Widespread adoption of IP network-based solutions within the physical security industry is creating an increasing interdependency upon an infrastructure, which in most cases is owned and operated by a department outside of physical security. This mirrors current and historical trends within video conferencing and voice communication systems. The challenge for these systems, and security executives overseeing them, is to understand the choke points, the quality of service requirements and the backup operations that are in place. If these areas are not well understood the possibility increases for minor infrastructure issues to create cascading service interruptions to a facility, or worse an entire organization. As an industry, we are building upon these technical complexities and creating interdependencies and vulnerabilities that could go unrecognized until a major failure occurs.
Infrastructure Assurance
Waiting for a disaster before taking action is not an acceptable strategy. We have a responsibility as an industry to develop a set of security best practices that increase our competency and capabilities with IP networking technologies. These best practices should focus on developing new risk management processes that define policies regarding infrastructure assurance. These processes of assurance should include:
|
Prevention
Prevention of network service outages is a critical component to include in the planning and design of physical security systems and interdependent network infrastructure. If these systems are not designed with the intention of preventing downtime, vulnerability is introduced that places increased importance on other risk management processes. New IP network-based physical security systems are frequently selected without a competent physical security system designer conducting infrastructure analysis. In addition, slow growth in the number of designers with these capabilities is outpaced by increased marketplace adoption of new technologies. This situation is creating a gap, which only time and experience can fill. Short-term strategies, such as partnering with IT departments will help, but physical security must be vigilant about identifying and understanding how the IP network design impacts the physical security systems and operations.
Mitigation
Mitigation of network service outages is more than preparing for the next accident or natural disaster. Physical security operations must develop strategies covering IP network assurance by integrating the management, monitoring and maintenance performed by network owners and operators with that of the physical security systems. Unplanned service interruptions are typically either a result of poor management and maintenance procedures, or a lack of communication. Change management procedures must be designed and implemented across departmental lines to facilitate transparency, information sharing and strict management controls.
Incident Management
Management of network service outage incidents, and resulting communications with physical security operations, are critical to quickly uncovering the root cause of the interruption. This enables both departments to prepare a proper incident response. Without integrated incident management processes between network infrastructure and physical security owners and operators, a lot of wasted resources can be spent trying to recover.
Recovery
Recovery of network service outages must be planned in advance to minimize the impact on physical security. If a recovery plan with well-defined procedures is not followed, time and resources will be lost trying to determine root cause and ownership of the problem. Important system checks must be developed to identify the outage impact, the expected length of the outage and the interdependent security operations, which are impaired.
Shared Responsibility
Rising complexity and interdependence create new vulnerabilities, shared threats and shared responsibilities between IP network owners and operators and those in the physical security department. The industry must develop the capability to apply end-to-end, or system-wide, analysis with defined responsibilities. This should include policies covering service accountability and preservation of reserve capacity. Network Convergence plus new technologies, produces better security services at lower costs and increase operational efficiency. However, in order to realize the benefits of convergence, we must assure that the network infrastructure is capable of supporting physical security.