By April Pottorff, FAIA with T.J. Rogers
Remember when Programmable Logic Controllers (PLCs) with Graphic Annunciation Panels were cutting edge in jail security electronics? The PLCs integrated all the various systems and devices so they communicated with one another – cameras, intercoms, door controls – it was all the rage. Those floor plan graphics on a membrane board with colorful lights a glow were the best thing since sliced bread. The control officer answered an incoming intercom call, viewed the smiling face of an officer that automatically appeared on the Closed Circuit Television (CCTV) call-up monitor, and, then pressed the door graphic button - and voila! - The door opened.
Next up, the fully integrated PLC system traded out the hardboard, Graphic Annunciation Panels for touch screen technology aka Graphical User Interface system or GUIs [goo-ee] as they are affectionately referred. The same concept as its predecessor, but, now the building floor plan appeared as a colorful, customized diagram on a computer screen.
Then we said “goodbye VCRs” and “hello DVRs”. The transition from analog to digital simplified CCTV footage retrieval and storage and vastly improved the quality of surveillance imagery. What’s not to love! But, as we all know technology development is kinetic – it is constantly changing and never ceases to evolve. The evolution of jail security electronic systems over the course of the past three decades is impressive … a non-stop pursuit to maximize staff efficiency, enhance system flexibility, and manage security.
Before we move on to the latest and greatest – do you know what steadfast principle all of the systems mentioned above had in common?
……..All the integrated security electronic components communicated across a dedicated and isolated pathway – never to be intermingled with another system. Also, because the system relied on Cat-5 cable and a low voltage cable plant, a jail’s maintenance personnel managed the backbone infrastructure. Between maintenance personnel, an officer with strong computer skills and an instinct for how computers worked, and a security electronics service contract jail management maintained strict control over the security electronic system.
So in 2015 is Internet Protocol (IP) based technology an emerging trend in security electronic systems for jails and correctional facilities? No - that is so 2005. The emerging, or more appropriately, unresolved trend is an operational one and derives from the IP-based security electronic systems.
Un-principled principle
My career in jail planning and design started 22 years ago and from protégé to principal – a couple of cardinal rules applied to every jail project in which I worked:
1. Every penetration of the security perimeter required an interlock sallyport/secure vestibule; and,
2. The security electronic system operated over a dedicated backbone, isolated from any other network that might pose a penetrable threat to the viability of the jail security electronic system.
Both were non-negotiable, rigid principles. The emergence of IP-based security electronic systems compromises principle #2 - a concept that I, eight years later, still struggle to embrace without thorough discussion and a full vetting process. Every time I read an article that another bank, corporation, or government entity was hacked I wonder how a jail will remain immune when, in so many cases, the security electronic systems no longer reside on an isolated, standalone system.
While designing a new jail 2007, I experienced what I thought at the time was an anomaly but was in fact the infancy of principle #2’s demise.
This particular county has a central County IT department that manages administrative IT networks and security systems for all county buildings. The new jail presented an opportunity for County IT to govern and administer the new jail security electronics. When planning the new jail’s integrated security systems, County IT insisted on IP-based camera systems in the new jail regardless of the expertise offered by our seasoned detention security electronic consultant. County IT’s point of reference was a couple of white papers and that they had installed IP-based camera system in other county (office) buildings. This is where County IT’s inexperience with integrated security systems in jail environments became apparent. They were correct, the technology had been in the general market place for several years, but, the introduction of technologies into correctional environments tends to lag that of the general marketplace. At the time we were designing said new jail, IP-based surveillance systems in correctional environments were just emerging - new enough that the costs were still at a premium, a premium that the project budget could not support. The end result was a digital based system with the infrastructure in place so the County can transition to IP-based technology with ease.
After we crossed that hurdle the next and most surprising part of the security planning discussion took place. County IT needed administrative rights and access to the jail security electronic system. That was a new one for me – a total contradiction to principle number 2. The sheriff’s department accepted the idea before my security electronic consultant and I wrapped our heads around the concept. After a great deal of vetting and dialogue, County IT has administrative access to the jail system.
Eight years later my firm, working with our security consultant Accurate Controls on a project in in the southeast I have Déjà vu – the same exchanges and vetting process is taking place with the client. In a conversation with T.J. Rogers of Accurate Controls I learned that the IP-based security systems come with inherent deviations from the “principles” associated with security electronic systems in jail. I invited T.J. to offer his insights:
Why the deviations?
The advancements in technology and the introduction of IP-based surveillance systems have resulted in the County IT management personnel taking on the role of directing security electronic system design decisions vs the sheriff or jail administration.
The reason this is the case is because the County IT staff are often already involved with the video management system for other County facilities most likely office buildings, maintenance buildings or other less security critical facilities. The systems for other county buildings were most likely selected for reasons other than security such as low bid, simple recording or limited viewing. Once the IT staff is familiar with a particular system, it is human nature to assume that the County should standardize on this one system.
The challenge
County IT Departments understand IP camera technology, but may not understand the requirements for implementing the technology into an integrated detention system application. There are hundreds of different IP Video Management Software (VMS) providers currently on the market, but, only a few have provisions that allow the integration necessary for a detention system application. As a result, design teams are often required to specify an IP Video Management Software that has never been integrated into a detention control system.
IT Departments are directing design teams to share security systems and video management system networks with administrative networks. The client takes on inherent risks when they direct a design consultant to use untested software, and, when they allow individuals outside of the jail or sheriff organization to access the system.
The risks
When contemplating whether or not to grant administrative access to County IT departments each sheriff or jail administrator must ask:
- “Who, outside of my designated officers, has access to the system and the content within the system?” For example, who can access and view live and recorded video? In one such case, an IT intern with limited security clearance or experience was able to access sensitive video and information. Such a scenario raises the question of “how do these situations affect a jail’s ability to comply with PREA standards? Does it violate an inmate’s civil and/or constitutional rights”?
- Do personnel outside of the jail or sheriff department have back door access to the security systems? Many PLC and SCADA systems are left with default passwords and settings installed. This makes it very easy for a hacker that gains access to the system to take over control of the system without much effort. Also, all PLC’s run some type of operating system. They are not as well-known as Windows, Linux, or OSX, but these PLC operating systems contain the same types of bugs and vulnerabilities as any common operating system. The Stuxnet attack, which became known in 2010, demonstrated how a virus that spread on an infected flash drive was able to gain control of a Siemens PLC. Now opening up the PLC/SCADA system to the entire internet makes it that much easier for a hacker with some determination, to get control of the system.
- Do the systems that the County IT department standardizes across all county buildings offer the best functionality, redundancy, or most cost effective solution for an integrated jail system? If they system has never been used in an integrated detention application will it actually work? What will the cost be to get to work? If it does not work, is the Owner prepared to go back to the drawing board to design the system around software that does work?
The technology prevalent in our correctional marketplace today presents issues and raises concerns related to security and inmate rights, both of which requires in-depth examination and vetting before they are accepted as the norm or best practice.
____________________________________________________
April Pottorff, FAIA is a principal with CGL RicciGreene
T.J. Rogers is president of Accurate Controls
Article originally published in the 2015 November/December (Volume 18, Number 7) edition of Correctional News under the title of “Changes in Security Electronics”.
(Return to the cover of the 2016 AAJ Journal Q1 issue)