Session 13:
Security System Design Concepts
Instructor Guide
SAND2017-13477R
Revision Date: 10/24/2017
Table of Contents
Security System Design Concepts
Defense-In-Depth
Security in Layers
Purpose of Security in Layers
Compartmentalized Areas
Criteria for Selecting Layers
Security Timelines
Detection Before Delay
Delay Time Exceeds Response Time
Two Competing Time Lines
Adversary Timeline
Security System Timeline
Robustness of Security
Robustness of Delay
Robustness of Detection
Robustness of Access Control
Balanced Security
Special Situations
Temporary Situations
Frequent Situations
Summary
Notes
Session Introduction
This session covers five security system design concepts.
Course Map
Objectives
Read the goal and objectives to the class.
What’s in it for them:
It’s important for regulators to be aware of these design concepts so that when they inspect or evaluate a site’s security system, they can ensure that these concepts have been applied.
Session 13: Security System Design Concepts
Session Goal
The goal of this session is to introduce five security system design concepts that will enable the development of an integrated security system and will increase the likelihood of effective security management.
As a regulator, it’s important to be aware of these design concepts so that when you inspect or evaluate a facility’s security system, you can ensure that these concepts have been applied.
Session Objectives
After this session, you will be able to:
List five security system design concepts
Describe how facilities should implement the five security system design concepts
Notes
Security System Design Concepts
If followed in the design, these concepts will lead to an integrated security system and will maximize the effectiveness of the system.
Each of these concepts will be described in this session.
Defense-In-Depth
Security System Design Concepts
Design concepts enable the development of an integrated security system and increase the likelihood of effective security management.
To integrate the system, facilities should apply:
Defense-in-Depth
Security in Layers
Security Timelines
Robustness of Security
Balanced Security
Special Situations
Defense-In-Depth
Defense-In-Depth is a general concept that is applied to both security and safety. Defense-In-Depth refers to the use of multiple security layers and measures that an adversary must defeat to access radioactive material.
In security, depth, which implies redundancy, is achieved by requiring the adversary, in any scenario, to
defeat multiple, successive security measures prior to being able to attempt theft or sabotage.
To make sure that this depth exists, the measures are developed in layers of security that encircle the
radioactive material. Depth implies multiple security layers.
You use complementary measures that use different technologies:
Human observation and electronic sensors to detect intrusion
Multiple, independent, and diverse barriers to delay the adversary
Layers of security facilitate defense-in-depth
Notes
Defense-In-Depth Example
Layer 1 – Physical Security – Perimeter - lighting, fences, guards & patrols, inspections & checks
Layer 2 – IT Security – logon and passwords, encryption, audit trails, Orders & Policies
Reminder that everything in ASNET is audited – mention the Classified Media Register as part of this
Layer 3 – Laws and Legislation – vetting personnel
Layer 4 – Physical Access control – ID cards, alarms, detection devices
Layer 5 – Categorisation and classification – locks, access control
Layer 6 – Physical measures – secure rooms, strongrooms, containers and vaults
So – security is achieved when …
Example: Defense-In-Depth
Layer 1 – Physical Security – Perimeter - lighting, fences, guards & patrols, inspections & checks
Layer 2 – IT Security – logon and passwords, encryption, audit trails, Orders & Policies
Layer 3 – Laws and Legislation – vetting personnel
Layer 4 – Physical Access control – ID cards, alarms, detection devices
Layer 5 – Categorisation and classification – locks, access control
Layer 6 – Physical measures – secure rooms, strongrooms, containers and vaults
Notes
Security in Layers
Purpose of Security in Layers
Ensure that the material receives the same degree of protection regardless of the path or scenario
By eliminating paths where security is weaker (gaps)
Compartmentalized Areas
Security in Layers
Following the idea of depth, security systems are developed in layers. A layer is a continuous boundary/barrier that completely surrounds the target.
Each layer will consist of detection measures including assessment, delay measures, and access control
measures to permit unencumbered access to authorized persons while maintaining the detection and
delay for unauthorized persons.
These layers are usually, but not always, defined along existing barriers that surround the radioactive
material.
Ideally, barriers on a layer are robust and continuous
Gaps in the barrier (windows, etc.) are minimized
Purpose of Security in Layers
Security is developed in layers so that the adversary cannot bypass security measures simply by walking around, digging under, or climbing over them.
The layer ensures that detection, delay and access control are present regardless of the path and scenario.
Compartmentalized Areas
By developing security in layers, we provide the foundation of a physical compartmentalization program, whereby a facility can define access rules in which only persons needing access can enter. This compartmentalization permits a facility to reduce insider risk by minimizing the population within an area to only those with an authorized need to be there.
Limit access to the material to only necessary personnel
Limit access to sensitive information to only those who have a need-to-know
Provides framework for deterring insiders by complicating insider scenarios
Physical Security is established in layers that surround the target
Layered security permits compartmentalization
Notes
Criteria for Selecting Layers
Note: we will discuss balance later.
Exercise: If possible, have this slide on a poster. Break the group into groups of 3-4. Have them discuss and choose two concentric layers for 5 minutes. Then have the groups come up and draw their layers on the poster.
If no poster, have groups describe their layers.
Criteria for Selecting Layers
The following criteria will help facilities establish layered security in existing facilities. For new facilities, security layers can be integrated into the building design phase.
Select layers following existing barriers that surround the target. Gaps in the layer should be
avoided if possible—open doorways, windows, 1/2 height walls, etc.
Avoid layers that include a pathway that people will need to pass through without needing to be in the area.
Select layers for which the boundary barrier is similar along the boundary of the layer.
Exercise: Establish Two Security Layers
Directions: In groups, examine the diagram below. Define two concentric layers and draw the layers on
the diagram.
Notes
Security Timelines
We will discuss these timelines in the next several slides
Detection Before Delay
Security Timelines
Security timelines provide insight into how the security functions (detection, delay, response) integrate, and how they can be assembled into an integrated system.
Specifically, we will examine how:
Detection precedes delay
Delay time exceeds response time
Detection Before Delay
Detection, consisting of people, sensors or other means, announces to response forces (police) that there is a problem. Detection alerts the responding force to begin to deploy.
Delay (barriers, people, tasks, and distances) slows the adversary to allow time for the response to
arrive.
[Did we cover this in a previous session?]
Delay cannot slow the adversary long enough if the response has not started to deploy; therefore, delay is only purposeful after the response has been notified/alerted (that is, after detection).
Detection precedes Delay
Notes
Exercise
This exercise highlights two of the more common violations of detection before delay: doors and windows.
Door
1. Door switch alarms when the door switch separates from the door jamb contact (i.e., when the door opens).
2. Door lock offers delay. It takes time to defeat the lock (saw, …); once the door lock is defeated, the door is opened.
3. In this sense, the door is defeated, then opened, and then the alarm is initiated.
Window
1. Grating delays entry through the window. Grating is on the exterior of the window. Grating is defeated before the window is accessed.
2. Window is breached.
3. Sensor alarms when the window is broken.
How could these be redesigned to result in detection before delay?
Exercise: Detection Before Delay Violations
Directions: In groups, examine the diagram then answer the questions below.
1. What will happen when an adversary approaches the outside of the door with intent to breach (with a door saw)?
a. When does the sensor alarm?
b. When does delay occur?
2. What will happen when an adversary approaches the window with intent to breach (with a cutting torch)?
a. When does the sensor alarm?
b. When does delay occur?
3. Does Detection precede delay?
4. How could these be redesigned to result in detection before delay?
Current System:
Locked door with door switch
Window with grating installed and
glass break sensor on window
Notes
Exercise Solution
Exercise Solution
Door
Install dummy door with alarm outside of hardened door, or
Install motion sensor on outside of hardened door (possibly introduces nuisance alarms)
Window
Move grates inside of window, or
Install motion sensor across grates on outside (possible nuisance alarm issues).
Notes
Delay Time Exceeds Response Time
Two Competing Time Lines
Delay Time Exceeds Response Time
Delay time is the time after first detection until the malicious act is complete. Delay should slow the progression of the malicious act long enough to permit effective response.
Response time includes time to communicate the alarm, to assess the alarm, to contact the response
force, for the response force to prepare, transit to the location of the alarm, tactically deploy and
interrupt the adversary.
Therefore, delay time after detection must exceed the expected time for:
Assessment of alarm, and
Response forces to be alerted, prepare, transport and deploy
Two Competing Time Lines
The security time line and the adversary time line are competing for any adversary scenario.
Adversary Timeline
Enter facility
Penetrate or bypass barriers
Reach target
Security System Timeline
Detection Time: sensor activates, initiate signal, assess alarm
Delay: slow adversary after detection by requiring him to penetrate or bypass multiple physical barriers
Response Force Time: communicate to response force, deploy response force, travel to facility, interrupt adversary
Overlay the Adversary Timeline and Security System Timeline to determine timeliness of response.
Delay Time > Assessment Time + Response Time
Notes
Adversary and Security System Timelines
It is important to take time to carefully describe this diagram.
Adversary and Security System Timelines
The following diagram represents the progression in time of both the adversary from offsite to the
target (adversary task time), and in progression of the security system, starting with the first detection,
and ending with response force interruption of the adversary (overall security system time).
Adversary and Security System Timelines diagram:
The x axis represents time progression.
The detection time box represents the time from initial alarm, through communication and
display of alarm, to alarm assessment.
The response force time box represents the progression of the response force from initial notification of the assessed alarm, through preparations, transit to the facility, tactical deployment, and interruption of the adversary.
The time remaining after interruption represents the time still required by the adversary to complete his theft or sabotage. This time can be used to address uncertainty in delay time and in detection and response times.
Although the adversary expends time early in the scenario, since the response force has not been
alerted, and therefore is not on its way, there is no particular hurry for response. This time before first
detection is not considered delay for this reason.
Notes
Example: Late Detection
Walk through this example to show how it modifies the diagram on the previous page.
Late Detection
Mitigation for Late Detection
Example: Late Detection
Is timely detection possible for the following attack scenario?
Scenario:
The position sensor on an exterior emergency exit door fails to activate when an intrusion occurs (i.e.,
the sensor does not work).
A second sensor (another position sensor on an interior door) is activated at a point on the diagram
which is 2/3 of the way into the first detection, had the first sensor been working.
Detection time for the second alarm is the same as the first alarm.
Initial detection is delayed, so the security time line boxes slide to the right.
This problem can be mitigated by:
Adding more delay near the target (after the 3rd detection) such as: cages, safe, tie downs, etc.
Improve the quality of the early sensors (so they don’t fail to detect)
Add more sensors early (to increase the likelihood that one will detect)
Notes
Exercise Introduction
We will do two exercises on timelines within the class. To do so, divide into teams in the room (maybe just pairs of people). Give them 5 minutes or less to complete. The goal is discussion/thinking.
Exercise Scenario 1
Allow students to develop ideas.
The diagram should be provided either as a handout or as a poster.
Exercise Diagram
Exercise: Scenario 1
Directions:
1. In groups, read the following scenario.
Scenario: The locks on the door are substantial; however, when patients are present, the door is
unlocked. An adversary penetrates the area when the door is unlocked to steal the source.
2. Determine whether timely detection/response is possible for the attack scenario.
3. Redraw the security boxes/task time on the diagram below.
Notes
Exercise Scenario 1 Answer
Mitigation for Insufficient Delay
Scenario 1 Answer: Insufficient Delay
The adversary task time is shorter—perhaps too short for security system time.
Mitigation for Insufficient Delay
• Increase delay
– Add compensating delay when doors unlocked
– Add a barrier near the target
• Reduce response time
– Hire onsite response
– Develop an agreement with police to have a unit always nearby
Notes
Exercise Scenario 2
Is this scenario unrealistic? Not at all. The response times have a significant uncertainty due to traffic and other events in progress.
Describe how increased response time impacts this.
Exercise Diagram
Exercise: Scenario 2
Directions:
1. In groups, read the following scenario.
Scenario: The response force cannot respond in their normal (average) time (e.g., they are
responding to a higher competing priority elsewhere in the hospital). It takes the response force
twice as long as their normal time to respond.
2. Determine whether timely detection/response is possible for the attack scenario.
3. Redraw the security boxes/task time on the diagram below.
Notes
Exercise Scenario 2 Answer
Expand the response timeline box
Mitigation for Insufficient Delay
Scenario 2 Answer: Slow Response
The adversary task time is shorter—perhaps too short for security system time.
Mitigation for Slow Response
• Reduce response time
– Hire onsite response
– Develop an agreement with police to have a unit always nearby
• Increase delay
– Add a barrier near the target
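The timeline overlay from this section, worked through for the scenarios above (late detection, unlocked door, slow response) and for a sensor moved ahead of the barrier. This is an added example, not part of the original guide; it uses a simple deterministic sum of task times, and the step names, all times, and the names Step, Result, analyse and change are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    """One adversary task on the path, listed in order from entry to target."""
    name: str
    task_s: float                 # seconds the adversary needs (constructed)
    sensor: Optional[str] = None  # "before": alarms before the task starts;
                                  # "after": alarms only once the task is done
    sensor_works: bool = True

    def __post_init__(self):
        if self.sensor not in (None, "before", "after"):
            raise ValueError(f"unknown sensor position: {self.sensor!r}")


@dataclass(frozen=True)
class Result:
    detected_at: Optional[str]    # step that raised the first alarm, if any
    not_counted: Tuple[str, ...]  # tasks completed before the first alarm
    delay_s: float                # adversary task time left after that alarm
    system_s: float               # assessment time + response force time
    margin_s: float               # delay_s - system_s
    timely: bool                  # Delay Time > Assessment Time + Response Time


def analyse(path: List[Step], assess_s: float, response_s: float) -> Result:
    """Overlay the adversary timeline on the security system timeline."""
    system_s = assess_s + response_s
    not_counted: List[str] = []
    for i, step in enumerate(path):
        if step.sensor is not None and step.sensor_works:
            if step.sensor == "before":
                remaining = path[i:]           # this barrier is still ahead
            else:
                not_counted.append(step.name)  # barrier defeated, then alarm
                remaining = path[i + 1:]
            delay_s = sum(s.task_s for s in remaining)
            return Result(step.name, tuple(not_counted), delay_s, system_s,
                          delay_s - system_s, delay_s > system_s)
        not_counted.append(step.name)
    # No working sensor anywhere: the response force is never alerted.
    return Result(None, tuple(not_counted), 0, system_s, -system_s, False)


def change(path: List[Step], name: str, **fields) -> List[Step]:
    """Copy of the path with the named step's fields replaced."""
    return [replace(s, **fields) if s.name == name else s for s in path]


# Constructed path and times, loosely following the door examples on the page.
BASE = [
    Step("exterior exit door", 60, sensor="after"),  # switch alarms on opening
    Step("corridor", 20),
    Step("interior door", 90, sensor="after"),
    Step("remove source from device", 120),
]
ASSESS_S, RESPONSE_S = 30, 180


def scenarios() -> Dict[str, Result]:
    late = change(BASE, "exterior exit door", sensor_works=False)
    hardened = late[:-1] + [Step("safe and tie-downs", 120)] + late[-1:]
    unlocked = change(BASE, "interior door", task_s=0)
    early = change(BASE, "exterior exit door", sensor="before")
    return {
        "baseline": analyse(BASE, ASSESS_S, RESPONSE_S),
        "late detection": analyse(late, ASSESS_S, RESPONSE_S),
        "late detection, delay added at target":
            analyse(hardened, ASSESS_S, RESPONSE_S),
        "interior door unlocked": analyse(unlocked, ASSESS_S, RESPONSE_S),
        "response takes twice as long": analyse(BASE, ASSESS_S, 2 * RESPONSE_S),
        "sensor ahead of exterior door": analyse(early, ASSESS_S, RESPONSE_S),
    }


if __name__ == "__main__":
    for label, r in scenarios().items():
        verdict = "timely" if r.timely else "TOO LATE"
        print(f"{label:40s} delay={r.delay_s:>4}s system={r.system_s:>4}s "
              f"margin={r.margin_s:>+5}s {verdict}; "
              f"before first alarm: {', '.join(r.not_counted) or 'none'}")
```

The margin column corresponds to the "time remaining after interruption" in the timeline diagram: a small positive margin leaves little room for uncertainty in delay, detection or response times.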
Notes
Robustness of Security
Each security level describes security measures in NSS 11; however, the degree of the robustness of the measure is not detailed. It depends on several issues, mostly the threat.
Robustness of Delay
The following notes apply:
All barriers can be defeated, but often different barriers are vulnerable to different defeat methods
o Select barriers that avoid the defeat capabilities of the threat, to minimize the chance that a barrier is easily defeated
The table helps the user select barriers that are balanced across a layer and that are appropriate to the situation.
The categories (higher, medium, lower) are general and apply across most adversary tool sets.
Robustness of Security
The levels of security define measures; however, the relative robustness of the measures can vary.
For more capable threats, more robust measures are needed.
If threat has power tools, barriers can be far more quickly defeated than if using hand tools.
If threat has technical sophistication, electronic systems may be vulnerable to defeat.
The following tables provide insight into the comparative robustness.
Robustness of Delay
The following table provides a grading of barriers.
Higher Delay Medium Delay Lower Delay
Reinforced Concrete Sheet Metal Plasterboard
Filled Block with rebar Plywood Composite Sheet
Surfaces Steel plate (>1/4” thick)
Hollow brick (1-2 layers)
Chain link fencing
>3 layers of brick Welded wire fence
1 inch diameter thick grating/expanded metal/welded rebar surface
Ballistic Resistant/ Forced Entry rated glass
Laminated Glasses Standard Glass
Windows Exterior & Interior Heavy Metal Grating Over Windows
Tempered Glass Wired Glass
Film coated glass
GSA Class IV & V Vault Solid wooden doors with hinge pins and quality locks
Hollow wooden doors
Doors UL 608 Vault Doors or other burglary rated doors
Hollow steel doors with steel frames with hinge pins and quality locks
Any doors with standard windows that after breakage allow quick reach in to unlock from inside
Locks Shrouded “Hockey Puck” Locks
Multiple Deadbolt Single Deadbolt
Shrouded Padlocks Cipher Lock
Notes
Robustness of Detection
The following notes apply:
Dual Tec with OR’d output will alarm when either sensor is in alarm. There is high probability of detection but there will be very high incidence of nuisance alarms
Dual Tec with AND’d outputs will have lower detection, but very low nuisance alarm rate. Often this is the preferred configuration
Guards may not be completely sure what a malicious act is vs maintenance and operations
The table is offered to assist in assigning and evaluating the balance across a layer and appropriateness of each component to a particular requirement
Robustness of Detection
The following table provides a grading of detection measures.
Category of Detection
Type of Detection Higher Detection Medium Detection
Lower Detection
Door -Balanced Magnetic switch (BMS)
-Frame-mounted (Covert) Magnetic switch
-Plunger Contact switch-Magnetic Switch
Electronic Detection
Volume/room -Dual Tec (OR’d outputs)-Video Motion
-Passive Infrared-Microwave-Dual Tec (AND’d outputs)
-Audible sensor
Wall/window -Fiber optic mesh -Glass break-audible-Vibration
Target -Fiber optic cable-BMS
-Vibration -Volumetric
People
Adversary within a room
-By staff using Panic alarm (if covert)
-By staff
Conducting malicious act
-By staff using Panic alarm (if not incapacitated)
-By guard -By staff
Video Surveillance
-Penetrating area -Fresh guard-<5 video monitors
-Long shift->5 monitors
Conducting malicious act in
area
-By Escort if can report-By Guard if can report
-By staff if they can report
Notes
Robustness of Access Controls
The following notes apply:
Dedicated and trained guard. Inner badges controlled
A combination lock that everyone/large group shares is below a low accuracy biometric.
The table is offered to assist in assigning and evaluating the balance across a layer and appropriateness of each component to a particular requirement
Robustness Tables Note
Balanced Security
Balanced Security Video
Robustness of Access Control
The following table provides a grading of access control measures.
Higher Control Medium Control Lower Control
Picture Badge Exchange 2 factor control (without biometric)
One factor (key, or badge)
2 factor with Biometric (verification)
Lower accuracy Biometric (one factor)
One factor PIN only if not shared by a group
High Accuracy biometric (identification) one factor
Two Person Access (one factor ea.)
NOTE: The tables are not official, but are examples of what might be useful in regulation. The tables
should be validated by the regulatory body.
The data in the tables has some validity, but was not developed with consideration of threat. The tables assume proper installation and maintenance of the measures.
Balanced Security
Balanced protection describes the uniform application of security measures to ensure that detection, delay, and access control are the same for any path traversing the layer.
It does not mean that delay measures are balanced with detection, etc.
[Include a description/example of what this means]
[Reference Rene’s video]
Notes
Balanced Security Exercise
Split into groups of 4-5. Give them 10 minutes. Refer to earlier layer exercise for descriptions of the rooms.
There are two layers of barriers here. Can you identify the layers? One is around the vault room, other covers the hallways, mechanical room, vault, and blood transfer room (at least).
Delay before detect: main entry door (BMS on hardened door)
Detect without assess: main entry door, blood transfer room, mechanical room, within vault room
Imbalance in delay: outer layer window in blood room, back door to refrigeration, pathway through blood drawing room, front walls and door of vault room
Imbalance in detection: every surface on outer layer but the blood transfer room and mechanical room, back entry door, the front walls of vault room
Imbalance in access: outer layer two doors (badge reader to mag lock vs electric strike with simple code)
What are the problems with balance? (use the robustness tables)
Exercise: Balanced Security
Directions:
1. In groups, develop balance for the facility illustrated below.
2. Answer the following questions:
a. How many security layers are there?
b. What are the boundaries?
c. What issues with balance can you identify? (Use the robustness tables)
Notes
Special Situations
Must highlight that there is no security when PPS is disarmed.
This must be compensated for!
Special Situations
Physical Protection Systems are not active and armed 7 days a week, 24 hours a day. Often, they are disarmed:
In radiotherapy when people, such as patients, medical staff, maintenance and re-sourcing
personnel, are present
In radiography and well logging when the source is in transit or being used
In repository/storage when people are present for inventory or introduction of new material
Security measures to put in place when alarms/video are disarmed and/or doors are unlocked:
Detection: duress buttons and observation by staff
Delay: ability to lock outer/inner doors upon alarm to restrict egress
Access Control: manually monitored by staff including identification of authorized visitors
Alarm Communication: security phone numbers posted on wall, possible duress to siren?
Temporary Situations
For temporary situations, such as maintenance and re-sourcing, measures would consist of posting a guard with a radio and duress alarm.
Detection: full time escort—with knowledge of what activities are authorized for
maintenance/re-sourcing personnel
Access Control: Verification and escorting of temporary staff
Alarm Communication: good communication options
Testing should also occur after the temporary activity to ensure that security components are properly
functioning again.
Frequent Situations
For situations that occur often, such as daily operations where patients are in and out and alarms and locks are disabled:
Install duress alarms
Install surveillance cameras (when not violating privacy)
Provide additional barriers/access controls at/within the device
Provide detection via radiation alarms
Post guards
Escorts should be aware of what the personnel being escorted are allowed to do, and what they are not allowed to do, in order to detect malicious activity.
Notes
Exercise: Compensatory Measures for Blood Irradiator
Break participants into several groups of 3-5 persons in the lecture room. Have them work together for 10 minutes.
For temporary situations, such as maintenance and re-sourcing, measures would consist of posting a guard with a radio and duress alarm.
Review the answers by asking each group to offer some component (by walking up and sticking to the poster)
For situations that occur often, such as daily operations where patients are in and out and alarms and locks are disabled:
Install duress alarms
Install surveillance cameras (when not violating privacy)
Provide additional barriers/access controls at/within the device
Provide detection via radiation alarms
Post guards
For evacuation, need to apply measures to protect device from fire, and detect any approach/breaching of source device
Exercise: Compensatory Measures for Blood Irradiator
Directions: In groups, complete the table with suggested security compensatory measures.
Possible Solution 1 Possible Solution 2 Possible Solution 3
Working Hours / device usage
Maintenance / re-sourcing
Abnormal Situation: Fire Evacuation
Notes
Summary
Ask the summary points as questions.
Answers:
1. Why are design concepts important?
Design concepts enable the development of an integrated security system and increase the likelihood of effective security management.
2. What does Defense-in-Depth involve?
Defense-In-Depth involves the use of multiple security layers and measures.
3. What does Security in Layers involve?
Security in Layers involves a continuous boundary/barrier that completely surrounds the target.
4. What are two concepts to remember for Security Timelines?
Detection should precede delay and delay time should exceed response time.
5. What does Robustness of Security involve?
Robustness of Security involves grading of delay barriers, detection measures, and access control measures based on the level needed.
6. How is Balanced Security achieved?
Balanced Security is achieved through the uniform application of security to ensure detection, delay, and access control are the same for any path traversing the layer.
Summary
Design concepts enable the development of an integrated security system and increase the likelihood of effective security management.
Defense-In-Depth – Use of multiple security layers and measures
Security in Layers – A continuous boundary/barrier that completely surrounds the target
Security Timelines – Detection should precede delay and delay time should exceed response
time
Robustness of Security – Involves grading of delay barriers, detection measures, and access
control measures based on the level needed
Balanced Security – The uniform application of security to ensure detection, delay, and access
control are the same for any path traversing the layer