
Proceedings of the Cyber Warfare Workshop

National Surveillance Security


B. K. U. R. Nawaratne (090348E)*, D. A. U. Nanayakkara (090342F), J. L. P. R. Perera (090372V), M. M. A. D. S. Mannapperuma (090318M) and C. Mangaleswaran (090317J)
University of Moratuwa, Katubedda, Moratuwa, Sri Lanka
E-Mails: Rashmika: razmik89@gmail.com; Asitha: daun07@gmail.com; Pasindu: perera.pasindu@gmail.com; Dioda: dioode@gmail.com; Chaamini: chaam222@gmail.com
* Author to whom correspondence should be addressed; Tel.: +94-0717-808-444

Abstract: This paper focuses on the security constraints faced by the national surveillance infrastructure in Sri Lanka. A national surveillance system is an important development that integrates all critical national infrastructures to monitor nationwide security by preventing human and animal trafficking, monitoring accidents, etc. The paper is limited to the system and security requirements of the national surveillance system. A general security model for the protection of the system is designed and presented in the paper.

Keywords: Security, Surveillance, National, CCTV, Critical, Infrastructure

1. Introduction

Ensuring national security is one of the most important responsibilities of the government of any nation. Every nation has a national security model which encompasses different security requirements for different domestic core values. As national security challenges have become more complex, governments are looking to devise an appropriate security framework architecture that can protect national core values from external threats. A national surveillance system is one such security model, which can be implemented to ensure national security by integrating all national critical infrastructures.

2. Background

The scope of this paper is the national surveillance system of Sri Lanka, based on CCTV (Closed Circuit Television) technology and sensing technologies. Hence we primarily analyze the CCTV surveillance system implemented in Colombo as well as the communication system implemented along the national critical infrastructures island-wide. Currently the Sri Lanka Police has deployed CCTV cameras at vital locations in Colombo city and nearby suburban areas. In addition, they use mobile surveillance units to monitor national security. All the video data captured by the surveillance cameras is transmitted via a high-speed IP-VPN to the central control room. The deployed CCTV cameras are capable of capturing video at any time of the day, and the central control room can control (pan, tilt and zoom, PTZ) one camera at each location. The cameras are fitted with varifocal lenses to capture sharp images. The mobile units use mobile 3G technologies to transmit data. Since wired surveillance is what is currently implemented in the country, we mainly focus on that in this paper.

The central control room has a video wall, video servers, a control desk, recording equipment, and LAN equipment. The video wall displays all the input from the cameras on LCD monitors, and using the control desk the surveillance team on duty can control the cameras, select the desired camera input and archive footage if needed. The system is capable of handling power failures: all the cameras are powered via UPS, and the central control room equipment is powered by an on-line uninterruptible power supply provided by two UPS devices connected in parallel redundant mode. The system is controlled by video management software that can handle multiple video feeds simultaneously, store data and control cameras. The system has functionalities such as automatic number plate recognition (ANPR) and facial recognition (FR).
But the system is not connected to proper databases to use the ANPR and FR features (the CCTV cameras are capable of providing data to accommodate these features).

The current system is a small-scale implementation of what this paper discusses. It is limited to a few CCTV cameras deployed in Colombo and nearby suburban areas and the surveillance system implemented in the high security zones of the country. But to reap the benefits of modern technology in a better nationwide surveillance system, the systems of individual authorities cannot work in isolation. National critical infrastructure such as airports and harbors, where people enter and leave the country, should also be covered. As the system scales up, architectural, security and cohesion issues arise. Error-prone transmission methods like mobile 3G technologies should also be used with care. And for better facial recognition, the Police department databases should be connected to the national surveillance grid. The issues concerning implementing these systems and recommendations on how to implement a secure nationwide surveillance system are discussed in the next sections.

3. System Analysis

The national surveillance system consists of hardware and software solutions. For the system to work properly, there are a number of quality standards to be met and different processes the system should go through. This section describes the hardware and software aspects of the system and the physical resources needed to complete the project.

Figure 1. (a) Communication Design of the Surveillance System

This is the overall design architecture of the system. The system will consist of a network of CCTV cameras in urban cities, interconnected using 3G or EDGE technology to a central control station (in the current system, wireless technology is not yet implemented; Fibre Channel communication lines are used). It will also be connected to the public network via a firewall and will keep records of the video feed. The main server will keep the video feed of the most recent week. Past data will be backed up on databases, and after 3 months it will be taped in archives.

3.1 Fixed Camera Locations

Urban locations will be identified and provided with fixed, high-resolution, night-vision cameras with zoom capability. They will also contain flash memory to cover temporary network breakdowns of up to 6 hours. Cameras will be connected to the main network using 3G or EDGE technology and should work with a 230 V, 50 Hz power source, which can be easily supplied. All camera units should be weather-resistant, with full 25x optical zoom and a wide angle. Each camera should be capable of both automatic and manual focusing, and should be controllable remotely from the base station. 360-degree motion should be supported, segmented into 16 equal positions for control from the base station.

3.2 Video Streaming, Transmission and Communication

The main medium of communication between the cameras and the main station is the mobile network. 3G network is essential while EDGE network is preferred. To set up a dedicated and reliable connection, contacting the service providers and making arrangements with them is preferred. A private VPN is built upon the public network for authenticity.

3.3 Control Station

The control station, which is the base station for controlling the cameras, consists of the following items. It will issue commands to cameras to rotate and zoom as needed.

3.3.1 Video Wall

A segmented display of all the camera feeds is shown on a single wall to view the overall status of the cameras. A series of wall-mounted borderless LCD TVs will be used. They should be interconnected and capable of acting as a single display.

3.3.2 Main Video Server

Main video servers route the video feed within the control station. As the project scales, more servers will be needed. The main server will cache the video feed of the most recent week for playback at the control station. Then the data will be archived.

3.3.3 Recording equipment

Since the cameras will be directly connected to the VPN, no additional devices need to be deployed to record at the front end. But due to the unreliability of the network, each camera will be capable of recording 6 hours of the video feed on the camera itself in case of a network failure.

4. Security Analysis

As discussed in the System Analysis, there are critical components in the system, and extremely critical data is transported and stored within it. Data and information on government departments, the military, power plants, financial institutions and hospitals will be a major part of that critical data. If those entities were attacked, many aspects of the country would be in danger; ultimately the entire nation's security would be in danger. Furthermore, the privacy of the individuals of the nation would also be in a critical state. Thus providing security for the National Surveillance System is extremely important. We first introduce the security requirements for the National Surveillance System, then a security model for the surveillance system, and finally recommended implementation mechanisms for the model.

4.1 Confidentiality

Confidentiality is a main security requirement for the National Surveillance System. Confidentiality means the prevention of unauthorized disclosure of information, and it is required for both the secrecy and the privacy of the critical data maintained in the system. As an example, suppose the surveillance system is used in a financial institute to monitor the institute's infrastructure. If the system is attacked and the surveillance data is withheld by the attacker, the entire financial institute's security would be in danger. Thus secrecy of the surveillance data is very important. Another aspect of the National Surveillance System is the use of CCTV to monitor the public transportation infrastructure. If that data is withheld by any unauthorized party, the privacy of the citizens of the country could be in danger. Thus securing the privacy of the system is an essential security requirement.

4.2 Integrity

Unauthorized modification or alteration of national surveillance information should not be allowed; the integrity of the data should be preserved. This is mainly because most security-related decisions are taken based on the information acquired from the surveillance system. If any deceitful alteration is made by an unauthorized party, the decisions taken by the authorized parties will be inaccurate. With erroneous decisions the nation could end up in a critically dangerous situation.

4.3 Availability

For the national surveillance system to serve its purpose, the information must be available to the authorized parties whenever it is needed. That means the storage, processing, control and communication of the information should function properly. Simply put, the security system should prevent unauthorized withholding of data.

4.4 Authenticity

The system must ensure that data and communications are genuine. Validation of both parties involved in a communication is important. Therefore, in transactions and uses of the system, it must be proven that the user is who the user claims to be.

4.5 Security model

The design of the security model for the National Surveillance System should be composed of several aspects. The major security aspect should be physical security. If the physical security of the system is breached, all the software security mechanisms would be inadequate. Thus we have to make sure that the system gets maximum physical security.

4.5.1 Physical Security

Physical security can be described as the measures taken to deny unauthorized personnel physical access to the building, surveillance resources or stored information. We use the defense in depth [1] physical security model for the protection of the National Surveillance System. The fundamental concept of physical security is a combination of:

1. Deter
2. Delay
3. Detect
4. Deny

According to the model, we have to discourage intruders or attackers from attempting unauthorized access to the system. We can deter unauthorized persons by instilling doubt or fear of the consequences. When constructing media releases about the system, the public should be made aware of its high security aspects (of course in less detail) and of the serious consequences. Ultimately the general public (including potential attackers) should be aware that it is difficult, risky and costly to even attempt an intrusion. The model then requires delaying any potential attack: the security model implementation should take the necessary actions to delay any potential attack on the system. In case a physical attack is about to occur, the security model should identify the potential attack and then take the necessary action to prevent it.

Passive physical security is the next aspect of the introduced security model. Access to the facility or the building should be monitored and controlled. For example, doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, walls and security guards should be monitored 24 hours a day. Furthermore, the concept of separation of concerns (duties) should be implemented with the model. Separation of duties ensures that an individual cannot complete a critical task by himself. For example, the monitoring and storing of archive data should not be done by a single person, but should go through a procedure that involves a hierarchy of employees. These roles and responsibilities must also be separated from one another.

The most likely type of attack on the national surveillance system is a software-based security breach. With a software-based security breach, it is relatively challenging to identify the attacker or even to identify that an attack has occurred. Thus unauthorized access is highly likely to happen on the national surveillance network infrastructure.

4.5.2 Software based security

We introduce a security model for the national surveillance system in this paper. The model is influenced by the Bell-LaPadula security model and the Biba security model. In this model there are five major components:

1. Objects
2. Subjects
3. Security Classification
4. Security Functions
5. Security Properties

Objects are the system resources. The information acquired from the various surveillance components of the system is classified as the objects of the security model. The subjects are the users of the system; everyone from the administrator to the system maintainer is classified as a subject.

4.5.2.1 Security Classifications

After the classification of subjects and objects, we should recognize the value of information and define appropriate procedures and protection requirements for the information and critical resources used by the national surveillance system. Not all information within the system is equal, and thus not all of it needs the same degree of protection. This requires information to be classified according to a security classification. The security policy for security classification should be composed of security labels and should define the criteria for information to be assigned a particular label. It should also list the required security controls for each classification type.

The security classification should be constructed according to the sensitivity of the information. For example, CCTV video footage from a main road is not as critical as the sensing information of the National Bank or the Department of Defense. Thus the latter information (National Bank and Department of Defense) should be given a higher classification relative to the normal video footage of a main road. In the security model we introduce, the following security classification is followed. They are in the hierarchical order from bottom to top.

1. Top Secret
2. Confidential
3. Restricted
4. General

The inside information of the bank treasury, the defense department or information on highly critical infrastructure is given the classification Top Secret. The general CCTV information on main roads is given the Restricted security classification. In a similar way we can allocate a security classification to all the information and resources of the national surveillance system. Checking of security clearance should adhere to the security classification. All subjects and objects will be given a security classification label, and when a subject needs to access any of the objects, he should authenticate using his security clearance to proceed.

4.5.2.2. Security Functions

The security functions allocate security classifications to the subjects and objects. There are three security functions in the security model we introduce for the system:

1. Fs: S -> L gives the maximum security level each subject can have
2. Fc: S -> L gives the current security level of each subject
3. Fo: O -> L gives the classification for all the objects

In the first function we allocate the maximum security level a subject can have. Therefore no subject can hold a security classification level higher than that at any moment of its lifetime. The second function allocates the current security level of a subject, and the third function allocates the security classification level of objects.

4.5.2.3. Security Properties

The security properties define the main concept of the model. Here we consider two security properties for this model.

1. The Simple Security Property: A subject at a given security level may not read an object at a higher security level. That is, read up is not allowed. As an example, a subject with the Restricted security label is not allowed to access an object (resource) with the Confidential or Top Secret security label. This property will ensure the confidentiality of the national surveillance system.

2. The Star Property: Except for subjects with Top Secret security clearance, no subject can write to any of the data. That is, if a subject is writing or modifying the data, he must have a security level of Top Secret. This property will ensure the integrity of the national surveillance system.
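The three security functions and the two properties above, written as a small reference monitor. This is an added example, not code from the paper: the subject and object IDs are constructed, and three choices are assumptions made here, namely General as the lowest label, sessions starting at General, and reads being checked against the current level Fc.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security labels, lowest to highest (the position of GENERAL is assumed)."""
    GENERAL = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    TOP_SECRET = 3


class ReferenceMonitor:
    """Mediates every read and write using the paper's Fs, Fc and Fo functions."""

    def __init__(self):
        self.fs = {}     # Fs: S -> L, maximum level a subject may ever hold
        self.fc = {}     # Fc: S -> L, level the subject is currently using
        self.fo = {}     # Fo: O -> L, classification of each object
        self.audit = []  # (subject, action, object, allowed) for every decision

    def add_subject(self, sid, max_level):
        self.fs[sid] = max_level
        self.fc[sid] = Level.GENERAL  # assumption: sessions start at the bottom

    def add_object(self, oid, level):
        self.fo[oid] = level

    def set_current(self, sid, level):
        """Raise or lower Fc(s); it may never exceed Fs(s)."""
        if sid not in self.fs or level > self.fs[sid]:
            raise PermissionError(f"{sid} may not operate at {level.name}")
        self.fc[sid] = level

    def decide(self, sid, action, oid):
        """Return True if the access is allowed; unknown names fail closed."""
        if sid not in self.fc or oid not in self.fo:
            allowed = False
        elif action == "read":
            # Simple Security Property: no read up.
            allowed = self.fc[sid] >= self.fo[oid]
        elif action == "write":
            # The paper's Star Property: only Top Secret subjects may write.
            allowed = self.fc[sid] == Level.TOP_SECRET
        else:
            allowed = False
        self.audit.append((sid, action, oid, allowed))
        return allowed


def build_demo():
    """Constructed subjects and objects; the IDs are illustrative only."""
    rm = ReferenceMonitor()
    rm.add_subject("EMP-1001", Level.RESTRICTED)    # control-room operator
    rm.add_subject("EMP-2001", Level.TOP_SECRET)    # senior administrator
    rm.add_object("cctv/main-road-12", Level.RESTRICTED)
    rm.add_object("sensor/national-bank", Level.TOP_SECRET)
    rm.set_current("EMP-1001", Level.RESTRICTED)
    rm.set_current("EMP-2001", Level.CONFIDENTIAL)  # logged in below maximum
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for request in [("EMP-1001", "read", "cctv/main-road-12"),
                    ("EMP-1001", "read", "sensor/national-bank"),
                    ("EMP-2001", "write", "cctv/main-road-12"),
                    ("EMP-9999", "read", "cctv/main-road-12")]:
        print(request, "->", "ALLOW" if rm.decide(*request) else "DENY")
```

Because writes require Top Secret and Fc can never exceed Fs, a subject whose maximum is below Top Secret can never modify footage under this model, whatever level it is currently operating at.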

4.5.3 Access Control

Access to protected information (objects) must be restricted to people (subjects) who are authorized to access it. This requires mechanisms to be in place to control access to protected information. Thus we use a role-based model to control the access mechanism of the surveillance system. The roles will be the same as the security classifications introduced above. Subjects will be identified by subject ID (employee ID). Authentication uses the thumb print and retina scan of the subject and a password of minimum 16 characters (a combination of uppercase, lowercase and non-alphanumeric characters). This is called two-factor authentication. After a subject has been identified and authenticated, it must be determined what access level should be granted. Thus a role-based capability list will be used for authorization. Here we implement a mandatory access control approach: access is granted or denied based on the security classification assigned to the object and the subject.

4.6 Cryptography

In the prevailing surveillance system the data is transferred via optical fiber cables (3G and EDGE wireless technologies are proposed). Thus the data can be threatened by interruption, interception and modification while travelling in the network. Therefore we must model security measures to prevent security threats on the network itself. For the security model we introduce, we use a cryptographic mechanism. This will transform the critical information into a form that renders it unusable for unauthorized parties. Symmetric key cryptography will be used for the communication of the National Surveillance System.

At the information producing end we encrypt the data using the shared key of the sub-system. At the surveillance end we decrypt the encrypted data using the shared private key of the sub-system. Therefore, during transport, even if the data is accessed by unauthorized parties, its confidentiality will not be compromised. To ensure the reliability of the secret key, it will be changed every 7 days. Here we have to be concerned about the length and strength of the encryption key. Since encryption will happen at the sensor end, it would be impractical to use a highly sophisticated encryption device there. Therefore a feasibility study should be done before the implementation of the cryptography devices for the surveillance system.

5. Conclusions

Since the complexity of ensuring national security has increased over time, a national surveillance system is required for Sri Lanka. It should be implemented in a way that enables the government to track all critical national infrastructures with error prone mechanisms (both security and system requirements) as suggested in the paper. Though the system has been implemented on a small scale in Colombo with a few CCTV cameras, expanding it to a nationwide system integrating all critical national infrastructures will require high initial and maintenance costs to ensure the system works reliably. Thus a feasibility study should be carried out to ensure the viability of the system in the Sri Lankan context.

Acknowledgement

The authors of this paper are grateful to Dr. Chandana Gamage and Dr. Shantha Fernando for the support they provided in achieving the objectives of this research paper. We would also like to share our gratitude with the Sri Lanka Police Department for providing public details on the National Surveillance system implemented in Sri Lanka.

References

1. S. Northcutt, Security Laboratory: Defense in Depth Series 2007, http://www.sans.edu/research/security-laboratory/article/311, Access: 28.02.2012
2. D. Gollmann. Computer Security, 2nd Ed.; Publisher: Wiley, India, 2007; ISBN: 81-265-0690-3
3. Network Security, http://www.windowsecurity.com/uplarticle/4/part1.pdf [Online] Access: 02.03.2012
4. Access Control, Access Control using Security Labels & Security Clearance, http://www.isode.com/whitepapers/security-labels-clearance.html [Online] Access: 01.03.2012
5. CCTV Implementation in Sri Lanka, Dayata Kirula Guide, Sri Lanka Police Department.
