HW Security


Title: Encyclopedia of Security and Emergency Management/Physical security: Methods (e.g., Crime prevention through environmental design/CPTED) and practices (e.g., surveillance)

Key words: Physical security, Detection, Delay, Response, Design

Author: Adam Williams, Sandia National Laboratories [1]

Definition: Physical security methods and practices are those systematic plans and actual uses of countermeasures applied to prevent unauthorized access to, and protect against malicious acts upon, critical assets.

Introduction

Physical security—despite the simplistic refrain that all it consists of is “gates, guards, and guns”—is not a “one-size-fits-all” enterprise. Rather, it consists of the use of active and passive measures to protect critical assets from adversary or criminal activities by preventing unauthorized access to critical assets—be they personnel, buildings, geographic areas, or equipment. [2] According to the U.S. Department of Defense, physical security is defined as “That part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft” (2016, p. 185). In addition, physical security seeks the “protection of Federal employees and private citizens who within and visit U.S. government-owned or leased facilities” (Interagency Security Council 2015, p. iii).

After describing high-level physical security goals, the rest of this paper describes how two mechanisms can support the completion of such goals for critical assets. The first consists of physical security methods, or the systematic planning related to physical security countermeasures implemented for protecting critical assets (e.g., systems-engineering design frameworks).
The second encompasses physical security practices, or how physical security countermeasures are used to protect critical assets (e.g., facility-specific access control procedures).

[1] SAND-9629J. Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA-0003525.

[2] Please see Chapter XX, “Threat assessment” or Chapter XX, “Insider threat” for further discussion.

The Goals of Physical Security

To evaluate the effectiveness of related methods and practices, it is necessary to understand the goals of physical security. Physical security can best be measured by the ability of countermeasures – technologies, procedures, and individuals—to interact in support of all efforts to identify, slow, and neutralize any adversary or criminal action against critical assets (Garcia 2008; Interagency Security Council 2015). More simply put, the “theory and application of physical [security], include the functions of deterrence, detection, delay, and response” (Interagency Security Council 2015, p. 19).

Detection, as a physical security goal, relates to all countermeasures that communicate that an adversary or criminal activity against an asset is occurring. Examples include guard patrols observing an individual climbing a perimeter fence or a motion sensor indicating movement inside a locked vault. The detection goal includes the process by which observations of undesired actions (e.g., surveillance and monitoring) are analyzed (e.g., detection and assessment) and lead to decisions to initiate additional protection actions. When concentrated farther away from critical assets, detection countermeasures are more effective and efficient because they provide additional time for more accurate assessment and for supplementary protection actions to be taken. Detection effectiveness is generally described as the likelihood that the selected collection of related countermeasures is able to adequately identify the presence of adversary or criminal activities threatening critical assets. [3]

Delay, as a physical security goal, includes countermeasures employed to increase the physical resources, intellectual capabilities, and time necessary for an adversary or criminal action to be successful. Common examples of delay countermeasures include cement bollards to prevent vehicle access or enhanced locking mechanisms on entrances to sensitive buildings. Countermeasures selected and implemented to support delay goals seek to insert additional time into adversary or criminal activities for other protection actions to be successfully deployed. Delay-related countermeasures are most effective and efficient when they occur after detection [4] and are concentrated closer to critical assets. The ability to achieve delay-related goals is described as the additional time provided by extra physical, temporal, or cognitive burdens placed on adversary or criminal activities against critical assets. [5]

Response, as a physical security goal, incorporates countermeasures for neutralizing adversary or criminal activities against critical assets by killing, capturing or causing them to flee. Examples include using onsite guard personnel to cordon off a specific area to contain the perpetrators or the arrival of an offsite, armed local law enforcement agency.
Countermeasures supporting response goals can include providing improved equipment, requiring advanced tactical training, enhancing communications, or moving forces closer to critical assets. Timely and appropriate response, in general, is most effective and efficient when coordinated with early detection and sufficient delay by other physical security countermeasures. Response effectiveness is commonly described as the speed and efficiency with which appropriate response personnel—most often agencies with national or local authority to carry weapons—are able to arrive and neutralize adversary or criminal activities against critical assets. [6]

Taken together, these physical security goals aim to prevent interruptions to the benefits provided by critical assets—arguing that there is an inherent need for alignment between physical security goals and desired asset operations. Therefore, the level to which countermeasures independently and interdependently operate to achieve high-level physical security goals within the context of normal facility operations will determine the overall effectiveness of being able to protect critical assets. According to the U.S. Interagency Security Council (ISC), it is important to “articulate how a holistic and comprehensive physical security program contributes to the success of the agency and its mission” (Interagency Security Council, 2015, p. 20). Physical security goals can be most efficiently and effectively achieved by leveraging insights from well-known physical security methods and practices.

[3] For additional discussion on related topics, please see Chapter XX, “Intrusion detection systems,” Chapter XX, “Physical Security: Interior Applications – Doors, Access Control,” or Chapter XX, “Physical security: Video surveillance, equipment and training”.

[4] Perhaps the quintessential example of the “delay after detection” mantra is illustrated in a scene from the 1994 film The Shawshank Redemption. In the film, Andy Dufresne spent years slowly chipping away at his cement-walled prison cell. He was able to eventually dig a hole large enough to facilitate his escape—completely unbeknownst to the prison guards or warden. In this example, even the delay of multiple foot-thick prison cell walls is negated because there was no forewarning—or detection—of the malicious act.

[5] For additional discussion on related topics, please see Chapter XX, “Physical security: Exterior application: perimeter controls (bollards, fencing, lighting).”

[6] For additional discussion on related topics, please see Chapter XX, “Security guards: Academic and training programs” or Chapter XX, “Security guards: Authority and power.”

Overview of Physical Security Methods

Successfully detecting, delaying, and responding to adversary or criminal activities to protect critical assets requires strategic thought, tactical understanding, and rigorous evaluation. In response, physical security methods can be defined as systematic planning processes to identify, select, and arrange physical security countermeasures to protect critical assets from threats. Navigating such influences as normal asset operations, natural terrain, and architectural designs on physical security performance requires an emphasis on balance in identifying, selecting, and arranging countermeasures.

While various methods exist for identifying, selecting, and arranging physical security countermeasures to protect critical assets, this paper uses two examples to crystallize this concept. The first is the design evaluation and process outline, which was created at Sandia National Laboratories for the protection of various U.S. Department of Defense and U.S. Department of Energy critical assets. The second is crime prevention through environmental design, which evolved from the “defensible space” concept that emerged from the union of criminology and architecture domains in the 1970s (Ray 1971).

The Design Evaluation Process Outline (DEPO) builds on generic systems engineering concepts for its systematic planning for physical security. DEPO is popularly considered the current standard for security analysis at nuclear facilities (Garcia 2008). The DEPO methodology consists of the following key steps (Garcia 2008):

• Characterize the facility (e.g., defining its mission)

• Identify the undesired events and critical assets (e.g., identifying assets as theft or sabotage targets)

• Determine potential consequences of undesired events (e.g., defining facility damage, or health effects)

• Define threats to the facility (e.g., identifying anticipated adversary capabilities)

• Analyze security system effectiveness (e.g., evaluating performance of physical security countermeasures)

• Estimate the risk (e.g., determining how well the physical security countermeasures mitigate adversary activities)

• Compare this risk to the acceptable risk level from the competent authority and:
  o If sufficient, complete the (re)design of physical security countermeasures
  o If insufficient, suggest (and re-evaluate) physical security countermeasure upgrades

The DEPO method argues that the “detect, delay, and respond” paradigm fully describes the necessary functions of strong physical security (Garcia 2008). As a physical security method, DEPO seeks to balance between the accepted level of risk (e.g., the likelihood of successful adversary or criminal action) and physical security upgrade impact to facility budget and operations. To do so, DEPO shares a philosophical foundation with popular probabilistic risk assessment approaches to safety and arranges countermeasures to make adversary tasks more complex and take longer to complete. According to DEPO, extending the adversary or criminal timeline improves the ability of countermeasures to achieve physical security-related goals. To this end, DEPO describes how well an arranged collection of physical security countermeasures achieves a defined ability of defeating a specific adversary along a specific attack path. More specifically, this method describes a conditional probability that adversary or criminal activities will be interrupted in time for them to be neutralized for how well detection and delay goals are achieved. Similarly, DEPO describes a conditional probability that, once interrupted, adversary or criminal activities are neutralized for how delay and response goals are achieved. Ultimately, the DEPO method produces an overall description—called the system effectiveness [7]—of the ability of a given collection of physical security countermeasures to achieve detection, delay, and response goals to protect critical assets against malicious acts.

A second example of a physical security method is Crime Prevention through Environmental Design (CPTED). This method is based on the argument that urban form—including landscapes, buildings, and traffic flow patterns—can be used to reduce criminal activity. This multidisciplinary approach leverages concepts from social, behavioral, psychological, and biological explanations for what causes criminal and malicious behavior. More specifically, CPTED is

a process for analyzing and assessing crime risks in order to guide the design, management, and use of the built environment (and products) to reduce crime and the fear of crime and to promote public health, sustainability and quality of life (Cozens & Paul 2015, p. 14).

CPTED, ideally, is implemented during design phases, because they offer the most flexibility and control over potential changes in the environment. Cozens & Paul (2015) summarize this method in terms of seven physical and four social strategies. These physical strategies include: creating a sense of ownership to protect an asset (e.g., “territorial reinforcement”); observing various activities in an area around an asset (e.g., “surveillance”); maintaining appearance to transmit positive signals about an asset (e.g., “image”); limiting entrance to, or contact with, an asset (e.g., “access control”); promoting high levels of desired activities around assets (e.g., “legitimate activity support”); increasing the physical difficulty of accessing an asset (e.g., “target hardening”); and, using the influence of adjacent “safe zones” to protect assets (e.g., “geographical juxtaposition”). Similarly, the four social strategies, according to Cozens & Paul (2015), include: building a mutual respect among members in a local community (e.g., “social cohesion”); coordinating activities among members in a local community (e.g., “community connectivity”); sharing a sense of place between members of a local community (e.g., “community culture”); and, understanding the finite ability to support certain community activities (e.g., “threshold capacity”).

CPTED has a long history of being used as a method to reduce crime in community spaces (Cozens & Paul 2015)—which provides examples of how its use for systematic planning helps achieve physical security goals. For example, CPTED’s argument that revitalizing dilapidated portions of neighborhoods will eliminate opportunities to conceal criminal activities is similar to the physical security goal of detection. Similarly, by restricting access, delay is demonstrated in CPTED-based redesigns of walking paths to limit entranceways into public space. The social strategies listed above also serve to better incorporate relevant law enforcement agencies into CPTED-based plans, which results in increased familiarity and trust with the community. This can cause more effective and more efficient prevention of crime by these law enforcement agencies and directly serves the response physical security goal. As a method, CPTED “continues to represent an attractive option for individuals, communities, local, state and national governments and international organizations alike” (Cozens & Paul 2015, p. 14) for leveraging to achieve physical security goals for critical assets.

Additional physical security methods also exist. One other popular method, known as “defense-in-depth,” argues for using combinations of physical security countermeasures (each considered insufficient to meet physical security goals on their own) in concentric layers to enhance physical security performance. For example, using a chain-link fence and ring of tall shrubbery around a public space combines the robustness of the former with the opacity of the latter to enhance the overall physical security of the space. The concept of a “graded approach”—which argues for appropriately matching selected and arranged physical security countermeasures to facility operations, anticipated threats, and potential consequences—is another systematic planning process for physical security. Consider, for example, how countermeasures employed to protect a remote power substation in the rural U.S. Midwest will look different than those for a nuclear power plant near a metropolitan area for the same anticipated threat because of the differences in operations and potential consequences. Despite the common goals of detecting, delaying, and responding to adversary or criminal activities to protect critical assets, physical security methods provide systematic planning processes to avoid a “one size fits all” physical security mentality.

[7] DEPO uses the formula $R = P_A \times (1 - P_E) \times C$ to determine system effectiveness, where $P_A$ is the assumed probability of attack; $C$ is a quantitative approximation of qualitative consequence descriptions; and $P_E$ is the physical security system effectiveness. To mitigate the difficulty of predicting adversary actions ($P_A$), DEPO best practices set $P_A = 1$ to simplify the equation to $R_C = (1 - P_E) \times C$. With physical security now described as a conditional probability, $P_E$ is defined as the product of the probability of interruption ($P_I$) and the probability of neutralization ($P_N$), where $P_I$ and $P_N$ are nested, conditional probabilities related to physical security countermeasure performance.
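
The DEPO relation in footnote 7 and the "delay after detection" point in footnote 4 can be worked through numerically. The Python below is an added example, not code from the article or from DEPO itself; it assumes a simplified, deterministic timely-detection model in which a sensor is credited toward the probability of interruption only while the remaining path delay is at least the response time, and every element name, probability and time is a constructed sample value.

```python
"""Added example: DEPO-style conditional risk along one adversary path.

Assumptions (not from the article): a simplified, deterministic
timely-detection model; every element name, probability and time below is
a constructed sample value.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PathElement:
    name: str
    p_detect: float  # probability the element detects and assesses an intrusion
    delay_s: float   # seconds the adversary needs to get past the element


def probability_of_interruption(path, response_time_s):
    """P_I: probability of detection while responders can still arrive in time.

    Detection is assumed to happen as the adversary starts on an element, so
    that element's delay plus all later delays is the time left to responders.
    Sensors met after the remaining delay drops below the response time are
    not credited: they detect too late to interrupt.
    """
    remaining_s = sum(e.delay_s for e in path)
    p_all_missed = 1.0
    for element in path:
        if remaining_s < response_time_s:
            break  # past the last point where detection is still timely
        p_all_missed *= 1.0 - element.p_detect
        remaining_s -= element.delay_s
    return 1.0 - p_all_missed


def conditional_risk(p_i, p_n, consequence, p_attack=1.0):
    """R = P_A * (1 - P_E) * C, with P_E = P_I * P_N; P_A = 1 gives R_C."""
    for p in (p_i, p_n, p_attack):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p_attack * (1.0 - p_i * p_n) * consequence


# Constructed sample path, outermost layer first.
BASELINE = [
    PathElement("perimeter fence", 0.10, 10),
    PathElement("open yard", 0.00, 20),
    PathElement("building door", 0.20, 60),
    PathElement("vault wall + sensor", 0.90, 120),
]
RESPONSE_TIME_S = 150  # constructed: time for responders to arrive
P_N = 0.8              # constructed: probability of neutralization
CONSEQUENCE = 100.0    # constructed: consequence on an arbitrary scale

# Upgrade A: more delay close to the asset, so the vault sensor becomes timely.
MORE_DELAY = BASELINE[:3] + [replace(BASELINE[3], delay_s=600)]
# Upgrade B: better detection far from the asset.
EARLY_DETECTION = [replace(BASELINE[0], p_detect=0.90)] + BASELINE[1:]
# Delay with no detection anywhere (the footnote's prison-wall case).
UNDETECTED_WALL = [PathElement("thick wall, no sensor", 0.0, 1_000_000)]


def compare():
    """Return {design name: (P_I, conditional risk)} for the sample designs."""
    designs = {
        "baseline": BASELINE,
        "more delay at vault": MORE_DELAY,
        "early detection": EARLY_DETECTION,
        "undetected wall": UNDETECTED_WALL,
    }
    results = {}
    for name, path in designs.items():
        p_i = probability_of_interruption(path, RESPONSE_TIME_S)
        results[name] = (p_i, conditional_risk(p_i, P_N, CONSEQUENCE))
    return results


if __name__ == "__main__":
    for name, (p_i, risk) in compare().items():
        print(f"{name:22s} P_I={p_i:.3f}  R_C={risk:.1f}")
```

With these sample numbers the vault sensor's 0.9 detection probability contributes nothing in the baseline, because only 120 s of delay remain against a 150 s response time; either adding delay behind it or moving detection outward restores most of the system effectiveness.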
Actual Application(s) to Protect Assets from Threats: Physical Security Practices

In physical security, systematic planning should be augmented by a deeper understanding of (and expectations for) the patterns that describe regular application of physical security countermeasures. In other words, where methods illustrate systematic planning processes for physical security countermeasures (e.g., actions taken during the design of physical security), practices describe how such countermeasures are routinely used. Physical security practices, then, can be defined as the behavioral patterns of how individuals interact with physical security countermeasures to achieve asset protection goals. Therefore, the ability to achieve physical security goals is enhanced with a deeper understanding of such behavioral patterns and, while many exist, two are described in more detail to illustrate the importance of this concept.

Successful physical security is predicated on having an accurate understanding of the current conditions impacting countermeasure performance and the asset they are intended to protect. Surveillance is a key physical security practice that relates to how countermeasures are used to make observations that inform this understanding of current conditions influencing asset protection. Traditionally, surveillance relates to targeted, close observation of suspicious (or, expected to be suspicious) activities—surveilling an employee suspected of tampering with a bank vault, for example. There are different kinds of observations, however, that can inform knowledge of the current conditions impacting countermeasures. Monitoring, for example, describes efforts for broad observations of critical assets at regular time intervals, often as a quality control mechanism. Consider cameras aimed at the entrance door to a bank, for example.
Another type—assessment—describes the ability to distinguish between non-malicious and malicious intent for unexpected or unanticipated observations. Ultimately, assessments aim to identify whether the observation was a tumbleweed blowing into the bank lobby or an adversary or criminal activity.

As a physical security practice, surveillance supports both DEPO and CPTED-based countermeasure designs to achieve high-level physical security goals. In DEPO, various technical and human-based countermeasures are identified and implemented to improve the observation and communication of unexpected activities to support the method’s emphasis on assessed detection (Garcia 2008). Common examples include roving guard patrols along a facility’s perimeter and closed-circuit television (CCTV) systems. Similarly, CPTED argues that the ability (and the perceived ability) for regular observations of activities in public spaces deters criminal acts for fear of exposure and attribution. CPTED-specific examples include street design (e.g., one-way traffic flows), the location of building windows (e.g., some should face the back alley), and CCTV (Cozens & Paul, 2015). Whether performing under the specific parameters of surveillance, monitoring, or assessment, physical security is enhanced when countermeasures improve the quantity and quality of observations on conditions related to protecting assets.

In addition to having early warnings of potential adversary or criminal activities, physical security is also enhanced by efforts to purposefully restrict proximity to (or contact with) critical assets. This physical security practice distinguishes between who does (and who does not) have authority to access a critical asset. Called access control, this practice includes behavioral patterns that use countermeasures to limit the ability for close proximity or contact with critical assets. Related practices include more formal efforts like background investigations commonly used for U.S. government jobs requiring a national security clearance and informal mechanisms like neighbor-based identification of “strangers” in the community. Access control practices also include discriminating based on the type of access allowed to support achieving physical security goals.
For example, access to a bank’s vault can range from bank customers being escorted to their safety deposit boxes to bank employees entering the vault unescorted during business hours to bank managers having the codes to open the vault during non-business hours. Asset protection, then, can be enhanced by practices that restrict the number of people or the type of proximity to assets that are permitted.

Access control practices, like surveillance, support DEPO and CPTED-based countermeasures to help achieve high-level physical security goals. Related practices include both technological and procedural mechanisms to (at best) eliminate or (at worst) reduce unauthorized access to protected assets. Common DEPO-based applications of access control include the use of identification badges—from simple visual inspection to electronic examination to biometric verification. Likewise, one of the key CPTED strategies centers on access control, more specifically emphasizing both natural and man-made uses of “spatial definition to deny access to potential targets” (Cozens & Paul 2015, p. 5). Using landscape features like steep terrain or creeks to locate entranceways are traditional CPTED-related approaches to access control, but more recent practices include using mechanical locks and cages to deny unauthorized proximity to assets. In both DEPO and CPTED related instantiations, access control practices support achieving high-level delay goals. When used to support surveillance efforts (e.g., alerting when an employee suspected of malicious intent attempts access to an asset), access control can also help achieve detection goals. These practices can also support high-level physical security response goals, particularly when utilized in a forensic or investigatory role.

While surveillance and access control were highlighted in this paper, they are not the only physical security practices to consider in achieving physical security goals.
Another visible physical security practice is employing dedicated, onsite guard personnel. Such personnel can range from contracted personnel who focus on small theft prevention (as in many U.S. retail stores) to (un)armed individuals who focus on slowing criminal activities (as in many U.S. commercial banks) to armed personnel with para-military training (as in many U.S. nuclear power plants). Another popular physical security practice relates to the use of protection zones, where different levels of countermeasures are located to protect different types of assets. Most clearly related to the aforementioned “defense-in-depth” physical security method, this practice places more valuable assets in zones that require more robust countermeasures, with the tendency of placing the highest value assets in the center of a concentric set of protection zones. Examples of clear protection zones are those around nuclear power plants, but similar practices can be seen in more common organizations like airports where increasingly robust countermeasures protect access to the terminal(s), aircraft, tarmac, and air traffic control towers. Taken together, this section demonstrates the important role of how regular patterns of using countermeasures support systematic planning processes to achieve physical security goals to protect critical assets.

Conclusions

Physical security methods and practices must continually adapt to turn changing and expanding challenges into opportunities for better critical asset protection. Consider the natural tension between physical security countermeasures and the operational focus of critical infrastructure, like the difficulty in balancing between the resources spent on attempting to detect weapons entering an airport and the need for airports to process thousands of people an hour. Here, coupling a focus on preventing interruptions to normal operations with detection, delay, and response goals provides the opportunity to develop new systematic planning processes and patterns of behaviors to protect critical assets. Another challenge is confusing “threat” (or, those aspects of physical security that cannot be controlled) and “vulnerability” (or, those aspects of physical security that can be controlled).
Threats to physical security can either be natural (e.g., floods, fires, hurricanes) or intentional (e.g., terrorist or criminal acts), whereas vulnerabilities are faults within countermeasures that can be addressed (and resolved) with physical security methods and practices. Further, new and evolving threats should be used as drivers for innovation in physical security methods and practices. One last challenge is the increasing digitization of physical security countermeasures (e.g., controllers of physical countermeasures or networked countermeasure system designs). This, in turn, provides the opportunity to better incorporate key cyber security and information protection strategies into physical security methods and practices. Ultimately, combining and leveraging the benefits of well-known—and developing new, innovative—physical security methods and practices can help overcome these challenges to ensure that critical infrastructure assets are protected and able to support their role in society.

References

Cozens, Paul and Terence Love (2015) “A Review and Current Status of Crime Prevention through Environmental Design (CPTED),” Journal of Planning Literature, 30 (4), p. 393-412.

Garcia, Mary Lynn. (2008) The Design and Evaluation of Physical Protection Systems (2nd Edition), Boston, MA: Butterworth-Heinemann.

Jeffery, C. Ray. (1971). Crime Prevention Through Environmental Design. Beverly Hills, CA: Sage Publications.

U.S. Department of Defense (2016) “Department of Defense Dictionary of Military and Associated Terms (Joint Publication 1-02),” <https://fas.org/irp/doddir/dod/jp1_02.pdf>.


U.S. Interagency Security Council, Department of Homeland Security (2015) “Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide,” <https://www.dhs.gov/sites/default/files/publications/isc-planning-managing-physical-security-resources-dec-2015-508.pdf>.

Further Reading

Relevant Standards within the United States Code (U.S.C.) and the Code of Federal Regulations (CFR) for physical security can be located by searching for specific U.S. government entities.

Cozens, Paul. (2014) Think Crime! Using Evidence, Theory and Crime Prevention through Environmental Design (CPTED) for Planning Safer Cities, Quinns Rock Perth, WA: Praxis Education.

Garcia, Mary Lynn. (2005) Vulnerability Assessment of Physical Protection Systems, Boston, MA: Butterworth-Heinemann.