Wednesday, September 5, 2007

Biometrics for Security

In an earlier blog I wrote about a then-upcoming teleconference about the use of biometrics for enterprise security. Unfortunately, I missed the teleconference, but I understand that it was pitched more at corporate and IT management decision makers than at the people who would be affected in a chemical security situation. I recently ran across an article in Government Computer News that provides some more useful information about how to choose a biometric system. There is a lot of information in the article, and it serves as a good introduction to how such a biometric access control system could be used as part of a security plan for a chemical manufacturing facility.

A variety of electronic control systems are extensively used by the chemical manufacturing industry. In almost every case where these systems are employed, they are going to end up being identified as a security critical system when the facility does its Security Vulnerability Assessment (SVA). As such, the facility will have to address the security of such systems in its Site Security Plan (SSP). While a great deal of the security emphasis will be placed on restricting outside (i.e., off-site) access to these systems, there is also going to have to be a hard look at keyboard access in control rooms and offices on-site.

Most facilities probably use some form of log-on access to their control systems. When the computer or workstation is turned on, a log-on screen familiar to most corporate computer users requires the operator to enter a user name and password before the system will allow access to the control system. In most control rooms, workstations are passed from shift to shift with no change in log-on. Even where an on-coming shift is required to re-log the workstation onto the system, most systems do not require the operator to log on to the workstation again after a period of absence from the keyboard. This means that there is only limited keyboard-level security on the control systems.

Additionally, there are usually multiple people on the facility engineering and maintenance staffs who have varying levels of access to the control system outside of the control room. These people usually turn on their computers (and log on) when they arrive at work and turn off their computers when they leave for the day. While some people program their systems to require that they log on again after anything more than a brief absence, it is not unusual to find a live screen (and keyboard) in multiple locations in office areas at the manufacturing facility. Many of these computers have some level of access to the control system.

Most people in a chemical manufacturing environment see nothing wrong with this type of access control to their vital control systems. They reason that the only people with physical access to the keyboards are employees or trusted contractors, so there is not a security issue involved. What they do not realize is that security professionals are more worried about insider attacks or insider-assisted attacks than they are about attacks committed solely by outsiders. This is a reason that one of the risk-based performance standards that DHS will require to be addressed in the facility’s SSP deals with background checks on all personnel with access to critical security areas in the facility.

There are a couple of different ways that a facility can deal with this keyboard security issue. First, it could physically secure the keyboards so that only specifically designated personnel would be able to have unaccompanied access to the rooms in which the keyboards are located. Another way would be to electronically limit access to the keyboards. Finally, a third way would be to electronically limit access to specific security-related actions within the control system. Each of these methods could provide adequate security under the proper conditions, and each of these methods could be based on biometric access controls.

The advantages and disadvantages of these access control systems are more complex than can be dealt with in a single blog, so I will look at these varying systems in more detail in future blogs. Each facility will have to determine which system or combination of systems is most appropriate for its situation.
