Hardening Access to Critical National Infrastructure
Advances at the high tech end of security, in areas such as biometrics, cyber security and IP video surveillance, tend to grab the technology headlines. Nevertheless, today’s approaches to physical protection are no less inventive or exacting while remaining fundamental to the hardening of critical assets.
Focal to this are security doors, window protection, cabinets, kiosks, access covers and an increasingly specialised population of products that stand as the last line of defence against physical infiltration of critical access points. They must resist attempts at forced entry, according to the assessed risk of terrorist, criminal or even accidental intervention, while the attack is detected and first responders arrive – or the attack is abandoned.
Any breach of these physical defences could give assailants time to reach sensitive areas of CNI operation: IT systems, data storage, network control rooms, hazardous chemicals, pharmaceutical stores, treated water supplies, electrical plant, process controls, to name just a few.
Acts of vandalism, theft, extortion, arson or even terrorist attack staged within these prohibited zones will have magnified consequences in a CNI environment. First and foremost, there is the risk of disruption to vital services, such as hospital care, utilities supply and public transport, and potential injury or loss of life. The operator also faces costly damage and repairs, financial losses from business interruption together with reputational damage, and the possibility of compromised commercial or security intelligence.
At operational hubs or areas attracting large footfall, notably railway stations and airports, physical access protection will form part of a hierarchy of security provision. This could include perimeter fences, CCTV, security policing and patrols, personnel identification and recognition technology, together with access control. But as we move out along the CNI network, physical protection assumes a more prominent role.
Sectors with significant distribution infrastructure, specifically the utilities (water, gas, electricity, telecommunications) and transportation, face additional challenges in the implementation of physical resilience measures.
With assets ramified across large geographic areas, the management of physical security is not all neatly contained within clearly bound sites. Operators must also mitigate against a continuum of risks across miles of publically used or publically accessible infrastructure, running from densely populated urban centres to remote rural locations.
The hardening of access points and housings to trackside, roadside and underground services becomes paramount, especially in locations that are unmanned and without CCTV surveillance.
Here, physical security is the prime defence for the services and controls sustaining the utilities and transport network: electrics, switchgear, transformers, fibre optics, telemetry, storage tanks, pumping stations, valve chambers, among others.
Criminal attack, theft, vandalism and trespass are the prevalent security risks. Theft of metal, ranging from access cover lids and cabinet doors to copper cabling, is a growing problem, with storage depots and operational installations both being targets. Injury to members of the public, from hazards such as electrocution or a fall down an underground chamber, is another risk tied to unauthorised access. The water industry faces the additional risk of contamination of water supply, whether accidental or intentional.
In response, physical protection equipment has undergone its own quiet revolution in keeping step with the needs of these logistically demanding CNI networks.
One of the more conspicuous changes is the growth in security equipment with third party approval, that is, independent testing and certification of product performance.
Especially since 9/11, governments and security agencies around the world have stepped up their strategies for acquiring intelligence and assessing the threat picture to national security. This has undoubtedly filtered through to the wider adoption in many CNI sectors of products approved to a robust test standard, driven by legislation in some cases.
Robust is the operative word. CNI specifications will often stipulate third party approval by a government owned or affiliated testing house, or other accepted approval marque by a commercial organisation with a trusted pedigree.
Third party approval and claims for product performance must be approached with great care.
Security specifiers and consultants should be clear about the performance standard, test methods and quality control behind third party approval and the security ratings declared for physical protection equipment. As already illustrated, it may be the final barrier between an assailant and critical assets.
Due to its particular history of national security risk pre-9/11, the UK is relatively advanced in its adoption of certificated equipment. With security legislation in place since the late 90s, the UK water industry has undoubtedly set the pace.
Investment in water protection has been a staple of the industry’s Asset Management Plans (AMPs) since privatisation 25 years ago. Alongside government approved (CPNI) products, this has created opportunities for the development of physical security solutions to commercial third party approval marques of equivalent rigour, specifically LPCB (Loss Prevention Certification Board).
Physical resilience programmes in the water sector have been widely rolled out from high priority applications demanding high security levels, such as potable water, to other lower risk assets. Physical security solutions have tracked this evolution; from anti-contamination access covers over underground water tanks; to high security doors, louvres, and fully serviced security buildings; and now the emerging integration of physical security with access control.
Early adopters like the UK water industry have been instrumental in driving the market for third party approval and pushing standards in physical protection technology, in partnership with quality committed and innovative suppliers.
Some 10 to 15 years ago, when market demand and sales volumes for third party approved products were at a lower level, investment in certification for products was a tougher cost consideration for manufacturers.
But increasing migration of CNI clients to third party approved equipment is driving up sales volumes and creating diversified needs, making the cost of testing and certifying products much less of a barrier in bringing new innovations to market.
With this market mechanism now established, demand is being met for many more types of third party approved solutions across different assets and for a full range of threats. Physical protection technologies evolved to third party approval criteria can be readily and confidently transferred, or adapted, to meet needs across all CNI sectors – from the utilities to financial services.
Future evolution of physical security is likely to be shaped by its increasing integration with access control. CNI clients are looking at the potential to link doors at multiple sites with central access control, with the flexibility to specify a range of electronic control and personnel ID systems – RFID (radio-frequency identification), fob, swipe card, solenoid or mobile.
Wider integration of physical security with access control will inevitably add to the complexity of security upgrades and physical resilience programmes. This makes it especially important for early consultation between all parties involved in their planning, specification, design and delivery.
The client should sit down with the security consultant, contractor, together with the physical security and electronic access suppliers, to carry out a coordinated and thorough review of project detail. This will provide the opportunity to identify and resolve any potential issues of equipment compatibility, technical integration with the access control network, site preparation, installation and delivery logistics. System details and installation can be screened and aligned with construction planning on BIM (Building Information Modelling), if being used.
In addition to resolving physical protection needs, there will be other important considerations to ensure equipment provides the best return on investment over its service life. These may include features and accessories to enhance operational efficiency as well as health and safety, eg, reducing the risks of falls from height, manual handling, and slips and trips.
Early collaboration is key to cost control. It allows time and cost savings to be harnessed in project delivery, and opportunities for value engineering in the design of bespoke security installations. As well as ensuring the selection of best value solutions, potential problems can be anticipated and addressed so that projects can be brought in ‘right first time’, on budget and to schedule.
Without this timely exchange of expertise, problems may be overlooked that can add significantly to budget and programme length if considered too late.
For example, in planning security upgrades or retrofit of existing facilities, it will be necessary to assess the strength and integrity of walls, roof construction and interfacing building structures. There is little use in installing a high security door, roof escape hatch or secure kiosk within building fabric or groundworks that are not sufficiently robust to anchor them.
Opportunities might also be missed to identify faster or more convenient solutions to suit site logistics, such as modern options for the supply of secure kiosks. Where site access is constrained, it may be more convenient to deliver them flat-packed for in situ assembly. If access is unhampered, then a pre-assembled kiosk, fully fitted with power, lighting and H&V (heating and ventilation), will save time and labour.
Early dialogue between the security consultant and technology suppliers is particularly important. This can highlight any potential issues in matching physical security and electronic access to the needs of the risk assessment and achieving the access control desired.
While the security consultant will have up-to-date knowledge of emerging risk factors for making accurate risk assessments, the supplier will have the product and design expertise to identify how best to meet them.
For further information telephone 01938 555511 or E-mail: firstname.lastname@example.org
This article was published in the September 2014 issue of Intersec Magazine. Reproduced here with the permission of the publisher.
About the author:
Michael Miles is managing director of Technocover, a UK based designer, manufacturer and installer of third party approved physical protection equipment, and part of Ensor Holdings plc. He has over 25 years’ experience in the site risk assessment and technical specification of physical access security and asset protection equipment for utilities, transport and other areas of critical national infrastructure. As Technocover’s technical head, Mr Miles has acted as a consultee and advisor on security equipment specifications for CNI clients as well as to industry groups involved in the development of sector standards for physical protection.