Bell Canada's security is up to the challenge
Jul 1, 2000 12:00 PM, ACCESS CONTROL & SECURITY SYSTEMS INTEGRATION STAFF
It is a challenge the likes of which not too many security professionals have had to face. When the Canadian Radio and Television Commission (CRTC) deregulated the Canadian telecommunications industry in 1997, it didn't just open competition in the area of communications. Bell, Canada's largest communications provider, had to allow its competitors to connect to the Bell network. Deregulation also meant that space had to be allotted for competitors, their people and equipment, to co-locate inside Bell facilities.
"Overnight we went from a monopoly that worked vigorously to protect our networks and facilities to sharing with our competitors. The challenge we faced was in learning how to work with our competitors while continuing to prosper with these companies inside our walls," says Ron Thurston, Bell's section manager for physical security and access control.
However, it didn't take long for the company to realize that deregulation was one of the best things that could have happened to the telecommunications industry in Canada. In the past, Bell was primarily known as the local phone company for Quebec and Ontario with limited opportunities for growth. Deregulation opened up the world.
Rethinking the business
Deregulation forced Bell to examine how it did business in every part of the company, to an even greater extent in the area of security, which now plays a leading role in redefining the company. Bell has more than 40,000 employees and 1,500 facilities. Prior to deregulation, physical access and security were local responsibilities rather than a central one and there were no real audit trails.
"We had about 900 installed access control readers on a variety of local systems and many facilities were manned by security technicians," recalls Thurston. "We knew we had to replace these local systems as they were non-Y2K compliant - reason enough to rethink and replace much of our security infrastructure. Because of other social- and business-related areas, we sought to refine our thinking well beyond a simple 'box swap'."
The development of digital and optical technologies also provided additional incentive for Bell to change. Such innovations greatly improved Bell's capabilities to deliver services with more reliability and at less cost.
"Although the new technological developments clearly enhanced our business, they also imposed new concerns for security," says Thurston. "First, they take up far less space which increased our vulnerability per square foot. Secondly, the freed-up space became attractive to paying tenants. Since the regulators mandated that some of these tenants be our competitors, we had to redefine our role from one of just focusing on controlled access to facilities to also include controlling access within facilities.
"Clearly, we had to continue to protect our employees and assets within each facility, but now we also had to assume responsibility for protecting our tenants as well. And we had to do so in a cost-effective, non-intrusive manner."
Bell management decided that security's core mission was to provide secure physical access and a safe workplace to both its internal and external clients.
"We wanted to know who was in any building and secured area at any given time and to have an audit trail," says Thurston. "It was important to retain and expand the responsibility of the local Bell managers and the co-locator manager especially when it came to determining who was allowed access to their building and areas. Equally important was managing access and ensuring that any individual manager would not be able to grant access to another manager's secure area. We had to define the core mission and ensure it was implemented."
The core businesses that Bell maintains require that there be many facilities and buildings. The company is responsible for determining how many facilities are required, deciding where they are to be located and selecting what ongoing capabilities these facilities must provide.
The actual construction and base operations of these facilities, while critical processes, are not part of the company's core business. To ensure that all requirements are met, these non-core critical processes are carried out by others but managed by the company.
The same is true for security. "We not only had to select a system that met our requirements, but more importantly we needed to put in place an infrastructure to get it installed and operational in a very short time frame," says Thurston. "We had to find people with the expertise in many areas and manage the process. These were not core skills, and so we decided to form alliances with people to perform these critical processes to our standards and expectations."
The challenge
By the end of 2001, Bell expects to have more than 5,000 access points installed and operational with more than 40,000 badge holders. It will be one of the largest access control operations in the world, and one of the most complex: Roughly 20 percent of these access points will be for co-locators that are not Bell employees.
Even more daunting was the replacement of 900 non-Y2K compliant readers before the end of 1999. Some 1,700 new access points were installed in locations occupied by Bell employees and co-locators.
"The worst thing we could have done was to rush into the technical implementation stage," says Thurston. "Instead, we spent the rest of 1997 after deregulation and most of 1998 determining what we wanted to accomplish in terms of physical access and how we wanted to accomplish it."
Putting the team together
Nexacor Realty Management Inc. is the largest integrated facility service management company in Canada, currently managing space totaling 85 million square feet. Nexacor manages 25 million square feet of real estate for Bell in Canada.
Nexacor was given a mandate for the Bell security project: to coordinate all engineering drawings, cost estimations, contractor activity, site management and commissioning. Thurston and his team would manage the process.
"Nexacor provides Bell access monitoring and servicing 24 hours a day, seven days a week, through our International Standards Organization registered call center and a facilities monitoring center," says Antoine Boiridy, Nexacor project manager.
Frisco Bay Industries Ltd. was selected by the security team to perform physical installation, training, commissioning and maintenance of the Casi-Rusco access control system.
"Frisco Bay was selected because we did not want to deal with multiple integrators," says Thurston. "We wanted a single source of responsibility in finding the necessary expertise and in managing the equipment and installation process."
In 1998, all agreements were signed and the installation of the system's "headend" was completed. However, the physical installation of the 1,700 access points could not begin until April of 1999, a mere eight months before it had to be fully operational because of Y2K. There was no margin for error and no time to work out the bugs before year-end.
A key success factor was to simplify the project, says Ron Waxman, vice chairman of Frisco Bay. "We worked very closely with Ron, Antoine and their staffs to reduce the countless potential door configurations for the 1,700 access points to just 16 basic templates." The installation used Rutherford door hardware.
The strategy also simplified the project for Bell and Nexacor. The requirements for every point (including mounting heights, for example) were identified and included in the drawings. Simplifications also helped when it came to directing staff and subcontractors to perform the work as the customer directed, among other advantages.
"Because we knew exactly what components were needed for each access point, we could preorder the components for assembly and testing before sending them to the job sites," says Waxman. "For example, at our office we pre-mounted, on backplates, all control panels configured for a particular closet, along with all other circuits and wiring. So when we shipped to the site the technician only had to drill four holes to mount everything and then connect the wires from the access points to the pre-wired board. This enabled quick, foolproof installations with minimal customer inconvenience."
Dominique Mimeault, vice president of operations at Frisco Bay, was assigned to be the permanent interface and single point of responsibility to Thurston and Boiridy in implementing what Waxman calls "one of the most complex and fast-tracked access control projects in the history of North America."
"Dominique assembled a team which included dedicated professional project managers in Quebec and Ontario. At one point in 1999, the team consisted of more than 100 Frisco Bay and subcontractor personnel. Again, the preplanning and simplification paid huge dividends. We only had to train technicians to install the 16 basic templates, not only reducing training time but improving [training]."
With the team and plan in place, actual installation began in earnest. The security team designed a new Casi-Rusco access card with a proprietary hologram to make counterfeiting nearly impossible and completed picture-taking and badge-issuance to more than 40,000 Bell employees, contractors and co-locator personnel in six weeks.
All 1,700 access points were installed by Frisco Bay and were brought on-line to be monitored by Nexacor in less than eight months.
Other suppliers to the Bell Canada installation include: Altronix, power supplies; Medeco, key switches; Sentrol, contacts; Simplex, blue pull stations.
"The operation has a number of checks, balances and redundancies built into the process to ensure that everything continues to run smoothly," says Thurston. "For example, Nexacor cannot give permission for someone to enter a secure area (they can only monitor), only area managers can give permission. The system's computers are hot redundant and are in different physical locations. In the unlikely event an alarm is not responded to by our center in a specified time, it is automatically 'bumped' to Bell's access control center for response and resolution. And we have a full audit trail for everything that happens."
"While we may not be one of the five or ten largest companies in the world, we will have one of the five or ten largest physical access control operations," he continues. "We take physical security and safety very seriously. Beyond that, we believe we will have established the infrastructure and process to bring our services to our growing base of subsidiaries in a very cost-effective manner."
In the early days of the personal computer industry, there were many competing operating systems vying for the right to be considered the "de facto" standard for the industry. Now, although there are still other choices, the name Windows has become synonymous with the PC, and few people other than high-end users are even aware there are other "choices."
The security systems industry is in a position akin to the early days of personal computing. There are many choices, but is there a standard? Here are the players:
Microsoft Windows. The "800-pound gorilla" of computer operating systems. Estimates indicate that nearly 50 percent of network servers are running on NT. Windows 95 and 98 run almost 90 percent of the world's PCs. Windows CE is becoming a popular choice for handheld devices.
Unix. A popular system for running large network operations and the primary competitor for Windows NT. It allows different types of systems to share and use data. Because Unix is written in C rather than assembly language, it's relatively easy for a computer vendor to get Unix up and running on their systems.
Linux. Pronounced LIH-nucks, it's seen by many as the most popular alternative to Windows NT for use by network servers. Created by Linus Torvalds, it is considered a descendant of the UNIX operating system. Linux's source code is open and available on the Internet or from vendors.
Towering 17 stories above downtown Dallas, the Federal Reserve Bank is a massive pillar of Indiana limestone gleaming under the hot Texas sun. Inside, the Dallas Fed occupies more than a million square feet dedicated to the financial operations for Texas, northern Louisiana, and southern New Mexico. Streaming through this temple of the American economy is daily traffic of nearly 16,000 employees and visitors.
Beneath their feet is the country's second largest currency vault. Forming a basement nearly five stories tall, it holds a mass of money that - if stacked in a single pile - would reach 17 miles high. Guarding the vault is an automated security system featuring video, a seismic monitor, and heat and motion detectors.
Charged with protecting both money and people is the Fed's senior officer for facility operations, Kermit Harmon. A former design engineer, he is in the midst of an upgrade of the facility's computer and security systems and has some definite ideas about "open architecture" in security systems.
"I was planning to put in the most futuristic system available - complete with open architecture," remarked Harmon. "I say open architecture or open protocol with a system standard architecture that's well documented and non-proprietary. Then I could use off-the-shelf hardware and have options for software from more than one vendor. That's really where I'm headed right now."
The Dallas Fed's path to open architecture wasn't an easy one, however.
"Many times proprietary technology has been abused," he said recently. "Many companies rely on the stranglehold they have on their customers who are locked into proprietary security systems rather than allowing competition."
Harmon doesn't like proprietary access control systems, and as the top security officer for the Dallas Fed, he did something about it.
"We've done two things here at the bank," he said. "First, we built a stronger first-line of support in-house by broadening the knowledge base of our own people. We know the security system from hardware to software. All normal repairs and changes in software features, including reconfiguration, can be done in-house."
Harmon and his staff acted as their own contractors in the recent upgrade, which included making the system Y2K compliant. "We did our own work, farming out sections of it that required specialized expertise. Our outside sub-contractors worked alongside our in-house staff."
"We must have the very highest level of security in and around our facility, yet be as friendly to the public as possible," Harmon said. "We have to perform a balancing act."
"The Dallas Fed must maintain a state-of-the-art operation which allows us to know about any potential threats," he said. "It's layered like any high security facility. The further you go, the checks performed for access control increase. You begin layering not only the picture, but also the card and you add other biometric characteristics integrated with it to gain access."
Harmon says at this point the Fed has an open system with only a few remaining proprietary field panels, which will be replaced. The rest of his access control system is open architecture. The fact that the Fed's staff did so much of the work itself says a lot about the movement to open architecture.
In a wired, technologically-dependent world, destructive computer viruses could become the ultimate threat.
Hurtling through the ethereal world of cyberspace via unprotected e-mail packets are viruses with names such as I LOVE YOU or its more malevolent successor, NEWLOVE. These viruses, sometimes known as worms, have brought down computer networks from Asia to America, and caused damage estimated into the billions. While news stories have focused on the damage viruses have wrought on Microsoft Windows NT-driven networks, little has been said of the threat to security systems. Given the drive to achieve open architecture defined by some as Windows NT, the devices that control access are increasingly being run on the same, or parallel networks, that are vulnerable to attack.
How vulnerable are security systems? While virus attacks on corporate networks have received wide coverage, an eerie silence hangs over the question of access control.
"I think security directors are out of touch," opines one company security director who asked not to be identified. "They're not worried about it and they think it's just for the rest of the company, but that's not true. It has potential for affecting all of us, but there seems to be an attitude among the directors that it's an IT problem. I don't think that's correct."
Increasingly, technology-savvy security directors are worrying about the potential threat of computer viruses to their systems, even if they haven't had to contend with one yet.
"We haven't had any viruses that have hit any of our security systems," says George Temidis, security director for IBM. "We're concerned that they seem to be getting more and more sophisticated and they could become a problem in the future. We get updates on anti-virus software very, very often. That seems to be doing a great job of keeping us protected."
In addition to anti-virus software, security directors are building other walls to protect their systems.
"The number one thing to do is to keep all areas under constant surveillance and keep the LAN for the security system completely isolated from other computers," says Kermit Harmon, senior officer for facility operations at the Federal Reserve Bank of Dallas.
The Fed has established layered security and strict separation of the security system from the rest of the computer network and from the outside.
"We get requests from vendors who want to do a modem link to our bank, but we won't ever allow a link from the outside," he says.
Cloistering the network provides protection against the headline-grabbing threats.
"Most of the viruses lately seem to be focused on e-mail, and I think that's probably why we haven't been hit," says Temedis. "The security systems typically don't have an e-mail entry. They're attached to our network. To attack a security system, a virus would have to travel using a TCP/IP doorway rather than the e-mail doorway."
Still, others suggest that viruses represent a substantial threat to systems run on NT networks.
"Just as the virus comes through and buckles the knees of the computer industry, it's going to do the same thing to the security systems with NT products only," says Mark Castillo, IT director with the Orange County Sanitation District. "Other products which use more proprietary software such as (Casi Rusco's) Picture Perfect and Unix-based systems, won't be affected. They don't have a pipe to come through. They don't get any information from the networks because they're on a proprietary network. They're on their own."
While outsiders like the Philippine high school student who created the I LOVE YOU virus may not represent a potent security threat, many see a greater danger in the guy working in the next cubicle.
"We have to be vigilant of floppy disks brought in by employees into our network from the outside world," says Castillo. "An employee or a consultant comes in with his own laptop and software, starts up on our network, and all of a sudden he has a virus and it's off into our network."
On-site education of employees can be a key strategy in making sure an outside virus is not inadvertently introduced into the network. Employees should know that they must be careful about bringing software or programs from outside and loading them onto their work stations. Nothing should be introduced without first being carefully scanned by the IT department.
In addition to protecting against innocent mistakes, the security department must also guard against the employee who deliberately seeks to harm his employer.
"Just as an employee might come in and shoot a few of his fellow co-workers out of revenge, he might bring down the network," says Castillo. "It has happened on a few occasions throughout the industry as we get more sophisticated and technology-based. You won't hear about it very much because companies are too embarrassed to say anything. You hear it through the grapevine."
To protect against employee sabotage, Harmon says, it is critical to watch for the signs of a disgruntled employee. For example, when someone is terminated, the security department should immediately reclaim the employee's access badge and escort him to the door.
"It's a mistake to allow someone to wander around the building after he has been terminated and perhaps give him the opportunity to damage some part of the system," says Harmon.
The bottom line for today's security directors: Make sure there are no loose ends on the company's network, says Castillo.
"If you're putting in a network-based, NT based system, which will run with other office networks on one LAN, then make sure that your security system can close itself off from the rest of the network," he advises. "You have to be very careful how you set it all up."
Clearly, today's security chief has to be as concerned with the security of his computer system as with physical security issues.
© 2008 Penton Media Inc.







