Introduction to Physical Security
Physical security is essential to any cybersecurity strategy. Without it, attackers can bypass digital defenses. This post explores how physical access controls, surveillance, and safeguards protect systems from real-world threats.
Physical security protects people, property, communities, and the environment. Physical security incorporates everything from who enters your properties and facilities to properly storing equipment and assets. Understanding all security domains will allow individuals and businesses to mitigate threats.
Why it matters
Physical security is, in many cases, a matter of life and safety for a company's personnel, its infrastructure, and the surrounding community. Failures can stem from intentional acts, accidents, or environmental events, and the consequences of poor physical security can be catastrophic; investing in the proper infrastructure, personnel, and policies is therefore essential (see DoD Directive 2000.12 – DoD Antiterrorism Program).
Understanding the Basics of Physical Security
Before we dive into the specifics, we need to discuss what falls inside the physical security domain. First, what is physical security? Physical security is the set of measures designed to protect people, assets, property, and the environment against unauthorized access and harm (see Pelco's guide to physical security).
The physical security domain incorporates site layout, site visibility, access control, perimeter protection, IDS (Intrusion Detection System), environmental protection, incident response (fire, medical, natural disaster, terrorism, etc.), awareness, and availability. Truthfully, this list is much longer, but today we are covering the basics, so keep these in mind moving forward. These components are outlined in: UFC 4‑010‑01 – Minimum Antiterrorism Standards for Buildings, UFC 4‑020‑01 – Security Engineering Facility Planning Manual, along with Crime Prevention Through Environmental Design (CPTED) principles (see CPTED.net) and structural considerations such as in UFC 4‑026‑01 – Design to Resist Forced Entry.
Just like cybersecurity, the nature of physical security is industry-specific. What I mean by this is that a financial firm has different priorities and threats than a retail store. Even though other industries have specific needs, at their most basic level, physical security policies will share standard functions across all sectors.
Physical Access Control Systems
PACS (Physical Access Control Systems) can incorporate any of the following: turnstiles, gates, locking doors, PIV (Personal Identity Verification) cards, credential readers, keypads, biometric readers (fingerprint, facial, iris), control panels, access control servers, credential repositories, fire alarm and evacuation systems, camera systems, sensor/alarm systems, and many other technologies.
As mentioned earlier, controlling who enters and exits your properties, facilities, and installations is a requirement for any security plan. The National Institute of Standards and Technology (NIST), in SP 800-53 control PE-3 (Physical Access Control), requires enforcing physical access authorizations at entry and exit points, maintaining audit logs of physical access, controlling ingress and egress, and escorting visitors where required. Meeting that control in practice means verifying credentials (smart cards, badges, biometrics, etc.), controlling doors, using guards and patrols, and escorting visitors. Maintaining logs for these systems is only the first step; regular review of those logs for unusual or unauthorized access (the subject of the related controls PE-6, Monitoring Physical Access, and PE-8, Visitor Access Records) should be written into your facility policy.
Facilities, installations, and properties hosting/handling sensitive information often have more compartmentalized and restricted access areas that require a higher level of clearance or authority to enter. These zones are classified as public, reception, operations, and restricted access. (see NJCCIC) These zones may be classified differently depending on policies, regulatory agencies, etc. Restricted zones often utilize a complex layered security infrastructure that includes biometrics, Radio-frequency Identification (RFID), mantraps, Closed-circuit Television (CCTV), and security guards. Of course, this varies depending on how restricted the environment is and what type of facility or room someone tries to access.
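The log review that the PE-3 discussion above calls for, applied to the public/reception/operations/restricted zone model, as an added example that is not code from the original post or from any PACS product. The log line format, the numeric zone levels, the badge clearance table, the business-hours window and the denial threshold are all assumptions chosen for illustration; a real deployment would read these from the access control server and credential repository.

```python
"""Review PACS (badge reader) audit logs for the anomalies a facility policy
should look for: grants above a badge's clearance, after-hours access to
operations/restricted zones, anti-passback violations (a second IN with no OUT,
or an OUT with no IN), and bursts of denied attempts.

Added example, not code from the original post. The log format, zone levels,
clearance table, business hours and denial threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Zone levels follow the public / reception / operations / restricted model;
# the numeric ordering is an assumption.
ZONE_LEVEL = {"public": 0, "reception": 1, "operations": 2, "restricted": 3}

# Clearance level held by each badge (assumption; a real PACS keeps this in
# its credential repository).
BADGE_CLEARANCE = {"B1001": 3, "B2002": 1, "B3003": 3, "B4004": 0}

BUSINESS_HOURS = range(7, 19)      # 07:00-18:59, assumed normal hours
DENIAL_THRESHOLD = 3               # denials per badge ...
DENIAL_WINDOW_SECONDS = 300        # ... within five minutes

# Constructed sample log: "<ISO timestamp> <badge> <zone> <IN|OUT> <GRANTED|DENIED>"
SAMPLE_LOG = """\
2024-05-06T08:02:11 B1001 restricted IN GRANTED
2024-05-06T08:05:40 B2002 reception IN GRANTED
2024-05-06T08:06:03 B2002 restricted IN GRANTED
2024-05-06T09:15:22 B1001 restricted IN GRANTED
2024-05-06T12:30:00 B1001 restricted OUT GRANTED
2024-05-06T22:47:19 B3003 restricted IN GRANTED
2024-05-06T23:01:02 B4004 restricted IN DENIED
2024-05-06T23:01:30 B4004 restricted IN DENIED
2024-05-06T23:02:05 B4004 restricted IN DENIED
"""


def parse_event(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, badge, zone, direction, result = line.split()
    if zone not in ZONE_LEVEL or direction not in ("IN", "OUT") \
            or result not in ("GRANTED", "DENIED"):
        raise ValueError("malformed PACS record: %r" % line)
    return {"ts": datetime.fromisoformat(ts), "badge": badge,
            "zone": zone, "dir": direction, "result": result}


def review_log(text, clearance=BADGE_CLEARANCE):
    """Return a list of (finding, badge, zone, timestamp) tuples in time order."""
    events = sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    inside = {}                     # (badge, zone) -> True while badged in
    denials = defaultdict(list)     # badge -> recent denial timestamps

    for e in events:
        when = e["ts"].isoformat()
        if e["result"] == "DENIED":
            # Keep only denials inside the sliding window, then count them.
            recent = [t for t in denials[e["badge"]]
                      if (e["ts"] - t).total_seconds() <= DENIAL_WINDOW_SECONDS]
            recent.append(e["ts"])
            denials[e["badge"]] = recent
            if len(recent) == DENIAL_THRESHOLD:
                findings.append(("repeated_denials", e["badge"], e["zone"], when))
            continue

        # A grant above the badge's clearance means a misconfigured reader,
        # a stale credential repository, or a cloned badge.
        level = clearance.get(e["badge"], -1)
        if level < ZONE_LEVEL[e["zone"]]:
            findings.append(("over_clearance", e["badge"], e["zone"], when))

        # Operations and restricted zones should be quiet outside business hours.
        if ZONE_LEVEL[e["zone"]] >= ZONE_LEVEL["operations"] \
                and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["badge"], e["zone"], when))

        # Anti-passback: IN while already inside, or OUT while not inside,
        # means someone tailgated through a door or the badge is in two places.
        key = (e["badge"], e["zone"])
        was_inside = inside.get(key, False)
        if (e["dir"] == "IN" and was_inside) or (e["dir"] == "OUT" and not was_inside):
            findings.append(("anti_passback", e["badge"], e["zone"], when))
        inside[key] = (e["dir"] == "IN")

    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print("%-17s badge=%s zone=%s at %s" % finding)
```

On the constructed log this reports four findings: badge B2002 (clearance 1) granted into the restricted zone, B1001 badging into the restricted zone a second time without ever badging out, B3003 entering the restricted zone at 22:47, and B4004's third denial within five minutes. Each of these is something a guard force should be paged on, not something discovered in a quarterly audit.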
Surveillance and Camera Systems
Surveillance systems are a core component of any physical security posture. Cameras act as both a deterrent and an investigative tool, offering visibility across facilities, properties, and installations. When surveillance systems are properly deployed, they allow for the monitoring of critical zones, the enforcement of access control policies, and the coordination of responses to incidents. They also collect evidence after an incident has occurred on a site, allowing law enforcement, responding agencies, and investigators to document findings from recorded footage of the incident. Furthermore, these systems allow a single operator to monitor and manage an entire site from a control room.
The key functions of a camera system include detection, assessment, deterrence, and documentation.
- Detection lets an operator identify, in real time, intrusions, tailgating, loitering, crime, and policy violations.
- Assessment refers to the visual verification of alarms and incident reports.
- Deterrence is the discouragement of committing a crime through visible surveillance.
- Documentation is storing recorded footage and logs for use in investigations, legal proceedings, and compliance audits.
Most people assume installing a camera system is enough; it's not. Camera systems are only as strong as the physical security plan and response behind them. What I mean by this is, let's say you install a $15,000 state-of-the-art camera system with AI tracking, Forward Looking Infrared (FLIR), and zone detection. This system can monitor your entire facility automatically and will trigger alerts and notify authorities of irregular activity on your behalf. An incident occurs where three individuals in masks, gloves, and all-black clothing run up to the front of your facility, shatter a glass window with a brick, and enter your site. They steal $42,000 worth of equipment and tools within 5 minutes. The camera did its job: it detected and documented the break-in. What it could not do was delay the intruders, and a standard commercial window gave them no delay either. Detection without delay and response is just a high-resolution record of the loss.
Surveillance is a highly cost-effective and scalable defense in modern security, but that doesn't make it the end-all solution when it comes to stopping threats. Incorporated properly into a layered security plan, surveillance and camera systems ensure a swift response and accurate monitoring of attacks that the rest of the security infrastructure has delayed or stopped.
Point and Area Security
Point versus area security is a concept that governs how guards and other assets are allocated when protecting and responding within a specific installation or facility.
Point security is focused on a specific location within a larger facility, installation, or property. Think about a security guard operating the front gate of a facility; this is point security. The guard stationed at this gate will not patrol or abandon this position should something else occur elsewhere on the facility.
Area security is focused on an entire section of a facility, property, or installation. Let's refer back to our guard at the gate. While that guard is stationed at gate A, two more guards patrol between gate A and gate B, which is located on the opposite side of the facility. While the guards at gates A and B cannot leave their posts, the two guards on foot are responsible for all the facility space between the gates. Area security aims to cover a broad area with a small number of mobile assets. This is an effective tactic for maximizing your response with minimal resources.
Both point security and area security have their issues, which will not be covered here. However, it's important to remember that security plans incorporate point and area protection. A proper security plan will minimize the issues presented when dealing with each type of coverage (see UFC 4‑021‑02 – Electronic Security Systems and UFC 4‑022‑03 – Security Fencing and Gates for guidance on integrating systems and perimeter controls).
Threats
According to a report published by Allied Universal, physical security incidents caused losses of more than $1 trillion USD in 2022 (see World Security Report 2023).
Some of the most common physical security threats include unauthorized access, theft, burglary, vandalism, workplace violence, natural disasters, tailgating or piggybacking, terrorism, active shooters, unaccounted-for visitors, sabotage, and insider threats. These threats range in complexity and can be either opportunistic or well-orchestrated. The type of threat also heavily determines the impact on the victim.
Unauthorized Access & Insider Threats
An insider threat is the potential for an individual or group to use authorized access to, or knowledge of, an organization to harm that organization. An insider threat can be an unintentional or intentional act, whether malicious or merely negligent, that directly affects the organization.
Damage can be caused through espionage, terrorism, unauthorized disclosure, corruption, organized crime, sabotage, workplace violence, degradation of resources or capabilities, both intentional and unintentional, and collusion. While the definitions of an insider threat vary due to regulatory agencies, companies, and policies, the basics are the same. (see CISA Insider Threat Guide).
The indicators of an insider threat overlap with those of many cyber attacks: backdoors, or unauthorized hardware or software that enables access; changed or locked passwords; modified antivirus; changed firewall states or rules; malware; unauthorized software; failed access attempts against sensitive data; damaged or tampered physical security systems; and unknown individuals present in secure locations. An insider threat is neither strictly cyber nor strictly physical, so it's essential to recognize the signs in both domains and act swiftly to mitigate further damage.
Terrorism
The Department of Homeland Security highlights that facilities of all types, and public events, must be prepared to defend against active shooters, bombings, vehicle ramming, and attacks using unmanned aircraft systems (drones). Terrorist groups seek to inspire or conduct attacks within the US and against its partners abroad. Monitoring local groups, social media, and gaming platforms can often reveal the motivation or inspiration behind future attacks; facilities should be physically hardened to defend against them.
Defending facilities, installations, and property against terrorism depends on budget, the type of target, and the complexity of the site that needs hardening. In terms of protection, a school will never have the same budget or priority as a military base. Most industry professionals know this reality, yet soft targets continue to be attacked by bad actors.
Natural Disasters and Environmental Threats
The Federal Emergency Management Agency (FEMA) National Protection Framework recognizes environmental risks such as hurricanes, tornadoes, earthquakes, droughts, wildfires, floods, and winter storms, and explains that a physical protection plan is needed as part of risk management to mitigate such disasters. While some natural disasters occur with little or no warning, it's crucial to analyze the likelihood of each type of event at your location and create a plan specific to each (see FEMA).
What does this mean from a physical security standpoint? Let's say you own a bagel shop in Miami Beach. The area is prone to hurricanes and flooding. As a bagel shop owner, you have no allocated physical security budget; your doors, locks, windows, and walls meet the local building code but are not hardened. During a hurricane, your shop floods because the doors and windows are poorly sealed and weatherproofed, and the structure is leaning due to severe damage to load-bearing beams. Once the storm has passed, new risks such as fire, theft, or burglary present themselves because of the opportunity. The primary risk is the natural disaster; the secondary risks arrive during the window of opportunity when the business is at its most vulnerable.
Final Thoughts
From standard operations to emergency response, physical security will always be at the forefront of any facility, property, or installation. Physical security isn't just about locking doors and hanging cameras; it's about creating an effective strategy and acting on it with physical access control systems, policies, and plans. With evolving threats, a strong physical security posture relies on training, planning, and leadership committed to continuously improving and protecting people, assets, and the environment. As new technologies emerge and risks become more complex, you must adapt or risk becoming a statistic. If you wait until something happens, you've already lost; stay proactive, stay secure.