Backbone Support

Site protection requires training, vigilance and the latest electronic equipment

• By John Nemerofsky
• Aug 07, 2020

Our nation’s critical infrastructure serves as the backbone supporting activities at manufacturing plants to elementary schools. The network of power plants, water facilities, bridges and more are so vital that any significant disruption of their operations could profoundly impact our nation’s economy, public health or safety.

The USA Patriot Act defines 16 critical infrastructure sectors. Protecting thousands of sites against both foreign and domestic terrorists requires training, vigilance and layers of the latest electronic equipment and some of the most basic security activities.

HARDEN THE PERIMETER

It is best to stop intruders before they reach their targets. Many critical infrastructure facilities install perimeter fencing incorporating fiber optic sensors. These sensors detect disruptions in light sent down the length of the cable. They integrate with software controlling security cameras, including low-light infrared devices, to provide first responders with live video of attempted breaches. Waterfront properties discourage divers by using the same type of fiber cable woven into anchored, stainless-steel rope fences. Trees along the perimeter should be removed or regularly trimmed so they don’t allow intruders to scale barriers.

Terrorists have successfully used vehicles to deliver explosive payloads. A 15,000-pound truck traveling at 50 miles per hour can be stopped by fencing made of the same steel cable used to catch fighter jets landing on an aircraft carrier.

Also, fortified gates with an installed video intercom enable a security officer to see and have a two-way conversation with vehicle drivers before remotely opening the barrier. A card reader can be either separately mounted or embedded in the intercom allowing employees to use a card-key to enter without assistance.

Extra lighting around the perimeter acts as a deterrent to would-be attackers and enables patrolling guards to see better at night. Concrete bollards protect building entries from vehicular attacks while also serving as planters or benches that blend into an area’s landscape plan.

Access control. Access control protects buildings and critical areas within. Keypads or readers at entries to sensitive areas limit access to authorized employees, vendors and visitors. The credentials, which also serve as photo ID badges, should be worn whenever a person is on secured property. The cards also may include colored stripes, quickly indicating which areas a person is authorized to access.

Mobile credentialing allows vendors to access unattended sites such as remote utility substations without an escort. Vendors download a mobile app and email credential to their smartphones. The device’s Bluetooth technology signals the access control reader or keyless padlock to allow entry. Security is enhanced as mobile credentialing requires possession of the smartphone, a PIN or biometric verification to unlock the device, the app and a downloaded credential. The smartphone’s built-in GPS enables security officers to precisely track each phone and its owner.

Highly secured areas such as airport tarmac entries, laboratories and security command centers often require a second identity authenticator. Biometric readers using iris, fingerprint or facial recognition are commonly used.

Video. Surveillance cameras provide security officers with realtime views of facilities, both inside and out. Cameras should be positioned at all external entry points, as well as in any lobbies, interior hallways and at secure rooms to enable officers to see who enters. Network-based cameras allow video monitoring from remote command centers or on smart devices of patrolling officers.

Thermal cameras spot people at night and may also identify those with elevated body temperatures, a potential sign of a COVID- 19 virus infection. The Centers for Disease Control recently advised that critical infrastructure employees be permitted to work after possible exposure to COVID-19 as long as they remain asymptomatic and precautions to protect them and other workers are added.

Drones. They may be both an asset and a liability when it comes to protecting critical infrastructure. A drone with a mounted video camera can provide security officers with excellent aerial views of the immediate perimeter, and beyond, to see early warnings of a potential attack.

However, drones may also be used by terrorists to spy as well as to deliver explosives and other hazardous materials. Non-military drones can carry 20-plus-pound payloads for distances up to 20 miles – or more – and can easily travel at speeds of 40 miles per hour.

U.S. law has not fully caught up with the threat drones represent. Currently, private organizations are prohibited from shooting down drones or using electronic signals to jam a pilot’s control capabilities. However, a 2018 federal law gives the Department of Homeland Security and the FBI authority to disable drones that pose a threat to critical infrastructure.

Systems, including radar technology, can spot drones and provide information on a pilot’s location, the drone type and the controller’s IP address. Data is displayed on a smartphone app and may be shared with authorities for possible apprehension and prosecution of the pilot.

Resiliency. This implies an ability to withstand and rapidly recover from an attack, accident or natural disaster. Protecting people should be the first step taken during and immediately following an emergency. Emergency notification systems are essential for sharing information to avoid panic that increases the likelihood of injuries and possible deaths.

Fire systems are often a first-line choice for notifying people via email blasts, sirens, voice and strobe lights. Separate highpower speaker arrays share emergency information over larger areas. Tower-mounted speakers can deliver intelligible live and pre-recorded messages at distances of up to a third of a mile or more, depending upon topography.

Smartphone apps, may be developed for a specific site, enable employees to report suspicious activity and receive text, voice and email warnings from the security staff. Officers can use apps to contact people en route to a site, alerting them to an emergency and advising them to stay away until the situation is resolved.

Critical infrastructure sites require backup generators to continue emergency operations in case of a power failure. Protecting key employees as they travel also may avoid or reduce operational disruptions. Critical management software providers can warn of significant threats worldwide, enabling people to eliminate or re- route travel plans.

Security teams need to create an emergency plan that includes procedures for shelter-in-place and evacuations. Regularly conducted drills allow the team to check the operability of communications systems and response times. The results of each exercise should be reviewed and used to make changes to the plan, if necessary.

In case of an attack, a well-trained security team will help shorten the recovery process.

Consider an integrator’s offer to embed an experienced employee or two as part of a site’s security team.

Risk assessments. Before creating a new plan, work with an outside security integrator to help conduct a risk assessment. It’s easy for the in-house security team to overlook deficiencies due to familiarity with the site. An experienced integrator will review legacy systems and suggest where new tactics and solutions are warranted. The assessment helps security directors focus their limited budgets on those areas most in need of improvement.

Plans for new critical infrastructure or renovations of existing sites should include physical security requirements from the outset. The results are often more effective security at a lower cost.

Cyberattacks. Cybersecurity plays an increasingly important role as virtually all modern physical security systems rely on network connections. Those connections that improve security operations also increase the risk of a successful cyberattack. Security officials must harden their system software with firewalls and anti-malware to reduce the chance of the devices providing hackers a pathway into the network.

To use a site workstation, employees should use Personal Identity Verification (PIV) cards with greater encryption and embedded biometric data authenticated by a separate reader. Also, keep the organization’s laptops and mobile phones locked up when not in use.

Cyber and physical attacks differ in nature, but the results may be the same – a segment of the nation’s critical infrastructure being out of service. And a review of recent cyberattacks on government, financial and retail organizations shows almost any group is susceptible to dedicated and sophisticated hackers.

These are just a few highlights of all the steps required to secure critical infrastructure. Work with an experienced integrator to provide current best practices. And plan on working closely with federal, state and local first responders to improve communication and coordination during an emergency.

The security needs of each critical infrastructure site may vary widely based on its use and location. More than 80 percent of these sites are owned by non-governmental organizations, with their own budgets and views on protecting employees and assets. Any security solution requires multiple layers of integrated systems. There is no one technology capable of meeting all physical and cybersecurity needs.

Also, not all disruptions are due to terrorists. Other causes may include severe weather and other natural disasters, pandemics and accidents. Security directors must always plan, prepare, monitor, and, when necessary, react and innovate to harden their facilities against all threats.

This article originally appeared in the July / August 2020 issue of Security Today.