But there are other reasons that PACS vendors and their customers haven't rushed to open physical security systems to larger networks. Usually, physical security is handled not by those with IT oversight, but by a group trained in guns and badges, as experts describe it. Because these individuals typically have little experience with IT, they're nervous about putting physical access controls on a network.
"They look at you like you're crazy," Grant said. Once physical security systems ride on an IP network, they are exposed to the same attackers, malware and other risks as any other networked host. And so far, because most of their systems haven't been integrated, PACS vendors haven't had to worry about bulletproofing their products.
Authsec Inc., a security consulting company in Columbia, Md., has run vulnerability scans on several physical access control systems and, according to the company, every system had vulnerabilities.
"If you change an environment, you generally inherit risk, and it's not that the risk can't be controlled," said Dallas Bishoff, Authsec's senior vice president. "The door control panels have operating systems and are susceptible to viruses and need to be patched. But most PACS are not treated as IT procurements and are not subject to certification and accreditation. Vendors don't live in [the network] world and aren't used to worrying about vulnerabilities in their products."
Michael Regelski, vice president of engineering at Lenel Systems, said his company has offered centralized administration of physical and logical access for several years. There hasn't been widespread adoption, he said, because most organizations don't have a logical security infrastructure in place that can take advantage of it.
Despite that fact, Regelski said, more than 80 percent of the company's physical security deployments are network-based and ready to handle converged systems.
"If you know what you're doing on a network, there are so many ways to secure the devices. It's a matter of being properly architected," he said.
But much of today's physical access infrastructure doesn't comply with NIST's specifications for HSPD-12. Under FIPS 201, the main identifier on a Personal Identity Verification card will be the Federal Agency Smart Credential Number, or FASC-N, a 32-digit number that comes to 25 bytes once encoded on the card. "You can't shove that through a lot of legacy access systems," Grant said.
An interim solution in which systems accept truncated FASC-N data has been suggested, but it's an imperfect one: It reduces the amount of unique information required to access a building. Truncation might be passable within a single facility, whose own credential numbers are unique, but the shortened numbers issued by different agencies or systems can collide, so cross-facility interoperability would be more problematic.
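The following example, added here and not part of the original article or any vendor's product, makes the truncation problem concrete. The field layout of the 32 identification digits follows the FIPS 201 / TIG SCEPACS definition of the FASC-N (the 25-byte, 200-bit figure is the BCD-encoded form with its framing and check characters, which the code omits); the card values, the truncation policies and the function names are constructed for illustration.

```python
from collections import defaultdict

# Identification fields of the FASC-N in order, with their digit widths.
# Layout per the FIPS 201 / TIG SCEPACS definition: 32 decimal digits. The
# BCD encoding with start/field/end sentinels and an LRC is what brings the
# full value to 200 bits (25 bytes); that framing is not modelled here.
FASCN_FIELDS = (
    ("agency_code", 4),
    ("system_code", 4),
    ("credential_number", 6),
    ("credential_series", 1),
    ("individual_credential_issue", 1),
    ("person_identifier", 10),
    ("organizational_category", 1),
    ("organizational_identifier", 4),
    ("person_org_association", 1),
)
FASCN_DIGITS = sum(width for _, width in FASCN_FIELDS)  # 32


def encode_fascn(**fields):
    """Builds the 32-digit identification string from named fields."""
    digits = []
    for name, width in FASCN_FIELDS:
        value = str(fields[name])
        if not value.isdigit() or len(value) > width:
            raise ValueError(f"{name}: expected up to {width} digits, got {value!r}")
        digits.append(value.zfill(width))
    return "".join(digits)


def parse_fascn(fascn):
    """Splits a 32-digit FASC-N back into its named fields."""
    if len(fascn) != FASCN_DIGITS or not fascn.isdigit():
        raise ValueError("FASC-N identification data must be exactly 32 decimal digits")
    parsed, pos = {}, 0
    for name, width in FASCN_FIELDS:
        parsed[name] = fascn[pos:pos + width]
        pos += width
    return parsed


def truncated_id(fascn, keep_fields):
    """Emulates a legacy panel that stores only some fields of the FASC-N
    (hypothetical policy: keep_fields names the fields that survive)."""
    parsed = parse_fascn(fascn)
    return "".join(parsed[name] for name in keep_fields)


def find_collisions(fascns, keep_fields):
    """Maps each truncated ID that more than one full FASC-N reduces to
    onto the list of those FASC-Ns; an empty dict means no ambiguity."""
    buckets = defaultdict(list)
    for fascn in fascns:
        buckets[truncated_id(fascn, keep_fields)].append(fascn)
    return {tid: cards for tid, cards in buckets.items() if len(cards) > 1}


def sample_cards():
    """Constructed sample: two agencies that each issued credential number 42."""
    common = dict(credential_series="1", individual_credential_issue="1",
                  organizational_category="1", organizational_identifier="0001",
                  person_org_association="1")
    return [
        encode_fascn(agency_code="9999", system_code="0001", credential_number="000042",
                     person_identifier="0000000001", **common),
        encode_fascn(agency_code="9999", system_code="0001", credential_number="000043",
                     person_identifier="0000000002", **common),
        encode_fascn(agency_code="1234", system_code="0007", credential_number="000042",
                     person_identifier="0000000003", **common),
    ]


if __name__ == "__main__":
    cards = sample_cards()
    # A single facility (agency 9999, system 0001) can key on the credential number alone.
    local = [c for c in cards if parse_fascn(c)["agency_code"] == "9999"]
    print("single-facility collisions:", find_collisions(local, ("credential_number",)))
    # Across agencies the same six digits no longer identify one card.
    print("cross-agency collisions:", find_collisions(cards, ("credential_number",)))
    # Keeping agency + system + credential number (14 digits) restores uniqueness here.
    print("collisions with agency/system prefix:",
          find_collisions(cards, ("agency_code", "system_code", "credential_number")))
```

Run as a script it prints no collisions for the single facility, one collision on credential number 000042 across the two agencies, and none once the agency and system codes are retained. Which fields a panel keeps is the whole question: a truncation policy that is safe inside one agency's system becomes ambiguous the moment cards from another issuer are enrolled.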
Security experts agree on one point: Virtually all physical security card readers operating today will have to be replaced. Whether agencies also have to change the control panels that handle those readers, or the back-end systems that operate the entire physical access control system, will depend on what's in place.
"You can replace readers to accommodate the new cards, and as long as the systems can interpret the output, and the majority of them can, you should be able to take the PIV credential and use it on your existing infrastructure," Regelski said.
However, he said, even some legacy back-end systems can't handle the data requirements of FIPS 201. In addition, Bishoff said, today's physical access control systems weren't designed to handle cryptographic keys, nor have they been through FIPS 140-2 testing, which validates cryptographic modules for use in government.
"In a lot of cases, some of the vendors' products can't be upgraded, and they'll have to forklift the whole thing," Bishoff said.
THE BUSINESS OF HSPD-12
Dwayne Pfeiffer, principal engineer for civilian agencies at Northrop Grumman IT, said his group has close ties with PACS vendors and maintains a solution center in Reston, Va., where it continuously tests smart cards and access control systems for government conformance.
But integrators need to pay attention to the details of HSPD-12 contracts, lest they become embroiled in a quagmire in which undocumented systems appear seemingly out of nowhere and throw a project off track.
Just as in any large-scale IT upgrade or consolidation, such as the Navy-Marine Corps Intranet, the extent of a physical access overhaul will hinge on an agency's ability to identify what's in place.