Security Professionals involved in the acquisition and deployment of security equipment have more to add to their checklists these days. How so? As the devices we use to secure facilities have improved over the last two decades, these same devices have also introduced new security challenges. A misstep today has the potential to sideline your security program in ways you never would have imagined just a few years ago. Let’s take a closer look at the areas of concern.
First, we’ll briefly look at security equipment and how it has changed over the last couple of decades.
Still in use today and a great example of a standalone security device, we have the Detex ECL-230 Exit Control Lock. This device is among the simplest of security devices and goes back many years. Completely self-contained, it is a battery-operated alarm that secures a door from outside access, but allows inside egress in the event of an emergency. This Detex security device is a good example of the simple end of the security equipment spectrum. Certainly it still has its place in a security toolkit, and of course it is not completely without need of attention—as regular checking of the battery and integrity of the locking mechanism (along with continued proper installation to the door and door frame) are needed. But, all in all, consider this device as our example of “old school” security.
From there we are going to fast forward a bit through other types of systems in use for security equipment, touching on just a few. Our goal is to get to the other end of the spectrum—publicly accessible networked security devices. But first, let’s look at another piece of security equipment still widely in use.
Burglar alarm systems historically have been one of two types—local or monitored. A local system generally consisted of a control panel tied into building power and backed up by a battery. From the control panel, wiring runs to field devices including door switches, motion detectors, sirens, keypads, and other system devices. An alarm event would occur when a field device was activated on an armed system—triggering the siren or other notification components. The goal of a local system is often to draw attention to the breach and/or scare off the intruders.
A monitored system is configured exactly the same, but uses a phone line dialer to transmit the notification of the alarm to a central station or other monitoring point—where action, including calling local authorities for response, can take place.
Of course today there are many varieties of burg systems—and most security professionals know the days of a monitored system over POTS (Plain Old Telephone Service) phone lines are numbered as everything moves to digital. But for this history lesson on the changing nature of security equipment, we use the example to show that your security checklist for burg systems like these had to include a “walk test” to verify device functioning—and for a monitored system, should include a dialer test. But, all in all, the systems are quite simple, with all wiring dedicated, one power source, a battery, and that was about it—aside from protecting the phone line for a monitored system.
Video Surveillance Cameras have evolved. At many a facility it is still common to see cameras that are not recording any activity and are nothing more than a signal running back to a monitor in a back office—used to watch a shipping dock or restaurant lobby. In a similar sense we have Card Access Systems that, in their earliest and simplest stages, are nothing more than replacements for keys in some facilities as they are issued without regard for any settings for policies, rules, auditing, or schedules.
Today’s Equipment & Challenges
This article, however, is designed to move beyond all of those core systems (which still make up the overwhelming majority of all installed systems) and move into the rapidly evolving side of this security equipment. Much of what I have outlined thus far has been focused on standalone, local, non-integrated systems. While they must be managed by Security Professionals, they certainly pose far fewer risks than the systems the industry has steadily been moving to in the last decade.
But today’s Security Professionals have to get much more involved in managing facility security equipment. And, importantly, they also need to be more involved in equipment that may not be seen as security equipment, but poses a security risk to the organization.
In other words, we have TWO issues here, but both are tied together. We have security equipment that has become integrated into facilities in such ways that very little of it in newer systems is considered “standalone.” Most of it is now networked—either on the facility LAN, company WAN, or even based remotely in a cloud environment. This applies to even our most basic security systems, such as: burglar alarm systems, video surveillance systems, and card access control systems.
Additionally, we have the second issue—devices, or applications, that are not often thought of as security devices or applications, but that may pose security risks to our companies. The latest item in the news that is a great example of this category is an Ethernet switch posing a major security risk. In this case, the company is RuggedCom, a maker of IT switches and routing equipment that they market as being “Industrially hardened, mission critical, with advanced cyber security built in.” However, what was found and reported to the company nearly a year ago was an intentionally created “backdoor” (summarizing: a backdoor is a method to circumvent security or authentication on IT devices or applications—they can take a variety of forms). The backdoor was a factory username and password instructions that would always work to control the device. In effect, anyone who learned of this information could control this device. This device, being an IT switch, effectively would give access to an entire network if breached in this fashion. As you might imagine, having IT equipment that doesn’t have proper security protocols is a big deal.
What About Your Equipment?
So, the message is this: as Security Professionals, you do have to be looking at these systems in ways you may not have considered in the past. The issue of cyber security has become a huge concern. Certainly, this entire article is super-simplified for any IT Security members reading it, but it is intentionally so for so many others. Cyber security is where the “new” intruders—not the intruders whom you’ve protected against for years with video surveillance and alarm systems—are now coming from. You have to look at intrusion threats in an entirely different manner today.
They are coming from every direction. Even while writing this article, I was notified of an “urgent” security threat to software I am using in a business endeavor. As a result, this article is a day late in being completed as all my efforts had to focus on taking actions to mitigate my own business risk. This is how deep the cyber security issue has become—where so many aspects of business are being touched by it—and it is making the work of Security Professionals take on many new dimensions.
Consider your own security equipment in this light. Think about the software for your DVR or your VMS for your video surveillance. Think about the Access Control system you use for your facilities.
I suspect that many vendors have backdoors in their equipment—and with so much of that equipment (such as your video surveillance and access control) now being connected to the network, we are sure to learn of more factory “backdoors” like the one mentioned earlier from RuggedCom. While I’m no IT security expert, I think we’ll find that a need to access networked devices when credentials are lost will require physical presence and manipulation at the device—not merely running a remote program.
But, back to your own security equipment, such as your video surveillance system. I can tell you it is not unusual for security integrators to install systems and set them up to be remotely accessed for support purposes (often without end user knowledge). How does that fit into your security program? Do you allow it? Do you know if it’s happening?
My own thought is that most cases of remote support should require some interaction from the customer when it comes to authentication. In other words, you need a mechanism to ensure YOU control when remote access is allowed and when it is not—I would advocate that it be opened up for an incident and removed after the incident.
There is little need to give an integrator or manufacturer unfettered access to your Video Surveillance Network—which, depending on the system, may include giving them administrative access to your entire network. And the reasons for my concern are many. Not just the security integrator perspective, but even more so the concern that if a remote support tunnel is set up and waiting for a connection, it is one more vulnerability that a hacker can find and exploit in ways that may affect a great deal more than just your video surveillance network.
In a similar vein, many security integrators offer a “service” for your card access systems. The integrator offers to create credentials, schedules, and rules for new employees and remotely accesses your card access system to do this. Again, just like the Video Surveillance example above, even if sold to you as a service, the ability for anyone to remotely access your network without you first taking an action to allow it has become a very large risk.
The long and short of this article is to suggest that Security Professionals need to be thinking along these lines when it comes to managing security equipment. The equipment has changed and so has its implementation and integration.
With that have come risks we may think belong to the IT department. I question that line of thought and this article has been designed for you to also question it—not just for the security equipment and devices you’ve always been directly involved in managing. You now need to also consider those “other” elements of your facility that are used by other departments (largely IT, but not exclusively). Those devices, systems, and applications are filled with security risks and Security Professionals need to get involved in seeing that these risks are addressed.