Vulnerability Assessments: First Step for Security System Design
By W. Douglas Fitzgerald And William B. Embree
The purpose of security systems is to protect people, business assets, and buildings or structures. In order for the security system to perform as intended, several questions must be asked: what is the most probable threat, what are the operation's most vulnerable points, what level of technology is compatible with the operation, and what is management's security and control philosophy.
Although security professionals have many of the technical answers for providing a relatively safe environment, it is important to merge this technical expertise with the operation and management of the facility or business type. The initial phase of implementing a security and control system at a treatment facility is conducting the vulnerability assessment. This assessment allows the security professional to gather all the background information necessary to design or modify a security system as well as answer the above questions.
There are three steps to conducting a vulnerability assessment: background information, site security assessment, and final analysis and recommendations.
BackgroundThe collection and review of the background information allows the security professional to become familiar with the facility and its operation. This general knowledge of the facility and operation help accomplish two objectives during the site assessment: review the effectiveness of existing precautionary systems; and develop concepts for improvements and modifications. It has been HDR's experience that including the operation representative in the site assessment allows the development of protection and monitoring concepts to more accurately accommodate the facility and operation.This example illustrates Crime Prevention Through Environmental Design (CPTED), where the pump station enclosure blends with the surrounding architecture.
The background information required for the vulnerability analysis is divided into physical, operational, and statistical. Physical information includes floor plans; site plans, staffing organization and job descriptions, and technical summary of the communication systems. Operational information includes company policies, operational procedures, existing security contracts, existing security plans, and description of the mission of the facility. Statistical information is obtained from reported crime incidents in the vicinity of the facility as well as operations reports. These reports could include customer complaint files, employee complaints, or other staff incidents.
Floor plans are used to gain a general understanding of the layout of the administrative office building, process areas, storage facilities, or maintenance areas. The site plan drawings indicate the boundaries of the facility, entrance points, and the various operating components. These operating components include the head works, aeration, filters, and tank farms. The site plans also offer the general arrangement of the various operating components as well as the general process flow of the operation and accessibility between operating areas. Reviewing this information allows the security professional to become familiar with the facility and the operation prior to visiting the site.
There are a number of real threats to facilities: criminal, malicious mischief, disgruntled employees or customers, and terrorism. A statistical background check identifies the various types of reported crimes in the vicinity of the facility. In light of recent events, terrorism cannot be disregarded, however, the impact of the facility and operation on a large scale (nationally or globally) must be taken into account to estimate the likelihood of internal or external terrorist threat.
Site Threat and Security AssessmentThe first step in conducting the site threat and security assessment is meeting with the management staff and other representatives of the operation. The purpose of this meeting is to discuss the management philosophy of the operation and define the goals and objectives for the security system or modifications. This provides the opportunity for the security professional to present various types of proven security technologies and their potential impacts on the operation. The ensuing discussion between the security experts and the facility management and operations team establishes the basic security approach, which is then applied during the facility and site inspection.The security professional should also present the crime statistics in the vicinity of the facility. The security professional's experience in law enforcement, crime prevention, design and implementation, or other security-related background provides valuable insight to the discussion. In addition, the operations- and facility management should state their perceived threat from employees or customers. As discussed above, terrorist threat cannot be discounted. This joint discussion ultimately provides the general threat assessment that makes the most practical sense. It is important to define the real potential threat to the operation, as it is impossible to defend against everything.
This example shows a head-works area that has not been secured against unauthorized personnel.
As part of this discussion, the operations and management team needs to identify the "mission critical" components of the facility or operation. Mission critical means those operations or components that would render the facility inoperable or would be very costly to bring the operation back on line. The safety and welfare of employees and staff is always of utmost importance. Therefore, in addition to staff, mission critical could be information and data, communications, power, chemical or operating components. Although some components may not be critical to the operation of the facility, failure or damage may pose a severe threat to the community.
Security of facilities or operations is designed in concentric circles. The site assessment begins with the perimeter of the facility. Each entry point to the facility is reviewed to determine its necessity and frequency of use. In addition the ability of the gate or fence to be scaled is also reviewed. There may be physical precautions that can be applied to the fence line that will impede ascension by an intruder. In addition, monitoring devices can be installed that will alarm if an unauthorized person enters the monitoring zone.
The primary entrances to the facility are also reviewed. If possible all access to the main entrance and parking facilities should be controlled. All employees and staff should be monitored as well as visitors. The parking area of the facility also should be monitored. This precaution not only helps monitor potential threats but also provides additional safety for employees, staff and visitors.
Crime Prevention Through Environmental Design (CPTED) methods are also proposed for the exterior of the facility. These methods employ protection by eliminating intruder access or hiding assets by landscaping or architectural treatment.
The next level of security is entrance into the administration building or operating area. The type of security implemented will depend on the established security philosophy. Security personnel could be used to monitor and control access, or other electronic means of security control could be used. The final layer of security is around the asset itself. This could be offices, computer server rooms, vaults, equipment, chemical storage, etc. Secure entrances allow only authorized personnel to enter and record each event. Areas around the asset can also be protected by monitoring equipment such as cameras or motion detection.
Photo documentation of all areas of the site perimeter, operating areas, building treatments, and interior areas is an important part of the site assessment. This information not only helps to assess the appropriate security measure it also aids in the design of the system to be implemented.
Staff interviews are another important component of the site assessment. These interviews help accomplish two goals: to better understand the performance of the existing system and determine the employees' general understanding of the use and intent of security systems. This knowledge helps in the final design of the new system or modification, and also helps to design the training program for employees and staff in the understanding and use of the new system.
Security AnalysisThe site assessment completes all the information needed to propose the security system applicable to the facility and the operation. Based on the security philosophy established at the site assessment meeting, several conceptual systems should be presented. Each alternative should be defined in terms of its intended function and the estimated capital, construction, and operating costs. Each option should be balanced with the established security philosophy and goals as well as the implementation budget.A draft report should be provided to the operator for initial review. A workshop should then be scheduled to discuss the conclusions of the assessment and review the various proposed options. Comments and direction from this workshop are then merged into the report. A final report is then submitted with full documentation and alternative recommendations for implementation. It is the facility operator's ultimate responsibility to select the security system to be designed for the operation.
ConclusionThe vulnerability assessment is a critical first step toward designing and implementing a new or modified security system for existing facilities. This process allows the security experts to merge their expertise with the knowledge of the operator. The result is the design basis for a new system that is consistent with the goals and objectives of the facility's management within their budget constraints.About the Authors: W. Douglas Fitzgerald is a senior vice president and director of security and technology services for HDR, one of the U.S.'s largest employee-owned firms providing architecture, engineering, consulting and project development services. He is a nationally recognized leader in the design and integration of security systems with more than 20 years of experience, including anti- and counter-terrorism protection for government facilities around the world. He currently serves on the American Society for Industrial Security's Security Architecture and Engineering Council. He has been widely published and is a sought-after lecturer. William B. Embree is the operations manager of security and technology services for HDR. He is a mechanical engineer with experience in site assessment for a wide range of public works projects including wastewater and solid waste. His articles have appeared in Public Works and American City and County.
