[ISN] Perimeter Security: It's Not Just about Razor Wire and Guard Towers Anymore

From: InfoSec News (isn@private)
Date: Fri Apr 15 2005 - 02:58:33 PDT


Forwarded with permission from www.homelandresponse.org.
Copyright 2005 Penton Media Inc.

http://homelandresponse.org/full_story.php?WID=13218

By Sandy Smith
04/13/2005

Terry Wood, PE, CPP, is the director of Engineering and Security 
Applications for Wackenhut Corp. He says effective perimeter security 
can range from high fences to guard patrols to motion sensors to a 
good lock. Wood ought to know: his responsibilities at Wackenhut 
include preparation of physical security system analysis, 
vulnerability and risk assessments, design and construction document 
development (drawings and specifications) and the performance of 
construction administration and technical consultation services.

The projects he has worked on include the design of security systems 
for the new international airport in Hong Kong, port security 
assessments for a West African government, petroleum refinery security 
analysis in Greece, security assessment of copper mining operations 
throughout South America, and security analysis and support for all 
areas of critical U.S. infrastructure, including nuclear power plants 
and water treatment plants. 

"Some facilities have no perimeter whatsoever. Take a high-rise 
building, for example. There, perimeter security consists of a lock on 
the door," says Wood. "Then, there are other facilities that have a 
large perimeter that includes double fencing with motion sensors 
in between the fences, closed-circuit television, security patrols, 
guard stations, limited access, etc."

The Plan

The first step to determining if your perimeter security plan fulfills 
your needs is to conduct a risk assessment and take a long, hard look 
at the mission of your facility and the security measures you already 
have in place. According to Wood, a risk assessment is a tool for 
measuring the compliance of a facility with security requirements. The 
assessment is used to analyze a system or facility to identify 
vulnerabilities that could potentially result in losses of life, 
products or technology. The methodology behind the risk assessment is 
based on the interrelationships of four key factors:

* Assets. Any useful or valuable resource. 

* Vulnerability. Weakness or susceptibility of an asset or a 
  collection of assets to losses of various kinds. 

* Threat. An event, process or act which, when realized, has an 
  adverse effect on one or more assets. 

* Safeguard. A countermeasure, control or action taken to decrease the 
  existing level of vulnerability of an asset to one or more threats. 

According to Wood, "A risk equals a threat plus your vulnerability to
that threat."

"If you operate a corrections facility, then your plan is to keep
individuals from crossing the perimeter. If your facility is an
automotive manufacturing plant, then you want to protect the product
and monitor who is entering and leaving the facility," says Wood. The
threat at a chemical facility, petrochemical plant or nuclear power
station might be sabotage or terrorism, which means limiting access to
the facility and the surrounding area.

An effective security plan will include:

* The operational aspects of a security program, 

* Establishment of a proactive process to prevent security and safety 
  issues, 

* An assessment of threat and vulnerability, 

* The utilization of and need to balance manpower and electronic 
  solutions. 


Technology

The first step in a perimeter security program, once you determine
your risks and vulnerabilities and needs, is to assess what you've
already got in place. Is it enough? Is it too much? Should you beef it
up?

Some facilities choose to utilize two or three different types of
perimeter systems, depending on the location.

Sensors placed between two lines of fencing might work in some
locations, but in other locations, where you might find birds nesting
between the two fences or trees or shrubbery moving with the wind,
sensor technology is not a good choice.

"You end up with a lot of nuisance alarms, and management loses
confidence in the system. So, the sensitivity is turned way down or
the system is turned off entirely," says Wood. "What good is that
technology if it doesn't work for your situation?"

Some sensors make use of buried cable, which doesn't work in climates
where permafrost is an issue, while others utilize an infrared beam.  
That technology works well as long as there is nothing - including
piles of snow in winter - blocking the beam.

Facilities on the water - such as the airport that was recently opened
in Hong Kong - present special challenges. "Boat traffic on the edge
of the runway was a concern," Wood remembers. "There were limitations
in the structures that could rise above the ground - such as fences -
that might interfere with the landing and takeoff of aircraft."

The solution was to install bistatic sensors that utilize microwaves
to measure motion in volumetric space. Sonar, underwater video systems
and boat patrols are other ways to protect harbors, says Wood.

Lighting is another important aspect of perimeter security. Lighting
is more than throwing up some light poles, says Wood. "A lighting
assessment examines the facility. Is there a storage yard, truck
parking, a loading dock? If you light just the façade of a building,
are there other areas that can't be seen where people can run in and
out?"

Gatehouses pose a challenge when it comes to lighting. The interiors
are usually well-lit while the exterior is sometimes dark. "Guards
can't see outside. Half the time, they turn the lights out inside so
they can see what's going on outside. That makes it difficult for them
to work inside." The answer can be to increase the lighting outside
the gatehouse or to install dimmer switches inside.

Fencing, or the lack of it, can contribute to perimeter security
problems. A company came to Wood and wanted a perimeter security
system with all the high-tech bells and whistles: cameras, CCTV,
sensors. When he went out to the facility to take a look at what the
company was already doing in terms of perimeter security, Wood
discovered that the fence surrounding the property had fallen down in
several locations.

"I don't know how often they walked around the perimeter of the fence,
but that's probably a good first step before investing in technology
like sensors and cameras. If whole sections of fence are missing, your
perimeter security will not be great," counsels Wood.

Fencing has changed since the basic chain link was invented. Electric
fences are sometimes used, and new fences have been developed that
curve back out toward the outside, if you are trying to keep people
out, or back in toward the inside, if you are trying to keep people
in. "Intruders can't get a foothold," says Wood. "You see this type of
fencing a lot on bridges and overpasses."

Barbed wire or razor wire at the top or between layers of fencing can
be useful, while some companies utilize plantings around the
foundations of buildings, such as thorny bushes, to deter intruders.

Wood says special paint is available for objects such as light poles,
which might provide easy access over a fence. "Sometimes, you'll have
a light pole or some other type of pole that has to be there, even if
it's close enough to a fence to be a concern for the perimeter. The
paint makes it slippery, so the pole can't be climbed," said Wood.

Signage is an effective element of a perimeter security plan, says
Wood. Use signs to direct visitors to their entrance, employees to
their entrance and deliveries to that entrance. Place signs in
strategic places that note the area is monitored and that security is
on site. "You'd be surprised how effective a security tool a sign can
be," Wood states.

Separating employees from visitors is a key element of any perimeter
security program. Wood strongly suggests receiving visitors to your
facility away from your manufacturing or processing areas. "Visitors
shouldn't be in those areas unless they have received proper security
clearance and are escorted by employees," says Wood. "Don't allow
visitors near sensitive areas without good reason." And try to keep
visitor parking outside your secure perimeter.

If your facility has multiple buildings, it can be relatively easy to
separate employee entrances from visitor entrances. In the case of a
software manufacturer with one building, or several floors in a
building, that can be more difficult, but not impossible. "Have one
place, near the door or perimeter of the offices, where visitors
report. Try to have another entrance for employees, but if that's not
possible, have a badge or ID system that does not allow entrance to
interior offices without proper credentials," says Wood.


Engage Employees

Employees could be one of your greatest security advantages or
disadvantages, says Wood. Employees will realize a stranger is on site
almost immediately, but it's what they do about it that can make or
break your perimeter security program. Do they report the visitor, or
do they hold open the door and allow full access to your facility?

"It's human nature to see someone struggling with packages and hold
open the door for them. But it's bad security policy," says Wood.

"You can have great perimeter security - high fences, barricades,
stopping and searching incoming delivery trucks, ID checks for
everyone - and still allow a former employee to enter because you
never got his ID badge back," says Wood. It can be these types of
lapses that can cost you everything.

Wood says he'll go out to a client who has good policies in place and
will ask him, "Who controls the keys to the building? If an employee
is dismissed, do you re-key the building?" The client will say that
the maintenance department handles that. The maintenance department
says, "We don't have anything to do with that."

"We'll ask, 'How many master keys are there to the building?'" says
Wood, "and the client will say, 'I don't know.' It could be that there
are dozens of master keys out there, and not all of them belong to
current employees."

The solution, says Wood, is to make employees active participants in
the perimeter security program by offering security awareness
training. Have guidelines for employees about what they should do if
they see a stranger walking around unescorted or without proper
credentials. Instill in employees the idea that all visitors must go
through proper channels and should not be allowed to walk through an
open door. The security systems are in place to not only protect your
facility and technology, but employees as well. For their own safety,
they need to follow security policies.

"Some companies think that if they invest a lot of money in
technology, they will solve their security problems," says Wood. "A
camera, even a very good camera, never caught anyone doing anything.  
It's just a tool used by security personnel who can receive the
message, assess the problem and direct a response."

"Physical security is the first step in a perimeter security program,
but your employees and security personnel can make or break your
program," he adds.


