Be Strong
Asset and infrastructure protection: only as good as the weakest link
- By Peter Boriskin
- Jul 11, 2018
There are assets within our buildings, towns, states and
across the nation that make up the totality of what
can be considered a network of critical infrastructure.
These assets include transportation systems, water/
power/gas utilities, information and communications
networks, and municipal and emergency services.
It is not an overstatement to say that protecting a single asset plays
a critical role in the health of the rest of the infrastructure network.
Consider the importance of a single cell phone tower or fire department
in the aftermath of a storm. Or, consider the need to keep natural
gas lines and power stations protected from any type of impact.
Looking at examples of how municipalities or governments protect
these assets can help businesses plan as well. Critical infrastructure
for businesses often shares similar needs with municipalities:
how do we best protect servers, structures and the people who live
and work in private buildings?
When we look at securing the assets that make up our critical infrastructure
we look at it with a two-pronged approach:
- How do we physically secure or safeguard these areas to keep out
individuals attempting to tamper with them?
- How do we make these assets resilient to natural disasters and
other emergency events?
The built environment has a major role to play in both of these
areas, and physical security—including doors, door hardware and access
control—is one of the most important considerations in protecting
important assets.
Physical Security
To protect critical assets within a building, managers must first identify
what is critical to the community, the business and/or the people
served. There are a few guidelines on this as outlined by both the federal
government and third-party groups. That said, the goal is typically
to assess both physical and digital assets that must be protected
for the benefit of the organization, and then seek ways to eliminate
any vulnerabilities that might allow unauthorized access.
In terms of physical security, one of the best ways to keep an individual
out of a specific area is to use the appropriate combination
of doors, door hardware and access control components to thwart
would-be intruders. For some, this can be as simple as installing components
from a trustworthy manufacturer.
It is also critical to undergo routine maintenance checks of all
assets. Ensure that all doors and hardware are in working condition.
Do the doors close and latch? Do the keys and locks work? Regularly
take a key inventory, and if keys are constantly missing, consider
moving to an electronic access control system or intelligent key solution
to mitigate this risk.
A well-looked-after facility is always the first step in thwarting a
physical intrusion. However, there are unique situations that could
require a more robust level of protection.
Specialty Solutions
Attack-resistant openings have the ability to repel physical attacks for
a sustained period of time. These solutions can withstand an attack
from hand tools and firearms and are often used for life-safety. That
said, the opening can also be installed to thwart an attack on a room
or location that houses critical assets.
Taking that thought a step farther, blast-resistant openings are
also designed to meet the standards needed on critical government
buildings such as military installations and embassy buildings. If the
facility or asset you are tasked with protecting requires this level of
protection, be aware that there are solutions available.
Additional specialized solutions like radio frequency shielding,
for example, are available on doors and openings to keep sensitive
equipment from potential harm.
Digital Assets
When it comes to protecting digital assets from unauthorized access,
NERC (North American Electric Reliability Corporation) standards
for Critical Infrastructure Protection (CIP) include specifics for digital
security.
- Standard CIP-006-3c was established to ensure the implementation
of a physical security program for the protection of critical
cyber assets.
- Standard CIP-006-5 was established to manage physical access to
Bulk Electric Systems (BES) cyber systems by specifying a physical
security plan to protect these systems against compromise that
could lead to mis-operation or instability in the BES.
Intelligent locking and key systems, which not only provide robust
physical security but also digital rights management and access
audit trails, are ideally suited to help utilities which follow NERC
standards. These systems also work well in verticals such as data centers,
public buildings, financial institutions, hospitals or any business
where server racks are storing critical information.
Further, as intelligent locks and keys can be fit to almost any type
of cabinet or opening, the use extends far beyond just digital assets.
Hospitals have a need to protect narcotics, medical supplies and patient
records. Banks also store paper records that need to be kept
under robust lock and key. Several corporate users, from small and
midsize business to enterprise, could benefit from ensuring that their
paper assets or supplies remain secure.
Many intelligent locks have added resilience by leveraging battery
power, which allows them to be untethered from the power grid status.
With access control information stored either locally on the lock,
or on the credential itself, locks will still work in the event of a flood
or power outage.
This consideration dovetails in with the need for critical assets
to be resilient in the face of a natural disaster such as a hurricane or
tornado.
Hurricanes. When planning for hurricanes, the goal is to ensure
all doors, windows, walls and roofs remain in place on the building to
protect the interior and contents of the structure. Furthermore, in a
situation where high winds will pummel doors with debris, buildings
must be equipped with impact-rated doors and door hardware.
Hospitals, fire stations and police stations typically take a “defend
in place” type of approach during these events as they will be operationally
critical in the aftermath of a storm and may serve as shelters.
To protect these locations, building owners and integrators need to be
aware of what changes in air pressure or storm surge are likely to be
encountered during a storm—it may be necessary to install different
openings on the ground floor of a building as opposed to the 10th
floor, for example.
As noted previously, access control devices that can run in a
stand-alone mode—where power and credential management aren’t
dependent on a network or power grid—means security remains intact
even in the aftermath of a storm. For business and building owners
(regardless if they must remain operational in the aftermath of
a storm) keeping assets secure during this time may be critical. For
government facilities, access control devices that support mandated
PIV credentials and can function independent of a network or power
grid may be a consideration.
Tornados. Tornados are fundamentally different from hurricanes
in that the building is not intended to survive the impact of the storm.
Instead, buildings are built to ensure that the people inside of a tornado-
affected building survive. In regions of the country designated
as active tornado areas, it is a requirement to build code compliant
shelters in certain public buildings to ensure life-safety is prioritized.
An important reality of tornado-level events is that critical infrastructure
must rely on redundancy. For business, this means ensuring
mission critical assets are digitized and backed up using infrastructure
designed to tolerate failures gracefully, like a cloud-based solution.
For municipalities, it means relying on neighboring cities, counties
and the federal government to assist in critical operations. When
one link breaks, the others are ready to carry the load.
There are too many critical assets to count in this short of space—
power lines, grain silos, off-site data centers, water pumps, emergency
service buildings, shelter locations, financial institutions, and more
are all critical in some way. What is important to note is that having
each of these protected individually, is what ensures the entire critical
infrastructure network remains intact.
The Universal Solution
There is no “one size fits all” solution. Each building in every community
will have its own specific needs. That said, whether your role
requires safeguarding a fire station’s garage and ambulances, a utility
station located away from the city, or the HIPAA-protected patient
files at a hospital, there are solutions to meet those needs.
As a business or building owner, a facility manager, or anyone
with a role in protecting critical infrastructure, it’s imperative to
develop partnerships with leading local and national safety and
security experts. Local integrators and trusted
manufacturers are ready and willing to assist in
protecting the assets that are important to your
organization and potentially, to the community
at large.
This article originally appeared in the July/August 2018 issue of Security Today.