Martin Grigg of PTS Consulting discusses the security challenges within a high-security environment and proposes a solution to identify and mitigate the risks associated with an insider threat.
Modern thinking appreciates that an integrated approach to security provides a far better solution than just having layers of different technologies. A succession of physical barriers coupled with detection technology and video surveillance for verification goes a long way to putting off an assailant. These layers of technology provide an increased ‘defence in depth’ and using systems in a ‘double knock’ configuration will provide an increased efficiency through verified detection. However, when security is critical to national and international safety, is a linear integrated approach strong enough to cope?
Network infrastructure, physical protection systems and cyber security go hand-in-hand as part of a cohesive scheme. But the people involved and the procedures that they follow are just as important in this integration. Having control room operators, response teams and the command structure in place to effectively analyse and deal with an incident is critical to the success of a high-security facility. However, it’s not just the security teams that need to be considered, everybody in an organisation must be integral to the scheme; security culture needs to run deep. And remember, it is these same people that pose one of the most difficult challenges to protecting a facility – the insider threat.
With the digital shift of security technology and process instrumentation to IP-based systems, the risk of cyber-attack increases significantly. Traditionally, these systems were analogue and isolated but now that they reside in the digital space they are subject to the same vulnerabilities as every other networked device. It has been proved that viruses, Trojans, worms and other malicious applications now have the capability to jump air gaps which means that isolated networks are not safe from attack either. The combination of physical, procedural, data and network security provides a greater resilience to the current trend of ‘blended’ attacks.
Defence in depth and changing threat horizons
To maximise the efficiency and effectiveness of a security system, a multiple layered and integrated approach is necessary. An adversary must defeat or avoid a number of protective measures in sequence to succeed. This complicated web of procedures, barriers and technology is referred to as ‘defence in depth’. Defence in depth will increase an adversary’s uncertainty about system design and their ability to overcome it. They will require more extensive preparations and equipment to defeat the system. Defence in depth creates additional steps where an adversary may fail or abort their mission.
If we take a closer look at a basic layered approachto security, an external adversary would be hindered by the policies and procedures, the perimeter fences, recruitment checks and so on. But an insider could bypass many of these layers by simply having the authority to do so and the knowledge of the systems that are in place. For this reason defence in depth needs to be very deep and fully integrated to mitigate this insider threat.
Being in the business of critical national infrastructure or any other sector that demands high-security means that organisations must have highly effective security measures in place to protect all of their activities. These measures must keep up with the changing threat horizon and the technology developments that people with malicious intent have access to. Therefore the use of modern integrated security systems that meet the operational and resilience needs of an organisation has to be considered. With this in mind it is important that a security design team ensure that their strategies are not hindered by historic or legacy solutions and that the new designs are relevant to the next generation of infrastructure and the ever-evolving threats that may target it.
It is not uncommon to find security operations and some command-and-control centres using paper-based processes and not sharing information. Business divisions and IT units rarely have access to data in security departments and vice versa. Events are often managed separately in operational isolation across an organisation.
Physical security information management (PSIM) systems can be used to produce better situational awareness, prompting better security and operational decisions. PSIM software produces useful information by bringing together video, alarm and sensor data, which improves situational awareness and makes incident responses more efficient. However, the inclusion of integrated data analysis significantly multiplies the power of the security system beyond that of what is happening now.
“Integrated data analytics presumes that data are being brought together from different functional and business areas so that new insights can be established by monitoring trends across traditional functional boundaries.” - WINS (World Institute for Nuclear Security) Special Publication on Data Analytics for Nuclear Security (2015)
Data sources to be considered might be from:
· Human Resources
· Medical Files
· Safety Operations
· Emails/Phone Records
· Material Audits
· Engineering and Maintenance
· Quality Control
· Supply Chain
Any one of the above data sources could indicate a potential safety or security threat that ordinarily would only be viewed in isolation and therefore possibly missed. Putting the obvious privacy issues to one side, integrated data analysis may highlight a personal motive and a corridor of opportunity being opened.
Insider threats and inter-departmental data sharing
An extreme – and imaginary – scenario to demonstrate the potential benefits of integrated data analysis might be that an employee with a grievance that has been highlighted to the human resources department might be showing signs of an addiction within his medical records. The same employee has been identified by the access control system as trying to enter an area where he would not be authorised to go, and in addition to this, the engineering and maintenance records for critical equipment show that this employee already has access to highly sensitive information. This hypothetical scenario demonstrates the ability to get an early detection of a potential security threat. Integrating and analysing data from different departments will help the security team visualise a bigger picture than they have seen before. This integration and analysis tackles one of the hardest security conundrums - the insider threat.
An inter-department data sharing process can allow for the bi-directional exchange of information to benefit the organisation. As storage costs decrease, many departments are streaming large quantities of data into their silos without necessarily analysing it. Analysis of latent data will often not only protect against major security breaches but can also monitor staff behaviour and movements. The same bi-directional communication means that investment in security can be leveraged to create powerful new business tools. For example, combining training records with access control permissions will ensure that a contractor is not only authorised to enter an area but that their training for the equipment in that area is still valid.
Physical security information management emerged as a concept because security end-users wanted better management of their security information. They wanted to be able to do with security data what every other business unit does with the data from their own units – that is, to make intelligent business decisions. The PSIM system will aggregate, correlate and analyse data from various sources, including alarms, environmental sensors, intrusion-detection systems and video surveillance but will it analyse data from other business units?
High-security to tackle high-consequence risks mandates integration of data sets
The proposition of this article is that in cases where high-security systems are required to mitigate the risks of high-consequence events, it may be necessary to tackle the privacy issues head-on and integrate data sets from other parts of an organisation. Combining this with accumulated intelligence and sensor information will dramatically increase the capability to identify anomalous behavior or predict an event occurrence. It is strongly recommended that organisations engage with external consultants that have experience in network integration, database management, data analysis as well as the traditional security disciplines of technology deployment and procedural response. It is equally important that consultants are independent and external to the organisation because this will remove any departmental bias and elements of ‘this is how it’s always been done’. An independent consultant will provide a vendor-neutral and unbiased approach to developing a proportional solution to the risks posed by an insider threat. Presenting this wealth of information to a human data analyst in a meaningful way and combined with a true PSIM solution will provide a better, more flexible and much more powerful way of identifying and managing security risks than a traditional command centre solution.
About the Author
Martin Grigg is a lecturer and technical author, as well as being a Principal Consultant at PTS Consulting Group whose physical security practice offers services that include threat & vulnerability assessments, security master planning and physical security design and consultation. PTS Consulting Group is an independent management and Information Technology company employing over 400 technical delivery specialists from 18 offices in ten countries. The Group has over 3,500 clients and has delivered in excess of 10,000 projects globally.
For further information please visit www.ptsconsulting.com
