Defending High Security Applications: Integration Isn’t Everything
Drone monitoring a high security fence
One of the greatest challenges for any consultant, integrator or security manager is defending high security applications, particularly locations which are not purpose built or that must retain areas that face the public.
WHEN you think high security applications, the first things that come to mind are the concrete domes of nuclear power stations, the razor tape of prison fences and the complex manned entry points of defence installations. But many high security facilities cannot be virtual bunkers – they have operational parameters more nuanced than that.
According to Danny Bercovic, managing director of Fredon Security, key considerations for end users and integrators defending high security applications are complex.
“High security installations need to be extremely reliable, pervasive and yet simple to operate,” says Bercovic. “Responders need to take every event seriously and therefore any spurious event reports or alarm triggers need to be eliminated. To achieve this the quality of the installation must be high and the system must be designed with maintenance in mind.
“Redundancy, both hardware and software, is crucial for high-security sites and should be designed in from inception. Efficiencies can be found when designing redundancy not just for security systems but also for their supporting infrastructure.”
In Bercovic’s opinion, if there could be only one layer of security applied to defend a high security site, it would be perimeter security, but he points out that any missing layer would lead to compromised security. Bercovic argues the interplay between secure layers is a major contributor to overall site security.
“The layers of security systems depend on each other to each perform properly,” he says. “For a solution to be complete it depends on multiple sub-systems operating in unison. These sub-systems also depend on other building services such as electrical and – sometimes – data networks. It is important to have a holistic design that increases interoperability but also removes any unnecessary duplication of functionality.
“A holistic multi-services design is important to ensure a solution operates efficiently and without unnecessary complexity. Security should not be designed – or implemented – in isolation from other building services. There is an interdependency that is too often underestimated.
“A solution that includes best-of-breed sub-systems tied into a unified user interface with a PSIM is a good high-security solution. The advantage of a PSIM is it can integrate systems that are not traditionally considered part of a traditional ‘security’ solution – such as UPS, electrical, RTLS and others.”
According to Bercovic, complex design and duplication of sub-system functionality creates a maintenance nightmare.
“It results in an architecture that cannot be understood without a detailed knowledge of every sub-system,” he says. “This impedes diagnosis during an event – as too much knowledge resides in multiple people’s heads. These people may not be available when you need them most and that can negatively affect crucial decision making.”
When it comes to whether or not high security sites should have onsite security officers, Bercovic argues it is possible for a security solution to be managed by regular staff, however, he says consideration needs to be given to qualified first responders who may need to be security professionals – the choice depends on the nature of the site.
According to Bercovic, integration can be a doubled-edged sword on high security sites.
“Integration is a very effective way of providing a simple interface to operate a complex system,” he says. “In the event of a security breach, simple and accurate communication is key to judging a response and this is where integration can help. However, it often brings challenges when it comes to maintenance and upgrades.
“Security management systems are increasingly important in bringing disparate sub-systems into a single interface and adding some additional functionality along the way. Staff can also move between sites and remain competent in operating systems even though the sub-systems may be entirely different.
“It should be mentioned that some manufacturers are developing impressive end-to-end capability that don’t require a security management layer – but this depends on the customer being willing to run with a single vendor for a breadth of functionality. High security sites are more likely to choose specific expert sub-systems that are best suited and then use a management system to tie them all together.”
Given reductions in the cost of many security technologies, can a site be secured to a high level at relatively low cost, in Bercovic’s opinion?
“Yes, but you get what you pay for,” he explains. “Lower cost technologies play an increasing role in the security landscape and need to be assessed by any integrator to judge fitness for purpose. In some cases, they represent excellent value for money. However, in some high security sites the proven performance and integrity of mature systems is rightly valued. When talking about value, it is also especially important to consider total lifecycle costs – especially for high security sites where it may be difficult to replace or upgrade systems without affecting operations.”
Bercovic believes the security networks of high security sites can have connections to internal and/or public data networks.
“Yes – provided appropriate cyber security measures are taken,” he says. “This can reduce risk, as IT teams are often spending great effort securing and maintaining a data network. These networks also have greater intrusion detection and redundancy build into them. This can be neglected in orphaned air-gapped security network and vulnerabilities can be exploited over time. Also, disconnected networks are not necessarily protected from internal attacks.”
For Luke Percy-Dove of Matryx Consulting, when defending high security applications end users should focus on addressing the risks to the business when considering security.
“Risk does not just relate to loss of property but can also include things like business disruption and reputational damage,” he says. “If the risks are not entirely clear or have not been properly qualified, then the security practices may not be appropriate. Once the question of risk has been addressed, then security should also consider the profile of the client, the amenity of the property and how any systems, technologies or processes can be integrated into the work environment. Cost will also be a consideration.”
Like Bercovic, Percy Dove argues security layers are intertwined.
“Firstly, layers need to be complimentary and often will become more complex the closer you get to the primary asset,” he says. “An example of this is you may need just a key to get into a building but to open a vault within that building may require 2 people, both with alarm codes and appropriate access credentials. In terms of what layer would be most important, well that would be whatever layer 1 is. This is because the first layer provides the first opportunity to detect an irregular event.
“This could be a recessed reed switch on an entry door, an access reader to a computer hall or a perimeter beam. The first layer needs to provide a notification that something unusual has occurred. The earlier the event has been identified, the greater the chance of a meaningful response. Security is very much about creating time. As such the further the first layer can be from the actual asset, the better the chance that security can influence the event. Security layers do not necessarily need to be complex or high-tech. Basic vehicle gates have worked very well at client properties as a way of restricting access and prolonging the time on site for offenders.”
According to Percy-Dove, the perfect high security solution regardless of cost is not about the inclusion of every possible layer of security but about meeting the operational demand.
“A perfect security solution is one that appropriately addresses the risks to the business – it really is as simple as that,” he says. “But thinking broadly, a well-designed system would likely include a fence that is very difficult to breach, some clever technologies to detect early intrusion should it occur and an elite security force that can respond immediately. The primary assets would also be very well secured inside a building that would be impossible to break into. The building itself would also incorporate multiple layers of control and opportunities for detection.”
When it comes to the need for onsite security officers, Percy-Dove argues that risk defines need.
“Without sounding too repetitive, it depends on the risk to the business and the quality of the systems and work practices in place,” he explains. “We do have some clients that operate high-security sites that are operated purely by regular staff, but this is uncommon, especially during operational hours. Once operations have ceased for the day and the main assets are appropriately secured, it is possible to not need security officers on site. If security officers were not being used, the security systems and processes would need to be very tight and include a timely response mechanism.”
For Percy-Dove the most important layer of security to defend a high security site if there could only be one layer would be people.
“An elite, armed security team,” he says. “Technology alone cannot achieve what people can in a high security environment. People are also required for response, so I would see it as the only option.”
When it comes to integration and a shift towards single management solutions, Percy-Dove agrees integration is becoming more and more important.
“Integrated system may not include single management solutions because often the number of systems that are involved can be varied,” he says. “I understand that solutions like PSIM can address these issues, but their implementation can be complex and require careful consideration. Integration done well can provide all sorts of opportunities for improvement, so we are advocates if the benefits from an operational perspective are there and the costs can be justified. Like all things, whatever solution is recommended to a client needs to be outcome-driven. If integration is the best way of achieving a given outcome, then absolutely do it.”
Percy-Dove argues it is possible, given the reductions in the cost of many security technologies, for a site to be secured to a high level at relatively low cost.
“Absolutely it can – high security in no way needs to mean high-level expenditure on security for the client,” he says. “There are many ways that security can be achieved without the need for expensive security solutions. The single biggest factor in security costs will always be people so if ongoing costs are a factor, we would look at ways that technology-based solutions can achieve a comparable result. Many traditional control room functions can be automated or managed remotely with the right technologies. Modern communications allow us to manage almost any site from anywhere and we will see more and more centralisation of security operations.”
When it comes to connecting high security solutions to internal and/or public data networks, Percy-Dove believes security networks need to be air-gapped where ever possible.
“If they are not, then there will be a whole series of new risks and vulnerabilities that would need to be considered,” he says. “I am a believer in limiting risk wherever practical so while this approach may be seen as old school, cyber risk is greatly reduced managing security this way. There would have to be a good reason to connect to an internal or public network for us to endorse it.”