In the old days, chain link fences and junkyard dogs were enough to scare off intruders and trespassers. But times have changed. If you have a plant that might be the target of terrorists, industrial spies, activists, the anti-this or anti-that group, disgruntled employees or sophisticated thieves, your security problems have increased a thousand-fold.
“Although most companies acknowledge the need for greater security, few have the financial or human resources to deploy security staff at every possible point of vulnerability,” says David Shepherd, who has held security positions in the nuclear industry, worked for the FBI, and serves in several security organizations. Now head of security for the Venetian Hotel in Las Vegas, he says plant security takes more than fences and locks. “It must encompass all possible hazards — natural disasters, life safety, terrorism and health considerations,” he says.
Just thinking about the possible threats out there today can give you sleepless nights, but take heart — yours is not the only facility struggling with a new security reality. Here’s a calm look at principles, approaches and practical tools.
Deter, detect, delay
“There are so many sources of potential threats and so many points of vulnerability, no organization has the resources to provide 100% protection from all threats,” Shepherd cautions. “It is impossible to be everywhere at once, but the more preparedness one can take in advance of any security breach, and the more points that can be monitored, the more a company will be able to do to prevent or minimize damage and return to normal operations as quickly as possible.”
The U.S. Department of Homeland Security (DHS), its Federal Emergency Management Agency (FEMA) and other government groups have issued clear and valuable procedures for protective measures, says Shepherd. “Compounding the problem is that by DHS definition, 85% of the country is a ‘soft’ target, meaning that access is difficult, if not impossible, to control,” he adds. “Unlike ‘hard’ targets, such as the White House or the Washington Monument, which can be shut down and secured quickly and completely during an Orange security condition, closing a soft target like a large chemical plant can have significant economic consequences.”
Even if your plant is a soft target and securing it completely seems like an impossible task, there are still many things you can do. Peter Stickles, a partner at security consulting firm ioMosaic (www.iomosaic.com), says the focus of plant security should be a practical and doable risk reduction based on “deter, detect and delay.” The mechanisms to accomplish this should be incorporated into internal policies and procedures, perimeter security systems, and a rapid, robust response. “The recommended practice should also incorporate a risk-based assessment approach that puts terrorist attacks in context with other plant risks,” he advises.
The first line of defense, then, is good perimeter security.
On the perimeter
Robert Gruber, technology manager for the Security Solutions Group of Master Halco (www.fenceonline.com), a manufacturer of perimeter fences, says a good fence deters, detects and defends. “If my fence is more formidable than my neighbor’s, then the trespasser will attack my neighbor instead of me,” he says. “Fences are still designed with deterrence in mind. A fence can be built to withstand a 15,000 lb vehicle traveling at 50 mph with a penetration of only one meter. This is the U.S. State Department’s K-12 rating.”
Alas, a person can still climb such a fence. “Sandia Labs testing has determined that a highly skilled trespasser could get to the other side of a well-designed fence in about four seconds,” Gruber notes. “Typically, a fence designer will aim for a 40-second delay at the perimeter by using a series of fences, barbed wire, razor wire and other devices.”
With the security situation getting tougher, Gruber says it has become very important to detect, delay and respond at the perimeter. Fortunately, technology — including fiberoptic cables, taut wire, and buried cable — has come to the rescue (Figure 1).
Figure 1: A fence with a good fiber optic cable can deter and detect intruders. A good fence tries to delay intruders by 40 seconds with razor wire, secondary fences, etc.
“With a fiberoptic cable stretched along the fence, a bend or twist in the fiber would show a slight variation in the color of light,” Gruber explains. “An optical time domain reflectometer attached to the cable would locate the spot where the bend took place within a meter.”
The old standby, taut wire, is still one of the most efficient systems. “Wire is stretched tight, like a guitar string, typically at the offsets atop the fence. These wires are attached to sensors,” says Gruber.
Other sensors that can be attached to the fence include capacitive, inductive or magnetic sensors that can detect a human carrying metal, but ignore animals. Fiberoptic or electromagnetic coax cable can be buried in the ground in front of or behind a fence. Pressure on either cable produces a signal that can be detected by sensors.
Next up is delay. “Delay is a function of how long we need to respond,” Gruber says. “The response could be instant, such as turning on lights, sounding a siren or turning on a video camera. A longer response time can be expected if personnel have to rush to the area. In that case, we may have to design layers of perimeter security, such as an outer fence with barbed wire offsets, then bundles of coiled razor wire and inner fencing.”
You might ask: Why is perimeter security so important? If we have good security at the door, we can keep people out. “People only have to get next to the building to cause severe damage,” Gruber says. “Remember the Oklahoma City bombing? The perpetrator never even had to leave the curb next to the building.” In the case of a chemical plant, just getting close to a storage vessel or pipeline might be enough to set off an explosion.
In cases where you can’t completely surround critical areas with fences, you may need intruder detection systems.
Developments in video and infrared (IR) cameras are making it possible to monitor remote areas of the plant and remote sites, such as electrical distribution systems and transformers. You are probably familiar with using infrared cameras to detect maintenance problems on motors, electrical boxes and insulation. Similar devices can be used to detect intruders, day or night.
“The newest generation of systems combines visual and IR cameras with airborne ultrasound detection,” says Jon Chynoweth, director of marketing at Mikron Infrared (www.mikron.com). “The infrared and visual images can be blended and transmitted to a PC via wireless, enabling clearer, faster identification and pinpointing of both physical incursions and thermal anomolies at remote sites.” In other words, you can use the same camera to detect remote maintenance problems and intruders.
When the Barclay Group (www.barclaygroup.us), a security consultant in Anderson, Ind., upgraded the surveillance systems for a major energy company, it had to provide real-time video monitoring on a 24-hour basis around the perimeter of a power generation plant. The problem was how to get images under poor light conditions. “Although many of today’s cameras can get some video signal from dark areas, it usually is not enough,” says Mark Barclay, president. “For Homeland Security projects, it’s necessary to deliver the best picture possible and for that, you need to use IR cameras and IR lighting.”
Infrared lighting is used more in Europe than here, but it is catching on. IR lighting involves illuminating a scene with invisible light of a slightly longer wavelength than visible light. Intruders can’t see it, but IR-sensitive cameras can use it to take high-resolution video images that resemble normal black and white images taken during the day.
It’s not always necessary to use IR lighting. Thermal-Eye (www.thermal-eye.com), a manufacturer of infrared cameras, says it can spot intruders in complete darkness (Figure 2). In some installations, it integrates its cameras with an existing CCTV network so security personnel can see remote areas night and day. At night, it comes down to deciding whether you need high resolution to identify an intruder or just to detect the intrusion.
Figure 2: Infrared cameras can spot intruders in complete darkness.
In the past, intrusion systems worked individually. Today, all the perimeter defenses — fences, wires, cables, sensors and cameras — need to be connected to security stations such as guard houses or central command centers.
This can be done via wireless or a plant network. “Devices can be connected via TCP/IP over a plant network,” says Gruber. “The devices have their own IP addresses, so the perimeter can be connected to the company LAN or WAN and provide notification of a fence breach via a wireless PDA or a Blackberry device.”
With such capability, security can get sophisticated. “Perimeter security measures are so sophisticated, we can set up intelligent video systems that will look for certain situations such as someone walking in the wrong direction, starting to climb a fence, or dropping a bag that remains stationary for a period of time,” Gruber explains.
Shepherd likes wireless. “Wireless technologies reduce costs by eliminating the need to patch into cabling,” he notes. “For some applications, the relatively low cost of wireless transmitters enables a company to monitor activity at many more points.”
Good perimeter security keeps bad guys from breaking into the plant. But what happens if they get into the plant legally, right through the front door?
The inside jobLeslie Arnold, services marketing manager at Honeywell Process Solutions (www.honeywell.com), says a layered approach to internal plant security is needed. He suggests setting up security to:
- Identify and control who enters and exits a facility.
- Track movement of building occupants and assets.
- Control access to restricted areas.
- Track and locate equipment, products and other resources.
- Track the location of personnel on the site.
- Integrate security and control systems.
These recommendations apply to all key areas of a plant that are vulnerable to damage, such as control rooms, storage tanks, pipelines, shipping areas, laboratories, data centers, offices, etc.
Shepherd says equipment is readily available to perform such tracking functions. “These include GPS tracking systems, RFID monitoring of people and assets, vendor verification systems, license plate recognition systems and motion sensors,” he says. “It also includes biometric systems such as facial recognition, palm readers and retinal scanners.”
A simple card ID system (Figure 3) also can restrict access and track who comes and goes into restricted areas. For access to areas of highest security, you may want to require two forms of access, such as an ID card and a biometric.
Figure 3: A badge reader can track who comes and goes inside your plant.
Loading docks warrant extra attention because they are usually left open to employees, truck drivers and visitors, making the plant vulnerable to contraband being smuggled in and assets being taken out. “The list of security problems on the loading dock can run long,” says James Gompers, president of Gompers Technologies (www.gtdgrp.com) in an article published in Access Control & Security Systems (www.securitysolutions.com). “They can include dock doors being left open to provide airflow, employees who are reluctant to be the ‘bad guy’ and challenge unknown or unauthorized personnel, security staff who do not aggressively fulfill security initiatives, and a lack of clear procedures for items entering or leaving the facility.”
Gompers says it’s necessary to install equipment and procedures for access control, asset management, inventory management and video surveillance on the loading dock. “Chemical, biological and radiation detection systems may be appropriate if such risks and vulnerabilities exist,” he adds.
One of the key targets for bad guys is the control system. If they know what they are doing, they can overflow a tank, blow up a batch reactor, steal information from your system or otherwise wreak havoc. You should physically protect your control system from an internal assault by visitors, vendors or disgruntled employees.
Several years ago, a process control engineer explained to me the security procedures they follow when installing control systems in areas of the world where plants are vulnerable to sabotage:
- Put locked bars over the controller faceplates so no one can manually change settings.
- Lock the cabinet containing the controllers.
- Lock the room containing the cabinets.
- Control access to the building containing the controller room.
- Put the main control room on a different floor or in a different building.
- Control access to the main control room.
- Make sure that the HMIs in the main control room can only monitor the system, not change controller settings.
- Put HMIs that can change controller settings in a different locked room.
- Protect those HMIs with user names and passwords, so only a very few authorized people can change control settings.
While these may seem excessive for a domestic plant, such Draconian procedures make it very difficult for anyone to gain access to critical control equipment.
Cyber security is outside the scope of this article, but you should be aware that your control systems are vulnerable to attack from the outside (see sidebar, “A word about cyber security”).
The security operations center
The security control room is often seen as the “trophy” of an integrated security management system, says Gompers, and upper management may get carried away with it. “Senior management likes to see lots of flashing lights and “Star Wars”-like command consoles to help them feel better about their sizable security investment,” he says.
Unfortunately, what management likes to see may not be conducive to a well-laid-out security area. Gompers says the kinds of equipment normally installed in the security control area can include fire alarm control panels, video servers, DVRs, CCTV monitors, radio and communications systems, logging systems, workstations, terminals, key control cabinets, badging printers, 911 response systems and public address systems.
“The most effective control rooms are not defined by shoving every possible piece of equipment into the space,” he advises. “Instead, installers should place all equipment that does not require hands-on attention in an equipment room connected to the center. This provides a cleaner, less-cluttered environment and takes confusion out of the command center.”
He recommends that security control consoles and work surfaces be positioned in the center of the room to allow for movement on all sides, with the displays positioned on one wall in front of the work area, preferably on seven-foot screens “This will be where video is displayed for active and non-active monitoring,” he says.
Start with an SVA
To analyze your current state of security, you must do a Security Vulnerability Assessment (SVA). Fortunately, several industry groups have taken the lead. “Industry trade associations such as the American Chemical Council and AIChE’s Center for Chemical Process Safety (CCPS) have sponsored the development of SVA methodologies,” says Peter Stickle of ioMosaic. OSHA has gotten into the act with the OSHA Process Safety Management Rule (29CFR1910.119), and Sandia National Laboratories developed the Chemical Facility Vulnerability Assessment Methodology (VAM).
Depending on your industry, you may want to check with your industry trade association to see if they have similar programs and recommendations.
A team of researchers at the Department of Energy’s Lawrence Berkeley National Laboratory developed an interactive computer program that plant managers can use to assess their vulnerability to chemical, biological and radiological (CBR) weapon attacks or accidental toxic releases (see sidebar, “Where to get help”).
An SVA involves a review of a company’s assets for handling, storing and processing hazardous materials from the perspective of an individual or group intent on causing a catastrophic event, Stickle says. “It considers possible scenarios by looking at inventories or production steps involving hazardous material, potential pathways of attack, and existing security countermeasures or rings of protection,” he explains. “The scenarios are priority ranked using a system of risk-based factors which estimate the frequency and consequence of each scenario.”
Stickle says there are two main groups of adversaries — insiders and outsiders — and you have to address both. For internal threats, mitigation mostly involves administrative controls such as:
- Employee hiring screening
- Contractor screening
- Perimeter security
- Behavior observation
- Inventory reduction
- Emergency response planning
External threats tend to require engineered controls including:
- Inventory reduction
- Relocation of storage
- Obscuring storage or installing decoy tanks
- Improvements to physical perimeter systems
- Pre-planning and coordination with local emergency response agencies
As Table 1 shows, the degree of company control, effectiveness and cost can vary considerably.
Threats and Mitigation
Ability to control
Internal due to sabotage by third party or employee
Internal policies and practices:
Entirely within plant’s control. Generally low cost for implementation.
External due to unauthorized entry to plant site
Parameter security systems:
Entirely within plant’s control. Low to medium cost for implementation.
External due to munitions delivered from outside the fence
Storage inventory management and siting:
Mostly within plant’s sphere of control but fixes may not be practical nor completely effective and can be costly. Risk/benefit analysis needed for deciding action.
External due to munitions delivered from outside the fence
Increased policing by local law enforcement and/or improved ER coordination
Actions can be influenced by plant, but not totally controlled. Cost to plant may be negotiable.
Source: ioMosaic (www.iomosaic.com)
Procure and deploy
Once you’ve done an SVA on your plant, and you have an idea of what’s involved in improving security, now you have to specify and install the equipment. A team of security experts who worked on the Bay Area Security Enhancement and Port of Oakland Security Enhancement programs presented a paper at the ISC Expo containing the basis for this list of lessons learned (download the entire paper at www.infrastructure-security.org):
Pick the right people: You need help from a wide range of disciplines, from security to video encoding to Ethernet networks to wireless and so on. Their advice: “If one company comes to you and says they can handle it all, they are mistaken.” You need a team.
Vendors lie: White lies to be sure, but vendors tend to overstate their qualifications. Be sure to check out their specs.
Get involved in the details: Owner involvement is needed. The biggest mistake is companies that don’t commit the necessary resources because they are not involved in the project.
Over-communicate: With many people and companies involved in the project, good communication is vital. “We communicated four times more than we do on a typical project and it was still not enough due to the complexity, diverse team and multiple departments and agencies involved.”
Deal with dissidents: There will likely be dissidents on the team who disagree on a technique. “About half the time they will be right, and listening to them will save you time and money.”
Make a decision timeline: The project is complex. You need to make a decision schedule and stick to it, even if you don’t have all the information you need.
Pick the right project delivery method: Choose between design-bid-build versus design-and-build. Both have advantages and disadvantages. The team believes that design-and-build is the better method.
Power and communication infrastructure is your biggest challenge: The budget is not going to be broken based on camera costs, the team says. Instead, it will be made or broken based on how much it costs to connect everything together.
R&D, testing and a beta site are a must: This should take up about 50% of your total time, the team says. “If you execute correctly here and incorporate lessons back into the design…you will drastically reduce the time it takes to complete the system.”
Do not underestimate problems that can occur because of environmental conditions, interference with existing projects and operations, and politics between departments and agencies.
A word about cyber security
If you are in charge of security at your plant, don’t leave cyber security (protecting your computers) to the folks in the IT Department. They are not good enough to deal with determined hackers.
At a recent user’s group meeting, I watched three cyber security researchers from the Idaho National Laboratory (www.inl.gov) break into a “secure” control system. They got through two firewalls, onto a proprietary data highway, spoofed the operator HMIs and turned on a pump in about 15 minutes.
They proved that a determined hacker can get past cyber-security without blinking an eye, and either wreak havoc with your plant or steal your secrets. So don’t rely on your IT department to protect your computers. Bring in some pros to assess your cyber security measures.
Advice from the researchers at INL includes:
- Set up a layered defense using standard tools, such as anti-virus software, firewalls, DMZs (De-Militarized Zone), and IDSs (Intrusion Detection Systems).
- Enforce security procedures, including user names and passwords.
- Use virtual private networks (VPNs) and encryption.
- Hire someone to break into your system and find the vulnerabilities.
- Regard control system security as an ongoing problem, and take it seriously.
If you want to persuade upper management into taking cyber security seriously, hire the researchers from INL to come in and give a little demonstration. It’ll scare the bejeezus out of them.
Federal Emergency Management Agency (FEMA): The FEMA Web site (www.fema.gov) has several downloadable documents (FEMA 426, 427, 428, 429, 452 and 155) that provide guidelines for improving building security and protecting against terrorist attacks.
Department of Homeland Security: At www.ready.gov you can find downloadable posters and brochures on preparedness, terrorism and cyber security, and the complete text of the “National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.”
Idaho National Laboratory: The SCADA & Power Systems Security Resources group at INL (www.inl.gov) supports the Department of Homeland Security’s Control Systems Security Center program. These researchers can break into your control system and counsel you on what to do about it.
Infrastructure Security: The site www.infrastructure-security.org was built by the experts who developed the Top 10 list of lessons at the end of the article. The site contains links, documents and descriptions of projects.
Department of Energy’s Lawrence Berkeley National Laboratory: The Building Vulnerability Assessment and Mitigation Program (BVAMP) can be downloaded free at http://securebuildings.lbl.gov/BVAMP.html.
AIChE: The Center for Chemical Safety (www.aiche.org/ccps/) has information on courses, books and SVA programs.
ISA: The CD, “ISA-99 Manufacturing & Control Systems Security,” contains info on protecting electronic control systems, including relevant ISA standards and technical papers ($229 from www.isa.org)