Protecting against chemical, biological and Y2K threats
May 1, 1999 12:00 PM, AMIT REIZES, DONALD CHUNG, and PATRICK WARD
Several locations of a Washington, D.C., federal agency are highly susceptible to chemical and biological attack and are unaware of Y2K-related threats to the integrity of their access control computer systems. Such was the outcome when a team of security professionals was asked to assess the susceptibility of the sites to attacks from chemical and biological agents, and to assess the Year 2000 readiness of the access control computer systems. The assessment of the federal sites focused on the introduction of chemical or biological agents via the heating, ventilation and air conditioning (HVAC) systems and the resistance of the access control computer system to Year 2000 (Y2K) malfunctions. Since the access control computer system is self-contained and has no external (e.g., Internet) connections, threats from the introduction of malicious viruses were not considered.
While private companies are less likely to suffer terrorist attacks, Scientech Security Services, Gaithersburg, Md., which performed the government assessment, says any building with public access could become a public target. The 1993 bombing of the World Trade Center in New York, the 1995 Sarin gas attack on the Tokyo subway system and the 1995 bombing of the federal building in Oklahoma City are examples of terrorists targeting public-access facilities. (For a guide to the threats considered in the study, see Tables 1A and 1B, page 32).
Chemical and biological vulnerabilities

Chemical and biological agents can be used effectively as weapons. They are called the "poor man's weapon of mass destruction," because, unlike nuclear weapons, they are relatively easy to produce, hide and deploy.

Plausible chemical and biological scenarios considered by the assessment team included the following:

- Immunized terrorists visit a facility that is open to the public. They are carrying anthrax powder in bags designed to make the individuals appear slightly overweight. They scatter the powder as they make their way through the public areas, emphasizing distribution in areas near ventilation registers. Anthrax spores quickly enter the heating, ventilation and air conditioning (HVAC) systems and are distributed throughout the facility, contaminating employees as well as the public. Casualties would be estimated at about 50 percent of the building's occupants.
- Extremists, disguised as facility site support contractors, bring drums of chemical agents labeled "cleaning agents" into maintenance areas of a facility. The extremists are dressed in coveralls and are equipped with commercial dust filters (or have already taken the antidote specific for the chemical agent being used). They release the chemical agents from the drums in the vicinity of HVAC air-handling systems, such that the systems help distribute and recirculate the vapors.
- A small vial of liquid, powdered chemical or biological agent is tossed into a facility's air-handling supply ducts, which may be located within easy reach of passersby. Or, chemical or biological agents are introduced into the external water supply to a facility at various locations.
Latent Y2K defects

The plausible Y2K scenario considered by the assessment team was that the facility considers that the access control computer system is completely Y2K compliant, and does nothing more to assure resistance to Y2K malfunctions. To date, those in charge of safeguarding mission-critical computer systems from Year 2000 malfunctions have focused primarily on older computer systems and components. This is because older systems include hardware containing computer chips with two-digit date algorithms. For example, when the date changes from 1999 to 2000, the two digits in the algorithm change from 99 to 00, which the computer reads as out of sequence, causing malfunction.

The newest systems consist of hardware components that have solved this problem. However, a potentially bigger problem exists because of problems with the operating system software and applications. What most people do not realize is that nearly all Windows operating systems have prerequisite patches or fixes. Of the four versions of Windows 95 available (A, B, C and Plus), three of the versions require the replacement of the WINFILE.EXE and COMMAND.COM files. In Windows 98, the comctl32.dll file needs to be replaced. In Windows NT 4.0, Service Pack and several Hot Fixes need to be installed or the operating system does not correctly recognize the year 2000 as a Leap Year. The same problem exists in the Microsoft office suites. For example, Office 95 needs two files replaced, and Office 97 requires a service patch. To make things even more complicated, it is certain that not all patches have been discovered. Periodically, as more Y2K problems are identified, new fixes will be added to the Microsoft prerequisite list.

Problems are magnified by the common perception that new computers have no Y2K problems.
Failure to install required updates and service patches usually will not prevent computers from booting or cause an immediate crash on Jan. 1, 2000. In many cases, a missing patch will impact only a specific function. For example, an unpatched Windows NT 4.0 frustrates a user's ability to access the system on Feb. 29, 2000. For some, this glitch is merely a nuisance and may go unnoticed. However, an access control security system using Windows NT 4.0 could malfunction. While the Y2K hardware malfunction affects mostly older PCs, the operating system and office suite application glitches will require service patches or upgrades for nearly every PC. This is a time-consuming process that will require identification and resolution, computer by computer. Service patches are available free at the Microsoft Web site, www.microsoft.com/technet/year2k/product/product.htm
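The two date failures described above, the two-digit year rollover and the year 2000 leap-year error, can be reproduced and checked against the troublesome dates in a few lines. This is an added illustration, not code from the article or from any access control product; the function names, the badge-expiry scenario, the pivot year of 70 and the particular faulty leap rule are assumptions chosen for the example.

```python
def expired_two_digit(today_yy, expiry_yy):
    """Legacy check: compares two-digit years directly."""
    return today_yy > expiry_yy

def expired_windowed(today_yy, expiry_yy, pivot=70):
    """Expand two-digit years around an assumed pivot before comparing."""
    def expand(yy):
        return 1900 + yy if yy >= pivot else 2000 + yy
    return expand(today_yy) > expand(expiry_yy)

def is_leap_faulty(year):
    """Incomplete rule (assumed for illustration): every century year is common."""
    return year % 4 == 0 and year % 100 != 0

def is_leap(year):
    """Full Gregorian rule: century years are leap only if divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def valid_date(year, month, day, leap_rule):
    """Date validation as a log-on or event-log routine might perform it."""
    days = [31, 29 if leap_rule(year) else 28, 31, 30, 31, 30,
            31, 31, 30, 31, 30, 31]
    return 1 <= month <= 12 and 1 <= day <= days[month - 1]

def assess():
    """Run constructed test cases; return (check, legacy result, corrected result)."""
    return [
        # Badge expired in 1998 (yy=98), presented in 2000 (yy=00):
        # the legacy check sees 0 > 98 as False and treats the badge as current.
        ("expired badge rejected in 2000",
         expired_two_digit(0, 98), expired_windowed(0, 98)),
        # Badge valid through 2001 (yy=01), presented in 1999 (yy=99):
        # the legacy check sees 99 > 1 and rejects a valid badge.
        ("valid badge accepted in 1999",
         not expired_two_digit(99, 1), not expired_windowed(99, 1)),
        # Feb. 29, 2000 must be accepted as a real date.
        ("Feb. 29, 2000 accepted",
         valid_date(2000, 2, 29, is_leap_faulty),
         valid_date(2000, 2, 29, is_leap)),
    ]

if __name__ == "__main__":
    for check, legacy_ok, corrected_ok in assess():
        print(f"{check}: legacy={'pass' if legacy_ok else 'FAIL'}, "
              f"corrected={'pass' if corrected_ok else 'FAIL'}")
```

Each row fails under the legacy logic and passes under the corrected logic, which is why date handling has to be exercised function by function rather than inferred from a successful boot.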
The security director's role

With the help of facility management and engineers, the security director can conduct a systematic chemical and biological threat assessment of the facility HVAC system and domestic water supply. These surveys can be fairly simple, consisting of inspection walk-throughs. The objective is to take note of equipment conditions and configurations, storage of materials and supplies, and typical operations that could be related to the introduction of chemical or biological agents into the HVAC or water supply systems. If the access control, intrusion detection or closed-circuit television systems are controlled by computers or LAN networks, the security director can conduct a systematic Y2K threat assessment of these systems before known troublesome dates are encountered. Table 2 identifies potential risk scenarios and includes recommendations for significant - yet relatively inexpensive - protection.

Recently, President Clinton proposed $2.8 billion to safeguard the nation's infrastructure against domestic, non-military threats, including attacks with chemical and biological agents.

We concur with the President's call to arms. We believe that increased vigilance and preparedness are essential to the nation's survival.
© 2012 Penton Media Inc.