Tue Mar 10 20:41:43 PDT 2015

Technology: Physical Perimeters: What physical perimeters have what protection mechanisms?


For each type of physical facility, describe what protective mechanisms are associated with each physical protection layer.

Location / Mapping / Accessibility / Deceptions / Response forces and times
Perimeters / Signs / Entry paths / Barriers / Sensors / Response forces
Construction / Signs / Deceptions / Entry paths / Barriers / Sensors / Emergency modes / Response times and forces
Construction / Zones / Flow paths / Barriers / Sensors / Locking devices / Emergency modes / Response times and forces
Construction / Barriers / Sensors / Locking devices / Emergency modes / Response forces and times
Physical separation requirements for zone(s) of type XXX


All applicable other requirements are met for the nature and type of facility in the applicable jurisdictions. Generally, all facilities must meet legal, regulatory, and management defined requirements.

Design basis threat applied. A design basis threat is an assumption regarding the threat for which the protective design was done. It generally identifies the anticipated capabilities and intents of the set of threats considered to be relevant to the protection scheme.

Deceptions used to {conceal the nature of use of location / limit knowledge of content and locations}. Generally, deception can be used to induce or suppress signals. Thus the placement of a facing material on a building to conceal its nature will prevent it from being detected as a particular type of facility, while the introduction of sounds and sights normally associated with the depicted type of building will support that deception.

The {nature of use} of the location {concealed / not advertised / not mapped} where feasible. These are forms of concealment (and thus deceptions) in which different facets of the plant or facility are made less available to those who might be seeking particular places. For example, maps that point out the areas with explosive chemicals might make it easier for those who are trying to cause explosions to find those locations before the detection and response process of the facility is able to prevent their further progress toward that goal.

Accessibility limited to {the extent feasible / normal plant controls}. Access is normally limited for health, safety, liability, and other reasons. However, when consequences warrant it, additional access limitations are put in place for improved protection effectiveness and separation of physical access to areas associated with zones and subzones.

Barriers determined based on {attack graph analysis / design basis threat / facility safety / property protection / normal plant} needs {fully / partially} separate {some / all} container areas {not requiring direct connectivity / as needed for health and safety} where feasible {and passage through container areas to reach other container areas is such that higher consequence contained areas are within lower consequence areas}. Generally, barriers to physical passage are used to assure separation of one area from another. Depending on the type and nature of the areas, the separation quality, thoroughness, strength, and time requirements, and the level of surety desired, these areas can be more completely separated at different levels of physicality. For example, a container that seals against gas leakage between subzones will have a much finer level of containment and have to be much more comprehensive in coverage than a fence that stops employees from going between two plant areas.

Construction designed to meet {normal needs of the plant / specific needs of the plant / specific needs for defending against threat(s)} and to the specification of {the plant environment / environmental threat conditions}. Generally, construction must meet building codes and other general requirements for the overall plant as well as specific needs for specific areas of the plant, such as clean rooms, hot rooms, etc. In addition, special construction may be needed for dealing with specific threats; for example, facilities designed to withstand being hit by aircraft may require special construction above and beyond the needs of containment for environmental hazards such as leaks.

Zones are separated and defined based on {access / response / separation} requirements {and structured so as to make zone traverse inconvenient and unnecessary to the extent feasible in normal operation, with higher consequence zones harder to reach than lower consequence zones}. In essence, protective zones are structured so as to meet the topological needs of the plant and at the same time, provide adequate protection so that detection and response can be timely, prevention effective, and deterrence operable.

Perimeters designed to {meet health and safety code and property protection requirements / restrict authorized entry at {normal plant property entry points / a distance determined by analysis}}. Health and safety standards apply to all plants, as do most property protection requirements. Most plants prohibit entry except to authorized personnel, although some have viewing areas and other similar entrances. Access is typically limited further from the critical consequence areas as consequences and threat capabilities increase, and for high consequence situations, perimeters are typically designed to create the delays required to allow response forces to react after detection in time to mitigate potentially serious negative consequences.

Entry paths appropriate to {health and safety requirements on access / normal operation of the plant} {and limited to {defined paths for operating modes / normal paths used in operations and emergency evacuation or response paths / the minimum number required for safety and security}}. Entry and exit paths are more limited for higher surety relating to access, but with limits associated with the need for evacuation and access by emergency personnel (see emergency modes). Paths may also be designed so as to increase time to reach high consequence areas during normal operation and decrease time during emergencies.

Flow paths designed {for normal plant operational efficiency / to limit flows to tend to remain within zones and minimize inter-zone flows}. The flow of people and things is normally designed to assure that all necessary checks for safety and security are met en route from one place to another and to assure that these requirements are not bypassed by altering or avoiding the normal travel path through the facility.

Signs appropriate to {health and safety needs of {property access / the plant} / inward and outward flows of traffic / warning prohibition from unauthorized entry} {without revealing the nature of the facility}. Signs may or may not reveal information about the plant and yet still be effective at warning about necessary hazards, controlling flows of people and machines, meeting health and safety requirements, and warning about unauthorized entry.

Emergency modes {predefined / defined} {and flows restricted} so that in emergencies, {flow goes from higher consequence to lower consequence areas / containers allow exit-only or lock-down as appropriate / emergency evacuation and response paths are facilitated} based on {normal operations / attack graphs / design basis threat}. Everything done in normal operation has to be reconsidered for different emergency scenarios so that in emergencies, some parts of plants are shut down, others opened for emergency personnel, others shut to normal personnel, and flows and access changes made appropriate to the needs of the emergency. These are normally predefined for the design basis threat and anticipated scenarios.

Locking devices are suitable to {normal worker access controls / consequences / attack time requirements}. Locking devices, including the things that they lock, are normally designed to keep times for legitimate entry to a minimum while slowing illegitimate (non-obvious) entry. These requirements vary with the threat environment and the expectations placed on the locking mechanism. For example, locker rooms have different requirements than classified facilities, which are different from control rooms and wire closets.

Sensors used on {containers / barrier / facility / perimeter / property / closed areas} {approach / entry / exit / passage / access / movement within / breach} detect {authorized / unauthorized} {use / access / presence / absence} {in real-time / upon inspection} to meet {property protection / security-specific} needs. Sensors must be able to sense the desired observables so that the detection and response process can occur in time to mitigate potentially serious negative consequences. The specifics depend on the specific requirements of the protective architecture.

Response forces and times are determined by {safety and operational needs / needs of similar sorts of plants / normal plant requirements / analysis of attack graphs}. Response forces and times are dictated by different requirements depending on the consequences associated with timely and slower response. The design basis threat comes into play here, so that for larger groups of more capable attackers, stronger, larger, and faster response forces and times are required. Of course, safety, health, and other similar plant requirements always apply, but as consequences and threats increase, so must response force capabilities. Generally, responses should be fast enough and have adequate force to mitigate potentially serious negative consequences between the time alarms are recognized (after bad things happen) and the time the response is adequately effective.
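The zoning and timing arguments above (barriers separating container areas so that higher consequence areas sit inside lower consequence ones, and perimeters creating enough delay after detection for response forces to arrive) can be checked mechanically once a facility is written down as a graph of areas and passages. The following Python model is an added example; it is not part of this page and not Fred Cohen's own tooling. The facility, its consequence levels, the barrier delays and the 240-second response time are constructed values, and the nesting rule it applies (no passage may jump more than one consequence level) is this example's own assumption about what "higher consequence contained areas are within lower consequence areas" requires.

```python
"""Timeline and nesting check for a zoned physical protection design.

Areas carry a consequence level (0 = outside). Each passage carries the
delay (seconds) a design-basis adversary needs to defeat its barrier and
whether a sensor alarms when the passage is used. For every simple route
from outside to a target area the check finds the first sensed passage and
asks whether the delay remaining after that point exceeds the response time.
All values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Passage:
    src: str
    dst: str
    delay_s: float   # time to defeat the barrier on this passage
    sensed: bool     # True if a sensor raises an alarm on passage


class Facility:
    def __init__(self, consequence):
        self.consequence = dict(consequence)          # area -> consequence level
        self.adj = {a: [] for a in self.consequence}  # area -> outgoing passages

    def connect(self, a, b, delay_s, sensed):
        # a barrier can be crossed in either direction, so record both
        self.adj[a].append(Passage(a, b, delay_s, sensed))
        self.adj[b].append(Passage(b, a, delay_s, sensed))

    def routes(self, start, target):
        """All simple routes (no area repeated) from start to target."""
        found = []

        def walk(area, visited, path):
            if area == target:
                found.append(list(path))
                return
            for p in self.adj[area]:
                if p.dst not in visited:
                    visited.add(p.dst)
                    path.append(p)
                    walk(p.dst, visited, path)
                    path.pop()
                    visited.discard(p.dst)

        walk(start, {start}, [])
        return found


def nesting_violations(fac):
    """Passages that skip a consequence level (assumed nesting rule)."""
    bad = set()
    for plist in fac.adj.values():
        for p in plist:
            if abs(fac.consequence[p.src] - fac.consequence[p.dst]) > 1:
                bad.add(tuple(sorted((p.src, p.dst))))
    return sorted(bad)


def route_margins(fac, start, target, response_s):
    """For each route: where detection first occurs and the delay margin."""
    results = []
    for route in fac.routes(start, target):
        detect_idx = next((i for i, p in enumerate(route) if p.sensed), None)
        # delay still ahead of the adversary once the first alarm is raised;
        # a route with no sensor is never detected, so no delay helps
        remaining = sum(p.delay_s for p in route[detect_idx:]) if detect_idx is not None else 0
        results.append({
            "route": [start] + [p.dst for p in route],
            "detected_at": route[detect_idx].dst if detect_idx is not None else None,
            "remaining_delay_s": remaining,
            "margin_s": remaining - response_s,
        })
    return results


def weakest_route(fac, start, target, response_s):
    """The route whose post-detection delay leaves the least margin."""
    return min(route_margins(fac, start, target, response_s), key=lambda r: r["margin_s"])


def build_example():
    # constructed facility: levels 0..3, one passage that skips a level
    fac = Facility({"outside": 0, "yard": 1, "loading_dock": 1,
                    "building": 2, "control_room": 3})
    fac.connect("outside", "yard", 60, True)             # sensed fence line
    fac.connect("outside", "loading_dock", 30, False)    # unsensed vehicle gate
    fac.connect("loading_dock", "building", 90, True)    # sensed dock door
    fac.connect("yard", "building", 120, True)           # sensed main entrance
    fac.connect("building", "control_room", 300, False)  # hardened lock, no sensor
    fac.connect("yard", "control_room", 150, False)      # maintenance hatch, skips level 2
    return fac


if __name__ == "__main__":
    fac = build_example()
    print("nesting violations:", nesting_violations(fac))
    for r in route_margins(fac, "outside", "control_room", 240):
        print(r)
```

Run it and the hatch shows up twice: as the only passage that breaks nesting, and as the route on which the fence alarm leaves 210 seconds of delay against a 240-second response, a negative margin. That is the kind of finding the design process above is meant to surface before construction, and the same model can be rerun with a revised delay or response time to confirm the fix.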

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved