Tuesday, August 14, 2012

Another High Profile Perimeter Security Incident

A little over a week ago I wrote about the perimeter breach at a nuclear fuel processing site. Yesterday there were news reports about a stranded jet-skier who walked from a beach at JFK across two runways and gained access to the terminal without encountering security personnel until he asked an airline employee for assistance. In both instances amateurs gained effective access to high-profile security areas with little effort.

As a long-time reader and security professional noted in a response to my earlier blog posting (that response is well worth reading in its entirety):

“With all of the academics discussing regional resiliency and other highly important subjects, it pains me that the journeymen of our industry still do not understand these basic tenets of industrial security.”

Why is Perimeter Security So Difficult?

With all of the advances in video surveillance, video analytics and intrusion detection systems, perimeter security remains a manpower-intensive operation. Someone has to monitor these systems and someone has to respond to system alerts. Since security is not a profit center, the personnel responsible for monitoring and response are too often underpaid and underqualified. All too often this results in people who have no real incentive to care about their job.

In the real world, effective automated detection systems have a high false alarm rate; if they don’t, they make it too easy for professionals to penetrate the perimeter (NOTE: It is impossible to design a perimeter that cannot be penetrated). In the industry these false alarms are well known as ‘nuisance alarms’. As time passes, the aggravation caused by these nuisances results either in sensitivity adjustments to the automated systems to reduce the number of such alarms, or in people ignoring the alarms when they do occur. This is simply human nature. In either case the result is a perimeter that is easier to penetrate.

How to Avoid Security Complacency

Probably the best way to avoid perimeter security complacency is to conduct periodic penetration testing. Specially trained Red Teams are given the mission to penetrate the security perimeter. Special training is required so that these teams use only the level of penetration skill appropriate to the security level of the facility being protected. For example, a nuclear weapons storage facility would require a higher degree of professionalism in the attempted penetration than would a warehouse holding high-cost consumer goods.

Bonuses can be given to the security team that detects and intercepts the Red Team; the earlier the detection and interception the higher the bonus. Penetrations such as those noted in the two recent news reports require the application of negative inducements and corrective reassessment of security measures including training.

Responsive Activities Require Training and Testing

Any kind of activity that requires an immediate and effective response to an outside stimulus requires periodic training and testing. If you require a high-level response to infrequent events you must invest the time and resources necessary. Proper training and periodic evaluation of the necessary skill sets is an absolute necessity. Otherwise your organization is going to be embarrassed by these types of incidents, or worse, you’re going to have a catastrophic failure of your security that is going to result in death and destruction.

