security by numbers physical security –the art of ... · physical security –the art of...

58
Part of the BRE Trust Protecting People, Property and the Planet Security by numbers Physical security – The art of specification Richard Flint BRE Global Limited, incorporating LPCB June 2014 © BRE Global Limited, 2014 Copyright BRE Global Ltd, 2014 Copyright BRE Global Limited, 2014

Upload: lambao

Post on 12-May-2018

215 views

Category:

Documents


1 download

TRANSCRIPT

Part of the BRE Trust

Protecting People, Property and the Planet

Security by numbersPhysical security – The art of specification

Richard FlintBRE Global Limited, incorporating LPCBJune 2014

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

Security by numbersThe art of specifying effective physical security

• Who we are

• The Threat

• Basics of effective security

• Physical security standards

• Specifying effective physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

Assurance of critical infrastructure securityThe role of standards, testing & certification

Who we are

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Introduction to LPCB

• Leading international centre for fire and security product testing and approvals

• Approve >5000 loss prevention products produced in >40 countries

• One of two internationally recognised approvals and listings operated by BRE

Global. The other is

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Introduction to LPCB

Our heritage

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

Working with others to protect against terrorists and criminals

GovernmentCabinet Office, Home Office (incl.

OSCT), DCSF, CPNIPlus other National Governments

GovernmentCabinet Office, Home Office (incl.

OSCT), DCSF, CPNIPlus other National Governments

National Counter Terrorism Security Office (NaCTSO)

ArchitectsArchitects

Security consultantsSecurity consultants

ContractorsContractors

ManufacturersManufacturers

Specifiers and end users

Specifiers and end users

Enforcement agenciesEnvironment Agency

Revenue and CustomsPolice Special Branch

Enforcement agenciesEnvironment Agency

Revenue and CustomsPolice Special Branch

Home Office Centre for Applied Science and Technology

(HO CAST)

Home Office Centre for Applied Science and Technology

(HO CAST)

Association of Chief Police Officers (ACPO)

Association of Chief Police Officers (ACPO)

Secured By Design (SBD)Secured By Design (SBD)

Association of Chief Police Officers (ACPO)

Secured By Design (SBD)

Insurers and underwritersAssociation of British Insurers

(ABI)Lloyds Market AssociationAssociation of Insurance

Surveyors (AIS)Risc Authority

Insurers and underwritersAssociation of British Insurers

(ABI)Lloyds Market AssociationAssociation of Insurance

Surveyors (AIS)Risc Authority

Suppliers and distributorsSuppliers and distributors Installers and maintenance companies

Installers and maintenance companies

Testing laboratoriesTesting laboratories

Centre for Protection of National Infrastructure (CPNI)

Centre for Protection of National Infrastructure (CPNI)

National Counter Terrorism Security Office

(NaCTSO)

National Counter Terrorism Security Office

(NaCTSO)

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Owned by a charitable trust

Who BRE Trust

What Charitable trust

Why To advance knowledge, innovation and communication in all matters concerning the built environment for public benefit

How First class research and education funded by investing profits made by BRE and other subsidiaries in research and education

Over 600 staff within the BRE Trust Group

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

LPCB – The mark of effective security

The basics of effective security

- The context

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

*IRA, 1984

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Assuring critical infrastructure securityOur role and responsibilities regarding physical security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

LPCB – The mark of effective security

The basics of effective security

- The threat

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The basics of effective security

Identify the threat:

• Manual forced entry attack• Plant attack (e.g. diggers)

• Vehicle attack

• Ballistic

• Explosion

• Undetected compromise

• Other• Chemical, pathogen, toxin, radiological or nuclear

• Cyber

• Fire

• Vandalism© BRE Global Limited, 2014

Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

The basics of effective security

Identify the threat:

• Manual forced entry attack• Forced entry (without fear of making noise)• Stealth attacks

• Mob attacks

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

LPCB – The mark of effective security

The basics of effective security

- Preventing forced entry

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The basics of effective security against forced entry

Effective forced entry protection requires three things to work together:

Delay

Effective security occurs when: Time Delay ≥ Time Detection + TimeResponse

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

The basics of effective security against forced entry

Effective forced entry protection requires three things to work together:

Late detection will be exploited!

DelayExploitable security gap

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The basics of effective security against forced entry

Effective forced entry protection requires three things to work together:

Ineffective physical security will be exploited!

Delay

© BRE Global Limited, 2014

Exploitable security gap

Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

The basics of effective security against forced entry

Effective protection requires three things to work together: Unreliable alarm transmission could undermine other measures

Delay

Faulty alarm transmission equipment / paths delay the alarm signals sent to

alert the response

Exploitable security gap

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The basics of effective security against forced entry

Effective forced entry protection requires three things to work together:

No response leads to anarchy!

Delay© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The basics of effective security against forced entry

Delay

How do you determine what physical security products will provide a

suitable delay?

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

LPCB – The mark of effective security

The art of specifying effective security

- Selecting an appropriate performance standard to specify

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

How do you specify effective security equipment?

Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:

• Covers the type of product/system being considered

• Is performance based rather than design based

• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies

• Considers the whole product and not just components

• Determines the product’s resistance to the risks identified

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Scope of publically available physical security standards

Acc

ess

cove

rs a

nd h

atch

es

Cur

tain

wal

ling

/cla

ddin

g

Doo

rset

s (C

antil

ever

ed)

Doo

rset

s (F

oldi

ng)

Doo

rset

s (H

inge

d)

Doo

rset

s (P

ivot

ing)

Doo

rset

s (R

evol

ving

)

Doo

rset

s (S

lidin

g)

Enc

losu

re

Fenc

es

Par

titio

ning

sys

tem

s

Roo

fing

syst

ems

Roo

f lig

hts

and

skyl

ight

s

Sec

onda

ry g

lazi

ng s

yste

ms

Sec

urity

gril

les

Sec

urity

scr

eens

Sec

urity

shu

tters

Tem

pora

ry b

uild

ings

Gat

es a

nd tu

rnst

iles

Voi

d pr

otec

tion

scre

ens

Win

dow

s

Wal

ls a

nd c

eilin

gs

EN 1627: 2011 ü ü* ü* ü* ü* ü* ü ü* ü ü* ü ü

LPS 1175: Issue 7 ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü

PAS 24: 2012 ü ü ü ü ü ü‡

DOS ST-STD-01.02 ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü

*EN1627 covers pedestrian access and not

vehicle/goods access

‡PAS 24 is restricted to certain configurations only

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

LPS1175 – One standard covering all physical security layers

LPS 1175• Fences• Gates• Vehicle barriers• Enclosures• Entrance doors• Emergency exits• Windows

• Shutters• Rooflights• Roofs• Walls• Enclosures• Vehicles• Cycle racks• Cycle locks• Padlocks

• Glazing

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

How do you specify effective security equipment?

Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:

• Covers the type of product/system being considered

• Is performance based rather than design based

• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies

• Considers the whole product and not just components

• Determines the product’s resistance to the risks identified

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

‘Performance based’ verses ‘design based’ specifications

Type Pro’s: Con’s:

Design • Easy to describe visible attributes (materials and dimensions).

• Risk the design defined will not deliver the performance required

• Restricts use of ingenuity to solve problems

Performance • Links specification directly to the threats identified

• Lack of availability of products meeting desired performance attributes

• Does not describe what the solution looks like so architects can find it hard to visualise the products likely to be offer

How do you specify effective security equipment?

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

‘Manual attack testing’ verses ‘mechanical testing’

Type Pro’s: Con’s:Mechanical • Repeatable • Cannot economically cover the

wide scope of modus operandi available to intruders

• Test equipment must be developed for each product type/design and results cannot therefore be accurately compared between product types

Manual attack • Modus operandi can reflect the scope used by intruders

• Tests can be more easily tailored to different types of product

• Results may be inconsistent because they are affected by the testers’ knowledge, skill, stamina and strength

How do you specify effective security equipment?

© BRE Global Limited, 2014

Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

How do you specify effective security equipment?

Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:

• Covers the type of product/system being considered

• Is performance based rather than design based

• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies

• Considers the whole product and not just components

• Determines the product’s resistance to the risks identified

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Principles of effective security

The ‘entrepreneurial criminal’

Effective loss prevention standards are based on grading structures that recognise the increased investment criminals (and terrorists) will make to reap greater rewards.

• Investment (tools, time, effort)

• Risks (noise, leaving evidence)

• Reward (value of goods stolen)

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

20 min SR8

15 min

10 min SR4 SR5 SR6 SR7

5 min SR3

3 min SR2

1 min SR1

A B C D D+ E F G

LPS1175 Security RatingsD

elay

ACME

E

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

How do you specify effective security equipment?

Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:

• Covers the type of product/system being considered

• Is performance based rather than design based

• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies

• Considers the whole product and not just components

• Determines the product’s resistance to the risks identified

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

How do you specify effective security equipment?

Security is only as good as the weakest part!

• EN1627:– Relies on tests conducted on glazing and locks to separate associated

component standards such as EN356, EN1303 and EN12209– The supporting component standards do not use common test methods or

failure criteria– The standard therefore does not result in the assembled products

providing holistic levels of security – many are vulnerable to basic attacks

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

How do you specify effective security equipment?

Security is only as good as the weakest part!

• EN1627:– Relies on tests conducted on glazing and locks to separate associated

component standards such as EN356, EN1303 and EN12209– The supporting component standards do not use common test methods or

failure criteria– The standard therefore does not result in the assembled products

providing holistic levels of security – many are vulnerable to basic attacks

• LPS1175:– Considers the whole assembled product to a common classification

system– Is supported by standards for security glazing (LPS1270) and locks

(LPS1242 and LPS1654) sharing common performance requirements– Ensures holistic levels of security are provided by the assembled

product/system– Empowers the development and selection of components that deliver

compatible levels of security performance © BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Principles of effective security – Features of standards

Standards should address the threats identified• The delay required (i.e. working time)

• The number of intruders

- Loan intruder (LPS1175 and EN1627)

- Pair of intruders (DOS - FE5)

- Mob (DOS - FE15 and FE60)

• The attack tools available to the intruders

- Type, number, and the methods by which those tools may be

used

• Level of information about the product available to the intruder

• Whether the intruder is likely to use stealth to achieve their objective

undetected or whether they would be willing to make noise

• Whether the intruder wishes to achieve entry surreptitiously or not © BRE Global Limited, 2014

Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

Protecting People, Property and the Planet

Security by numbersThe art of specifying effective physical security

Comparison of publically available physical security standards

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Comparison of alternative façade security standards

Time and tools

Standard PAS23/24 and

BS7950

LPS1175 EN1627

Rating/ Class Not applicable

SR1 RC1

Working Time 1 minutes No manual attack testing conductedTotal Test Time 10 minutes

Tools

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Comparison of alternative façade security standardsStandard PAS23/24 and

BS7950LPS1175 EN1627

Rating/ Class Pass SR2 RC2

Working Time 3 minutes

Total Test Time 15 minutes

Tools Glazing removal

Manipulation

Levering

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

Comparison of alternative façade security standards

Time and tools

Standard LPS 1175 EN 1627

Rating/Class SR3 RC3

Working Time 5 minutes

Total Test Time 20 minutes

Tools As earlier, plus: As earlier, plus:

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Attack methods and tool use not covered by EN1627 RC3

Comparison of alternative façade security standards

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

EN 1627 – Resistance Class 3 doors attacks (5 minutes)

Remember• EN 1627 assumes NO NOISE up to RC3 (5 minute attack)!• Above restrictions on tool use also apply at higher resistance classes

Comparison of alternative façade security standards

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Comparison of alternative façade security standards

Time and tools

Standard LPS 1175 EN 1627

Rating/Class SR4 RC4

Working Time 10 minutes

Total Test Time 30 minutes

Tools

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Comparison of alternative façade security standardsBenchmark(LPS 1175) LPS 1175: Issue 7 EN 1627‡ PAS 24

VERY HIGH RISK

LOW RISK

SR1

SR2

SR3

SR4

SR5

SR6

SR7

SR8

RC

1

RC

2

RC

3

RC

4

RC

5

RC

6 *

RC

1

RC

2

RC

3

RC

4

RC

5 *

RC

6 *

Unglazed

Doorsets◊

Glazed

Doorsets

Window

s◊

All Products Glazed Products† Unglazed Products

SR8

SR7

SR6

SR5

SR4

SR3

SR2

SR1

Unclassified

Level of security

provided by approved products

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Protecting People, Property and the Planet

LPCB – The mark of effective security

The art of specifying effective security

- The benefits of using third party approved products

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The basis of effective security

How do you determine what products provide an effective delay?

The best!

Secure! Robust! Unbeatable!

Seriously strong!

Designed to meet…

Complies with …

Tested to …Certified to …

Approved to …

Recognised by …

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

How effective is the product being specified?

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

We test all features until we are certain there is no way past them

Testing - Reasons products fail

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

Incompatible locking hardware and glazing

LPCB’s experienced test engineers often exploit incompatible hardware and glazing

• ‘Fishing’ attacks to manipulate internal operating devices (panic hardware, lever handles, thumbturns)

• Targeting access control wiring leading to solenoid or other electronic locks

• Overcoming cylinder protection

• Manipulating other features (e.g. shoot bolt link rods)

• Compromising glazing (e.g. 7.5 mm or 11.3 mmcommonly believed to deliver good levels of attack resistance)

Testing - Reasons we fail so many products

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Third party approval – Ensuring products are effective

Third party approval helps ensure the products supplied deliver the performance required by ensuring there is effective management of all the factors that affect a product’s performance

Design

UseQuality

Performance

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The Red Book

Benefits of Red Book listing

Free LPCB does not charge people to receive/view the Red Book

Accessible Available in a range of formats:

– Limited edition softback format– Downloadable PDF on website www.redbooklive.com– Searchable database on website www.redbooklive.com– Apps for Android, Apple and Windows (free from App stores)

Up to date Web versions are updated as soon as certificates are issued, changed or suspended/withdrawn. This provides up-to-date confirmation of a product’s approval status to specifiers and other stakeholders.

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

The Red Book

Benefits of Red Book listing

Scope Red Book covers an increasingly broad selection of proven security solutions

Red Book is becoming a one-stop-shop for specifiers seeking to verify the effectiveness of products they are considering specifying

Widely promoted We exhibit at a large number of fire, security and construction shows around the world

Widely recognised The Red Book is used by specifiers around the world by those who recognise the huge benefits of using LPCB approved products and services.

© BRE Global Limited, 2014

Copyright BRE Global Ltd, 2014Copyri

ght B

RE Glob

al Lim

ited,

2014

Preventing crime and terrorism

Remember

They only have to be lucky some of the time.

You have to be lucky all of the time!

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Preventing crime and terrorism

Remember

Using security products approved by

recognised third parties to appropriate

standards:

• Ensures the products used provide a

reliable delay

• Helps mitigate the risk of forced entry

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14

Thank you for listening

Any questions?Richard Flint

Physical Security Certification Scheme ManagerLoss Prevention Certification Board

Email: [email protected]

The mark of effective security

© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop

yrigh

t BRE G

lobal

Limite

d, 20

14