Security layers: defence-in-depth
Mike Sopp examines how organisations can assess their vulnerabilities, with reference to BS ISO 31000, the Centre for the Protection of National Infrastructure (CPNI) operational requirements and the International Security Management Institute (ISMI), and looks at the importance of having several layers of security in place.
Effective security management requires the development of a security framework, understanding of the risks from identified security threats and the implementation of appropriate security solutions, commensurate with the risks and organisational vulnerabilities.
Typically, the security solutions required will consist of a combination of physical and procedural measures that aim to deter, detect, delay and disrupt any adversary so as to enable an appropriate response to be instigated.
However, a motivated adversary will try to exploit any weakness in the protective measures and as such, organisations will need to ensure that any weaknesses in the so-called adversarial path are identified and addressed to ensure the premises have security layers that provide defence-in-depth.
Principles of security
Security protection systems are normally based upon the following principles.
Deterrence of potential adversaries through measures that are perceived as being undesirable to defeat.
Detection of an adversary and verification of the action so as to initiate an appropriate response.
Delay of the adversary in reaching the asset to provide time for detection and response.
Disruption of the adversary through an appropriate response.
Together, these functions serve a further principle of security: the time of penetration must be greater than the time of detection plus the time of response, so that the security of the asset is not compromised.
Taking into account another principle, this being that there is no such thing as an impenetrable barrier, if an organisation bases its security system on a single layer such as a strong physical perimeter, this can be overcome, thereby leaving any assets (including personnel) vulnerable to adversarial action.
In the same way that a supply chain is only as strong as its weakest link, security measures will only be as strong as their weakest point. Therefore, as the CPNI states, “effective physical security of an asset is achieved by multi-layering the different measures, what is commonly referred to as defence-in-depth”.
The concept is based on the principle that the security of an asset is not significantly reduced by the loss of any single layer, thereby providing the necessary time to detect and respond to any adversarial action.
However, unlike some other risk disciplines (eg health and safety) there are limited regulatory “benchmarks” in the security sector that must be applied to manage risks to meet the “as low as reasonably practicable” criteria.
Adversarial paths and vulnerabilities
According to BS 16000:2015 Security Management: Strategic and Operational Guidelines, an organisation needs to “understand the threats and vulnerabilities it faces in order to determine the nature of the security programme and control measures”.
This will normally be achieved through the completion of a robust security risk assessment/analysis process. There is no one set approach to this but it can include the use of formal standards such as BS ISO 31000, the CPNI operational requirements approach or that ascribed by the ISMI.
As the CPNI highlights, “in order to achieve success, an adversary will attempt to identify and then exploit any perceived weakness within your protective security measures”. The latter two risk assessment approaches, in particular, take this into consideration.
ISMI, for example, expresses these vulnerabilities in terms of existing controls and their adequacy, while the CPNI suggests that, as part of the operational requirement approach, an organisation should identify where the assets are located and how these may be vulnerable to threats, linking this to the methods of attack, thereby determining what security measures may be necessary.
One method to link the vulnerabilities with adversary actions is to develop an adversary path or sequence diagram which is defined as “a means of graphically displaying paths that an adversary might take to accomplish his or her objective”.
In effect, the adversary path is a fault tree logic diagram that can be used to identify potential events along an adversary path that leads to the asset, linking these as necessary using “and/or” gates. Along that path, the security measures in place in the various layers through which the adversary will travel can then be identified and analysed for their adequacy.
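Added example (not part of the original article or of CPNI or ISMI guidance): the adversary path described above modelled as an and/or tree in Python, checking the principle that penetration time must exceed detection time plus response time, then re-checking with each single measure removed. The site layout, the times in seconds and the gate semantics (an AND gate sums delays, an OR gate takes the quickest alternative) are assumptions made for illustration.

```python
# Added illustration: names, times and gate semantics are assumptions,
# not values taken from CPNI, ISMI or BS ISO 31000 guidance.
from dataclasses import dataclass, field

@dataclass
class Event:
    """Leaf: one security measure the adversary must defeat (delay in seconds)."""
    name: str
    delay_s: float

@dataclass
class Gate:
    """AND: every child must be defeated in turn. OR: any one child suffices."""
    kind: str                                   # "and" or "or"
    children: list = field(default_factory=list)

def penetration_time(node, failed=frozenset()):
    """Shortest time to reach the asset through this subtree.
    Measures named in `failed` contribute no delay (a lost layer)."""
    if isinstance(node, Event):
        return 0.0 if node.name in failed else node.delay_s
    times = [penetration_time(child, failed) for child in node.children]
    if node.kind == "and":
        return sum(times)
    if node.kind == "or":
        return min(times)       # assume the adversary finds the weakest route
    raise ValueError(f"unknown gate kind: {node.kind!r}")

def leaves(node):
    """Names of every measure in the tree."""
    if isinstance(node, Event):
        return [node.name]
    return [name for child in node.children for name in leaves(child)]

def single_layer_failures(tree, detect_s, respond_s):
    """Measures whose loss alone breaks: penetration > detection + response."""
    budget = detect_s + respond_s
    return sorted(name for name in leaves(tree)
                  if penetration_time(tree, frozenset([name])) <= budget)

# Constructed site: perimeter, then either of two building entries, then the asset room.
SITE = Gate("and", [
    Event("perimeter fence", 120),
    Gate("or", [Event("main door", 90), Event("loading bay shutter", 60)]),
    Event("asset room door", 180),
])
```

With 30 seconds to detect and 180 seconds to respond, the intact path gives 360 seconds of delay, but single_layer_failures(SITE, 30, 180) returns ['asset room door']: losing that one measure drops the delay below the response budget, so that layer needs reinforcing before the design provides defence-in-depth.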
In larger premises, there are likely to be numerous adversary paths relating to a variety of assets. It is therefore essential that the most critical assets are given consideration. This may not necessarily be based upon the actual financial value of the assets but rather on their business criticality and the dependency of other assets on the asset under analysis.
To undertake this study, the CPNI recommends that a desktop approach can be taken as this will be an inclusive exercise where relevant stakeholders will have the opportunity to input into the analysis.
Having identified the adversarial paths and determined if vulnerabilities in the security layers exist, the organisation will need to determine what action is required to improve the security measures.
The purpose is to ensure that the security principles noted above are met but in doing so to ensure that the security controls are in balance and proportionate to the risk. As well as deterring, detecting and delaying, the layered security measures may also look to influence the adversary path/s so as to funnel or channel an adversary into an area where these principles are more effectively applied.
In terms of the security layers, the CPNI guidance identifies the following.
Beyond the perimeter of the site.
The perimeter of the site.
The area within the site.
The building/s in the site.
The assets in the building or area within the site.
For each of these, the CPNI provides advice as to how an adversary can be deterred, detected or delayed.
In terms of the first point, the CPNI defines the area beyond the site as information that can be obtained without breaching the site (eg through hostile surveillance), the area beyond the site where security measures can be projected and assets that are taken off site.
Therefore to address adversarial action, the CPNI makes recommendations, for example:
deny adversaries access to the information and other resources they require to conduct attack planning
detect hostile reconnaissance through the monitoring and detection of suspicious activities on the corporate website and visits to the asset
monitor the area beyond the perimeter enabling early detection and maximising delay time for an adversary to transition the ground.
The process would then lead onto the following layers where additional measures can be taken. This can include:
installing a security rated fence around the site
installing a perimeter intrusion detection system and CCTV camera system to detect and track an intrusion
reducing the effectiveness of an attack by ensuring key assets or buildings are not signposted in ways that would help an adversary
using both natural and man-made obstacles to slow progress
using intrusion detection systems on the outer fabric of the building to ensure detection occurs at the earliest opportunity.
As with any security system, the various layers of security will need to be kept under review to ensure their efficacy remains and also to take account of any changes in the security risk profile or to take account of any breaches that have occurred and the lessons learnt from those.
British Standards Institution, available at www.bsigroup.com
BS 16000:2015 Security Management: Strategic and Operational Guidelines
Centre for the Protection of National Infrastructure, available at www.cpni.gov.uk
Guide to Producing Operational Requirements for Security Measures
Mary Lynne Garcia: The Design and Evaluation of Physical Protection Systems
Last updated 7 February 2017