Ray Bernard, PSP, CHS-III, is a leading security consultant and author, who over 26 years has led many noteworthy security projects for international airports, nuclear disarmament facilities, sports stadiums, water districts, energy utilities, hotels, manufacturing plants and multiple-tower high-rise facilities (www.go-rbcs.com). Follow him @RayBernardRBCS
I recently heard a security system end-user describe a situation where a video camera had stopped transmitting video, and when she went to check the camera’s settings, the password she had been using no longer worked. The installer had changed the camera passwords and had failed to notify her. She could not answer to her boss as to the condition of the cameras. It was unsettling to think that camera settings may have changed without her knowledge.
Per many end-user reports, the state of password management for security systems and devices ranges from good to not good to very bad. Mostly it is “not good,” and the question below is unfortunately a common one:
Q: The company maintaining our security systems uses the same field technician log-ons on all systems and devices installed by the company — I was told that our passwords (and those of their other customers) were not changed. They have also been using a subscription-based remote access management service to access our systems remotely, which also uses common passwords. We didn’t know that this access was even in place. Is this a cause for concern?
A: You are right to be concerned about this from many perspectives. When you realize that a single inappropriate video clip appearing on YouTube could be a job-ending event, it is not only a cause for concern but a cause for immediate action.
Company-wide installer passwords for customer installations was a security and control systems vulnerability long before the arrival of the internet, but in earlier times it required physical presence in a control room or equipment closet to accomplish system access. Now that our systems and devices are networked, and because those networks are much less secure than most believe, it is a serious vulnerability.
Additionally, my colleagues and I commonly find security system servers and devices — including cameras — accessible from conference room network connections. We have been able to call up camera interfaces in browsers and view video without a password being required on more occasions than you might imagine.
Do You Know Where Your Passwords Are?
Many security practitioners are in the situation where they cannot provide acceptable answers to one or more of these questions:
- Who is responsible for managing passwords for security systems and devices?
- Where is the record of authorized users kept?
- Are there emergency log-ons in place, stored in an appropriate location that is recorded in a Disaster Recovery/Business Continuity plan?
- Who audits password management?
- Are device and server passwords sent “in the clear” or over a secure connection?
- How frequently are password audits performed?
- What are the password audit criteria (such as a factory default password check, and a written password management policy or procedure)?
- Are third-party hosted services used to provide remote access?
- Is the default for remote access “disabled” until an actual need to use it arises?
- Do password management and remote access practices comply with IT policy on managing access to the organization’s critical systems?
- Where is device authentication (whereby devices must authenticate themselves to be allowed on the network) on the IT network technology roadmap, and at what point will that be applied to security system devices?
Increasing Number of System and Device Log-ons
As networked cameras and card readers proliferate, the number of system and device log-ons is increasing dramatically. Even small- and medium-size organizations can have a significant number of log-ons to manage. For example, in a 50-camera system with live monitoring, each camera should have separate log-ons for setup and maintenance, viewing, camera control (such as PTZ control), and administration (such as adding and deleting users, and system settings). It is easy for password management to become lax without specific policy to specify it, appropriate network security to enforce it, and standard practice to maintain it.
Existing network access management technology can be put to good use for protecting physical security systems, and leading companies have extended their good information security practices to cover networked physical security systems. Standalone deployments can benefit from good network security practices as well, and they are always feasible to implement.
Download a helpful guidance document on access management for electronic physical security systems from the Global Security Operations 2015 event website: www.GSOEvents.com/password-guidance.
Note: Write to Ray about this column at ConvergenceQA@go-rbcs.com.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (SecurityExecutiveCouncil.com).