Available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm
Information Security Technical Report 12 (2007) 80–84
Risks due to convergence of physical security systems and information technology environments
E. Eugene Schultz
High Tower Software, 26970 Aliso Viejo Pathway, Aliso Viejo, CA 92656, United States
Abstract
The areas of physical security and information technology (IT) are often if not usually worlds apart. The same is true for physical security and IT security; in most organizations separate functions for physical security and IT security exist. Because these functions are in place and because they at least in part achieve their goals, management tends to perceive that major risks they try to mitigate are being addressed. Convergent security risks in physical security systems and information technology (IT) are, however, almost without exception overlooked. Physical security systems and devices, process control systems, and IT infrastructures are being integrated without sufficient consideration of the security risks that the increasing intermingling of these systems and infrastructures introduces. Serious security-related incidents due to unmitigated physical convergence risks are starting to occur. Adequately dealing with the convergence problem requires organizations to implement multiple solutions.
© 2007 Elsevier Ltd. All rights reserved.
1. Introduction
Physical security systems have become commonplace in workplace and other settings. Lobbies of office buildings and banks frequently have closed circuit TVs that record who enters and exits. Electronic access control systems such as systems that work in connection with RFID chips, smart cards, and biometric devices are becoming more widely deployed. Few of today’s workplace settings are without alarm and sensor systems. When these systems and devices were first developed, they were almost without exception standalone. Deploying them was relatively easy; they needed to be placed in the appropriate location (often mounted on a wall), wired, and plugged in. Today much has changed. Most physical security systems are now distributed systems consisting of components such as sensors that are physically separated from other components such as central processors. Networks are also almost without exception now used to connect these physically disparate components.
At the same time, information technology (IT) infrastructures have grown immensely. These infrastructures now routinely include large numbers of workstations, servers, network devices, and networks that not only connect internal hosts and devices to each other, but also provide intranet and extranet connectivity. In many respects IT infrastructures have become so massive and dynamic that they are functionally out of control; network administrators are typically unable to keep up with the many changes that occur almost incessantly in networks. A network map that is current at one particular point in time is likely to become out of date in only a few hours.
The primary purpose of this paper is to initiate a dialogue between information security professionals and physical security and process control managers concerning security risks regarding the introduction of physical security and process control systems within an organization’s network. This dialog is intended to lead to identification of these risks and their magnitude as well as to recommendations for managing these risks.
E-mail address: [email protected]
1363-4127/$ – see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2007.06.001
2. Related work
Many papers addressing threats and risks to physical security and other systems such as SCADA (supervisory control and data acquisition) systems have been published over the years. Recognition of security risks resulting from convergence between physical security and other systems with IT environments is, however, just beginning to occur. As such, few publications about this problem currently exist. The first paper mentioning this problem was written by the National Research Council, which pointed out that a regional transmission grid failure could happen if damage or destruction to critical components of the grid resulted in a cascading malfunction of interconnected components (National Research Council, 2002). Security incidents were mentioned as a potential cause of damage or destruction. A paper by Mehdizadeh presented a case for converging logical and physical security and made recommendations concerning how to do so, although it did not specifically address the issue of vulnerabilities resulting from the convergence of physical security and other systems with IT infrastructures (Mehdizadeh, 2003). The Alliance for Enterprise Security Risk Management published an analysis of the physical convergence problem and recommendations for dealing with it (Alliance for Enterprise Security Risk Management, 2006). Schultz wrote a short analysis of the same problem designed to give information security professionals a high level view of the physical convergence problem (Schultz, 2006).
3. The problem
Physical security systems are almost always under the purview of a physical security function that is charged with assessing and mitigating risks in large part resulting from the necessity of allowing physical access to employees, contractors, and visitors. This kind of function is usually managed and staffed by individuals who have had training and experience in law enforcement. At the same time, however, even though physical security systems have evolved considerably to the point that they are now sophisticated computing systems connected to networks, physical security staff members are not likely to have much training and knowledge in computing and networking, let alone information security.
The IT function is responsible for ensuring that the infrastructure and components necessary for processing, storing and distributing information are in place and operating efficiently. IT staff have considerable knowledge concerning computing, networking, and programming. Some of them, especially system and network administrators, are likely to have training and experience in information security, but they often know virtually nothing about physical security and physical security systems.
Despite the reality that some degree of logical overlap exists between physical security and IT (and also IT security), these functions tend to be very much separate from each other. Physical security is often a separate group that reports to a senior executive, whereas IT is usually a self-contained organization under a chief information officer (CIO). Physical security and IT security are typically also very disparate functions. If a physical security function manages most physical security risks to the point that thefts of physical assets and incidents involving unauthorized physical access are few, senior management tends to feel that physical security is under control. The same applies to IT and IT security – if computing and networking work reasonably well and if no major information security-related incidents occur, senior management is likely to feel that these areas are under control. Senior management is, however, likely to overlook an extremely important area – convergent security risks in physical security systems and IT infrastructures. Security-related risks associated with deploying systems and devices used to boost physical security and to support process control are increasing because progressively more of them are connected to mainstream networks.
Systems and devices used for physical security and process control have for the most part not been all that conducive to security in the first place. This was originally not much of a problem – they were simple, isolated, and protected by physical security measures. The fact that these systems and devices are now being connected to networks has increased security risks to the point that costly and disruptive security-related incidents could easily result. An attacker can, for example, either locally or remotely target the systems and devices. The potential for unauthorized local access is nothing new, but the potential for unauthorized remote access now exists because these systems and networks have become connected to organizations’ networks, networks that interface with the Internet, intranets, and extranets. Unfortunately, these new risks are too often overlooked.
4. Convergent risks
A variety of security-related risks result from the convergence of physical security and other systems and IT environments. These include:
• Tampering with or disabling physical security and process control systems. Perpetrators may be able to not only locally access these special systems, but they may also be able to remotely access them (e.g., from the Internet). With access to these systems, perpetrators may be able to bypass physical access controls, or open and shut doors in facilities, or cause physical security and process control systems to shut down or function improperly to the point that they result in dangerous working conditions. The fact that many physical security and process control systems still have crude and ineffective security controls that are in effect legacy mechanisms from previous decades when they were not connected to networks is particularly noteworthy in this context. If systems have poor security, but threat levels are minimal, the overall risk is small. If on the other hand systems have poor security, but threat levels are much higher due to widespread connectivity, the overall risk is considerably higher.
• Using unauthorized access to physical security or other systems to gain unauthorized access to systems, devices, applications, and databases within the network. Physical security and other systems are not the only potential victims of attacks that capitalize upon vulnerabilities that result from convergence. Attackers can gain unauthorized access to physical security and other systems to attack assets and resources elsewhere in the network.
• Using unauthorized access to physical security or other systems to gain unauthorized access outside of the network. Unauthorized access to physical security and other systems can also result in the ability to attack assets and resources outside of an organization’s network. The potential result is liability to lawsuits initiated by victims of such attacks and a much greater potential for loss of reputation because of the publicity surrounding such incidents.
• Denial of service attacks. A wide variety of denial of service attacks can be launched from inside or outside of the network to which physical security and other systems are connected. Once again, physical security and other systems could be the targets of such attacks, or they could be the points from which these attacks originate.
• Data and credential capture attacks such as sniffing and keystroke logging attacks. Network access originating from physical security and other systems or from anywhere else in the network could be used to glean information entered or sent across the network. Such information includes data that users enter. Additionally, attackers could harvest authentication and authorization credentials and then use them to gain access to systems (including physical security systems) and applications throughout the network. Identity thefts could also result if attackers were able to glean social security or credit card numbers.
• Integrity attacks. With unauthorized access to networks to which physical security and other systems connect, an attacker could launch integrity attacks against these systems in which data recorded by cameras and access control devices could, for example, be deleted, thereby erasing evidence that could otherwise be used to identify and prosecute physical intruders. Additionally, the integrity of systems, devices, applications, and databases within the network could be damaged by an attacker who gained access to the network by exploiting vulnerabilities in physical security and process control systems.
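The integrity attack described in the last item above, deleting records from an access control device so that evidence of a physical intrusion disappears, is detectable if the records a device forwards are chained together and tagged with a key that the device itself never holds. The following is an added example written for this page, not code from the paper or from any product it mentions. It assumes a badge-reader controller that forwards events to a central collector; the events, door names, badge numbers and the collector key are all constructed for the example. The verifier also compares the chain against the last tag the collector recorded, which catches the edge case where only the tail of the log is cut off, something a plain chain walk would miss.

```python
import hashlib
import hmac
import json

# Constructed access-control events from a hypothetical badge-reader
# controller; none of these values come from a real system.
SAMPLE_EVENTS = [
    {"ts": "2007-06-01T08:00:05", "door": "lobby-east", "badge": "A1001", "result": "granted"},
    {"ts": "2007-06-01T08:02:41", "door": "lobby-east", "badge": "A1042", "result": "granted"},
    {"ts": "2007-06-01T08:03:10", "door": "server-room", "badge": "X9999", "result": "denied"},
    {"ts": "2007-06-01T08:03:55", "door": "server-room", "badge": "X9999", "result": "granted"},
    {"ts": "2007-06-01T08:10:00", "door": "lobby-west", "badge": "A1007", "result": "granted"},
]

# Assumption: the central collector, not the reader, holds this key, so an
# attacker who controls the reader cannot recompute tags. Constructed value.
COLLECTOR_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64  # tag of the (empty) log before the first entry


def canonical(event):
    """Stable byte encoding so that re-serialising an event gives the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_tag(prev_tag, seq, event, key=COLLECTOR_KEY):
    """tag = HMAC-SHA256(key, prev_tag || seq || canonical(event))."""
    msg = prev_tag.encode() + str(seq).encode() + canonical(event)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def chain_log(events, key=COLLECTOR_KEY):
    """Tag every event with a link to its predecessor; return the chained entries."""
    entries, prev = [], GENESIS
    for seq, event in enumerate(events):
        tag = entry_tag(prev, seq, event, key)
        entries.append({"seq": seq, "prev": prev, "event": event, "tag": tag})
        prev = tag
    return entries


def verify_log(entries, expected_head, key=COLLECTOR_KEY):
    """Return (True, None) if the log is intact, else (False, index_of_first_bad_entry).

    expected_head is the last tag the collector recorded for this device; comparing
    against it catches an attacker who truncates the tail of the log, which a plain
    chain walk would accept as valid.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i  # a record was removed or reordered before this point
        expected = entry_tag(prev, entry["seq"], entry["event"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i  # record contents were modified
        prev = entry["tag"]
    if prev != expected_head:
        return False, len(entries)  # log was truncated (or is empty)
    return True, None


def delete_entry(entries, seq):
    """Simulate an intruder deleting one stored record without re-chaining."""
    return [e for e in entries if e["seq"] != seq]


def demo():
    """Intact log, log with the server-room 'granted' record deleted, truncated log."""
    entries = chain_log(SAMPLE_EVENTS)
    head = entries[-1]["tag"]  # kept by the collector, independently of the reader
    intact = verify_log(entries, head)
    gap = verify_log(delete_entry(entries, 3), head)
    truncated = verify_log(entries[:-1], head)
    return intact, gap, truncated


if __name__ == "__main__":
    print(demo())
```

The key point of the design is where the key lives: the reader only needs to forward events, the collector tags and stores them, so compromising the reader does not buy the ability to rewrite history that the collector already holds.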
It is thus important to realize that risks that result from vulnerabilities due to convergence between physical security and other systems and the IT environment are multi-directional. Vulnerabilities in physical security and process control systems can be used to gain unauthorized access to, damage, and/or disrupt these systems as well as other systems and devices within the network. Vulnerabilities in systems and devices within the network can also be used to gain unauthorized access to, damage, and/or disrupt physical security and other systems as well as other systems and devices connected to the network.
5. Case studies
Two case studies that are very different from each other serve as excellent examples of how the convergence of physical security and other systems with IT infrastructures has resulted in unmanaged security risks.
5.1. Case study 1
The MS Blaster worm, which infected over a million Windows systems in 2003, infected Windows-based plant process control systems at certain power plants in the Northeast US. These power plants were part of the national power grid structure. Many of the systems had not been patched for the vulnerability that MS Blaster exploited. When systems became infected, they spewed massive amounts of traffic in an effort to infect other systems, causing a severe network slowdown that adversely affected their performance. Power outages in the Northeast and Canada resulted. The systems’ functionality depended on network connectivity, thus exposing them to convergence-related security risks.
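The traffic pattern this case study describes, an infected host trying to reach as many other systems as it can, has a recognisable shape in flow records: one source contacting an unusually large number of distinct destinations in a short window, regardless of what it sends. The following detector is an added example for this page, not from the paper or from any monitoring product; the flow records are constructed and mix a normal workstation, a process-control historian polling its controllers, and one host sweeping fifty addresses. The choice of TCP port 135 for the sweeping host reflects the Windows RPC port Blaster used, a known fact about the worm rather than something stated in the paper, and the detector does not depend on it.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed connection records as (timestamp_s, src_ip, dst_ip, dst_port).

    Three sources are mixed together: a workstation talking to three file
    servers, a process-control historian polling five controllers, and one
    host sweeping fifty distinct addresses in half a minute, the fan-out
    shape of a worm looking for new victims.
    """
    flows = []
    servers = ["10.1.0.10", "10.1.0.11", "10.1.0.12"]
    for i in range(30):
        flows.append((i * 2.0, "10.1.1.5", servers[i % 3], 445))
    for i in range(25):
        flows.append((float(i), "10.1.2.10", f"10.1.2.{100 + i % 5}", 502))
    for i in range(50):
        # TCP 135 is the port Blaster used to reach the Windows RPC service
        # (a known fact about the worm, not something taken from the paper).
        flows.append((10.0 + i * 0.6, "10.1.1.77", f"10.1.3.{i + 1}", 135))
    return flows


def peak_fanout(flows, window_s=60):
    """Largest number of distinct destinations each source contacted in any one window."""
    targets = defaultdict(set)
    for ts, src, dst, _port in flows:
        targets[(src, int(ts // window_s))].add(dst)
    peak = {}
    for (src, _bucket), dsts in targets.items():
        peak[src] = max(peak.get(src, 0), len(dsts))
    return peak


def flag_scanners(flows, threshold=20, window_s=60, allowlist=frozenset()):
    """Sources whose fan-out reached the threshold, minus known scanners
    (for example the host from which authorised penetration tests are run)."""
    return {
        src: n
        for src, n in peak_fanout(flows, window_s).items()
        if n >= threshold and src not in allowlist
    }


if __name__ == "__main__":
    for src, n in flag_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct destinations in one 60 s window")
```

A historian polling a fixed set of controllers has a high connection rate but a small, stable set of destinations, which is why the detector counts distinct destinations rather than packets; the threshold and window would be tuned to what each subnet normally looks like.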
5.2. Case study 2
The UK has issued more than three million passports that incorporate RFID chip technology in response to a US requirement that travelers to the US from countries participating in the US visa waiver program either have such passports or apply for a US visa. The RFID chips contain the holder’s personal identity information and a digital representation of the holder’s physical features. The passports are protected by 3DES encryption, the key for which is derived from the passport number, the holder’s birthdate, and the passport expiration date, all of which are in cleartext and can easily be read by a variety of devices. The UK’s passport program has come under considerable fire because once the passport number, birthdate, and expiration date are obtained, breaking the 3DES key is not difficult. Although information security professionals have identified a major vulnerability in the RFID chip-based passports, sadly they have overlooked a security-related issue that is at least as important. The new passports must be read by special readers that display biometric and other information to immigration officials. The readers are connected to special airport networks that connect a large number of computers and devices used by government agencies and airport personnel, thereby introducing a large number of security-related risks. Someone could, for example, launch a denial of service attack against these networks, making immigration officials unable to process incoming travelers who are not US citizens. A clever perpetrator could also remotely alter a reader’s output such that a notorious terrorist could easily pass the hi tech passport checking process.
6. Recommendations
The problem of convergence between physical security and other systems and IT infrastructures has a huge potential impact on organizations around the world. Responding appropriately is thus imperative. The following recommendations provide guidance concerning how to respond:
• Gather knowledge. It is impossible to respond appropriately to the physical convergence problem without knowing exactly what it is. A good starting point in learning more about the problem is to understand the technology in special systems such as physical security systems – the computer-related functionality, whether network connectivity is built in and if so, what type(s) and how much, how and how easily the systems can be accessed (locally and remotely), the types of security mechanisms that are incorporated into the systems, how resilient the systems are, the types of data within the systems that can be accessed, and more.
• Conduct risk analyses in which risks resulting from convergence between physical security and other systems and the IT environment are identified. Risk analysis is the beginning point of building an effective information security practice. Resources that could be affected by the convergence problem and the value of these resources to an organization must first be identified. Vulnerabilities that could be exploited as well as threats that could manifest themselves and the likelihood of each must also be identified. Regularly conducting penetration tests that target physical security and other systems from points around the network to which they are connected, as well as other systems and devices within the network from physical security and other systems, should be an integral part of the risk assessment effort.
• Communicate the problem to senior management and the audit function. Senior management needs to know about the convergence problem because of its potentially egregious impact upon an organization’s business and operations. Having senior management understand the problem and its consequences will also increase the likelihood that it will provide resources for countering the problem. Auditors, too, need to become aware of the problem so that they can include convergence-related issues in audits they conduct. Audit findings often provide huge impetus for change.
• Develop policy provisions that address convergence issues. An organization’s information security policy is the embodiment of high level requirements to which managers, technical personnel, and all users are expected to conform. Convergence-related issues are different in numerous respects from mainstream security issues; policy provisions for addressing the former are thus often necessary. At a minimum, one provision should state that each component of physical security and other systems needs to meet the minimum security standards required for connecting to the network.
• Design, implement and test appropriate security measures. Appropriate security measures needed to address convergence-related risks will vary across different settings and organizations. Some of the necessary measures are technical. Insulating components of physical security systems from the rest of the network by placing these components in dedicated subnets that are not proximal to subnets in which critical business and other servers are located and then placing a firewall at the entrance to the subnet(s) to which these components connect is one such measure. Requiring that levels of auditing on special systems be increased and that audit logs be carefully inspected every day is also appropriate. Improving physical and personnel security is still another effective security measure to address convergence-related risks.
• Integrate physical and logical security. As Mehdizadeh advocates, physical and logical measures need to be integrated wherever possible if they are to be maximally effective. Adhering to this principle would also go a long way in addressing physical convergence risks. Many of the risks to physical systems are logical in nature, and many of the risks to logical systems are physical. Developing closer working relationships between the physical security and information security functions within an organization would provide an excellent way to identify and implement ways of integrating physical and logical security.
• Establish a dialogue with vendors concerning the problem. Many of the vulnerabilities in special systems such as physical security systems are the direct result of vendors having designed and built these systems under the presumption that they would be standalone systems. Security features that are normally built into other systems are thus often missing in these special systems. Additionally, functionality in such systems has expanded over time; with greater functionality invariably come more ways for perpetrators to successfully attack systems. Finally, although functionality has expanded, security functionality generally has not expanded proportionally. It is extremely important, therefore, to establish a dialog concerning the physical convergence problem with vendors. Vendors need to become aware of physical convergence-related security issues and need also to be pressured into improving security functionality and eliminating the vulnerabilities in their products that exacerbate convergence-related risks.
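Two of the recommendations above, the policy provision that every special-system component meet a minimum standard before it connects, and the technical measure of placing such components in dedicated subnets behind a firewall, can both be checked mechanically against an inventory and a rule set. The following checker is an added example for this page, not from the paper or from any product it discusses. The subnet layout, the three minimum-standard items, the device inventory and the firewall rules are all constructed assumptions; an organization would substitute its own policy items and address plan.

```python
import ipaddress

# Assumed network layout for the example (constructed, not from the paper):
# special systems live in one dedicated subnet, and only the management
# network is allowed through the firewall in front of it.
DEDICATED_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
MANAGEMENT_NET = ipaddress.ip_network("10.10.5.0/28")
SPECIAL_KINDS = {"camera", "badge-reader", "plc"}

# Minimum standard a component must meet before it may connect (policy
# items chosen for the example; an organization would define its own).
MINIMUM_STANDARD = ("default_creds_changed", "firmware_current", "mgmt_encrypted")

# Constructed inventory and firewall rule set.
INVENTORY = [
    {"name": "cam-lobby-1", "kind": "camera", "ip": "10.50.0.20",
     "default_creds_changed": True, "firmware_current": True, "mgmt_encrypted": True},
    {"name": "reader-dock-3", "kind": "badge-reader", "ip": "10.20.3.15",  # on the business LAN
     "default_creds_changed": True, "firmware_current": True, "mgmt_encrypted": True},
    {"name": "plc-boiler-2", "kind": "plc", "ip": "10.50.0.40",
     "default_creds_changed": False, "firmware_current": True, "mgmt_encrypted": False},
    {"name": "ws-finance-7", "kind": "workstation", "ip": "10.20.3.99",
     "default_creds_changed": True, "firmware_current": False, "mgmt_encrypted": True},
]
FIREWALL_RULES = [
    {"src": "10.10.5.0/28", "dst": "10.50.0.0/24", "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "10.50.0.0/24", "action": "allow"},  # too broad
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "deny"},
]


def in_dedicated_subnet(ip):
    """True if the address falls inside one of the dedicated special-system subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEDICATED_SUBNETS)


def missing_standard_items(device):
    """Policy items the device does not satisfy."""
    return [item for item in MINIMUM_STANDARD if not device.get(item)]


def overbroad_rules(rules):
    """Allow rules that let traffic into a dedicated subnet from outside the management net."""
    bad = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if any(dst.overlaps(net) for net in DEDICATED_SUBNETS) and not src.subnet_of(MANAGEMENT_NET):
            bad.append(rule)
    return bad


def assess(inventory, rules):
    """Return one finding string per violation; an empty list means the layout passes."""
    findings = []
    for dev in inventory:
        if dev["kind"] not in SPECIAL_KINDS:
            continue  # ordinary hosts are covered by mainstream policy, not this check
        if not in_dedicated_subnet(dev["ip"]):
            findings.append(f"{dev['name']}: {dev['ip']} is not in a dedicated subnet")
        for item in missing_standard_items(dev):
            findings.append(f"{dev['name']}: fails minimum standard '{item}'")
    for rule in overbroad_rules(rules):
        findings.append(f"firewall: {rule['src']} -> {rule['dst']} allowed from outside management net")
    return findings


if __name__ == "__main__":
    for line in assess(INVENTORY, FIREWALL_RULES):
        print(line)
```

Run against the sample data the checker reports the badge reader sitting on the business LAN, the two standard items the controller fails, and the firewall rule that opens the dedicated subnet to any source; the workstation is deliberately ignored because the recommendation concerns special systems only.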
7. Conclusion
We are in many ways looking at the “tip of the iceberg” when it comes to physical convergence-related security issues. An uncomfortably wide gap already exists between the level of security controls currently in place and the security controls that are needed to adequately reduce risk, and this gap will inevitably only become larger over time. It is imperative, therefore, that organizations start carefully looking at the physical convergence problem and then create a realistic action plan for addressing it.
At the same time, there has been little if any research on the physical convergence problem. Research funding agencies would be well-advised to start soliciting research proposals in this area and to provide funding to researchers who appear capable of delivering promising research results related to ways of effectively identifying and mitigating physical convergence-related security risks. As the National Research Council asserted, special systems as well as other types of systems connected to the same networks provide a target rich environment for would-be evildoers. Research can and will provide answers to many of the issues that must be addressed.
References
Alliance for Enterprise Security Risk Management. Convergent security risks in physical security systems and IT infrastructures. Available from: <http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=29115>; 2006.
Mehdizadeh Yahya. Convergence of logical and physical security. Available from: <www.sans.org/reading_room/whitepapers/authentication/1308.php>; 2003.
National Research Council. Making the nation safer: the role of science and technology in countering terrorism. Washington, DC: National Academies Press; 2002.
Schultz Eugene. Special systems: overlooked sources of security risk? Comput Secur 2006;25(3):155.