Fri Apr 8 06:51:40 PDT 2016
Technology: Physical Perimeters: What physical perimeters have what protection mechanisms?
Options:
For each type of physical facility, describe what protective mechanisms are associated with each physical protection layer.
World
Location / Mapping / Accessibility / Deceptions / Response forces and times
Property
Perimeters / Signs / Entry paths / Barriers / Sensors / Response forces
Perimeters
Construction / Signs / Deceptions / Entry paths / Barriers / Sensors / Emergency modes / Response times and forces
Facilities
Construction / Zones / Flow paths / Barriers / Sensors / Locking devices / Emergency modes / Response times and forces
Containers
Construction / Barriers / Sensors / Locking devices / Emergency modes / Response forces and times
Physical separation requirements for zone(s) of type XXX
Decision:
Typical controls for different risk levels are identified here:
High Risk
World
Location concealed where feasible.
Mapping does not designate nature of facility.
Accessibility limited to the extent feasible.
Deceptions used to conceal the nature of use of location.
Response forces and times determined by analysis of attack graphs.
Design basis threat applied.
Property
Perimeters restricted to authorized entry at a distance determined by analysis.
Signs warning prohibition from unauthorized entry without revealing the nature of the facility.
Entry paths restricted to the minimum number required for safety and security.
Barriers determined based on attack graph analysis.
Sensors used to detect barrier approach, passage, and access to unauthorized areas of the property.
Response forces and times determined by analysis of attack graphs.
Design basis threat applied.
Perimeters
Construction designed to meet specific needs for defending against threat(s).
Signs direct inward and outward flows of traffic without revealing the nature of the facility.
Deceptions used to limit knowledge of content and locations within the perimeters other than "Parking" and other locations required for initial entry to facility access controls.
Entry paths limited to defined paths for operating modes.
Barriers determined based on attack graph analysis and design basis threat.
Sensors used to detect perimeter approach, passage, and access to unauthorized areas within the perimeter(s).
Emergency modes predefined based on analysis of attack graphs, normal operations, and design basis threat.
Response times and forces determined by analysis of attack graphs.
Design basis threat applied.
Facilities
Construction designed to meet specific needs for defending against threat(s).
Zones separated and defined based on access, response, and separation requirements and structured so as to make zone traverse inconvenient and unnecessary to the extent feasible in normal and emergency operating modes, with higher consequence zones harder to reach than lower consequence zones.
Flow paths designed to limit flows to tend to remain within zones and minimize inter-zone flows.
Barriers determined based on attack graph analysis.
Sensors used to detect facility approach, entry, movement within, and access to unauthorized as well as authorized areas within the facility.
Emergency modes defined and flows restricted to the extent feasible so that in emergencies, flow goes from higher consequence to lower consequence areas with reentry into higher consequence areas limited even during emergency evacuation to the extent feasible.
Locking devices are suitable to the consequences and attack time requirements.
Response times and forces are determined by analysis of attack graphs.
Design basis threat applied.
Containers
Construction is to the specification associated with the applicable environmental threat conditions.
Barriers fully separate all container areas not requiring direct connectivity where feasible and passage through container areas to reach other container areas is such that higher consequence contained areas are within lower consequence areas.
Sensors are used on containers to detect unauthorized access in real-time.
Emergency modes for containers allow exit-only or lockdown as appropriate.
Locking devices are suitable to the consequences and attack time requirements.
Response forces and times are determined by analysis of attack graphs.
Design basis threat applied.
Other requirements: All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions.
Physical protection requirements for high risk facilities
Medium Risk
World
Location not advertised where feasible.
Mapping does not designate nature of facility.
Accessibility limited to the normal plant controls.
The nature of use of the location is not advertised.
Response forces and times determined by normal needs of similar sorts of plants.
Property
Perimeters restricted to authorized entry at normal plant property entry points.
Signs warning prohibition from unauthorized entry.
Entry paths appropriate to normal operation of the plant.
Barriers determined based on property protection needs.
Sensors used to detect unauthorized entry to closed areas of the property.
Response forces and times determined by normal plant requirements.
Perimeters
Construction designed to meet normal needs of the plant.
Signs direct inward and outward flows of traffic.
Entry paths limited to normal paths used in operations and emergency evacuation or response paths.
Barriers determined based on facility safety needs.
Sensors used to detect perimeter breaches and access to unauthorized areas within the perimeter(s).
Emergency modes predefined based on safety and emergency evacuation or response paths.
Response times and forces determined by safety and operational needs.
Facilities
Construction designed to meet specific needs of the plant.
Zones separated and defined based on access requirements and structured so as to make zone traverse inconvenient and unnecessary to the extent feasible in normal operation, with higher consequence zones harder to reach than lower consequence zones.
Flow paths designed to limit flows to tend to remain within zones and minimize inter-zone flows.
Barriers determined based on normal plant needs.
Sensors used to detect unauthorized facility or area entry.
Emergency modes defined and flows restricted so that in emergencies, flow goes from higher consequence to lower consequence areas.
Locking devices suitable to the consequences.
Response times and forces are determined by safety and operational needs.
Containers
Construction is to the specification associated with the plant environment.
Barriers should separate containers not requiring direct connectivity where feasible.
Sensors are used on containers to detect unauthorized access upon inspection.
Emergency modes for containers allow exit-only or lockdown as appropriate.
Locking devices are suitable to the consequences.
Response forces and times are determined by safety and operational needs.
Other requirements: All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions.
Physical separation requirements for medium risk facilities
Low Risk
World
No special security controls.
Property
Perimeters designed to meet health and safety code and property protection requirements.
Signs appropriate to health and safety requirements on property access.
Entry paths appropriate to health and safety requirements on property access.
Barriers suited to appropriate health and safety requirements on property access.
No special sensors required for security.
Response forces and times are determined by safety and operational needs.
Perimeters
Construction designed to meet normal needs of the plant.
Signs appropriate to health and safety needs of the plant.
Entry paths limited to normal paths used in operations and emergency evacuation or response paths.
Barriers determined based on facility safety needs.
Sensors designed for property protection needs.
Emergency modes predefined based on safety and emergency evacuation or response paths.
Response times and forces determined by safety and operational needs.
Facilities
Construction designed to meet specific needs of the plant.
Zones separated and defined based on access requirements.
Flow paths designed for normal plant operational efficiency.
Barriers determined based on normal plant needs.
Sensors designed for property protection needs.
Emergency modes predefined based on safety and emergency evacuation or response paths.
Response times and forces determined by safety and operational needs.
Containers
Construction is to the specification associated with the plant environment.
Barriers should separate containers as needed for health and safety.
Sensors designed for property protection needs.
Emergency modes predefined based on safety and emergency evacuation or response needs.
Locking devices are suitable to normal worker access controls.
Response forces and times are determined by safety and operational needs.
Other requirements: All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions.
Physical separation requirements for low risk facilities
Identify the zone separation specifics for each relevant class of separation requirements applicable and codify:
World
Location / Mapping / Accessibility / Deceptions / Response forces and times
Property
Perimeters / Signs / Entry paths / Barriers / Sensors / Response forces
Perimeters
Construction / Signs / Deceptions / Entry paths / Barriers / Sensors / Emergency modes / Response times and forces
Facilities
Construction / Zones / Flow paths / Barriers / Sensors / Locking devices / Emergency modes / Response times and forces
Containers
Construction / Barriers / Sensors / Locking devices / Emergency modes / Response forces and times
Physical separation requirements for zone(s) of type XXX
Basis:
All applicable other requirements are met for the
nature and type of facility in the applicable jurisdictions.
Generally, all facilities must meet legal, regulatory, and management
defined requirements.
Design basis threat applied. A design basis
threat is an assumption regarding the threat for which the protective
design was done. It generally identifies the anticipated capabilities
and intents of the set of threats considered to be relevant to the
protection scheme.
Deceptions used to {conceal the nature of use of
location / limit knowledge of content and locations}. Generally,
deception can be used to induce or suppress signals. Thus the placement
of a facing material on a building to conceal its nature will prevent
it from being detected as a particular type of facility, while the
introduction of sounds and sights normally associated with the depicted
type of building will support that deception.
The {nature of use} of the location {concealed /
not advertised / not mapped} where feasible. These are forms of
concealment (and thus deceptions) where different facets of the plant
or facility are made less available to those who might be seeking
particular places. For example, maps that point out the areas with
explosive chemicals might make it easier for those who are trying to
cause explosions to find those locations before the detection and
response process of the facility is able to prevent their further
progress toward that goal.
Accessibility limited to {the extent feasible /
normal plant controls}. Access is normally limited for health,
safety, liability, and other reasons. However, when consequences
warrant it, additional access limitations are put in place for
improved protection effectiveness and separation of physical access to
areas associated with zones and subzones.
Barriers determined based on {attack graph
analysis / design basis threat / facility safety / property protection
/ normal plant} needs {fully / partially} separate {some / all}
container areas {not requiring direct connectivity / as needed for
health and safety} where feasible {and passage through container areas
to reach other container areas is such that higher consequence
contained areas are within lower consequence areas}. Generally,
barriers to physical passage are used to assure separation of one area
from another. Depending on the type and nature of the areas, the
separation quality, thoroughness, strength, and time requirements, and
the level of surety desired, these areas can be more completely
separated at different levels of physicality. For example, a container
that seals against gas leakage between subzones will have a much finer
level of containment and have to be much more comprehensive in
coverage than a fence that stops employees from going between two
plant areas.
Construction designed to meet {normal needs of the
plant / specific needs of the plant / specific needs for defending
against threat(s)} and to the specification of {the plant environment
/ environmental threat conditions}. Generally, construction must
meet building codes and other general requirements for the overall
plant as well as specific needs for specific areas of the plant, such
as clean rooms, hot rooms, etc. In addition, special construction may
be needed for dealing with specific threats, for example, facilities
designed to be hit by aircraft may require special construction above
and beyond the needs of containment for environmental hazards such as
leaks.
Zones are separated and defined based on {access /
response / separation} requirements {and structured so as to make zone
traverse inconvenient and unnecessary to the extent feasible in normal
operation, with higher consequence zones harder to reach than lower
consequence zones}. In essence, protective zones are structured
so as to meet the topological needs of the plant and at the same time,
provide adequate protection so that detection and response can be
timely, prevention effective, and deterrence operable.
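The zone structure described above (higher consequence zones harder to reach than lower consequence zones, and zone traverse unnecessary in normal operation) can be checked mechanically once the zones, their consequence levels, and the openings between them are written down. The following is an added example, not part of the original page and not the author's method: the zone names, consequence levels, and adjacencies are constructed, and the two checks it applies (no opening skips a consequence layer; no zone is reachable from the World only by crossing a more sensitive zone) are this example's reading of the requirement.

```python
"""Check a facility's zone layout against two properties asked of zones:
higher consequence zones lie within lower consequence zones, and normal
traffic never has to cross a more sensitive zone to reach a less sensitive
one.  Added example; the layout below is constructed for illustration."""
from collections import deque

# Constructed zone layout: zone name -> consequence level (0 is the World).
CONSEQUENCE = {
    "World": 0,
    "Parking": 1,
    "Lobby": 1,
    "Loading dock": 1,
    "Offices": 2,
    "Break room": 2,
    "Control room": 3,
    "Wire closet": 3,
    "Chem store": 3,
}

# Constructed openings (doors, gates) between zones; each is passable both ways.
ADJACENT = [
    ("World", "Parking"),
    ("Parking", "Lobby"),
    ("Lobby", "Offices"),
    ("Offices", "Control room"),
    ("Control room", "Wire closet"),
    ("World", "Loading dock"),
    ("Loading dock", "Chem store"),   # defect: level 3 opens straight onto level 1
    ("Control room", "Break room"),   # defect: the only way into the break room
]


def _neighbours(adjacent):
    nbr = {}
    for a, b in adjacent:
        nbr.setdefault(a, set()).add(b)
        nbr.setdefault(b, set()).add(a)
    return nbr


def skipped_layers(consequence=CONSEQUENCE, adjacent=ADJACENT):
    """Openings that step from a zone straight into one more than a single
    consequence level higher: the higher zone is then not wrapped in a zone
    of the level between, so it is no harder to reach than the lower one."""
    found = []
    for a, b in adjacent:
        low, high = sorted((a, b), key=consequence.__getitem__)
        if consequence[high] - consequence[low] > 1:
            found.append((low, high))
    return found


def forced_traversals(consequence=CONSEQUENCE, adjacent=ADJACENT):
    """Zones that cannot be reached from the World without crossing a zone of
    higher consequence than themselves, so normal flow to them would have to
    traverse a more sensitive zone."""
    nbr = _neighbours(adjacent)
    found = []
    for zone, level in consequence.items():
        if zone == "World":
            continue
        # Breadth-first search from the World, never entering a zone above `level`.
        seen, queue = {"World"}, deque(["World"])
        while queue:
            for nxt in nbr.get(queue.popleft(), ()):
                if nxt not in seen and consequence[nxt] <= level:
                    seen.add(nxt)
                    queue.append(nxt)
        if zone not in seen:
            found.append(zone)
    return found


if __name__ == "__main__":
    print("openings that skip a layer:", skipped_layers())
    print("zones reachable only through a more sensitive zone:", forced_traversals())
```

On the constructed layout the first check reports the door from the loading dock into the chemical store, and the second reports the break room, which can only be entered through the control room. Both are the kind of topological finding that a floor plan review tends to miss and that an attack graph analysis would surface.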
Perimeters designed to {meet health and safety
code and property protection requirements / restrict authorized entry
at {normal plant property entry points / a distance determined by
analysis}}. Health and safety standards apply to all plants, as do
most property protection requirements. Most plants prohibit entry
except to authorized personnel, although some have viewing areas and
other similar entrances. Access is typically limited further from the
critical consequence areas as consequences and threat capabilities
increase, and for high consequence situations, perimeters are typically
designed to create delays required to allow response forces to react
after detection in time to mitigate potentially serious negative
consequences.
Entry paths appropriate to {health and safety
requirements on access / normal operation of the plant} {and limited
to {defined paths for operating modes / normal paths used in
operations and emergency evacuation or response paths / the minimum
number required for safety and security}}. Entry and exit paths
are more limited for higher surety relating to access, but with limits
associated with the need for evacuation and access by emergency
personnel (see emergency modes). Paths may also be designed so as to
increase time to reach high consequence areas during normal operation
and decrease time during emergencies.
Flow paths designed {for normal plant operational
efficiency / to limit flows to tend to remain within zones and
minimize inter-zone flows}. The flow of people and things is
normally designed to assure that all necessary checks for safety and
security are met en route from one place to another and to assure that
these requirements are not bypassed by altering or avoiding the normal
travel path through the facility.
Signs appropriate to {health and safety needs of
{property access / the plant} / inward and outward flows of traffic /
warning prohibition from unauthorized entry} {without revealing the
nature of the facility}. Signs may or may not reveal information
about the plant and yet still be effective at warning about necessary
hazards, controlling flows of people and machines, meeting health and
safety requirements, and warning about unauthorized entry.
Emergency modes {predefined / defined} {and flows
restricted} so that in emergencies, {flow goes from higher consequence
to lower consequence areas / containers allow exit-only or lockdown as
appropriate / emergency evacuation and response paths are facilitated}
based on {normal operations / attack graphs / design basis
threat}. Everything done in normal operation has to be
reconsidered for different emergency scenarios so that in emergencies,
some parts of plants are shut down, others opened for emergency
personnel, others shut to normal personnel, and flows and access
changes made appropriate to the needs of the emergency. These are
normally predefined for the design basis threat and anticipated
scenarios.
Locking devices are suitable to {normal worker
access controls / consequences / attack time requirements}.
Locking devices, including the things that they lock, are normally
designed to keep times for legitimate entry to a minimum while slowing
illegitimate (covert) entry. These requirements vary with the
threat environment and expectations of the locking mechanism. For
example, locker rooms have different requirements than classified
facilities, which are different from control rooms and wire closets.
Sensors used on {containers / barrier / facility /
perimeter / property / closed areas} {approach / entry / exit /
passage / access / movement within / breach} detect {authorized /
unauthorized} {use / access / presence / absence} {in real-time / upon
inspection} to meet {property protection / security-specific}
needs. Sensors must be able to sense the desired observables so
that the detection and response process can occur in time to mitigate
potentially serious negative consequences. The specifics depend on the
specific requirements of the protective architecture.
Response forces and times are determined by
{safety and operational needs / needs of similar sorts of plants /
normal plant requirements / analysis of attack graphs}. Response
forces and times are dictated by different requirements depending on
the consequences associated with timely and slower response. The
design basis threat comes into play here so that for larger groups of
more capable attackers, stronger, larger, and faster response forces
and times are required. Of course, safety, health, and other similar
plant requirements always apply, but as consequences and threats
increase, so must response force capabilities. Generally, responses
should be fast enough, and have adequate force, to mitigate potentially
serious negative consequences in the interval between the time alarms
are recognized (after bad things have started to happen) and the time
the response becomes adequately effective.
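The reasoning in the Perimeters and Response forces paragraphs above (barriers create delay, but only delay that remains after detection gives the response force time to act) can be made concrete with a timeline over an ordered path of protection layers. The following is an added example, not part of the original page and not the author's method: the layers, their delay and detection values, and the response times are constructed, and the model it applies (sum the delay from the first detecting layer inward and compare it with the response time) is a deliberate simplification of attack-graph analysis, assuming a sensor alarms as its layer is approached or attacked.

```python
"""Timeline check of whether response forces can act before an adversary
finishes a path through the protection layers.  Added example; the layers,
their delay and detection values, and the response times are constructed,
and the model (count only the delay from the first detection inward, then
compare with the response time) is a simplification of attack-graph analysis."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: int    # seconds this layer holds the design basis threat
    detects: bool   # a sensor alarms as the layer is approached or attacked


# Constructed path through the layers of the page's model, outermost first.
PATH = [
    Layer("Property fence", delay_s=30, detects=False),
    Layer("Perimeter door", delay_s=90, detects=True),
    Layer("Facility zone door", delay_s=120, detects=True),
    Layer("Container (safe)", delay_s=600, detects=True),
]


def delay_after_detection(path):
    """Seconds of delay still ahead of the adversary when the first alarm is
    raised.  Delay spent before any sensor fires buys the response force
    nothing.  Returns None when no layer on the path detects at all."""
    for i, layer in enumerate(path):
        if layer.detects:
            return sum(l.delay_s for l in path[i:])
    return None


def response_is_timely(path, response_s):
    """True if the response force arrives before the remaining delay runs out."""
    remaining = delay_after_detection(path)
    return remaining is not None and remaining > response_s


def critical_detection_point(path, response_s):
    """Innermost layer at which detection would still leave more delay than
    the response time; detection any deeper than this is too late.  None if
    even detection at the outermost layer leaves too little delay."""
    point = None
    for i, layer in enumerate(path):
        if sum(l.delay_s for l in path[i:]) > response_s:
            point = layer.name
    return point


if __name__ == "__main__":
    for response_s in (300, 700, 900):
        print(f"response {response_s}s: timely={response_is_timely(PATH, response_s)}, "
              f"detect no later than {critical_detection_point(PATH, response_s)}")
```

Two things the numbers show that the prose only states: the fence's delay is wasted because nothing on it detects, so instrumenting the outermost layer adds 30 seconds of usable delay without touching a single barrier; and as the response time grows the critical detection point moves outward, until at 900 seconds no placement of sensors on this path is enough and either delay or response force has to change.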
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved