Access Control Solutions for Critical Infrastructure and High Security Applications
Special Focus Access Control: More Critical Than Ever
Any technology that is applied to protect such locations can itself often be faced with some unusual challenges: high levels of dust and moisture – think roadside equipment; extremes of temperature – think mountaintop installations; strong electromagnetic fields – think electricity sub-stations; corrosive atmospheres – think water treatment plants, or high levels of vibration or mechanical shock – think railway trackside equipment. As well as being physical, the challenges can also be digital, financial or regulatory, accidental, malicious, or coincidental. We concentrate here on the first category and mention below some manufacturers of equipment who have products specifically designed to tolerate such conditions and nevertheless provide reliable service.
Simple Remote Sites
The increasing availability and usage of encrypted LoRa (long range, low power wireless) has solved a long-standing problem for the IT and security departments of utility companies. Whereas they might earlier have had to build and maintain an expensive microwave network between sites to reach outlying locations – whose capacity was seriously underutilized – the advent of effective long-range radio networks to transport low volume data means that utilities’ equipment can be security monitored, operationally monitored, and controlled with a lot less infrastructure than was previously required. But physical access even to that equipment must still be secure and yet easy for authorized technicians. For example, some of the Uhlmann & Zacher electronic door handle, electronic knob, and wall reader products are built for just such use outdoors. In America, the experience of chilly North Dakota-based New Vision Security Systems will greatly benefit customers with critical infrastructure to protect. And while we’re in the USA, the National Institute of Standards and Technology (NIST) has produced a very helpful White Paper specifically covering Identity and Access Management for Electric Utilities – link below – that can also by applied to other utilities and high-security locations.
Computer and Colocation Centers
A world without the Internet and the nebulous Cloud would be unthinkable nowadays. And yet, this ‘thing’ exists only in virtual form, spread across thousands of locations around the world in whirring buildings. These must obviously be secure locations, but surprisingly and in spite of their obvious importance, they are not necessarily considered as ‘critical infrastructure’ in every country. Their owners are often not their operators, and they in turn are normally not the clients or end-users of the equipment that is housed there. So a clear division of responsibility and defined lines of demarcation are essential to be sure of who is taking responsibility for each aspect of security. Someone has responsibility to ensure that supervised access – both physical and electronic – to racks of servers and transmission equipment is working effectively 24/7. So we see a mix of employees, contractors and – very occasionally – visitors within the site.
We have to accept that a concentrated attack on such infrastructure installations will probably succeed when an overwhelming amount of force used, and this cannot be considered under the ‘normal’ security planning. This ‘worst-case scenario’ of the loss of resources at a particular location forms the bottom line of the overall security concept, but leads on of course to the separate plan for recovery and repair. In such cases, having the right personnel available quickly and without having to worry about further security issues is essential, so do not delay the preparatory work of installing a flexible but secure access control system that can suddenly cope with unusual hours of work by both employees and external contractors.
What a Shock
Our good friend from the kitchen, the onion, serves well to visualize the multi-layer active security risk management concept that we need to protect anything other than the simplest building. At the perimeter of the site there should be a physical barrier – a fence – high enough and painful enough to deter scaling. Best of all, this can be equipped with motion and damage detection, for example the VibraTek system from Detection Technologies or the fiberoptic-based FiberPatrol product from EAS. Alternatively you can go the whole hog and electrify the fence, but we do urge you to check that this is legal at your location before doing so! Advanced Perimeter Systems in Scotland can literally empower your site with a well thought-out electric fencing solution.
Where visible physical barriers are either impractical or unwanted, invisible infra-red, microwave or radar barriers can immediately detect intruders and trigger lights, sirens, or the dog-handler. The Micro-Ray linear mW barrier from CIAS is one such product, while a solar-powered alternative called Solaris is available from the French manufacturer Sorhea. The columns from Sicurit can incorporate dual detection technology, to be sure of correct detection and a minimum of false alarms.
To actually enter a building, after personal, face-to-face recognition, some sort of electronic access control credential should open the first of a number of access control points. Today you can use a card, a fob/token, an electronic key, a mobile phone or other device that reacts over a short distance using RFID, Bluetooth low-energy or, if preferred, only by actual contact with a reader. Choose from the wide range of systems now on the market, for example from Assa Abloy, Salto Systems or SimonsVoss.
One At A Time Please
Although tradesmen with ladders abhor them, an interlocking door or ‘man trap’ provides a very secure method of restricting personal access and totally prevents any sort of rushed attack. The Swedish manufacturer Gunnebo is one whose CompacSas single person entry/exit products might be of interest to you; the Clearlock, Revlock or Interlock security door series from Automatic Systems of Belgium might also be too.
Deeper within the building, the same credential used at the building entrance can form one of a two-part authorization system for enhanced security. The second check could be
a – nowadays quite common –fingerprint scan for example, or even a special iris, retina, or hand vein scan for higher security situations. You could get in contact with Nedap Security here whose AEOS access control system is an open platform that already integrates well with many other specialist systems to provide tailor-made solutions to specific security situations.
Within the security control room where staff are present 24/7, indoor and outdoor surveillance cameras are monitored both by people and also by pattern recognition algorithms for unusual activity, even at far away sites. The power of software to detect unusual situations without raising false alarms grows year by year. This can be experienced first-hand in the systems from Geutebrück for example, whose wide range of cameras and indoor components ensure that no part of a site goes unwatched, day or night, come rain or shine. Their video content analysis is trained to raise the alarm only when required and to ignore the trees waving in the wind. Dallmeier’s Panomera cameras and extensive video analysis portfolio could also be of interest to you here, with some interesting downloads on the subject available from their website.
Don’t Forget the Roof
While we might have secured a building at ground level, a not so uncommon way of unauthorized entry is via the roof. One or more cameras from the suppliers mentioned above, equipped with content analysis software, will give an early warning of unusual activity there day or night, in particular of tampering with roof-mounted HVAC or communications equipment. A less obvious but equally effective detection method is using infra-red beams, for example with the RLS detector series from Optex in Japan. Secure skylights from Velux, for example, will also stall and deter any break-in attempt from above, and a rolling shutter will add an extra level both of security and comfort.
There are a number of recommendations and standards that apply to the security of certain special installations, any or all of which might apply to your particular operation, and there may be more that we have not mentioned here. For example, data centers in Europe should be constructed, secured and their availability ensured in accordance with the latest iteration of EN 50600-2-5:2021. The ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC TS 30104:2015 addresses physical security attacks directed against hardware, provides guidance on principles, best practices and techniques of tamper protection mechanisms as well as mitigation guidance and evaluation of hardware tamper protection mechanisms. ASIS has just released a revised and very helpful Physical Asset Protection standard, while the New Zealand government has issued its expectations of security measures in a well-structured PSR document. The European Union’s EPCIP program (European Program for Critical Infrastructure Protection) aims to reduce the vulnerabilities of critical infrastructure through a package of measures across Europe. How effective this has been since its initiation in 2004 will no doubt be kept a closely guarded secret.
The Human Factor
In quieter times, an attack on critical infrastructure may be a lot more subtle. Personnel are people, people are normally honest, and honesty can be compromised. It is good practice to regularly check that all is well at a social level with the staff who are entrusted to operate and maintain critical infrastructure. They should be able to communicate any problems to their superiors easily and without fear of retribution. And there should also be a way for staff to communicate a potential problem of blackmail using a ‘silent alarm’, be that through their choice of words or, when it comes to operating equipment, by using a pre-agreed sequence or code. For example, access control equipment can be programmed with two codes, both of which will open a door, but one of them will activate a silent alarm if they are being forced to provide access unwillingly. Getting a grip on the personnel side of security is a specialty of Privatismus, a consultancy for personal and business protection. Mobius International also offer anti-bribery management systems as well as a risk and vulnerability assessment service and could turn up some surprises.
In summary, protection of critical infrastructure should be multi-layer and multi-disciplinary. The right combination of measures will, as usual, be different for each client and for each location. With this article we hope to have stirred your imagination, and possibly to have alerted you to potential weak points in your own security concept. The topics above are, of course, not exhaustive, but GIT SECURITY will continue to address these and other related security topics in forthcoming issues.
NIST publication: Identity and Access Management for Electric Utilities: www.nist.gov/publications/identity-and-access-management-electric-utilities
Advanced Perimeter Systems · www.advancedperimetersystems.com
ASIS · www.asisonline.org
Automatic Systems · www.automatic-systems.com
CIAS · www.cias.it
Dallmeier · www.dallmeier.com
Detection Technologies · www.detection-technologies.com
Dormakaba · www.dormakaba.com
EAS · www.eas-pr.com
Geutebrück · www.geutebrueck.com
Gunnebo · www.gunnebo.com
Hikvision · www.hikvision.com
LoRa · www.lora-alliance.org
Mobius · www.mobius.international
Nedap · www.nedapsecurity.com
New Vision · www.newvisionnd.com
Optex · www.optex.co.jp
Privatismus · www.privatimus.com
Salto Systems · www.saltosystems.com
Sicurit · www.sicurit.it
SimonsVoss · www.simons-voss.com
Sorhea · www.sorhea.com
Uhlmann & Zacher · www.uundz.com
1625 Prince Street
+49 2303 553 4040
Via Durando 38
+49 941 8700 0
+49 941 8700 180
Im Nassen 7-9
Tel: +49 26 45 137 - 0
Post Box 5181
+46 31 836800
+46 31 836810
Dirk Storklaan 3
2132 PX Hoofddorp
+31 (0) 23 554 2770
+31 (0)23 5631112
+31 544 471 627
*OPTEX (Europe) Ltd. - EMEA Headquarters
Unit 13, Cordwallis Park, Clivemont Road
SL6 7BZ Maidenhead
Polígono Lanbarren, C/ Arkotz, 9
Via Gadames 91
+49 89 99228 0
+49 89 99228 222
1 rue du Dauphiné, CS 90323
Cedex , France
+33 4 78 03 06 10
+49 931 40672 0
+49 931 40672 99