameras

♦ Cameras installed incorrectly or incorrect cameras installed for application

♦ No operator

♦ Not enough storage or improper media for storage

♦ Improperly trained personnel

♦ Neglected or improperly maintained systems, including cameras, power supplies, VCRs, DVRs, software applications and network connections

Closed Circuit Television Systems Designs

Page 38:

♦ Network traffic for IP cameras

♦ Network traffic with the Integration of CCTV and access control

♦ Improperly trained personnel

♦ Storage of video on site with specific hard drives or network storage

♦ Transfer of video files via email

♦ The downloading of updates for Windows-based DVRs

♦ The potential of viruses on Windows-based DVRs

IT concerns for Closed Circuit Television Systems

Page 39:

Part III: Power

Does the facility have multiple services from the power company

♦ Primary and secondary service in case of power loss

♦ Secondary services (if available) require a device called “Tie-breaker” in the electrical service main

Page 40:

♦ One to one transformer for power conditioning

♦ Main service(s) over-current protection, is it fused or manual/auto reset breaker

♦ Main service should be protected by adequate Ground Fault protection

♦ For electrical systems dedicated to computer systems, the main electrical service and distribution panels should have an isolated ground (i.e., orange receptacles)

♦ Is the use of “K” rated transformers for harmonics instituted within your facilities

Power Conditioning

Page 41:

♦ What is the intended use of the generator (emergency lighting, Computers or back up of the facility)

♦ Generator should be sized for the load

♦ Back up generators should be tested weekly, monthly or annually

♦ All generators should have strict maintenance schedules, with work performed by generator mechanics/specialists

Back Up Power Generators

Page 42:

♦ What is the intended use of the UPS

♦ Is the UPS sized for the load

♦ For UPSs of 5 KVA or greater, are they standby or in-use type (standby UPSs usually do not have power conditioners)

♦ What is the maintenance schedule for the UPS

♦ Is the UPS surge factor greater than 1.15

♦ UPS should include a feature to alarm when a low battery condition exists

♦ UPS should have remote alarm panels located in server rooms and security/maintenance office

Back Up Power Uninterrupted Power Supply (UPS)

Page 43:

Part IV Heating, ventilation and Air Conditioning (HVAC):

Is the facility equipped with the proper HVAC system

♦ Is the HVAC system sized for the current occupancy and heat/cooling load

♦ Was the HVAC system designed with electronic equipment in mind (heat load and humidity)

♦ Does the HVAC system connect to an environmental control system or direct digital control (DDC)

♦ Who provides programming and support for the HVAC application if the system is controlled by DDC

♦ Is the HVAC application on the network, and is it network dependent to operate

Page 44:

Server rooms and remote communication closets should have proper and separate HVAC Systems:

♦ Inspect HVAC system to ensure separate heating and cooling controls are within server rooms and telecommunications closets

♦ Within server rooms and telecommunication closets, are high and low temperature warning mechanisms present

♦ Are HVAC filters changed on a regular basis

♦ Is the HVAC system serviced on a periodic basis

♦ Is the HVAC system for server rooms and telecommunications closets on a back up generator

Heating, ventilation and Air Conditioning in server rooms:

Page 45:

Part V Life Safety: Fire Alarms

♦ Does the facility have a fire alarm system

♦ Fire alarm systems are required by law to be periodically tested (annually)

♦ Manual pull stations and horn/strobes must be located near the exits

♦ Fire alarm system should be attached to a UL approved monitoring service

♦ A representative from your organization should be responsible for the administration of the fire alarm system

Page 46:

♦ Does the facility have a fire sprinkler system

♦ Fire sprinkler systems are required by law to be periodically tested (annually, inspection tag looped on main valve)

♦ Fire sprinkler system spray heads shall not have any object within eighteen inches (18”) from the spray head vertically and two (2) feet horizontally

♦ Server rooms should have an emergency power shut off switch at the exit doors to shut down power in the event a water fire suppression system is activated within the room

Fire Suppression:

Page 47:

♦ Does the facility have fire extinguishers

♦ Fire extinguishers should be periodically tested (annually, by licensed and certified personnel)

♦ Where are the fire extinguishers located and are they depicted on an emergency evacuation plan

♦ Personnel should receive training on fire extinguisher use. A quick reference is the word PASS:

♦ Pull

♦ Aim

♦ Squeeze

♦ Sweep

Fire Extinguishers:

Page 48:

Challenges that face many security integrators are the lack of administrative authority on a network (for good reason) and the lack of understanding of a network or the dynamics of an organization’s network

Key questions to ask an integrator when a system is to be installed:

♦ Will the system and application require administrative rights on a machine or the network

♦ How does the system communicate (TCP/IP, RS 232/485, modem, etc.)

♦ Does the system require a software application? If so, how many client/nodes are allowed

♦ Who will retain the software and software license

Integrator Challenges and IT Resources:

Page 49:

♦ How much bandwidth will be consumed by the system or application

♦ How much data storage will be required for the system

♦ Is the system capable of running if the application loses communication

♦ Will the integrator retain an administrative account on the system

♦ Will the integrator have a remote connection to the system, during and after the project

♦ What are the recommended specifications of the host or server machine

Integrator Challenges and IT Resources:

Page 50:

Management and Planning of IT Based Physical Security

Discussing the challenges ahead:

The challenge that currently faces many organizations is finding a balance between physical security personnel with knowledge of IT systems and physical security solutions that are IT dependent.

For physical security IT systems, the ratio of physical security knowledge to IT knowledge and background required is eighty/twenty (80/20): eighty percent physical security and twenty percent IT system based background knowledge.

Many IT organizations assume the responsibility of an IT based physical security system while understanding approximately twenty percent of the system.

Page 51:

Access Control and the State of Nevada

Challenges for the State:

Through shared resources such as the Nevada Access System, IT organizations on a statewide level can assume the responsibility of an IT based physical security system with greater understanding and support.

With challenges ahead such as Federal Identification Process Standard 201 (FIPS 201) and the Real ID Act, shared resources will become invaluable to the success of our statewide programs.

Currently no one person or organization has the answers; with constantly changing standards and never-ending technology, it is nearly impossible to keep up. I invite each of you to join together to assist in the progress of physical IT security, allowing for consistency statewide.

Page 52:

Physical Security and IT resources

Brian Hunt

Physical Security Specialist

State of Nevada

Department of Information Technology

Office of Information Security

(775) 684-7349 Office

(775) 687-1155 Fax
