1998: SECURITY SCARE
Can We Trust Technology? Can We Trust Ourselves?
Any facility manager knows today's security technology is developing at an amazingly rapid pace. In fact, many of the highly advanced security systems now on the market were relatively unheard of as recently as one decade ago. While this may seem like good news, such warp speed progress isn't without its downside. Such ambitious advances bring new, complex challenges to those professionals charged with managing or operating the technology.
Anyone who has ever struggled to program a VCR or panicked over a "crashed" computer knows the human relationship with technology can often be an uneasy one. And when things go wrong, the question then arises: who is to blame--the technology or the person charged with managing the technology? It's a tough issue, but when it comes to facility security breaches, the risks are too great to be ignored.
A DESIGN FLAW?
A recent problem with a card access system illustrates just how potentially serious this issue can be. The case first caught public attention when a New York Times article examined an alleged design flaw in the Receptors card access system used in many airports in the United States and Great Britain. The article stated that such a flaw "could make...these sites vulnerable to terrorists or computer intruders...." ("Design Flaw in Security Systems Leaves Airports Vulnerable to Terrorists, Officials Say," February 8, 1998.) Yet R. Dale Williams, president of Rancho Cordova, CA-based Receptors, believes the main problem lies not with his company's product, but rather with the way in which end users administer and operate it.
The system in question is currently installed in airports and other high-risk environments including correctional facilities, military sites, and federal government buildings. The alleged flaw was discovered at an unnamed facility during a routine security audit conducted by MSB Associates, a San Mateo, CA-based network and database engineering consulting company. (The Receptors system had been in place in the facility for approximately four years.)
According to Mark Seiden, a principal at MSB Associates, "...the problem stood out as enough of a risk area that we decided to explore it in depth....That exploration revealed several design problems, including means for intruders to attack the system if the dialup modem or LAN-connected features were used."
Seiden believes that successful attackers can alter the system to allow such security breaches as unauthorized access or unlocking of doors. He adds that the system provides no means of detecting some varieties of such alterations. He warns "...this product, as delivered by the vendor, is particularly risky if it is installed on any sort of company local area network (LAN) or with any modem connection. For example, if put on the Internet or on a university LAN, it would likely become a target pretty quickly."
OR HUMAN ERROR?
Williams, in a letter to Receptors' customers, strongly denounced both the New York Times article and claims made by MSB Associates. "That article contained misinformation, misquotations, wrong assumptions, and huge leaps down a path of fiction," he wrote on February 22, 1998. "...Neither the consultant who originated the story nor the New York Times reporter who reported the story had any knowledge of Receptors' airport security systems. The Receptors customer itself does not believe the software is flawed and is still comfortable with the Receptors system...."
To clarify the source of the problem, Williams explains the means by which he believes the system was compromised. "The audited company informed us that the consultant was given free range of the site for one day. The consultant picked the lock to an unmonitored door that led to the office containing the badging system. The badging work station had been left logged-on to the host with a level eight password (the highest operating level). That allowed the consultant free access to the entire system...."
Seiden acknowledges "the work station was...locked in a room with ordinary commercial security. However," he adds, "[the computer] was not left logged in. We read the Receptors manual, which provided us with what we needed to log in....In addition, when we looked at the work station's hard disk, we saw a usable password. As it turns out, we didn't even need the manual...."
WHEN SOMEONE DROPS THE BALL
The argument between Receptors Inc. and MSB Associates will likely rage on for some time, but the situation begs a much larger question. As the Times article mentions, "...The failure to detect the problem...in so many supposedly secure sites underscores the risks inherent in the increasingly widespread reliance on computers and computer networks for security once performed by mechanical locks and human guards...." In other words, has technology failed humans or have humans failed to use technology properly?
Williams believes he knows the answer. "...If a consultant can pick a lock on a door that is not monitored, sit down at a work station that the operator did not log off, have or gain access to working cards and to the system's password, then publicly place blame on the manufacturer's software, we all have a problem. It is our opinion that there is no system on the market that could have prevented this situation...."
Even Seiden agrees that most security systems on the market have vulnerabilities. "There is no basis for belief that the Receptors product is any worse than those of any other vendor of access control systems," he says.
Fms may be wondering if all security systems are so critically flawed. Roy Bordes, president of Orlando, FL-based The Bordes Group, Inc., a systems design/engineering firm, doesn't think so. He believes the risks of relying on high-tech systems for security are very small.
Bordes feels that, when used properly, today's systems do offer a higher degree of security. "When access control first came out, everything operated through computers," he says. "There were problems everyone had in the early days when computers crashed."
Today, using knowledge based on experience, manufacturers have the ability to place controls on their products to ensure maximum security. Bordes refers to a feature called "distributive intelligence" which is included in most newer card access systems.
Bordes believes the Receptors situation could have been avoided by using encryption to create a one-way chain of communication from the panel to the computer. "The panel calls the computer. The computer does not call the panel." Therefore, changes in the system can't be made through the computer.
Seiden agrees. "The components [in Receptors' system] communicate with each other without cryptographic authentication. This means that the wires between them need to be secured," he says.
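The cryptographic authentication Seiden describes as missing can be sketched as a keyed tag plus a counter on every message a panel receives, so that altered, unkeyed, or replayed traffic on the wire is rejected. This is an added example, not Receptors' protocol or code from the article; the frame layout, key, class names, and command strings are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Host side: frame = 8-byte counter || payload || HMAC tag."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Panel:
    """Door-panel side (hypothetical): accepts only authentic, fresh frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes):
        """Return the payload, or None if the frame must be rejected."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered on the wire, or sealed without the key
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of an old, once-valid frame
        self.last_counter = counter
        return body[8:]


def demo():
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    panel = Panel(key)
    good = seal(key, 1, b"LOCK door=12")
    tampered = good.replace(b"LOCK", b"OPEN")  # payload edited in transit
    wrong_key = seal(b"some-other-key", 2, b"OPEN door=12")
    # The last entry replays the first, already accepted frame.
    return [panel.accept(f) for f in (good, tampered, wrong_key, good)]


if __name__ == "__main__":
    print(demo())
```

Only the first frame is accepted; without such a check, the wires themselves have to be physically secured, which is Seiden's point.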
But system encryption--or the lack thereof--may be only one contributing factor to the Receptors controversy. Bordes feels part of the problem, at least when it comes to the company's airport installations, is rooted in a more basic issue--dollars. He says, "The FAA [Federal Aviation Administration] is too cheap to buy...." an appropriate system for its facilities. When it comes to an important issue like security--especially in airport installations--compromising quality for cost can be a dangerous decision.
THE TECHNOLOGY TAKE OVER
Despite Bordes' assurance that today's technology includes safeguards that can help ensure the integrity of a system, the backlash is that some organizations may rely too heavily on the technology alone. Thus, all factors should be carefully weighed by fms when choosing a high-tech system--including the degree of human responsibility. "The risk [in reliance on high-tech security alone] is the idea that you're not looking at [security programming] holistically," says Jerry Guibord, director of strategic consulting at Encino, CA-based full service security firm Pinkerton. "The technology piece is only one element. You cannot rely on just one piece...."
Guibord points out that if the human element isn't factored into the equation, the technological integration could be compromised. He says, "80% of the threat to any type of information or access control system comes from within, from an employee who has access...."
Williams agrees. He says that certain problems reported about his firm's systems were "failure[s] of the system operator...and not a shortcoming of the system....The computer cannot know until a human being tells it of the status change."
MSB's Seiden also attributes many technical difficulties to human failure. He says the reason his company was the first to inspect Receptors' system closely after so many years of use "has to do with the 'dumbing down' of people that occurs when a computer is involved in many systems. It takes on a life of its own, and what it does--and how well it does it--is obscured behind layers upon layers of hardware and software, much of which is simply not inspectable at reasonable cost, nor by people with ordinary skills...."
BE A CONTROL FREAK
What can fms do to prevent their systems from getting mired down in layers of add-ons and unnecessary accessories (especially to the point where systems take on lives of their own)? As technological progress continues its rapid pace, those who haven't done so already will need to redefine their roles as responsible high-tech users.
James Van Houten, CPP, chairman of the board of the Arlington, VA-based American Society for Industrial Security (ASIS), an industry trade association, argues that, in order to live up to their obligations, security and facility professionals must "be prepared to take on new and greater challenges as this rapidly changing environment [of security technology] continues to transform."
According to the numbers, more fms are buying complex security systems. Based on 1996 statistics compiled by Leading Edge Reports, a Commack, NY-based market research firm, American businesses spent more than $500 million on electronic access control equipment. That figure is expected to approach the $1.5 billion mark by the year 2004.
Clearly, fms will continue to rely on electronic systems to keep their facilities safe to a certain degree. However, they must also recognize that no system is foolproof. Fms can't allow themselves to be lulled into a false sense of security (literally).
In the scramble to outfit facilities with top-of-the-line security systems, are fms losing track of the need for proper training on these complex systems? Do they fully understand their own responsibilities regarding this state-of-the-art technology?
Indeed, these high-tech systems require vigilance and conscientious training. Even the most state-of-the-art equipment will not take care of itself. The ultimate responsibility lies with its human operators.
Williams points out, "...manufacturers have no control over how our systems are used or misused. The ultimate implementation and administration of the system is the responsibility of the user. It's how you operate the system. There's not much we can do if [end users don't] safeguard the system. There's a balance there that has to happen. It has to be technology and it has to be people."
To strike that balance, Guibord recommends educating employees on the possible consequences of improper security system administration. "Awareness is a major piece [of a comprehensive security system]," he says. "When employees see something wrong, they [need to] recognize that this can cause havoc with the company."
Provide A Sounding Board
Once staff members know they need to identify a problem, "they must be given the means to communicate..." their concerns. Guibord advocates hiring "degreed professionals who are trained in soliciting information in an objective way...." to assist employees in defining problems and interpreting their causes and effects.
Clearly, humans have the upper hand in the technology game; they just have to learn how to play it to their advantage. No matter how advanced technology becomes, human controls will always be necessary. And as long as fms are in charge of security systems, they need to take action that reflects the depth and scope of those responsibilities.
Marirose Krall is a contributing editor to Today's Facility Manager magazine.