| https://sm.asisonline.org/Pages/Supply-Chain-Company-Makes-Access-Control-a-Priority.aspx | Supply Chain Company Makes Access Control a Priority | GP0|#69b4a912-eafa-43d2-b6a4-8aed47f69245;L0|#069b4a912-eafa-43d2-b6a4-8aed47f69245|Security Technology;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Transportation Impact is a privately held company named to the Inc. 5000 list by Inc. magazine five times. The company aims to reduce supply chain costs for cli- ents in multiple vertical markets. The company, based in Emerald Isle, North Carolina, works for clients to reduce shipping costs through small package and freight negotiation, as well as with its state-of-the-art transportation management system. The company employs a team of 70 people in two modern office buildings in North Caro- lina. The safety and security of the company's dedicated employees and infrastructure is a priority for Transportation Impact. Company executives knew it was time to invest in an access control system to protect employees. </p><p>Transportation Impact's corporate headquarters resides in a four-story building with the bottom two floors housing executive offices and conference rooms and the top two floors housing a restaurant and bar that is open to the public.</p><p>The biggest challenge the company faced in sharing a building was that members of the public commonly walked in on private meetings taking place in conference rooms while looking for the restaurant. Having the public enter Transportation Impact's office at will was not only a disruption, it was also a security risk for employees and for private information and systems. It was imperative that the conference room and executive areas were safeguarded from unauthorized access.</p><p>The company needed an access control solution that was simple to administer across multiple buildings, could handle the addition of geographically dispersed locations, and provided users with a con- venient method to access the buildings. Transportation Impact consulted security integrator, Electronic Solutions of Green- ville, North Carolina.</p><p>Electronic Solutions had been working with Transportation Impact for several years and understood the company's needs. Ron Snyder, president of Elec- tronic Solutions and an ISONAS certified partner, suggested the ISONAS Pure IP access control solution in the fall of 2016, starting with a pilot program for ISO- NAS's new RC-04 reader-controller, all managed from the ISONAS software, Pure Access Cloud.</p><p>Transportation Impact was one of the first companies to use the new hardware product and provide feedback on the functionality and usability of the system. In addition, it was one of the first to take advantage of the Pure Mobile credentials from ISONAS. "The ISONAS solution is easy to install and it offers a simple solution, which only requires an ISONAS reader-controller and a CAT 5 cable for power and data," Snyder says.</p><p>One key challenge that drove Transportation Impact and Electronic Solutions to choose ISONAS was the need for convenient access for their users. After installing the system, Transportation Impact provided key fobs to employees to use with the system.</p><p>Unfortunately, many of the key fobs were lost, which resulted in employees propping open doors, circumventing the security and effectiveness of the access control solution. With the number of lost key fobs, Transportation Impact needed to find a way to incor- porate access control into their employees' normal everyday practices. The ISONAS Pure Mobile credential allowed them to take the convenience of their mobile phone to the next level. The Bluetooth Low Energy feature of the Pure IP hardware family (RC-04) eliminated the need for a physical card or key fob and allowed a mobile device to act as an access card.</p><p>With the simplicity of Pure Mobile in combination with Pure Access, there was no need to install additional software, purchase additional licenses to enroll mobile credentials, or acquire a bank of credentials. The RC-04 hardware and Pure Access software are ready to use with the ISONAS Pure Mobile credentials right out of the box. An employee at Transportation Impact downloads the Pure Mobile appli- cation to his or her phone, presents it to a reader-controller, and the facility adminis- trator associates that mobile phone to the user's profile.</p><p>"We were looking for an easy-to-use access control solution that allowed access with the touch of a button and we found it," says Norm Pollock, vice president of information technology at Transportation Impact. "In addition to having mobile access, we really liked having the ability to automate on a schedule and set the doors to lock and unlock during certain times of the day all from the Pure Access Cloud software."</p><div><p>Transportation Impact has 11 ISONAS RC-04 reader-controllers installed across two office buildings, all administered from the Pure Access Cloud software, giving access from anywhere at any time. Pure Access Cloud eliminated the need for any additional onsite network infrastructure and provided full administra- tive and management power of the access control system from any device. Now the company can assign users to the system; establish access schedules, events, and holidays; prevent doors from being propped open; and eliminate surprise visits from the public. With nine doors secured in the corporate headquarters and two installed in a second building on the front and back doors, Transportation Impact is ready for business.</p></div><p>With plans for a third office building in the works, Transportation Impact can easily add additional doors to its access control system now and in the future.</p><p> <em>Monique Merhige is president of Infusion Direct Marketing and Advertising, Inc.</em></p> | | |
| https://sm.asisonline.org/Pages/Lost-in-Transit.aspx | Lost in Transit | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>It was a busy morning in December 2017 as a woman boarded the London Underground's Central Line service. While she was on the train, Malcolm Schwartz, 19, also boarded. He approached her and exposed himself, pressing into her.</p><p>The next month, Schwartz boarded the Underground again and assaulted two women, touching and pressing himself against them inappropriately. Later in January, Schwartz once again rode the Underground and stood closely behind a woman, touching her inappropriately as the train traveled through London.</p><p>All four women reported their experiences to the police, and the British Transport Police's Sexual Offences Unit was able to use their reports to trace Schwartz. He was apprehended and pleaded guilty to four counts of sexual assault. </p><p>"Schwartz's behavior was perverse," said DC Thomas O'Regan from the police's Sexual Offences Unit in a press release. "Over a two-month period of time, he traveled on busy Central Line trains assaulting women for his own sexual gratification. His conduct was outrageous, and I am pleased we were able to catch him."</p><p>As part of the punishment for his crimes, Schwartz is now banned from using the London Underground and Docklands Light Railway network and prohibited from sitting next to women traveling alone that he does not know.</p><p>"This complex case demonstrates the true value in reporting unwanted sexual behavior to police," O'Regan said. "The victims each provided us with clear accounts of what happened, enabling us to clearly identify Schwartz as the perpetrator. Reports such as theirs help us catch offenders and ensure that justice is delivered."</p><p>But just a few years earlier, those reports might not have been made. A 2013 survey by Transport for London (TfL)—London's transit authority—found that one in 10 of its customers experienced unwanted sexual behavior while using the system. Yet, 90 percent of those individuals did not report the incidents to the police.</p><p>TfL's findings mirrored a wider trend in transit security—that unwanted sexual behavior is pervasive, and few victims ever report the incidents to the authorities. These incidents can also act as barriers for women who want to use public transit but feel unsafe doing so.</p><p>"The lack of personal security, or the inability to use public transport without the fear of being victimized—whether on public transport, walking to or from a transit facility or stop, or waiting at a bus, transit stop, or station platform—can substantially decrease the attractiveness and thus the use of public transit," according to the Global Mobility Report, published by the World Bank partnership Sustainable Mobility for All in 2017. </p><p><em>Security Management</em> took a look at how two major transportation systems are addressing sexual harassment and unwanted sexual behavior in their systems in an effort to increase reporting and catch perpetrators.</p><h4>The London Approach</h4><p>TfL is responsible for the daily operations of London's transportation network and managing London's main roads. Its system includes the London Underground, London Buses, Docklands Light Railway, London Overground, TfL Rail, London Trams, London River Services, London Dial-a-Ride, Victoria Coach Station, Santander Cycles, and the Emirates Air Line.</p><p>The system serves more than 8.8 million people, according to its most recent annual report, with 31 million services provided. It has more than 12,000 CCTV cameras and 3,000 officers from the British Transport Police and Metropolitan Police Service that are dedicated to policing its network to keep customers safe. </p><p>Additionally, its frontline police officers and TfL on-street enforcement officers have received training and briefing on tackling unwanted sexual behavior on public transportation.</p><p>Senior Operational Policy Manager of Compliance, Policing, and On-Street Services Mandy McGregor says TfL knew that sexual offences were widely underreported in society in general and thought this might also be the case for public transportation in London.</p><p>In 2013, Tfl conducted its first safety and security survey, which asked people if they had experienced unwanted sexual behavior in the past and if they reported it. Unwanted sexual behavior included staring, groping, rubbing, masturbating, ejaculating, flashing, and taking up-skirt photos with covert cameras.</p><p>"Unwanted sexual behavior is anything that makes you uncomfortable," McGregor says. "You don't have to prove that it was a criminal offense or intentional to report it, we can investigate that for you."</p><p>After the survey was conducted and analyzed, TfL found that one in 10 people had experienced unwanted sexual behavior, but of those victims 90 percent did not report it to authorities.</p><p>To better understand why people weren't reporting these incidents, TfL conducted further research into the survey and discovered four main barriers to reporting.</p><p>The first was normalization, McGregor says, explaining that "some of these behaviors have become so prevalent in society that they have become normalized and are often seen as a social nuisance rather than a more serious problem."</p><p>The second barrier was internalization, a coping mechanism that can be used both in the moment and after an incident occurs.</p><p>"The experience is unpleasant, but threat of escalation often means that people don't respond in the moment; they either ignore it or pretend not to hear it," she explains.</p><p>The other barriers were lack of awareness of the reporting process and a lack of credibility, McGregor says.</p><p>"Very few people believed that reporting an unwanted sexual behavior will result in justice, as they perceived there to be a low chance of the perpetrator being caught," she explains.</p><p>Using these insights, TfL crafted a campaign designed to overcome these barriers to reporting by showing that reports matter and will be investigated. The campaign, called "Report it to Stop it," was rolled out on posters, social media, videos, and case studies. It encourages people to report instances of unwanted sexual behavior on public transport through a variety of means, including calling a dedicated criminal reporting line, texting 61016, or speaking directly to a police officer or TfL staff.</p><p>Since its release in April 2015, the campaign films and case studies have been watched more than 35 million times on YouTube. McGregor says the campaign has also reached young people through educational sessions in schools and universities.</p><p>"In its first year in the market, the campaign had a 59 percent recognition rate amongst its target audience and 64 percent of people agree that they are likely to consider reporting," she adds. </p><p>Since the campaign was implemented, TfL has seen a "significant increase" in reports of unwanted sexual behavior in the system. For instance, roughly one year after the campaign was released, TfL saw a 36 percent increase in the number of reported instances.</p><p>"Between April and December 2015, 1,603 reports were made to the police, compared to 1,117 in the same period in 2014," TfL said in a press release. "These reports resulted in a 40 percent increase in arrests for offenses, including rubbing, groping, masturbation, leering, sexual comments, indecent acts, or the taking of photographs without consent."</p><p>"It's also helped trigger a national dialogue on sexual harassment—raising awareness that unwanted sexual behavior should never be accepted as part of the everyday lives of women and girls," McGregor says. </p><p>TfL continues to use the "Report it to Stop it" campaign, which McGregor says will continue to evolve until TfL feels that unwanted sexual behavior has been "stamped out" of the network.</p><p>"Every report the police receive helps to build a picture of the offender, so they can be caught and brought to justice," she explains. "Since we launched the 'Report it to Stop it' campaign, we've seen a large increase in the number of people feeling confident to report and, in turn, higher numbers of reports, arrests, and conviction rates."</p><h4>The D.C. Approach</h4><p>In 1976, an interstate compact created the Washington Metropolitan Area Transit Authority (Metro) to develop a regional transportation system that would serve the Washington, D.C., area. </p><p>Metro now has 91 stations across 117 miles of track, and 1,500 Metrobuses that serve a population of approximately 4 million people in a 1,500-square mile jurisdiction spread across Maryland, Virginia, and Washington, D.C.</p><p>Metro also has a sworn police force that investigates crimes, including sexual harassment, that occur on the transit system. Personnel are aided by a robust camera system. Transit police and frontline staff receive special training to handle reports of sexual harassment in the system. </p><p>"Frontline employees are the ones that interact most with the customers, and typically if an officer is not around, we encourage people to report an incident to a Metro employee," says Sherri Ly, spokesperson for Metro. "It's important that our frontline employees also have that training and understanding, when they are dealing with customers reporting incidents of harassment."</p><p>In 2015, Metro—like TfL before it—began to suspect that instances of sexual harassment were underreported on its system. To assess the situation, it partnered with Collective Action DC and Stop Street Harassment to conduct its first comprehensive transit safety survey.</p><p>Metro wanted to find out "how do reports of harassment on our system compare to other public transportation?" Ly says. "And what we found was that it's comparable to what we see nationwide."</p><p>Through the effort, Metro found that roughly 20 percent of surveyed people had experienced sexual harassment on public transportation—women were three times more likely than men to experience sexual harassment. Of those incidents, 77 percent of people never reported them.</p><p>Metro also found that 41 percent of survey participants were familiar with its antiharassment awareness campaign at the time. Those who were familiar with it were twice as likely to report an incident of harassment.</p><p>Taking these findings into account, Metro once again partnered with Collective Action DC and Stop Street Harassment to create a new sexual harassment awareness campaign for its system. The new campaign uses the slogans "You have a right to speak up" and "You deserve to be treated with respect."</p><p>The idea behind the campaign is that everyone who rides Metro deserves to be treated with respect, Ly says. "And we want people to know that anyone who feels that they've been the victim of harassment should report that incident."</p><p>The campaign also features a diverse group of individuals, designed to reflect Metro's diverse ridership—men, women, and members of the LGBTQ community, from various ethnic backgrounds.</p><p>"We wanted to be inclusive," Ly explains. "Harassment doesn't just impact one race, one gender. Everyone, regardless of what your background is, deserves to ride the system and be treated with respect."</p><p>In addition to creating a new awareness campaign, Metro also created the option for individuals to report sexual harassment incidents and remain anonymous.</p><p>"With harassment and sexual harassment, a lot of times people might be uncomfortable reporting those and having to give their name, so this is a way for someone who wants to remain anonymous to report through our portal, and we will still investigate those claims," Ly adds.</p><p>Individuals can now report incidents via Metro's Web portal, email, text, or in person at a Metro station to any frontline employee or police officer. </p><p>Following the rollout of the campaign in 2017, Ly says Metro has seen an increase in the number of sexual harassment incidents reported. There were 61 reported incidents to its sexual harassment portals in 2017, compared to just 37 the previous year, according to Metro's Semi-Annual Security Report. Of those incidents, 34 were harassment, 16 were criminal nonsexual incidents, and 11 criminal incidents—down from 16 in 2016.</p><p>"We think it's a good thing that we are seeing more and more people reporting, but at the same time you're seeing the number of incidents that rise to the level of criminal declining because we're also sending a message to those that might think about doing some like this that it's not okay," Ly says. "We're putting them on notice—that we take these things seriously, and that if a crime has occurred, we will investigate and hopefully find the person responsible." </p> | | |
| https://sm.asisonline.org/Pages/A-Safety-Strategy-on-Campus.aspx | A Safety Strategy on Campus | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>In March 2013, a student at the University of Central Florida (UCF) was poised to carry out a gun attack in Tower 1, a dormitory that hosts 500 students. He planned to pull the fire alarm, then start shooting his classmates as the building was evacuated. When it came time to carry out the attack, however, his weapon jammed. As responding officers closed in, he took his own life. </p><p>While security cameras at the Orlando-based university captured the incident, first responders were unable to view video during the situation because it was hosted on a local server and getting to the recorder would possibly put them in harm's way. Similarly, during the investigative period, the building was locked down, and the video could not be accessed. </p><p>In the immediate aftermath of the active shooter situation, it took more than eight hours to get in touch with the person in charge of the video management system for the building, says Jeff Morgan, director of security and emergency management for UCF. The sworn campus police department ended up having to confiscate the local network recording device as evidence. </p><p>The active shooter situation, which highlighted the limitations of the campus video infrastructure, helped the university realize it was time to reevaluate its security technologies. "We knew we were one weapon jam away from our own Virginia Tech here at UCF," he says, referring to the April 2007 massacre that resulted in the death of 32 people in Blacksburg, Virginia. "That's when we realized we needed someone to come in and fix it. We can't have folks without access to those cameras when needed, and not being able to get a hold of people in the middle of the night." </p><p><strong>Strategy. </strong>The department decided to hire a subject matter expert from the security world–someone who could bring in a mix of technologies that were scalable for the growing campus and user-friendly.</p><p>In December 2014, UCF hired Joseph Souza, CPP, PSP, as its assistant director of security. Souza says he was immediately interested in integrating the university's disparate video systems into one platform. </p><p>"We had 58 different camera servers run mostly by IT across the university, and there were no standards on how the camera systems were run," Souza notes. "There was no standardization on what cameras were purchased, recording resolution, frame rate, duration, or retention." </p><p>The access control system was also in need of an upgrade, he adds. "We had several different access control systems, several different key systems; none of that had been consolidated in any way." </p><p>Part of the security team's solution was to hire coordinators for both the camera and access control systems. The two hires were university employees who came from the IT department. "They had strong IT backgrounds but also security experience, so for me it was the best possible fit, because both technologies rely heavily on IT," Souza explains. </p><p>The security team began partnering with the UCF IT department to benchmark new products before buying them—a practice that continues. "That's something we do constantly," he says. "We evaluate new products, we establish and approve product lists, and then that allows us to implement cameras and access control for new construction." </p><p>Souza has helped his department get involved in construction projects on campus so that security is integrated from the start. "We've been involved at the ground level of planning and design," he says. "We attend the weekly meetings with the construction team and we make sure that all the security products are put in all the proper places with security in mind." </p><p>One such project is the university's new downtown campus in the Paramore district of Orlando. UCF is partnering with Valencia College to build an academic center, which will have a housing facility, parking garage, utility plant, public safety building, and academic structure. The security and emergency management teams were involved in the planning, design, and now construction of those buildings on the new campus. </p><p>The downtown district is being revitalized, and Souza notes that the project is not without its challenges. In the leadup to the campus groundbreaking, UCF partnered with Orlando Police, Orange County public schools, and Orange County emergency managers to increase security in the area. Together, they worked to expand contract security and police presence, as well as cameras and emergency call towers. </p><p>"It is already paying dividends, as our staff and students appreciate the additional security presence," Souza says, "and we have seen a decline in the nefarious activity in that area."</p><p><strong>Video management.</strong> After the active shooter incident, UCF wanted to upgrade to one platform that could manage video across the entire campus. This would make upgrading units easier as well. </p><p>"In the past, we had a few hundred folks that had access to cameras, and if we needed to push an update or a patch, we had to go through every individual computer," Morgan explains. "We had disparate servers throughout the campus…a lot of them were reaching end-of-life, so we knew eventually we'd have to do an consolidation effort." </p><p>UCF put out a call for proposals to vet various video management system vendors, and brought in the finalists for panel-style question and answer sessions. </p><p>In April 2017, the university chose Pivot3's hyperconverged infrastructure (HCI) platform, which uses VMS software from Milestone. "Pivot3 stuck out far and above everyone else's capabilities for what we wanted to do," Souza says. </p><p>The Pivot3 HCI platform consolidates servers, storage, and client workstations into one solution managed from a single administrative interface. It took UCF two months to migrate its old recordings from its various VMS servers to the new system, and completed the project in July 2017. The system has redundancy built-in, so that if hardware failure occurs, previously recorded video is protected. With several research projects and laboratories across campus, this type of data protection is crucial. </p><p>"On the maintenance side, if cameras go down, cameras need work, or lightning strikes–whatever it is–it's a lot easier for us to see what's down and repair it as soon as possible, with everything all in one platform," Morgan notes. </p><p>The university also has to abide by certain privacy requirements for some of its research and education initiatives. "We have a lot of applications where the cameras are used to help people train to be counselors," Souza notes, "and we have labs with cadavers where medical research is conducted." With Pivot3 HCI, the video server environment can be segmented to isolate those cases, and privacy rules can be applied. </p><p>Every user with access to video now undergoes training. "By and large, we no longer allow servers to export video," Souza says, noting that keeping a lid on video access helps the university better protect its students. "We put very tight policy around that, and training, to make sure our university isn't going to end up on a news story for misuse of surveillance systems," he says. The university limits exporting privileges to campus police and other law enforcement.</p><p><strong>Cameras.</strong> With the new video infrastructure, surveillance has become a more user-friendly experience, Morgan says. The campus is better equipped to deal with any situation that may arise, from emergencies to everyday activities at a large university, because there is a single login to watch cameras across the entire campus. </p><p>The advantages of the new system recently came to light when campus police were tracking two suspicious individuals moving across school grounds. "When they traversed from one building to another part of the campus, we could stay in one logged-in environment, versus trying to log into two or three different areas to try to track them," Morgan says. "The new system has made a huge change in response, and a big impact on investigations." </p><p>The new system offers integrated mapping that displays available cameras in a specific location. "Now [officers] can just look at a campus map, click on a building, see what cameras are there, and click on that camera to pull it up," Morgan adds. "So you don't have to memorize where the cameras go." </p><p>In two to three years, UCF plans to expand its inventory to more than 3,000 cameras, including a greater number at the new downtown campus, which will be managed on the Pivot3 platform. The university has a mix of cameras from Axis and Oncam Grandeye. </p><p>One area where security has recently expanded camera coverage is Spectrum Stadium, where the UCF Knights play football. "We work every football game, including tailgating leading up to the game and post-game, to make sure there are no incidents," Souza says. Recently, 43 additional cameras were placed in and around the stadium, which holds 45,000 people. </p><p>The school partners with a company called CSC for event security at the football games. "When an incident happens, we're right on it with surveillance," he says. "We can do situational awareness, whether it's a fight or a medical incident. We're proactively monitoring the crowd for anything that's going on." </p><p>The last two years, UCF has played host to the Florida Cup, an international soccer tournament. Souza says the enhanced situational awareness is invaluable at that event. "It's a more excitable crowd, they are really excited about soccer, so they bring in the smoke bombs and get into fights in the parking lot, and fights in the stadium," he notes. </p><p>UCF was also able to take full advantage of the upgraded cameras during the 2016 U.S. presidential campaign, when then-Republican candidate Donald Trump visited campus, as well as then-President Barack Obama, who was campaigning for Democratic candidate Hillary Clinton. "We partnered with the U.S. Secret Service…we were also working with all of our law enforcement partners who worked with the candidates, helping them and giving them awareness of what was going on," Souza says. </p><p><strong>Access control. </strong>In addition to the video server and camera upgrades, the university wanted to enhance several aspects of its access control system, including provisioning and deprovisioning of cards. Souza is leading an effort with IT and human resources for granting and revoking card access for students, faculty, and staff. </p><p>The campus is in the midst of a project to tie the HR directory to the access control system, "so we can have provisioning and deprovisioning of employees that ties them to their academic semesters, hiring and termination, or retirement of employees," Souza notes. </p><p>Smart cards for students and faculty and card readers were also upgraded. "Our form of access control was magnetic stripe readers, now it's HID iClass" Souza says, which are contactless cards that are swiped in front of a door reader. "Not relying on magnetic stripe is a huge benefit." </p><p>The university has a contract guard force responsible for locking and unlocking buildings that are not automatically controlled. They also check to ensure the buildings that are automatically locked and unlocked are properly secured. </p><p><strong>Outlook. </strong>UCF has several ongoing security initiatives that it hopes to expand in the future, including its drone program, which was a major asset to the school during two recent hurricanes. UCF purchased a DJI Phantom Pro 4 drone and accessories, and used the vehicle to assess pre- and post-hurricane damage during Matthew in 2016 and Irma in 2017. The drone images were combined with data from cameras and access control systems to paint a holistic picture of how the storms affected the campus. </p><p> "After the storm, we provided our facilities damage assessment team with immediate images of damages across all of our campuses, then flew drones the day after the storm to get high resolution images of the overall damage to buildings, as well as debris and fallen trees," Souza explains. </p><p>The school has a student intern, certified by the U.S. Federal Aviation Administration, who pilots the drone and trains others who seek certification. "We want to use drones for security and emergency management, but also use them safely and securely, with no privacy concerns being violated or safety issues with them crashing into people or things," Souza says. "We're reaching out to many different universities and public entities, drone companies, and drone detection companies to try to form a base on what drones for education programs looks like."</p><p>This spring, UCF finished renovating a media briefing room into its new global security operations center (GSOC). The security team actually rode out Hurricane Irma in 2017 in the center, before construction was finished. The school included the word "global" because security can keep track of students and faculty who participate in programs abroad. </p><p>The GSOC has a large video wall that projects news, weather, pertinent alarms, and allows for control of digital signage across campus. There is also a conference room for briefings. </p><p>"We have the ability to track pinpoints on a map, track itineraries…and [use] a mass notification system to reach out to those students in whatever country for whatever incident may arise, whether it's a student that's sick, a large natural disaster, or terrorist attack," Souza notes. </p><p>Although the 2013 active shooter incident did not result in disaster for UCF, Morgan iterates that it spurred them on to make positive changes at the university, all of which ultimately strengthen its security posture. "We said, 'Okay, let's do what we need to do and be proactive–and let's try not to be reactive," Morgan says. "Now we have experts that can help us put the right solutions in the right places." </p> | | |
| https://sm.asisonline.org/Pages/Taking-Off.aspx | Taking Off | GP0|#69b4a912-eafa-43d2-b6a4-8aed47f69245;L0|#069b4a912-eafa-43d2-b6a4-8aed47f69245|Security Technology;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>The year 2016 marked a surge in excitement surrounding how unmanned aerial vehicles (UAVs), or drones, could be used commercially. Amazon had just made its first product delivery by drone. Countries began passing drone regulation measures in response to the availability of UAVs and in anticipation of continued industry growth. Re- search institutes predicted spending on drones to double by 2020; the security industry was expected to be one of the top adopters of drone technology.</p><p>But, despite the hype, security practitioners have been hesitant to adopt the technology and fully integrate it into their security programs.</p><p>"Interest level is off the charts," says Lew Pincus, senior vice president of system solutions at Hoverfly. "There's a lot of new technology, but also that doubt when it's new—security directors tend to be averse to new technology and taking on new risks that are unknown."</p><p>A combination of the seemingly endless possibilities of drone technology, the overwhelming task of acquiring a drone, gaining buy-in, creating operating procedures, and following federal regulations may be giving the security industry pause.</p><p>There's also a lingering perception that UAVs are intimidating, futuristic technology that's meant to take the place of security officers and more traditional security technology. Pincus encourages security managers to consider drones not as an automated instrument meant to replace personnel, but as another tool in their security toolbox, much like cameras or video analytics.</p><p>"I really see it in all sorts of applications, but not replacing security guards as much as augmenting them," Pincus explains. "You still need a response component."</p><p>And, just like any other piece of equipment in the workplace, training is imperative for a successful—and efficient—rollout of a new program, says Josh Olds, cofounder and vice president of operations at the Unmanned Safety Institute. This is especially true for drones flown in the United States, where the U.S.</p><p>Federal Aviation Administration (FAA) has a longstanding set of regulations dictating how aircraft are flown.</p><p>"In this particular industry, it's not just a piece of equipment, it's being flown in the national airspace, which is regulated by the FAA and presents a whole new complexity to the operation," Olds says. "If for some reason an individual isn't properly trained and improperly uses the technology, you can be looking at serious injury, or privacy and ethics violations."</p><p>Olds has a background as a commercial pilot and uses that knowledge to train organizations on how to use drones and properly merge the technology into their operations. Like Pincus, he has seen some hesitation from the security industry to embrace drones.</p><p>"I think a lot of the hesitation comes from the reality that there is a new liability that is being taken on," Olds says. "There's a big facet of this industry that is worried about the risks that come with operating unmanned aircraft. When you're talking about the ability to fly an aircraft that weighs 55 pounds—that's a significant system. If that were to fall out of the sky, it poses a major hazard."</p><p>Despite such concerns, Olds and Pincus agree that the benefits outweigh the challenges of integrating drones into a security organization.</p><p>"The ability to see and get actionable intelligence in the air above where security is being done is very exciting and new to the industry," Pincus says. "And with respect to the active shooter threats at concerts and events—I think the Las Vegas shooting put the spotlight on how vulnerable outdoor events and spectator sports are. Having an eye in the sky has become important for public safety."</p><p>Olds says that the key to successfully integrating a drone into an existing safety ecosystem is establishing a strong foundation.</p><p>"If you build the right foundation from the start, a program becomes easily scalable," Olds says. "In the security sector, there are a lot of different aircraft that meet different needs. It's important to understand the business use case, what you're going to use the equipment for, and being able to scale from that." </p><p>Pincus agrees, noting that planning for how to integrate a drone into a security program should begin before the vehicle is purchased.</p><p>"Setting up a program requires putting all the pieces together of purchasing the right kind of drone—do you need a free-flying drone or a tethered one?" Pincus says. "What is the overall goal, what are you trying to do with a drone? You need to do a review of your site security plan and figure out where UAVs fit into that plan by assessing the threatscape."</p><p>Pincus recommends using case management reports, crime statistics, and other data to determine what kind of drone is needed, whether it's a free-flying drone that can be used periodically along a perimeter to check for anomalies, or a static, persistent aerial view for long stretches of time. Whether or not the drone can be integrated into the existing security operations center should also be considered, he says.</p><p> Another aspect of building a strong program foundation involves in-depth training, which covers far more than just how to operate the equipment, Olds notes.</p><p>"We look at training from an aviation perspective—it's like ground school, you get them educated on airspace, weather, and different facets that affect the operations of the aircraft," Olds explains. "But then you have to train them on the ability to use their crew, the ability to make decisions while in flight—what are the emergency procedures? Education is key to implementation—and that's not even talking about the physical, hands- on training."</p><p>Once a security program has purchased the drone that best fits their needs and has undergone training, the next hurdle is becoming FAA compliant. The agency enacted regulations for drones that include obtaining certificates of authorization to operate the drone. An organization may need to obtain waivers from the FAA, including allowances to fly at night, beyond line of sight, or near airports.</p><p>Olds acknowledges that being FAA compliant may feel restricting to security managers who want to use them in those situations that require waivers.</p><p>"The true business use of this application of technology is beyond line of sight or other situations that require waivers. and all the FAA is trying to do is make sure that if a company is implementing this technology in a more complex way—which brings on more risks and hazards—that they are doing it in as safe a way as possible," Olds says.</p><p>Olds urges security directors to consider FAA's larger role in maintaining the national airspace, and the challenges that come with creating regulations for a rapidly growing industry with a wide array of applications and technology.</p><p>"What the FAA has done is take a stairstep approach to regulations in the industry," Olds explains. "The waiver process that is in place to ensure that when an organization says they're going to fly at night, or beyond line of sight, FAA is able to say, 'How are we going to ensure the safety of manned traffic that is already existing in that airspace?'"</p><p>Pincus says he believes federal UAV regulations will continue to evolve as more industries adopt the technology. Tools such as video analytics, facial recognition, and data collection that are currently used in integrated surveillance systems could be placed onboard the drone, allowing it to analyze situations—and sound the alarm—in real time.</p><p>"There's some of that type of soft- ware available, but it will become more important to tie it in to video management systems and security operations or alarm centers," Pincus explains. "That's where I see the industry going." </p> | | |
| https://sm.asisonline.org/Pages/Scanning-the-Schoolyard.aspx | Scanning the Schoolyard | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Relationships between students and campus law enforcement have been key to establishing an environment of safety and security at Delaware Valley School District, which encompasses 200 square miles in northeastern Pennsylvania.</p><p>"Kids have come to the police officers…and told them about potential threats that we've been able to curtail before they've happened," says Christopher Lordi, director of administrative services for the district.</p><p>About eight years ago, the rural district decided to employ its own sworn police force and hired five officers, including a chief of police. It has since added a sixth.</p><p>"Having a police force not only gives us a presence of an armed person to counteract any issues that we may have, but it also allows us to create relationships with students," Lordi says. </p><p>The officers are a presence on the three campuses that make up the district. They may be found teaching and conducting Internet safety classes and anti-drug programs. </p><p>"Not only are they our first line of defense, but they're also relationship builders, and they create positive environments where kids will feel comfortable to come and tell them things," Lordi says.<img src="/ASIS%20SM%20Callout%20Images/0618%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:246px;" /> </p><p>Still, the officers and faculty can't be everywhere at once when incidents do occur, which is why the district installed a camera and video management system (VMS) about 10 years ago. </p><p>"It doesn't matter how many administrators you have, how many teachers you have, how many officers you have," Lordi notes. "They can't be everywhere at once, so the cameras allow us to be in those places when somebody can't." </p><p>As the original cameras and VMS were becoming outdated, Delaware Valley's board was supportive of purchasing a new system. The district worked with integrator Guyette Communications of Plymouth, Pennsylvania, and chose the Vicon Valerus VMS system, as well as approximately 400 cameras, also from Vicon. Installation began in March 2017 and ended just before the new school year began in August. </p><p>The cameras, the majority of which are the 3 megapixel IQeye Alliance dome model, were installed inside and outside of the district's eight buildings. The Vicon Cruiser domes with 30x optical zoom were purchased for the parking lots to better read license plate numbers. Campus police have access to a license plate database, so no license plate recognition software is needed, but Vicon does integrate with such software should customers need that feature. </p><p>In addition to feeding into a central video server at a district-wide monitoring station, each building has its own local recording capability and stores video for a set number of days. </p><p>Delaware Valley is expanding a career and technical education wing, which includes 25,000 square feet of classrooms and workspace. The school plans to install more cameras there. </p><p>The district police force is responsible for managing the VMS, and each officer has a hardwired PC monitoring station to view video feeds. Campus police also have access to footage via iPhones purchased by the district and use them to see what's going on at their campuses. </p><p>"When we need to view something quickly our officers can go right on their iPhones and view it right from there, which is handy if you don't have the ability to get back to your computer," Lordi says. </p><p>Giving all officers access to the entire district's camera feeds was also crucial. "We did that for backup purposes," he says. "If anything were to happen on one of the campuses, all of the officers—after they secure their buildings—can go on and be the eyes and ears for our officers on those other campuses."</p><p>Soon after the cameras were installed, the new system led to the capture of a thief. In the spring of 2017, when a laptop went missing, the video was reviewed in the general time frame that the incident occurred. It revealed an employee going into an administrative office with a garbage bag, then coming back out. </p><p>"We could zoom in, and you could see that the bag was significantly larger when the employee came out," Lordi notes, adding that the old camera system would not have been clear enough to identify the culprit. The footage was turned over to local police, who apprehended the employee. That person has since resigned. </p><p>The detail captured by the cameras also helped solve an incident in the parking lot. Lordi notes that the main campus is in a high-traffic area, which can attract unwanted activity. </p><p>"We were able to pull the license plate from one person that had an incident on campus...and track the person down," Lordi explains. "It just provides another layer of security, so we know who's on the campus and what time they leave the campus."</p><p>While the district currently hands footage over to law enforcement after the fact, it's working on a memorandum of understanding with local police and hopes to establish a network that allows police to view video from the campuses live. "We're currently working on a strategy to get them involved beforehand," Lordi says. </p><p>With the combination of its police force and the camera system, Delaware Valley has seen a significant reduction in incidents on campus. </p><p>"When our officers first started we had something like 200 to 250 incidents that our administrators were dealing with; I think last year we had 36," he says. </p><p>The Valerus VMS and cameras give campus police and administrators peace of mind about their ability to solve incidents, and ultimately keep students safe. </p><p>"It allows us to feel secure knowing that it's going to be on camera if someone doesn't view or witness it live," Lordi says. "We can always view it on the cameras later." </p><p><em>For more information: Dee Wellisch, dwellisch@vicon-security.com, www.vicon-security.com, 631.952.2288.</em></p> | | |
| https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx | Attacks on the Record | GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>It was, in the opinion of some experts, a long overdue action. But it finally came. On March 15, 2018, the U.S. federal government issued sanctions against Russia for its interference in the 2016 U.S. elections and malicious cyberattacks on critical infrastructure.</p><p>"The administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyberattacks, and intrusions targeting critical infrastructure," said U.S. Treasury Secretary Steven T. Mnuchin in a statement. "These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia."</p><p>The sanctions targeted five entities and 19 individuals for their roles in these activities and prohibit U.S. persons from engaging in transactions with them. Mnuchin also said that the department intends to impose additional Countering America's Adversaries Through Sanctions Act (CAATSA) sanctions to hold Russian government officials and oligarchs accountable.</p><p>The economic penalties are an attempt to punish Russians for their role in various forms of cyberactivity, including the NotPetya attack, which the White House and the British government have attributed to the Russian military.</p><p>NotPetya "was the most destructive and costly cyberattack in history," Mnuchin said. "The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. Additionally, several hospitals in the United States were unable to create electronic records for more than a week."</p><p>The sanctions were also in response to the efforts of Russian government cyber actors in targeting U.S. government entities and critical infrastructure—including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors—since at least March 2016. </p><p>Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, says that the United States should be "very concerned" about these attacks.</p><p>"For one, they could cause prolonged electrical outages and blackouts because our electrical grid infrastructure lacks sufficient redundancy to sustain these attacks," Bilogorskiy explains. "In the worst-case scenario, cyberattacks on nuclear power plants could cause them to explode and cost human lives."</p><p>One example of a near-worst-case scenario was the recent incident targeting Schneider's Triconex controllers at Saudi Arabia's power plants. A cyberattack hit its systems, Bilogorskiy says. It was intended to cause an explosion, but an error in the attack's computer code caused it to fail.</p><p>To educate network defenders on how they can reduce the risk of similar malicious activity in their networks, the U.S. Department of Homeland Security (DHS) and the FBI released a joint technical alert detailing Russia's campaigns to target critical infrastructure. </p><p>"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the alert said. "After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS)."</p><p>The alert split Russia's activity into two categories for victims: intended targets and staged targets. Russia targeted peripheral organizations, such as trusted third-party suppliers with less-secure networks, that the alert calls staging targets.</p><p>"The threat actors used the staging targets' networks as pivot points and malware repositories when targeting their final intended victims," the alert explained. DHS and the FBI "judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the 'intended target.'"</p><p>Compromising these networks involved conducting reconnaissance, beginning with publicly available information on the intended targets that could be used to conduct spear phishing campaigns.</p><p>"In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information," the alert said. "As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background."</p><p>After obtaining information through reconnaissance, the threat actors weaponized that information to launch spear phishing campaigns against their targets that referred to control systems or process control systems. These campaigns tended to use a contract agreement theme that included the subject "AGREEMENT & Confidential," as well as PDFs labeled "document.pdf."</p><p>"The PDF was not malicious and did not contain any active code," the alert said. "The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password."</p><p>The phishing emails also often referenced industrial control equipment and protocols and used malicious Microsoft Word attachments—like résumés and curricula vitae for industrial control systems personnel—to entice recipients to open them.</p><p>Additionally, the hackers used watering holes to compromise the infrastructure of trusted organizations to reach their intended targets.</p><p>"Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure," the alert said. "Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content."</p><p>The threat actors were then able to collect users' credentials that would allow them to log in to their profiles elsewhere. They also used this access to compromise victims' networks where they were not using multifactor authentication.</p><p>"To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets," according to the alert.</p><p>Once the attackers had gained access to their intended targets, they used that access to infiltrate workstations and servers on corporate networks that contained data on control systems within energy generation facilities. The attackers also copied profile and configuration information for accessing ICS systems. </p><p>This method of compromise is not new and has been demonstrated in cyberattacks on the corporate sector over the past few years, says Tom Patterson, chief trust officer at Unisys.</p><p>"Just as with the Target cyber breach several years ago, they first attacked supply chain partners, which are often less protected, and then used their access to compromise the actual target company," Patterson explains.</p><p>The level of access the attackers were able to gain is concerning, Patterson adds, because it could potentially give them the ability to disrupt functions of critical infrastructure, such as providing heat in the winter. </p><p>"Since many of these ICS devices are connected to corporate networks in today's enterprise, and oftentimes they are older devices built on insecure operating systems, this gives the threat actors and their political or economic masters the ability to disrupt or destroy systems at the push of a button," Patterson says.</p><p>Brian Harrell, CPP, former operations director of the Electricity Information Sharing and Analysis Center and director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC), agrees with Patterson that these kinds of attacks are not new.</p><p>What is new, says Harrell—now president and CSO of the Cutlass Security Group—is that the United States is choosing to acknowledge and attribute the activity, publicly, to Russia. </p><p>"While attribution is often difficult, nation-state actors like Russia likely have the most interest in compromising industrial control networks, not to necessarily take anything, but to prove they can access our systems and cause us to feel unsettled," he explains. </p><p>While the U.S. government has taken the approach to name and shame, Harrell says he thinks its unlikely that the public actions will deter Russia's behavior.</p><p>"Unfortunately, the current DHS alert, legal indictments, sanctions, or public shaming will not have any effect on Russian cyber intrusions," he adds. "However, we must continue to increase pressure until they change their behavior and become a responsible member of the international community."</p><p>In the meantime, the FBI and DHS recommend that network administrators review their IP addresses, domain names, file hashes, and other signatures that were provided in their alert. The agencies also recommended adding certain IP addresses cited in the alert to their watch lists.</p><p>"Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity," according to the alert. </p><p>The two agencies also compiled a list of 28 actions for network administrators to take in response to Russia's activity, including monitoring virtual private networks for abnormal activity, deploying Web and email filters, and segmenting critical networks and control systems from business systems and networks.</p><p>"What DHS is recommending, at the end of the day, are properly built ICS networks, monitored so organizations can detect attacks and are plugged into external threat intelligence, with incident response plans and board-level strategic roadmaps," Patterson says.</p> | | |