For years, we’ve been finding unsecured flaws in legacy IP physical security systems. These errors are always related to not keeping IT and information security in the loop as they were specified, purchased and installed. As a result, these IP systems sit on the network waiting for a rouge insider or malicious outsider to exploit. In effect, anyone on the network can simply load up a web browser, connect to the video or access device (either directly or to the central management console) and then control, reconfigure or reset them at will.
Apparently, mismanagement of networked physical security systems is widespread. For instance, according to a recent story in the LA Times (http://lat.ms/uoaJHb) LAPD had numerous network cameras that were broken or never even hooked up.
Network-based video and access control systems are no different than any other IT host or application set up. Before design, purchase and installation occurs, an owner should step back and think through current information security policies and standards. Most importantly, never assume that an IT consultant or the IT staff has properly planned to secure the physical security systems. We believe the “someone else will take care of that” approach may put everyone in a real bind should a serious security intrusion occurs. Acknowledging that physical security systems are made secure using the same means as logical security is critical to reducing risk vulnerabilities.