Protecting Critical Infrastructure

For the purposes of this paper I am assuming the hypothetical role of Chief Security Officer for Acme Foods, a company in the business of selling, marketing, and distributing food products to restaurants, healthcare and educational facilities, and lodging establishments in the New York City metropolitan area.  The company’s entire operation, including its processing and distribution functions, administration and sales, and its corporate headquarters are located in one 300,000 square foot facility located on a three acre site in an industrial area of Queens, New York.  The company has approximately 300 employees working at the facility, including management, administration, operations, and support personnel.

The first step in developing a comprehensive security plan for Acme Foods is to determine what is the critical infrastructure of the company.  On a national level, there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.  These sectors include chemical, communications, dams, emergency services, financial services, government facilities, information technology, transportation systems, commercial facilities, critical manufacturing, defense industrial base, energy, food and agriculture, healthcare and public health, nuclear, and water systems. (“Homeland Security”)  Determining the critical infrastructure of a business is similar in concept.  In business, infrastructure consists of people, technology, systems, procedures, policies, processes, and intellectual property.  The right infrastructure can be the key to a sustainable competitive advantage that creates increased cash flow and profitability. (“Company Infrastructure”)  With these factors in mind I must develop a security plan to adequately protect the company employees, real estate, machinery, computers, vehicles, food perishables, and intellectual property.  To determine what levels of protection are adequate I must analyze the risk factors that are present.  Considering that Acme Foods is a food wholesaler, the CARVER + Shock method of risk analysis is appropriate. (Nemeth, 2010)   The CARVER system employs various criteria labeled as CARVER; CARVER is an acronym for the following six attributes used to evaluate the attractiveness of a target for attack:

  • Criticality—Measure of public health and economic impacts of an attack.
  • Accessibility—Ability to physically access and egress from target.
  • Recuperability—Ability of system to recover from an attack.
  • Vulnerability—Ease of accomplishing attack.
  • Effect—Amount of direct loss from an attack as measured by loss in production.
  • Recognizability—Ease of identifying target.

In addition, the modified CARVER tool evaluates a seventh attribute, the combined health, economic and psychological impacts of an attack, or the shock attributes of a target. The CARVER system attempts to quantify risk by the assignment of specific numbers for specific conditions. It looks to products and food, facilities, and manufacturing processes. So valued is its methodology that the U.S. Food and Drug Administration (FDA) has developed and disseminated software that is downloadable on the web.  The CARVER ANALYSIS has reflected the critical nature and potential effect of an attack on the food being processed, so my security system will focus on the accessibility, vulnerability, and recuperability of the company and its facility.

The vulnerability and accessibility to attack is mainly contingent on the physical security systems in place.   In designing proper physical security systems on the exterior of the site, I will follow the 5 D’s of outdoor physical security. (“The 5 D’s of Outdoor Perimeter Security”).  These five factors comprise the essence of a layered security plan, as they focus on a key objective for each specific perimeter, and layers the perimeters from outside the facility to inside the building.  The 5 D’s starting from the outside are Deter, Detect, Deny, Delay, and Defend.

Deter – My first step in deterring an attack on the Acme Food site is to ensure that the entire exterior of the facility is well lit.  Lighting can act as a deterrent to unauthorized intrusion, and also aids in the use of CCTV systems and helps the security force to delay or apprehend perpetrators. (Knoke, 2009, p. 170).  In determining the proper lighting to use, I will utilize the guidelines of the  Illuminating Engineering Society of North America (IES) because they are the accepted national standard for emergency safety and security lighting. (Knoke, 2009, p. 173).  My other main deterrent tool will be the perimeter fencing.  Due to budgetary constraints I am using an 8-foot high standard chain link fence.  Ordinary chain-link fences constitute a visible legal boundary around a facility and provide a means of posting signs regarding trespassing, security measures, or even use of deadly force. However, such fences do not pose a serious obstacle to a dedicated adversary. In seconds, a person can ram through the fence with a vehicle, climb over it, crawl under it, or cut through it. Therefore, I will harden my perimeter by using barbed-tape concertina (BTC) attached to outriggers on the top of the fence at a 45-degree outward angle. (Knoke, 2009, p. 245-46)

Detect – My security system will address detection via CCTV cameras and an intrusion detection alarm system.  I want CCTV cameras present inside and outside the facility to obtain visual information about something that is happening, and to obtain visual information about something that has happened.  The specific choice of cameras will be based on the camera’s sensitivity, resolution, and features.  I will leave the specific choice of type, numbers, and deployment of cameras to my security technology contractor, who will make his choices based on the scope of work I provide to him. (Knoke, 2009, p. 130).  My security technology contractor will also recommend and install an alarm system.  Whatever the specific choice, the alarm system must be effective, efficient, and easy for security personnel to monitor and operate. (Knoke, 2009, p. 177)

Deny – My security plan to deny entry to intruders and other unauthorized personnel again involves a layered approach.  The fencing and lighting already mentioned for their deterrent effect are also involved as means to deny entry.  Additionally, I will utilize Smart Card technology to allow access to the facility.  All employees will be issued photo identification cards that have to be placed in close proximity to a card reader to unlock a door.  This Smart Card technology allows individual cards to be programmed to unlock only the doors for which an employee is authorized to have access. (“Using Smart Cards for Secure Physical Access”).  For the key walk-in entry point from the street, biometrics will be integrated into the Smart Cards.  Besides putting the card up to the reader, the user will also have to confirm identity via a biometric aspect, such as fingerprint, hand geometry, or iris scan. (Clifton, “Homeland Security Today: SPECIAL: Airports Eye Biometrics for Employee Access Control”).  One other piece of my security system that aids in denying unauthorized entry is the use of turnstiles at the employee walk in entrance, in lieu of a gate or door.  Even though entrance will be granted via Smart Card biometrics, there is always the danger of “Tailgating”, or a person entering through a door or gate directly behind another person.  Turnstiles allow entry to only one person at a time. (Conrad, 2011)

Delay –    Delaying involves a combination of security measures. We should never expect barriers to stop a motivated intruder. Instead, they provide a level of effort and planned delay. Again, the layered approach is critical as perimeter fencing, building walls and doors, and internal walls and doors all should at least partially serve to delay intruders . Interior walls provide additional barriers, assuming the target is not located in a room sharing an outside wall. For example, my computer data center is in the center of a structure with walls independent from external walls. Once an intruder makes it through an external door or wall, he will meet additional deterrence and delay… giving more time for a security response.  Door locks are also an important part of this strategy.  Locks are like passwords: the stronger the better, but always vulnerable when an attacker has enough time and the right tools.  As a physical security control, locks simply add additional deterrence and delay. (“Physical Security: Managing the Intruder – InfoSec Resources”)

Defend – The defense of the facility and its assets rests primarily with the private security force contracted to provide security at the site.  Here is where it is extremely important for me to be very specific in the scope of work regarding the expectations for the security force.  My expectation is that the security personnel will take enforcement action, if absolutely necessary, to engage and detain intruders or others observed committing crimes.  My expectation is within legal guidelines as NYS Law does grant private citizens (legal authority of a security guard) the authority to arrest under certain circumstances. (Penal and Criminal Procedure Law of the State of New York).  The law also authorizes a private citizen to use necessary force to make a legal arrest or in self defense. (Penal and Criminal Procedure Law of the State of New York).  Many private security companies, however, have an observe and report philosophy, and have written policies prohibiting their personnel from making arrests under any circumstances. (Security Officer Basic Course, 2011).  Therefore, it will be extremely important to articulate my enforcement expectation within the scope of work.

A final area of the security plan involves community outreach.  I am going to be active with the local community board because this is the local level where issues involving neighbors in the area can be resolved.  I am also going to establish a partnership with the New York City Police Department through the local precinct Community Affairs Officer and through membership with NYPD SHIELD. (“NYPD SHIELD).  Finally, since the  perimeter of Acme Foods is bordered on one side by a creek, I am going to establish liaison with the U.S. Coast Guard at Station New York.  The creek is considered navigable waters and is therefore under Coast Guard jurisdiction.  Any observations of suspicious activities on these waters will be reported to the Coast Guard.

An example of this type of layered security approach is found in my present position.  I am the Director of Security at the MTA Consolidated Revenue Facility.  This facility processes over $2 billion annually, as it is the central repository for all subway, bus, bridge & tunnel, and railroad revenues.  Protection of this high security facility is maintain via a contracted armed guard force, and several layers of physical security, including steel mesh anti-climb fencing, over 600 CCTV cameras with minimum 60-day playback, Smart Card biometric access control, man traps, truck traps, crash rated wedge barriers, and written security policies, procedures and an emergency action plan.

Leave a Comment

Your email address will not be published. Required fields are marked *