Physical security has many holes to be plugged

Delivering improved reliability through physical security represents the next frontier for continuous improvement.

Cybersecurity makes all the headlines these days but there are plenty of predators looking to scam unsuspecting employees at the physical plant.

“I can get into any facility in less than five minutes with the right tools,” says Sean Ahrens, global practice leader at AON Global Risk Consulting. That’s sobering news for security professionals charged with protecting vital data centers and warehouses. Fortunately, sensitive facilities can improve by calling on the advice of AON and other specialized firms.

“There’s a movement away from unmanned data centers and similar critical facilities,” explains Ahrens. “Most security efforts focus on preventing digital attacks since those represent the majority of attacks. That means that physical security often becomes a failure point,” he added. The most common failures Ahrens sees stem from operations and human mistakes.

“The Holy Grail of security assessment is to gain access to a facility by non-destructive means. In security consulting projects, we have often been successful in obtaining access. For example, we had one of our staff gain access to a secure facility through a loading dock and they were almost granted a security card,” Ahrens explains.

In several cases, AON security consultants have obtained copies of secure facility blueprints from municipal offices. That approach shows that a determined aggressor’s attack may be informed by detailed technical and architectural information.

“Our reports typically include photos of secure assets and video records demonstrating how access was gained. These records accompany our reports to aid companies in improving their security,” he added. Continuous improvement is required in order to maintain a secure facility against constantly evolving threats. Regular physical patrols are an important way to detect security flaws and events. Broken glass, damaged locks and other changes are warning signs that an intrusion is underway.

“Ultimately, security professionals and our clients need to realize that it is impossible to prevent all attacks. Instead, we focus on delaying an attack and deterring an attack. The more time an attacker takes to carry out their attack, the more time we have to detect their presence, call law enforcement and deploy other measures,” Ahrens explains.

Physical security failures and breaches are not limited to criminal masterminds: operational failures are highly important. “Weak discipline over security badges and allowing another person to piggy back through a secure entrance is a chronic failure,” says Lee Kirby, chief technology officer at the Uptime Institute, a Seattle-based organization that provides IT certification, consulting and advisory services. “If an organization allows ‘piggy back’ access, that is a signal about other failures.

“Many times, organizations put security tools and technology in place and hope that the supporting processes will materialize. This approach rarely works well,” Kirby added. “A comprehensive approach such as the Uptime Institute’s Management & Operations (M&O) Stamp of Approval is an excellent way to ensure that an organization has the processes and operations in place to achieve high-quality security,” he commented.

CenturyLink and UBS are two leading companies that have adopted the M&O standard for some of their operations. The Stamp of Approval issued by Uptime is valid for two years so organizations have an added incentive to stay on top of best practices.

“Managers have an important role to play in all aspects of security practices. For example, is there a practice in place to screen and evaluate third-party staff such as maintenance crews and those who service power generators? Those third parties are often forgotten in management plans and that poses a security risk. In addition, managers need to ensure that every person in the facility is trained on security versus focusing on IT staff alone,” Kirby added.

Delivering physical security improvement also requires an understanding of a facility’s setting. “We had an Ohio customer who felt their location was secure due to its location in an access controlled industrial park. They decided to enhance their site security through the addition of 'no climb' fencing after we presented additional data on local vandalism and other incidents,” says Chris Curtis, senior vice president at Compass Datacenters.

Government issues

Governments face tremendous challenges in securing critical facilities because so many people depend on them and budget pressures are a constant concern. In addition to military bases, other sensitive government facilities include major political buildings (for example the White House, governor’s offices and court buildings), research facilities (such as Department of Energy National Laboratories) and transportation infrastructure (train stations and ports).

The government approach to physical security emphasizes staff and training procedures. In 2013, the U.S. Department of Homeland Security (DHS) published guidelines for armed security officers at federal facilities. Critical facility managers would do well to take note of these government practices and determine which measures they can adapt.

  • Hiring Criteria. The government recommends that armed guards have specific work experience (e.g. two years of experience in the armed forces, police or security) and specific education (e.g. police officer training program or an associate’s degree in security).
  • Security Equipment and Appearance. DHS recommendations include body armor, police baton, handcuffs, and standard uniforms.
  • Training For Excellence. The DHS best practices make an excellent point that security officers require both traditional security training (e.g. weapons and defensive tactics – DHS recommends 64 hours of training per hour – 80% of training time to emphasize hands on tasks such as use of firearms, use of handcuffs etc.) and non-traditional skills (e.g. customer service, human interaction and training regarding the organization). This training seeks to manage troublemakers without the use of force.
  • Matching Security Staff Levels To Activity. The DHS estimates that a well-staffed security station can evaluate 40 people per hour. Multi-tenant facilities need to account for workload in security staffing. Rushing security procedures is a recipe for increased risk.

Government standards for armed security guards serve as a benchmark to evaluate security in other settings. The above practices can also be used to prepare procurement documents for companies that contract out physical security. In addition, DHS requirements can also be used to inform a balanced scorecard evaluation of current security practices at critical facilities.

Start with requirements

Requirements are the starting point for effective security at a critical facility. Fulfilling the security requirements of an organization or industry (e.g. PCI DSS for the payment industry, HIPAA for healthcare and SOX for public companies) is essential. If these requirements are not met, a company’s credibility will be undermined. Penalties in the form of media criticism, fines and industry censure are also possible. In 2015, Verizon found that two-thirds of companies using the PCI standard failed to test their security. Failing to fully utilize existing security standards is a significant gap.

Security requirements are especially important when planning a new facility. “In our experience, the biggest mistake that organizations make is failing to clearly identify their requirements up front such as the value of your applications and the cost of downtime,” explains Curtis.

Stories by Bruce Harpham
