10. Security and Physical Protection Basic Concepts
Physical Protection System
A Physical Protection System (PPS) is the integration of people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, or other malicious human attacks.
Allan Murray lecture, 29 August 2005
PPS Objectives: Prevent Theft and Sabotage
• Deter the Adversary
  – Implement a PPS which all adversaries perceive as too difficult to defeat
  – Problem: deterrence cannot be measured
• Defeat the adversary with PPS
  – PPS functions required: detection, delay, response
  – Actions of response force prevent adversary from accomplishing his goal
Deterrence
• By definition: "the act or process of discouraging actions or preventing occurrences by instilling fear or doubt or anxiety"
• Deterrence is one useful security function in managing the insider threat
Deterrence
Components that have a deterrent effect:
• enforcement and prosecution
• barriers
• access control systems
• signage
• closed circuit television
• policy and procedures
• employee trustworthiness checking
• information security
• etc.
Exercise 1 – Module 9
Using a facility that is familiar to you, list as many existing elements as you can that would deter an adversary. In addition, list further elements that you believe would enhance deterrence.
Physical Protection System (PPS) Functions
Detection
• Intrusion Sensing
• Alarm Communication
• Alarm Assessment
• Entry Control
Delay
• Passive Barriers
• Active Barriers
Response
• Interruption:
  – Communication to Response Force
  – Deployment of Response Force
• Neutralization
Detection
Purpose:
• Provide detection of any attempted unauthorised access to the area or facility where the radioactive source is located.
• Provide detection of any attempted unauthorised access to the equipment housing the radioactive source.
Detection
Detection can typically be achieved by one of the following means:
• Electronic Sensors
• Human Surveillance
• Video motion detection via a Closed Circuit Television (CCTV) system
Example - Radioactive Source Storage Room
[Floor plan figure. Labels: Target Room, Source A, Source B, Adjacent Interior Room, Interior Door, Exterior Door, Exterior Windows, Exhaust Vent (near ceiling), Exterior Walls]
Exercise 2 – Module 9
For the example source storage room on the previous slide, indicate where electronic detection sensors could be installed to detect an unauthorized access attempt.
Example Detection Sensor Layout
[Floor plan figure with sensor positions. Labels: Passive Infrared Sensor, Active Infrared Sensor, Vibration Sensors, Glass Break Sensors, Tamper Switches, Balanced Magnetic Reed Switches, Source A, Source B, Adjacent Interior Room]
Detection
Alarm sequence:
• Alarm Activated
• Alarm Communication
• Alarm Reported
• Alarm Assessed
Performance Measures:
• Probability of Detection
• Time for Communication and Assessment
• Frequency of Nuisance Alarms
• Probability of Assessment
[Figure callout: Another Nuisance?]
Detection - Assessment
Assessment
Purpose: To assess the cause of each reported alarm activation
Assessment
Assessment can typically be achieved by one of the following means:
• Response Force (roving guard patrols, emergency services)
• Technological means such as a Closed Circuit Television (CCTV) system
• Human Surveillance
Delay
Provide Obstacles to Increase Adversary Task Time
• Physical Barriers
• Protective Force (Guards)
Performance Measure: Time to Defeat Obstacles
Delay
Purpose: Ideally, to provide sufficient delay after the detection and assessment phase to allow response personnel to interrupt and defeat the adversary.
Delay
Example Security Measures:
• Fences
• Cages and walls
• Security containers
• Strong rooms with three dimensional containment (floor, walls and ceiling)
• Immobilisation of equipment
  – Securely anchoring the equipment to nearby building structures such as walls and floors
  – Installing obstacles prohibiting the equipment from being wheeled away
Example Hospital Facility
Response
Action by protective forces to prevent adversary success
Response sequence:
• Communicate to Response Force
• Deploy Response Force
• Defeat Adversary Attack
Performance measures:
• Probability of communication to response force
• Time to communicate
• Probability of deployment to adversary location
• Time to deploy
• Response force effectiveness
Notes:
• Can't respond if they don't know something is going on
• Deploy means get from where they are to where they are needed to engage the adversary
• Response force effectiveness generally depends on the numbers, training, and equipment of the response force as compared to the threat.
Response
Practical Implementation:
• The response time after detection should be designed to be less than the time required to breach the barriers and tasks required to remove or sabotage the radioactive source.
• The response team should be of sufficient size and capability to defeat the adversary.
• Plan and response procedures should include the involvement of local law enforcement and emergency services.
• The adequacy of the procedures should be defined in consultation with the regulatory authority.
• Exercised and tested (threat level based).
Effective response
Interaction with Outside Agencies
• Written agreement or understanding
• Key issues for consideration
  – Role of support agencies
  – Communication with support agencies
  – Off-site operations
  – Joint training exercises
The winning combination:
• Right people and planning
• Right equipment
• Right training
The Principle of Timely Detection
[Timeline figure. Labels: Begin Action, Task Complete, Time, Adversary Task Time, First Alarm, Detect, Alarm Assessed, Respond, Adversary Interrupted, PPS Time Required, Delay, Deter Actions, Defeat, Mitigate Results; time markers T_A, T_I, T_C]
Exercise 3 – Module 9
Determine whether timely detection is possible for the following attack scenario.
Scenario 1: The response force cannot respond in their normal (average) time (e.g., they are responding to a higher competing priority elsewhere in the hospital). It takes the response force twice as long as their normal time to respond.
Exercise 3 – Module 9
Determine whether timely detection is possible for the following attack scenario.
Scenario 2: An alarm indicates the entrance door to the research wing was opened, but it cannot be confirmed for a long period of time (e.g., the camera viewing the entrance is out of focus, so the university alarm monitoring station dispatches security personnel to visually inspect the area and assess the situation). It takes twice as long to assess the alarm.
Exercise 3 – Module 9
Determine whether timely detection is possible for the following attack scenario.
Scenario 3: The position sensor on an exterior emergency exit door fails to activate when an intrusion occurs (i.e., the sensor does not work). A second sensor (another position sensor on an interior door) is activated at a point on the diagram which is 2/3 of the way into the first detection, had the first sensor been working. Detection time for the second alarm is the same as the first alarm.
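The timely-detection test behind these three scenarios can be written as a small timeline model. This is an added example, not part of the original lecture: the path steps, all timings and the function names are constructed assumptions, and each sensor is assumed to alarm as its step begins.

```python
from dataclasses import dataclass

@dataclass
class Step:
    name: str
    delay_s: int             # adversary task time for this step (seconds)
    sensor_ok: bool = False  # a working sensor alarms as this step begins

def evaluate(path, assess_s, respond_s):
    """Return (timely, margin_s, first_alarm_step) for one adversary path."""
    for i, step in enumerate(path):
        if step.sensor_ok:
            # Only delay encountered after the first alarm counts.
            remaining = sum(s.delay_s for s in path[i:])
            margin = remaining - (assess_s + respond_s)
            return margin > 0, margin, step.name
    return False, None, None  # no alarm: the response force never deploys

def critical_detection_point(path, assess_s, respond_s):
    """Last step at which a first alarm still leaves time to interrupt."""
    cdp = None
    for i, step in enumerate(path):
        if sum(s.delay_s for s in path[i:]) > assess_s + respond_s:
            cdp = step.name
    return cdp

def hospital_path(exit_sensor_works=True):
    # Constructed path and timings, for illustration only.
    return [
        Step("cross grounds", 60),
        Step("exterior emergency exit door", 90, exit_sensor_works),
        Step("corridor", 45),
        Step("interior door", 120, True),
        Step("source container", 240),
    ]

ASSESS_S, RESPOND_S = 60, 240  # constructed "normal" times

def scenarios():
    return {
        "baseline": evaluate(hospital_path(), ASSESS_S, RESPOND_S),
        "1: response takes twice as long": evaluate(hospital_path(), ASSESS_S, 2 * RESPOND_S),
        "2: assessment takes twice as long": evaluate(hospital_path(), 2 * ASSESS_S, RESPOND_S),
        "3: first sensor fails": evaluate(hospital_path(False), ASSESS_S, RESPOND_S),
    }

if __name__ == "__main__":
    for name, (timely, margin, alarm) in scenarios().items():
        print(f"{name}: timely={timely} margin={margin}s first alarm at {alarm}")
    print("critical detection point:",
          critical_detection_point(hospital_path(), ASSESS_S, RESPOND_S))
```

With these constructed numbers, only the doubled response time breaks timely detection; a sensor placed after the critical detection point would alarm too late to help however reliable it is.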
Characteristics of an Effective Physical Protection System
• Defence-in-depth
  – Series of detectors better than a single one
  – Prefer to use complementary sensors that use different principles
• Balanced protection
  – Does not create an easy path for adversary
  – Applies to Detection as well as Delay
• PPS based on threat, and the Graded Approach
  – Enough Detection, Delay, and Response
  – Meet the "System Effectiveness" criteria
  – One feature can compensate for another's weakness
Defence in Depth
[Build-up figure: each slide adds one layer of measures around the asset]
• Layer 1 – Physical Security – Perimeter: Lighting (Exterior & Interior), Fences, Guards & Patrols, Inspections & Checks
• Layer 2 – IT Security: Logon & Passwords, Encryption, Audit Trails, Instructions, Orders & Policies
  – Reminder that everything in ASNET is audited – mention the Classified Media Register as part of this
• Layer 3 – Laws and Legislation: vetting personnel (Recruitment Background Checking, employee trustworthiness check)
• Layer 4 – Physical Access Control: ID Cards, Alarms, Detection Devices
• Layer 5 – Categorisation and Classification (figure also adds: Locks)
• Layer 6 – Secure rooms, strongrooms, containers and vaults (figure labels: Physical Measures, Strong Rooms, Containers)
So – security is achieved when …
Graded Physical Protection Requirements
The level of protection required for a facility should be commensurate with the potential hazard posed by the facility.
Graded concept of security measures based on:
• Anticipated threat
• Relative attractiveness
• Potential consequences of malevolent actions
• The need for beneficial use of the source
SUMMARY
• While we would like to deter the adversary, we must be prepared to defeat him
• We also must be prepared for failure in our attempt to defeat the adversary because nothing is 100% effective
• We use Detection, Delay, and Response working together to interrupt the adversary
• We use the response force to defeat the adversary
• We are talking mostly about an outsider, but do not forget the insider threat
• The level of required protection should be commensurate with the potential hazard
Thank You! Questions?