When one thinks of critical infrastructures, some come quickly to mind: the water system, the power grid, the Internet, dams, bridges, roads, air and rail transportation to name a few. Commercial buildings may not occur to the average individual as critical infrastructure, but they are considered as such by the Department of Homeland Security (DHS) and ASIS International. If we think about the impact of the 9/11 attack on the Twin Towers, we understand why. The attack on the Twin Towers cost nearly 2,600 people their lives, and launched the United States into a long term war on terror that has increased the national debt approximately 1.5 trillion dollars.1
ASIS International’s 2011 Critical Infrastructure Resource Guide2 lists public assembly, sports leagues, gaming, lodging, outdoor events, entertainment and media, real estate (office buildings, mixed use facilities, apartments, etc.), and retail in the commercial facilities sector. Of course not all commercial buildings are “critical” infrastructure. The loss of a storage facility may have little impact on the owner and no impact on the economy or nation as a whole. This means we must evaluate the critical nature of our commercial infrastructure to determine what security or countermeasure we should implement to protect it. This is the purpose of a security risk assessment.
Several well established risk assessment methodologies are available, but in essence, to determine a risk level, most rate the assets (people and property) or infrastructure in terms of its critical nature (impact of a loss); threats in terms of their severity and credibility; and vulnerabilities in terms of their exposure. We then concentrate our efforts on mitigating or reducing the higher risks by reducing or eliminating vulnerabilities. In most cases we cannot affect the critical nature of the assets, or the severity of the threats. We can only reduce vulnerabilities.
A typical security risk assessment will use the company’s historical data and current intelligence to determine the design basis threats for the development of the risk matrix. These may include:
Each of these design basis threats will be evaluated against each asset considering various factors to determine vulnerabilities to the threat. A commercial facility that houses a work force of 5,000 will generally require more security than one that houses 5 people. Exceptions can be found in government or military facilities (as the nuclear silo that houses 2 men and weapons that can extinguish the lives of hundreds of thousands, if not millions), but it is generally true in commercial facilities. Likewise, a company that is considered an icon of the American way of life may make a more attractive target than one that is not a household name.
By examining various “what if” scenarios for each risk, countermeasures are theoretically applied, and the process repeated, to evaluate the proposed countermeasures. A comprehensive security program is then developed around the most effective countermeasures to include the appropriate physical security components, policies and procedures, and staffing and training.
A comprehensive security program that balances the use of protection resources (people, physical security systems, and policy and procedures) is generally the most effective. A weakness in any one of these components can negate the effectiveness of the other two. Perhaps the best illustration of this is that the best locks are useless if we don’t remember to lock the doors.
Physical security for low risk commercial facilities may include a basic burglar alarm system, a few cameras, and the use of good lighting. Security policies and procedures may include those that address disaster management and emergency response (evacuation or shelter-in-place), key control and accountability, opening and closing procedures, video management, pre-employment screening (background checks), prohibited items and substances, drug and alcohol use, and termination. There may be no dedicated security staff, or a few contracted security officers. Security functions may be performed by personnel with other duties. Training may include fire drills and safety and security awareness. The risk assessment will determine the extent to which facilities such as retail buildings, apartment complexes, condominiums, and self-storage facilities will fall into this category. Some of these may not fall into the realm of “critical” commercial infrastructure.
Medium risk facilities may also have card reader controlled access, a computer based visitor management system, intercom systems and/or emergency call stations, and an expanded video surveillance system. Additional policies and procedures may be needed to address security responsibility and accountability, access control (who gets a badge, who gets access to what, who authorizes badges, etc.), workplace violence prevention and intervention (including bomb threats and active shooters), use of archived video, and security post orders, general orders, and special orders. Security staff may include contracted or proprietary security officers. Additional training may be needed for proprietary security staff. The risk assessment will determine the extent to which facilities such as office buildings, conference centers, mixed use facilities, hotels, and retail centers will fall into this category.
A high risk facility may also have vehicle stand-off enforced with crash-rated barriers (both fixed in place and operable), facility hardening for ram, blast, and ballistic resistance, and X-ray screening systems and magnetometers. Additional policies and procedures may be needed to address occupational safety and health; personal use of company assets; property control, marking, and disposal; and information handling (disclosure, marking, storage, disposal, and destruction). The risk assessment will determine the extent to which facilities such as stadiums, museums, convention centers, casinos, and central banks will fall into this category.
Much of the commercial sector is trending towards more video cameras and the use of higher resolution megapixel cameras. Two and five megapixel cameras have become very popular. It is not uncommon for a large commercial facility to have hundreds of video cameras covering vehicle entrances, parking lots, building entrances, emergency exits, loading docks, and infrastructure that is critical to the operations of that facility (such as data centers, server rooms, electrical switchgear, generators, and uninterruptible power supplies).
It is difficult, if not impossible, for an operator to watch a multitude of video camera displays and maintain vigilance. Mental fatigue and boredom will set in and the operator will miss important events. This makes it imperative to automate the video surveillance system such that selected monitors only display video when triggered by potential alarm events. This can be done by connecting alarm outputs from the security management system to the video management system and configuring the system such that various events (such as door forced, door propped open, and emergency exit used) cause the video covering the event to be displayed on the alarm monitors. Built-in motion detection can also be used, but is limited to interior locations due to potential nuisance alarms.
Not all cameras cover areas where such alarm triggers exist. For example, a camera covering a fence line does not have any type of switch to act as a trigger. In this case there are special intelligent video analytics software and hardware systems that can provide detection of unwanted behavior, and alert the operator while initiating recording of the scene in question. Some of the behaviors that can be analyzed include:
It should be noted that no single video analytics system provides all of the above mentioned capabilities. Additionally, they are more often than not licensed on a “per behavior-per camera” basis and can be expensive to deploy on a wide scale. Therefore they are implemented for specific cameras (such as the camera covering the perimeter fence) and for specific behaviors (such as directional line crossing or trip wire). It is anticipated that the use of these analytics will continue to grow as more become aware of their capabilities and as costs decrease.
Many commercial facilities are considered an important part of the national critical infrastructure. Additionally, these facilities have infrastructure that are critical to the mission of the facility. Just how critical and to what level each should be protected is determined by a security risk assessment. Once the risks are evaluated, various countermeasures or mitigation means are applied and the risk re-evaluated. This process is repeated until effective mitigation measures are determined. Commercial facility owners and operators can find assistance through professional security consultants, the Department of Homeland Security, and ASIS International. The International Association of Professional Security Consultants members provide independent objective security advice on a range of specialties. DHS offers assistance to private sectors through many avenues; one is the DHS Private Sector Resources Catalog. A similar resource offered by ASIS International is the Critical Infrastructure Resource Guide, published by ASIS International’s Critical Infrastructure Working Group.
“Determining Appropriate Protection for Critical Commercial Infrastructure” was published in the February 2014 edition of The CIP Report.
Author: David R. Duda, PE, CPP, CSC, PSP