Keys to a More Successful Physical Security Program

Post on 10-Feb-2015


DESCRIPTION

An effective security program is a living thing. It comprises a myriad of equipment, actions, policies, and procedures, all of which interconnect and rely on each other to provide a comprehensive and effective program. The collection of documents that together form the security program must be, by design and intent, focused on three primary missions: remedial measures, preventative measures, and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization’s actions both during and following specific events; and educate the organization on the roles specific groups play. Joachim Gloschat's presentation will address all this and more as he explores what makes a successful physical security program.

TRANSCRIPT

INTRODUCTION

Background

US Army

Russian Cryptography Interceptor

○ 1984 to 1987

Mandarin Chinese Intelligence Officer

○ 1989 to 2001

Sept 11, 2001 World Trade Centers

“Working in security is doing God’s work as far as I am concerned. Security work is an opportunity to serve fellow man…There is nothing greater than saving lives.”

Dr. Ona Ekhomu, CPP, Security Management Magazine, March 2007

First Nigerian ASIS Certified Protection Professional

Background

Antiterrorism/Force Protection

2001 – US Corps of Engineers

2002 – Operation Enduring Freedom

2003 – Operation Iraqi Freedom

2004 – Security Management Solutions

○ Federal Energy Regulatory Commission

○ Association of State Dam Safety Officials

○ InterAgency Forum for Infrastructure Protection

Post 9/11

A Paradigm Shift

Threat Dimensions

1. Non-linear/Asymmetrical

2. Off-the-shelf technology

3. WMD and mass casualties

Low Tech vs. High Tech

Urban vs. Rural fights

4. Urban fights

5. Avoid decisive battle

W. Foos, SMS

April 19, 1995 Murrah Federal Building

Aug 7, 1998 US Embassy Nairobi

Sept 11, 2001 World Trade Centers

Physical Attacks

11 March 2004 Madrid Train Bombings: Spain

Physical Attacks

Sept 2004 Chechnya Rebels

Cyber Attacks

2003-2007 - TITAN RAIN

2006-present - SHADY RAT

2008 - DOD Classified and Unclassified Systems - Contaminated thumb drive

2010 - STUXNET

2011 - 50 DAYS OF LULZ

Cyber Attacks 2012

13.37 million recorded compromised

189 total breaches

NY Electric and Gas 1.8m

Global Payments 1.5m

CA Dept. of Child Support 800k

Utah Dept. of Technical Services 780k


MAKING A SECURITY PROGRAM MORE EFFECTIVE

Why is a Security Program so vital?

How does a Security Program Work?

A Security Program protects assets or facilities against:

1. Theft

2. Sabotage

3. Malevolent human attacks

4. Natural Events

What does a Security Program Encompass?

1. Physical Security

2. Cyber Security

3. Personnel Security

4. Information Security

5. Business Continuity

6. Crisis Management

Prevention

Remediation

Education

Remediation

1. Upgrading PPS

2. Upgrading Security Program

3. Responding to Incidents

4. Implementing Risk Reduction Recommendations

Education

1. R&D

2. SOPs

3. Emergency Response Plan

4. Physical Security Plans

5. Define, Establish, & Update HLS security procedures

6. Guard Contracts

Prevention

1. Maintenance of Systems

2. Assessment – Evaluations

3. SOP Development

4. Integration of Security Operations

5. Training & Exercise of EAPs

6. Implementation of Heightened Security Procedures

Security Documents:

- Threat Assessments

- Vulnerability Study

Three Components of a Security Program


An Effective Security Program ties it all together.

Fundamentals of Security Integration

People

Policies

Equipment

Procedures

Security Program Measures

1. Preventative measures – Reduce the likelihood of an attack, delay the success of the attack, protect the assets, or make them less vulnerable to compromise.

2. Detective measures – Discover the attack and activate corrective or mitigative action.

3. Corrective measures – Reduce the effects of an attack and restore to normal operations.


What are The Steps Necessary?

1. Evaluate

2. Establish

3. Sustain

Step One: Evaluation

1. Mission

2. Assets

3. Consequences

4. Threats

5. Security System Effectiveness

Step One: Evaluation (Mission)

1. What do I buy?

2. What do I sell?

3. How do I produce it?

4. What components do I need to make what I make?

5. What does it take to get those components and deliver the finished product?

Company Mission

Company Vision

License Requirements

Shareholder Mandates

Products of the facility

Vendors

Inventory System

Shipping and Receiving

Operational involvement & location of senior executives

How Missions lead to Assets


1. Physical

2. People

3. Knowledge

4. Information Technology

5. Clientele

6. Any activity that has a positive value to its owner

Step One: Evaluation (Assets)

What would it take to disrupt operations?

What would it take to stop operations?

What would happen to the vendors, your company, your customers, if operations paused or ceased?

Who and What would be impacted?

Step One: Evaluation (Consequences)

[Figure: The Security Program Arch, with elements labeled THREAT, INFOSEC, PHYSEC, CYBERSEC, PERSEC]

Step One: Evaluation (Threat)

Natural

Intentional

Unintentional

Step One: Evaluation (Threat)


Threat Categories

Terrorists (CONUS or OCONUS)

Ecological

Militia / Paramilitary

Rogue

Racist

Extremist Group Vandals

Saboteurs Criminals Cyber Threat Gangs Other Insider(s)

RAM™

UNDERSTANDING THE DESIGN BASIS THREAT

Identifying the Design Basis Threat

Motivation

Capability

History and Behavior Patterns

Current Activity

Geographic Access

Organization & Numbers

Mobility

Technology/Tactics


Design Basis Threat (Example)

Adversary Type: Militia/Paramilitary Terrorist Group

Motivation: Ideological/Political/Publicity

Group: Terrorist Cell - 2 to 7 persons – well organized

Tactics: Large scale sabotage

Equipment: Hand tools, construction equipment, 2-way radios

Weapons: Small handguns, rifles, submachine guns

Explosives: Vegan Jell-O, TNT or Equivalent Explosives

Transportation: Sport utility vehicles, all-terrain vehicles, vans, 4x4s, foot access

Intelligence gathering means: Surveillance, Internet research, public record review

Technical skills and knowledge: Sophisticated technical education

Financial resources: Assumed unlimited

Potential for collusion: Disgruntled or planted employee or contractor


Intelligence Methods used by Adversaries

Open Source Research

FOIA

Internet

Public Domain Technical Reports

People

Informers

Intelligence Agents

Communications

Photographs / Surveillance

Trash


Based on analysis of Asset and Threats, create Asset-Threat Pairing

Not every Asset is considered attractive to the same Threat

Every asset’s protection must be evaluated against its own Design Basis Threat

Step One: Evaluation (Security System Effectiveness)

Basics of Security

1. Detect

2. Assess

3. Delay

4. Respond

5. Integration and Communication

Fundamentals of Security

Protection in Depth & Balanced Protection

Asset

Outer Perimeter

Intermediate Perimeter

Inner Perimeter

Exclusion Zone


Step Two: Establish

1. Fill in the gaps

2. Create what wasn’t there

3. Accept versus Reject Risk

4. Risk Reduction Measures


Security Policies and Procedures

Establish strategic security objectives and priorities for organization

Identify personnel responsible for security functions

Identify the employee responsibilities

Should be aligned with the objectives of the organization

Should cover the following topics

- People

- Property

- Information


Step Three: Sustain

1. Education

2. Exercises

3. Relationships

4. Reevaluation
