Physical security

Physical security describes security measures that are designed to deny access to unauthorized personnel (including attackers or even accidental intruders) from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts.^[1] Physical security can be as simple as a locked door or as elaborate as multiple layers of barriers, armed security guards and guardhouse placement.^[2]

1 Overview
2 Elements and design
3 Other physical security tools
4 Examples
5 See also
6 References

Overview

Physical security is primarily concerned with restricting physical access by unauthorized people (commonly interpreted as intruders) to controlled facilities, although there are other considerations and situations in which physical security measures are valuable (for example, limiting access within a facility and/or to specific assets, and environmental controls to reduce physical incidents such as fires and floods).

Security inevitably incurs costs and, in reality, it can never be perfect or complete - in other words, security can reduce but cannot entirely eliminate risks. Given that controls are imperfect, strong physical security applies the principle of defense in depth using appropriate combinations of overlapping and complementary controls. For instance, physical access controls for protected facilities are generally intended to:

deter potential intruders (e.g. warning signs and perimeter markings);
distinguish authorized from unauthorized people (e.g. using keycards/access badges)
delay, frustrate and ideally prevent intrusion attempts (e.g. strong walls, door locks and safes);
detect intrusions and monitor/record intruders (e.g. intruder alarms and CCTV systems); and
trigger appropriate incident responses (e.g. by security guards and police).^[3]

It is up to security designers, architects and analysts to balance security controls against risks, taking into account the costs of specifying, developing, testing, implementing, using, managing, monitoring and maintaining the controls, along with broader issues such as aesthetics, human rights, health and safety, and societal norms or conventions. Physical access security measures that are appropriate for a high security prison or a military site may be inappropriate in an office, a home or a vehicle, although the principles are similar.

Physical security is not uniquely human. The practice of actively defending a territory against intruders or opponents is very common in the animal kingdom. Physical security is also not a modern phenomenon. The technology is continually evolving along with the threats. Physical security controls that were considered adequate in the past tend to be insecure today due to advances in the knowledge and capabilities of attackers.

Elements and design

Spikes atop a barrier wall

The field of security engineering has identified the following elements to physical security:

obstacles, to frustrate trivial attackers and delay serious ones; to include:
- explosion protection;
detection systems, such as surveillance systems, alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and
security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other.^[4] There are at least four layers of physical security:

Environmental design
Mechanical, electronic and procedural access control
Intrusion detection (with appropriate response procedures)
Personnel Identification (authentication)

There may be many choices to consider and there is no "best" solution that will satisfy a broad class of situations.

Deterrence

The goal of physical security is to convince potential attackers that the likely costs of attack exceeds the value of making the attack, e.g. that consequences of a failed attack may well exceed the gain. The combination of layered security features establishes the presence of territoriality.

The initial layer of security for a campus, building, office, or other physical space uses crime prevention through environmental design to deter threats. Some of the most common examples are also the most basic: warning signs or window stickers,^[5] fences, vehicle barriers, vehicle height-restrictors, restricted access points, security lighting and trenches. However, even passive things like hedgerows may be sufficient in some circumstances.

An electronic access control.

Access control

The next layer is mechanical and includes gates, doors, and locks. Key control of the locks becomes a problem with large user populations and any user turnover. Keys quickly become unmanageable, often forcing the adoption of electronic access control. Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. For example a user's access rights could allow access from 0700h to 1900h Monday through Friday and expires in 90 days.

Another form of access control (procedural) includes the use of policies, processes and procedures to manage the ingress into the restricted area. An example of this is the deployment of security personnel conducting checks for authorized entry at predetermined points of entry. This form of access control is usually supplemented by the earlier forms of access control (i.e. mechanical and electronic access control), or simple devices such as physical passes.

An additional sub-layer of mechanical/electronic access control protection is reached by integrating a key management system to manage the possession and usage of mechanical keys to locks or property within a building or campus.

Detection

The third layer is intrusion detection systems or alarm systems. Alarm systems trigger a response when unauthorized access is detected. They consist of sensors including motion sensors, contact sensors, and glass break detectors.

In some jurisdictions, law enforcement will not respond to alarms from intrusion detection systems unless the activation has been verified by an eyewitness or video.^[6] Policies like this one have been created to combat the 94–99 percent rate of false alarm activation in the United States.^[7]

Closed-circuit television sign

Identification

The last layer is video monitoring systems. Security cameras can be a deterrent^[8] in many cases, but their real power comes from incident verification^[9] and historical analysis.^[10] For example, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly becoming outdated as more video systems lose the closed circuit for signal transmission and are instead transmitting on IP camera networks.

Advances in information technology are transforming video monitoring into video analysis. For instance, once an image is digitized it can become data that sophisticated algorithms can act upon. As the speed and accuracy of automated analysis increases, the video system could move from a monitoring system to an intrusion detection system or access control system. A video camera could potentially data to a processor that outputs to an electronic lock, making a person's visage the key. When actual design and implementation is considered, there are numerous types of security cameras that can be used for many different applications. One must analyze their needs and choose accordingly.^[11]

Note that video monitoring does not necessarily guarantee that a human response is made to an intrusion. A human must be monitoring the situation realtime in order to respond in a timely manner. Otherwise, video monitoring is simply a means to gather evidence to be analyzed at a later time.

Human response

Private factory guard

Intertwined in these four layers are people. Guards have a role in all layers, in the first as patrols and at checkpoints. In the second to administer electronic access control. In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers. And in the fourth to monitor and analyze video. Users obviously have a role also by questioning and reporting suspicious people. Aiding in identifying people as known versus unknown are identification systems. Often photo ID badges are used and are frequently coupled to the electronic access control system. Visitors are often required to wear a visitor badge.

Other physical security tools

New developments in information and communications technology, as well as new demands on security managers, have widened the scope of physical security apparatus.

Fire alarm systems are increasingly becoming based on Internet Protocol, thus leading to them being accessible via local and wide area networks within organisations. Emergency notification is now a new standard in many industries, as well as physical security information management (PSIM). A PSIM application integrates all physical security systems in a facility, and provides a single and comprehensive means of managing all of these resources. It consequently saves on time and cost in the effectual management of physical security.

Examples

Canadian Embassy in Washington, D.C. showing planters being used as vehicle barriers, and barriers and gates along the vehicle entrance

Many installations, serving many different purposes, have physical obstacles in place to deter intrusion. This can be high walls, barbed wire, glass mounted on top of walls, etc.

The presence of PIR-based motion detectors are common in many places, as a means of noting intrusion into a physical installation. Moreover, VSS/CCTV cameras are becoming increasingly common, as a means of identifying persons who intrude into physical locations.

Businesses use a variety of options for physical security, including security guards, electric security fencing, cameras, motion detectors, and light beams.

ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Money tainted with a dye could act as a flag to the money's unlawful acquisition.

Safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.

Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security. (See security through obscurity.)

References

^ Task Committee; Structural Engineering Institute (1999). Structural Design for Physical Security. ASCE. ISBN 978-0-7844-0457-7.
^ "Home Safety Tips". Yourlocalsecurity.com. Retrieved 2011-03-31.
^ http://lenlong.dyndns.org/webresource s/Temp%207-2-08/UNH%20Pilot%20Course/ INTRO-Security%20Awareness-%20Practic al%20elements%20of%20Security-Intro.p pt
^ Anderson, Ross (2001). Security Engineering. Wiley. ISBN 978-0-471-38922-4.
^ "Window deterrent stickers" deter would-be intruders.
^ "Evaluation of alternative policies to combat false emergency calls". p. 238.
^ "Evaluation of alternative policies to combat false emergency calls". p. 233.
^ "Evaluating the Use of Public Surveillance Cameras for Crime Control and Prevention".
^ Welcome to Security Systems News
^ "Better Business Planning With Intelligent Video Analytics". Dell.com. Retrieved 2012-03-22.
^ Oeltjen, Jason. "Different Types of Security Cameras".

Contents