security system design concepts instructor guide · 2017. 10. 24. · security system design...

Session 13:

Security System Design Concepts

Instructor Guide

SAND2017-13477R


of 47

Revision Date: 10/24/2017


of 47

Table of ContentsSecurity System Design Concepts ........................................................................................................... 7

Defense-In-Depth ................................................................................................................................... 7

Security in Layers.................................................................................................................................. 11

Purpose of Security in Layers ............................................................................................................. 11

Compartmentalized Areas ................................................................................................................. 11

Criteria for Selecting Layers ............................................................................................................... 13

Security Timelines................................................................................................................................. 15

Detection Before Delay...................................................................................................................... 15

Delay Time Exceeds Response Time................................................................................................... 21

Two Competing Time Lines................................................................................................................ 21

Adversary Timeline ........................................................................................................................ 21

Security System Timeline ............................................................................................................... 21

Robustness of Security.......................................................................................................................... 35

Robustness of Delay .......................................................................................................................... 35

Robustness of Detection.................................................................................................................... 37

Robustness of Access Control ............................................................................................................ 39

Balanced Security ................................................................................................................................. 39

Special Situations.................................................................................................................................. 43

Temporary Situations ........................................................................................................................ 43

Frequent Situations ........................................................................................................................... 43

Summary .............................................................................................................................................. 47


Notes

of 47

Session IntroductionThis session covers five security system design concepts.

Course Map

ObjectivesRead the goal and objectives to the class.

What’s in it for them:It’s important for regulators to be aware of these design concepts so that when they inspect or evaluate a site’s security system, they can ensure that these concepts have been applied.


of 47

Session 13: Security System Design Concepts

Session Goal

The goal of this session is to introduce five security system design concepts that will enable the development of an integrated security system and will increase the likelihood of effective security management.

As a regulator, it’s important to be aware of these design concepts so that when you inspect or evaluate a facility’s security system, you can ensure that these concepts have been applied.

Session Objectives

After this session, you will be able to:

List five security system design concepts

Describe how facilities should implement the five security system design concepts


Notes

of 47

Security System Design ConceptsIf followed in the design, these concepts will lead to an integrated security system and will maximize the effectiveness of the system.

Each of these concepts will be described in this session.

Defense-In-Depth


of 47

Security System Design ConceptsDesign concepts enable the development of an integrated security system and increase the likelihood of

effective security management.

To integrate the system, facilities should apply:

Defense-in-Depth

Security in Layers

Security Timelines

Robustness of Security

Balanced Security

Special Situations

Defense-In-DepthDefense in Depth is a general concept that is applied to both security and safety. Defense-In-Depth

refers to the use of multiple security layers and measures that an adversary must defeat to access

radioactive material.

In security, depth, which implies redundancy, is achieved by requiring the adversary, in any scenario, to

defeat multiple, successive security measures prior to being able to attempt theft or sabotage.

To make sure that this depth exists, the measures are developed in layers of security that encircle the

radioactive material. Depth implies multiple security layers.

You use complementary measures that use different technologies:

Human observation and electronic sensors to detect intrusion

Multiple, independent, and diverse barriers to delay the adversary

Layers of security facilitate defense-in-depth


Notes

of 47

Defense-In-Depth Example

Layer 1 – Physical Security – Perimeter - lighting, fences, guards & patrols, inspections & checks

Layer 2 – IT Security – logon and passwords, encryption, audit trails, Orders & Policies

Reminder that everything in ASNET is audited – mention the Classified Media Register as part of this

Layer 3 – Laws and Legislation – vetting personnel

Level 4 – Physical Access control – ID cards, alarms, detection devices

Layer 5 – Categorisation and classification -- locks, access control

Layer 6 – Physical measures -- secure rooms, strongrooms, containers and vaults and vaults

So – security is achieved when …


of 47

Example: Defense-In-Depth

Layer 1 – Physical Security – Perimeter - lighting, fences, guards & patrols, inspections & checks

Layer 2 – IT Security – logon and passwords, encryption, audit trails, Orders & Policies

Layer 3 – Laws and Legislation – vetting personnel

Level 4 – Physical Access control – ID cards, alarms, detection devices

Layer 5 – Categorisation and classification – locks, access control

Layer 6 – Physical measures -- secure rooms, strongrooms, containers and vaults and vaults


Notes

of 47

Security in Layers

Purpose of Security in LayersEnsure that the material receives the same degree of protection regardless of the path or scenario

By eliminating paths where security is weaker (gaps)

Compartmentalized Areas


of 47

Security in LayersFollowing the idea of depth, security systems are developed in layers. A layer is a continuous

boundary/barrier that completely surrounds the target.

Each layer will consist of detection measures including assessment, delay measures, and access control

measures to permit unencumbered access to authorized persons while maintaining the detection and

delay for unauthorized persons.

These layers are usually, but not always, defined along existing barriers that surround the radioactive

material.

Ideally, barriers on layer are robust and continuous

Gaps in barrier (windows, etc.) are minimized

Purpose of Security in LayersSecurity is developed in layers so that the adversary cannot bypass security measures simply by walking around, digging under, or climbing over them.

The layer ensures that detection, delay and access control are present regardless of the path and

scenario.

Compartmentalized AreasBy developing security in layers, we provide the foundation of a physical compartmentalization program, whereby a facility can define access rules in which only persons needing access can enter. This compartmentalization permits a facility to reduce insider risk by minimizing the population within an area to only those with authorized need to be there.

Limit access to the material to only to necessary personnel

Limit access to sensitive information to only those who have a need-to-know

Provides framework for deterring insiders by complicating insider scenarios

Physical Security is established in layers that surround the target

Layered security permits compartmentalization


Notes

of 47

Criteria for Selecting Layers

Note: we will discuss balance later.

Exercise:If possible, have this slide on a poster. Break group into groups of 3-4. Have them discuss and choose two concentric layers for 5 minutes. Then have groups come up and draw their layers on poster.

If no poster, have groups describe their layers.


of 47

Criteria for Selecting LayersThis following criteria will help facilities establish layered security in existing facilities. For new facilities,

security layers can be integrated into the building design phase.

Select layers following existing barriers that surround the target. Gaps in the layer should be

avoided if possible—open doorways, windows, 1/2 height walls, etc.

Avoid layers that include a pathway through which people will need to use to pass through,

without needing to be in the area.

Select layers for which the boundary barrier is similar along the boundary of the layer.

Exercise: Establish Two Security Layers

Directions: In groups, examine the diagram below. Define two concentric layers and draw the layers on

the diagram.


Notes

of 47

Security Timelines

We will discuss these timelines in the next several slides

Detection Before Delay


of 47

Security TimelinesSecurity timelines provide insight into how the security functions (detection, delay, response) integrate,

and how they can be assembled into an integrated system.

Specifically, we will examine how:

Detection precedes delay

Delay time exceeds response time

Detection Before DelayDetection, consisting of people, sensors or other means, announces to response forces (police) that

there is a problem. Detection alerts the responding force to begin to deploy.

Delay (barriers, people, tasks, and distances) slows the adversary to allow time for the response to

arrive.

[Did we cover this in a previous session?]

Delay can’t succeed in slowing adversary long enough, if response hasn’t started to deploy, therefore

delay is only purposeful after response has been notified/alerted (detected).

Detection precedes Delay


Notes

of 47

ExerciseThis exercise is highlighting two of the more common violations of detection before delay—doors and windows

Door1. Door switch alarms when door switch separates from door

jam contact (i.e. when door opens).2. Door lock offers delay. It takes time to defeat lock (saw, …)

once door lock is defeated, door is opened.3. In this sense, door is defeated, then opened, and then alarm

is initiated.

Window1. Grating delays entry through window. Grating is on exterior

of window. Grating is defeated before window is accessed.2. Window is breached.3. Sensor alarms when window broken.

How could these be redesigned to result in detection before delay?


of 47

Exercise: Detection Before Delay Violations

Directions: In groups, examine the diagram then answer the questions below.

1. What will happen when an adversary approaches to the outside of the door with intent to breach

(with a door saw)?

a. When do sensor alarm?

b. When does delay occur?

2. What will happen when adversary approaches window with intent to breach (with a cutting torch)?

a. When do sensor alarm?

b. When does delay occur?

3. Does Detection precede delay?

4. How could these be redesigned to result in detection before delay?

Current System:

Locked door with door switch

Window with grating installed and

glass break sensor on window


Notes

of 47

Exercise Solution


of 47

Exercise Solution

Door

Install dummy door with alarm outside or hardened door, or

Install motion sensor on outside of hardened door (possibly introduces nuisance alarms)

Window

Move grates inside of window, or

Install motion sensor across grates on outside (possible nuisance alarm issues).


Notes

of 47

Delay Time Exceeds Response Time

Two Competing Time Lines


of 47

Delay Time Exceeds Response TimeDelay time is the time after first detection until the malicious act is complete. Delay should slow the

progression of the malicious act long enough to permit effective response.

Response time includes time to communicate the alarm, to assess the alarm, to contact the response

force, for the response force to prepare, transit to the location of the alarm, tactically deploy and

interrupt the adversary.

Therefore, delay time after detection must exceed the expected time for:

Assessment of alarm, and

Response forces to be alerted, prepare, transport and deploy

Two Competing Time LinesThe security time line and the adversary time line are competing for any adversary scenario.

Adversary Timeline Enter facility

Penetrate or bypass barriers

Reach target

Security System Timeline Detection Time: sensor activates, initiate signal, assess alarm

Delay: slow adversary after detection by requiring him to penetrate or bypass multiple physical

barriers

Response Force Time: communicate to response force, deploy response force, travel to facility,

interrupt adversary

Overlay the Adversary Timeline and Security System Timeline to determine timeliness of response.

Delay Time > Assessment Time + Response Time


Notes

of 47

Adversary and Security System TimelinesIt is important to take time to carefully describe this diagram.


of 47

Adversary and Security System Timelines

The following diagram represents the progression in time of both the adversary from offsite to the

target (adversary task time), and in progression of the security system, starting with the first detection,

and ending with response force interruption of the adversary (overall security system time).

Adversary and Security System Timelines diagram:

The x axis represents time progression.

The detection time box represents the time from initial alarm, through communication and

display of alarm, to alarm assessment.

The response force time box, which represents the progression of response force from initial

notification of assessed alarm, through preparations, transit to the facility, tactical deployment,

and interruption of adversary.

The time remaining after interruption represents the time still required by the adversary to

complete his theft or sabotage. This time can used to address uncertainty in delay time and

detection and response times.

Although the adversary expends time early in the scenario, since the response force has not been

alerted, and therefore is not on its way, there is no particular hurry for response. This time before first

detection is not considered delay for this reason.


Notes

of 47

Example: Late Detection

Walk through this example to show how it modifies the diagram on the previous page.

Late Detection

Mitigation for Late Detection


of 47

Example: Late Detection

Is a timely detection is possible for following attack scenario?

Scenario:

The position sensor on an exterior emergency exit door fails to activate when an intrusion occurs (i.e.,

the sensor does not work).

A second sensor (another position sensor on an interior door) is activated at a point on the diagram

which is 2/3 of the way into the first detection, had the first sensor been working.

Detection time for the second alarm is the same as the first alarm.

Initial detection is delayed, so the security time line boxes slide to the right.

This problem can be mitigated by:

Adding more delay near the target (after the 3rd detection) such as: sages, safe, tie downs, etc.

Improve the quality of the early sensors (so they don’t fail to detect)

Add more sensors early (to increase the likelihood that one will detect)


Notes

of 47

Exercise Introduction

We will do two exercises on timelines within the class. To do so divide into teams in the room (maybe just pairs of people.) Give them 5 minutes or less to complete.Goal is discussion/thinking

Exercise Scenario 1

Allow student to develop ideas.

The diagram should be provide either as handout, or as a poster.

Exercise Diagram


of 47

Exercise: Scenario 1

Directions:

1. In groups, read the following scenario.

Scenario: The locks on the door are substantial; however, when patients are present, the door is

unlocked. An adversary penetrates the area when the door is unlocked to steal the source.

2. Determine whether timely detection/response is possible for the attack scenario.

3. Redraw the security boxes/task time on the diagram below.


Notes

of 47

Exercise Scenario 1 Answer

Mitigation for Insufficient Delay


of 47

Scenario 1 Answer: Insufficient Delay

The adversary task time is shorter—perhaps too short for security system time.


• Increase delay

– Add compensating delay when doors unlocked

– Add a barrier near the target

• Reduce response time

– Hire onsite response

– Develop an agreement with police to have a unit always nearby


Notes

of 47

Exercise Scenario 2

Is this scenario unrealistic? Not at all. The response times have a significant uncertainty due to traffic and other events in progress.

Describe how increased response time impacts this.

Exercise Diagram


of 47

Exercise: Scenario 2

Directions:

1. In groups, read the following scenario.

Scenario: The response force cannot respond in their normal (average) time (e.g., they are

responding to a higher competing priority elsewhere in the hospital). It takes the response force

twice as long as their normal time to respond.

2. Determine whether timely detection/response is possible for attack scenario.

3. Redraw the security boxes/task time on the diagram below.


Notes

of 47

Exercise Scenario 2 Answer

Expand the response timeline box



of 47

Scenario 2 Answer: Slow Response

The adversary task time is shorter—perhaps too short for security system time.

Mitigation for Slow Response

• Reduce response time

– Hire onsite response

– Develop an agreement with police to have a unit always nearby

• Increase delay

– Add a barrier near the target


Notes

of 47

Robustness of Security

Each security level describes security measures in NSS 11; however, the degree of the robustness of the measure is not detailed. It depends on several issues, mostly the threat.

Robustness of DelayThe following notes apply:

All barriers can be defeated, but often different barriers are vulnerable to different defeat methods

o Select barrier to avoid defeat capabilities of threat to minimize chance that barrier is easily defeated

Table provides user to select barriers that are balanced across a layer, and to select barriers that are appropriate to the situation.

The categories (higher, medium, lower) are general and apply across most adversary tool sets.


of 47

Robustness of SecurityThe levels of security define measures; however, the relative robustness of the measures can vary.

For more capable threats, more robust measures are needed.

If threat has power tools, barriers can be far more quickly defeated than if using hand tools.

If threat has technical sophistication, electronic systems may be vulnerable to defeat.

The following tables provide insight into the comparative robustness

Robustness of DelayThe following table provides a grading of barriers.

Higher Delay Medium Delay Lower Delay

Reinforced Concrete Sheet Metal Plasterboard

Filled Block with rebar Plywood Composite Sheet

Surfaces Steel plate (>1/4” thick)

Hollow brick (1-2 layers)

Chain link fencing

>3 layers of brick Welded wire fence

1 inch diameter thick grating/expanded metal/welded rebar surface

Ballistic Resistant/ Forced Entry rated glass

Laminated Glasses Standard Glass

Windows Exterior & Interior Heavy Metal Grating Over Windows

Tempered Glass Wired Glass

Film coated glass

GSA Class IV & V Vault Solid wooden doors with hinge pins and quality locks

Hollow wooden doors

Doors UL 608 Vault Doors or other burglary rated doors

Hollow steel doors with steel frames with hinge pins and quality locks

Any doors with standard windows that after breakage allow quick reach in to unlock from inside

Locks Shrouded “Hockey Puck” Locks

Multiple Deadbolt Single Deadbolt

Shrouded Padlocks Cipher Lock


Notes

of 47

Robustness of DetectionThe following notes apply:

Dual Tec with OR’d output will alarm when either sensor is in alarm. There is high probability of detection but there will be very high incidence of nuisance alarms

Dual Tec with AND’d outputs will have lower detection, but very low nuisance alarm rate. Often this is the preferred configuration

Guards may not be completely sure what a malicious act is vs maintenance and operations

The table is offered to assist in assigning and evaluating the balance across a layer and appropriateness of each component to a particular requirement


of 47

Robustness of DetectionThe following table provides a grading of detection measures.

Category of Detection

Type of Detection Higher Detection Medium Detection

Lower Detection

Door -Balanced Magnetic switch (BMS)

-Frame-mounted (Covert) Magnetic switch

-Plunger Contact switch-Magnetic Switch

Electronic Detection

Volume/room -Dual Tec (OR’d outputs)-Video Motion

-Passive Infrared-Microwave-Dual Tec (AND’d outputs)

-Audible sensor

Wall/window -Fiber optic mesh -Glass break-audible-Vibration

Target -Fiber optic cable-BMS

-Vibration -Volumetric

People

Adversary within a room

-By staff using Panic alarm (if covert)

-By staff

Conducting malicious act

-By staff using Panic alarm (if not incapacitated)

-By guard -By staff

Video Surveillance

-Penetrating area -Fresh guard-<5 video monitors

-Long shift->5 monitors

Conducting malicious act in

area

-By Escort if can report-By Guard if can report

-By staff if they can report


Notes

of 47

Robustness of Access ControlsThe following notes apply:

Dedicated and trained guard. Inner badges controlled

A combination lock that everyone/large group shares is below a low accuracy biometric.

The table is offered to assist in assigning and evaluating the balance across a layer and appropriateness of each component to a particular requirement

Robustness Tables Note

Balanced Security

Balanced Security Video


of 47

Robustness of Access ControlThe following table provides a grading of access control measures.

Higher Control Medium Control Lower Control

Picture Badge Exchange 2 factor control (without biometric)

One factor (key, or badge)

2 factor with Biometric (verification)

Lower accuracy Biometric (one factor)

One factor PIN only if not shared by a group

High Accuracy biometric (identification) one factor

Two Person Access (one factor ea.)

NOTE: The tables are not official, but are examples of what might be useful in regulation. The tables

should be validated by the regulatory body.

The data in the tables has some validity, but is not develop with consideration of threat. The tables

assume proper installation and maintenance of the measures.

Balanced SecurityBalanced protection describes the uniform application of security measures to ensure that detection,

delay, and access control are the same for any path traversing the layer.

It does not mean that delay measures are balanced with detection, etc.

[Include a description/example of what this means]

[Reference Rene’s video]


Notes

of 47

Balanced Security ExerciseSplit into groups of 4-5. Give them 10 minutes. Refer to earlier layer exercise for descriptions of the rooms.

There are two layers of barriers here. Can you identify the layers? One is around the vault room, other covers the hallways, mechanical room, vault, and blood transfer room (at least).

Delay before detect—main entry door (BMS on hardened door)Detect without assess—main entry door, blood transfer room, mechanical room, within vault room

Imbalance in delay—outer layer window in blood room, back door to refrigeration, pathway through blood drawing room, front walls and door of vault room

-Imbalance in detection—every surface on outer layer but the blood transfer room and mechanical room, back entry door, the front walls of vault room,

Imbalance in access– outer layer two doors (badge reader to mag lock vs electric strike with simple code)

What are the problems with balance? (use the robustness tables)


of 47

Exercise: Balanced Security

Directions:

1. In groups, develop balance for the facility illustrated below.

2. Answer the following questions:

a. How many security layers are there?

b. What are the boundaries?

c. What issues with balance can you identify? (Use the robustness tables)


Notes

of 47

Special SituationsMust highlight that there is no security when PPS is disarmed.

This must be compensated for!


of 47

Special SituationsPhysical Protection Systems are not active and armed 7 days a week, 24 hours a day. Often, they are

disarmed:

In radiotherapy when people, such as patients, medical staff, maintenance and re-sourcing

personnel, are present

In radiography and well logging when source in transit or being used

In repository/storage when people are present for inventory or introduction of new material

Security measures to put in place when alarms/video are disarmed and/or doors are unlocked:

Detection: duress buttons and observation by staff

Delay: ability to lock outer/inner doors upon alarm to restrict egress

Access Control: manually monitored by staff including identification of authorized visitors

Alarm Communication: security phone numbers posted on wall, possible duress to siren?

Temporary SituationsFor temporary situations, such as maintenance and re-sourcing, measures would consist of posting a

guard with a radio and duress alarm.

Detection: full time escort—with knowledge of what activities are authorized for

maintenance/re-sourcing personnel

Access Control: Verification and escorting of temporary staff

Alarm Communication: good communication options

Testing should also occur after the temporary activity to ensure that security components are properly

functioning again.

Frequent SituationsFor situations that occur often, such as daily operations where patients are in and out and alarms and

locks are disabled:

Install duress alarms

Install surveillance cameras (when not violating privacy)

Provide addition barriers/access controls at/within the device

Provide detection via radiation alarms

Post guards

Escorts should aware of what the personnel being escorted are allowed to do, and what they are not

allowed to do in order to detect malicious activity.


Notes

of 47

Exercise: Compensatory Measures for Blood IrradiatorBreak participants into several groups of 3-5 persons in the lecture room. Have them work together for 10 minutes.

For temporary situations, such as maintenance and re-sourcing, measures would consist of posting a guard with a radio and duress alarm.

Review the answers by asking each group to offer some component (by walking up and sticking to the poster)

For situations that occur often, such as daily operations where patients are in and out and alarms and locks are disabled:

Install duress alarms

Install surveillance cameras (when not violating privacy)

Provide addition barriers/access controls at/within the device

Provide detection via radiation alarms

Post guards

For evacuation, need to apply measures to protect device from fire, and detect any approach/breaching of source device


of 47

Exercise: Compensatory Measures for Blood Irradiator

Directions: In groups, complete the table with suggested security compensatory measures.

Possible Solution 1 Possible Solution 2 Possible Solution 3

Working Hours / device usage

Maintenance / re-sourcing

Abnormal Situation: Fire Evacuation


Notes

of 47

SummaryAsk the summary points as questions.

Answers:1. Why are design concepts important?

Design concepts enable the development of an integrated security system and increase the likelihood of effective security management.

2. What does Defense-in-Depth involve?Defense-In-Depth involves the use of multiple security layers and measures.

3. What does Security in Layers involve?Security in Layers involves a continuous boundary/barrier that completely surrounds the target.

4. What are two concepts to remember for Security Timelines?Detection should precede delay and delay time should exceed response time.

5. What does Robustness of Security involve?Robustness of Security involves grading of delay barriers, detection measures, and access control measures based on the level needed.

6. How is Balanced Security achieved?Balanced Security is achieved through the uniform application of security to ensure detection, delay, and access control are the same for any path traversing the layer.


of 47

SummaryDesign concepts enable the development of an integrated security system and increase the likelihood of

effective security management.

Defense-In-Depth – Use of multiple security layers and measures

Security in Layers – A continuous boundary/barrier that completely surrounds the target

Security Timelines – Detection should precede delay and delay time should exceed response

time

Robustness of Security – Involves grading of delay barriers, detection measures, and access

control measures based on the level needed

Balanced Security – The uniform application of security to ensure detection, delay, and access

control are the same for any path traversing the layer

security system design concepts instructor guide · 2017. 10. 24. · security system design...

Documents