Offline khofo

Introduction to Physical Security
« on: November 13, 2015, 12:03:43 am »
Written By: Khofo
For: Evilzone.org

Date: 2015-11-13
Rev: 1.0
Title: Introduction to Physical Security



Introduction to Physical Security


Table of Contents:

0. Preamble
1. Risk
2. What is Physical Security
3. The Different Aspects of Physical Security
4. Where to Begin



0. Preamble:

I am writing this introduction since I think Evilzone lacks information on this topic, a topic that I deem very interesting and growing in importance.
All the information in this document is part of the public domain and can be used, copied and shared on any platform and for any purpose; credits are appreciated.
The Writer or Evilzone.org cannot be held accountable for any misuse or damage caused by the use of this documentation.

1. Risk:

Risk Assessment and management is key in the security role, since at all times 3 security goals should be followed: Confidentiality, Integrity, Availability. These 3 principles are in fact key; that's why, instead of talking a lot, I'll just pop in a picture showing exactly what I am talking about, Risk Assessment:



And thus, to maintain Security, a certain set of procedures, policies, standards, and guidelines is put in place. We can organize these in a diagram, thus creating a secure environment by gradually going up the pyramid:




2. What is Physical Security:

Quote from: Whatis.com
Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism
Physical Security is a very broad term, covering a lot of fields. Physical Security is everywhere: it is the window in your house, the cameras at the local grocery store and the fences in a nuclear power plant. But it is not limited to windows, fences and cameras; it is also in the locks you use, the microwave and the aeration system. Basically it is anything in a given facility, since nearly everything can be used against you. Of course a PPS (Physical Protection System) will be designed by calculating how valuable an asset is, therefore your local grocery shop will not have the same PPS as your local bank.
Physical Security is very important but has been underestimated lately. Since the rise of "cyber" threats, the trend has been to focus on those instead of enforcing tangible assets, but now companies seem to take it more seriously, and Physical Security is a much advocated and talked-about subject nowadays.

Here is a little Diagram that basically sums everything up:




3. The Different Aspects of Physical Security

Physical Security has multiple aspects. Not all will be covered here, only the ones I deem the most important for an intro to the subject.

I would like to point out that in this Intro I will focus on Security and not Safety, Safety designating events that are not perpetrated by humans to intentionally cause harm; this includes natural disasters and accidents related to the activity, such as machinery dysfunction, for example.

I- The Structure:

"The Structure" designates anything around the asset(s) subject of a PPS; it can be a thousand-acre facility or a cupboard.

Ideally you build a structure with your Security needs in mind, but most people just have to deal with existing buildings, rooms, etc. In this Intro I will talk about Green Fields, where you build everything from the ground up, and Brown Fields, where you have an existing structure to deal with/secure. In both cases there is a lot to do, since construction by nature is made to be practical, fast and efficient but not necessarily secure. Even though a green field gives the designer more flexibility, the concerns remain the same.

You can divide the PPS into layers, and naturally more layers correspond to better security, keeping in mind that it will be harder to manage, which means that adding layers without having the capacity to manage the whole PPS will most probably compromise the PPS. "Structural Obstacles" will describe components that physically protect the structure. To not turn this Intro into a book, I'll just enumerate components of Structural Security:

- Barbed Wire
- Electrical Fence
- Reinforced Concrete Walls
- Fences
- Signs
- Watchtowers
- Single Vehicular Sally Port
- Single approach
- Airlocks
- EMP Shielding

And these are just a few components that may be used; the designer shall select the most suitable component "package" and create an adequate Structure. I know I sound like a paranoid person, but I am sure most businesses do not need electric fences or Sally Ports, and as said above these are just examples, and obviously the Structure is only a very little part of the PPS.

As a side note: I will divide this section into even smaller subsections to describe the different components in the most comprehensive way. You may notice that I might bring up a subject and not develop it a lot, and that's for the sake of keeping this a simple Intro and not a complex tutorial on the construction of a PPS.

II- The Electrical Components:

"The Electrical Components" designates all the components in the PPS that need electricity to operate or generate electricity; these include generators, temperature control units, computers, etc.

Everything that needs/produces electricity is not safe by nature and can be compromised quite easily. I will not get into the details of how everything might be a liability, but I will give some examples; they may seem far-fetched but still realistic:

- An attacker puts poison through your aeration system. This one is a movie classic but nonetheless realistic, since most cooling/aeration systems do not contain biochemical filters/sensors.
- Your electric gates contain manual backup
- EMP (Electro-Magnetic Pulse)
- Electrical Fires

ICT components, on the other hand, are another part of the critical infrastructure of a PPS. Some people consider this to be THE most critical part; in fact, it's a flawed statement, since everything is linked. Even in a DataCenter, the racks are not the most critical asset; in a way they are the core, but if a party compromises the temperature control system and turns it off, for example, the whole ICT equipment will be destroyed. I won't develop too much about this, but in places where the compromise of ICT components is vital for the whole country (like a nuclear power plant, for example), the computers are usually air-gapped, and connectivity is usually forbidden. Possible scenario if connected devices are allowed inside: an attacker targets an employee and compromises his phone, which can send wireless signals. When the guy goes to work, the attacker sends certain packets via Bluetooth to a certain device, giving it destructive instructions. This might sound weird or like science fiction. I just created this scenario, but I do not think it's in any way "impossible". Anyway, what is impossible?

III- The People:

It is agreed upon that the human is always the weakest link, so a truly secure facility should have no humans inside; that is reasoning by the absurd. There is some truth in this, but current technology is such that there should always be a human monitoring and taking critical decisions. So how can you limit the negative impact of a human being in a secure facility? The answer is Information: if staff members do not know what phishing is, it might compromise the security of the company. On the physical side, security staff should be trained according to the risk; on the other hand, normal employees shall pay attention to not lose their RFID badge, or report it immediately if they do.
You can imagine endless scenarios where human deception is key to compromising the security of ANY facility/PPS.


4. Where to Begin:

There are countless ways of getting into Physical Security, from studies to parkour, passing by lock-picking; there is no real "certification". It also depends on what you want to do:

- Do you want it to be your job?
- Is this just a hobby?
- Are you interested in the hardware or human side of things?
- Is it for you pure and simple Social Engineering?

In my opinion, as for anything else in life, documentation and information are the most important parts of it all. No one will ever just give you everything on a plate, and that's why I say if you want something you'll get it if you work hard enough (typical capitalist, I know). To help you out a bit, I'd suggest just starting out with lockpicking; lockpicking is really fun, is practical and much more accessible than testing the security of a nuclear power plant. If you are more of a Social Engineer, I'd suggest you start on the Human side of the thing; in a sense you work on the deception of the people to get access. If you are more of a hardware guy, maybe experience with forging RFID or getting into an alarm system, or fire suppression system. In fact the possibilities are endless.
If you want a book about Physical Security, I suggest picking up The Design and Evaluation of Physical Protection Systems by Mary Lynn Garcia. It's a large book with in-depth info, not a beginner's guide though.

The Design and Evaluation of Physical Protection Systems
« Last Edit: November 14, 2015, 12:28:40 am by khofo »

Offline kurp

Re: Introduction to Physical Security
« Reply #1 on: December 27, 2015, 06:34:10 am »
I'm interested in getting into this field, what other resources do you recommend?