When Physical Security Meets Information Technology
Whenever the topic of security appears, one often thinks of firewalls, anti-virus, SIMS, and much more. However, increasingly IT departments are now in charge of systems that were once segmented. IP Cameras, Access Control for doors/gates, log entry/ exit systems, and building management systems which manage HVAC, and lighting controls are a normal part of the IT infrastructure. Therefore, besides the role of integrator what other role should IT take?
The first is to make sure IT has a seat at the table. For large organizations, this can be the CISO and for smaller organizations, the CIO or dedicated IT manager. For security to be functional, it simply cannot mirror what has happened in the past. It needs to take a new, active, and progressive role in the organization. Take for example, an access control system which manages door security. Before the days of technology, keys were handed out to employees who needed access and if a key was lost, the entire building needed rekeyed. Now if an access control system was implemented, you can still pass out key cards/fobs, etc. But maybe now you give them specific hours/ days for which they can access the building. You can even go as far as to ascertain reason codes for off hour access. Therefore, its critical IT be seated at the table to discuss these functions.
Another need is to ensure your organization has a security framework (NIST, NERC, ISO, etc.) in place. Although discussing security frameworks lengthy, the selection and implementation of a framework will ensure any physical security you put in place has the required safeguards for rollout. The problem here is not necessarily which framework an organization chooses, but rather verifying any physical security you have in place now matches those same security protocols.
Always make sure IT has a seat at the table, a security framework has been chosen, and policies and procedures are created for those systems
The next step is to work with your stakeholders and ensure you create a policy for those physical systems whether they be cameras, building management systems, or access control systems. As a CIO, I have implemented several large scale IP Camera systems. The issue was not setting up servers, but rather who would have access and at what level. The new digital camera systems can isolate which cameras which personnel have access to at a particular time. There are other options such as what access rights should they have. A policy concerning a building management system is generally of paramount importance as well. Now that facilities management staff can change temperature and lighting of buildings from their office does not mean policies should not be followed.
Ensure the IT staff and the respective department managing that particular application have an agreement about what IT can and cannot access. For example, just because IT has the capability to potentially access every camera, safeguards should be in place so that does not necessarily happen.
Once you get all the paperwork and policies out of the way, ensure your infrastructure is built properly for all of these systems. For example, IP camera systems can be tricky, but the planning on your backbone and your infrastructure is key. Although there is no single approach, make sure your network has the capacity and bandwidth to install multiple cameras with multiple HD streams going to a server. Consider segmenting your camera system onto a separate VLAN to keep it from the other networks. Once the network is configured, verify your server is setup properly and has adequate disk storage. Whatever method you use to calculate, always go higher. Always plan farther than the initial rollout. Even when a camera system is installed or replaced, IP camera additions are easy, but ensuring you have the hard disk to retain that data is difficult. In addition, make sure the clients that access that camera system also have adequate processing power on their PC to view those images, otherwise, the best laid camera system will look terrible to your end user. Scaling for access control and building management systems can be equally complex. Deciding whether separate VLANs or networks need to take place is important and what the BACnet (building automation and control network) protocol is or how it is run is crucial to building that infrastructure. Once those systems are in place, do not forget how those systems will be backed up and how remote access will be accomplished for those vendors working on the systems.
Overall, when physical security meets information security, the two categories are not separate, but should be combined to create a holistic approach to solutions for your organization. Always make sure IT has a seat at the table, a security framework has been chosen, and policies and procedures are created for those systems. The processes described above won’t necessarily be linear, you may create a policy, choose a system, and then go back and alter the policy. That process is fine as long as you take a 360 degree approach for implementing those solutions and not only look at all the angles but revisit them, not once, but continually just like any other security methodology.