information security technical report 12 (2007) 8084

available at www.sciencedirect.com

www.compseconline.com/publications/prodinf.htm

Risks due to convergence of physical security systems and information technology environments
E. Eugene Schultz
High Tower Software, 26970 Aliso Viejo Pathway, Aliso Viejo, CA 92656, United States

abstract
The areas of physical security and information technology (IT) are often if not usually worlds apart. The same is true for physical security and IT security; in most organizations separate functions for physical security and IT security exist. Because these functions are in place and because they at least in part achieve their goals, management tends to perceive that major risks they try to mitigate are being addressed. Convergent security risks in physical security systems and information technology (IT) are, however, almost without exception overlooked. Physical security systems and devices, process control systems, and IT infrastructures are being integrated without sufcient consideration of the security risks that the increasing intermingling of these systems and infrastructures introduces. Serious security-related incidents due to unmitigated physical convergence risks are starting to occur. Adequately dealing with the convergence problem requires organizations to implement multiple solutions. 2007 Elsevier Ltd. All rights reserved.

1.

Introduction

Physical security systems have become commonplace in workplace and other settings. Lobbies of ofce buildings and banks frequently have closed circuit TVs that record who enters and exits. Electronic access control systems such as systems that work in connection with RFID chips, smart cards, and biometric devices are becoming more widely deployed. Few of todays workplace settings are without alarm and sensor systems. When these systems and devices were rst developed, they were almost without exception standalone. Deploying them was relatively easy; they needed to be placed in the appropriate location (often mounted on a wall), wired, and plugged in. Today much has changed. Most physical security systems are now distributed systems consisting of components such as sensors that are physically separated from other components such as central processors. Networks are

also almost without exception now used to connect these physically disparate components. At the same time, information technology (IT) infrastructures have grown immensely. These infrastructures now routinely include large numbers of workstations, servers, network devices, and networks that not only connect internal hosts and devices to each other, but also provide intranet and extranet connectivity. In many respects IT infrastructures have become so massive and dynamic that they are functionally out of control; network administrators are typically unable to keep up with the many changes that occur almost incessantly in networks. A network map that is current at one particular point in time is likely to become out of date in only a few hours. The primary purpose of this paper is to initiate a dialogue between information security professionals and physical security and process control managers concerning security risks

E-mail address: eeschultz@sbcglobal.net 1363-4127/$ see front matter 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2007.06.001

information security technical report 12 (2007) 8084

81

regarding the introduction of physical security and process control systems within an organizations network. This dialog is intended to lead to identication of these risks and their magnitude as well as to recommendations for managing these risks.

2.

Related work

Many papers addressing threats and risks to physical security and other systems such as SCADA (supervisory control and data acquisition) systems have been published over the years. Recognition of security risks resulting from convergence between physical security and other systems with IT environments is, however, just beginning to occur. As such, few publications about this problem currently exist. The rst paper mentioning this problem was written by the National Research Council, which pointed out that a regional transmission grid failure could happen if damage or destruction to critical components of the grid resulted in a cascading malfunction of interconnected components (National Research Council, 2002). Security incidents were mentioned as a potential cause of damage or destruction. A paper by Mehdizadeh presented a case for converging logical and physical security and made recommendations concerning how to do so, although it did not specically address the issue of vulnerabilities resulting from the convergence of physical security and other systems with IT infrastructures (Mehdizadeh, 2003). The Alliance for Enterprise Security Risk Management published an analysis of the physical convergence problem and recommendations for dealing with it (Alliance for Enterprise Security Risk Management, 2006). Schultz wrote a short analysis of the same problem designed to give information security professionals a high level view of the physical convergence problem (Schultz, 2006).

Despite the reality that some degree of logical overlap exists between physical security and IT (and also IT security), these functions tend to be very much separate from each other. Physical security is often a separate group that reports to a senior executive, whereas IT is usually a self-contained organization under a chief information ofcer (CIO). Physical security and IT security are typically also very disparate functions. If a physical security function that manages most physical security risks to the point that thefts of physical assets and incidents involving unauthorized physical access are few, senior management tends to feel that physical security is under control. The same applies to IT and IT security if computing and networking work reasonably well and if no major information security-related incidents occur, senior management is likely to feel that these areas are under control. Senior management is, however, likely to overlook an extremely important area convergent security risks in physical security systems and IT infrastructures. Security-related risks associated with deploying systems and devices used to boost physical security and to support process control are increasing because progressively more they are connected to mainstream networks. Systems and devices used for physical security and process control have for the most part not been all that conducive to security in the rst place. This was originally not much of a problem they were simple, isolated, and protected by physical security measures. The fact that these systems and devices are now being connected to networks has increased security risks to the point that costly and disruptive security-related incidents could easily result. An attacker can, for example, either locally or remotely target the systems and devices. The potential for unauthorized local access is nothing new, but the potential for unauthorized remote access now exists because these systems and networks have become connected to organizations networks, networks that interface with the Internet, intranets, and extranets. Unfortunately, these new risks are too often overlooked.

3.

The problem

Physical security systems are almost always under the purview of a physical security function that is charged with assessing and mitigating risks in large part resulting from the necessity of allowing physical access to employees, contractors, and visitors. This kind of function is usually managed and staffed by individuals who have had training and experience in law enforcement. At the same time, however, even though physical security systems have evolved considerably to the point that they are now sophisticated computing systems connected to networks, physical security staff members are not likely to have much training and knowledge in computing and networking, let alone information security. The IT function is responsible for ensuring that the infrastructure and components necessary for processing, storing and distributing information are in place and operating efciently. IT staff have considerable knowledge concerning computing, networking, and programming. Some of them, especially system and network administrators, are likely to have training and experience in information security, but they often know virtually nothing about physical security and physical security systems.

4.

Convergent risks

A variety of security-related risks result from the convergence of physical security and other systems and IT environments. These include:  Tampering with or disabling physical security and process control systems. Perpetrators may be able to not only locally access these special systems, but they may also be able to remotely access them (e.g., from the Internet). With access to these systems, perpetrators may be able to bypass physical access controls, or open and shut doors in facilities, or cause physical security and process control systems to shut down or function improperly to the point that they result in dangerous working conditions. The fact that many physical security and process control systems still have crude and ineffective security controls that are in effect legacy mechanisms from previous decades when they were not connected to networks is particularly noteworthy in this context. If systems have poor security, but threat levels

82

information security technical report 12 (2007) 8084

are minimal, the overall risk is small. If on the other hand systems have poor security, but threat levels are much higher due to widespread connectivity, the overall risk is considerably higher. Using unauthorized access to physical security or other systems to gain unauthorized access to systems, devices, applications, and databases within the network. Physical security and other systems are not the only potential victims of attacks that capitalize upon vulnerabilities that result from convergence. Attackers can gain unauthorized access to physical security and other systems to attack assets and resources elsewhere in the network. Using unauthorized access to physical security or other systems to gain unauthorized access outside of the network. Unauthorized access to physical security and other systems can also result in ability to attack assets and resources outside of an organizations network. The potential result is liability to lawsuits initiated by victims of such attacks and a much greater potential for loss of reputation because of the publicity surrounding such incidents. Denial of service attacks. A wide variety of denial service attacks can be launched from inside or outside of the network to which physical security and other systems are connected. Once again, physical security and other systems could be the targets of such attacks, or they could be the points from which these attacks originate. Data and credential capture attacks such as snifng and keystroke logging attacks. Network access originating from physical security and other systems or from anywhere else in the network could be used to glean information entered or sent across the network. Such information includes data that users enter. Additionally, attackers could harvest authentication and authorization credentials and then use them to gain access to systems (including physical security systems) and applications throughout the network. Identity thefts could also result if attackers were able to glean social security or credit card numbers. Integrity attacks. With unauthorized access to networks to which physical security and other systems connect, an attacker could launch integrity attacks against these systems in which data recorded by cameras and access control devices could, for example, be deleted, thereby erasing evidence that could otherwise be used to identify and prosecute physical intruders. Additionally, the integrity of systems, devices, applications, and databases within the network could be damaged by an attacker who gained access to the network by exploiting vulnerabilities in physical security and process control systems.

5.

Case studies

Two case studies that are very different from each other serve as excellent examples of how the convergence of physical security and other systems with IT infrastructures has resulted in unmanaged security risks.

5.1.

Case study 1

The MS Blaster worm, which infected over a million Windows systems in 2003, infected Windows-based plant process control systems at certain power plants in the Northeast US. These power plants were part of the national power grid structure. Many of the systems had not been patched for the vulnerability that MS Blaster exploited. When systems became infected, they spewed massive amounts of trafc in an effort to infect other systems, causing a severe network slowdown that adversely affected their performance. Power outages in the Northeast and Canada resulted. The systems functionality depended on network connectivity, thus exposing them to convergence-related security risks.

5.2.

Case study 2

It is thus important to realize that risks that result from vulnerabilities due to convergence between physical security and other systems and the IT environment are multi-directional. Vulnerabilities in physical security and process control systems can be used to gain unauthorized access to, damage, and/or disrupt these systems as well as other systems and devices within the network. Vulnerabilities in systems and devices within the network can also be used to gain unauthorized access to, damage, and/or disrupt physical security and other systems as well as other systems and devices connected to the network.

The UK has issued more than three million passports that incorporate RFID chip technology in response to a US requirement that travelers to the US from countries participating in the US visa waiver program either have such passports or apply for a US visa. The RFID chips contain the holders personal identity information and a digital representation of the holders physical features. The passports are protected by 3DES encryption, the key for which is derived from the passport number, the holders birthdate, and the passport expiration date, all of which are in cleartext and can easily be read by a variety of devices. The UKs passport program has come under considerable re because once the passport number, birthdate, and expiration date are obtained, breaking the 3DES key is not difcult. Although information security professionals have identied a major vulnerability in the RFID chip-based passports, sadly they have overlooked a security-related issue that is at least as important. The new passports must be read by special readers that display biometric and other information to immigration ofcials. The readers are connected to special airport networks that connect a large number of computers and devices used by government agencies and airport personnel, thereby introducing a large number of security-related risks. Someone could, for example, launch a denial of service attack against these networks, making immigration ofcials unable to process incoming travelers who are not US citizens. A clever perpetrator could also remotely alter a readers output such that a notorious terrorist could easily pass the hi tech passport checking process.

6.

Recommendations

The problem of convergence between physical security and other systems and IT infrastructures has a huge potential

information security technical report 12 (2007) 8084

83

impact on organizations around the world. Responding appropriately is thus imperative. The following recommendations provide guidance concerning how to respond:  Gather knowledge. It is impossible to respond appropriately to the physical convergence problem without knowing exactly what it is. A good starting point in learning more about the problem is to understand the technology in special systems such as physical security systems the computer-related functionality, whether network connectivity is built in and if so, what type(s) and how much, how and how easily the systems can be accessed (locally and remotely), the types of security mechanisms that are incorporated into the systems, how resilient the systems are, the types of data within the systems that can be accessed, and more.  Conduct risk analyses in which risks resulting from convergence between physical security and other systems and the IT environment are identied. Risk analysis is the beginning point of building an effective information security practice. Resources that could be affected by the convergence problem and the value of these services to an organization must rst be identied. Vulnerabilities that could be exploited as well as threats that could manifest themselves and the likelihood of each must also be identied. Regularly conducting penetration tests that target physical security and other systems from points around the network to which they are connected and as well other systems and devices within the network from physical security and other systems should be an integral part of the risk assessment effort.  Communicate the problem to senior management and the audit function. Senior management needs to know about the convergence problem because of its potential egregious impact upon an organizations business and operations. Having senior management understand the problem and its consequences will also increase the likelihood that it will provide resources for countering the problem. Auditors, too, need to become aware of the problem so that they can include convergence-related issues in audits they conduct. Audit ndings often provide huge impetus for change.  Develop policy provisions that address convergence issues. An organizations information security policy is the embodiment of high level requirements to which managers, technical personnel, and all users are expected to conform. Convergencerelated issues are different in numerous respects from mainstream security issues; policy provisions for addressing the former are thus often necessary. At a minimum, one provision should state that each component of physical security and other systems needs to meet the minimum security standards required for connecting to the network.  Design, implement and test appropriate security measures. Appropriate security measures needed to address convergence-related risks will vary across different settings and organizations. Some of the necessary measures are technical. Insulating components of physical security systems from the rest of the network by placing these components in dedicated subnets that are not proximal to subnets in which critical business and other servers are located and then placing a rewall at the entrance to the subnet(s) to which these components connect is one such measure.

Requiring that levels of auditing on special systems be increased and that audit logs be carefully inspected every day is also appropriate. Improving physical and personnel security is still another effective security measure to address convergence-related risks.  Integrate physical and logical security. As Mehdizadeh advocates, physical and logical measures need to be integrated wherever possible if they are to be maximally effective. Adhering to this principle would also go a long way in addressing physical convergence risks. Many of the risks to physical systems are logical in nature, and many of the risks to logical systems are physical. Developing closer working relationships between the physical security and information security functions within an organization would provide an excellent way to identify and implement ways of integrating physical and logical security.  Establish a dialogue with vendors concerning the problem. Many of the vulnerabilities in special systems such as physical security systems are the direct result of vendors having designed and built these systems under the presumption that they would be standalone systems. Security features that are normally built into other systems are thus often missing in these special systems. Additionally, functionality in such systems has expanded over time; with greater functionality invariably come more ways for perpetrators to successfully attack systems. Finally, although functionality has expanded, security functionality generally has not expanded proportionally. It is extremely important, therefore, to establish a dialog concerning the physical convergence problem with vendors. Vendors need to become aware of physical convergence-related security issues and need also to be pressured into improving security functionality and eliminating the vulnerabilities in their products that exacerbate convergence-related risks.

7.

Conclusion

We are in many ways looking at the tip of the iceberg when it comes to physical convergence-related security issues. Although an uncomfortably wide gap between the level of security controls currently in place and the security controls that are needed to adequately reduce risk exists, this gap will inevitably only become larger over time. It is imperative, therefore, that organizations start carefully looking at the physical convergence problem and then create a realistic action plan for addressing it. At the same time, there has been little if any research on the physical convergence problem. Research funding agencies would be well-advised to start soliciting research proposals in this area and to provide funding to researchers who appear capable of delivering promising research results related to ways of effectively identifying and mitigating physical convergence-related security risks. As the National Research Council asserted, special systems as well as other types of systems connected to the same networks provide a target rich environment for would-be evildoers. Research can and will provide answers to many of the issues that must be addressed.

84

information security technical report 12 (2007) 8084

references

Alliance for Enterprise Security Risk Management. Convergent security risks in physical security systems and IT intrastructures. Available from: <http://www.isaca.org/ ContentManagement/ContentDisplay.cfm?ContentID 29115>; 2006.

Mehdizadeh Yahya. Convergence of logical and physical security. Available from: <www.sans.org/reading_room/whitepapers/ authentication/1308.php>; 2003. National Research Council. Making the nation safer: the role of science and technology in countering terrorism. Washington, DC: National Academies Press; 2002. Schultz Eugene. Special systems: overlooked sources of security risk? Comput Secur 2006;25(3):155.