Anil Puri
CMD, APS group
A second generation entrepreneur, thought leader and an action catalyzer rolled into one – Anil Puri is a rare combination of a visionary, and one who has mastered the art of strategic and tactical thinking to the core. He has been using this combination to seed new ideas and to lead them to their implementation on-ground. This has been a consistent feature of his career. He has rich experience of approximately 35 years in corporate in diverse domains & from functional managerial level to apex as chairman of a corporate group. PSA came to him as a part of inheritance and by choice. He at times spends part of his time in listening to his ops team in their due diligence in understanding the nitty – gritty of the PSS or security design of the client premises. Most of the time his niche experience and deep understanding of the PSS is of immense value to the ops team in unwinding the folds of the system.
INTRODUCTION
Security standards are heavily context dependent and tailored to the needs of the company and/ or region. Whether it is heavy crime, militias or corruption, security by design (SBD) is needed to protect assets and to ensure that a company continues operating without interference. When a project is in its infant stages with low exposure, the companies take little to no heed, but it is of the utmost importance that your business is prepared for potential risks when the wheels of your project start turning full throttle.
PHYSICAL SECURITY & CYBER SECURITY – WHY CONVERGENCE MIRRORS THE PILLARING EFFECT?
Cybersecurity/ digital security has become the watchword of the day. Having stepped into the 21st century, the world is heavily dependent on IT infrastructure for carrying out everyday business operations. Be it monetary transactions or information exchange, digital platforms today dominate the world stage. Naturally, digital data has taken the center stage in the grand scheme of things – with more and more devices coming online due to the advent of technologies such as wearables and IoT, and this volume of data is only going to increase. Due to the rather sensitive nature of digital infrastructure, businesses are investing heavily in ensuring the digital security of their IT assets, and with newer, more sophisticated threats on the horizon, this is only to be expected. Malicious elements on the internet are regularly amping up their repertoire of attack techniques. Ransomware, DDoS, and spyware are just some of the many weapons in the arsenal of these malicious players. In order to protect IT resources from such attacks, companies are prepared to invest time as well as money. But are our present security measures enough? True, you can put in place advanced digital security structures, create digital safety and hygiene protocols, and deploy state-ofthe-art technology to ensure that your assets are digitally protected.
All this overlooks one of the main chinks in the cyber security armour – the Physical Security. Consider this – you have implemented all the encryption in the world, you’ve created a digitally insulated system that cannot be penetrated by digital means. What if a fire happens to ravage your data servers? Or any unauthorized personnel gains access to secure areas of your computing infrastructure? What happens next? Physical security was, is, and will remain one of the prime avenues by which your cyber infrastructures can and should be adequately protected. Keeping your organization safe against physical attacks is essential to safeguarding your digital assets. This not only helps reduce the risks to your IT infrastructure but also contributes towards protecting your employees as well as related physical property. Yet physical security rarely occupies a position of concern in the minds of most information security professionals. Seeing as physical security has multiple technical as well as administrative components, organizations fail to recognize it as a valid component of cyber security. Physical security must be one of the key components of your digital security plan. Without a well laid physical security infrastructure, your digital security remains half-baked at the best, and dangerously exposed at the worst – most important link in the cyber security chain.
WHAT DOES SECURITY BY DESIGN (SBD) IMPLY?
An effective physical security system when evolved by design; integrates people, procedures, and technology for the protection of the assets against all possible types of crime; to mention a few – intrusion, thefts, sabotage, malicious human attacks and most vital being the cybersecurity breaches. Hence, the designer or security director should weigh the objectives of the physical security system (PSS) clearly against available resources and then evaluate the proposed design to ascertain how well it meets the objectives of the security program.
SECURITY BY DESIGN VS SECURITY BY NUMBERS?
As discussed above, security by design takes into account multiple disciplinary approaches to ensure that a building is safe and secure for office, residence or commercial purpose; more so as part of fool proof PSS (physical security system). Sheer deployment of numbers without taking into account the pillars of the asset protection like risk assessment (RA) & risk management (RM) tools, non-integration of selected components of technology will only amount to flooding with human presence amounting to melee, overcrowding and overlapping of job profiles leading to utter confusion and non-accountability. Human error will overwhelm the system with no space for technology and processes leading to erratic & regressive response mechanism – thus vitiating the very principle of detect, deter, delay and respond (destroy) leading to ultimate failure of PSS.
WHAT DOES SECURITY BY DESIGN INVOLVE?
To design and construct a safe and secure building, a collaborative approach to the design process is required, starting at the conceptual phase of the project and continuing throughout the process. So is the case when we decide to evolve a PSS. It is necessary for all persons responsible for the safety and security of the building components to interact closely throughout the entire design and construction process. This means that all interested parties involved in the issues pertaining to safety and security do understand the issues and mutual concerns of both parties. This also involves inviting the client, local building and fire officials, and the appropriate designers and consultants to participate in such discussions. This process is particularly helpful in complex situations where many people represent different interests and a common goal needs to be achieved (i.e., a safe and secure building). A multidisciplinary team will determine the appropriate design criteria for each project, post a building specific risk assessment and analysis of all available information on security considerations, constraints, and tenant needs. However, a delicate balance must be achieved between safety and the security measures proposed. Hence; the need of fire protection engineer as part of the multi-disciplinary team.
Crime Prevention through Environmental Design (CPTED) techniques should be used to help prevent and mitigate crime. Good strategic thinking on CPTED issues such as site planning, perimeter definition, sight lines, lighting, etc., can reduce the need for some engineering solutions.
Risk Assessment (RA). A comprehensive security risk assessment is essential prior to design the effective physical security system. The PSS (physical security system) might waste valuable capital on unnecessary protection or fail to provide sufficient protection at critical points of the facility if comprehensive security risk assessment is not carried out. For instance, it is probably imprudent to protect employee recreation area with the same level of protection that a data center may require. Similarly, maximum security at main entrance would waste if the entry could also possible from other unprotected points. As each facility is unique, a proper security risk assessment that evaluates the criticality of assets, threats, vulnerabilities will give a clear picture of risk exposure that gives a baseline for effective physical security system design.
Performance Based System Design (PBSD). PBSD is always effective than compliance or features based system. Because performance-based system design provides clear performance measures that can be validated with numeric characteristic for various system components. For instance, a performance based system design allows predicting performance against identified threat in various system effectiveness parameters. In this, we can assess sensors effectiveness under various environmental conditions, video clarity at different illuminating conditions, the response time of guard force etc. This performance-based system is also quite helpful to build the business case to persuade the business leaders to by highlighting clear cost benefit analysis.
Design Basis Threat (DBT). An effective PSS design should have a process that produces the design as per DBT (design basis threat) and not on mere assumptions or experience of the individual designing the system. Even though there are a number of security risk assessment and system design methodologies available to adapt, the following 3-step methodology has proven its effectiveness over 3 decades at the critical installations:
- Determining PSS objectives.
- Design or characterization of PSS.
- Analysis and Evaluation of PSS.
Objectives of Physical Security System (PSS). In order to develop the objectives, the designer must accomplish three steps: a) Facility characterization, b) Threat definition, and c) Target identification.
- Facility characterization: In this step, the designer needs to understand the facility itself. He needs to assess the facility operations, conditions, operating states and the entire layout of the facility such as site boundary, building location, building interiors floor plans, access points, blueprints, process descriptions, health, safety and environmental analysis reports etc. Then he also needs to assess any additional considerations for any operational, safety, legal liability or regulatory requirements while designing PSS. In addition, a tour of the sites and interviews with the facility personnel will provide necessary info on the effectiveness of any existing physical protection features. Involving all-important stakeholders is also necessary for ensuring the business operations are continued in a secure, safe and efficient environment. As each facility is unique, this process should be followed each time a need is identified.
- Threat definition: The second step in determining the objectives is to define the threat. In this step, the designer needs to consider the factors about potential adversaries, their class, capabilities and a range of tactics. He must collect information about the adversary class, tactics, and capabilities.
The classes of adversary: An adversary can be categorized into three classes – outsiders, insiders and outsiders working in collusion with insiders.
Tactics of adversary: Deceit, stealth, force, or any of the combination is the range of tactics each class of adversary can use to defeat PSS. For instance, Deceit is an attempt to defeat a security system by using false authorization or identification. Stealth is an attempt to defeat a security system by using covert means. (Spoofing or bypassing a sensor). Force is an overt, forcible attempt to overcome a security system.
Capabilities of adversary: The designer needs to identify the most likely threats and should design the system to meet those threats by the keeping their capabilities in consideration. For instance, there may be several threats, any given facility can encounter, such as a criminal outsider, disgruntled employee, competitors or some combinations. Hence, an effective physical security system must be designed to protect against all of these threats.
- Target identification: The final step is to perform target identification for the facility. For, this a thorough review of the facility and its assets should be conducted. This may include identifying critical assets, people, information or critical equipment or processes or reputation – anything that could impact business operations. For instance, determining the negative impact or unacceptable consequence in the event of loss of an asset or sabotage of an equipment or interruption of a business process will help identify critical assets, or equipment, or process that needs to be protected. Once the designer completes these three steps, he can determine the protection objectives of the physical security system. For example, to intercept a criminal adversary with hand tools and a vehicle before he removes finished goods from the shipping dock. The threat definition will depend on target identification and vice versa. Since any facility can have any number of threats, the process of determining objectives will be somewhat recursive and requires assessing the complex relationships among the protection system objectives.
DESIGNING THE PHYSICAL SECURITY SYSTEM
Once the designer knows the objectives of PSS that is what to protect against whom, the next step is to design the new system or characterize the existing system. The primary functions of a physical Security system are – detection of an adversary, delay of that adversary, and response by security personnel (guard force). If a new system is to be designed, the designer should better integrate PSS components (people, procedures, and technology) with PSS functions (detect, delay and response) to achieve PSS objectives. The integration process includes better combining the elements such as barriers, intrusion detection systems, access control systems, video surveillance, communication devices, procedures, and security personnel into a physical security system that can achieve the protection objectives. An effective PSS should meet protection objectives within the operational, safety, legal and economic constraints of the facility. The designer should also be aware and implement certain important principles during the physical security design and the close associations between detection, delay, and response functions. For instance, a physical security system performs better if detection is as far from the target as possible and delays are as near as the target, Detection without assessment is not detection and a response force cannot respond unless it receives a communication call for a response. The designer should integrate each system component in combinations that complement each other to protect any weaknesses in the overall PSS. If the physical security system already exists, it must be characterized to establish whether it is meeting the protection objectives. If not, then it needs to be redesigned.
ANALYSIS AND EVALUATION OF PSS
Once the PSS is designed, it must be analyzed and evaluated to ensure that it is meeting the physical security objectives. To estimate the minimum performance levels achieved by a physical security system, more sophisticated qualitative and quantitative analysis techniques can be used. Generally, quantitative analysis will be used in systems that are designed to protect high-value critical assets, and qualitative techniques will be used in systems that are designed to protecting lower value assets. In order to complete a quantitative analysis, performance data must be available for the system components. The outcome of this analysis process is a system vulnerability assessment which will find that the design effectively achieved the protection objectives or it will identify weaknesses. If the protection objectives are achieved, then the design and analysis process has been completed. However, the PSS should be analyzed periodically to ensure that the original protection objectives remain valid. If the PPS is found to be ineffective, the designer needs to redesign or upgrade the initial protection system design to correct the identified vulnerabilities. Then, an analysis of the redesigned system is performed. This cycle continues until the outcome indicates the PSS meets the protection objectives.
CONCLUSION
At its core, an effective physical security system design (PSSD) will deter, detect, address, respond to and interdict the threats and risks that disrupt a safe work environment. Historically, there has been a trade-off between security and ease of use. Figuring out how to achieve that system doesn’t have to be an overwhelming challenge, as long as you have the right guidance. In true security parlance, the security by design primarily dwells in the cybersecurity. In present day context, the cybersecurity market is overly focused on auditing policy compliance and performing vulnerability testing when the level of business risk presented demands a holistic risk assessment and agile security architecture to be proactively developed. Cost risk analysis and economic analysis also needs to be factored into the entire process of designing the PSS to ensure its cost effectiveness.
