Friday, August 22, 2008

Electronic Security Networks

Last week John Honovich posted an interesting article on this web site dealing with the value of megapixel camera. The article is informative and provides some links to interesting camera views of actual cameras in the field. The article is well worth reading by any security manager looking a installing or adding to a video security system.


One of the things that I like about John’s site is that he provides a forum for reader feedback and discussion. It provides for alternative view points other than just John’s. It also provides an easy way to ask for additional information and clarification.


Security Networks


On this particular article there was a response by a reader, Monk. Among other things Monk noted:


  • “I'd love to hear what people, in particular IT folks, are saying about these new cameras. It seems they will either be VERY excited about it, due to the control they can have over Security Resources, OR, they will completely be against the possibility, and Security will be forced to install and support their own LAN for the purpose of the new cameras...”

Monk’s comment brought an odd thought to my devious mind. As more and more security systems, including video monitoring, are put into place, they seem to be connected to the company computer network. That network may be used for communications links between sensors/cameras and a central monitoring station, or sharing security observation/detection information with various corporate entities. This is much the same thing that has been done with SCADA systems.


One of the complaints that we have seen about SCADA systems is that, through their interconnections with the corporate network, these systems have become vulnerable to outsider penetration and control. If that is true for SCADA systems, would it not also be true for security networks? Wouldn’t someone who was preparing to attack a high-risk chemical facility want to be able to see, or control, what that facility’s security staff sees?


Isolation of Security Networks


 With this in mind I posted a question to John’s site that asked if these IP video systems shouldn’t be isolated from corporate networks. There was a pretty quick and informative reply from John. I’ll post part of his reply here (for the complete discussion see the bottom of the page of the earlier referenced article):


  • As a matter of fact, many IP video surveillance systems are being deployed on dedicated LANs separate from the general IT LAN. I do not know nor can I reliably estimate a percentage breakdown of dedicated versus converged. However, I know with customers I work with this is fairly common.”

There are, of course, arguments that can be made for connecting security systems to the corporate network. It provides for easy central oversight of the security systems and provides for information sharing with management. Likewise, information flow from corporate to security through the network can provide for inbound and outbound shipping verification and verification of employee identification from other corporate sites.


In short, there is no hard or fast rule to answer the question about connecting security (or SCADA) systems to the corporate network. What is certain is that the decision needs to be carefully made and appropriate safeguards need to be put into place to control to limit information access and system control.


Site Security Plan


The security of electronic security systems needs to be addressed in the site security plan (SSP) for the facility. It should be dealt with in the same manner as the SCADA system. The system connections need to be defined and the access controls need to be delineated and verified, preferably by a separate security consultant from the one that had the system installed. Any of the changes that are made to the network or security system need to be thoroughly reviewed, and if possible, tested before the change goes live.


A bright shiny new security system can be the key to protecting the high-risk chemical facility from a terrorist attack. Unfortunately, if that system is inadequately protected against outside access and compromise, that same system may provide the tech savy terrorist the keys to a successful attack on the facility.

1 comment:

Anonymous said...

Hi PJ,

Great observations on the site security plan.  I agree. One of the practical challenges I still see is the interaction between IT and security organizations. While it's not necessarily a technical issue, it can become a practical issue to coordinate these two departments working together.  Have you seen or heard such issues?



/* Use this with templates/template-twocol.html */