Physical security

Physical security describes measures that are designed to deny access to unauthorized personnel (including attackers) from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts. ^[1] Physical security can be as simple as a locked door or as elaborate as multiple layers of barriers, armed security guards and guardhouse placement.^[2] Good physical security uses the concept of layered defense, in appropriate combinations to deter and delay intrusions (passive defense), and detect and respond to intrusions (active defense). Ultimately it should be too difficult, risky or costly to an attacker to even attempt an intrusion. However, strong security measures also come at a cost, and there can be no perfect security. It is up to a security designer to balance security features and a tolerable amount of personnel access against available resources, risks to assets to be protected, and even aesthetics. There are also life-cycle sustaining costs to consider.

Physical security is not a modern phenomenon. Physical security exists in order to stop persons from entering a physical facility. Historical examples of physical security include city walls, moats, etc.

The technology used for physical security has changed over time. While in past eras, there was no passive infrared (PIR) based technology, electronic access control systems, or video surveillance system (VSS) cameras, the essential methodology of physical security has not altered over time.^{[citation needed]} Fundamentally, good physical security is a combination of defensive principles designed to:

• deter
• delay
• detect, and
• respond (and ultimately, deny access)

... to intrusions into critical physical spaces.^[3] The first two actions of deter and delay are considered passive defense, while the remaining are active in nature.

Elements and design

Spikes atop a barrier wall

The field of security engineering has identified the following elements to physical security:

• obstacles, to frustrate trivial attackers and delay serious ones; to include:
  • explosion protection;
• detection systems, such as surveillance systems, alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and
• security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other.^[4] There are at least four layers of physical security:

• Environmental design
• Mechanical, electronic and procedural access control
• Intrusion detection (with appropriate response procedures)
• Personnel Identification (authentication)

There may be many choices to consider and there is no "best" solution that will satisfy a broad class of situations. Each situation is unique. What is offered in this article are only proven techniques, but not always required or expected, or satisfactory for the end user.

The goal of physical security is to convince potential attackers that the likely costs of attack exceeds the value of making the attack, e.g. that consequences of a failed attack may well exceed the gain. The combination of layered security features establishes the presence of territoriality.

The initial layer of security for a campus, building, office, or other physical space uses crime prevention through environmental design to deter threats. Some of the most common examples are also the most basic - warning signs, fences, vehicle barriers, vehicle height-restrictors, restricted access points, site lighting and trenches. However, even passive things like hedgerows may be sufficient in some circumstances.

Electronic access control

The next layer is mechanical and includes gates, doors, and locks. Key control of the locks becomes a problem with large user populations and any user turnover. Keys quickly become unmanageable, often forcing the adoption of electronic access control. Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. For example a user's access rights could allow access from 0700h to 1900h Monday through Friday and expires in 90 days. Another form of access control (procedural) includes the use of policies, processes and procedures to manage the ingress into the restricted area. An example of this is the deployment of security personnel conducting checks for authorized entry at predetermined points of entry. This form of access control is usually supplemented by the earlier forms of access control (i.e. mechanical and electronic access control), or simple devices such as physical passes.

An additional sub-layer of mechanical/electronic access control protection is reached by integrating a key management system to manage the possession and usage of mechanical keys to locks or property within a building or campus.

The third layer is intrusion detection systems or alarms. Intrusion detection monitors for unauthorized access. It is less a preventative measure and more of a response trigger, although some^[who?] would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.^{[citation needed]} For example, a motion sensor near a door could trigger on either a person or a squirrel. The sensor itself does not do identification and as far as it is designed, anything moving near that door is unauthorized.

Closed-circuit television sign

The last layer is video monitoring systems. Security cameras can be a deterrent^{[citation needed]} in many cases, but their real power comes from incident verification^[5] and historical analysis.^[6] For example, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly becoming outdated as more video systems lose the closed circuit for signal transmission and are instead transmitting on computer networks. Advances in information technology are transforming video monitoring into video analysis. For instance, once an image is digitized it can become data that sophisticated algorithms can act upon. As the speed and accuracy of automated analysis increases, the video system could move from a monitoring system to an intrusion detection system or access control system. It is not a stretch to imagine a video camera inputting data to a processor that outputs to a door lock. Instead of using some kind of key, whether mechanical or electrical, a person's visage is the key. FST21, an Israeli company that entered the US market this year, markets intelligent buildings that do just that.^[7] When actual design and implementation is considered, there are numerous types of security cameras that can be used for many different applications. One must analyze their needs and choose accordingly.^[8]

Note that video monitoring does not necessarily guarantee that a human response is made to an intrusion. A human must be monitoring the situation realtime in order to respond in a timely manner. Otherwise, video monitoring is simply a means to gather evidence to be analyzed at a later time - perhaps too late in some cases.

Private factory guard

Intertwined in these four layers are people. Guards have a role in all layers, in the first as patrols and at checkpoints. In the second to administer electronic access control. In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers. And in the fourth to monitor and analyze video. Users obviously have a role also by questioning and reporting suspicious people. Aiding in identifying people as known versus unknown are identification systems. Often photo ID badges are used and are frequently coupled to the electronic access control system. Visitors are often required to wear a visitor badge.

Other physical security tools

In recent times, new developments in information and communications technology, as well as new demands on security managers, have widened the scope of physical security apparatus.

Fire alarm systems are increasingly becoming based on Internet Protocol, thus leading to them being accessible via local and wide area networks within organisations. Emergency notification is now a new standard in many industries, as well as physical security information management (PSIM). A PSIM application integrates all physical security systems in a facility, and provides a single and comprehensive means of managing all of these resources. It consequently saves on time and cost in the effectual management of physical security.

Examples

Canadian Embassy in Washington, D.C. showing planters being used as vehicle barriers, and barriers and gates along the vehicle entrance

Many installations, serving a myriad of different purposes, have physical obstacles in place to deter intrusion. This can be high walls, barbed wire, glass mounted on top of walls, etc.

The presence of PIR-based motion detectors are common in many places, as a means of noting intrusion into a physical installation. Moreover, VSS/CCTV cameras are becoming increasingly common, as a means of identifying persons who intrude into physical locations.

Businesses use a variety of options for physical security, including security guards, electric security fencing, cameras, motion detectors, and light beams.

ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Money tainted with a dye could act as a flag to the money's unlawful acquisition.

Safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.

Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security. (See security through obscurity and inside job.)

Not all aspects of Physical Security need be high tech. Even something as simple as a thick or thorny bush can add a layer of physical security to some premises, especially in a residential setting.

See also

Access badge Access control Alarm Alarm management Bank vault Biometrics Bollard Boundaries of Security Report Burglar alarm Castle Category:Security companies Closed-circuit television Common Access Card Computer security Credential Door security Electronic lock Electric fence

Fence Fortification Guard tour patrol system ID Card IP video surveillance Journal of Physical Security Key (lock) Key (cryptography) Keycard Locksmithing Lock picking Logical security Magnetic stripe card Optical turnstile Photo identification Physical Security Professional

Physical key management Prison Proximity card Razor wire Safe Safe-cracking Security Security engineering Security lighting Security Operations Center Security policy Security seal Smart card Surveillance Swipe card Wiegand effect

References

1. Task Committee (1999). Structural Design for Physical Security. ASCE. ISBN 0784404577.
2. "Home Safety Tips". Yourlocalsecurity.com. Retrieved 2011-03-31.
3. http://lenlong.dyndns.org/webresources/Temp%207-2-08/UNH%20Pilot%20Course/INTRO-Security%20Awareness-%20Practical%20elements%20of%20Security-Intro.ppt
4. Anderson, Ross (2001). Security Engineering. Wiley. ISBN 0471389226.
5. http://www.securitysystemsnews.com/index.php?p=article&id=ss200910sZyvgw
6. http://www.securitysystemsnews.com/index.php?p=article&id=ss2010066EloVu
7. http://www.securitysystemsnews.com/index.php?p=article&id=ss200912Oku0rm
8. Oeltjen, Jason. "Different Types of Security Cameras".