Ari's title for this post is fitting.
Why aren't there cameras on all of the operator touch-points of the system, both mechanical and computer? Are the operator audit trails really sufficient? Most, but not all, lack important detail.
I'm continually amazed when I review systems, to see a lack of audit trail controls, lack of two-person controls, and so on. Often the design process is weak, likely scenarios aren't designed for or tested for, and the system starts off with significant vulnerabilities.
In one of the article photos you can see a web-cam on the touch-screen. Is that for GoToMeeting video use, chatting with your friends on breaks, or does the system record who is at the console when operator actions are taken?
The same photo also shows the computer CPU box on the desktop right next to the monitor, keyboard and mouse. I'll bet the USB ports aren't locked down. Forget about the fact that you could unlock doors and cells and then walk away with the control console!
Although I've only been involved in a few after-the-fact investigations for jail/prison incidents, each time the supposed "glitch" was operator intentional subterfuge. In one situation, a computer savvy police officer would manually delete transactions from the access control system's database, to erase records of access to the evidence locker. Evidence and drugs were was disappearing with no apparent cause. Video (at that time) was on VCR tapes, which were doctored and had no chain of custody or truly secure physical storage.
I'm definitely not saying all systems are highly vulnerable, but I am saying that not all systems are sufficiently secure.
The first "computer glitch" should have triggered a serious system examination and a correction of system and process vulnerabilities.
Back in the DOS access control system days, it was common for security officers in office buildings or parking lots to reboot the access control software computer (under the desk of the reception or security counter) to run game software on the midnight shift. Mysteriously, alarms were not being received by the computer during the middle of the night shift! These situations were easily found and documented by logging boot-ups and installing TSR software that would take periodic screen shots.
In the days of Windows 3.1 when DDE (Dynamic Data Exchange) was all the rage for access control software, it was fun to use DDE Spy to capture and then play back the "unlock door" commands, and demo for the vendor sales people that it was possible to unlock doors without their Windows software running, or even installed!
But there are often operator-level and process-level vulnerabilities with system deployments, and I rarely see these addressed.
