The HSPD-12 opportunity
<@VM>PIV II requires more than just buying hardware
- By Brad Grimes
- Feb 09, 2006
"A lot of the physical access community hasn't woken up to what HSPD-12 means and how obsolete a lot of their stuff is going to be," ? Jeremy Grant, Maximus Inc.
Ask a market analyst to estimate the size of the integration opportunity presented by Homeland Security Presidential Directive 12 and you can hear a hint of "you've got to be kidding" behind the non-answer. And you will get a non-answer, because no one knows how massive the job of integrating physical and logical access security across federal agencies will be. But they say it will be huge.
"Let's put it this way," said Alan Webber, senior analyst at Forrester Research. "The only thing in the next 10 years besides this integration that might have a bigger dollar value is probably the enterprise resource planning systems that [agencies] are putting in place."
HSPD-12 poses such significant opportunities for integrators because it poses such significant challenges for agencies. And many of the incumbents ? the companies that build physical access control systems to protect government facilities ? are facing a brand-new reality.
"A lot of the physical access community hasn't woken up to what HSPD-12 means and how obsolete a lot of their stuff is going to be," said Jeremy Grant, vice president for enterprise solutions at Reston, Va., integrator Maximus Inc.
But they're about to.ONE GIANT STEP
Webber and others agree that overhauling physical security, the quintessential stovepipe system, will be the first major step in building HSPD-12-compliant systems. Expanding security controls to enable them to handle access to computer resources as well as physical security will be a future integration project.
Not surprisingly, much of the focus both in and out of government is on how HSPD-12 affects what's already installed. Last November, the Physical Access Interagency Interoperability Working Group revised a document called "Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems." And earlier in the fall, industry trade group the Smart Card Alliance put out its own guidance: "An Overview of the Impact of FIPS 201 on Federal Physical Access Control Systems." (Federal Information Processing Standard 201, published by the National Institute of Standards and Technology, describes the specifications that HSPD-12 systems must meet.)
"The physical access security industry has been anxious to see FIPS 201 implemented," said Randy Vanderhoof, executive director of the Smart Card Alliance. "Every government agency has some type of physical access system in place now, so it's going to require a lot of change."
Perhaps the most basic challenge is that physical access control systems usually have been islands unto themselves. PACS vendors usually have built proprietary systems that lock customers into their products and services. Access control cards from one vendor typically work only with that company's readers, which typically work only with the same company's control panels.
The practice is becoming increasingly irksome to users. Mike Butler, chief of smart-card programs in the Defense Department's Common Access Card Office, described a panel discussion with PACS vendors at a recent conference. During the question-and-answer period, attendees asked when the companies would open up their products to let them communicate with other systems.
The vendors' response, Butler said: "Not for the next 10 years if they can help it, because that maintains their proprietary lock on the programs."
Moving to IP systems and FIPS 201 will change that.SECURITY CONCERNS
But not all security systems are closed, and most modern PACS support IP connections.
One systems integrator cited Amag Technology Inc. of Torrance, Calif., and Lenel Systems International Inc. of Rochester, N.Y., as PACS vendors that sell highly customizable systems. Amag helped the Interior Department build its first integrated smart-card security system. Lenel has done smart-card work with several agencies, including NASA.
But there are other reasons that PACS vendors and their customers haven't rushed to open physical security systems to larger networks. Usually, physical security is handled not by those with IT oversight, but by a group trained in "guns and badges," as experts describe it. Because these individuals typically have little experience with IT, they're nervous about putting physical access controls on a network.
"They look at you like you're crazy," Grant said. When physical security systems ride on an IP network, they become vulnerable to hackers, viruses and other risks. And so far, because most of their systems haven't been integrated, PACS vendors haven't worried about bulletproofing their products.
Authsec Inc., a security consulting company in Columbia, Md., has run vulnerability scans on several physical access control systems and, according to the company, every system had vulnerabilities.
"If you change an environment, you generally inherit risk, and it's not that the risk can't be controlled," said Dallas Bishoff, Authsec's senior vice president. "The door control panels have operating systems and are susceptible to viruses and need to be patched. But most PACS are not treated as IT procurements and are not subject to certification and accreditation. Vendors don't live in [the network] world and aren't used to worrying about vulnerabilities in their products."
Michael Regelski, vice president of engineering at Lenel Systems, said his company has offered centralized administration of physical and logical access for several years. There hasn't been widespread adoption, he said, because most organizations don't have a logical security infrastructure in place that can take advantage of it.
Despite that fact, Regelski said, more than 80 percent of the company's physical security deployments are network-based and ready to handle converged systems.
"If you know what you're doing on a network, there are so many ways to secure the devices. It's a matter of being properly architected," he said.
But much of today's physical access infrastructure doesn't comply with NIST's specifications for HSPD-12. Under FIPS 201, the main identifier on a Personal Identity Verification card will be the Federal Agency Smart Credential Number, or FASC-N, which can be up to 32 bits or 25 bytes, based on the encoding technique.
"You can't shove that through a lot of legacy access systems," Grant said.
An interim solution in which systems accept truncated FASC-N data has been suggested, but it's an imperfect solution: It effectively reduces the amount of unique information required to access a building. Truncation might be a passable solution within a facility, but because it could lead to duplication among shorter ID numbers, cross-facility interoperability would be more problematic.
Security experts agree on one point: Virtually all physical security card readers operating today will have to be replaced. Whether agencies have to change the control panels that handle those readers or the back-end systems that operate the entire physical access control systems will depend on what's in place.
"You can replace readers to accommodate the new cards ? and as long as the systems can interpret the output ? and the majority of them can ? you should be able to take the PIV credential and use it on your existing infrastructure," Regelski said.
However, he said, even some legacy back-end systems can't handle the data requirements of FIPS 201.
In addition, Bishoff said, today's physical access control systems weren't designed to handle cryptographic keys, nor have they been through FIPS 140-2 testing, which validates cryptographic modules for use in government.
"In a lot of cases, some of the vendors' products can't be upgraded, and they'll have to forklift the whole thing," Bishoff said.THE BUSINESS OF HSPD-12
So who's going to get the business? Forrester's Webber said when the big HSPD-12 contracts start rolling out, likely in 2008, PACS vendors such as Amag and Lenel likely will be subcontractors to large integrators such as Computer Sciences Corp., Northrop Grumman Corp. and Science Applications International Corp.
"This is definitely going to have to be a team situation," he said.
Dwayne Pfeiffer, principal engineer for civilian agencies at Northrop Grumman IT, said his group has close ties with PACS vendors and maintains a solution center in Reston, Va., where it continuously tests smart cards and access control systems for government conformance.
But integrators need to pay attention to the details of HSPD-12 contracts, lest they become embroiled in a quagmire in which undocumented systems appear seemingly out of nowhere and throw a project off track.
Just as in any large-scale IT upgrade or consolidation, such as the Navy-Marine Corps Intranet, the extent of a physical access overhaul will hinge on an agency's ability to identify what's in place.
"Most agencies do not know how many systems they've got, because they were all locally acquired and there's no central inventory," Bishoff said. "The most bizarre case we saw was a building with five physical access control systems. Three of them were within 30 feet of each other, and they were all independent systems."
Integrators also will have to help formulate a migration plan. Because of the large numbers of readers and possibly control panels at many different buildings, project teams will need a strategy for cutting over to a new system while allowing unfettered access through the old.
"You can't replace all your existing readers in one shot," Regelski said. "You need a strategy. It could be multiple cards or new cards with old tokens embedded."
Last December, SmartNet Inc. of Frederick, Md., finished transitioning the Air Force Institute of Technology at Wright-Patterson Air Force Base to a new physical security system designed to support both the current Defense Department Common Access Card and the future contactless personal identity verification card. Keith Wilson, SmartNet's vice president of operations, said the company did the work in phases.
"We did new buildings first because we didn't have to transition the security systems," Wilson said. "Once the new buildings proved out, were connected and everything was working, we transitioned or replaced the components of the system."
The SmartNet deployment covers 148 doors in five buildings. The company expects to start integrating FIPS 201-prescribed fingerprint biometrics in April.
The good news for government is that despite all the effort that must go into upgrading systems to meet HSPD-12 mandates, the move to an integrated security infrastructure could save money. Authsec did an analysis for a large agency and found that if the agency had gone with a FIPS 201 security strategy, it would have saved $32 million in 2005.
"FIPS 201 and HSPD-12 create the opportunity for savings," Bishoff said, "but it's going to be real expensive to get there."
And that could be the rub.
"Congress is being pretty stingy," Webber said. "A lot of people can't see through the trees to how they're going to be able to pay for this. ... This has the potential to be a huge mess."
Brad Grimes is an assistant managing editor with Government Computer News. He can be reached at email@example.com.Now that agencies have ? hopefully ? met requirements for part one of the Personal Identity Verification program, the clock is ticking to the Oct. 27 deadline for part-two compliance.
Agencies must have systems in place by then to begin issuing the interoperable smart ID cards mandated by Homeland Security Presidential Directive-12. Technical specifications for the cards and the data they will contain are being developed, and products are only beginning to be certified against Federal Information Processing Standard 201. In the meantime, here are some things agencies can consider as they plan for the second phase of PIV:
- Enrolling thousands of workers, many of them scattered across the country, is not a trivial issue. Thought must be given to getting these employees to the enrollment system or getting a system to remote workers.
- Back-end systems will have to be in place to hold the data being gathered for use with PIV cards. These systems need to be interoperable with other systems so the data can be used.
- HSPD-12 does not specify how the new cards are to be used, but leveraging the technology will require enabling IT applications and physical access control systems. Without this, PIV will be just another photo ID.
- PIV cards are all about security; they must be tamper-resistant and difficult to counterfeit. Security features that go beyond basic requirements for the cards are available, and could be considered to meet an agency's specific needs. "There is a lot of technology behind these cards that you can employ that is not incorporated in the standards," said Mike Gibbons, lead of Unisys Corp.'s enterprise security practice.
- A biometric specification calls for including two index fingerprints on the card. What about those without two index fingers? Provisions should be made for alternate biometric features and systems to authenticate them.
- Decide which facilities pose the highest risk and plan to secure them first.
- Plan to implement the system modularly, so pieces can be added or upgraded when needed.
? William Jackson