
Physical Security and IT Resources
Brian Hunt
Physical Security Specialist
State of Nevada
Department of Information Technology
Office of Information Security

Introduction

Physical security is defined as the physical measures, policies and procedures that protect an organization's electronic information systems, facilities/buildings and equipment from unauthorized access and from natural and environmental hazards.

How is this accomplished:

Physical security is accomplished by performing an assessment of the facility/building and the surrounding premises.

Physical security enhancements should be considered during the budget process. Alternative funding sources should also be taken into account, such as Homeland Security grant funding, one-shot appropriations from governing bodies and Capital Improvement Projects (CIP).

During new construction, physical security should be taken into account during the budgeting process.

Physical security designs should be performed by a qualified professional who understands the topology and architecture of the systems and how they will integrate.

Physical security installations should be performed by a manufacturer-certified/authorized dealer.

Physical Security Assessments

Examples of questions to ask when performing a physical security assessment:

What are you protecting? What you are protecting determines how much security you will place on the information and/or the facility.

Is the facility located in a high crime area?

Do you own or lease/rent the facility?

Is the facility a multiunit or multiple tenant facility?

Is the facility designed for the type of work that will be performed in it? (i.e. power, structure, communications, HVAC and fire suppression)

Evaluation of Assets and Data

What is the net worth of the assets to be guarded?

How much would it cost your organization to recover from a catastrophic loss of data or property?

Are the physical security measures you would implement worth it relative to the value of the data or property?

Prepare an impact statement to determine whether the cost of implementing physical security measures is cost-effective or prohibitive.

Physical Security Domains

There are a number of ways to subdivide physical security; to simplify, we have divided physical security into five parts.

Part I: Perimeter protection and outer structure

Part II: Access Control & Closed Circuit Television (CCTV)

Part III: Power

Part IV: Heating, ventilation and Air Conditioning (HVAC)

Part V: Life safety

Part I: Perimeter protection and outer structure

Facility may require perimeter fencing:

Chain link fence should be at least 11 gauge steel. Common installation; easy to climb or cut for entry

Concrete masonry unit (CMU): one of the strongest installations, offers privacy, very expensive

Wrought iron fencing: offers great protection, very expensive

Box steel welded fence construction: architecturally acceptable, offers great protection, offers very little privacy, expensive

Photo: Nevada National Guard

Perimeter protection

Are barriers located on site at the facility?

Physical barriers such as fences and walls deter intruders and restrict visibility into the premises

Inspect barriers for deterioration

Photo: Nevada National Guard

Photo: Nevada Highway Patrol Southern Command

Outer Structure

Windows are conducive to forced entry:

Windows are the part of the outer structure most vulnerable to forced entry

The location and characteristics of windows need to be inspected

Doors that have windows should not have glass within 40 inches of the door lock, since glass that close can be broken to reach the lock from outside

Windows that are less than 18 feet from the ground are the most vulnerable, since they are easily accessible from the building exterior

Outer Structure

Facility doors should be constructed of material that will discourage breakage:

Steel or solid wood doors, not hollow core doors

Doors that are constructed of glass should be inspected for glass type, such as tempered glass, wire mesh or safety glass

Outer Structure

Ensure door strikes and strike plates are adequate and properly installed:

Door strikes should be secured and properly fastened

Door strike protectors (latch guards) should be installed on exterior doors and on any other doors that require them

Inspect doors with exterior hinges that may be in a sensitive area of exposure:

Normally doors that open outward are the issue

Doors that open outward expose their hinge pins and are easier to compromise

Outer Structure

Door frames should be strong and tight to prevent forcing/spreading:

Inspect the door frame to ensure the frame is plumb and level

Ensure fasteners are tight and properly installed

Door locks should be in good repair:

Inspect for rust or deterioration

Inspect for proper operation

Outer Structure

Door locks should include a deadbolt with a 1-inch throw:

Measure the throw of the deadbolts

Inspect door frames to ensure the frame can withstand the force applied to the deadbolt

Exterior areas should be free from concealing structures or landscaping:

Inspect for "pony walls"

Inspect for overgrown landscaping next to external windows

Outer Structure

Visitors should be required to sign in:

Require a visitors log

Require visitors identification badges

Have an attendant oversee the visitors log

Review the visitors log periodically

Outer Structure

Escort facility visitors:

Create a policy on escorted and unescorted visitors

Provide different color identification badges for escorted and unescorted visitors

Require visitors to turn in identification badges after the visit
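A small reconciliation script for the visitor log described in the last two slides, added here as an example; it is not part of the original presentation and is not State of Nevada code. The one-line-per-visit log layout, the sample entries and the list of hosts approved to receive unescorted visitors are all constructed for the example. It flags the three things a periodic review of the log should catch: visits never signed out, a badge issued again while an earlier visit still holds it, and unescorted visitors whose host is not approved under the escort policy.

```python
"""Visitor-log reconciliation (added example; not from the original presentation).

The log layout, the sample entries and the approved-host list are constructed
for this example; a real sign-in log will need its own parser.
"""
from datetime import datetime

# Constructed log: sign-in, visitor, host, badge, escorted (Y/N), sign-out or '-'
SAMPLE_LOG = """\
2009-03-02 09:02,Pat Ortiz,j.doe,V101,Y,2009-03-02 10:15
2009-03-02 09:40,Chris Nolan,a.smith,V102,N,2009-03-02 16:55
2009-03-02 13:10,Sam Reyes,j.doe,V102,Y,-
2009-03-02 14:25,Lee Park,m.lee,V101,N,2009-03-02 15:00
"""

# Hosts cleared to receive unescorted visitors under the escort policy (assumed).
UNESCORTED_HOSTS = {"a.smith"}
FMT = "%Y-%m-%d %H:%M"


def parse_log(text):
    """Parse the constructed log into dicts ordered by sign-in time."""
    visits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t_in, visitor, host, badge, escorted, t_out = line.split(",")
        visits.append({
            "in": datetime.strptime(t_in, FMT),
            "visitor": visitor,
            "host": host,
            "badge": badge,
            "escorted": escorted == "Y",
            "out": None if t_out == "-" else datetime.strptime(t_out, FMT),
        })
    return sorted(visits, key=lambda v: v["in"])


def reconcile(visits):
    """Return (visitor, finding) pairs for the reviewer.

    Meant to run at close of business, when every visit should be signed out
    and every badge should be back on the rack.
    """
    findings = []
    issued = {}   # badge -> sign-out time of the visit it was last issued to (None = still open)
    for v in visits:
        if v["badge"] in issued:
            prev_out = issued[v["badge"]]
            # Badge handed out again while the previous visit had not signed it back in:
            # either the badge was returned without being logged, or two people held it.
            if prev_out is None or prev_out > v["in"]:
                findings.append((v["visitor"], "badge-reissued-while-open"))
        issued[v["badge"]] = v["out"]
        if v["out"] is None:
            findings.append((v["visitor"], "not-signed-out"))
        if not v["escorted"] and v["host"] not in UNESCORTED_HOSTS:
            findings.append((v["visitor"], "unescorted-without-approval"))
    return findings


if __name__ == "__main__":
    for visitor, finding in reconcile(parse_log(SAMPLE_LOG)):
        print(f"{finding:<28} {visitor}")
```

The attendant who oversees the log is the right person to run this at the end of each day; the badge-reissue check is the one that catches the common case where a badge is quietly handed from one visitor to the next without either event being written down.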

Part II: Security Access Control and Closed Circuit Television

Access control systems are typically a scalable management solution encompassing complete access control, advanced event monitoring and administration auditing. Access control systems typically involve a central server or host for control and monitoring.

Basic Access Control:

Remote capability to lock and unlock doors

Audit log of who used a door and when

Audit log of when a door has been forced or held open

Capability to restrict or remove access for a specific person or group

Monitoring of room occupancy by intrusion-detection systems
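The audit-log capabilities listed above are only useful if somebody reads the logs. The script below is an added example (not code from CCURE 800 or the Nevada Access System) of turning an event export into a short list of findings: doors forced or held open, a credential rejected repeatedly, an admit to a sensitive door outside business hours, and an admit to a sensitive door by a cardholder who never badged through an outer door, which usually means tailgating or a shared card. The four-field event format, the door names, the business-hours window and the thresholds are assumptions for the example; a real controller export has its own layout.

```python
"""Triage of access-control audit events (added example; not code from
CCURE 800 or the Nevada Access System).

The event format, door names, business hours and thresholds are assumptions
for this example; a real controller export needs its own parser.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export: timestamp, door, event, credential or cardholder ('-' if none)
SAMPLE_EVENTS = """\
2009-03-02 08:01:10,LOBBY-MAIN,ADMIT,j.doe
2009-03-02 08:01:40,SERVER-ROOM,ADMIT,j.doe
2009-03-02 08:02:05,LOBBY-MAIN,REJECT,card0442
2009-03-02 08:02:09,LOBBY-MAIN,REJECT,card0442
2009-03-02 08:02:14,LOBBY-MAIN,REJECT,card0442
2009-03-02 08:02:19,LOBBY-MAIN,REJECT,card0442
2009-03-02 08:30:00,SERVER-ROOM,ADMIT,a.smith
2009-03-02 08:31:00,SERVER-ROOM,HELD_OPEN,-
2009-03-02 22:15:33,SERVER-ROOM,FORCED,-
2009-03-02 23:40:00,SERVER-ROOM,ADMIT,m.lee
"""

# Site policy, assumed for the example.
SENSITIVE_DOORS = {"SERVER-ROOM"}            # admits here get extra scrutiny
OUTER_DOORS = {"LOBBY-MAIN"}                 # the only legitimate way in to a sensitive door
BUSINESS_HOURS = (time(7, 0), time(19, 0))
REJECT_BURST = 3                             # rejects by one credential within REJECT_WINDOW
REJECT_WINDOW = timedelta(seconds=60)
ENTRY_CHAIN_WINDOW = timedelta(minutes=30)   # outer-door admit expected this long before an inner one


def parse_events(text):
    """Parse the constructed export into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, kind, who = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "door": door, "kind": kind, "who": who})
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return (timestamp, finding, door, who) tuples worth a human's attention."""
    findings = []
    recent_rejects = defaultdict(list)   # credential -> reject timestamps inside the window
    last_outer_admit = {}                # cardholder -> time of last admit at an outer door
    for e in events:
        ts, door, kind, who = e["ts"], e["door"], e["kind"], e["who"]
        if kind == "FORCED":                       # opened with no valid read or request-to-exit
            findings.append((ts, "door-forced", door, who))
        elif kind == "HELD_OPEN":                  # propped door: a tailgating path
            findings.append((ts, "door-held-open", door, who))
        elif kind == "REJECT":                     # repeated rejects look like a lost or probed card
            window = [t for t in recent_rejects[who] if ts - t <= REJECT_WINDOW] + [ts]
            recent_rejects[who] = window
            if len(window) == REJECT_BURST:        # fire once, when the threshold is first crossed
                findings.append((ts, "reject-burst", door, who))
        elif kind == "ADMIT":
            if door in OUTER_DOORS:
                last_outer_admit[who] = ts
            if door in SENSITIVE_DOORS:
                if not BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]:
                    findings.append((ts, "after-hours-admit", door, who))
                prior = last_outer_admit.get(who)
                # Inner-door admit with no recent outer-door admit: the holder tailgated
                # in, or the card was used by someone who was already inside.
                if prior is None or ts - prior > ENTRY_CHAIN_WINDOW:
                    findings.append((ts, "no-outer-door-entry", door, who))
    return findings


if __name__ == "__main__":
    for ts, finding, door, who in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{ts}  {finding:<22} {door:<12} {who}")
```

Run against a daily export this produces a handful of lines instead of thousands of admits; the "no-outer-door-entry" rule is the one that needs tuning per site, since it assumes every path to the sensitive door passes a reader listed in OUTER_DOORS.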

Access Control Selection Criteria:

Which manufacturer's system to purchase

How many facilities will be attached to the access control system

How you will communicate with the access control system

How many cardholders you will have

Who will administer the system

What type of card technology to use (FIPS 201 compliance)

Access Control and the Nevada Access System (NAS)

Security access control system for the State of Nevada:

Software House CCURE 800

Unlimited facilities as required, worldwide

TCP/IP is the preferred and main communication method; RS232/485, modem and cellular are also used

250,000 cardholders (Expandable to 5000,000)

Facility-based administration or global administration

Card technology is proximity (with migration toward FIPS 201 compliance)

Nevada Access System (NAS)

NAS is a scalable security management solution encompassing advanced access control and high-scale event monitoring

The Nevada Access System's main hub or server is a Software House CCURE 800, which provides users with a scalable access control solution whose functionality and capacity can be increased as system needs grow

CCURE 800 is a complete integration solution with unlimited application

Nevada Access System (NAS)

CCURE 800 is a complete integration solution that reaches beyond traditional security; it provides integration with critical business applications including Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS). Other integration applications include:

Fire alarms

Intercoms

Burglar alarms

Environmental building controls

Crystal Reports reporting

Time management or time tracking software

Nevada Access System (NAS)

Network capabilities: CCURE 800 client workstations and iSTAR controllers can be placed directly on existing networks, with traffic carried across SilverNet and multiple WANs statewide

Open architecture support: CCURE 800 ensures universal support and enormous flexibility; as such, CCURE 800 interacts with industry-standard databases, video recorders and cameras, and networks


Nevada Access System (NAS)

CCURE 800 Foundation Security Features:

Event and Alarm Monitoring

Database Partitioning

Windows 2000 Professional, Windows Server 2003 or Windows XP Professional for servers

Open journal data format for enhanced reporting

Automated personnel import

Wireless reader support

Nevada Access System (NAS)

CCURE 800 advanced security features:

CCTV integration

Enhanced monitoring with split-screen views

Escort management

Cardholder access events

Single-subscriber e-mail and paging

Open journal data format for enhanced reporting

ODBC support

Benefits of the Nevada Access System (NAS)

Benefits of the Nevada Access System:

Access control, audit and convenience through the use of one access control card

Computer workstations, technical systems and door locks will have access control with audit capabilities, and the convenience of a single access control card or state-issued identification card. This approach eliminates the need for quantities of mechanical keys and reduces the number of passwords an individual has to carry or memorize. The trade-off is that one lost or cloned card then opens both doors and systems, so prompt revocation of a card in the access control system matters as much as the convenience.

Benefits of the Nevada Access System (NAS)

Standardization of employee identification, recognition and verification statewide

NAS will provide a mainstay for access control support and technical assistance throughout the life cycle of the systems and the careers of the people who run them

CCURE 800-based user groups statewide to provide support among departments, agencies, counties and other municipalities

Closed Circuit Television and Digital Video Management Systems

Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS) have advanced greatly over the years. The evolution of CCTV is an interesting history that combines the entertainment industry, consumer electronics and CCTV. The three were not a combination we put together, but there is a strong parallel that has moved the industry to where it is today

History of Closed Circuit Television Systems

The original CCTV systems were built using equipment intended for the broadcast industry and industrial television:

Cameras were large

Expensive

Required high energy consumption

Required frequent maintenance

History of Closed Circuit Television Systems

As a result of the high expense and the need to change tubes in the equipment, coupled with the heat the equipment generated, service calls and service technicians made for a lucrative business. The high expense of CCTV installation and the cost of servicing the equipment meant that only the wealthy could afford such systems, since for most the cost of installation and maintenance outweighed the value of the assets to be protected

In the mid-60s, CCTV started to evolve as an industry. Two inventions facilitated this change and made the cost of installing and maintaining CCTV systems affordable: the pan, tilt and zoom (PTZ) mount was invented along with the motorized lens. The PTZ function allowed the camera to move up, down and side to side; the motorized lens allowed remote control of zoom, focus and iris adjustment. These inventions reduced the number of cameras required to cover an area

History of Closed Circuit Television Systems

In the consumer electronics market, amateur videotaping, movie rentals and the mass production of the video cassette recorder (VCR) made equipment less expensive and lightweight. Soon the two technologies merged, creating the combined camera and recorder we know today as the camcorder

In the late 80s a mass market of products began to dramatically reduce prices and improve quality and availability. What was once enjoyed by the wealthy was now affordable and available to the general public and industry

Designing a Closed Circuit Television System

It does not take an expert to design a usable Closed Circuit Television (CCTV) system. Some of the most usable CCTV systems have been designed by individuals who said time and time again, "I do not know anything about this, but shouldn't we…" If you take a common-sense approach based on the specific applications and needs of your organization, basic camera placement can be accomplished, keeping in mind that cameras are like people: they can only see what people can see

Designing a Closed Circuit Television System

System use, security or surveillance:

Security is defined as watching objects or items

Surveillance is defined as watching people

Will operators manage the system:

Operators will be required for surveillance

Large storage may be required for security, the watching of objects or items (seven days of storage is recommended)

Designing a Closed Circuit Television System

Camera selection and locations, indoors or outdoors:

PTZ or fixed cameras

If indoor cameras are used, are they covert or in plain sight?

If outdoor cameras are used, what is your outdoor climate?

Storage of video:

Hard drive storage or network storage

Video cassette recorder

Closed Circuit Television System Designs

Common shortcomings of many CCTV systems:

Not enough cameras

Cameras installed incorrectly, or the wrong cameras installed for the application

No operator

Not enough storage, or improper media for storage

Improperly trained personnel

Neglected or improperly maintained systems, including cameras, power supplies, VCRs, DVRs, the software application and the network connection

IT Concerns for Closed Circuit Television Systems

Network traffic from IP cameras

Network traffic from the integration of CCTV and access control

Improperly trained personnel

Storage of video on site on dedicated hard drives or on network storage

Transfer of video files via e-mail

Downloading of updates for Windows-based DVRs

The potential for viruses on Windows-based DVRs

Part III: Power

Does the facility have multiple services from the power company?

Primary and secondary service in case of power loss

Secondary services (if available) require a device called a tie-breaker in the electrical service main

Power Conditioning

One-to-one (isolation) transformer for power conditioning

Main service(s) over-current protection: is it fused, or a manual/auto-reset breaker?

Main service should be protected by adequate ground fault protection

For electrical systems dedicated to computer systems, the main electrical service and distribution panels should have an isolated ground (i.e. orange receptacles)

Are K-rated transformers for harmonics used within your facilities?

Backup Power: Generators

What is the intended use of the generator (emergency lighting, computers, or backup of the whole facility)?

The generator should be sized for the load

Backup generators should be tested on a fixed schedule (weekly, monthly or annually)

All generators should have strict maintenance schedules, with work performed by generator mechanics/specialists

Backup Power: Uninterruptible Power Supply (UPS)

What is the intended use of the UPS?

Is the UPS sized for the load?

For UPSs of 5 kVA or greater, are they standby or online (in-use) type? (Standby UPSs usually do not have power conditioners)

What is the maintenance schedule for the UPS?

Is the UPS surge factor greater than 1.15?

The UPS should include a feature to alarm when a low-battery condition exists

The UPS should have remote alarm panels located in server rooms and in the security/maintenance office

Part IV: Heating, Ventilation and Air Conditioning (HVAC)

Is the facility equipped with the proper HVAC system?

Is the HVAC system sized for the current occupancy and heating/cooling load?

Was the HVAC system designed with electronic equipment in mind (heat load and humidity)?

Does the HVAC system connect to an environmental control system or direct digital control (DDC)?

Who provides programming and support for the HVAC application if the system is controlled by DDC?

Is the HVAC application on the network, and is it network-dependent to operate?

Heating, Ventilation and Air Conditioning in Server Rooms

Server rooms and remote communication closets should have proper and separate HVAC systems:

Inspect the HVAC system to ensure separate heating and cooling controls are within server rooms and telecommunications closets

Are high and low temperature warning mechanisms present within server rooms and telecommunications closets?

Are HVAC filters changed on a regular basis?

Is the HVAC system serviced on a periodic basis?

Is the HVAC system for server rooms and telecommunications closets on a backup generator?

Part V: Life Safety

Fire Alarms:

Does the facility have a fire alarm system?

Fire alarm systems are required by law to be periodically tested (annually)

Manual pull stations and horn/strobes must be located near the exits

The fire alarm system should be attached to a UL-approved monitoring service

A representative from your organization should be responsible for the administration of the fire alarm system

Fire Suppression:

Does the facility have a fire sprinkler system?

Fire sprinkler systems are required by law to be periodically tested (annually; the inspection tag is looped on the main valve)

Fire sprinkler spray heads shall not have any object within eighteen inches (18") of the spray head vertically or within two (2) feet horizontally

Server rooms should have an emergency power shut-off switch at the exit doors to shut down power in the event a water fire suppression system is activated within the room

Fire Extinguishers:

Does the facility have fire extinguishers?

Fire extinguishers should be periodically tested (annually, by licensed and certified personnel)

Where are the fire extinguishers located, and are they depicted on an emergency evacuation plan?

Personnel should receive training on fire extinguisher use. A quick reference is the word PASS:

Pull
Aim
Squeeze
Sweep

Integrator Challenges and IT Resources:

The challenges that face many security integrators are the lack of administrative authority on a network (for good reason) and the lack of understanding of a network, or of the dynamics of an organization's network.

Key questions to ask an integrator when a system is to be installed:

Will the system and application require administrative rights on a machine or on the network?

How does the system communicate? (TCP/IP, RS-232/485, modem, etc.)

Does the system require a software application? If so, how many clients/nodes are allowed?

Who will retain the software and the software license?

Integrator Challenges and IT Resources:

How much bandwidth will be consumed by the system or application?

How much data storage will be required for the system?

Is the system capable of running if the application loses communication?

Will the integrator retain an administrative account on the system? If so, it should be documented and removed or re-credentialed when the project ends.

Will the integrator have a remote connection to the system, during and after the project? Any connection that stays should be approved, logged and time-limited.

What are the recommended specifications of the host or server machine?
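The bandwidth and storage questions above, the seven days of storage recommended for security recording earlier in the deck, and the IP-camera traffic concern in the IT section can all be answered with the same arithmetic before the integrator arrives. The calculator below is an added example, not part of the original presentation; the camera profiles, per-camera bitrates, the 100 Mbit/s uplink and the 2 TB disk are assumptions for the example, and real bitrates should come from the camera vendor's figures at the chosen resolution, frame rate and codec.

```python
"""CCTV bandwidth and storage sizing (added example; not from the original
presentation). The camera profiles, bitrates and link/disk budgets are
assumptions; take real per-camera bitrates from the vendor's calculator for
the resolution, frame rate and codec you intend to run.
"""
from dataclasses import dataclass


@dataclass
class CameraProfile:
    name: str
    count: int
    bitrate_kbps: float        # per-camera stream bitrate (assumed figure)
    record_duty: float = 1.0   # fraction of time the recorder keeps video (1.0 = continuous)


def storage_gb(profiles, days):
    """Recorder storage in decimal GB for `days` of retention."""
    seconds = days * 24 * 3600
    total_bytes = sum(p.count * p.bitrate_kbps * 1000 / 8 * seconds * p.record_duty
                      for p in profiles)
    return total_bytes / 1e9


def peak_bandwidth_mbps(profiles, live_viewers=0):
    """Worst-case LAN load at the recorder.

    Every camera streams all the time (assumes the recorder, not the camera,
    decides what to keep, so motion-triggered recording changes what is written,
    not what is sent), plus one extra copy of the heaviest stream for each
    operator watching live.
    """
    cameras = sum(p.count * p.bitrate_kbps for p in profiles) / 1000
    heaviest = max(p.bitrate_kbps for p in profiles) / 1000
    return cameras + live_viewers * heaviest


def check_design(profiles, days, link_mbps, disk_tb, live_viewers=0, link_utilisation=0.7):
    """Compare the design against the network and disk it will actually get.

    The 70% utilisation ceiling is an assumed engineering margin for a shared link.
    """
    need_gb = storage_gb(profiles, days)
    need_mbps = peak_bandwidth_mbps(profiles, live_viewers)
    return {
        "storage_gb_needed": round(need_gb, 1),
        "storage_ok": need_gb <= disk_tb * 1000,
        "bandwidth_mbps_peak": round(need_mbps, 1),
        "bandwidth_ok": need_mbps <= link_mbps * link_utilisation,
    }


# Constructed design: 12 fixed and 4 PTZ H.264 cameras, seven days of continuous
# recording, one 100 Mbit/s uplink to the recorder and a 2 TB disk.
DESIGN = [CameraProfile("fixed-h264", 12, 2000), CameraProfile("ptz-h264", 4, 4000)]

if __name__ == "__main__":
    print(check_design(DESIGN, days=7, link_mbps=100, disk_tb=2, live_viewers=2))
```

For the constructed design the link is fine (48 Mbit/s peak against a 70 Mbit/s budget) but the disk is not: seven days of continuous recording needs about 3 TB, which is exactly the "not enough storage" shortcoming listed earlier. Cutting the fixed cameras to motion-triggered recording at a 25% duty cycle is the usual first lever, and the `record_duty` field lets you see what it buys before changing anything on site.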

Management and Planning of IT-Based Physical Security

Discussing the challenges ahead:

The challenge that faces many organizations currently is finding a balance between physical security personnel with knowledge of IT systems and physical security solutions that are IT-dependent.

The relationship between the physical security knowledge and the IT knowledge that an IT-based physical security system requires is eighty/twenty (80/20): eighty percent physical security and twenty percent IT system background knowledge.

Many IT organizations assume the responsibility for an IT-based physical security system while understanding approximately twenty percent of the system.

Access Control and the State of Nevada

Challenges for the State:

Through shared resources such as the Nevada Access System, IT organizations on a statewide level can assume the responsibility for an IT-based physical security system with greater understanding and support.

With challenges ahead such as Federal Information Processing Standard 201 (FIPS 201) and the Real ID Act, shared resources will become invaluable to the success of our statewide programs.

Currently no one person or organization has the answers; with constantly changing standards and never-ending technology it is nearly impossible to keep up. I invite each of you to join together to assist in the progress of physical IT security, allowing for consistency statewide.

Physical Security and IT Resources
Brian Hunt
Physical Security Specialist
State of Nevada
Department of Information Technology
Office of Information Security
(775) 684-7349 Office
(775) 687-1155 Fax
bhunt@doit.nv.gov
