While physical security is a topic not often discussed, it is a vital component to every business. After all, physical access gives even the moderately skilled attacker access to the network, unencrypted workstations and servers, and hardcopy information just waiting for someone to come by and pick it up. Have you looked at the output bin on your shared fax machines and printers, lately? Physical security does include more than stopping human intruders. However, information on heating, cooling, fire suppression systems, and power backup is available simply by discussing your needs with your facilities management staff. It is not so easy when it comes to intrusion controls. It takes more than a lock or two to secure sensitive information and critical systems. This is the realm of the security professional’s expertise. In this article, we look at the objectives of physical security and various controls to meet those objectives. When you finish, you will have the skills necessary to have an informed discussion with facilities and business management about what is right and what is missing in your organization’s physical security plan.

What is Physical Security?

The best definition I could find for physical security is available from the United States Geological Survey: There is no object so well protected that it cannot be stolen, damaged, destroyed, or observed by unauthorized individuals. A balanced security system provides protection against a defined set of threats by informing the user of attempted intrusions and providing resistance to the would-be intruder’s attack paths (USGS, 2005, p. 12) The first part of this definition is common to all security efforts; we cannot stop a highly motivated attacker. It is in the second sentence of our definition that we find the objectives of physical security. Said another way, the purpose of physical security is to delay an intruder’s advance toward a target long enough to detect and respond with human intervention. Human intervention includes on-site security guards, police, or other relevant human controls. Achieving physical security objectives requires policies, standards, guidelines, and controls addressing prevention, detection, delay, response, and assessment. We identify gaps with physical security risk assessments and surveys, similar to those used for logical security. Through all physical security planning, we must remember one very important principle: ensuring human safety is the most important outcome.

Motive, Opportunity, and Means

The same things drive physical intruders that drive cyber criminals: motives like money, advancement of a social agenda, etc. Further, intruders seek opportunities that do not exceed their ability (means) to exploit. Finally, controls help mitigate opportunities, increase required skills, and mitigate the business impact resulting from a successful intrusion. This leads us back to the risk formula:

Figure 13- 1: Expanded Risk Formula The basic principles of assessing and managing risk are the same for physical security as for configuring logical controls in the data center. Only the processes and controls differ.

Risk Assessment

Because we base all security controls on risk, the first step in a physical security program is the risk assessment: sometimes called a physical security survey. A physical security risk assessment identifies threats, pairs them with vulnerabilities, and determines the probability of successful attacks. Using best practice recommendations, the organization implements reasonable and appropriate controls intended to deter, delay, detect, and detain human intruders. For additional guidance on the details of physical security survey/assessment tasks and expected results, see the U.S. Army and U.S.G.S references at the end of the second article.

Physical Security Controls

Layered security also applies to physical security. Each layer supports others to prevent successful intrusions. For our purposes, I placed controls into two categories:

  • Deterrence and Delay (prevention)
  • Detection and Detainment

Deterrence and Delay

An intruder selects an attack path based on a cost/benefit assessment. If the risk of detection or detainment (apprehension) is too high, he selects another path: if one exists. Further, not all intruders possess a high level of motivation. These potential criminals are easily put off by high fences and other common barriers. Deterrence and delay controls fall into two general categories: location and barriers.

Location, location, location…

We seldom have say in where management builds a facility. In most cases, we are hired well after the organization opens its doors. However, an analysis of structure locations helps determine level of risk, even if we cannot pick up high risk offices and move them to low-risk neighborhoods. Risky locations possess one or more of the following:

  • High pedestrian traffic
  • High vehicular traffic
  • Obscured visibility of areas of probable approach to the site
  • High local crime rate
  • Infrequent or ineffective police presence
  • Volatile/corrupt political or legal environment
  • Significant labor unrest
    • Area in general
    • Against your organization

The impact each of these has on your organization depends on its industry, its overall impact on the community, and how the locals feel about the organization’s quality of citizenship. In other words, do the people like your organization or hate it? Is your product something in high demand by criminals? The conditions listed above do not remain static. Consequently, review them every year during your annual physical security risk assessment. Use your own observations as well as crime statistics and other publicly available resources to determine overall location risk and changes since the previous year.

Barriers

Deterrence requires barriers: psychological, physical, or both. We should never expect barriers to stop a motivated intruder. Instead, they provide a level of effort and planned delay. Figure 13-2 shows a layered approach to barrier use: site perimeter, building walls and doors, and internal walls and doors.

Figure 13- 2: Layered Barriers

Site perimeter

“The perimeter is a clearly bounded space surrounding all property controlled by the organization” (Olzak, 2012). Site barriers tell anyone approaching the site that she is about to enter private property. They usually take the form of signs, landscaping, walls, or fences.

Signs

Signs provide a weak deterrent: one useful only to stop accidental intrusion.

Landscaping and natural barriers

In addition to signs, natural barriers can provide a stronger deterrent. Often consisting of ditches, hills, and vegetation, they introduce some resistance to casual intrusion. One example of a landscaping barrier is the basic berm, shown in Figure 13-3. Adding thick vegetation, such as hedgerows, increases resistance to perimeter entry. In some cases, the location of a site provides natural site boundaries, such as rivers, streams, cliffs, thick brush, or forest. Regardless of whether man-made or natural, most barriers of this type provide little or no real deterrence for motivated intruders.

Figure 13- 3: Berm

Fences

When landscaping and natural barriers do not sufficiently mitigate risk, one of most common choices is fencing. As shown in Table 13-1, fencing characteristics should match the threat type you want to deter and delay. In most cases, an organization is safe enough with one of the chain link designs shown in the table. According to the U.S.G.S (2005), chain link should consist of a mesh of 11-gauge or better wire. To deter an intruder attempting to go under the fence, the bottom links should be no higher than two inches from firm ground. In addition, installers should embed fence posts in concrete, as shown in Figure 13-4.

Table 13- 1: Fence Design and Expected Outcomes

Figure 13- 4: Fence Installation In some cases, simple fencing is not enough. In such cases, you might have to recommend a top guard. See Figure 13-5. A top guard uses strands of barbed wire or barbed/razor tape, spaced six inches apart, to deter fence climbing. Extending outward at 45 degrees, it increases fence height by about one foot and threatens to make going over the top a painful affair.

Figure 13- 5: Top Guard (Olzak, 2010) Adding fences and barbed wire can make your site look harsher than your customers or management might like. It is common to hide fences with hedges or other types of landscaping. If this is one of your organization’s requirements, remember to avoid blocking camera or human security views of the fence line. Place berms, hedgerows, etc. outside the fence. In addition, any landscaping, natural barriers, or neighboring structures at or higher than the height of the fence should be at least 20 feet from the fence line. Finally, consider keeping grass and weeds cut around the perimeter. This helps eliminate potential intruder concealment opportunities.

Walls

In situations where security is strengthened by restricting the view from outside the perimeter, walls make a better barrier. Figure 13-6 shows a concrete wall. It is high enough to deter intruders, blocks the view of what is happening inside the perimeter, supports a top guard if necessary, and looks better than many fence solutions.

Figure 13- 6: Concrete Wall (Artisan Precast, 2011)

Structure perimeters

Once an intruder passes the site perimeter, the next barriers to movement toward her objective are the walls and roof of the target building. Walls form external (outside wall) and internal barriers.

External walls

In some cases, external walls might be part of the site perimeter, filling intentional gap in the fence line or wall. When this happens, one consideration is ensuring roof access via the structure’s perimeter wall is impossible or restricted. Another variable to assess is the composition of the building’s perimeter wall. Whether or not a structure is part of a perimeter and the sensitivity of what exists inside the structure affect the types of materials used for the structure’s exterior walls. Table 2 provides examples of various wall constructions and the amount of deterrence and delay each provides.

Table 13- 2: External Wall Penetration Times and Relative Effort to Breach (NFESC, 1993)

Interior walls

Interior walls provide additional barriers, assuming the target is not located in a room sharing an outside wall. For example, place data centers in the center of a structure with walls independent from external walls. Once an intruder makes it through an external door or wall, he will meet additional deterrence and delay… as your response team closes in. An important consideration for interior walls is whether they reach from floor to a solid ceiling. Walls that stop several inches from a plaster or other type of hard surface provide opportunity to enter a secure area by going over the wall. You might want to raise a ceiling tile or two to check around the perimeter of your data center. Finally, internal walls surrounding sensitive areas should resist an intruder trying to circumvent other controls by breaking through. Table 13-3 provides a look at common internal wall constructions. If all other controls have worked properly (some still to come below), your first responders should already be on the way. Consequently, not all organizations require steel reinforced walls standing guard around servers and storage.

Table 13- 3: Interior Wall Constructions (U.S. Army, 2010)

Barrier gaps

With all the fences and walls going up, employees have to gain ingress somewhere. This requires gates and doors in fences and walls. Additional potential points of entry include maintenance panels, windows, skylights, air circulation vents, etc. In summary, your physical security assessment must consider all points at which access is provided through an otherwise strong barrier. Controlling ingress and egress through perimeter and structural barriers requires one or more of the following:

  • Gates
  • Vehicle barriers
  • Access controls
  • Doors
  • Grates
  • Bars
  • Locks
  • Window design
Gates

Site perimeter gates are the first point of authorized ingress. Like any barrier gap, they present a weakness to intruders if not properly managed. Most organizations use one of two types of gate access control: automated and manual. Automated access does not require a security guard to open and close the gate. Instead, the organization issues an access card or PIN for employee use when arriving on site. An automated entry system works well for employee access but not for contractor or visitor access. Discretionary access requires a human presence, either at the gate or remotely managing gate access. Two types of gates are vehicle and pedestrian. Vehicle gates range from simple chain link to crash gates (see Figure 13-7). In some cases, a gate is impractical or requires support to provide stronger resistance. Vehicle controls, such as the retractable bollards shown in Figure 13-8, provide this support.

Figure 13- 7: Crash Gate (NEUSS, 2010)

Figure 13- 8: Retractable Bollards (Hercules, 2012)

Like vehicle gates, pedestrian gates are either automatic or manual and come in various styles and levels of resistance. Figure 13-9 shows a common pedestrian gate with electronic access control. Manual points of ingress for moderate to heavy pedestrian traffic often do without gates, with guards controlling access via employee ID or other means of identification. Human presence also provides a means of hindering the unauthorized removal of company property.

Figure 13- 9: Pedestrian/Maintenance Access Gate (Tonbridge, n.d.)

Vehicle and pedestrian control

Some sites are large and contain multiple structures. Controlling vehicle or pedestrian access to restricted areas within the site is the next layer of protection.

Vehicle constraints

Controlling vehicle movement requires strong physical devices, such as bollards and jersey barriers, to control traffic flow (see Figure 13-10). In addition to providing intra-site traffic control, bollards, large rocks, jersey barriers, or other similar anti-vehicle controls help prevent intruders from crashing a vehicle through a perimeter fence.

Doors

Pedestrian control is more complicated. Business operation usually requires employee and vendor access to restricted areas within structures. Deciding who does and does not enter these areas occurs at one or more doors. External doors The first door encountered is the primary exterior entry door. It should enter into a reception or guard desk area. Separate the entry area from any restricted area by doors or walls. Lock and closely control access via all exterior doors not opening into the public entry area.

Figure 13- 10: Intra-site Vehicle Barriers (Jersey Barriers, U.S. Army, 2010)

Internal doors Internal doors provide points of entry through additional barriers within structures. Each door “should be at least as difficult to break through as the surrounding walls” (Olzak, 2012). It makes no sense, for example, to construct steel reinforced walls around a restricted area only to finish off with an easily bypassed door. We look at various locking systems later in the second part. A vulnerability to door access control is piggybacking. This occurs when an authorized person unlocks a door and another person, authorized or not, takes the opportunity to enter without using a key code, smart card, key, etc. It is not hard to see examples of this; just watch employees coming to work in the morning. Our willingness to be courteous causes people to hold the door open for the person behind them. One common solution, in addition to policies and employee awareness, is a mantrap, as shown in Figure 13-11. Although the figure depicts a complicated—and very secure—mantrap configuration, the basic principle is enforceable at low cost. Only one person at a time is allowed to enter the mantrap. In some cases, a guard might watch through a window. In others, a scale might check to see if the contents of mantrap exceed the weight threshold set by security. In this example, cameras determine how many humans are in the mantrap. The approach you take is based on cost and the value of what you protect.

Figure 13- 11: Mantrap (Newton, 2012)

Access “doors” Maintenance access to wiring, plumbing, and environmental equipment requires hatches and other types of barrier gaps. During your assessment, make sure all access portals are secured with locks commensurate with the access provided. For example, a hatch leading to a site irrigation system for watering the grass might only need a basic padlock. However, a portal leading to a power panel likely requires better security. In addition to locking doors to restricted areas, ensure hinges are inside the protected area: away from public access. Most locking systems do not prevent someone from removing the hinge pins.

Windows

Employees like windows. It lets the sun in and allows them to check weather and escape from often tedious business tasks. However, windows can also be the best friend of an intruder. Windows close to the ground (less than 14 feet up the wall) or near a fire escape are the most vulnerable. If these barrier gaps provide access to restricted areas, consider one or more of the following:

  • Install windows too narrow for human access (96 square inches or smaller)
  • Grillwork or bars
  • Alarm the windows (alarms covered in a later section)

Skylights are another challenge. In addition to the recommended precautions above, restrict roof access. Often, it is not only the skylights up there you have to protect.

Ditches, culverts, and nature

Not all fences and walls run over smooth, flat terrain. Many encounter manmade and natural structures that create unintentional gaps, and Mother Nature can create her own intruder friendly conditions. One of the biggest challenges in this category is site drainage infrastructure: ditches and culverts. When a fence runs over a ditch, for example, it can leave a large opening for easy site access. Any gap exceeding 96 square inches, configured in a way that provides access (e.g., 10″ x 10″ as opposed to 2″ x 50″), requires attention (USGS, 2005). Figure 13-12 shows one way to close the gap under a fence line. Another method is to drive steel rods or posts into the ditch and ditch bank, securely attaching them to the fence.

Figure 13- 12: Ditch Barrier (Hercules, 2012)

In the background of Figure 13-12, another common gap in a perimeter appears: the culvert. Culverts run under roads, walkways, and natural barriers. If large enough, they provide an easy point of access to your site. Locked grates or installation of steel pipe inserts, as shown in Figure 13-13, are two methods to control access. Again, the 96 square inch rule applies. Finally, the utility companies often install manholes or other access points on a site. Make sure to secure these possible points of entry. This usually requires collaboration with the responsible utility.

Figure 13- 13: Blocked Culvert

Fence and wall vulnerabilities Natural events can reduce the effectiveness of a barrier. Further, each type of barrier has its own limitations. For example, an intruder can simply cut a hole in a fence. Conditions you might encounter include (U.S. Army, 2010, p. 4-2)

  • Snow or sand drifting against a barrier, making the barrier easy to cross, or it deep enough that an intruder may tunnel near the barrier and move undetected…
  • Vegetation such as bushes and trees providing cover and concealment for intruders. They can also provide means to breach or scale the barrier.
  • Rain softening the ground around barriers, allowing tunnels or trenches to be dug under barriers.
  • Inclement weather such as fog, heavy rain, or snow limiting the visibility of the barrier and providing intruders the opportunity to breach the barrier unseen…

It becomes obvious that barriers are simply one layer in a multi-layered physical security controls framework. In the next article we will talk about Access Control Systems, Visitor Control, Monitoring, Surveillance and Alarms.