Premises Liability

Archive for Premises Liability

The Importance of Security Consultants in Designing Effective Security Systems

Posted by Zack Hamm on July 17, 2023

In an ever-evolving world with increasing security concerns, it has become imperative for businesses and organizations to prioritize the implementation of robust security systems. However, choosing the right approach and ensuring an effective security setup is not always straightforward. A renewed trend that was prevalent a couple of decades ago was for integrators to offer “consulting and design services’. Often, businesses rely on security integrators to design and install their security systems, and for certain size projects that makes sense. Why hire an outside consultant to design a small retrofit project? While security integrators play a crucial role, there are significant benefits to involving a security consultant in the design process. In this article, we will explore the virtues of using a security consultant and highlight examples of where security installers have fallen short or encountered conflicts of interest.

Unbiased Expertise: A security consultant brings a unique perspective and unbiased expertise to the table. Unlike security integrators who are often affiliated with specific brands or manufacturers, security consultants have a broader understanding of the security landscape and can offer impartial advice. Their experience in assessing risks and designing comprehensive security strategies ensures that the resulting system is tailored to the specific needs of the organization. We don’t sell or install anything, and thus have no particular preference for what products the client may choose to consider for their project. That doesn’t mean we won’t make recommendations about their requested choices (see our past articles about our strong feelings on putting corporate security data in the cloud or using NDAA banned products). The short version: if your consultant receives remuneration from a manufacturer or vendor for the products they specify, find another consultant.
Conflict of Interest: One of the key concerns when relying solely on security integrators is the potential for conflicts of interest. Integrators may be motivated to prioritize their own profit margins or partner relationships over the best interests of the client. This can lead to compromised system designs, subpar equipment selection, or inadequate coverage. You may be sold a particular brand or product line because there is a sales goal incentive being pushed by management or the manufacturer. Worse, it is not uncommon for integrators to unload poor selling product or superseded parts in order to clean up their inventory. This is fine if the client is aware and accepts the product (presumably for a discount), but sometimes it is done without their knowledge. By involving a security consultant, businesses can mitigate these conflicts and ensure that their security system is designed with their unique requirements in mind.
Prevent Poor Project Management: Integrators will often bake in “project management” and “system check out” line item fees in their proposals, claiming to offer project management and punch list services for their own installation phase. This is very much like having the fox watch the hen-house. In one recent case, we saw a project where a vendor substituted the installed camera

Poor project management and no punch list results in poor installations.

models with inferior (cheaper) models AFTER they received the bid award and purchase order. The client didn’t catch it, but we did during project field inspections. Never let the integrator perform their own punch list and acceptance testing.
Post Installation Documentation: Trying to get as-built documentation is often another problem. While almost nobody likes doing as-built drawings, their value should never be underestimated. Ask anyone who has done a retrofit project without them. If the client does not hold back a percentage of payment until all punch list items are complete and all as-built documentation is submitted, then the likelihood of that work ever being done without further consideration can be very low. Too, often the integrator will simply take the original design drawings and update them slightly (or not at all) and turn them in as the as-built documentation. That is insufficient. Good as-built documents include the original equipment list (mfr/model, qty, serial #s, IP addresses, power, etc) and locations, riser diagrams, installation details, as well as the point-to-point wiring and configuration details for every piece of installed equipment. If the vendor uses a tool like System Surveyor or Fieldwire, ask for the full report to be printed to PDF and included in the as-built documentation. (You may also want to request they delete the data being stored on the cloud if your organization has data retention policies that concern this situation).
Comprehensive Risk Assessment: Security consultants conduct thorough risk assessments to identify potential vulnerabilities and areas of concern. This includes evaluating physical vulnerabilities, assessing technological risks, and analyzing procedural weaknesses. By considering these factors during the design phase, consultants can develop an integrated security system that addresses identified risks, ultimately providing greater protection against potential threats. This may include out-of-scope items that may not be viable under the current project funding, but can be provided to the client so the cost can be projected under future budgets or other projects which can resolve the issue.
Future-Proofing: Security systems should be adaptable and scalable to meet evolving security requirements. Integrators might focus solely on immediate needs, potentially overlooking future expansion or technological advancements that may be outside the scope of their work or capabilities. Security consultants, however, take a holistic approach by considering the long-term goals and growth plans of the organization. This ensures that the security system is flexible and can accommodate future upgrades or changes without significant disruptions or additional costs.

While security definitely integrators play a critical role in the installation of security systems, involving a security consultant during the design and project management phases offers numerous advantages. Their unbiased expertise, ability to identify vulnerabilities, and focus on long-term planning can significantly enhance the effectiveness of a security system. By avoiding conflicts of interest and addressing potential pitfalls, businesses can ensure a comprehensive and robust security solution tailored to their specific needs.

Remember, investing in the services of a security consultant is an investment in the long-term safety and security of your organization. Don’t leave the design of your security system to chance—seek the guidance of an expert to achieve the peace of mind you deserve.

Posted in: Access Control, CPTED, Premises Liability, Security Consulting, Security Technology, Vulnerability Analysis

Leave a Comment (0) →

Vatican’s Security Dilemma: Dahua Cameras and the Potential Risks

Posted by Zack Hamm on July 3, 2023

The Vatican City, the spiritual and administrative headquarters of the Roman Catholic Church, is an iconic destination visited by millions of tourists and worshipers each year. With its priceless artworks, historic buildings, and religious significance, protecting the Vatican’s security is of paramount importance. During a recent tour, we noted that the Vatican has implemented a security system featuring Dahua cameras, a leading Chinese manufacturer, for their VMS platform. However, the adoption of Dahua cameras has raised concerns regarding potential security risks. In this article, we explore the utilization of Dahua cameras in the Vatican and the associated challenges.

A Dahua PTZ camera installed on the exterior wall of the Vatican City.

Dahua Cameras: Advanced Surveillance Technology

Dahua Technology is a well-known Chinese company specializing in the production of surveillance equipment, including security cameras, recorders, and software. Their products are widely used around the world, known for their affordability. Dahua cameras incorporate cutting-edge technologies like facial recognition, high-resolution imaging, and intelligent analytics, enabling comprehensive monitoring and analysis of security footage.

The Vatican’s Decision to Deploy Dahua Cameras

Given the Vatican’s stature as a symbolic and historical landmark, ensuring security is a complex undertaking. In an effort to enhance their surveillance capabilities, the Vatican opted to implement Dahua cameras in various locations, including public areas, museums, and the St. Peter’s Square. The decision to deploy Dahua cameras was likely driven by their advanced features, wide product range, and competitive pricing (The only other dominant international CCTV brand evident around Rome was Avigilon).

Security Risks Associated with Dahua Cameras

The following are at least some of the obvious identified risks associated with the Vatican’s choice to deploy Dahua hardware:

Data Security Concerns: One of the major concerns with the use of Dahua cameras is the potential for data breaches and unauthorized access. There have been reports suggesting that Dahua cameras may have security vulnerabilities (perhaps government sponsored or otherwise) that could be exploited by malicious actors. Any vulnerabilities in the software or firmware of the camera system could potentially expose sensitive footage and compromise the safety of the Vatican and its visitors. There are many examples of previous breaches easily found on the internet to demonstrate the potential damage for this kind of exposure.
Surveillance Backdoors: There have been allegations that certain Chinese-made surveillance equipment, including Dahua cameras, may have built-in “backdoors.” These backdoors could potentially allow unauthorized access or remote control of the cameras, leading to a breach of privacy and security. Although Dahua has addressed some of these concerns by releasing firmware updates, the risk remains a significant consideration and there is some uncertainty in the industry if ALL of the backdoors have actually been removed.
Geopolitical Implications: The utilization of Chinese-made surveillance technology raises geopolitical concerns. The Vatican’s decision to rely on Dahua cameras might inadvertently involve the Vatican in geopolitical controversies, considering the Chinese government’s influence over its technology companies. This situation could have diplomatic implications and potentially impact the Vatican’s relationship with other countries. While the Vatican is a sovereign country and is not subject to the US NDAA as some entities may be in this country, there well may be implications and consequences in foreign relations with NATO or EU countries that do have these types of protective legislative measures in place.
Installation methods: During our tour of the Vatican interior we noted that the cameras were installed using surface mount brackets and then plugged into a CAT5 jack located near the

Interior Dahua camera plugged into data jack noted during tour of Vatican

camera location. In at least two cases, it would have been trivial for a (tall) person to simply unplug the camera from the jack or even cut the category cable to disable the camera.

Mitigating the Risks

So what should the Vatican do, if anything, to mitigate the risks of having Chinese government backed security equipment with history of known flaws in the firmware and architecture? Given the resources available to the Vatican, our recommendation would be to hire a professional consulting firm to do a risk assessment on the installed VMS platform and recommend a replacement with a brand manufactured by a reputable company with a good performance record and advanced features needed by a prestigious venue such as the Vatican. Short of that, other additional measures that should be considered are as follows:

Rigorous Cybersecurity Measures: The Vatican should implement robust cybersecurity protocols, including regular firmware updates, network segregation, and encryption. Conducting regular security audits and penetration testing can help identify and address vulnerabilities promptly. All security cameras should be on a separate physical network or VLAN that is not routable to the internet, with network intrusion detection systems IDS features implemented on the network switches and routers.
Diversification of Suppliers: The Vatican could explore diversifying its camera suppliers to reduce the risks associated with dependence on a single manufacturer. Adopting a multi-vendor approach would provide more options and potentially enhance security by selecting cameras from different sources. This can have implications itself in terms of spare parts inventory, and camera configuration and firmware management headaches by having multiple vendors with multiple models. Using a major brand manufacturer such as Axis, Hanwha, Avigilon, or Bosch would ensure there are enterprise class tools available to manage these aspects.
Enhanced Collaboration: Collaborating with cybersecurity experts, both internally and externally, would help the Vatican stay informed about potential threats and implement appropriate countermeasures. Engaging with experts in the field can ensure the continuous monitoring and evaluation of the security system.
Installation Standards: The Vatican should develop and apply security equipment and installation standards that should be implemented for all existing and new security devices. All devices should be vandal resistant where possible, and all cabling should be protected in conduit or other protected raceway to prevent vandalism or sabotage. Camera devices should have a minimum mounting height and standard for field of view and focal length based upon the objective and purpose. Advanced analytic methods should be implemented for object detection and classification, facial recognition, license plate recognition, and other intelligent video analytic technologies such as people counting, loitering, object removal, object identification, line crossing, etc.

Conclusion

The Vatican’s decision to adopt Dahua cameras reflects its commitment to improving security and safeguarding its treasures. However, it is important to acknowledge the potential security risks associated with using this technology. The Vatican should diligently address these risks by implementing robust cybersecurity measures, considering alternative suppliers, and maintaining an ongoing dialogue with cybersecurity experts. By doing so, the Vatican can strive to strike a balance between utilizing advanced surveillance technology and mitigating potential security vulnerabilities, ensuring the protection of its spiritual and historical significance for generations to come.

Tags: cybersecurity, Dahua, IP Cam, NDAA, Vatican

Posted in: CPTED, IP Video, New Equipment and Gadgets, Premises Liability, Security Technology, Vulnerability Analysis

Leave a Comment (0) →

Playing Around with the PinPoint Survey Application using Amazon Data

Posted by Zack Hamm on November 14, 2022

We put together a quick demo of the PinPoint Survey Application using some public data scraped from the web for all the US Amazon sites. The equipment names and photos are all generated, so don’t get too excited about thinking there are real Amazon security equipment details being posted on the web.

Some of the reporting features are turned off, but the overall objective was to show off the speed and utility of the site data and geospatial mapping capabilities for relating sites and equipment within those sites.

Using the application from a tablet, you can use the built-in GPS to map the device lat/lon data to the database, along with any photos, notes, and punch list information that might be relevant. This is particularly useful for large external sites like ports, refineries, mines/quarries, or power generation/transmission facilities.

GIF Movie of PinPoint Survey Application using demonstration data for Amazon sites

PinPoint Survey Application Short Demo

Posted in: Access Control, Application Development, CPTED, Premises Liability, PSIM, Security Consulting, Security Technology, Vulnerability Analysis

Leave a Comment (0) →

Video Surveillance System Best Practices – The Right Way to Use CCTV

Posted by Zack Hamm on August 20, 2017

One of the most common questions we are asked by clients when starting a new project is if they should use Closed Circuit Television (CCTV) cameras for video surveillance.

As we work the the programmatic stage of the project, we try to apply some industry best practices with the client on HOW the cameras will be used on the property. Here’s a quick rundown on some of the concepts we try to apply:

Identify the purpose of the system and the objective of the surveillance. This should be a detailed statement that originates in the project’s Basis of Design document. The objectives should be detailed and achievable. For example, “providing a view of the entire parking lot” is not a good performance objective, while “identifying the license plates of each vehicle entering or leaving the lot, along with a digital time-date identifier” is an effective performance objective.
Minimize the number of cameras in the system. While this obviously has an impact on the initial cost of installation, it also enables the owner to utilize the system more effectively with fewer personnel and technical resources. It helps to reduce the overall operating and maintenance costs as well. A side benefit is that it encourages the system designer to “task” the cameras.
“Task” each camera. Cameras must be placed so that each camera has a dedicated field of view. The field of view should be directly related to one of the performance objectives. Once a field of view has been defined, a camera and lens that meet the general performance requirements for the task can be specified. As with Item #1 above, the purpose of each camera should be identified in the design documents.
Avoid new or unproven technologies. Select equipment and a system topology that uses proven technologies. The shift in video cameras from analog cameras that use coaxial cable for NTSC composite video signals to IP cameras that use Cat 5e or Cat 6 data cable is an example of a technology that was slow to be adopted, but has proven itself to be a reliable improvement. On the other hand, owners who have adopted unusual technologies, such as 360º digital PTZ cameras that require special software to render a viewable image, sometimes find that they are locked into a platform that may not be supported long term. A helpful analogy is to consider cameras to be similar to telephones. A good design allows the cameras to be replaced or upgraded as required while continuing to use the same cabling and infrastructure.
Invest more heavily in the cabling and infrastructure than you might otherwise. The infrastructure that serves the cameras includes cabling, power cabling, power supplies, fiber-optic conductors, adapters, and hardware. The main components of the infrastructure should last at least 20 years or more. Cameras, however, will last significantly less than that period. Therefore, be sure to invest wisely in the basics, as they will outlast three camera generations or more.
Maintain the system properly after installation. Ongoing maintenance after the initial installation is a critical component of an effective surveillance system. One of the key issues in a wrongful death lawsuit brought against Sumitomo, Inc., for a murder that occurred at their Research Triangle Park, NC, site in the early 1990s was whether or not certain video cameras were operational at the time of the incident. While it is doubtful that a malfunctioning camera would have been a significant contributing factor, it was nonetheless an issue that was uncovered during the discovery phase. The camera had been out of order for at least six months and the defendant produced work orders for the repair. Unfortunately, some of the work orders had been delayed by a facilities manager who kept putting the repairs off until a later budget period. An owner cannot be expected to guarantee that all parts of a system will be operational at all times, but it is expected that repairs will be made in a timely manner and that the owner exercises due care.
Develop a written Appropriate Use and Retention policy for archived video. A surprising number of owners do not have any written policy regarding the appropriate use and retention of recorded video. A proper policy should be developed in conjunction with corporate counsel and should conform to the records retention policy of the organization. The policy should specify for what purposes the video images may be used and what type of authorization is necessary to access or copy them. It should identify them as to the appropriate level of confidentiality. It should specify what constitutes inappropriate use and what disciplinary action may be taken if personnel violate the policy. And, as with all such policies, it should be disseminated to the personnel who have access to the video to ensure they are aware of their responsibilities.
Archived video should not be retained beyond the specified retention period without proper authorization. Archived video is a company record and may be subject to discovery or subpoena. Once the retention period, which is usually 30 days for most applications, has expired, the video should be deleted. Corporate counsel can provide guidance on what would constitute a duty to retain specific video in connection with an incident or ongoing investigation, but video should never be retained beyond the limit specified. We are aware of at least two instances in the past in which an owner has been asked to go through ALL videocassettes in their possession because an employee stated to an attorney that they “sometimes” kept some of the video for other purposes. This is an expensive and time-consuming process and usually doesn’t produce anything of value.
Leverage technology where it makes sense. Using software technologies that are easily applied or even come included with the IP camera or Video Management System (VMS) can increase the overall effectiveness of your surveillance system and your security operation. While one-off, proprietary hardware technologies might be so unique they are not supported later, software technologies are usually less painful to resolve if they don’t work as desired. Software technologies like Axis Technologies’ “ZipStream” video compression or video analytics features such as face detection or autotracking are a more recent inclusions to camera and VMS software that can improve the effectiveness of video surveillance by making your operation more efficient and capturing and storing meaningful video clips instead of empty scenes that offer no value.
Be sure you can record audio. Many IP cameras come with audio microphones and recording capability built in. Before you deploy these types of cameras with audio enabled, check with Corporate counsel to make sure that you are not violating any state or local statues prohibiting the recording of audio on your premises. Some shy away completely from audio recording because of a broad interpretation of 18 U.S. Code § 2511, otherwise known as the Wiretap Act, which states that it is illegal to intentionally or purposefully intercept, disclose, or use the contents of any wire, oral, or electronic communication through the use of a “device”. While video is not specifically mentioned in the statute, and a camera is not specifically mentioned as a “device”, it certainly fits a broad interpretation. When in doubt, don’t record audio; but if permitted, audio recording can significantly enhance the evidentiary benefits of video surveillance.

There are many factors to consider when laying out a video surveillance system, but applying the above principles when considering the scope and size of your CCTV system will help avoid some of the of the more common problems and pitfalls that can arise from poor planning.

Posted in: Premises Liability, Security Technology

Leave a Comment (0) →

The Impact of Closed Circuit Television

Posted by Zack Hamm on December 29, 2016

Almost 30 years ago when I was first entering the security industry, closed circuit television (CCTV) cameras weren’t terribly different from the cameras that were being used to for movie and television production. They were smaller, typically had less resolution and no audio, but the basic principles were the same. Charged Coupled Device (CCD) cameras were fairly new, and if you wanted low light performance, you were resigned to use tube cameras. Yes, tubes. As in vacuum tubes. Tube cameras actually used a vacuum tube for the imager, and the tradeoff for low light sensitivity was a shorter life span, higher power requirements, and reduced reliability. Later, Complementary metal–oxide–semiconductor (CMOS) cameras came into play and helped overcome some of the limitations of both tube and CCD technologies.

Vidicon Imaging Tube for Old Style CCTV Camera

Since then, digital Internet Protocol (IP) cameras have come into play. These newer cameras offer increased light sensitivity, much higher resolution, and new enhancements like video analytics and flexible communications options.

While all of these advancements make for better security, the most important enhancements are the video analytics and IP communications. These two technology advances increase the likelihood of detecting activity and being able to monitor and record that activity from almost any location.

For most small and medium sized businesses or municipalities, the thought of a comprehensive video management system seems not only unnecessary, but impractical from a monitoring and timely intervention standpoint. “Video cameras don’t stop crimes, all they do is record it”, we often hear. This is not necessarily true. CCTV video serves three important roles in security:

Deterrence – Sometimes just the sight of a video camera will deter criminal activity from ever happening in the first place. Because being watched means being held accountable, this is a strong enticement for on premises security cameras. No, this doesn’t mean adding “dummy cameras” is a good idea. In fact, installing dummy cameras can make matters worse in premises liability cases for incidents occurring on your property.

Detection – Having all of the campus CCTV cameras monitored in a single location allows for an operator to spot potential negative events during or even prior to them actually happening. IP enabled cameras offer increased detection capability in two ways; first they allow for cameras to be placed anywhere within the corporate network infrastructure (or even further away via hybrid cabling or wireless networking), and second they permit remote monitoring from anywhere there is network or internet access, including smart phones and tablets. This allows for remote monitoring and recording at an off-site or contract monitoring facility, and also allows the ability to feed recorded or live events to first responders almost in real-time. It also means that cameras can be located just about anywhere in your corporate footprint, including on-board vehicles.

Assessment – Being able to discern what, where, and when something is happening on camera is critical to determining how to respond to a particular event, and also aids in evidentiary requirements for later prosecution. With the advent of video analytics, that can now be taken a step further with things like video motion detection, face detection, traffic movement, object removal, and facial recognition. These tools increase the reliability of the observer (or recording device) to actually capture useful video information for use in timely intervention or for evidence in prosecution. For example, with the right software, imagine a disgruntled employee situation where the former employee’s photo is setup to trigger an alert if the video system “recognizes” his face when he tried to re-enter the campus. The authorities can be notified and other emergency precautions can be taken much sooner than previously possible.

Each one of these roles is an important piece to the overall security strategy for a business or government entity, and when used with common sense security practices like Crime Prevention through Environmental Design (CPTED) and other industry best practices, CCTV video becomes a powerful tool to both deter, detect, and defend both persons and property in a timely and effective manner.

Posted in: CPTED, Premises Liability, Security Consulting, Security Technology

Leave a Comment (0) →