security by numbers physical security –the art of ... · physical security –the art of...
TRANSCRIPT
Part of the BRE Trust
Protecting People, Property and the Planet
Security by numbersPhysical security – The art of specification
Richard FlintBRE Global Limited, incorporating LPCBJune 2014
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
Security by numbersThe art of specifying effective physical security
• Who we are
• The Threat
• Basics of effective security
• Physical security standards
• Specifying effective physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
Assurance of critical infrastructure securityThe role of standards, testing & certification
Who we are
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Introduction to LPCB
• Leading international centre for fire and security product testing and approvals
• Approve >5000 loss prevention products produced in >40 countries
• One of two internationally recognised approvals and listings operated by BRE
Global. The other is
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Introduction to LPCB
Our heritage
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
Working with others to protect against terrorists and criminals
GovernmentCabinet Office, Home Office (incl.
OSCT), DCSF, CPNIPlus other National Governments
GovernmentCabinet Office, Home Office (incl.
OSCT), DCSF, CPNIPlus other National Governments
National Counter Terrorism Security Office (NaCTSO)
ArchitectsArchitects
Security consultantsSecurity consultants
ContractorsContractors
ManufacturersManufacturers
Specifiers and end users
Specifiers and end users
Enforcement agenciesEnvironment Agency
Revenue and CustomsPolice Special Branch
Enforcement agenciesEnvironment Agency
Revenue and CustomsPolice Special Branch
Home Office Centre for Applied Science and Technology
(HO CAST)
Home Office Centre for Applied Science and Technology
(HO CAST)
Association of Chief Police Officers (ACPO)
Association of Chief Police Officers (ACPO)
Secured By Design (SBD)Secured By Design (SBD)
Association of Chief Police Officers (ACPO)
Secured By Design (SBD)
Insurers and underwritersAssociation of British Insurers
(ABI)Lloyds Market AssociationAssociation of Insurance
Surveyors (AIS)Risc Authority
Insurers and underwritersAssociation of British Insurers
(ABI)Lloyds Market AssociationAssociation of Insurance
Surveyors (AIS)Risc Authority
Suppliers and distributorsSuppliers and distributors Installers and maintenance companies
Installers and maintenance companies
Testing laboratoriesTesting laboratories
Centre for Protection of National Infrastructure (CPNI)
Centre for Protection of National Infrastructure (CPNI)
National Counter Terrorism Security Office
(NaCTSO)
National Counter Terrorism Security Office
(NaCTSO)
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Owned by a charitable trust
Who BRE Trust
What Charitable trust
Why To advance knowledge, innovation and communication in all matters concerning the built environment for public benefit
How First class research and education funded by investing profits made by BRE and other subsidiaries in research and education
Over 600 staff within the BRE Trust Group
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
LPCB – The mark of effective security
The basics of effective security
- The context
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
*IRA, 1984
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Assuring critical infrastructure securityOur role and responsibilities regarding physical security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
LPCB – The mark of effective security
The basics of effective security
- The threat
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The basics of effective security
Identify the threat:
• Manual forced entry attack• Plant attack (e.g. diggers)
• Vehicle attack
• Ballistic
• Explosion
• Undetected compromise
• Other• Chemical, pathogen, toxin, radiological or nuclear
• Cyber
• Fire
• Vandalism© BRE Global Limited, 2014
Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
The basics of effective security
Identify the threat:
• Manual forced entry attack• Forced entry (without fear of making noise)• Stealth attacks
• Mob attacks
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
LPCB – The mark of effective security
The basics of effective security
- Preventing forced entry
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The basics of effective security against forced entry
Effective forced entry protection requires three things to work together:
Delay
Effective security occurs when: Time Delay ≥ Time Detection + TimeResponse
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
The basics of effective security against forced entry
Effective forced entry protection requires three things to work together:
Late detection will be exploited!
DelayExploitable security gap
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The basics of effective security against forced entry
Effective forced entry protection requires three things to work together:
Ineffective physical security will be exploited!
Delay
© BRE Global Limited, 2014
Exploitable security gap
Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
The basics of effective security against forced entry
Effective protection requires three things to work together: Unreliable alarm transmission could undermine other measures
Delay
Faulty alarm transmission equipment / paths delay the alarm signals sent to
alert the response
Exploitable security gap
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The basics of effective security against forced entry
Effective forced entry protection requires three things to work together:
No response leads to anarchy!
Delay© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The basics of effective security against forced entry
Delay
How do you determine what physical security products will provide a
suitable delay?
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
LPCB – The mark of effective security
The art of specifying effective security
- Selecting an appropriate performance standard to specify
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
How do you specify effective security equipment?
Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:
• Covers the type of product/system being considered
• Is performance based rather than design based
• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies
• Considers the whole product and not just components
• Determines the product’s resistance to the risks identified
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Scope of publically available physical security standards
Acc
ess
cove
rs a
nd h
atch
es
Cur
tain
wal
ling
/cla
ddin
g
Doo
rset
s (C
antil
ever
ed)
Doo
rset
s (F
oldi
ng)
Doo
rset
s (H
inge
d)
Doo
rset
s (P
ivot
ing)
Doo
rset
s (R
evol
ving
)
Doo
rset
s (S
lidin
g)
Enc
losu
re
Fenc
es
Par
titio
ning
sys
tem
s
Roo
fing
syst
ems
Roo
f lig
hts
and
skyl
ight
s
Sec
onda
ry g
lazi
ng s
yste
ms
Sec
urity
gril
les
Sec
urity
scr
eens
Sec
urity
shu
tters
Tem
pora
ry b
uild
ings
Gat
es a
nd tu
rnst
iles
Voi
d pr
otec
tion
scre
ens
Win
dow
s
Wal
ls a
nd c
eilin
gs
EN 1627: 2011 ü ü* ü* ü* ü* ü* ü ü* ü ü* ü ü
LPS 1175: Issue 7 ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü
PAS 24: 2012 ü ü ü ü ü ü‡
DOS ST-STD-01.02 ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü
*EN1627 covers pedestrian access and not
vehicle/goods access
‡PAS 24 is restricted to certain configurations only
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
LPS1175 – One standard covering all physical security layers
LPS 1175• Fences• Gates• Vehicle barriers• Enclosures• Entrance doors• Emergency exits• Windows
• Shutters• Rooflights• Roofs• Walls• Enclosures• Vehicles• Cycle racks• Cycle locks• Padlocks
• Glazing
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
How do you specify effective security equipment?
Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:
• Covers the type of product/system being considered
• Is performance based rather than design based
• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies
• Considers the whole product and not just components
• Determines the product’s resistance to the risks identified
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
‘Performance based’ verses ‘design based’ specifications
Type Pro’s: Con’s:
Design • Easy to describe visible attributes (materials and dimensions).
• Risk the design defined will not deliver the performance required
• Restricts use of ingenuity to solve problems
Performance • Links specification directly to the threats identified
• Lack of availability of products meeting desired performance attributes
• Does not describe what the solution looks like so architects can find it hard to visualise the products likely to be offer
How do you specify effective security equipment?
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
‘Manual attack testing’ verses ‘mechanical testing’
Type Pro’s: Con’s:Mechanical • Repeatable • Cannot economically cover the
wide scope of modus operandi available to intruders
• Test equipment must be developed for each product type/design and results cannot therefore be accurately compared between product types
Manual attack • Modus operandi can reflect the scope used by intruders
• Tests can be more easily tailored to different types of product
• Results may be inconsistent because they are affected by the testers’ knowledge, skill, stamina and strength
How do you specify effective security equipment?
© BRE Global Limited, 2014
Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
How do you specify effective security equipment?
Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:
• Covers the type of product/system being considered
• Is performance based rather than design based
• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies
• Considers the whole product and not just components
• Determines the product’s resistance to the risks identified
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Principles of effective security
The ‘entrepreneurial criminal’
Effective loss prevention standards are based on grading structures that recognise the increased investment criminals (and terrorists) will make to reap greater rewards.
• Investment (tools, time, effort)
• Risks (noise, leaving evidence)
• Reward (value of goods stolen)
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
20 min SR8
15 min
10 min SR4 SR5 SR6 SR7
5 min SR3
3 min SR2
1 min SR1
A B C D D+ E F G
LPS1175 Security RatingsD
elay
ACME
E
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
How do you specify effective security equipment?
Specify approval to appropriate ‘performance standards’It is important to ensure the standard used to specify security equipment:
• Covers the type of product/system being considered
• Is performance based rather than design based
• Is based on sound principles of terrorism/crime prevention and address terrorist’s/criminal’s entrepreneurial tendencies
• Considers the whole product and not just components
• Determines the product’s resistance to the risks identified
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
How do you specify effective security equipment?
Security is only as good as the weakest part!
• EN1627:– Relies on tests conducted on glazing and locks to separate associated
component standards such as EN356, EN1303 and EN12209– The supporting component standards do not use common test methods or
failure criteria– The standard therefore does not result in the assembled products
providing holistic levels of security – many are vulnerable to basic attacks
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
How do you specify effective security equipment?
Security is only as good as the weakest part!
• EN1627:– Relies on tests conducted on glazing and locks to separate associated
component standards such as EN356, EN1303 and EN12209– The supporting component standards do not use common test methods or
failure criteria– The standard therefore does not result in the assembled products
providing holistic levels of security – many are vulnerable to basic attacks
• LPS1175:– Considers the whole assembled product to a common classification
system– Is supported by standards for security glazing (LPS1270) and locks
(LPS1242 and LPS1654) sharing common performance requirements– Ensures holistic levels of security are provided by the assembled
product/system– Empowers the development and selection of components that deliver
compatible levels of security performance © BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Principles of effective security – Features of standards
Standards should address the threats identified• The delay required (i.e. working time)
• The number of intruders
- Loan intruder (LPS1175 and EN1627)
- Pair of intruders (DOS - FE5)
- Mob (DOS - FE15 and FE60)
• The attack tools available to the intruders
- Type, number, and the methods by which those tools may be
used
• Level of information about the product available to the intruder
• Whether the intruder is likely to use stealth to achieve their objective
undetected or whether they would be willing to make noise
• Whether the intruder wishes to achieve entry surreptitiously or not © BRE Global Limited, 2014
Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
Protecting People, Property and the Planet
Security by numbersThe art of specifying effective physical security
Comparison of publically available physical security standards
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Comparison of alternative façade security standards
Time and tools
Standard PAS23/24 and
BS7950
LPS1175 EN1627
Rating/ Class Not applicable
SR1 RC1
Working Time 1 minutes No manual attack testing conductedTotal Test Time 10 minutes
Tools
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Comparison of alternative façade security standardsStandard PAS23/24 and
BS7950LPS1175 EN1627
Rating/ Class Pass SR2 RC2
Working Time 3 minutes
Total Test Time 15 minutes
Tools Glazing removal
Manipulation
Levering
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
Comparison of alternative façade security standards
Time and tools
Standard LPS 1175 EN 1627
Rating/Class SR3 RC3
Working Time 5 minutes
Total Test Time 20 minutes
Tools As earlier, plus: As earlier, plus:
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Attack methods and tool use not covered by EN1627 RC3
Comparison of alternative façade security standards
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
EN 1627 – Resistance Class 3 doors attacks (5 minutes)
Remember• EN 1627 assumes NO NOISE up to RC3 (5 minute attack)!• Above restrictions on tool use also apply at higher resistance classes
Comparison of alternative façade security standards
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Comparison of alternative façade security standards
Time and tools
Standard LPS 1175 EN 1627
Rating/Class SR4 RC4
Working Time 10 minutes
Total Test Time 30 minutes
Tools
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Comparison of alternative façade security standardsBenchmark(LPS 1175) LPS 1175: Issue 7 EN 1627‡ PAS 24
VERY HIGH RISK
LOW RISK
SR1
SR2
SR3
SR4
SR5
SR6
SR7
SR8
RC
1
RC
2
RC
3
RC
4
RC
5
RC
6 *
RC
1
RC
2
RC
3
RC
4
RC
5 *
RC
6 *
Unglazed
Doorsets◊
Glazed
Doorsets
Window
s◊
All Products Glazed Products† Unglazed Products
SR8
SR7
SR6
SR5
SR4
SR3
SR2
SR1
Unclassified
Level of security
provided by approved products
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Protecting People, Property and the Planet
LPCB – The mark of effective security
The art of specifying effective security
- The benefits of using third party approved products
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The basis of effective security
How do you determine what products provide an effective delay?
The best!
Secure! Robust! Unbeatable!
Seriously strong!
Designed to meet…
Complies with …
Tested to …Certified to …
Approved to …
Recognised by …
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
How effective is the product being specified?
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
We test all features until we are certain there is no way past them
Testing - Reasons products fail
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
Incompatible locking hardware and glazing
LPCB’s experienced test engineers often exploit incompatible hardware and glazing
• ‘Fishing’ attacks to manipulate internal operating devices (panic hardware, lever handles, thumbturns)
• Targeting access control wiring leading to solenoid or other electronic locks
• Overcoming cylinder protection
• Manipulating other features (e.g. shoot bolt link rods)
• Compromising glazing (e.g. 7.5 mm or 11.3 mmcommonly believed to deliver good levels of attack resistance)
Testing - Reasons we fail so many products
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Third party approval – Ensuring products are effective
Third party approval helps ensure the products supplied deliver the performance required by ensuring there is effective management of all the factors that affect a product’s performance
Design
UseQuality
Performance
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The Red Book
Benefits of Red Book listing
Free LPCB does not charge people to receive/view the Red Book
Accessible Available in a range of formats:
– Limited edition softback format– Downloadable PDF on website www.redbooklive.com– Searchable database on website www.redbooklive.com– Apps for Android, Apple and Windows (free from App stores)
Up to date Web versions are updated as soon as certificates are issued, changed or suspended/withdrawn. This provides up-to-date confirmation of a product’s approval status to specifiers and other stakeholders.
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
The Red Book
Benefits of Red Book listing
Scope Red Book covers an increasingly broad selection of proven security solutions
Red Book is becoming a one-stop-shop for specifiers seeking to verify the effectiveness of products they are considering specifying
Widely promoted We exhibit at a large number of fire, security and construction shows around the world
Widely recognised The Red Book is used by specifiers around the world by those who recognise the huge benefits of using LPCB approved products and services.
© BRE Global Limited, 2014
Copyright BRE Global Ltd, 2014Copyri
ght B
RE Glob
al Lim
ited,
2014
Preventing crime and terrorism
Remember
They only have to be lucky some of the time.
You have to be lucky all of the time!
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Preventing crime and terrorism
Remember
Using security products approved by
recognised third parties to appropriate
standards:
• Ensures the products used provide a
reliable delay
• Helps mitigate the risk of forced entry
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14
Thank you for listening
Any questions?Richard Flint
Physical Security Certification Scheme ManagerLoss Prevention Certification Board
Email: [email protected]
The mark of effective security
© BRE Global Limited, 2014Copyright BRE Global Ltd, 2014Cop
yrigh
t BRE G
lobal
Limite
d, 20
14