Thursday, September 6, 2007

Keyboard physical security

As I mentioned in my earlier blog, one of the ways to control on-site access to the electronic control systems at a chemical manufacturing facility is to physically control access to the keyboards on computers and workstations that provide access to that system. This type security system usually appears to be the easiest to implement, but can be very complex operationally and frequently meets with the most opposition.

 

The first thing that must be done is to determine what computers and workstations have operational access to the control system. If the system has been established for a period of time, this system access inventory may turn up a surprising number of computers at the facility that have been allowed access to the control system over the years. Once the inventory of keyboards has been done, management will need to review the list of users to make sure that access is limited to those who actually require access for routine completion of their duties; then access should be reduced to just those that need it.

 

The Facility Security Officer (FSO) should keep a list of the people authorized access to the control system and add their names to the list of personnel that require background checks. One of the risk-based performance standards that DHS will require high-risk chemical facilities to address in their Site Security Plan (SSP) will be a personnel surety program {Section 27.230(12)} that provides for background checks for personnel authorized unaccompanied access to security critical areas of the facility. DHS will assist in the clearing of personnel against known and suspected terrorist lists, but each facility will be responsible for selecting, implementing, and justifying the level of other checks required.

 

Provisions then need to be made to physically secure access to those keyboards attached to computers or workstations with access to the control system. Effectively this means that only those people on the authorized access list should be able to get unaccompanied access to those keyboards. The simplest method is to keep the keyboards locked up in some manner. For computers in a cubicle or open bay where people who are not on the authorized access list also work, the keyboard will have to be locked in a desk drawer or container when it is not in use. This is probably easiest with wireless keyboards. Where the computer or workstation is in a room that is only accessible to authorized users, the keyboards may be kept out in the open, but the doors/windows to the room must be kept locked when no authorized user is present.

 

Where keyed locks are used to secure the keyboards or control rooms a key control system needs to be established. While there are a variety of systems available for key control they all have a couple of general procedures in common. First one person (usually the FSO) is responsible for maintaining the system and its records. That person has a lockable container for storing the master key set and any keys not currently in use; it is probably a good idea to have a current list of authorized users in the same container. Each person that requires a key, and is authorized unaccompanied access to the keyed area, is required to sign for each key issued. Regular and periodic, physical-inventories of all keys need to be conducted and documented. Provisions have to be made for changing locks any time a key is lost. Finally, a documented procedure and inspectable files go a long way to convincing an inspector that you have a workable and reasonably secure key control system.

 

A biometric access control system can be used in place of keyed locks to limit access to keyboards or control rooms. Most of the systems described in the GCN article can provide adequate security for such areas. Most of the requirements for a proper key control system also apply to a biometric access control system; except that the requirement to maintain keys and conduct periodic key inventories may not be required. Any reputable supplier of these systems can assist an organization in establishing the controls for the system and preparing the necessary documentation and records requirements.

 

Training is a key component to any access control system. All personnel working in the facility need to understand the need for controlling unaccompanied access to security critical areas and understand what those areas are. Personnel that are not authorized unaccompanied access need to understand that it is not a lack of trust that prohibits them from entering one of these areas by themselves, but rather the fact that their jobs do not require that they have unaccompanied access to some areas of the facility. Personnel with unaccompanied access clearance need to know what their responsibilities are in allowing other people into restricted areas and controlling their actions while they are in that area.

 

Finally, management in general, and the FSO in particular, need to establish a mechanism to ensure that the procedures are being followed. Management should include these access procedures in their periodic audit process. Each level of management in the facility should be responsible conducting and recording audits of the access procedures on a regular basis. The FSO should include in his daily walk around checklist a requirement to watch at least one person enter each restricted area in the facility to ensure that the procedures are being followed.

 

Using physical security procedures to limit access to security critical control systems is usually the low cost alternative if keyed lock systems are employed. These procedures do require a significant level of management interest to ensure that the procedures are not being bypassed in the name of expediency or efficiency.Bypassing any security procedure is a bad idea, but with the extent that automation is being employed in the chemical industry, not limiting access to the electronic control systems provides a very large hole through which potential terrorists can drive home their attacks.

No comments:

 
/* Use this with templates/template-twocol.html */