Fri Apr 8 06:51:40 PDT 2016

Technology: Physical Perimeters: What physical perimeters have what protection mechanisms?


Options:

For each type of physical facility, describe what protective mechanisms are associated with each physical protection layer.

World
Location / Mapping / Accessibility / Deceptions / Response forces and times
Property
Perimeters / Signs / Entry paths / Barriers / Sensors / Response forces
Perimeters
Construction / Signs / Deceptions / Entry paths / Barriers / Sensors / Emergency modes / Response times and forces
Facilities
Construction / Zones / Flow paths / Barriers / Sensors / Locking devices / Emergency modes / Response times and forces
Containers
Construction / Barriers / Sensors / Locking devices / Emergency modes / Response forces and times
Physical separation requirements for zone(s) of type XXX

Decision:

Typical controls for different risk levels are identified here:


High Risk

World
Location concealed where feasible. Mapping does not designate nature of facility. Accessibility limited to the extent feasible. Deceptions used to conceal the nature of use of location. Response forces and times determined by analysis of attack graphs. Design basis threat applied.
Property
Perimeters restricted to authorized entry at a distance determined by analysis. Signs warning prohibition from unauthorized entry without revealing the nature of the facility. Entry paths restricted to the minimum number required for safety and security. Barriers determined based on attack graph analysis. Sensors used to detect barrier approach, passage, and access to unauthorized areas of the property. Response forces and times determined by analysis of attack graphs. Design basis threat applied.
Perimeters
Construction designed to meet specific needs for defending against threat(s). Signs direct inward and outward flows of traffic without revealing the nature of the facility. Deceptions used to limit knowledge of content and locations within the perimeters other than "Parking" and other locations required for initial entry to facility access controls. Entry paths limited to defined paths for operating modes. Barriers determined based on attack graph analysis and design basis threat. Sensors used to detect perimeter approach, passage, and access to unauthorized areas within the perimeter(s). Emergency modes predefined based on analysis of attack graphs, normal operations, and design basis threat. Response times and forces determined by analysis of attack graphs. Design basis threat applied.
Facilities
Construction designed to meet specific needs for defending against threat(s). Zones separated and defined based on access, response, and separation requirements and structured so as to make zone traverse inconvenient and unnecessary to the extent feasible in normal and emergency operating modes, with higher consequence zones harder to reach than lower consequence zones. Flow paths designed to limit flows to tend to remain within zones and minimize inter-zone flows. Barriers determined based on attack graph analysis. Sensors used to detect facility approach, entry, movement within, and access to unauthorized as well as authorized areas within the facility. Emergency modes defined and flows restricted to the extent feasible so that in emergencies, flow goes from higher consequence to lower consequence areas with reentry into higher consequence areas limited even during emergency evacuation to the extent feasible. Locking devices are suitable to the consequences and attack time requirements. Response times and forces are determined by analysis of attack graphs. Design basis threat applied.
Containers
Construction is to the specification associated with the applicable environmental threat conditions. Barriers fully separate all container areas not requiring direct connectivity where feasible and passage through container areas to reach other container areas is such that higher consequence contained areas are within lower consequence areas. Sensors are used on containers to detect unauthorized access in real-time. Emergency modes for containers allow exit-only or lockdown as appropriate. Locking devices are suitable to the consequences and attack time requirements. Response forces and times are determined by analysis of attack graphs. Design basis threat applied.

Other requirements: All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions.
Physical protection requirements for high risk facilities

Medium Risk

World
Location not advertised where feasible. Mapping does not designate nature of facility. Accessibility limited to the normal plant controls. The nature of use of the location is not advertised. Response forces and times determined by normal needs of similar sorts of plants.
Property
Perimeters restricted to authorized entry at normal plant property entry points. Signs warning prohibition from unauthorized entry. Entry paths appropriate to normal operation of the plant. Barriers determined based on property protection needs. Sensors used to detect unauthorized entry to closed areas of the property. Response forces and times determined by normal plant requirements.
Perimeters
Construction designed to meet normal needs of the plant. Signs direct inward and outward flows of traffic. Entry paths limited to normal paths used in operations and emergency evacuation or response paths. Barriers determined based on facility safety needs. Sensors used to detect perimeter breaches and access to unauthorized areas within the perimeter(s). Emergency modes predefined based on safety and emergency evacuation or response paths. Response times and forces determined by safety and operational needs.
Facilities
Construction designed to meet specific needs of the plant. Zones separated and defined based on access requirements and structured so as to make zone traverse inconvenient and unnecessary to the extent feasible in normal operation, with higher consequence zones harder to reach than lower consequence zones. Flow paths designed to limit flows to tend to remain within zones and minimize inter-zone flows. Barriers determined based on normal plant needs. Sensors used to detect unauthorized facility or area entry. Emergency modes defined and flows restricted so that in emergencies, flow goes from higher consequence to lower consequence areas. Locking devices suitable to the consequences. Response times and forces are determined by safety and operational needs.
Containers
Construction is to the specification associated with the plant environment. Barriers should separate containers not requiring direct connectivity where feasible. Sensors are used on containers to detect unauthorized access upon inspection. Emergency modes for containers allow exit-only or lockdown as appropriate. Locking devices are suitable to the consequences. Response forces and times are determined by safety and operational needs.

Other requirements: All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions.
Physical separation requirements for medium risk facilities

Low Risk

World
No special security controls.
Property
Perimeters designed to meet health and safety code and property protection requirements. Signs appropriate to health and safety requirements on property access. Entry paths appropriate to health and safety requirements on property access. Barriers suited to appropriate health and safety requirements on property access. No special sensors required for security. Response forces and times are determined by safety and operational needs.
Perimeters
Construction designed to meet normal needs of the plant. Signs appropriate to health and safety needs of the plant. Entry paths limited to normal paths used in operations and emergency evacuation or response paths. Barriers determined based on facility safety needs. Sensors designed for property protection needs. Emergency modes predefined based on safety and emergency evacuation or response paths. Response times and forces determined by safety and operational needs.
Facilities
Construction designed to meet specific needs of the plant. Zones separated and defined based on access requirements. Flow paths designed for normal plant operational efficiency. Barriers determined based on normal plant needs. Sensors designed for property protection needs. Emergency modes predefined based on safety and emergency evacuation or response paths. Response times and forces determined by safety and operational needs.
Containers
Construction is to the specification associated with the plant environment. Barriers should separate containers as needed for health and safety. Sensors designed for property protection needs. Emergency modes predefined based on safety and emergency evacuation or response needs. Locking devices are suitable to normal worker access controls. Response forces and times are determined by safety and operational needs.

Other requirements: All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions.
Physical separation requirements for low risk facilities

Identify the zone separation specifics for each relevant class of separation requirements applicable and codify:

World
Location / Mapping / Accessibility / Deceptions / Response forces and times
Property
Perimeters / Signs / Entry paths / Barriers / Sensors / Response forces
Perimeters
Construction / Signs / Deceptions / Entry paths / Barriers / Sensors / Emergency modes / Response times and forces
Facilities
Construction / Zones / Flow paths / Barriers / Sensors / Locking devices / Emergency modes / Response times and forces
Containers
Construction / Barriers / Sensors / Locking devices / Emergency modes / Response forces and times
Physical separation requirements for zone(s) of type XXX

Basis:

All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions. Generally, all facilities must meet legal, regulatory, and management defined requirements.

Design basis threat applied. A design basis threat is an assumption regarding the threat for which the protective design was done. It generally identifies the anticipated capabilities and intents of the set of threats considered to be relevant to the protection scheme.

Deceptions used to {conceal the nature of use of location / limit knowledge of content and locations}. Generally, deception can be used to induce or suppress signals. Thus the placement of a facing material on a building to conceal its nature will prevent it from being detected as a particular type of facility, while the introduction of sounds and sights normally associated with the depicted type of building will support that deception.

The {nature of use} of the location {concealed / not advertised / not mapped} where feasible. These are forms of concealment (and thus deceptions) where different facets of the plant or facility are made less available to those who might be seeking particular places. For example, maps that point out the areas with explosive chemicals might make it easier for those who are trying to cause explosions to find those locations before the detection and response process of the facility are able to prevent their further progress toward that goal.

Accessibility limited to {the extent feasible / normal plant controls}. Access is normally limited for health, safety, liability, and other reasons. However, when consequences warrant it, additional access limitations are put in place for improved protection effectiveness and separation of physical access to areas associated with zones and subzones.

Barriers determined based on {attack graph analysis / design basis threat / facility safety / property protection / normal plant} needs {fully / partially} separate {some / all} container areas {not requiring direct connectivity / as needed for health and safety} where feasible {and passage through container areas to reach other container areas is such that higher consequence contained areas are within lower consequence areas}. Generally, barriers to physical passage are used to assure separation of one area from another. Depending on the type and nature of the areas, the separation quality, thoroughness, strength, and time requirements, and the level of surety desired, these areas can be more completely separated at different levels of physicality. For example, a container that seals against gas leakage between subzones will have a much finer level of containment and have to be much more comprehensive in coverage than a fence that stops employees from going between two plant areas.

Construction designed to meet {normal needs of the plant / specific needs of the plant / specific needs for defending against threat(s)} and to the specification of {the plant environment / environmental threat conditions}. Generally, construction must meet building codes and other general requirements for the overall plant as well as specific needs for specific areas of the plant, such as clean rooms, hot rooms, etc. In addition, special construction may be needed for dealing with specific threats, for example, facilities designed to be hit by aircraft may require special construction above and beyond the needs of containment for environmental hazards such as leaks.

Zones are separated and defined based on {access / response / separation} requirements {and structured so as to make zone traverse inconvenient and unnecessary to the extent feasible in normal operation, with higher consequence zones harder to reach than lower consequence zones}. In essence, protective zones are structured so as to meet the topological needs of the plant and at the same time, provide adequate protection so that detection and response can be timely, prevention effective, and deterrence operable.

Perimeters designed to {meet health and safety code and property protection requirements / restrict authorized entry at {normal plant property entry points / a distance determined by analysis}}. Health and safety standards apply to all plants, as do most property protection requirements. Most plants prohibit entry except to authorized personnel, although some have viewing areas and other similar entrances. Access is typically limited further from the critical consequence areas as consequences and threat capabilities increase, and for high consequence situations, perimeters are typically designed to create delays required to allow response forces to react after detection in time to mitigate potentially serious negative consequences.

Entry paths appropriate to {health and safety requirements on access / normal operation of the plant} {and limited to {defined paths for operating modes / normal paths used in operations and emergency evacuation or response paths / the minimum number required for safety and security}}. Entry and exit paths are more limited for higher surety relating to access, but with limits associated with the need for evacuation and access by emergency personnel (see emergency modes). Paths may also be designed so as to increase time to reach high consequence areas during normal operation and decrease time during emergencies.

Flow paths designed {for normal plant operational efficiency / to limit flows to tend to remain within zones and minimize inter-zone flows}. The flow of people and things is normally designed to assure that all necessary checks for safety and security are met en route from one place to another and to assure that these requirements are not bypassed by altering or avoiding the normal travel path through the facility.

Signs appropriate to {health and safety needs of {property access / the plant} / inward and outward flows of traffic / warning prohibition from unauthorized entry} {without revealing the nature of the facility}. Signs may or may not reveal information about the plant and yet still be effective at warning about necessary hazards, controlling flows of people and machines, meeting health and safety requirements, and warning about unauthorized entry.

Emergency modes {predefined / defined} {and flows restricted} so that in emergencies, {flow goes from higher consequence to lower consequence areas / containers allow exit-only or lock-down as appropriate / emergency evacuation and response paths are facilitated} based on {normal operations / attack graphs / design basis threat}. Everything done in normal operation has to be reconsidered for different emergency scenarios so that in emergencies, some parts of plants are shut down, others opened for emergency personnel, others shut to normal personnel, and flows and access changes made appropriate to the needs of the emergency. These are normally predefined for the design basis threat and anticipated scenarios.

Locking devices are suitable to {normal worker access controls / consequences / attack time requirements}. Locking devices including the things that they lock are normally designed to force minimum times for legitimate entry and slow illegitimate (inobvious) entry. These requirements vary with the threat environment and expectations of the locking mechanism. For example, locker rooms have different requirements than classified facilities, which are different from control rooms and wire closets.

Sensors used on {containers / barrier / facility / perimeter / property / closed areas} {approach / entry / exit / passage / access / movement within / breach} detect {authorized / unauthorized} {use / access / presence / absence} {in real-time / upon inspection} to meet {property protection / security-specific} needs. Sensors must be able to sense the desired observables so that the detection and response process can occur in time to mitigate potentially serious negative consequences. The specifics depend on the specific requirements of the protective architecture.

Response forces and times are determined by {safety and operational needs / needs of similar sorts of plants / normal plant requirements / analysis of attack graphs}. Response forces and times are dictated by different requirements depending on the consequences associated with timely and slower response. The design basis threat comes into play here so that for larger groups of more capable attackers, stronger, larger, and faster response forces and times are required. Of course safety and health and other similar plant requirements always apply, but as consequences and threats increase, so must response force capabilities. Generally, responses should be fast enough and have adequate force to mitigate potentially serious negative consequences between the time alarms are recognized (after bad things happen) and the response is adequately effective.
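The timing relationship between sensors, barrier delay, and response described above can be checked per path through the protection layers. The following is an added example, not part of the original page: the path names, delays, and detection probabilities are constructed, and it assumes sensing happens on arrival at a layer and that layers detect independently.

```python
from math import prod

# Constructed sample data: each path is an ordered list of
# (layer, barrier_delay_seconds, sensor_detection_probability).
# Assumption: a layer's sensor fires on arrival, before its delay is spent.
PATHS = {
    "main gate": [
        ("Property", 30, 0.0),
        ("Perimeter", 60, 0.9),
        ("Facility", 120, 0.8),
        ("Container", 300, 0.5),
    ],
    "service entrance": [
        ("Property", 30, 0.0),
        ("Perimeter", 20, 0.0),
        ("Facility", 90, 0.9),
        ("Container", 300, 0.5),
    ],
}

def remaining_delay(path, i):
    """Delay still ahead of someone who has just arrived at layer i."""
    return sum(delay for _, delay, _ in path[i:])

def critical_detection_point(path, response_s):
    """Last layer at which detection still leaves time to respond.

    Returns None when even detection at the first layer is too late.
    """
    last = None
    for i, (layer, _, _) in enumerate(path):
        if remaining_delay(path, i) >= response_s:
            last = layer
    return last

def timely_detection_probability(path, response_s):
    """Probability that at least one sensor fires early enough to matter.

    Only sensors at or before the critical detection point count; a
    detection after it cannot be answered in time.
    """
    misses = [1.0 - p for i, (_, _, p) in enumerate(path)
              if remaining_delay(path, i) >= response_s]
    return 1.0 - prod(misses)  # prod([]) == 1, so no usable sensor -> 0.0

def weakest_path(paths, response_s):
    """Path with the lowest timely-detection probability (the design driver)."""
    return min(paths, key=lambda n: timely_detection_probability(paths[n], response_s))

if __name__ == "__main__":
    for name, path in PATHS.items():
        print(name, critical_detection_point(path, 400),
              round(timely_detection_probability(path, 400), 3))
```

With a 400 second response time, the constructed "service entrance" path scores zero even though it has a good facility sensor, because that sensor sits past the critical detection point; the remedy is earlier sensing, more delay after the sensor, or a faster response.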

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved