From outside Lawrence Livermore National Laboratory, the public sees a site protected by chain link fences and guards at entry gates. But this Department of Energy national laboratory, home to a variety of classified research, requires much higher-level security measures. Therefore, it is guarded as well by a sophisticated, computerized security system called Argus. Argus was designed, engineered, and installed at Livermore and is continually being upgraded and enhanced. It is also available to other Department of Energy and Department of Defense facilities.
Although named for the hundred-eyed monster of Greek myth, Argus security comprises much more than visual capabilities. A highly interconnected network engineered with comprehensive security features, Argus lives up to such stringent security requirements that DOE's Office of Safeguards and Security has cited it as the standard for physical security systems protecting facilities where the consequences of intrusion are significant. In addition to Lawrence Livermore, the Argus system has been installed at three other DOE sites and at one DOD site to protect top-priority assets or nuclear material.
As it monitors and controls entry into the Laboratory's high-security buildings, Argus is simultaneously monitoring the entire site for security threats and can alert and direct security forces to those threats. Argus security is all-encompassing and omnipresent, but it is surprisingly noninvasive. Employees of Lawrence Livermore enter and move about the Laboratory campus with relative ease. Yet, the Laboratory's Top Secret documents, materials, and facilities are thoroughly protected, intruders can be detected in real time, and intrusions and emergencies get instantaneous response from police and investigative personnel. The Laboratory is provided with maximum security 24 hours a day, 7 days a week.
This security results from a software system that comprises some 1.5 million lines of code, offering a wide range of security features. Extensive features are necessary, because Argus must accommodate many different configurations of security rules within one security complex, and sometimes one complex may have multiple geographical locations (for example, Livermore's Argus system controls the main site and the nearby Site 300 high-explosives testing facility). Moreover, Argus must be reconfigurable at any time. Extensive features also translate into flexibility and simplicity for end users. That's important because every authorized person in a high-security site accesses and interfaces with the Argus system. To ensure that designers, operators, and users understand Argus, DOE's Central Training Academy in Albuquerque, New Mexico, has 14 classes available, ranging from one hour to one week, that cover the complete set of Argus features.
While protecting a security complex, Argus also protects itself. A high degree of redundancy has been incorporated to prevent system failure, and tamper-indicating devices and data encryption have been used throughout to protect surveillance equipment and data from intruders and thieves. Insider threats that could weaken the system have been addressed with a comprehensive set of system-enforced and procedural measures, including consistency checking, captive accounts, and a rule prohibiting people from working alone.

How Users Work with Argus
Argus is implemented through four integrated computer subsystems. One subsystem controls access into buildings and areas. Another monitors alarms and sensors installed throughout the site. A third integrates and displays security data so security personnel can assess and control incidents. The fourth provides central computing and data storage to support the overall system configuration and databases. These four elements provide what Greg Davis, the manager of Livermore's Argus program, calls a "God's eye view" of the site. They connect into a real-time, interactive security assessment and response system.
User interactions with the Argus network are made possible through two hardware components: a remote access panel (RAP) and the Argus field processor (AFP).
The RAP (Figure 1) is a microprocessor-based, programmable input-output device connected to an AFP (Figure 2). It is the primary user interface to the Argus system. When Livermore employees are "badged," they are enrolled into the Argus system and can then use RAPs to gain entry into controlled buildings and areas on site. They swipe their badges, which have been coded with a unique identification number and a decryption key. The RAP communicates the badge information to the AFP, another microprocessor-based device, which verifies it against locally stored encrypted access authorization databases.
Argus software allows access based on credentials (determined by a badge), a user's identity (determined by personal identification number and biometrics), clearance level, and privilege. Although access rules can be very restrictive, the access system provides flexibility by being able to make fine distinctions within those rules. Thus, it might allow a person into a high-security building within a classified area but prevent that person from entering an even higher level security vault within that building. The access system also allows changes in user privileges, within rule confines; for example, regular users can be enrolled to escort visitors through high-security areas. The system eliminates the need for labor-intensive badge checking, and it monitors, tracks, and logs all badge usage.
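The layered decision described above (credential, identity, clearance, privilege, with a vault nested inside a building and every attempt logged) can be sketched as follows. This is an added illustration, not Argus code: the area names, numeric clearance levels, badge IDs, PINs, rule order and data layout are all assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def pin_digest(pin: str, salt: bytes) -> bytes:
    # Keep a salted, stretched digest on file rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Area:
    name: str
    min_clearance: int                 # constructed numeric levels
    parent: "Area | None" = None       # e.g. a vault inside a building
    needs_biometric: bool = False
    access_list: set = field(default_factory=set)  # badge IDs with privilege here

ENROLLED = {}   # badge_id -> (salt, pin_hash, clearance); stands in for the database
AUDIT_LOG = []  # every attempt is recorded, granted or not

def check_access(badge_id, pin, biometric_match, area):
    """Evaluate credential, identity, clearance and privilege; log the result."""
    granted, reason = _decide(badge_id, pin, biometric_match, area)
    AUDIT_LOG.append((badge_id, area.name, granted, reason))
    return granted, reason

def _decide(badge_id, pin, biometric_match, area):
    if badge_id not in ENROLLED:
        return False, "credential: unknown badge"
    salt, pin_hash, clearance = ENROLLED[badge_id]
    if not hmac.compare_digest(pin_digest(pin, salt), pin_hash):
        return False, "identity: PIN mismatch"
    node = area
    while node is not None:            # the target area, then each enclosing area
        if node.needs_biometric and not biometric_match:
            return False, f"identity: biometric required for {node.name}"
        if clearance < node.min_clearance:
            return False, f"clearance: too low for {node.name}"
        if badge_id not in node.access_list:
            return False, f"privilege: not on access list for {node.name}"
        node = node.parent
    return True, "granted"

# Constructed sample data: a building with a higher-security vault inside it.
building = Area("building", 2, access_list={"B100", "B200"})
vault = Area("vault", 3, parent=building, needs_biometric=True, access_list={"B200"})
for bid, pin, level in [("B100", "4821", 2), ("B200", "7730", 3)]:
    salt = hashlib.sha256(bid.encode()).digest()[:16]  # fixed only so the demo repeats
    ENROLLED[bid] = (salt, pin_digest(pin, salt), level)
```

Badge B100 is admitted to the building but refused at the vault, and the refusal is written to the audit log with the rule that failed.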

In addition to controlling and monitoring the RAP access controls, AFPs also control and monitor the networks of thousands of electronic sensors and other surveillance equipment that comprise the alarm stations of a security complex.
The AFP determines the status of security in the alarm station by polling its sensors, controls station operating mode (that is, whether the station is open or secured, in maintenance, etc.), and provides entry authorization via the RAP interface. Alarm station caretakers can also use the RAP to modify access lists, change the rules of the alarm station, and authorize maintenance on the station.
Alarm stations are of many types--outdoor perimeter exclusion zones, normal interior rooms, vaults of concrete or steel, or even entire buildings. They can have sensors and surveillance equipment installed on walls, floors, and ceilings. Because as many AFP modules can be installed as necessary to monitor alarm stations, site security is scalable. At the same time, its modularity restricts problems and makes maintenance and diagnostic work easier.

Real-Time Command and Control
Occasionally at the Laboratory, police cars with flashing lights and howling sirens speed through the streets in response to an alarm or other security incident. They have been dispatched by security personnel who monitor site security 24 hours a day from Argus consoles (Figure 3). The consoles integrate and display graphical data from controlled entryways and alarm stations, and they are linked to telephone, radio, and intercom systems. They provide Livermore security staff with a real-time command-and-control capability.
At each console workstation, an operator controls two high-resolution, color display screens that show maps of security areas and the security equipment contained in them (sensors, entry control devices, cameras). The system display lists any security anomalies that are occurring and indicates the security status of surveillance equipment by color code. Green, for example, indicates normal or secure, while red indicates a potential security threat, an alarm, or a failure. When security anomalies occur, an operator is alerted by the lists and can view them on the screens; the views can be enlarged or adjusted for seeing additional details.
Operators may also be able to zoom in on the anomaly. Consoles can be linked to closed circuit televisions. Console video subsystems have computer-controlled switches capable of delivering signals from any linked television camera simultaneously to any display monitor and to all recording devices. Video options also include pan-tilt-zoom cameras and video motion detectors.
The consoles are ergonomically designed, providing comfort and ease of use to operators. The number of consoles in operation depends on site requirements and operator workloads; Argus can support any number of workstations without degradation.

Continuing Improvements, Ever More Uses
The installation of Argus at a major DOE nuclear weapons storage and dismantlement site is nearing completion. There, Argus was modified to accommodate access authorization procedures that require observation of the two-person rule for entry and exit. In addition to RAPs, the entry portals have devices that read stored hand-geometry data, and booths may have special detectors to monitor the transport of sensitive materials. To serve this site and other users, Argus program staff are developing a 24-hour help line.
They are also moving ahead to evolve Argus to the next technological level, with such features as topology-independent network-based sensors and the capability to simulate intrusions and attacks. For the first, Argus staff are in the midst of developing a neuron chip that can be embedded into sensors, adding the capability to communicate with sensors instead of merely receiving signals from them. This feature will enhance AFP line supervision of alarm stations, enhance sensor security, and dramatically reduce installation costs. For the second, Argus staff are beginning research and development to endow Argus with simulation capabilities that can be used in conjunction with conflict simulation exercises. Argus console operators will soon be able to detect simulated attacks and send virtual security dispatches to contain and control them. Such simulation would hone a site's emergency response tactics and provide realistic training to console operators.
--Gloria Wilt

Key Words: Argus, Argus field processor (AFP), remote access panel (RAP), security technology.

For further information contact Gregory Davis (925) 422-4028 (davis19@llnl.gov)
