In the wake of 9/11, the Federal Government’s secure-the-fort, big idea was to create an identity credential for all federal employees and contractors. Homeland Security Presidential Directive (HSPD)-12 set it all in motion. Today, we know the smartcard-based credential that arose from HSPD-12 as the Personal Identity Verification (PIV) card.

The PIV card is meant to give employees/contractors physical access to federal facilities and logical access to federal information systems. While using a PIV card for logical access has been largely successful and compliant with HSPD-12, implementing PIV-based, physical access control systems (PACS) has been much more difficult to conquer. As a result, HSPD-12 compliance for PACS has largely eluded the Federal Government. The noncompliance reasons are many, but there is now hope for fully achieving HSPD-12’s mandates.

Interoperability with any agency’s PIV

Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planetAll Executive Branch employees and long-term contractors, including the entire Department of Defense, have been issued PIV cards. This has been true since 2013. Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planet.

It seems so simple, where employees/contractors previously used their proximity card to open a federal facility door or go through a turnstile, they should now be able to use their PIV card. However, HSPD-12 took the PIV requirement one step further – compliant PACS must be interoperable with any agency’s PIV. This introduced an entire magnitude of additional complexity.

A compliant, interoperable, PIV-based PACS should work like this: an authorised employee (or contractor) presents a PIV card (contact or contactless) to a card reader to enter whichever federal agency building they have reason to be. Over the last 14 years, in all but a very few cases, the lack of PACS’ HSPD-12 compliance has prevented this from happening.

Secure credential policy

Today, less than 1% of the Federal Government’s PACS are HSPD-12-compliant. At most federal facilities, especially those outside the National Capitol Region, a noncompliant PACS works like this: an authorised employee (or contractor) presents a proximity (‘prox’) badge to a proximity card reader to enter his or her agency’s facility. At the fraction of federal facilities with upgraded PACS that work with PIV cards, virtually all such PACS fail to properly use a minimum number of PIV security features before granting access – let alone interoperate with a PIV card from any other agency.

Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 complianceNew federal initiatives frequently suffer from having no policy to enforce their roll-out. That isn’t the case with PACS compliance. Policies have been in place for so long that newer policies like Office of Management and Budget (OMB) M-11-11 (February 3, 2011) remind everyone what the policies said in 2004 and 2006. This year, OMB publicised its proposed OMB M-18-XX (Draft), which will replace M-11-11. OMB M-18-XX’s (Draft) main PACS thrust is, once again, to ensure that everyone understands what the Federal Government’s secure credential policy is. It hasn’t changed since 2004.

It would be tempting to say that PACS technology isn’t mature, but that isn’t the case. In 2013, the Federal Government revamped the PACS portion of the FIPS 201 Evaluation Program and, since that time, all PACS on the General Services Administration’s (GSA) Approved Products List are 100% compliant and interoperable. Yet, on any given day, active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance.

The usual suspects, policy and technology, are not the culprits for this epic delay.

An authorised employee presents a proximity badge to a proximity card reader to enter his or her agency’s facility
An authorised employee presents a PIV card to a card reader to enter whichever federal agency building they have reason to be

Difficulties in adopting HPSP-12 compliance for PACS

  • Standards – The Federal Government’s approach to standards is to avoid a great deal of specificity. It’s an unspoken tenet that federal standards must be flexible, promote innovation and avoid disadvantaging any participating market segment. The opposite is true if your goal is interoperability: nearly every detail must be specified. Consider the standards-based success story of chip-based credit cards. When was the last time you used a credit card and it didn’t work? Interoperability failures are nearly unheard of. If you look at the hundreds of volumes of technical specifications that cover minute aspects of every component in credit cards and payment terminals, you quickly realise why it works so well. Nothing is left to chance, nothing is a variable, and there is no optionality.

The Good News: Work to increase viability through deep scrutiny has progressed in recent years. The GSA APL PACS Testing Lab, set up in 2013, annually tests credentials from all PIV issuers against all GSA-approved PACS. This testing has significantly reduced interoperability failures at federal facilities.

  • Collaboration – In the past, physical access practitioners from federal agencies rarely collaborated, unlike their logical access counterparts. This is also true for PACS procurement decision-makers across agencies and facilities.

The Good News: In 2018, an agency trend has emerged where finally physical access, physical security and IT practitioners have begun sitting down to discuss their shared responsibilities. We have already begun to see coordinated budget requests between IT and Security with enterprise architectures positioning PACS as an enterprise service on the network.

  • Scale – The Federal Government owns so many buildings that they can’t be counted. Google doesn’t know how many there are and neither does any one government official.
  • Variability – A significant percentage of facilities have unique aspects making a one-size-fits-all approach infeasible.

The Good News: Mature consulting services can now help agencies marry federal requirements with their unique environments to develop robust PACS enterprise architectures. As we see this occurring more and more frequently, a repeatable, achievable, systems-based upgrade of all PACS may be on the horizon.

Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance
The GSA APL PACS Testing Lab annually tests credentials from all PIV issuers against all GSA-approved PACS
  • Provenance – In many cases, different groups own different parts of a single facility, not all of whom might be subject to, or wish to interoperate with, a high-assurance compliant PACS. For example, GSA manages facilities for Legislative and Judicial tenants who aren’t subject to HSPD-12. Policy dictates that GSA manage the PACS for the front doors of these facilities should be HSPD-12-compliant, despite the fact that these tenants likely don’t have credentials that work with this technology. Sure, these tenants could commercially obtain a PIV-I credential, but almost none have.
  • Economics – It’s difficult for agencies to create their annual security budget requests when HPSD-12 PACS upgrades are in scope, because so many unknowns exist at each facility. To assess the cost, the time to complete, and the facility’s existing equipment inventory, it would be logical for an agency to hire a contractor with PACS expertise to perform a site assessment. Having to do capital planning for an assessment phase in advance of making the annual budget request for the PACS upgrade creates a never-ending cycle of delay. Especially at agencies with multi-year capital planning requirements. Many agencies, trying to avoid this delay cycle, have fallen prey to doing site assessments themselves. This results in their integrators doing their walk-throughs after the contract is awarded. This is the leading cause of PACS upgrade cost overruns.
  • Dependence on the agency’s IT department – Historically, PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise, let alone the Internet. High-assurance PACS that validate credentials from other agencies must now communicate with many different systems on an enterprise network and over the Internet – so much so that the Federal Government reclassified PACS as IT systems.

The Good News: With collaboration increasing between Physical Security Officers (PSOs) and Chief Information Officer (CIOs), we expect this to improve in due course.

  • Resistance to change – This is a classic human factors challenge, and it’s a big one. PSOs have spent decades achieving their positions. PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted. When the value proposition is clear, change is adopted more readily. But security value isn’t easily measured or observed. It is often said that the best performance review for a PSO is to note that nothing happened. And when something does happen, it is necessarily kept quiet so the risk can be remediated without calling attention to the vulnerability in the interim. To date, the value proposition of moving to PIV-based PACS has been entirely based on policy (without corresponding funding in most cases) and through the shock value of white hat hackers, showing how easily most proximity badges can be cloned. This is not the stuff of change agents.

 

PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise
PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted

Are these challenges a unique situation?

No, these PACS challenges are not unique. Cybersecurity initially faced many of the same challenges that federal PACS face today. By 2000, the Federal Government recognised its urgent need to improve cybersecurity practices across its computing infrastructure and issued many policies that required agencies to improve. Improvement was sparse and inconsistent. GSA Schedules were set up to help agencies buy approved products and services to assist them, but this too produced lacklustre results.

The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned a system

Congress enacted the Federal Information Security Management Act of 2002 (FISMA) (now amended by the Federal Information Security Modernization Action of 2014). FISMA mandates an Authority To Operate (ATO) accreditation process for all information systems. The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned (vs. purchased) a system.

FISMA and ATO accreditation has been highly successful when implementing new systems. These cybersecurity requirements are the closest thing that the Federal Government has to the ‘PIV Police’ today. However, the PIV requirements in FISMA and ATOs currently apply to only logical access for information systems.

The proposed OMB M-18-XX (Draft) mentions that a FISMA PACS overlay to NIST SP 800-53 is forthcoming. The intent of the PACS overlay is to use the army of ATO accrediting officials in the Federal Government and enable them to assess implemented PACS as fit for purpose. This is the first time an enforcement approach has been brought forward that could reasonably succeed.

How long for HSPD-12 compliance?

We know that it won’t take another 14 years to achieve HSPD-12 compliance. Pockets of compliance are popping up. Compliant procurements do exist, and the state of PACS across the Federal Government is better in 2018 than in any previous year. Progress to date has been at a constant rate. The question is: what would take for progress to occur at an exponential rate instead? A major attack or compromise involving PACS would certainly hasten upgrades, but let’s hope that’s not the solution.

The energy distribution sector has been riding a wave of security upgrade demands to retrofit their facilities across the U.S.

The energy distribution sector, under nearly constant Advanced Persistent Threat attacks, has been riding a wave of security upgrade demands to retrofit their facilities across the U.S. The potential threat exists for Federal Government facilities as well.

Looking into the federal PACS-compliance crystal ball, we’re beginning to see the faint outline of a multi-faceted campaign of education, budgetary oversight and accreditation of PACS that will ultimately see us past the tipping point. Consider though, at the current rate of PACS enablement, a 50% compliance rate is still far in the future.

When that day arrives, the PIV card form factor may no longer be the key that fits that future lock. (Are you already using a mobile device’s Bluetooth interface to open the door to your office building?) Taking decades to perform a technology upgrade is the aging elephant in the room no one talks about. By the time critical mass is achieved with an upgrade facing these many challenges, there are typically compelling reasons to start over again with the next generation of technology. That cycle may well prove to be the Federal Government’s biggest PACS challenge of all.

Download PDF version Download PDF version

Author profile

Jeff Nigriny President and Founder, CertiPath

In case you missed it

Crossing the divide - automating security processes across physical, business and IT domains
Crossing the divide - automating security processes across physical, business and IT domains

Security is a critical requirement for all organisations. Getting security right involves the correct mix of people, processes and technology working together. However, many enterprise companies don’t look at the full mix that encompasses information security, and instead split their physical security and business continuity teams away from their IT security departments. According to research by ASIS, around half (52 per cent) of companies have converged two or three out of their physical, IT security and business continuity teams together, with the majority of those opting to bring together their continuity and physical security teams. Of those that have not brought teams together, around 70 per cent have no plans to do so. It's Important to bring all department's security together The reason for this is that cybersecurity is perceived as having a more specialist role within the business and that this prevents companies from bringing their departments together. However, while IT security has its own specialist requirements and skills, it should not be looked at alone. Businesses are looking at how to manage risk more effectively across all their operations, and they have problems when their teams are siloed and don’t have the full picture. The Cybersecurity and Infrastructure Security Agency (CISA) has developed its own guide to this area, based on the growth of the Internet of Things and more connected devices entering both homes and businesses, so this will continue to grow in importance. The rise of automation The pace of change that companies face today, coupled with the impact of the COVID-19 pandemic, means that more organisations are moving to digital services and automating their operations as much as they can. Security is no exception here - according to our research on security and automation, 75 percent of companies say they would need an additional three or more analysts in place to deal with all their incoming alerts in the same day, while 83 percent say their teams face ‘alert fatigue.’ IT security teams are drowning in data, but they feel unable to cope - yet at the same time, they will have to work more closely with other departments as well. Automation is necessary to deal with all these problems, but it should not be looked at in isolation. While IT security teams are keen to invest in automation using technologies like Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR), these investments can be used across both physical and IT security. As IT security teams invest in automation, they can adapt and extend their approach to help risk management and security in the physical world as well. The best approach to be successful around this is to look at areas where real-world and IT security challenges cross over for businesses. To adopt this approach successfully involves understanding business processes better. Fraud detection processes Automation involves using data and analytics to improve how a process operates from beginning to end, including where IT and technology is used to support physical interactions or activities. A good example of this would be a bank’s fraud detection process, where multiple digital and physical transactions have to be monitored and investigated. Bringing together different teams - physical security, business continuity, risk management and IT security - is about how to protect the whole organisation against risk. While the most well-known area for fraud investigation would be credit card transactions, there are multiple different types of transactions to track, from national and international wire transfers to prepaid phone cards and other prepaid cards that can be used for credit purchases. Each of these will have its own workflows and requirements to investigate a transaction, This can include looking at whether transactions are false positives or need further investigation, which is based on a mix of digital documentation for online purchases and physical data from in-person transactions. At the same time, the sophisticated nature of fraud can mean there is a large IT component to any investigation. Members of the IT security team may need to be involved alongside the anti-fraud department. While this investigation is necessary, it pulls analysts away from cybersecurity tasks, which can be especially frustrating where false positives are concerned. Instead, automating the investigation process can help. Consolidating Physical, IT and risk management By consolidating processes and automating the workflow, this pulls physical, IT and risk management together in a smarter and more efficient manner. It also improves productivity for an anti-fraud team as they can remove false positives from the workflow and get automated support for IT analysis. If the team needs more human insight, they can bring this in where they need it rather than requiring it for every investigation. While anti-fraud is one example of where this kind of convergence and collaboration is required, there are other use cases. For instance, industrial control and manufacturing applications that run production lines around the clock are frequently targeted for attacks, either to steal vital data or to disrupt business operations. This crosses over from the realm of IT into the world of operational technology, where systems are very different and the systems used may have been in place for years, even decades. Bringing together different teams - physical security, business continuity, risk management and IT security - is about how to protect the whole organisation against risk. By working together, teams can be more efficient rather than working in their respective silos. This involves better use of data across those teams, which will rely on more automation to be efficient. Using SOAR, security analysts and business risk professionals can cut the amount of time needed to respond to potential problems, reducing the impact and remediating faster. At the same time, it reduces the waste associated with false positives and manual work. The emphasis here should be on how to support the business with better security - by consolidating processes and working more effectively, security teams across the organisation can achieve that goal.

Dahua Technology’s video and access control solution enhances safety in Empresa Panamena de Alimentos food company’s facilities
Dahua Technology’s video and access control solution enhances safety in Empresa Panamena de Alimentos food company’s facilities

Dahua Technology is a globally renowned video-centric smart IoT solutions and services provider. Based on technological innovations, Dahua Technology offers end-to-end security solutions, systems, and services, in order to create value for city operations, corporate management, and consumers. Dahua Technology has designed a video surveillance and control solution for a popular Panamanian Food Company - Empresa Panamena de Alimentos (EPA). Dahua’s security solution Empresa Panamena de Alimentos is a renowned company in the processed food industry in Panama, Central America. It was founded in 2012 and owns production plants and warehouses in the capital city, as well as agencies around the country. EPA’s products, including all kinds of cookies, coffee, and pasta, are already important parts of consumers’ day-to-day life. With the prevailing COVID-19 pandemic risks, EPA needed a system to sustain efficient management and operation, over their staff and facilities. Implementing multiple access controls in the facilities As a food company, the operations of the company need to be under caution, especially during the pandemic As a food company, the operations of the company need to be under caution, especially during the pandemic. It was necessary to implement multiple access controls in the facilities. With multiple plants located around the nation and accelerated growth, a centralised monitoring system for all equipment, alert management and user reports was needed. The solution, applied at EPA’s facilities, integrates various electronic security systems under a single platform and was evaluated based on the company’s needs. ANPR, AI-based cameras and access control systems “Currently, 480 Dahua devices have been arranged. Among them are different models of cameras, access control systems, and automatic number plate recognition products. AI-based cameras enhance the level of personnel protection. Everything is monitored by a DSS Express server in the main plant,” said Luis Araujo, the Manager of Infrastructure and Telecommunications of the Secutec Panama. Every day, more than 800 employees enter EPA facilities nationwide, the access control system allows a faster and safer automated entry of the staff and their cars. Access controllers and Pro Network Video Recorders Besides, three Pro Network Video Recorders (NVR5864-4KS2) were also adopted Apart from automatic number plate recognition (ANPR) devices, more than 20 access controllers (ASI7213X-T1) were installed in main offices for temperature monitoring and attendance management. Besides, three Pro Network Video Recorders (NVR5864-4KS2) were also adopted. With a powerful processor, they have the capability of 4K resolution processing and high definition recording quality. Perimeter protection and access control In Dahua Technology’s security solution, perimeter protection and access control are both realised. “We have had Dahua equipment for 7 years. It is a brand that has been of great help to our safety. It has contributed to continuous and steady operations throughout the COVID-19 pandemic,” said Guillermo Figueroa, EPA’s Safety and Control Manager. Javier Rodríguez, Secutec Panama’s Operations Manager, valued the quality and technology of Dahua’s solution, which has been ‘key’ for the development of their projects, the support and accompaniment to the brands that are planned to be developed. Trust in Dahua Technology’s solution “We are very proud that our teams are here for EPA and that companies, like EPA and Secutec, trust Dahua Technology. We continue to innovate to offer solutions that help companies to work in a safer and smarter way,” said Fermín Osorio, an Engineer at Dahua Technology Ltd.

Everbridge Control Center deployed by G4S to accelerate Abu Dhabi Global Market Square’s physical security digital transformation
Everbridge Control Center deployed by G4S to accelerate Abu Dhabi Global Market Square’s physical security digital transformation

The Abu Dhabi Global Market Square (ADGMS), located on Al Maryah Island, in the United Arab Emirates capital, Abu Dhabi, is a high-profile, architecturally compelling business and hospitality hub. Many of the most globally prestigious companies inhabit the buildings, in the award-winning financial centre. Abu Dhabi Global Market Square ADGMS also hosts frequent international dignitaries and large-scale public events, including the Abu Dhabi national New Year’s fireworks display. Abu Dhabi Global Market Square was the first project in the UAE, to achieve LEED Core and Shell (LEED-CS) Gold pre-certification, by the US Green Building Council (USGBC). The Abu Dhabi Global Market Square (ADGMS) consists of: 450,000 sq. m of office space, a lavish retail section and luxury business hotel offerings, 4 Grade-A commercial office towers with 30 floors each, 4 km waterfront promenade, Over 2,000 cameras, and Over 1,000 doors. Unconnected security systems and situational awareness gaps Because of its iconic status, the Abu Dhabi Global Market Square faces many unique challenges to security, including: Political pressure - Because of ADGMS’s status and frequent high-profile international visitors, any disruption to operations - be it natural disaster, activism, terror or other critical events, could cause issues on a national scale. Protection for VIPs - Regular visits from prestigious VIPs, such as sheikhs, the royal family, and global business leaders, elevates security risks and the need for executive protection. Unobtrusive security - ADGMS is a public space with tenanted offices, meaning that security must be robust, but unobtrusive and follow all global data, and privacy regulations. Physical location - Being situated on an island is an extra security risk, complicating the ability to enter and exit the space, during planned and unplanned critical events or emergencies. Architecture - The buildings in ADGMS are mostly glass, with many levels, making it difficult to secure. Previously, a number of systems were deployed to help with security and life safety, such as CCTV, access control, fire detection, and building management. However, these were not connected and left gaps in situational awareness, which ADGMS found unacceptable. In light of the above challenges, ADGMS building managers felt it essential to harden security, across the market square, within these buildings and in connecting areas. Risk intelligence & integrated control of physical assets Martin Grigg, Principal Consultant and Project Lead for PTS Middle East was selected to design and oversee the project Abu Dhabi Global Market Square approached PTS Middle East (PTS Consulting Group Ltd.), a multi-national security and digital transformation consultancy, which carried out the threat, risk and vulnerability assessment, designed the mitigation measures, and provided oversight of the installation and commissioning of the entire system. They were also tasked with ensuring that the system met the operational requirements and was fit for purpose, and proportional to the risks, faced by ADGMS. Martin Grigg, Principal Consultant and Project Lead for PTS Middle East was selected to design and oversee the project, right from concept to completion. Everbridge Control Center deployed Following the assessment, G4S, a British multi-national risk consultancy company, headquartered in the United Kingdom, was selected to deliver the project, based on its experience in helping secure many of the region’s most prestigious locations. G4S is also a global partner with Everbridge, and together, they have secured people, assets and infrastructure for numerous organisations. G4S selected Everbridge Control Center to integrate and manage all the technology, which is coming into their Security Command Centre (SCC). Everbridge Risk Center was also deployed to provide real-time threat intelligence to ADGMS. Critical issues solved by Everbridge technology: Consolidation of four control rooms into one, reducing the office space needed for security - This premium space is now free and able to be re-purposed as rentable office space, Reduction of man guarding costs, as fewer resources are needed to secure the facility, Real-time situational awareness allows for reduced risk, accelerated response times and keeps stakeholders informed, Everbridge Control Center provides event driven, unified interface and automated SOP presentation, Everbridge technology provides flexibility to adapt, as requirements change, Reduction in time taken to identify a security incident and resolve it, Intelligence from the facial recognition systems is proactively used to welcome friends and identify known criminals, Risk intelligence to identify events, such as sandstorms, allows ADGMS to act faster, enabling them to reduce the risk to people and operations, and Automated reporting capabilities save huge amounts of time and resources - A report that took 20 minutes can now be automated in seconds.