Chapter 8

Critical Infrastructure Protection

 

8.1. General context of critical infrastructure protection

8.1.1. Challenges

One of the main characteristics of our modern societies is their megalopolises, whose numerous infrastructures are often the hubs of the economic and social activity of the region, sometimes of the country. A non-exhaustive list of key infrastructures of the economic activity would feature: airports, train stations, subway stations, the main commercial harbors, regional centers of food supplies (for example Rungis in the Parisian suburbs).

All these infrastructures feature the following characteristics:

– they are thoroughfares through which thousands, sometimes tens of thousands, of people and/or goods transit every day;

– they are open and interlinked within generally dense agglomerations;

– closing them for several days on end would have severe consequences on the human, social and economic activity of the region, sometimes of the country;

– any incident or deliberate attack leading to a severe malfunctioning of the infrastructures would instantly attract the attention of the media, or even of politicians.

Similar issues are raised by large events which bring together a high number of players or spectators: political meetings, sports games such as soccer, rugby or car races, etc.

For most of these events, security demands that the problem be studied in its entirety, the whole infrastructure taken into account, in its physical definition (the buildings and various physical components) as much as its functional definition and its procedures. Indeed, while a physical attack on an infrastructure might obviously cause a significant alteration of, or even put a stop to, its operation, a functional attack without any physical damage might just as well lead to a shutdown.

8.1.2. Structure of a vital infrastructure

An infrastructure is built on three types of components: physical, functional and organizational. To illustrate these concepts as clearly as possible, we will use the station of a metropolitan network, but the ideas are generic and can just as well apply to any other type of critical infrastructure, such as stadiums, airports, regional food supply centers, etc.

The physical components are of course the most visible, and the first components to come to mind: they are the various buildings and works, or part of the buildings and works, which form the infrastructure. For example, the physical components of a metropolitan train station include the buildings, the corridors, the hallways, the platforms, the bulletin boards (the public ones as well as the ones used by the operators), the railway, and last but not least, the rooms and devices necessary for train control and power supply (transformers, control room, etc.). Evidently, any significant damage suffered by these components could, depending on its criticality, bring the activity to a momentary, partial or complete stop. Such would be the case, for example, in the event of an explosion, a fire, or a flood, resulting in partial destruction.

Since the main objective is to protect the infrastructure against deliberate threats, its physical components are compartmentalized, broken down following a notion of “basic physical component”, characterized in relation to the people that will go through them:

– an “open” basic physical component of the infrastructure receives a flow of persons that have not been subjected to a background check, and is characterized by a large geographical perimeter, featuring unbroken segments, sometimes poorly defended against intrusions. Such is the case, for example, with airport runways, train stations, security perimeters within the Vigipirate system, school campuses;

– a “semi-open” basic physical component receives a flow of people that have not been subjected to a background check, and is characterized by a geographical perimeter through which intrusions are only possible on a small number of well-identified spots. Such is the case, for example, of an underground subway station, a public area of ministries, a school;

– a basic physical component with “controlled access” is a “semi-open” basic component which only accepts people that have been subjected to a background check. Such is the case, for example, of ministries, EDF (France’s main electricity provider company) power plants, sensitive organizations;

– a basic functional and physical component of the type “itinerary from point A to point B” is a part of the infrastructure through which people or goods transit to go from point A to point B, following a well-known itinerary. Such is the case, for example, of the highway or railway networks, a luggage screening system, waterways, power transmission channels, etc.

As we can see, these basic physical components can be easily assembled to form more complex physical structures. For example, the physical structure of an airport features the following basic physical components:

– open (runways);

– semi-open (passenger terminal);

– with controlled access (from the security screening to the plane’s door);

– itinerary (passengers’ trip from the security screening to the plane and likewise, but following a different route, for the luggage).

The functional components encompass all the services which the infrastructure must provide in order to fulfill its mission. For example, for the aforementioned train station, the services would be:

– bill the passengers;

– carry the passengers;

– keep the passengers informed;

– ensure the passengers’ and staff’s safety;

– etc.

For example, let us pretend that the subway’s barriers are locked into the open position. The physical components as previously described would not be destroyed, but a main functionality would be affected and it would in all probability lead to the momentary shutdown of the station till the barriers were fixed, or to their temporary replacement by human ticket collectors.

These main or first tier functionalities can be broken down into several functionalities of lower or secondary levels. For example, “carry the passengers” needs two functionalities in order to ensure:

– that the passengers can access the trains;

– that the traffic is regular.

Thus functionalities can be broken down into a succession of functionalities of inferior levels whose fulfillment is necessary for the global working of the infrastructure. For instance, the propagation of tear gas through the station’s passageways would affect the functionality “ensure access to the trains” and would therefore paralyze the whole station, without altering the physical components in any way.

It should of course be noted that the partial or total destruction of physical components generally leads to the loss or the significant degradation of one or more functionalities, while the reverse does not necessarily apply.

Lastly, the infrastructure features organizational components. The smooth running of the infrastructure generally calls for human intervention, either for its actual operation, or for maintenance and repairs, or to ensure the passengers’ safety and create a feeling of trust, etc. Stopping, paralyzing or altering the work of these people inevitably has immediate consequences on the functionalities, which can themselves have an impact on the physical components. An illustration is easily found in the problems arising from personnel strikes: traffic is disrupted or stopped, and therefore the functionality “carry the passengers” is altered or even completely unavailable. But one might also envision the problems arising, for example, from poor organization of the communication between the various departments, which would also lead to the disruption or actual stop of an infrastructure’s operation.

In short, to secure a vital infrastructure is to secure the set of its components against various hazards and threats, whether fortuitous or intentional. “Perfect” or total security will never be reached in actual practice, if only because of its cost. The most likely and/or most dangerous hazards and threats will systematically be assessed, and protection focused on them.

8.1.3. Hazards and threats

Incidents altering the infrastructure in one or several of its components can be caused by human or material failures which are, in the case of material failures, fortuitous. However, they might also result from deliberate attacks, such as vandalism, sabotage or terrorism: so-called established threats.

To efficiently secure an infrastructure, an inventory as thorough as possible is therefore necessary, both of the hazards that might befall each of the aforementioned components, and of the most credible threats. Their likelihood and severity must also be assessed.

The risks generally taken into account in critical infrastructures are mostly those linked to fires and to electrical and mechanical failures.

Simple hazards can lead to events with no great impact on the infrastructure’s physical components, such as an electrical failure on the level of an airport’s bulletin board. But they can just as well have a serious impact on the infrastructure’s functional components.

Obviously, some of these hazards hold more danger for the physical components, and therefore might have consequences that will block the functional components. Moreover, these hazards can create incidents with varying consequences depending on the places and circumstances. For example, a simple fire can, if it reaches a transformer containing pyranol, turn into a chemical incident with the spreading of highly toxic smokes. This is a “domino effect”, where one incident sets off a chain of other incidents, each on a larger scale than the previous one.

Likewise, threats must be described and evaluated according to the infrastructure, the possible social tensions within the organization managing the infrastructure, the town or the country, as well as the current geopolitical situation. Nowadays, they are marked by the terrorist threat, the importance of which was unfortunately attested by the catastrophes of September 11, 2001, the Madrid train bombings, the London bombings, etc.

These threats are all the more difficult to prevent since they exploit suicidal behaviors and aim at domino effects, in which the catastrophes are mainly the result of the triggering events’ consequences. The September 11 attacks are a dramatic example of the desired domino effect. In that particular case, the terrorists did not board with any kind of explosive, but used the very planes as bombs, planes which then provoked massive fires, fires which made the twin towers collapse, collapse which caused many more victims than the crashing of the planes.

Finally, it should be noted that individuals with nothing to lose can use fragmented security systems as facilitators to their attacks! Indeed, in many cases, the possibility of a domino effect is not really taken into account by the system, even in relatively simple situations. For example, many critical infrastructures include restricted areas for which no solution of global security has been planned in case of fire or alarm. The fire alarm system triggers the opening of doors to allow for the prompt evacuation of personnel, and there is no system left to monitor the entries! It is therefore easy to start a simple fire in a nearby area and thus open the doors of the area one wishes to enter.
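The gap described above can be closed on the monitoring side by keeping passage detection active while doors are released and flagging every entry into a restricted zone during that period. The following is an added example, not taken from the original text; it assumes that door passage sensors keep reporting during a fire release, and the event kinds, zone names and log are constructed.

```python
from dataclasses import dataclass

# Zones that normally require access control (constructed names).
RESTRICTED = {"control_room", "power_supply_room"}

@dataclass(frozen=True)
class Event:
    t: int      # seconds since the start of the log
    kind: str   # fire_alarm | door_released | door_relocked | passage_in | passage_out
    zone: str

def entries_during_release(events):
    """Return (t, zone, alarm_origin) for each inward passage into a
    restricted zone while its doors are held open by the fire system."""
    released = {}      # zone -> zone in which the triggering alarm started
    last_alarm = None  # origin of the most recent fire alarm
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "fire_alarm":
            last_alarm = ev.zone
        elif ev.kind == "door_released":
            released[ev.zone] = last_alarm
        elif ev.kind == "door_relocked":
            released.pop(ev.zone, None)
        elif (ev.kind == "passage_in" and ev.zone in RESTRICTED
              and ev.zone in released):
            # Access control is bypassed here, so every entry must be reviewed.
            findings.append((ev.t, ev.zone, released[ev.zone]))
    return findings

# Constructed log: a fire in a storage area releases the control room doors.
SAMPLE_LOG = [
    Event(0, "fire_alarm", "storage_3"),
    Event(2, "door_released", "storage_3"),
    Event(2, "door_released", "control_room"),
    Event(40, "passage_out", "control_room"),   # evacuation, expected
    Event(95, "passage_in", "control_room"),    # entry while unprotected
    Event(600, "door_relocked", "control_room"),
    Event(700, "passage_in", "control_room"),   # normal access control again
]

if __name__ == "__main__":
    for t, zone, origin in entries_during_release(SAMPLE_LOG):
        print(f"t={t}s: entry into {zone} during release (alarm origin: {origin})")
```

An entry whose alarm origin is a different zone from the one entered is the pattern the paragraph describes, and it is the case that warrants a sweep of the zone before the doors are re-locked.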

8.2. Protection requirements

The infrastructures’ complexity, which stems as much from the number of their components as from mutual dependence, and the few examples we have studied which emphasize the necessity of taking the value chain into account under its physical, functional and organizational aspects, illustrate the “system of systems” dimension which must inevitably be considered if one wants to achieve true, flawless security. Protection must therefore only be conceived in its entirety, by meeting a set of requirements.

8.2.1. Looking at the infrastructure in its entirety

The protection of a critical infrastructure must take into account every one of its components, each belonging to one of the three categories we have mentioned. It must be conceived with the obvious purpose of avoiding major crisis situations, or even catastrophes. However, by the very essence of the aforementioned hazards and threats, there can be no absolute guarantee that such a crisis will never happen. The security system will therefore have to be of use not only before, but during the crisis, and help curb it as much as possible.

To that end, the security system must be operational:

– preemptively, to avoid a serious crisis through the instant detection of its warning signs and the activation of the required actions;

– at the outset of a crisis, to activate (or allow the activation of) the interventions of the appropriate level;

– during a crisis, to monitor its evolution if it hasn’t been avoided, and assist the interventions (for example by guiding the personnel);

– at the end of a crisis, to restore a normal situation, safe and secure.

Therefore, the study and the design of a global security system must regroup, around the team of engineers in charge of that design, all the agents involved in the infrastructure on any level, namely the infrastructure’s operators, the incident response teams, and the regulatory authorities.

The added value of the infrastructure’s operators (or even of its end-users) lies, on the one hand, in their inventory of the existing data, tools and procedures, of the implemented organizations, and on the other hand, their inference, from that inventory, of the needs in: infrastructure modeling, available information, suitable representations, control and exchange of data with the incident response teams and the authorities.

The input of the incident response teams is essential to narrow down the demands regarding the informed mapping of the premises and infrastructures, and the teams’ means of transmission and local control.

Finally, the input of regulatory authorities is necessary to narrow down the needs in rooms dedicated to the control and synthesis of the transferred data, the decision support systems, the support systems for dynamic management of the actions, the procedures and formats for the interoperability with the systems of military intervention in the event of specific major crisis.

It is indeed necessary for the system to take many aspects into account, such as:

– the high level security policies which govern the running of the town or the region in the event of a serious crisis;

– the normal, or even the corrupted, operating conditions, and the functionalities of the infrastructure which are well-known to the operators;

– the conditions in which the appropriate teams can operate, such as the time necessary to reach the scene, the access roads, the means of intervention and the damages these might cause on the security system itself (for example, using fire hoses probably implies shutting down the nearby electric circuits);

– the interfaces corresponding to the intervention services (organization, communication tools, messages formats, etc.).

The various agents must therefore participate in the studies on the definition of the global security system, in the design of scenarios that will test the systems’ efficiency (during the elaboration, the testing, or the drill of the incident response teams), in the actual tests and drills, and in the establishment of conclusions.

Moreover, besides the conceptual difficulty of building a global alert and management system both adapted to the infrastructure and taking into account the specificities of the places, the organizations and the available means, the actual achievement of such a global system is challenged by the multiplicity of the agents involved, of the procedures and various databases, and finally by the multiplicity and asynchronism of the budgets for equipment and operation.

One of the largest margins for improvement in global security lies in the coordination of that multiplicity. On the technical level, this coordination happens through the choice of tools and local procedures which are coherent from one service to the next, part of a global master plan.

The most efficient procedure is therefore to first sketch out the global system we wish to implement in the medium term, so as to make an informed decision on the equipment the agents should be supplied with, and thus help those agents make investments, settled on locally but part of the master plan and therefore contributing to the system’s global improvement.

8.2.2. A structured, continuous approach

The infrastructures evolve with time, following the economic and/or demographic development of the town or of the region. An example can be found in the continuous evolution of airports, driven by the democratization of air transportation, the economic evolution and the technical advances of civil aviation. This leads to regular modifications of the functional, organizational and physical structure of the infrastructures, sometimes even to the construction of new physical structures (e.g. the arrival of new large commercial airplanes, such as the Airbus A380, entails new terminals, runways, etc.).

The infrastructure’s protection must inevitably evolve along with the infrastructure itself, while keeping its global dimension.

This implies an approach structured through time, consisting of:

– defining a coherent and progressive (on the scale of a few years) plan of development and evolution, so that it remains coherent with the investment plans and the evolution of needs;

– implementing an organization charged with the constant monitoring of the global security system’s adaptation;

– defining corresponding budget lines, so the necessary adjustments can be made in time;

– choosing electronic and organizational systems that are by nature evolutionary, therefore minimizing the loss of previous investments. This calls for the use of standards whose durability is probable, and the hiring of industrialists who can vouch for that durability.

These steps are still underestimated in many cases, most often due to economic constraints. For that reason, in time, the systems often become incoherent, sometimes even unsustainable, and feature “weak links”, doors wide open to hazards and threats. In some circumstances, the old savings can have expensive consequences, etc.

8.2.3. Confidentiality

The efficient protection of an infrastructure calls for the upholding of confidentiality on various levels.

First of all, the design of a security system demands that the hazards and threats be analyzed, and more specifically the ones relative to the weaknesses of systems already in use. The weaknesses of the physical, functional and organizational components must be identified and passed on to the industrial teams charged with the design of a new security system. It is clear that such information is sensitive and must only be transferred under certain guarantees of confidentiality so as to avoid handing possible targets to terrorists. To this day, national legislation, in France notably, does not regulate the confidentiality of this type of information insofar as its disclosure does not threaten national security (when such is the case, classification levels such as “confidential”, “secret” and “top secret” are specified in the penal code). On the European level, this problem is slowly being taken into account, notably through the possibility, introduced in 2007, of classifying certain results, or even some research programs.

Moreover, no matter how efficient, every detection system has limitations which can be exploited to circumvent it. For example, knowledge of the sensitivity limit of a scanner, meant to detect objects hidden under clothes according to their volume, could lead a terrorist to carry explosives in smaller pieces.

Hence the need for confidentiality when it comes to the characteristics and limitations of the equipment and of the detection and analysis systems which play a part in the protection of a critical infrastructure.

But this goes against the commercial promotion of the equipment sold by manufacturers, who generally mention in no uncertain terms their products’ limitations. Hence the importance of ensuring the confidentiality of the principles, technologies and equipment implemented within an infrastructure’s global security system.

8.2.4. Security analysis file

The protection of a critical infrastructure calls for the establishment of a general security file which will broach every aspect, from the detailed analysis of the infrastructure, the identification of hazards and threats, to the potentially usable technologies.

Typically, a security file should include at least the following elements:

– a functional description of the infrastructure in terms of principal functions and those functions’ constitutive sub-functions;

– a description of the requirements that are to be checked by these functions and sub-functions;

– the analysis of possible hazards or threats, through the identification of the affected infrastructure’s component(s) (physical, functional or organizational);

– the analysis of the consequences those hazards and threats might have on the functions, in terms of gravity (through the definition of several gravity levels), likelihood (to be defined for each level of gravity), and risks (function to be defined from the gravity and likelihood, their product for example);

– a detailed description of the most likely hazards and threats against which security must be reinforced: description of the physical and organizational components enabling the implementation of the function or the sub-function (place, environment, existing security system, etc.), consequences of the hazards or threats on the physical, functional and organizational components;

– possible solutions to diminish the risk, prevent an established risk, raise the alarm as soon as a sub-function is altered;

– the technical means involved in those possible solutions: which kind of technique and technology, the feasibility and level of control, the availability of the matching equipment, the durability of the solution, in terms of the product’s evolution as much as the durability of the industrial base and production industry.
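The first items of such a file can be kept as structured data, so that hazards are ranked and traced back to the first-tier function they end up degrading. The following is an added example, not taken from the original text: it reuses the station functions and incidents from section 8.1.2, takes risk as the product of gravity and likelihood as suggested above, and the 1 to 4 scales and all scores are constructed.

```python
from dataclasses import dataclass

COMPONENT_KINDS = {"physical", "functional", "organizational"}

# Function tree of the station example: sub-function -> parent function.
# First-tier functions have no parent.
FUNCTION_PARENT = {
    "bill the passengers": None,
    "carry the passengers": None,
    "keep the passengers informed": None,
    "ensure access to the trains": "carry the passengers",
    "ensure regular traffic": "carry the passengers",
}

@dataclass(frozen=True)
class Hazard:
    name: str
    component: str   # kind of component first affected
    function: str    # function or sub-function that is altered
    gravity: int     # 1 (minor) .. 4 (catastrophic), constructed scale
    likelihood: int  # 1 (rare) .. 4 (frequent), constructed scale

    def __post_init__(self):
        if self.component not in COMPONENT_KINDS:
            raise ValueError(f"unknown component kind: {self.component}")
        if self.function not in FUNCTION_PARENT:
            raise ValueError(f"unknown function: {self.function}")
        if not (1 <= self.gravity <= 4 and 1 <= self.likelihood <= 4):
            raise ValueError("gravity and likelihood must be in 1..4")

    @property
    def risk(self):
        # Risk as the product of gravity and likelihood.
        return self.gravity * self.likelihood

def first_tier(function):
    """Walk up the tree to the first-tier function that is degraded."""
    while FUNCTION_PARENT[function] is not None:
        function = FUNCTION_PARENT[function]
    return function

def register(hazards):
    """Hazards ranked by decreasing risk, then by name."""
    ordered = sorted(hazards, key=lambda h: (-h.risk, h.name))
    return [(h.name, h.component, first_tier(h.function), h.risk) for h in ordered]

def worst_risk_per_function(hazards):
    """Highest risk reaching each first-tier function through its sub-functions."""
    worst = {}
    for h in hazards:
        top = first_tier(h.function)
        worst[top] = max(worst.get(top, 0), h.risk)
    return worst

# Constructed scores for incidents mentioned in the chapter.
HAZARDS = [
    Hazard("barriers locked open", "functional", "bill the passengers", 2, 3),
    Hazard("tear gas in passageways", "functional", "ensure access to the trains", 3, 2),
    Hazard("personnel strike", "organizational", "ensure regular traffic", 3, 3),
    Hazard("fire reaching a transformer", "physical", "ensure regular traffic", 4, 1),
    Hazard("bulletin board power failure", "physical", "keep the passengers informed", 1, 3),
]

if __name__ == "__main__":
    for row in register(HAZARDS):
        print(row)
    print(worst_risk_per_function(HAZARDS))
```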

8.2.5. Decision making

The protection of a critical infrastructure can respond to constraints of rather diverse natures. It can be supported by:

– legal or institutional demands, such as international or regional regulations: for example, the standards laid down by the International Civil Aviation Organisation (ICAO) or by the regulatory authorities of the infrastructure’s operator;

– the necessity to ensure the durability of the users’ trust. For example, the extended unavailability of an infrastructure such as a subway line, following an incident, can lead to the development of alternative solutions by the users, and a substantial loss of customers in the long run, even once the infrastructure is back to normal;

– the prospect of a short- or medium-term return on investment. In that case, protection is a means and not an end, not necessarily part of a long-term plan.

It is easily conceived that, depending on the case, the demands will differ and so will the initiators of the protection operation. Notably, in the last case, the industry is the driving force and must not only offer its potential clients a security system, but also a profitable economic model.

8.2.6. Admissibility

The legal admissibility of a system is a constraint that must be taken into account, depending on which country the system will be implemented in. Some technologies are allowed in some countries while they are banned in others. As an example, in the United States, the use of x-ray screening systems is authorized for the control of people, whereas this is forbidden in France, where standard controls must generally not include any intrusion upon the human body.

The public’s acceptance of the security system is also an element that should be pondered on before reaching a decision, even more so since critical infrastructures often see a very great number of people through every day, people of highly varied sensibilities and cultures. The infrastructure’s nature also has a direct influence on that acceptance. Let us look at two radically different cases: a regional or national public administration building, such as a French prefecture, and an airport.

In a public administration building, people must be welcomed and, as much as possible, should not feel that they are being observed, their behavior analyzed, a database filled without their consent. This feeling (the Big Brother syndrome) would be totally groundless, since such practices are illegal in most countries, including France. The purpose of public administration is, after all, to deliver a service to the people, and not to suspect them a priori or control them without their knowledge. A security system must therefore be discreet so as not to attract attention, to curb any reluctance and exaggerated protest movement.

On the other hand, in an airport, the pre-boarding screening, even though very visible and troublesome, is well-accepted, for each passenger understands the benefits to their own safety.

Moreover, depending on the events and the country’s geopolitical situation, the public’s acceptance of more visible, sometimes more exacting, control systems, is much more easily achieved. For example, in the weeks that followed September 11, 2001, screenings in airports were much more thorough and led to rather frequent searches, since the sensitivity of the walk-through scanners had been considerably heightened.

This shows how much acceptance depends upon the context of the security system’s implementation, and the country’s (and the time’s) geopolitical conditions.

8.3. Security systems of the future

Many of the security systems currently in use are based on a principle of deterrence, which is to say on the fear of being found and prosecuted. Such is the case with video surveillance systems. Admittedly, this approach is successful within the current Western ethics, in which freedom and life are paramount values. It should be noted that these values are dependent on the current geopolitical conditions, and deep individual feelings. The value system of one society is not necessarily shared by other societies. For example, some terrorist organizations do not place the same value on human life at all.

We can also note that stress conditions and social troubles can lead to desperate action where life is no longer at the center of the value system. In all these situations, suicidal behaviors emerge, which completely invalidate the dissuasive approach, since the eventuality of an investigation and a sanction loses all meaning.

Finally, the ever-growing complexity of large infrastructures made up of several functional, organizational, sometimes even physical systems, leads to the study of the aforementioned domino effects, and the search for the early containment of any event that could trigger such an effect.

All these reasons lead us to consider, more and more often, proactive security systems, which would not only detect serious events, but also the warning signs of such events, and trigger the appropriate actions to keep said events from happening.

8.3.1. Proactivity, crisis management and resilience

The proactivity of a security system can only stem from the intelligent analysis of a set of weak signals, that is, received elements of information which are not, in themselves, important enough to trigger an alert, insofar as they only correspond to a minimal probability of a dreaded event.

On principle, the aim is to integrate several weak signals into a proactive system, in order to create a range of corroborative hypotheses whose probability reaches a sufficient level so as to correspond to the near occurrence of a dreaded event. This process is akin to the human reasoning which makes a sensible individual expect a fire when he sees a burning cigarette butt thrown to the ground next to an inflammable liquid spreading on the surface; thus the need for devices that can integrate these weak signals which are based, as suggested by the previous example, on the disjointed occurrence of elements constitutive of a dreaded event. Of course, solutions are also sought to eliminate the constitutive events themselves, which is always for the best!
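The integration of weak signals described above can be sketched as a probabilistic fusion per zone, in which no single signal raises an alert but two corroborating ones do. The following is an added example, not taken from the original text: it uses naive Bayes fusion in log-odds form (which assumes the signals are conditionally independent), and the likelihood ratios, prior, threshold, time window, zone names and observations are all constructed.

```python
import math
from collections import defaultdict

# Assumed likelihood ratios: P(signal | fire imminent) / P(signal | normal).
LIKELIHOOD_RATIO = {
    "lit_cigarette_on_ground": 8.0,
    "flammable_liquid_spill": 15.0,
    "smoke_detector_low_reading": 6.0,
}
PRIOR = 0.001            # assumed prior probability of the dreaded event in a zone
ALERT_THRESHOLD = 0.10   # assumed posterior at which an alert is raised
WINDOW_S = 300           # older signals no longer corroborate anything

def posterior(ratios, prior=PRIOR):
    """Combine independent likelihood ratios with the prior, in log-odds."""
    log_odds = math.log(prior / (1.0 - prior))
    log_odds += sum(math.log(r) for r in ratios)
    return 1.0 / (1.0 + math.exp(-log_odds))

def assess(observations, now):
    """observations: iterable of (timestamp, zone, signal).
    Returns zone -> {"signals", "probability", "alert"}."""
    active = defaultdict(set)
    for t, zone, signal in observations:
        if signal in LIKELIHOOD_RATIO and 0 <= now - t <= WINDOW_S:
            # A signal reported twice (e.g. by two sensors) counts only once.
            active[zone].add(signal)
    result = {}
    for zone, signals in active.items():
        p = posterior(LIKELIHOOD_RATIO[s] for s in signals)
        result[zone] = {
            "signals": sorted(signals),
            "probability": p,
            "alert": p >= ALERT_THRESHOLD,
        }
    return result

# Constructed observations (timestamps in seconds).
OBSERVATIONS = [
    (10, "hall_A", "flammable_liquid_spill"),       # stale at now=320
    (100, "platform_2", "flammable_liquid_spill"),
    (130, "platform_2", "flammable_liquid_spill"),  # same spill, second sensor
    (200, "hall_A", "lit_cigarette_on_ground"),
    (220, "platform_2", "lit_cigarette_on_ground"),
]

if __name__ == "__main__":
    for zone, info in sorted(assess(OBSERVATIONS, now=320).items()):
        print(zone, info["signals"], f"{info['probability']:.4f}", info["alert"])
```

On the constructed data, the spill and the cigarette together on platform_2 cross the threshold, while the cigarette alone in hall_A stays far below it because the earlier spill there has aged out of the window.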

As successful as proactive systems may be, it would be irresponsible not to envision that, despite those systems, a dreaded event might happen and lead, for example through a domino effect, to a serious crisis. To that effect, we should always try and anticipate possible events so as to possess, when the time comes, the appropriate means to counter them.

To this end, we need to be able to follow the evolution of the crisis, to anticipate the possible effects if the crisis is not stopped, to evaluate the means necessary to stop it and to trigger their implementation.

Thus the necessity of crisis management tools, which help monitor the crisis, anticipate the effects and evaluate which means to implement.

8.3.2. Early reduction of risk

The design of the security system must take into account the desired resilience following a crisis, that is to say the infrastructure’s ability to repair itself so it can resume its functionalities as soon as possible, safety being one of the main functionalities to restore.

To proactively protect, we must therefore either eliminate the elements constitutive of a dreaded event or crisis, or detect them through an intelligent integration such as we studied in the previous section.

Considering the infrastructure’s “system of systems” dimension, we should first try to reduce the risks linked to the appearance of an element constitutive of a dreaded event, and do so in all the functional, organizational and physical fields. To this end, the risks must be analyzed and eliminated as soon as possible, within the infrastructure’s standard operation.

For example, on an organizational level, the first thing would be to check the “reliability” (trust and morals) of any personnel with access to the infrastructure’s sensitive zones, without omitting the service providers. On a functional level, replacements must be ensured in the event of the failure of some of the systems. On a physical level, for example, we should plan redundant communication tools to keep in contact with the teams or the sensors in the event of a failure of the regular tools, provide safe havens for people trapped in a fire, etc.

8.3.3. Electronic detection systems

The critical infrastructure security market has seen exponential growth in the last few years, in particular since the events of September 11 and the bombings in Madrid and London. The realization of some infrastructures’ fragility has directed worldwide research, leading to the emergence of new technologies. These new technologies have in-depth impacts on security measures, and they come into play on various levels within the 21st century’s security solutions by giving them a new system dimension, laying more importance on the entire infrastructure. This leads to an interest in technologies which can operate on the system’s various levels.

The security systems which have already been implemented or are being implemented are often based on video cameras, access control systems, intrusion, biometric, or x-ray sensors. For the most part, these systems use wired or radio communication standards, basing themselves on predefined architectures. They are good candidates as the foundations of future surveillance and early alert systems, as long as they are complemented by various levels of intelligence (distributed and central) and by complementary sensors.

The first level is related to the addition of new sensors, or the miniaturization and industrialization of existing technologies. These new sensors, for example neutronic detection, often efficiently replace or assist humans in brand new fields. For example, in the detection of the trafficking of illegal goods (explosives, drugs, etc.), x-rays are at the base of most equipment in use in sensitive areas: luggage screening in airports, entry control, container control, etc. The objects’ shape and density are essentially the data used in the detection process. The false alarm rate (harmless objects being reported as explosives) is then rather high. The running of these systems could be improved by adding data concerning the physical composition of the object. Such is the potential and essential service that could be added by neutronic technology, for example. Another example can be found in the sensor technologies within millimeter-wave frequency bands which allow for the passive detection of metallic or dielectric objects carried under a person’s clothing.

Parallel to the use of new basic technologies, heightening the elementary sensors’ capacities, either through intelligent networking, or through their coupling with information technologies and in particular image processing, equips a sensor or a set of clustered sensors with a local intelligence capacity. For example, scene analysis software can detect abnormal behavior, abandoned objects, etc. There lies the second major technological level.

The third technological level is related to the abundance of sensors and information, whether raw or processed. This overwhelming amount of data has brought out the need to correlate or merge said data, so as to avoid a single event being reported as many times as there are sensors (following the principle that too much information kills information). Moreover, this fusion, or intelligent merging of data, leads to a much richer characterization of events, which enables the estimation of risks and even the forecasting of domino effects. For example, the simple coupling of audio-surveillance and video-surveillance makes it possible to correlate the events underlying the data picked up individually by each sensor.

Lastly, for their work to be made easier, the operators need to be given the clearest and most informed vision of the situation, so they can then make the right decisions. This will only be made possible through the use of information management tools and man-machine interfaces capable of giving them the constantly updated tactical situation while drawing their attention to the most critical parameters. This presentation aspect is crucial, for it is closely related to the human being and his limitations. This is the fourth technological level.

The use of these technological contributions, on each level – sensors, sensor networks, data fusion, information presentation – is greatly facilitated by open software architectures of the middleware kind, which enable the integration of these new technologies within a coherent and interoperable information system.

8.3.3.1. Architecture: the sensors

Let us now detail the architecture of the system of systems formed by the critical infrastructure’s security system, and in particular the information related to the sensors. This architecture ought to be as modular as possible: modularity is reached by defining autonomous blocks interfaced with one another, so as to control the complexity which arises as much from the number of constitutive elements as from their interconnection topology. This property partly shifts the architectural problem to the level of interface management, which on the one hand reduces the complexity, and on the other facilitates the insertion ad libitum (plug and play) of new components.

Modular architecture can translate into the organization of the sensors into three levels:

– the lowest level, the level of basic sensors, such as a video camera, a microphone, or a gas detector. On that basic level, intelligence can consist, for a video camera, of pre-processing the information to determine outlines, speed, shapes, colors, so as to only transmit data relevant to the current situation. Some video cameras are also capable of changing their focus depending on certain conditions, which are checked by the cameras themselves;

– the intermediate level, a “cluster” of sensors of similar or differing natures, for example a set of video cameras fully or nearly collocated, observing the same scenes. In large and complex sites, the great number and heterogeneity of the sensors creates a flow of data difficult to process with a centralized architecture. The challenge is to decentralize part of the intelligence within clusters of sensors, relying on:

- the collaborative integration of several physical principles (audio-video, magnetic-millimetric, X-neutron, etc.),

- local preprocessing capacities,

- connections to data processing and communication nodes, distributed within the sensors’ network;

– the highest level, where all the data transmitted by the previous levels is integrated. This integration is done in a security control center, where the high level data, which trigger the alerts and monitor the possible evolution of events, are elaborated.

The collected data is all the richer since it comes from several kinds of sensors. The interpretation of an image transmitted by a video camera is greatly facilitated by simultaneous acoustic information: a sudden sway in the crowd and the simultaneous sound of an explosion are much more instructive than each piece of information received separately. However, the intelligent fusion of heterogeneous data is not simple and demands that the information coming from different kinds of sensors be communicated in a unified format. This integration must guarantee a level of data integrity: indeed, the fusion must compact the data into a more elaborate message, but must not under any circumstance fabricate information; moreover, it must not use all the available data. Intelligence, which consists of judiciously integrating the information picked up by the sensors, happens on each of the previously mentioned levels.

A security system’s optimum architecture is the one which optimizes that intelligence depending on the level, so as to lead to the best result while reducing the global cost of the system (not necessarily by reducing the number of sensors) and securing the system’s evolutionary nature.
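The correlation of audio and video reports into a single enriched event, as described for the third technological level and for the sensor clusters, can be sketched as follows. This is an added example, not taken from the book: the unified report format, the 5-second window, the noisy-OR scoring rule and all sample reports are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WINDOW_S = 5.0  # assumed correlation window: closer reports in one zone describe one event


@dataclass(frozen=True)
class Report:
    """Unified format emitted by every sensor or cluster, whatever its physical principle."""
    sensor: str
    kind: str          # physical principle: "video", "audio", ...
    zone: str
    ts: float          # seconds
    label: str
    confidence: float  # 0..1, estimated by the sensor's local processing


@dataclass
class FusedEvent:
    zone: str
    start: float
    end: float
    reports: list  # original reports kept verbatim: fusion compacts, it never invents

    def modalities(self):
        return sorted({r.kind for r in self.reports})

    def score(self):
        """Noisy-OR over the best report per modality (assumes modalities err independently).

        Two cameras seeing the same scene do not raise the score; a microphone does.
        """
        best = {}
        for r in self.reports:
            best[r.kind] = max(best.get(r.kind, 0.0), r.confidence)
        miss = 1.0
        for c in best.values():
            miss *= 1.0 - c
        return round(1.0 - miss, 3)

    def summary(self):
        return {
            "zone": self.zone,
            "start": self.start,
            "end": self.end,
            "labels": sorted({r.label for r in self.reports}),
            "sources": sorted({r.sensor for r in self.reports}),
            "corroborated": len(self.modalities()) > 1,
            "score": self.score(),
        }


def fuse(reports, window_s=WINDOW_S):
    """Group reports by zone and time proximity so one event is raised once, not per sensor."""
    events, open_by_zone = [], {}
    for r in sorted(reports, key=lambda rep: rep.ts):
        ev = open_by_zone.get(r.zone)
        if ev is not None and r.ts - ev.end <= window_s:
            ev.reports.append(r)
            ev.end = r.ts
        else:
            ev = FusedEvent(r.zone, r.ts, r.ts, [r])
            events.append(ev)
            open_by_zone[r.zone] = ev
    return events


# Constructed sample input: a crowd movement seen by two cameras and heard by a microphone,
# an unrelated report elsewhere, and a later, separate report in the first zone.
SAMPLE_REPORTS = [
    Report("cam-01", "video", "platform-2", 100.0, "crowd_surge", 0.6),
    Report("mic-07", "audio", "platform-2", 100.2, "explosion_sound", 0.7),
    Report("cam-02", "video", "platform-2", 100.4, "crowd_surge", 0.5),
    Report("cam-05", "video", "concourse", 101.0, "abandoned_object", 0.8),
    Report("cam-01", "video", "platform-2", 130.0, "crowd_surge", 0.4),
]

if __name__ == "__main__":
    for event in fuse(SAMPLE_REPORTS):
        print(event.summary())
```

Five reports become three events, and every fused event still lists the sensors it was built from, so an operator can trace the alert back to its sources.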

8.3.3.2. Communications

The electronic security systems of a critical infrastructure almost always consist of a constellation of multisensors. Since the sensors are spread over a relatively broad geographical area, it is necessary to transmit the collected data, sometimes already pre-processed by a sensor or a cluster of sensors, toward a sublevel processing node or straight to the central control room. Whichever the case may be, channels of communication must be implemented between the various levels of the architecture.

Three major solutions can be used:

– dedicated communication networks;

– internal communication networks, of general use, which belong to the infrastructure’s internal communication networks even though their usage is not restricted to the security system;

– open communication networks, which can have other uses besides what is required by the infrastructure: Internet, GSM, etc.

By nature, security demands that the communication network itself be safe and able to guarantee the received data’s integrity. The physical or functional continuity of the transmission channel must therefore be monitored so as to guarantee the transmission, as must be the security of the transferred data, so as to prevent it being altered in any way, whether it be by accident or by design.

The transmission channel might be material (cable, optical fiber) or immaterial (radio waves, infrared). In both cases, we should monitor network intrusions, that is to say block or delete information added within the network and not coming from one of the security system’s sensors. Interference in wireless transmission systems is one example. Hence the need to first authenticate information by checking its origin, then guarantee its integrity.

For example, the convergence and interconnection of application software around an IP network introduces new threats. The goal is no longer to secure one or two external connections located on the network’s fringes, but to implement a strategy over the entire network, in which the security functions are distributed among the various network layers and working components. While security must always be assured at the fringes, it must also be implemented ahead of the resources (for example on the servers), on the client workstations, all the way to the network’s core. Such a strategy is all the more necessary in the case of radiocommunication networks, because of their open nature.

Lastly, as can be easily guessed, upgrading a security system through the addition of new sensors calls for the design of an extensible communication network which can simplify that addition. In that particular case, the in-depth defense principle concerns the authentication of the equipment and the users, regardless of the context, and the confidentiality of IP communications, regardless of the transfer channel.

Moreover, if the network does not in itself have a sufficiently high security level (public Wi-Fi network, civil satellite access, etc.), a sufficiently efficient protocol of end-to-end IP encryption must then enable the use of multimedia applications (voice, video) while maintaining the quality of service.
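The checks this section calls for (authenticate the origin of each message, guarantee its integrity, discard information injected into the network, and monitor the continuity of the channel) can be sketched as follows. This is an added example, not taken from the book or from any deployed system: it assumes a pre-shared HMAC-SHA256 key per enrolled sensor, a JSON envelope carrying a sequence number, and a 10-second silence threshold; all identifiers, keys and messages are constructed.

```python
import hashlib
import hmac
import json

# Constructed keys (assumption: each enrolled sensor is provisioned with its own secret).
SENSOR_KEYS = {
    "cam-01": b"constructed-key-cam-01",
    "mic-07": b"constructed-key-mic-07",
}
HEARTBEAT_TIMEOUT_S = 10  # assumed maximum silence before a channel is reported as broken


def _canonical(body):
    """Serialize deterministically so sender and receiver authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(sensor_id, seq, ts, payload, key):
    """Sensor side: wrap a reading in the envelope and append an HMAC-SHA256 tag."""
    body = {"sensor": sensor_id, "seq": seq, "ts": ts, "payload": payload}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Receiver:
    """Processing-node side: origin, integrity, replay and continuity checks."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}   # sensor -> highest sequence number accepted
        self.last_seen = {}  # sensor -> timestamp of the last accepted message

    def accept(self, msg):
        """Return (verdict, detail); only 'ok' and 'gap' messages go on to fusion."""
        sensor = msg.get("sensor")
        key = self.keys.get(sensor)
        if key is None:
            return ("reject", "unknown origin")
        body = {k: msg.get(k) for k in ("sensor", "seq", "ts", "payload")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        received = str(msg.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return ("reject", "bad tag")
        seq, prev = msg["seq"], self.last_seq.get(sensor)
        if prev is not None and seq <= prev:
            return ("reject", "replayed or reordered")
        self.last_seq[sensor] = seq
        self.last_seen[sensor] = msg["ts"]
        if prev is not None and seq > prev + 1:
            return ("gap", f"{seq - prev - 1} message(s) missing")
        return ("ok", "")

    def silent_sensors(self, now):
        """Continuity monitoring: enrolled sensors not heard from within the timeout."""
        return sorted(
            s for s in self.keys
            if now - self.last_seen.get(s, float("-inf")) > HEARTBEAT_TIMEOUT_S
        )


def demo():
    """Run constructed traffic through the receiver and return the verdicts."""
    rx = Receiver(SENSOR_KEYS)
    key = SENSOR_KEYS["cam-01"]
    m1 = seal("cam-01", 1, 100, {"event": "abandoned_object", "zone": "platform-2"}, key)
    m2 = seal("cam-01", 2, 101, {"event": "none"}, key)
    m4 = seal("cam-01", 4, 103, {"event": "none"}, key)
    altered = {**m2, "payload": {"event": "none", "zone": "changed-in-transit"}}
    foreign = seal("cam-99", 1, 101, {"event": "none"}, b"not-an-enrolled-key")
    verdicts = [rx.accept(m)[0] for m in (m1, altered, foreign, m2, m1, m4)]
    return verdicts, rx.silent_sensors(now=110), rx.silent_sensors(now=115)


if __name__ == "__main__":
    print(demo())
```

The tag protects origin and integrity only; the end-to-end encryption mentioned above for networks without a sufficient security level is a separate layer that this sketch does not implement.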

8.3.4. Plug and play

The plug and play concept, well known to the general public, consists of making the system able to configure itself automatically so that any physical and functional evolution is as transparent as possible to the user.

The standards and the technologies pertaining to that concept are a good illustration of the concept’s growing importance as a unifying key mechanism, as much on the level of interoperability as on the modularity of ever more dynamic and mobile installations. Today, these technologies are mainly available to the public at large and identified within the global issue of Home Networking. Indeed, the ever-growing presence of digital equipment that is both intelligent and able to communicate (PC, high-rate modems, video recorders, digital television networks, surveillance cameras, printers, etc.), and its increase in number and types, clearly calls for the simplification of its deployment (the user is not systematically a seasoned computer specialist!).

It should also be pointed out that the Web and the current success of service-oriented architectures (SOA) are another important source of inspiration which goes well beyond the concerns of Home Networking.

Two architectural approaches are possible, not necessarily opposed but rather complementary:

– the work approach, specific, generally low-level and mostly driven by equipment manufacturers;

– the generic approach, generally high level, sometimes even very high level in the case of Web services, mostly driven by software publishers (in particular operating systems designers) and the Web world.

These approaches can be used as an axis for the development of the architectures of critical infrastructure security systems, such as airports, large train stations, energy storage sites, buildings with a high media and political value. Indeed, these infrastructures’ configurations might need to be upgraded for several reasons:

– either following a spatial extension of the infrastructure: for example, the Paris Roissy 2 airport is in full expansion with the opening, in the last two years, of two more terminals;

– or when the security level must be heightened:

- new international regulations,

- temporary increase of risk corresponding, for example, to a higher level of threat within a security system (“Vigipirate”, in France), which calls for the deployment, for a limited time, of new equipment to complement that already in use,

- the occurrence of a particular event in a site which is not permanently identified as a critical infrastructure (social, cultural or sports events, meetings of key political figures, etc.),

- necessity to intervene within an infrastructure during a major crisis (bombing, accident) or in an urban area after a catastrophe.

In each case, we wish to avoid modifying, or even fully replacing, the electronic security system already in use. The issue is therefore, on the one hand, to design means to detect the current configuration so as to auto-adapt in real time the algorithms to the sensors’ heterogeneity, their number and their positioning (position and coverage), parameters a priori unknown. On the other hand, automatic mechanisms must be designed so as to reach, in that particular situation, optimum processing of the data transferred by the sensors and the databases.

For example, the system architecture must automatically detect the introduction, on a given zone, of new sensors carried by the people entering that zone. It must auto-adapt the algorithms of data fusion and analysis so that this new influx of information is automatically taken into account without the operators’ intervention. Moreover, the algorithms which monitor and manage the system must also reconfigure in real time depending on the detected configuration.

8.3.5. Crisis management tools

Recent events, whether they had natural (storms, tsunamis, earthquakes) or human origins (equipment malfunctions, organization malfunctions, human errors, terrorist attacks), demonstrate our society’s frailty against unexpected events. By definition, these events alter the working conditions of the installations and the agents, and can therefore lead to true disasters when the security systems are not able to stop the dreaded events before they can trigger a deep crisis.

In such cases, the crisis must be monitored, its effects contained by keeping the populations and the infrastructures safe, and the means necessary for the restoration of the infrastructure’s normal operation must be deployed. These various procedures are grouped under the standard name “crisis management”.

This management is all the more efficient when the following key factors are mastered:

– the capacity to rapidly assess the situation and its evolution;

– the quickness of the intervention and of the appraisal of the means necessary to contain the crisis’ consequences;

– the implementation of secured communication channels, out in the field and with the distant centers (control centers, hospitals, airports, etc.);

– the authorities’ and field agents’ handling of the information and global knowledge about the catastrophe;

– the coordination and monitoring of the incident response teams so the rescue can be more efficient;

– the use of decision support systems.

The technological challenges that must be met to master those factors are numerous. The answers can only be found through a global and mutual approach to the security and crisis management systems by the various agents, infrastructure managers, incident response teams, local authorities and industrial teams in charge of designing the security system and the crisis management system.

Indeed, the efficiency of crisis management depends on the coherence of actions such as:

– the provision of efficient teaching aids which will help mimic the effects of a crisis during exercises, trainings and drills of the various agents of crisis management;

– the detection of any element foreshadowing such abnormal events, which comes down to giving the alert as early as possible;

– crisis management, which means triggering the appropriate actions and the real-time monitoring of these actions’ development as soon as possible so as to adapt them to the situation’s evolution.

The aim is therefore to design a single security system featuring coherent interoperable tools of analysis, forecasting, decision support, training and management.

8.3.5.1. Informed mapping

A crisis management system must help organize means of rapid intervention before the crisis, and therefore limit an event’s consequences, and enable the redeployment, simultaneously and in real time, of personnel and means, both on the level of the surveillance centers and the intervention field.

This can be done by implementing a set of technologies that will enable:

– the improvement of the real-time characterization of events;

– the sharing of information between all the agents, through an adapted real-time reproduction;

– the optimization of the answer to the events, through the predictive simulation of the situation.

This calls for great efficiency and reactivity, notably in the three following fields: local gathering of information; validation of that information; centralization and visual display of that information in a stationary or mobile control center.

It is therefore necessary to possess tools that will allow, on the one hand, the real-time access to an informed map, that is to say featuring information on the various micro-infrastructures within the studied geographical zone, and on the other hand the real-time forecasting of the crisis’ evolution. For both those aspects, mapping tools are necessary and enable the transfer of information to an operator in a simple and adapted form.

More precisely, informed mapping includes geographical data such as:

– cartographic/geographic information in 2D or 3D;

– specific critical and/or useful characteristics of the equipment or the micro-infrastructures depending on the crisis’ nature. For example, knowledge of the presence of pyranol in a transformer allows the forecasting of a particularly serious domino effect which could happen in the event of a fire: if the fire reached the transformer, the event would change nature and take on a chemical character it did not formerly possess.

The juxtaposition of information coming from several sources brings up several problems that should not be overlooked, notably:

– the interoperability of the various databases, spread over a vast geographical zone;

– the granting of access to said databases;

– the legal matters of responsibility that come with the possible mixing of public and private information, the decision to act and the means implemented.

3D mapping leans, on the one hand, on 3D modeling of the site holding the infrastructure, and on the other hand on the visual display of that modeling for the benefit of an operator. The 3D modeling of a site consists of recreating, from data gathered out on the field with the level of detail required by the application, a 3D representation of the elements of terrain, culture, the infrastructure and the superstructures.

In the case of sites within an open area (sparse or non-existent houses), the entry data are as follows: digital elevation model, planimetric representation of the occupation of the grounds and infrastructures, airborne or satellite imagery (orthoimages and multi-angle views are recommended) of the textures and flat features, 3D models, either vectors or images. Based on these entry data, editing tools, for correction and alignment, and conversion tools, for the generation of the imagery (polygons, defined surfaces, etc.), are used to generate representation databases of the studied sites, first in the standard formats, then in formats specific to the processing tools (display, for example).

In the case of sites within an urban area, the entry data are: orthoimage airborne imagery, stereoscopic pairs (triplets, or even quadruplets), ground or elevated imagery, photos of particular facades, buildings and architectural objects, point clouds generated by a scanner (laser), drawings and maps. Based on these data, acquired on-site from airborne or terrestrial platforms, operations of alignment, and later of reconstruction (calculating the envelopes, for example) must be run.

In the case of confined sites, the entry data consist of ground imagery and drawings. Based on these data, editing and modeling tools reconstitute the internal volumes, as much their geometrical aspect as their visual aspect (within the visible, or possibly in other electromagnetic bands), and furnish them with internal objects. Semantic information on the objects’ nature, physical information on the material’s nature, and topological information can be associated with this geometric and visual modeling. These databases rapidly become voluminous depending on the level of detail and the width of the area, and must be organized in an optimized way and divided so as to be exploitable in segments.

The 3D modeling of an urban site is still partly a research field. Current developments concern the search for automation of the various functions of acquisition (automation of the acquisition, geolocation, etc.), of alignment and of reconstruction. It is highly likely that these techniques will be commonly used in security systems in the future.

Creating a 3D display of a site consists of creating a dynamic image (at a frequency ranging from a few Hz to 60 Hz depending on the application software) of the studied site following a perspective piloted by the application. Image generation takes into account, besides the rendering of the site and its layout (the objects and equipment which populate it), the conditions of observation, including the visual sensor’s characteristics and the light conditions, as well as the weather conditions (fog, rain) and dynamical aspects such as smoke or other darkening cover. In the case of urban and confined environments, 3D visual display takes into account the many sources of light which will contribute to the scene’s lighting.

On top of this “dead” vision of the site, the visual display must be able to take into account specific animation effects such as the triggered events, whether they concern objects, people or vehicles. The animation of these objects is realized through the use of specific components integrated within the simulation system and communicating with the 3D visual display component so as to give it the data necessary to the representation of the various objects’ state and position.

Today, 3D visual display is commonly used in various fields, from real-time simulation to video games, as well as design and scale modeling simulation. Future systems will treat a higher number of static objects with a higher level of detail, and they will represent the dynamic effects and agents more finely and with added realism.

8.3.5.2. Dynamic tools

The use of a field modeling common to all the agents must also enable access to crisis management data, such as:

– visual display of specific critical and/or useful characteristics of the infrastructures depending on the crisis’ nature;

– visual display of the effects and their predictive propagation, and the quantification of the risks (effects on the population, industrial and economical impacts);

– adaptive and contextual visual display adapted to each agent;

– dynamic (time-dependent) determination of the security perimeters.

Moreover, crisis management support systems must allow real-time access to:

– segmentation of the actions to launch after an incident;

– creation and updating of structured databases, providing the incident response team with the appropriate information in terms of the nature, location and evolution of the information;

– knowledge on the crisis’ constituents and the means of intervention;

– management and real-time browsing of the archived documents and procedures for fast access to a richer and more specific information upon the request of a team member;

– audit and replaying for legal or training purposes;

– evolution of knowledge and training.

In particular, the cartographic tools, with the added “crisis management” dimension, must allow for the exploitation of the data gathered in real-time by the various sensors (video surveillance, alert sensors in fields such as nuclear energy, radiology, bacteriology and chemistry, telemetry, satellite imagery, aerosols, gamma cameras), as well as the monitoring of the incident (prediction of domino effects, safety perimeters, etc.). They lean on hierarchized archival tools which can be located on other sites, and on decision support algorithms.

Hierarchized archival tools enable collaborative updating from heterogeneous sources, the analysis and tagging of the data for the purpose of precise indexing, and the real-time consultation of the archived documents and procedures so as to access richer and more specific information more rapidly.

The diagnosis and decision support algorithms perform:

– an evaluation of the situation according to a risk scale relative to the dreaded events that were identified during the design of the security system;

– the constitution of databases prior to the intervention;

- definition and scale of the intervention means, planned arrival dates of the means on-site,

- functional modifications to launch within the infrastructure (closing the doors, stopping certain services, informing the public);

– the segmentation of the actions to launch after an incident;

– the real-time optimization of the security perimeters depending on the field data and the evolution of the situation.

These dynamic decision support tools lean on the communication and interoperability tools of the geographical information systems, and the many private and/or public databases which help take into account the procedures and the characteristics of the infrastructure’s equipment and constituents (chemical contents, mechanical resistance, etc.).

Thus it is necessary to use harmonized standards and procedures that will guarantee interoperability between the various databases and tools, and to have transverse organizations and processes between the various actors which will guarantee the availability, the relevance and the real-time accessibility of the necessary data. As has been previously pointed out, and has just been confirmed, the optimization of those elements can only be reached after considering the issue in its entirety.

8.4. The human factor

In the near future, the electronic systems dedicated to infrastructure security will raise early alarms, most of the time helping people act before the real crisis can actually start. However, while these systems can automatically trigger a certain number of prevention measures (for example: intelligent stop of subway circulation, closing of doors, triggering of smoke extractors, etc.), they will most often involve operators and intervention personnel. These people will need to see the information they require in the most natural and comprehensible way, avoiding any possible misinterpretation.

The man-machine interfaces are therefore an important feature of the security system, necessary but not sufficient: a crisis control center requires the intervention of a diversity of experts who must be coordinated. Beyond the technical solutions which facilitate the exchanges, robust and adaptive organizational processes must be implemented so as to take into account the unpredictability inherent to crisis situations.

Moreover, in the event that domino effects develop, it is crucial for the operators of the impacted critical infrastructure to closely follow the situation’s evolution in real time, and also have a predictive vision of it, so as to decide which means to implement and monitor the incident response teams active on the site. Ways to monitor the situation are also necessary in order to control the data coming from assorted origins and make the right decisions by optimizing the match between the needs and the available resources (incident response teams for example).

8.4.1. Monitoring

In order to set up human means of intervention (rescue teams, intervention personnel) and monitor their deployment as well as their results, an operational control center is necessary, preferably located away from the infrastructure for security reasons, and allowing for the grouping, in one room, of the set of information necessary for the management of a crisis, namely:

– the visual display, as detailed as possible, of the situation in real-time;

– the predictive display of the probable evolution, including the display of probable domino effects;

– the real-time situation of the rescue and intervention teams;

– the information about the infrastructure’s operation.

It should be noted that these pieces of information will most often not only be about the affected critical infrastructure, but also its neighborhood (the city block, the town, or even further away). For example, in the event of a crisis in an underground subway station, it is obviously crucial to know the situation within that station, but also to follow in real-time the effects on the roadway traffic around the block and even the town, the traffic having a direct impact on the time it will take rescue teams to reach the scene, since they might be delayed by traffic jams.

Moreover, beyond that visual display, crisis management integrates the management of the entire set of resources which will be necessary to ensure the successful running of the operations relative to the intervention, grouping together the installations, technologies, equipment and human resources. The absence or failure of one of these elements can contribute to the paralysis of the intervention team. It is therefore important to know these resources’ availability in advance, as well as the instructions for the equipment’s use and operation.

In parallel with the assessment of the situation and the analysis of the damages, the goal is to evaluate and determine the needs of the crisis management teams, according to the objectives, and to optimize the allocation and deployment of the resources for an increased efficiency, in particular when faced with a shortage of one of these resources.

To enable the mobilization, rollout, use, monitoring and eventual demobilization of the resources, decision support systems must optimize all the plan’s elements, such as time, tasks, means, resources, constraints.

Depending on the tasks corresponding to the identified actions to carry out in the planned interventions (for example: “define the security perimeters”, “evacuate a zone”, etc.) and the analysis of the operational plans, sequencing constraints are defined for the various types of interventions and the corresponding resources are established in terms of the volume of means to deploy (personnel and equipment) and in terms of maximum time allotted to these interventions. Of course this monitoring relies on the modeling of intervention operations, the use of resources, as well as the command of the combinatorics resulting from the allocation of resources to tasks when the global capacity is limited or when their simultaneous use is made difficult by the acknowledgment of a certain number of operational constraints.

As is easily understood, a single operator will have a hard time monitoring the totality of this information. Hence the necessity, as is already the case in modern operational security centers, of setting up monitoring stations run by the appropriate personnel depending on the organization of the entities that are called on: means of intervention, infrastructure, authorities. From the devices controlling the display and storage of the information, the communication with the critical infrastructure and the various organizations involved in the action, to the maps of the premises, the architecture of the operating core of security is an important aspect of operational efficiency and deserves appropriate care. Indeed, we must have access to a global synthetic situation that will, with a reduced number of screens, or sometimes an entire wall of screens, help comprehend the situation and its evolution; we must also have the set of determining factors on nearby stations so as to monitor the situation, and do so depending on the many points of view relative to the various intervention trades.

The organization and architecture of the security’s operating core must obviously be specified according to the studied infrastructure. We can however mention the following things:

– the intended solution must call on the smallest possible number of pieces of equipment so as not to scatter the attention of the operator working in the control/monitoring room;

– means allowing subgroups to work in parallel on hypotheses or different evolutions must be designed with the ability to quickly change hypothesis if need be;

– multimodal interfaces such as radio or hand-held digital devices must enable interaction with the system;

– the man-machine interfaces must be, if possible, “adjustable” by personnel on-site, according to the various profiles (trades, languages, special skills), either manually (with an entry code) or automatically (through wireless communication for example). They must also be adapted to stress situations.

8.4.2. The man-machine interface

As has been previously mentioned, the man-machine interface is an important component of a system. It is present on the various levels of an infrastructure security system, from the control center to the personnel scattered within the infrastructure and in charge, for example, of the first controls or the first interventions.

The purpose of such an interface is to provide the operator, as precisely as possible, with the strictly necessary information at a given time, allowing him to grasp the situation and its context, and monitor:

– some of the infrastructure’s functionalities in real-time (people flow, delay on specific geographical points, status of parameters characteristic of the infrastructure’s operation). Of course, this first set is highly dependent on the type of infrastructure and on its functionalities. For example, the surveillance of people flow can be achieved through control screens on which any abnormal event is signaled to the operator by a visual and audible alarm. The automatic detection of, for example, people whose behavior is abnormal in comparison with the behavior expected at that spot of the infrastructure makes it possible to display precisely what is actually useful to the operator, and not scenes from other video cameras that show no hazardous situation;

– the development of a crisis so as to handle it as well as possible. In that case, the nature and quantity of information can vary depending on the nature of the crisis, the present time, the type of analysis required by the user, and the user’s skill level.

The security systems of the future might use man-machine interfaces featuring the following characteristics:

– on the level of the control center (which might be mobile), the availability of enriched maps which are:

- 3D with layered animations reproducing what a human observer would see at the present time in a site chosen by the operator, as is the case today in many video games which use, with good reason, an animated synthetic 3D representation which is more intuitive and more natural,

- 3D and predictive, showing the results of domino effects as well as the corresponding security perimeters,

- 2D, but dynamic and large-scale, showing the available resources in terms of means of intervention (equipment, teams), availability of the access channels for these means, security perimeters;

– on the agents’ level, display of the local enriched map corresponding to their immediate surroundings, providing them with the characteristics necessary for them to do their work, and informing them about their own safety. This information can be displayed on laptops or PDAs.

8.4.3. Training

Finally, this presentation would be incomplete if it did not broach the subject of training. It is indeed essential to train the teams, first so they can have a proper grasp of the system, secondly so they can practice the designed procedures, so as to allow the easy interoperability of the means and organizations, and finally so they can learn through repetition the emergency motions and reflexes.

This is achieved through the use of simulation tools and field exercises in realistic configurations unknown to the incident response teams being tested.

Simulation tools are of course necessary in order to place the staff in charge of managing the crisis and coordinating the agents in a situation scenario. It is indeed highly complicated and constraining for the infrastructure to create a crisis within its own walls, even if the crisis is only “pretend”, that is to say it does not require physical attacks and of course spares human lives! Hence the necessity of virtually creating incidents of all sorts, provoking domino effects and “playing” with hypotheses on the spread of the crisis.

These simulators must integrate, besides all the aforementioned maps, a representation within those maps of the probable movement of the population within the infrastructure or close to it (city block, or even the whole city). To this end, the simulator must implement behavioral models of the human agents involved. These models must be as realistic as possible and thus able to take into account individual behaviors. For, in the event of a crisis or of events which put the individuals’ safety at risk, panic phenomena emerge, characterized by a great variety of behaviors which cannot be assumed to be average crowd behavior, and are more akin to a collection of individual behaviors reflecting the various levels of emotionality, stress and culture.

Moreover, in order to test the teams and the equipment at full scale, exercises must also be staged on-site, despite the complexity and difficulty this poses for the infrastructure’s normal operation. To this end, the exercises are staged while the infrastructures are closed to the public (at night, for example), so as not to put too great a strain on the infrastructure’s normal operation: of course, we must then be cautious with their conclusions, for staging the evacuation of a subway station at night is not the same thing as doing it during rush hour with traffic of 60,000 people per hour. The aforementioned simulation helps focus the exercises on the most critical problems. Caution is necessary, during field exercises, not to divulge the crisis scenario that is going to be simulated, so as to effectively test the system in an unexpected situation.

8.5. Conclusion

By presenting the protection of critical infrastructures as an illustration of the concept of system of systems, we have emphasized the problem’s complexity, which is present in the three dimensions, physical, functional and organizational. One cannot neglect any of these dimensions without risking the failure of a security system when the crisis happens. The partial failure of the relief efforts after Hurricane Katrina and the damage suffered by New Orleans in 2005 were a good illustration of this multidimensional problem and the criticality of a systemic vision of the whole value chain.

Neither technology, nor the existence of a plan on paper, can be sufficient answers. All these components must have been thought out and designed so as to operate together in times of crisis, hence the need for a global architecture and the necessity of training sessions for the use of the system of systems.

Emphasis has been placed on the technical and functional aspects, perhaps to the detriment of the organizational aspects. They are, however, just as essential. In particular, the most important points to study are: how does an organization restructure itself in times of crisis? How can a culture of risk management be elaborated?


1 Chapter written by Jean-Luc Zolesio.

1. Vigipirate: France’s national security alert system.
