How hard is hard enough in perimeter security?
Steve Green examines the current threats posed to physical security and what measures would be most suitable in controlling access to buildings or other populated areas that could face a security threat.
Since time immemorial, one of the basic tenets of security has been the principle of ‘Defence in Depth’; the establishment of multiple, concentric, secure perimeters around a critical asset, each of increasing resilience, to filter authorised friend from unauthorised foe. Assets, in this regard, may include property, people and information. The object of the exercise is to ensure that any actual or perceived weaknesses in a perimeter layer are reinforced and neutralised by strengths in the next, such that a coincidence of gaps cannot occur which might allow an assailant passage to the asset. This ‘hardens’ the target, increasing the perceived risk to the attacker of being caught and sanctioned, and thus providing a powerful psychological, as well as physical, deterrent factor. Both Roman castra marching camps and Norman motte-and-bailey castles employed this simple but effective design philosophy, and it serves equally well in every conceivable operational theatre in the modern world. Such perimeter control can be designed to segregate and filter people, vehicles or goods, according to the type of risks being addressed.
But herein lies the security practitioner’s dilemma: how many layers, and of what size and granularity, are optimal in a given situation? Or to put it more simply, when hardening a target, just how hard is hard enough?
Unfortunately, as with much else in the risk management domain, the answer is entirely subjective. It is a complex function of personal and collective risk appetites, assessment and interpretation of the security risks faced, the nature of the site being protected and, of course, the available budget. In the simplest case of a fixed, highly-valued asset, for example, where the risk perceived is one of access by unauthorised persons, a solution might be appropriate in which the types and number of authentication factors vary and become more individually specific the closer you approach, thus creating a number of ‘access levels’.
So whilst a notional outer perimeter might feature proximity card readers and CCTV cameras, the next might include PIN keypad & proximity card readers and video motion detection, while the inner perimeter could comprise biometric authentication and volumetric intruder detection. Coupled with appropriate levels of personnel and baggage screening, with effective security vetting of staff matched closely to the level of clearance required for each access level, a robust yet flexible architecture begins to form.
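The access levels described above can be modelled as a policy check that walks inward one perimeter at a time. The following Python is an added example, not part of the original article; the zone names, factor labels and clearance numbers are assumptions chosen to mirror the three notional perimeters.

```python
from dataclasses import dataclass

# Constructed model: names, factor labels and clearance numbers are assumptions.
@dataclass(frozen=True)
class Perimeter:
    name: str
    factors: frozenset   # authentication factors demanded at this layer
    min_clearance: int   # vetting level required to pass this layer

# Ordered from outermost to innermost.
PERIMETERS = (
    Perimeter("outer", frozenset({"card"}), 1),
    Perimeter("middle", frozenset({"card", "pin"}), 2),
    Perimeter("inner", frozenset({"biometric"}), 3),
)

def evaluate(target, presented, clearance, perimeters=PERIMETERS):
    """Walk inward layer by layer and stop at the first one that refuses.

    Returns (granted, stopped_at, reason). Every layer between the outside
    and the target must be satisfied, not only the target's own.
    """
    names = [p.name for p in perimeters]
    if target not in names:
        raise ValueError(f"unknown perimeter: {target}")
    presented = frozenset(presented)
    for p in perimeters[: names.index(target) + 1]:
        missing = p.factors - presented
        if missing:
            return (False, p.name, "missing factor: " + ", ".join(sorted(missing)))
        if clearance < p.min_clearance:
            return (False, p.name, f"clearance {clearance} below {p.min_clearance}")
    return (True, None, "all layers passed")

def redundant_layers(perimeters=PERIMETERS):
    """Adjacent pairs where the inner layer checks nothing the outer did not.

    Such a pair adds no resilience: whatever defeated the outer layer
    (a lost card, say) defeats the inner one too.
    """
    return [
        (outer.name, inner.name)
        for outer, inner in zip(perimeters, perimeters[1:])
        if inner.factors <= outer.factors
        and inner.min_clearance <= outer.min_clearance
    ]
```

Running `redundant_layers` over a proposed design is a quick way to spot layers whose weaknesses coincide rather than being reinforced by the next perimeter in.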
Similarly, where motorised access into a site needs to be controlled, this may be achieved by fencing or otherwise demarcating secure areas, providing vehicle control points for authorised access into these areas, whilst anti-impact protection on vulnerable parts of the boundary prevents unauthorised access.
However, if operating in the counter terror domain, the security risk is not merely unauthorised access which might lead to theft of information or property, but rather a scenario in which the perpetrator aims to damage, destroy or otherwise harm the asset itself, including personnel. In this case the equation changes. Now, access control regimes need to take into account the concept that the assailant no longer needs necessarily to be in immediate proximity to the asset to achieve the required impact. Instead, force may be projected and applied from afar, or the infrastructure supporting the asset may be compromised.
In the former case, where explosive attack is anticipated, the guiding light for designers remains the venerable Hopkinson’s Inverse Cube Rule. Simply put, this 100-year-old model suggests that, with all else being equal, the effect of an explosion reduces by the cube of the distance of the blast from the target. In other words, a similar impulse force as might be generated by a 100kg explosion at a specific distance would require an 800kg device at twice this distance. It is therefore possible to calculate the maximum theoretical blast load that a structure can support, equate this to a notional device size at a range of distances, and design access control measures to restrict the size of explosive device that can be delivered by a perpetrator at these distances. Thus sequential perimeters would filter out trucks, cars and a person with baggage respectively as the distance to the asset reduces.
Conversely, where space is limited and perimeters must be placed at less than optimal distances, the standoff achieved can be used to calculate the residual blast load which is likely to be applied to the asset. The structure can then be reinforced to meet this requirement, or additional intervening mitigation can be provided, such as hard landscaping or screening walls. Such screening can also support hostile vehicle mitigation to prevent explosive devices being forcefully delivered through the perimeter.
The major failing of this simplistic model is that, where a terrorist’s targets include organisational reputation, an attack on an outer perimeter may be just as damaging as one that reaches the centre of the site. It also creates an ‘arms race’ of crime displacement, where the response to hardening of a specific target leads the assailant simply to seek out new weaknesses to exploit. Recent bitter experience in aviation security, in London, Glasgow, Brussels and Istanbul, has demonstrated this all too clearly. As a result of attempted attacks on aircraft, enhanced security between landside and airside was introduced. However, this simply pushed the point of attack to the check-in hall, both on foot and by vehicle through the glass facade. Subsequent enhancement of hostile vehicle mitigation measures, and the creation of search areas prior to check-in, has resulted in the terminal entrances becoming targets. These advances in counter-measures have successfully limited the damage to the terminal building, and thus aided early return to service, but the resultant publicity demonstrates that the fear caused remains the same no matter how far away you push the point of attack. The terrorist goal is still, in the main, achieved.
New risk scenarios
Indeed, we have to face the unpleasant reality that it may never be possible to deflect the problem far enough away. The interconnected nature of the modern world has benefitted society in innumerable ways, allowing us to contemplate lifestyles and business processes inestimably more complex than our forefathers could imagine. However, such systemic interdependency comes at a price, not least of which is that both our critical assets, and those security systems that we put in place to protect them, now depend inevitably on various elements of supporting infrastructure. This introduces a whole new set of risk scenarios in which it becomes attractive for an assailant to attack dependent infrastructure and thus either deny the use of the asset to its owner, or to negate the security counter-measures protecting it. Our notional perimeter protection must therefore become multi-nodal, with protection being provided across multiple smaller, isolated, geographically-dispersed infrastructure assets.
This is a challenge faced by the owners of very large facilities, such as air and sea ports. The cost of protecting the entire outer perimeter of an extensive site rapidly becomes prohibitive. In such cases, an alternative ‘Citadel’ approach may be more appropriate, in which a semi-permeable outer boundary is drawn around discrete clusters of critical assets which are then individually hardened. Thus, rather than preventing access through the huge outer layers, these are provided simply with detection capability, such as ground radar, to provide notification of a breach. The asset clusters are then designed to delay the intruder long enough for intervention forces to arrive. A similar model can be applied on a national basis, where protection of the entire border against security risks is impractical, but protection of specific critical national infrastructure, such as water, fuel, electricity and telecommunications facilities, is adopted.
Here is where we start to rub up against the limits of what physical security alone can achieve, as we have arrived at the point where infrastructure can be compromised not by the application of direct physical intervention, but rather remotely via telecommunications media. Quite correctly, international governments have recognised that the myriad benefits arising from the Internet are accompanied by a new set of vulnerabilities which allow an assailant to attack corporate and national infrastructure systems without ever setting foot in the country. Judging by the priorities being set in national security expenditure across the world, the adversaries that governments are losing sleep over today are less likely to be balaclava-clad insurgents or sinister Mafia gangsters, but rather acne-ridden ITC students, living with their mums. The motivations, however, are often identical; greed, naïve ideology or a misplaced sense of challenge.
Ironically the solution, in both physical and virtual versions of reality, is simply to close the circle, returning once more to the simple principles of Defence in Depth. Information is an asset just like any other, and can be protected using perimeter protection following the same basic rules of access control and intruder detection as in the physical world. Fences and firewalls, card readers and passwords, logical and physical security are two sides of the same coin. The modern converged world, it turns out, is not that different from Roman Britain.