Vulnerabilities
Rachel Derr
Abstract
This chapter outlines how physical security systems and other physical security elements can assist in the protection of an organization by minimizing the vulnerabilities that threaten the target. The chapter discusses how physical threat monitoring, employee background checks, human guarding, technology, and a basic emergency action plan can assist in this process.
Keywords
intrusion; deter; detect; assess; respond; delay; networks; physical threat; theft; sabotage; Closed Caption Television (CCTV); emergency action plan (EAP); threat level; CBRNE; evacuation
Physical Security Systems
Physical security systems are the most common type of protective measure. If deterrence fails, the security system must be able to detect illegal intrusions from strangers as well as unauthorized intrusions by employees. An intrusion is unauthorized entry into a secure facility or database. The security system must then attempt to achieve its other objectives of delay, assess, and respond.
To assess properly, you will need to list the components of your security systems that your organization has (Tables 8.1 and 8.2).
Table 8.2
Sample Security System Component Matrix
| People | Policies | Equipment |
| Security officers | Emergency plans | Access control |
| Employees | Access control | Barriers |
| Visitors | Post orders | Cameras or CCTV |
| Operating hours | Lights | |
| Locks | ||
| Weapons |
If deterrence fails, the physical security system should detect the intrusion. If that fails, it should delay the intruder with physical, electronic, or human barriers. While delaying the intruder, the security system should provide accurate information, either overtly or covertly, so that the security team can assess the situation and initiate the proper response. Security systems must respond to every intrusion to be effective. The response protocol is dependent on the facility, the criticality of the asset, the security system, and the response capabilities of the facility.
The design or modification of a security system should address one or more of the give objectives of a security system. As a security system is developed or enhanced, cost–benefit analysis should be based on the objective of the security system.
Although it might be easy to select deterrence as the most important objective, some intruders will not be deterred. Consequently, it is important to consider all objectives when recommending design modifications or upgrades, realizing that any weakness could become the Achilles heel of the facility.
Physical Threat Monitoring
Sometimes we spend so much time worrying about cyber attacks that we forget about the basic problem of physical threats. There are many types of physical threats that must be factored into a security program, including theft, sabotage, human error, and environmental disruption.
When implementing a physical threat monitoring system, an enterprise must deploy sensors in sensitive areas and along likely attack paths, capture all available information that can help identify the specific problem, and develop a system that can aggregate this information and distill it into salient details that must be acted upon.
A number of organizations’ weakest points are their data or networks. However, long before there was anything called “cyber terrorism,” there was terrorism. Before there were software bugs, there were bugs getting caught in computers. Long before there were software errors, there was human error. The virtual world is not safe, but the physical world has the right of first refusal on risk, if only for the more drastic downsides.
Computers and networks are taking over enterprises, becoming ubiquitous as they infiltrate our primary business processes to the point where these systems are crucial to the success of the organization. This growth in physical infrastructure as well as its growing significance to an organization has created the need to protect the systems themselves not only from cyber attacks but also from the physical attacks that can be perpetrated against them.
A number of parties play a role in physical threat monitoring. Security departments have played a traditional role in protecting all of the assets in an enterprise. The facilities group ensures that the physical plant runs smoothly and reacts to environmental concerns. Information security professionals protect the data and system usage that is increasing in value. Each of these constituencies has a stake in the success of any protection plan. How they work together and leverage technology to protect technology is key.
Technology and Physical Security Blended: A Layered Approach
As we build smarter software, we increase its value. The need to protect the software application and its data is obvious, but there is another side of smarter software: it can be put to use in the protection of itself. Intellectual property–based physical threat monitoring systems can leverage the same infrastructure they are protecting.
Information security professionals have long focused on virtual risks, but at some point, all things virtual become physical. It is that crossing point—where physical infrastructure and systems provide an access point to the virtual world—that the link between physical threats and virtual threats is most apparent.
Two perspectives exist that highlight the need and power of new physical threat monitoring systems, protecting systems from physical attacks and using systems to make protection more effective.
Sometimes the most apparent attack paths get ignored in favor of what is “in vogue.” In a lot of ways, that is what is happening in the information security world. Certainly, cyber attacks, hackers, and worms are very real threats. But we can’t ignore attacks that are targeted against physical computing infrastructure and so must factor in other threats to these assets.
One example of this kind of threat is apparent with today’s multinational corporations. Information security professionals may disregard the threat of physical attacks when attempting to thwart the hack attack coming from the other side of the world, but entities with facilities in countries with diverse geopolitical ideas may have a serious physical threat from employees who can tap networks or steal hard drives.
The power of software is in its ability to consistently process large amounts of data and identify nuggets of information in an efficient and effective manner. The challenge of physical threat monitoring is always in identifying an attack before it occurs or determining the likelihood of a problem in advance. Applying the power of software creates an opportunity to more effectively protect an enterprise.
For example, the failure of a network hub may be identified because it stops sending its status reports. A virtual monitoring system can identify that something is wrong. A physical threat monitoring system that has links to the software can do more. It can identify the same problem and then provide information about the cause of that failure—temperature, air flow, or water existence in the physical facility, for example. The decisive benefit comes from the existence of a secure camera in the room that can send images back through the wires to an operations console. In this way, the full picture of what is happening can be created and the problem solved more quickly.
Building the story around a threat first involves understanding the variety and types of physical threats that exist today.
The Physical Threat
Everyone has a different mental picture of a “physical threat.” Often, the picture that forms first does not provide the clearest, broadest perspective on threats that exist. When it comes to networking infrastructure and equipment, a number of threat types must be considered when evaluating the physical threat.
Theft (Physical and Virtual)
Theft is the most obvious threat, particularly for individuals with a security background. At the intersection between physical and logical worlds, theft can occur in either place. Computing and network equipment has long been stolen and resold on the black market simply for the value of its computing power. In addition, physical attacks against logical security can be easily perpetrated. Logical attacks can occur at system consoles, through available Ethernet ports, and in network equipment rooms (wiring closets).
Sabotage
A close cousin to theft, the deliberate destruction of equipment is an oft-used technique for “teaching lessons.” Anyone with a grudge against an organization may provide some risk of sabotage against sensitive systems. Nowadays, terrorists are often considered when evaluating the likelihood of physical sabotage to mechanical and computing equipment.
Human Error
A much more common occurrence, although often not considered a “threat,” is human error. Stories abound of the “early days” of computers when janitorial staffs would unplug mainframes to sweep behind them and then plug them back in when things were clean. Although incidents like this are highly unlikely to occur in today’s data centers, ubiquitous networks have led to pieces of the computing infrastructure being placed in precarious places. It is not difficult to imagine human error resulting in equipment being jostled out of place (say, in a copy room or janitor’s closet) and unplugged, reset by mistake, or knocked off a shelf.
Environmental Disruption
Perhaps the most prevalent threat today is simply the “act of God” and related man-made environmental problems. Fire tears through buildings. Floods caused by plumbing or natural means destroy infrastructure assets and data. Electricity spikes and power outages caused by thunderstorms can wreak havoc on computing equipment, particularly when backup generators aren’t regularly tested. These threats are common in any organization today.
All of these threats must be evaluated against the likely risks in the environment. There are basic objectives for building out a strategy for physical threat monitoring.
Employee Background Checks
One critical vulnerability at any site, regardless of function, is the trustworthiness of the employees. The insider threat increases when quality background checks of employees are lacking. The more sensitive the site, the important the background check are to ensure security at the site. This applies to all levels of employees.
Use of Security Officers
An effective deterrent is a trained armed or unarmed security officer force. The use of security officers should be based upon a cost–benefit analysis of other physical security alternatives.
In the United States, armed security officers are expensive, and many different electronic security devices are available. In areas with lower labor costs (rural areas), local law enforcement’s response capabilities and the technical support required to maintain a sophisticated electronic security system might make armed security officers a better choice. In areas with higher labor costs (urban areas), the cost and liabilities of using armed security officers, the availability of security system technical support, and quality of local law enforcement response might favor use technology over personnel.
Some companies are asking themselves whether it is more economical and efficient to choose a CCTV over security guards. Let’s not fool ourselves. CCTV is a vital part of any security system and should definitely be included in your budget; however, there are certain things that CCTV cameras are unable to accomplish, such as covering those blind spots. Below we can see that using a manned system has many advantages over CCTV.
CCTV lacks a personal touch and is unable to use judgment in situations. A human is able to pick out which situations and events he or she believes are threatening of suspicious; a camera is unable to do this.
With a manned guarding system in place, you can be assured that whether or not you have a CCTV system on site, the human touch can maximize the effective functionality of any equipment you may choose to operate in your establishment. If you ensure you have a good manned guarding system in place, you can be safe in the knowledge that your building will be protected 24 hours a day.
Because a guard is able to see immediately what the trouble is, he or she is more likely to act on it right away, which is not the case with CCTV. To prevent accidents and any other possible threats, the security guard is constantly monitoring the security cameras themselves. By using both methods, you ensure that an establishment has maximum protection.
Unlike CCTV people have emotions, meaning that they are more likely to do a better job because they care about what they are doing. You must be aware, though, that people do occasionally make mistakes. By ensuring you have employed a good mix of reliable people, you will probably find that they will let you down because they want to get paid! Additionally, if you employ people with a previous background in the security sector, they will be able to assist you with other security-related issues.
One of the main reasons for choosing manned guarding is that security guards are human beings. There is usually a tough training process involved in becoming a security guard. Security guards have other skills such as communication and the ability to fill out paperwork, which gives them additional advantages over cameras.
For a security officer force to be effective, several key elements must be in place. The security officer must be trained to a level that projects credible deterrence and be empowered by management to act in accordance to the protocols contained within the facility’s emergency plan or post orders.
The training program must be progressive and occur at regular intervals to ensure that the security officer force maintains its professionalism and remains a legitimate deterrent and response. The security officer force must also be paid at a level that attracts qualified personnel.
The system should be implemented that provides opportunities for employees to advance to great positions of responsibility within the security department or employee turnover may become a problem.
Emergency Action Plans
The facility’s emergency action plan (EAP) should detail the expected response protocols for responding to a variety of threats and hazards. An EAP is an essential component of an organization’s safety procedures. Creating an EAP and training employees on how to follow it can greatly reduce employee injuries and property damage and can ensure the safety of visitors in the event of an emergency.
An EAP can be useful in a wide range of emergencies. The response to many emergencies will include similar components, but they will also have unique components that will require careful planning and execution.
It is important to identify the emergencies most likely to impact your organization and plan accordingly. It wouldn’t make sense, for example, for an organization in Miami, Florida, to spend precious time and resources preparing for power loss during a winter storm.
It is also important to recognize that some emergency responses will have radically different recommendations than others. Fires and tornadoes, for example, have two very different requirements. During a fire evacuation, the main objective is to get out of the building as quickly as possible, but during a tornado, the goal is to get everyone inside the building. Sometimes it is even more complicated, such as during an active shooter emergency, when hiding within the building may be the best option for some and evacuating may be the best option for others.
The response should consider the severity of the threat to the facility and the current threat level to the local area or country. The Department of Homeland Security (DHS) uses its advisory system chart (Fig. 8.1) to communicate the threat advisory.
Plans should include actions to take as the national level changes. Additional or parallel levels may need to be defined specific to an asset, with associated actions defined in the emergency plan.
The EAP should detail how the response protocols will complement and support the system’s other capabilities to detect and delay an intrusion into a protected area. The system must be designed to allow for the proper detection and assessment before a response is mounted. It then must give the responding force time to interrupt the intrusion before the asset is compromised.
For example, a proper response to an intrusion by children playing soccer might be a conversation with them that they are on private property. A response to an armed intrusion might be calling local law enforcement or an internal trained and armed security officer force response.
Traditional security focused upon intrusion by strangers or unusual acts by authorized occupants. In recent years, our need to respond has broadened to include the intrusion of chemical, biological, radiologic, nuclear, and explosive (CBRNE) weapons. A proper response to a biological or chemical intrusion might be to shelter in place or evacuate depending on the situation.
Response protocols are different for each facility and are dictated by internal and external considerations.
The security system design must match the design of the building. The operations of the security team must match the operation of the business conducted at the building. Therefore, it is efficient and cost effective to incorporate the design of the security system into the design phase of the building. It is also important to reevaluate and update the security system whenever facility modifications are made to decrease the chances of a vulnerability being overlooked and exploited by an intruder.
No two EAPs will be identical. Building layouts, hours of operation, personnel qualifications, and more all have an impact on the particulars of an EAP. There are, however, certain universal components that should be included in most EAPs; including:
Evacuation procedures, escape routes, and floor plans
Reporting and alerting authorities
Alerting staff and visitors of an emergency
Accounting for people after implementing an EAP
Notifying parents, guardians, or next of kin
Some of the components are broken into three distinct sections: considerations for emergencies that start or occur within the building, emergencies that occur outside of the building, and emergencies that come about from a health-related scare. Here are a few examples for each category for your reference:
Emergencies within the building: fire, active shooter, or power outage
Emergencies outside of the building: tornado, lightning, or extreme heat
Health-related emergencies: heart attacks, seizures, drowning, or concussions
Evacuation Procedures, Escape Routes, and Floor Plans
In the event of an emergency, people need to respond quickly; knowing where to go and how to get there is often an important part of a quick response. Depending on the type of emergency, people will either need to exit the building as quickly as possible or be prepared to navigate to a safer part of the building. It is important that each person knows exactly where to go in the event of an emergency.
Current floor plans are an integral part of every written EAP. Regardless of the emergency, an EAP should contain an up-to-date floor plan for the entire property. The floor plan should include clearly marked evacuation routes, and all emergency exits should be easily identifiable. Remember that this information isn’t only posted for the good of employees; guests, including emergency personnel, will also rely on this information to navigate the building safely.
Emergencies Outside of the Building
In most cases, when an emergency starts outside of the building, the safest thing to do is find a safe place within the building. Most often, emergencies outside of the building will be weather related or natural disasters such as a tornado, earthquake, or lightning storm. These events provide different levels of warning before they strike, so it’s important to be prepared to respond to the emergency quickly.
Emergencies Within the Building
For emergencies occurring inside of the facility (e.g., fires, power outages), the main goal is to get everyone out of harm’s way. To achieve this goal, staff should be aware of the fastest and safest way out of the building. It is also necessary to ensure that evacuation procedures are easily accessible to customers and visitors inside of the building. Having a broad understanding of the layout of a building can help staff members prepare for unanticipated detours along the most common emergency exits.
Health Emergencies
If someone inside of the building is injured or harmed in some way, an EAP should be initiated quickly. Staff should be prepared to respond to a wide range of plausible health scares such as a heart attack, seizure, possible drowning, and more. Depending on the emergency, local emergency medical services may be contacted. Be sure that these authorities will have easy access to the injured person and that they’ll be able to exit the building quickly when it is time to do so.
Reporting and Alerting Authorities
Most emergencies require the involvement of police, fire and rescue, and medical professionals. Contacting these authorities is usually as easy as dialing 9-1-1. With that said, it’s important that someone in the organization be designated to make the call. There’s nothing worse than a delayed response because everyone assumed someone else contacted authorities.
It’s important to note that some emergencies require specialized emergency responders. For instance, a chemical spill needs the services of specialized hazardous materials unit, and downed power lines or utilities issues require the work of the utility company. Make sure the EAP contains all the emergency numbers and contact information that may be needed.
Alerting Staff and Visitors of an Emergency
In addition to alerting the proper authorities, it is equally important to communicate to all staff and guests that an emergency is occurring. The exact method of communication will vary based on the size and design of the facility and the type of emergency.
For example, in the event of a fire, the best way to alert everyone is to simply pull the fire alarm. For other emergencies, an intercom system might be the most effective method. Some alert systems can be as simple as blowing a whistle (i.e., aquatic EAPs) or ringing a bell.
Accounting for Everyone After Implementing an Emergency Action Plan
After initiating and executing an EAP, the next step is to regroup. It is important to identify if anyone was lost or injured during the process. For larger organizations, this is best accomplished by breaking up into manageable groups. In most cases, these groups are based on departments or specific physical areas within the facility, but they can be organized any way that makes sense for your organization.
Accounting for everyone after an emergency can be as easy as keeping a printed roster and asking people to check in when they’re in a safe location. It is also recommended to have each group meet in a designated area to make it easier to check in each person.
Emergencies Outside of the Building
Hiding in a secured area is an appropriate response to emergencies that begin outside of the building such as tornadoes or lightning storms. Violent emergencies such as active shooter scenarios are also an appropriate time to hide. Note that these instances will make the task of locating everyone a challenge. Keeping detailed records can help alleviate some of the trouble, however.
Notifying Next of Kin
After an EAP has been activated, it may be necessary to notify next of kin for the people involved. Depending on the situation, family members may need to be alerted immediately to provide information or come to pick up their family members. A good EAP will detail who is responsible for alerting family members, what emergencies require alerting families, and what information should be relayed. It is also important to maintain up-to-date contact information for all members.
Identifying a Media Contact Person
Depending on the type and severity of the emergency, there’s a possibility that a member of the media will contact your organization seeking information. When dealing with the media, it is important to have a single individual identified as the media contact person. Instruct all staff within your organization to direct any inquires from both the media and the public to the media contact person. This individual should be well trained on how to respond properly to sensitive questioning and should know what information is and is not acceptable to divulge.
Training New Staff
Because emergencies can occur any time without warning, it is essential to develop a policy to train all new staff on the various EAPs and their roles within the EAP. As part of new employee training and orientation, give all new staff a copy of the EAPs and provide them with a layout of the facility along with where all the emergency exits and escape routes are.
New staff should be provided with important locations in the event of specific emergencies, such as where to take shelter in the event of a tornado. Identify multiple emergency exits because certain emergencies may make the closest exit inaccessible. If there is a chemical spill, for instance, staff should be trained to avoid exits near the area and find another way to evacuate the building.
Policies for Updating and Maintaining the Emergency Action Plan
Change is constant. Keeping all EAPs current is a major undertaking but is the only way to ensure an efficient emergency response. New hires, building redesigns, new programs, office changes, remodeling, and much more can all impact the effectiveness of an EAP.
Remember, emergency plans must be flexible and be able to change with national or site threat levels.