A Growing Threat
Critical infrastructures look to ID cards for enhanced protection
n the United States, people encounter
a perpetual tradeoff between freedom
and security. The nation depends on a
complex system of critical infrastructures
to maintain a high quality of life and
the freedoms enjoyed every day. New
threats to security have these organizations
taking a second look at their vulnerabilities,
however, scrambling to minimize disruption
and to maintain the integrity of
their operations.
In the past, national security was perceived
as the role of government. Today,
Department of Homeland Security efforts
to protect critical infrastructures from
physical attack are a shared responsibility
of the public and private sectors, as well as
individual citizens.
Prime Targets
Critical infrastructures are generally prepared
for natural disasters, which are often
predictable days in advance. Terrorist
attacks, however, are new and immediate,
requiring a different mindset and different
levels of preparedness. With proper design,
management and operation, organizations
can reduce their risks, often without significant
investment.
The National Strategy for the Physical
Protection of Critical Infrastructures and
Key Assets report, published by the Bush
administration in 2003, identifies the
industry segments and key assets that
would disrupt the safety, security or economy
of the United States if compromised.
They include agriculture and food, water,
public health, emergency services, the
defense industrial base, telecommunications,
energy, transportation, banking and
finance, chemicals and hazardous materials,
postal and shipping, national monuments
and icons, nuclear power plants,
dams, government facilities and commercial
key assets.
These industry segments are being
encouraged by the government to adopt
security plans. Some already have a base
level of security, but others are just beginning.
DHS introduced the national infrastructure
protection plan in 2006 to provide
structure between public sector and private
industry initiatives, but because there are
no standards for most utilities, each must
determine for itself an effective security
program.
Broad Security Solutions
In the past, security meant a combination
of guards, guns and gates. Today, organizations
seek the broadest possible solution to
integrate all elements of an operation, from
access control to logical security. In many
cases, this starts with a simple ID card.
Access control is often the main reason
utilities and critical infrastructures introduce
ID card systems. The Wisconsin State
Laboratory of Hygiene, a public health and
environmental laboratory, performs bioterrorism
testing of materials such as anthrax.
Prior to Sept. 11, 2001, anyone could enter
the building, located in the middle of the
University of Wisconsin campus. Now,
anyone who needs access to the lab must
show an authorized ID card. Ensuring that
only legitimate cardholders have access to
protected areas enables all employees to
enjoy greater freedom.
Transportation is another area that plays
a vital role in the U.S. infrastructure, and it
was designed to be open and accessible.
However, an upset here can cause a ripple
effect felt nationwide, so after 9/11, it was
the first area to receive increased attention.
The FAA required every airport in the
United States to revalidate identification
cards for all employees, ensuring all of the
ID cards used at airports were active and up
to date. For Los Angeles International
Airport, which saw 67 million passengers
that year, this meant creating 44,300 new
badges, which were produced in-house by
two employees with Fargo Professional
series card printers.
Today, the focus has shifted to ports.
TWIC is being phased in at 12 high-risk
ports throughout the country, starting with
enrollment in October at the Port of
Wilmington, Del. TWIC cards are tamperresistant
biometric credentials for as many
as 750,000 employees who need unescorted
access to ports and vessels.
DHS set aside $400 million to help
fund port security initiatives, including
money for the ID cards. While a good
start, this ID card is basically a photo ID,
indicating that a person has passed a background
check. What’s missing is any integration
with systems at the port facilities
themselves, many of which are operated
independently. Most ports are vast and
sprawling with multiple access points.
Many have railroads running throughout,
adding yet another layer of vulnerability.
Many transportation companies operate
under tight budgets. For example, Metro
Transit, a unit of Minneapolis/St. Paul’s
Metropolitan Council, considered cost
effectiveness when it bought a printer to
produce its ID cards. Bringing inside the
production of its 20,000 yearly Metropass
cards for bus and light rail transit improved
the security of the cards and saved the
organization money.
Adding Logical Security
Preventing unwanted and unauthorized
entry to buildings and grounds is a primary
objective of critical infrastructure security
systems, but these organizations also need
to protect their internal networks. The
growth of the Internet and advances in wireless technology have increased the
power, and the vulnerability, of computer
networks and IT architectures, leaving data
and infrastructures at risk. Today, employees
and customers have the necessary tools
to damage computer systems or steal individual
identities around the clock and from
virtually any location. Traditional password
systems, which can be stolen, copied
or forgotten, are being replaced with
sophisticated authentication systems, many
of which start with an ID card.
While critical infrastructures have yet to
adopt ID cards widely for network security,
the trend is moving in this direction. ID
cards, especially those with smart card technology,
can provide single-use access or
administrative control, which is especially
appealing to critical infrastructures with
expansive facilities or complex IT systems.
Security and privacy often go hand in
hand, especially in the healthcare marketplace.
HIPAA encourages healthcare facilities
to implement electronic systems and
mandates that these systems guarantee privacy
and security of patient information. As
a result, more healthcare organizations are
using smart cards, proximity cards and biometrics
to secure their computer networks.
The Right Technology
Organizations today can choose from a
wide range of ID card technology to fit
their security needs, from visual ID cards
to those with embedded biometrics. Most
choose something in the middle.
Magnetic stripes and bar codes are inexpensive
methods of encoding text onto a
card and collecting critical data. Magnetic
stripes contain digital data, such as access
privileges, employment history or background
information, that is transferred onto
the card by special encoders. A reader translates
the data for computer processing, and
bar codes provide access to more complete
information in a secondary database.
Smart cards use internal microprocessors
or memory chips with non-programmable
logic to manipulate information—much like
a miniature computer. This enables organizations
to incorporate multiple applications
and functions into one smart card, thus justifying
the slightly higher cost.
Many critical infrastructures still have a
low level of perceived threat and thus have
not adopted the robust security offered by
smart cards. They could learn a lesson from
how schools have maximized the benefits of
these cards, often combining multiple functions
onto one card. Students at the 3,200-
student Everglades High School in Florida,
for example, have been using ID cards for
school identification for about 12 years.
Four years ago, the staff added a smart chip
to its cards, enabling debit card privileges in
vending machines, the media center and at a
number of other student activities. EHS students
can even purchase yearbooks and
prom tickets with their ID cards. The goal is
to become a cashless campus.
At one New York high school, substitute
teachers must carry a smart card containing
a microprocessor chip embedded with their
Social Security number and certain
encrypted security codes. The smart card
program is tied into the criminal justice
system, providing immediate confirmation
of criminal violations. Special attention is
paid to individuals with a criminal history.
Critical infrastructures that want to take
security programs to another level can add
holographic solutions to their ID cards to
prevent them from being counterfeited.
Options range from economical foilstamped
holographic seals to custom holographic
overlaminates with hidden micro
text, sophisticated flip images that appear
to be animated or pseudo color that
changes when the card is tilted.
Biometrics represents the ultimate in
authentication and, as a result, can be the
most expensive addition to ID cards. Iris
scans and palm prints are powerful security
tools. In a few years, this technology will be
more commonplace, but for now, it is used
primarily by critical infrastructures threatened
by the greatest amount of disruption if
attacked. For example, the Department of
Defense is matching biometric data stored
on its 4 million common access cards with a
live image from a biometric sensor.
Responding to Disasters
Critical infrastructures are sometimes better
at responding to disaster than preparing
for it, and ID cards are an important part of
a disaster management program. Following
Hurricane Katrina, ID cards were used to
credential evacuees and provide them with
some form of personal identification,
which also helped the Salvation Army
maintain security in the temporary shelters.
Evacuees also were able to receive their
Social Security payments and cash checks.
Often during a disaster, first responders
from federal, state and local agencies work
together in a single command structure to
credential people quickly and authorize
access to certain areas. The need for a clear
and constant tracking system is critical. The
first responder authentication cards, compliant
with HSPD-12 and FIPS 201, identify
first responders at the scene of an incident,
enabling them to move in and out of secured
areas. The cards allow physical access into
buildings, logical access to networks, incident
command and control, and property and
firearms accountability.
Preparing for the Unthinkable
Applications exist today for in-house production
of ID cards that fit almost any budget.
Funding also is available to help offset
costs. Having a localized system gives
organizations the flexibility needed to create
an ID system that is relevant to their facility.
People want to know that critical infrastructures
are taking every precaution to
preserve the safety and continued operation
of this nation. Visible ID cards provide
small but tangible
assurance.