Site protection requires training, vigilance and the latest electronic equipment
- By John Nemerofsky
- Aug 07, 2020
Our nation’s critical infrastructure serves as the
backbone supporting activities at manufacturing
plants to elementary schools. The network of
power plants, water facilities, bridges and more
are so vital that any significant disruption of their
operations could profoundly impact our nation’s economy, public
health or safety.
The USA Patriot Act defines 16 critical infrastructure sectors.
Protecting thousands of sites against both foreign and domestic
terrorists requires training, vigilance and layers of the latest electronic
equipment and some of the most basic security activities.
HARDEN THE PERIMETER
It is best to stop intruders before they reach their targets. Many
critical infrastructure facilities install perimeter fencing incorporating
fiber optic sensors. These sensors detect disruptions in light
sent down the length of the cable. They integrate with software
controlling security cameras, including low-light infrared devices,
to provide first responders with live video of attempted breaches.
Waterfront properties discourage divers by using the same type of
fiber cable woven into anchored, stainless-steel rope fences. Trees
along the perimeter should be removed or regularly trimmed so
they don’t allow intruders to scale barriers.
Terrorists have successfully used vehicles to deliver explosive
payloads. A 15,000-pound truck traveling at 50 miles per hour
can be stopped by fencing made of the same steel cable used to
catch fighter jets landing on an aircraft carrier.
Also, fortified gates with an installed video intercom enable
a security officer to see and have a two-way conversation with
vehicle drivers before remotely opening the barrier. A card reader
can be either separately mounted or embedded in the intercom
allowing employees to use a card-key to enter without assistance.
Extra lighting around the perimeter acts as a deterrent to
would-be attackers and enables patrolling guards to see better at night. Concrete bollards protect building entries from vehicular attacks
while also serving as planters or benches that blend into an
area’s landscape plan.
Access control. Access control protects buildings and critical
areas within. Keypads or readers at entries to sensitive areas limit
access to authorized employees, vendors and visitors. The credentials,
which also serve as photo ID badges, should be worn
whenever a person is on secured property. The cards also may
include colored stripes, quickly indicating which areas a person
is authorized to access.
Mobile credentialing allows vendors to access unattended
sites such as remote utility substations without an escort. Vendors
download a mobile app and email credential to their smartphones.
The device’s Bluetooth technology signals the access control
reader or keyless padlock to allow entry. Security is enhanced
as mobile credentialing requires possession of the smartphone, a PIN or biometric verification to unlock the device, the app and a
downloaded credential. The smartphone’s built-in GPS enables
security officers to precisely track each phone and its owner.
Highly secured areas such as airport tarmac entries, laboratories
and security command centers often require a second identity
authenticator. Biometric readers using iris, fingerprint or facial
recognition are commonly used.
Video. Surveillance cameras provide security officers with realtime
views of facilities, both inside and out. Cameras should be
positioned at all external entry points, as well as in any lobbies,
interior hallways and at secure rooms to enable officers to see who
enters. Network-based cameras allow video monitoring from remote
command centers or on smart devices of patrolling officers.
Thermal cameras spot people at night and may also identify
those with elevated body temperatures, a potential sign of a COVID-
19 virus infection. The Centers for Disease Control recently
advised that critical infrastructure employees be permitted to
work after possible exposure to COVID-19 as long as they remain
asymptomatic and precautions to protect them and other
workers are added.
Drones. They may be both an asset and a liability when it
comes to protecting critical infrastructure. A drone with a mounted
video camera can provide security officers with excellent aerial
views of the immediate perimeter, and beyond, to see early warnings
of a potential attack.
However, drones may also be used by terrorists to spy as well as
to deliver explosives and other hazardous materials. Non-military
drones can carry 20-plus-pound payloads for distances up to 20
miles – or more – and can easily travel at speeds of 40 miles per hour.
U.S. law has not fully caught up with the threat drones represent.
Currently, private organizations are prohibited from shooting
down drones or using electronic signals to jam a pilot’s control
capabilities. However, a 2018 federal law gives the Department of
Homeland Security and the FBI authority to disable drones that
pose a threat to critical infrastructure.
Systems, including radar technology, can spot drones and
provide information on a pilot’s location, the drone type and the
controller’s IP address. Data is displayed on a smartphone app
and may be shared with authorities for possible apprehension and
prosecution of the pilot.
Resiliency. This implies an ability to withstand and rapidly
recover from an attack, accident or natural disaster. Protecting
people should be the first step taken during and immediately
following an emergency. Emergency notification systems are essential
for sharing information to avoid panic that increases the
likelihood of injuries and possible deaths.
Fire systems are often a first-line choice for notifying people
via email blasts, sirens, voice and strobe lights. Separate highpower
speaker arrays share emergency information over larger
areas. Tower-mounted speakers can deliver intelligible live and
pre-recorded messages at distances of up to a third of a mile or
more, depending upon topography.
Smartphone apps, may be developed for a specific site, enable
employees to report suspicious activity and receive text, voice and
email warnings from the security staff. Officers can use apps to
contact people en route to a site, alerting them to an emergency
and advising them to stay away until the situation is resolved.
Critical infrastructure sites require backup generators to continue
emergency operations in case of a power failure. Protecting
key employees as they travel also may avoid or reduce operational
disruptions. Critical management software providers can warn of
significant threats worldwide, enabling people to eliminate or re- route travel plans.
Security teams need to create an emergency plan that includes
procedures for shelter-in-place and evacuations. Regularly conducted
drills allow the team to check the operability of communications
systems and response times. The results of each exercise should be
reviewed and used to make changes to the plan, if necessary.
In case of an attack, a well-trained security team will help
shorten the recovery process.
Consider an integrator’s offer to embed an experienced employee
or two as part of a site’s security team.
Risk assessments. Before creating a new plan, work with an
outside security integrator to help conduct a risk assessment. It’s
easy for the in-house security team to overlook deficiencies due
to familiarity with the site. An experienced integrator will review
legacy systems and suggest where new tactics and solutions are
warranted. The assessment helps security directors focus their
limited budgets on those areas most in need of improvement.
Plans for new critical infrastructure or renovations of existing
sites should include physical security requirements from the outset.
The results are often more effective security at a lower cost.
Cyberattacks. Cybersecurity plays an increasingly important
role as virtually all modern physical security systems rely on
network connections. Those connections that improve security
operations also increase the risk of a successful cyberattack. Security
officials must harden their system software with firewalls
and anti-malware to reduce the chance of the devices providing
hackers a pathway into the network.
To use a site workstation, employees should use Personal
Identity Verification (PIV) cards with greater encryption and embedded
biometric data authenticated by a separate reader. Also,
keep the organization’s laptops and mobile phones locked up
when not in use.
Cyber and physical attacks differ in nature, but the results may
be the same – a segment of the nation’s critical infrastructure being
out of service. And a review of recent cyberattacks on government,
financial and retail organizations shows almost any group
is susceptible to dedicated and sophisticated hackers.
These are just a few highlights of all the steps required to secure
critical infrastructure. Work with an experienced integrator
to provide current best practices. And plan on working closely
with federal, state and local first responders to improve communication
and coordination during an emergency.
The security needs of each critical infrastructure site may vary
widely based on its use and location. More than 80 percent of
these sites are owned by non-governmental organizations, with
their own budgets and views on protecting employees and assets.
Any security solution requires multiple layers of integrated systems.
There is no one technology capable of meeting all physical
and cybersecurity needs.
Also, not all disruptions are due to terrorists. Other causes
may include severe weather and other natural disasters, pandemics
and accidents. Security directors must
always plan, prepare, monitor, and, when necessary,
react and innovate to harden their facilities
against all threats.
This article originally appeared in the July / August 2020 issue of Security Today.
John Nemerofsky is the chief operating officer of Kent, Ohio-based Sage Integration.