1
Principles of Security
SAND No C Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
2
Objectives
Review the Definition and Objective of Security
First Steps - Security Awareness
Describe four Principles of Security
Impart the importance of Performance-Based Security
Provide a Model for a Systematic Approach to Security
3
What is security?
4
Security Definition Security is:
a combination of technical and administrative controls to deter, detect, delay, and respond to an intentional, malevolent event
5
Security Objective
Security intends to prevent intentional acts which could result in unacceptable consequences
  Death/Severe Injury
  Chemical contamination
    People
    Environment
  Political Instability
  Economic Loss
  Industrial capacity loss
  Negative public psychological effect
  Adverse media coverage
6
Process Security is Similar to Process Safety
[Figure labels: Hazards; Cause; Deviation; Prevention; Impacts; Loss Event; Mitigation; Regain control or shut down; Mitigated; Unmitigated]
7
First Steps in Chemical Security: Low Cost Principles
Chemical Security Awareness
  Property - Vehicles - Information - Personnel
  Work Area - Changes
  Behavior - Suspicious
  Procedures - Followed
Access Controls
  Have (credential), Know (PIN), Are (biometric*)
  Manual (guards), Automated (machines)
* Can be expensive
8
Basic Security Awareness
Work area changes
  Hole in fence
  Suspicious packages
  Inventory discrepancy
  Door unlocked
Symptoms of the behavior of others who are attempting to compromise security
  Elicitation
  Surveillance
  Ordering supplies
From DHS Chemical Security Awareness:
  Bomb threat dialogue
  Suspicious package
  No badge
  Taking pictures of security camera/system
  Looking in dumpster
  Hole in fence
  Piggy back through (use own pass)
  Inventory discrepancy
  Confirming user name over phone
  No details about work - names - schedules - layout - change subject
  Leaving workstation unsecured - fire alarm
  Leaving sensitive document
  YOU are the first responder
  MTSA CFR 33 part 104, 105 - port, 106 - offshore
  Marsec level security measures increase
  Perimeter - monitoring - cargo - movement of personnel.
Security awareness is the first step to making your facility safe from malevolent acts
Source: DHS Chemical Security Awareness Training
9
Awareness- Suspicious Behaviors
Testing security - walking into, wait for discovery
Mapping, loitering, staging vehicles
Taking pictures of security system
Looking in dumpster
Trying to enter on your credential
Asking for user name over the phone or by
Asking about plant layout - workers' names - schedules
From DHS Chemical Security Awareness
Source: DHS Chemical Security Awareness Training
10
Security Involves Systematic Diligence- even in Small Things
Missing badge
Leaving workstation unsecured - fire alarm
Leaving sensitive document
Bypassing security
Know what to do - who to call
Communicate anything unusual to supervisor
Remember - YOU are the first responder
From DHS Chemical Security Awareness - similar to safety
Source: DHS Chemical Security Awareness Training
11
Access Control Integrated with Areas and People
[Figure labels: HAZARD; Owner Controlled Area; Restricted Area; Vital Area]
Plant locations
  Administration
  Control rooms
  Server rooms
  Switchgear
  Process Units
  Rail / truck yards
  Stores
Plant employees
  Administration / Engineering
  Operations
  Computer specialists
  Control room operator
  Process interface
  Shipping and receiving
  Maintenance
  Security / Safety
  Special employees
12
Features of a Good Entry Control System
Integration with boundary
  Cannot be bypassed
  Block individuals until access authorization verified
  Interfaces with the alarm system
Integration with the guards/response force
  Protects guard
  Area is under surveillance
Personnel integrate with system
  Easy to use for entry and exit
  Accommodates peak throughput (loads)
  Accommodates special cases
Slide Purpose: Discuss features for a good entry control system.
Instructor Notes: There are some general good features of an entry control system. Protecting the guard at the entry portal is important. If the adversary tactic is to overpower the guard and simply move through the door, then he will be successful if the guard is not in a protected position. In addition, the entry portal should be under surveillance by the central alarm station at all times so that if an adversary attempts to force entry, the response force can be called. There are always some people who cannot use an entry control system and therefore a PPS must have a secondary inspection station to accommodate these people. Secondary inspection must be provided for people who cannot pass through the first time (this is actually assessment of a nuisance alarm). It is desired that all entry control portals use video cameras to provide assessment and surveillance by the central monitoring station.
13
Types of Personnel Entry Control
Personnel Authorization Verification Manual (Protective Force Guards) Have - Credential (Photo) Automated (Machines) (Coded) Know - Memorized Number (PIN) Are - Personal Characteristics (Biometric) Exchange
14
What Kinds of Chemical Facilities Need Security?
Potential consequence severity will determine which facilities need to be secured
Small-scale research laboratories
  Many different chemicals used in small amounts
Large-scale manufacturing plants
  Limited types of chemicals used in large amounts
15
Chemical Industry Security Based on Release, Theft and Sabotage
Risk to public health & safety release
  In-situ release of toxic chemicals
  In-situ release and ignition of flammable chemicals
  In-situ release/detonation of explosive chemicals
Potential targets for theft or diversion
  Chemical weapons and precursors
  Weapons of mass effect (toxic inhalation hazards)
  IED precursors
Reactive and stored in transportation containers
  Chemicals that react with water to generate toxic gases
Source: DHS Chemical Security
16
Principles of Physical Security
General Principles followed to help ensure effective, appropriate security
  Defense in Depth
  Balanced Security
  Integrated Security
  Managed Risk
17
Principle 1: Defense in Depth
Layers
  Physical
  Administrative and Programmatic
Deterrence Program
Pre-Event Intelligence
Personnel Reliability
Physical Security
Mitigation of Consequences
18
Principle 2: Balanced Protection
Physical Layers
Adversary Scenarios
  Adversary paths (physical)
[Figure labels: Protected Area; Controlled Room; Controlled Building; Target Enclosure; Path 2; Path 1]
19
Balanced Protection
Each path is composed of many protection elements
  Walls, fences, sensors, cameras, access controls, etc.
Protection elements each possess delay and detection components
For example:
  Fence delays adversary 20 seconds and provides a 50% likelihood that adversary is detected
  Wall delays adversary 120 seconds and provides a 10% likelihood of detection
  Guard delays adversary 20 seconds and provides a 30% likelihood of detection
Balanced protection objective: for every possible adversary path, the cumulative detection and delay encountered along the path will be similar regardless of adversary path
NO WEAK PATH
20
Principle 3: System Integration
Detection alerts Response
Access Delay slows the adversary to provide time for Response
Response prevents the consequence
21
Integrated Security
Contribution to security system of each component can be reduced to its contribution to:
  Detection of adversary or malevolent event
  Delay of adversary
  Response to adversary
Integrated security evaluates composite contribution of all components to these three elements
  Assures that overall detection is sufficient and precedes delay
  Assures that adversary delay time exceeds expected response time
  Assures that response capability is greater than expected adversary
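An added example, not part of the original slides: it scores two adversary paths for the Balanced Protection objective (cumulative delay and detection) and for the Integrated Security check that detection comes while the remaining delay still exceeds the response time. The fence, wall and guard figures are the ones on the Balanced Protection slide; the two path layouts, the 90-second response time, and the assumptions that detection chances are independent and that an element's own delay counts once detection occurs there are constructed for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Element:
    name: str
    delay_s: float   # seconds of delay the element imposes
    p_detect: float  # likelihood the adversary is detected at this element


# Element figures taken from the Balanced Protection slide.
FENCE = Element("fence", 20, 0.50)
WALL = Element("wall", 120, 0.10)
GUARD = Element("guard", 20, 0.30)

# Constructed layouts (assumption): same elements, different order.
PATHS = {
    "path 1": [FENCE, WALL, GUARD],
    "path 2": [WALL, GUARD, FENCE],
}
RESPONSE_S = 90  # constructed response-force arrival time, in seconds


def total_delay(path):
    return sum(e.delay_s for e in path)


def p_detect_anywhere(path):
    """Cumulative detection, assuming independent detection chances."""
    return 1.0 - prod(1.0 - e.p_detect for e in path)


def p_timely_detection(path, response_s):
    """Chance of detection while enough delay still lies ahead of the
    adversary for the response to arrive (detection precedes delay)."""
    remaining = total_delay(path)
    p_missed = 1.0
    for e in path:
        if remaining < response_s:
            break  # detection from here on comes too late to matter
        p_missed *= 1.0 - e.p_detect
        remaining -= e.delay_s
    return 1.0 - p_missed


def analyse(paths, response_s):
    return {
        name: {
            "delay_s": total_delay(path),
            "p_detect": p_detect_anywhere(path),
            "p_timely": p_timely_detection(path, response_s),
        }
        for name, path in paths.items()
    }


def weakest_path(paths, response_s):
    """Name of the path with the lowest timely-detection probability."""
    report = analyse(paths, response_s)
    return min(report, key=lambda name: report[name]["p_timely"])


if __name__ == "__main__":
    for name, row in analyse(PATHS, RESPONSE_S).items():
        print(f"{name}: delay={row['delay_s']}s "
              f"P(detect)={row['p_detect']:.3f} P(timely)={row['p_timely']:.2f}")
    print("weakest:", weakest_path(PATHS, RESPONSE_S))
```

Both constructed paths have the same cumulative delay and the same cumulative detection, yet path 2 is the weak path because most of its detection comes after the bulk of its delay has been spent.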
22
Principle 4: Managed Risk
How much Security is enough ??? Cost of Security Benefit of Security
23
Managed Risk
Benefit of Security is Reduced Risk
What is Risk?
  Risk = Consequence Severity * Probability of Consequence
What is Security Risk?
  Probability of Consequence Occurrence = Frequency of attempted event x Probability of successful attempt
  Probability of successful attempt is 1 - Probability of security system effectiveness
24
Managed Risk
[Figure: Risk (0.0 to 1.0) plotted against Cost of Security]
The benefit (risk reduction) increases with increased security investment (cost)
However, there is a point where the increased benefit does not justify the increased cost
25
Managed Risk
How much Security is enough ???
Government Decision based on Managed Risk
[Figure labels: Cost of Security; Level of Risk acceptable]
Risks are managed holistically across spectrum of industries for risk to public and to national security.
Managing risks permits prioritizing and justifying allocation of resources.
Provides sufficient confidence that materials appropriately protected
26
Objectives
Review the Definition and Objective of Security
First Steps - Security Awareness
Describe Four Principles of Security
Impart the Importance of Performance-Based Security
Provide a Model for a Systematic Approach to Security
27
Performance-Based Security
Requirements Driven Engineering Principles used for Security
  What are requirements for system?
  What are constraints of system?
Like any engineered system, security is developed following an engineering approach where constraints and requirements are optimized. Constraints might include operational conditions, cost, etc. Requirements might include loads, frequencies, lifetime, etc.
28
Requirements-Driven Security
Design Constraints
  Understand Operational Conditions
Design Requirements
  Consequences to be prevented
  Identify Targets to be protected
  Define Threats against which targets will be protected
29
Operational Conditions
Characterize the facility considering:
  Mission
  Operations
  Budget
  Safety
  Legal Issues
  Regulatory Issues
Facility characterization includes all of the terms listed on this slide and the next. This is information that must be known about a facility before any PPS Design and then subsequent Analysis can be started. It will be important to understand the mission or products of the facility. This gives indications of assets to be protected. Operations must be understood, so we design a PPS that will protect but minimize impact on the work of the facility. Clearly, the design must be affordable to the facility. We need to understand safety issues at the site and not allow the PPS to compromise this. Legal issues are another consideration of the PPS design. We don’t want to violate any legal requirements when we implement the system. In a similar manner, regulatory issues are another important concern when proposing a design.
30
Target Identification
What are the unacceptable consequences to be prevented?
  Death/Severe Injury
  Chemical contamination
    People
    Environment
  Political Instability
  Economic Loss
  Industrial capacity loss
  Negative public psychological effect
  Adverse media coverage
Next, we need to understand something about the assets that are being protected. Targets are usually identified based on the consequence of their loss and on the adversary goal. Certain assets may be sabotage targets, while others may be theft targets. Occasionally, a target will seem to be both (perhaps a chemical agent is stolen from a research facility and then released at a shopping mall). In this course, a theft event is considered removing the asset from the controlled area, and sabotage is doing something with the asset at the facility or somewhere else. If looking at sabotage targets, then you must identify the vital areas where sabotage may be caused by an adversary. If theft is the goal, you must identify the location of material or information. It is also important to note that once a piece of information has been identified as critical, it must be protected in all forms: paper, electronic, in the brain, etc. If all forms are not protected equally, the target is vulnerable.
31
Target Identification
What are possible sources of unacceptable consequences?
  Dispersal
    Identify areas to protect
  Theft
    Identify material to protect
32
Target Identification
Characterize Types of Targets
  Form
  Storage manner and location
  Flow of chemicals
Vulnerability of Chemicals
  Flammable
  Explosive
  Caustic
Criticality / Effect
Access / Vulnerability
Recoverability / Redundancy
Vulnerability
Just going to give a brief overview here. There is a lot of work that has been done. Most of it is probably too complicated for an academic environment, but some of the ideas should be useful.
33
Define the Threats The Art of War, Sun Tse
If you know neither yourself nor your enemies, you will lose most of the time
If you know yourself, but not your enemies, you will win 50%
If you know yourself and your enemies, you will win most of the time
Knowing your threats permits proper preparation
34
The Physical Protection System Must Have a Basis for Design
Threat Assessment: An evaluation of the threats, based on available intelligence, law enforcement, and open source information, that describes the motivations, intentions, and capabilities of these threats
Design Basis Threat: A policy document used to establish performance criteria for a physical protection system (PPS). It is based on the results of threat assessments as well as other policy considerations
35
Define the Threats In physical security:
Knowing adversary permits customizing security to maximize effectiveness
As adversary not known, develop hypothetical adversary to customize security
Hypothetical adversary description should be influenced by actual threat data
36
Design Basis Threat
A Design Basis Threat (DBT) is a formalized approach to developing threat-based design criteria
DBT consists of the attributes and characteristics of potential adversaries. These attributes and characteristics are used as criteria to develop a customized security system design.
The DBT is typically defined at a national level for a State.
At the facility level, also:
  Consider local threats
    Local criminals, terrorists, protestors
  Consider insider threats
    Employees and others with access
37
Objectives
Review the Definition and Objective of Security
First Steps - Security Awareness
Describe the Principles of Security
Impart the Importance of Performance-Based Security
Provide a Model for a Systematic Approach to Security
38
Model: Design and Evaluation Process Outline (DEPO)
[Figure: Process of PPS Design and Evaluation. Labels by group:
  Define PPS Requirements: Facility Characterization; Threat Definition DBT; Target Identification - Vital Areas
  Characterize PPS (Physical Protection Systems):
    Detection: Intrusion Detection Systems; Alarm Assessment; Alarm Communication & Display; Entry Control; Contraband and Explosives
    Access Delay: Vehicle Barriers; Stand-Off Protection; Fences; Target Task Time
    Response: Weaponry; Communications; Tactics; Backup Forces; Training; Night Fighting Capability
  Evaluate PPS (Evaluation of PPS): Gathering Performance Data; Scenario and Path Analysis - LSPTs; Overpressure Analysis; JCATS Simulations; ASSESS VA Model; Blast Simulations; Insider Analysis - Personnel Reliability; Risk Evaluation; Cost Benefit Analysis
  Accept Risk; Upgrades]
Threat definition is a very important part of the process. Some say it is the most important part of the process, because if you do not know who you are protecting against, how can you design a protection system? Be sure to note that security systems are designed against malevolent human threats. Security systems do not protect against acts of God, nature, or accidents. These events fall more into abnormal conditions or the safety environment. You can imagine that perhaps the most difficult combination to defend against is collusion between an insider and violent outsider. An insider can be passive (give information) or active (open doors) or violent (shoot plant guards), and if this is accomplished in conjunction with an outsider, the facility could be very vulnerable.
39
Detect Adversary
Technology
  Intrusion Detection
  Entry Control
  Contraband Detection
  Unauthorized Action Detection
Supporting elements
  Alarm Assessment
  Alarm Communication
  Alarm Annunciation
40
Delay Adversary
Delay Definition:
The element of a physical protection system designed to slow an adversary after they have been detected by use of
  Walls, fences
  Activated delays - foams, smoke, entanglement
  Responders
Delay is effective only after there is first sensing that initiates a response
41
Respond to Adversary Guard and Response Forces
Guards: A person who is entrusted with responsibility for patrolling, monitoring, assessing, escorting individuals or transport, controlling access. Can be armed or unarmed.
Response forces: Persons, on-site or off-site, who are armed and appropriately equipped and trained to counter an attempted theft or an act of sabotage.
Guards can sometimes perform as initial responders as well (both guards and response force)
42
Summary
Security systems should attempt to prevent, but be prepared to defeat, an intentional malevolent act that could result in unacceptable consequences at a chemical facility
Security awareness is an essential element
An effective system depends on an appropriate integration of:
  Detect
  Delay
  Respond
43
Summary
Principles for security can lead to more effective security system
  Defense in depth
  Balanced security
  Integrated security
  Managed risk
Performance-based approach will yield the greatest confidence that security is adequate
  Threat criteria
A model for systematic security design and analysis will enable application of principles and performance based approach