Physical security has many holes to be plugged
“I can get into any facility in less than five minutes with the right tools,” says Sean Ahrens, global practice leader at AON Global Risk Consulting. That’s sobering news for security professionals charged with protecting vital data centers and warehouses. Fortunately, sensitive facilities can improve by calling on the advice of AON and other specialized firms.
“There’s a movement away from unmanned data centers and similar critical facilities,” explains Ahrens. “Most security efforts focus on preventing digital attacks since those represent the majority of attacks. That means that physical security often becomes a failure point,” he added. The most common failures Ahrens sees happen are via operations and human mistakes.
“The Holy Grail of security assessment is to gain access to a facility by non-destructive means. In security consulting projects, we have often been successful in obtaining access. For example, we had one of our staff gain access to a secure facility through a loading dock and they were almost granted a security card,” Ahrens explains.
In several cases, AON security consultants have obtained copies of secure facility blueprints from municipal offices. That approach shows that a determined aggressor’s attack may be informed by detailed technical and architectural information.
“Our reports typically include photos of secure assets and video records demonstrating how access was gained. These records accompany our reports to aid companies in improving their security,” he added. Continuous improvement is required in order to maintain a secure facility against constantly evolving threats. Regular physical patrols are an important way to detect security flaws and events. Broken glass, damaged locks and other changes are warning signs that an intrusion is underway.
“Ultimately, security professionals and our clients need to realize that it is impossible to prevent all attacks. Instead, we focus on delaying an attack and deterring an attack. The more time an attacker takes to carry out their attack, the more time we have to detect their presence, call law enforcement and deploy other measures,” Ahrens explains.
Physical security failures and breaches are not limited to criminal masterminds: operational failures are highly important. “Weak discipline over security badges and allowing another person to piggy back through a secure entrance is a chronic failure,” says Lee Kirby, chief technology officer at the Uptime Institute, a Seattle-based organization that provides IT certification, consulting and advisory services. “If an organization allows ‘piggy back’ access, that is a signal about other failures.
“Many times, organizations put security tools and technology in place and hope that the supporting processes will materialize. This approach rarely works well,” Kirby added. “A comprehensive approach such as the Uptime Institute’s Management & Operations (M&O) Stamp of Approval is an excellent way to ensure that an organization has the processes and operations in place to achieve high-quality security,” he commented.
CenturyLink and UBS are two leading companies that have adopted the M&O standard for some of their operations. The Stamp of Approval issued by Uptime is valid for two years so organizations have an added incentive to stay on top of best practices.
“Managers have an important role to play in all aspects of security practices. For example, is there a practice in place to screen and evaluate third-party staff such as maintenance crews and those who service power generators Those third parties are often forgotten in management plans and that poses a security risk. In addition, managers need to ensure that every person in the facility is trained on security versus focusing on IT staff alone,” Kirby added.
Delivering physical security improvement also requires an understanding of a facility’s setting. “We had an Ohio customer who felt their location was secure due to its location in an access controlled industrial park. They decided to enhance their site security through the addition of 'no climb' fencing after we presented additional data on local vandalism and other incidents,” says Chris Curtis, senior vice president at Compass Datacenters.
Governments face tremendous challenges in securing critical facilities because so many people depend on them and budget pressures are a constant concern. In addition to military bases, other sensitive government facilities include major political buildings (for example the White House, governor’s offices and court buildings), research facilities (such as Department of Energy National Laboratories) and transportation infrastructure (train stations and ports).
The government approach to physical security emphasizes staff and training procedures. In 2013, the U.S. Department of Homeland Security (DHS) published guidelines for armed security officers at federal facilities. Critical facility managers would do well to take note of these government practices and determine which measures adapt.
Government standards for armed security guards serve as a benchmark to evaluate security in other settings. The above practices can also be used to prepare procurement documents for companies that contract out physical security. In addition, DHS requirements can also be used to inform a balanced scorecard evaluation of current security practices at critical facilities.
Requirements are the beginning point for effective security at a critical facility. Fulfilling the security requirements of an organization or industry (e.g. PCI-DDS for the payment industry, HIPAA for healthcare and SOX for public companies) is essential. If these requirements are not met, a company’s credibility will be undermined. Penalties in the forms of media criticism, fines and industry censure are also possible. In 2015, Verizon found that two-thirds of companies using the PCI standard failed to test their security. Failing to fully utilize existing security standards is a significant gap.
Security requirements are especially important when planning a new facility. “In our experience, the biggest mistake that organizations make is failing to clearly identify their requirements up front such as the value of your applications and the cost of downtime,” explains Curtis.