ID management gets physical

Last November, a revised document from an interagency working group laid out the following scenario, illustrating one of the biggest technical challenges for agencies complying with Homeland Security Presidential Directive-12:A government employee receives a smart card that lets him into his building. Eventually, he's assigned to a project in another state and needs access to that facility using the same ID. Then his work takes him to a separate agency where, with proper authorization, his card should allow him through that door, too.But today, that can't happen. And making it happen will be a significant undertaking, one that will require careful planning, wholesale infrastructure upgrades and changes in the way agencies manage security.The Physical Access Interagency Interoperability Working Group has prepared Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems. The document should help agencies integrate what has commonly been the quintessential stovepipe system'building access security'with an overall personal identity verification architecture that bridges physical- and logical-access control within and among disparate agencies.'PIV is going to do a lot for pushing [smart-card] technology forward and getting the physical-access guys to come on board,' said Mike Butler, chief of smart-card programs in the Defense Department's Common Access Card Office.Perhaps the first and most basic challenge facing agencies is the fact that physical-access control systems are islands unto themselves. Physical security usually is handled by a different group'trained in 'guns and badges,' as experts describe it'from the people who handle information technology.Physical-access control systems will have to become network-based if they're to deliver on the promise of HSPD-12.'More and more IT departments are getting involved with these systems,' said Michael Regelski, vice president of engineering at Lenel Systems Inter- national Inc. of Rochester, N.Y.Lenel has worked on physical security for various agencies, including NASA, which Regelski says is furthest along in integrating physical- and logical-access control.But if it comes down to a turf battle, the need to keep bad guys out of a building could trump smart-card access to network resources.'Between the physical and the IT organizations, the ones who have the upper hand in many agencies are the physical, because they have the authority to issue badges today,' said Jeremy Grant, vice president for enterprise solutions for Maximus Inc. of Reston, Va. 'As a result, a lot of agencies are really looking at logical access only as an application that can be supported on the card.'Experts say physical-security staffs don't have a lot of experience with IT and are understandably nervous about putting their systems on a network. When physical-access control systems ride on an IP network, they become vulnerable to hackers, viruses and other security risks.Authsec Inc., a security consulting company in Columbia, Md., has run vulnerability scans on a variety of physical-access control systems, and every one had vulnerabilities.'Vendors don't live in [the network] world and aren't used to worrying about vulnerabilities in their products,' said senior vice president Dallas Bishoff. 'It's not that the risk can't be controlled. The door control panels have operating systems and are susceptible to viruses and need to be patched. But most PACS are not treated as IT procurements and are not subject to certification and accreditation.'In fact, access control cards from one vendor typically work only with that company's readers, which typically only work with the same company's control panels.Moving to IP and the standards developed by the National Institute of Standards and Technology should change that and open physical-access control systems so they can talk to other parts of the security infrastructure, such as an identity management system.'Four or five years from now, physical-security networks that run off the office network will be common,' Butler said. 'Then you can start doing things like make sure a person can't log onto a network unless you know they came through the door.'There will always be situations where, for security reasons, a physical-access control system can't link to an IP network, but those will be exceptions to the rule.Once an agency has a strategy for integrating its physical and IT security operations, there's the matter of actually getting their physical-access control systems to comply with NIST's Federal Information Standard Publication-201. And because there are so many proprietary systems floating around, the job is big.'A lot of the physical-access community hasn't woken up to what HSPD-12 really means and how obsolete a lot of their stuff is going to be,' Grant said.The crux of the problem, put simply, is that many of the card readers and control panels guarding agency doors can't read the information that will be contained in future PIV cards.Under HSPD-12 and FIPS-201, the main identifier on a PIV card will be the Federal Agency Smart Credential Number, which can be up to 32 bits or 25 bytes, based on the encoding technique.'You can't shove that much information through the control panels of a lot of legacy access systems,' Grant said.There has been talk of an interim solution under which systems accept truncated smart-credential data, but it's an imperfect solution that would effectively reduce the amount of unique information required to access a building. What's more, according to Regelski, while truncation might be a passable solution within a facility, it would make cross-facility interoperability harder because it could lead to duplication among shortened ID numbers.Experts agree that virtually all card readers in operation today for physical security have to be replaced. Whether agencies will have to replace the control panels that handle those readers and the back-end systems that operate the entire PACS, will depend on what's currently in place.'You can replace existing readers to accommodate the new card,' Regelski said, 'and as long as the systems can interpret the output'and the majority of them can'you should be able to take the PIV credential and use it on your existing infrastructure.'However, he cautioned, even some legacy back ends can't handle the data requirements of FIPS-201.In addition, Bishoff warned, today's physical-access control systems weren't designed to handle cryptographic keys, nor have they been through FIPS-140-2 testing, which validates cryptographic modules for use in government.Just as in a large-scale IT infrastructure upgrade or consolidation, the extent of a physical-access overhaul will hinge on an agency's ability to document all its components. Security systems are often procured on a site-by-site basis, or even building-by-building, making it difficult to get a handle on what's out there.'Most agencies do not know how many systems they've got, because they were all locally acquired and there's no central inventory,' Bishoff said. 'The most bizarre case we saw was a building with five physical-access control systems. Three of them were within 30 feet of each other, and they were all three independent systems.'And because we're talking about large numbers of readers and possibly control panels at many different buildings, agencies will need a strategy for cutting over to a new system while still allowing unfettered access through the old.'You can't replace all your existing readers in one shot,' Regelski said. 'You need a strategy. It could be multiple cards or new cards with old tokens embedded.''We need to do triage here,' Butler said. 'If we've got some place up in Maine out in the woods where 300 people work and they're using a magnetic stripe system today, and maybe they just upgraded it, why would we waste the taxpayers' money on someplace like that until it really makes sense, business case-wise, to replace a system like that?'Butler said the Office of the Secretary of Defense just got a new security system that doesn't support the contactless smart card described in PIV specifications. But when the department gets its new contactless smart cards, it will still encode the contactless side and employees will carry two cards in the same holder during the transition. DOD also plans to have thousands of employees using a PIV card starting in April.The good news is that despite all the effort that must go into upgrading to meet HSPD-12 mandates, the move to an integrated security infrastructure could save agencies money. Authsec did an analysis for a large agency and found that if the agency had gone with a FIPS-201-type security strategy, it would have saved $32 million in 2005.'FIPS-201 and HSPD-12 create the opportunity for dollar savings,' Bishoff said, 'but it's going to be real expensive to get there.'And it won't happen overnight. Said DOD's Butler, 'We're going to be doing this six years from now.'