Chapter 15: PHYSICAL AND ENVIRONMENTAL SECURITY
Physical and environmental security controls are implemented to protect
the facility housing system resources, the system resources themselves,
and the facilities used to support their operation.
The term physical and environmental security, as used in this chapter,
refers to measures taken to protect systems, buildings, and related
supporting infrastructure against threats associated with their physical
environment.[103]
Physical and environmental security controls include the following
three broad areas:
- The physical facility
is usually the building, other structure, or vehicle housing the
system and network components. Systems can be characterized, based
upon their operating location, as static, mobile, or portable. Static
systems are installed in structures at fixed locations. Mobile systems
are installed in vehicles that perform the function of a structure,
but not at a fixed location. Portable systems are not installed
in fixed operating locations. They may be operated in a wide variety
of locations, including buildings or vehicles, or in the open. The
physical characteristics of these structures and vehicles determine
the level of such physical threats as fire, roof leaks, or unauthorized
access.
- The facility's general
geographic operating location determines the characteristics of
natural threats, which include earthquakes and flooding;
man-made threats such as burglary, civil disorders, or interception
of transmissions and emanations; and damaging nearby activities,
including toxic chemical spills, explosions, fires, and electromagnetic
interference from emitters, such as radars.
- Supporting facilities
are those services (both technical and human) that underpin the
operation of the system. The system's operation usually depends
on supporting facilities such as electric power, heating and air
conditioning, and telecommunications. The failure or substandard
performance of these facilities may interrupt operation of the system
and may cause physical damage to system hardware or stored data.
This chapter first discusses
the benefits of physical security measures, and then presents an overview
of common physical and environmental security controls. Physical and
environmental security measures result in many benefits, such as protecting
employees. This chapter focuses on the protection of computer systems
from the following:
Interruptions in Providing
Computer Services. An external threat may interrupt the scheduled
operation of a system. The magnitude of the losses depends on the
duration and timing of the service interruption and the characteristics
of the operations end users perform.
Physical Damage.
If a system's hardware is damaged or destroyed, it usually has to
be repaired or replaced. Data may be destroyed as an act of sabotage
by a physical attack on data storage media (e.g., rendering the data
unreadable or only partly readable). If data stored by a system for
operational use is destroyed or corrupted, the data needs to be restored
from back-up copies or from the original sources before the system
can be used. The magnitude of loss from physical damage depends on
the cost to repair or replace the damaged hardware and data,
as well as costs arising from service interruptions.
Unauthorized Disclosure
of Information. The physical characteristics of the facility housing
a system may permit an intruder to gain access both to media external
to system hardware (such as diskettes, tapes and printouts) and to
media within system components (such as fixed disks), transmission
lines or display screens. All may result in loss of disclosure-sensitive
information.
Loss of Control over
System Integrity. If an intruder gains access to the central processing
unit, it is usually possible to reboot the system and bypass
logical access controls. This can lead to information disclosure,
fraud, replacement of system and application software, introduction
of a Trojan horse, and more. Moreover, if such access is gained, it
may be very difficult to determine what has been modified, lost, or
corrupted.
Physical Theft.
System hardware may be stolen. The magnitude of the loss is determined
by the costs to replace the stolen hardware and restore data stored
on stolen media. Theft may also result in service interruptions.
This chapter discusses
seven major areas of physical and environmental security controls:
- physical access controls,
- fire safety,
- supporting utilities,
- structural collapse,
- plumbing leaks,
- interception of data, and
- mobile and portable systems.
15.1 Physical Access Controls
Life Safety
It is important
to understand that the objectives of physical access controls
may be in conflict with those of life safety. Simply
stated, life safety focuses on providing easy exit from a facility,
particularly in an emergency, while physical security strives
to control entry. In general, life safety must be given first
consideration, but it is usually possible to achieve an effective
balance between the two goals.
For example,
it is often possible to equip emergency exit doors with a time
delay. When one pushes on the panic bar, a loud alarm sounds,
and the door is released after a brief delay. The expectation
is that people will be deterred from using such exits improperly,
but will not be significantly endangered during an emergency
evacuation.
Physical access controls
restrict the entry and exit of personnel (and often equipment and
media) from an area, such as an office building, suite, data center,
or room containing a LAN server.
The control over physical access to the elements of a system can include
controlled areas, barriers that isolate each area, entry points in the
barriers, and screening measures at each of the entry points. In addition,
staff members who work in a restricted area serve an important role in
providing physical security, as they can be trained to challenge people
they do not recognize.
Physical access controls
should address not only the area containing system hardware, but also
locations of wiring used to connect elements of the system, the electric
power service, the air conditioning and heating plant, telephone and
data lines, backup media and source documents, and any other elements
required for the system's operation. This means that all the areas in the
building(s) that contain system elements must be identified.
There are many types of physical access controls, including badges,
memory cards, guards, keys, true-floor-to-true-ceiling wall construction,
fences, and locks.
It is also important to
review the effectiveness of physical access controls in each area,
both during normal business hours, and at other times, particularly
when an area may be unoccupied. Effectiveness depends on both the
characteristics of the control devices used (e.g., keycard-controlled
doors) and the implementation and operation. Statements to the effect
that "only authorized persons may enter this area" are not
particularly effective. Organizations should determine whether intruders
can easily defeat the controls, the extent to which strangers are
challenged, and the effectiveness of other control procedures. Factors
like these modify the effectiveness of physical controls.
The feasibility of surreptitious
entry also needs to be considered. For example, it may be possible
to go over the top of a partition that stops at the underside of a
suspended ceiling or to cut a hole in a plasterboard partition in
a location hidden by furniture. If a door is controlled by a combination
lock, it may be possible to observe an authorized person entering
the lock combination. If keycards are not carefully controlled, an
intruder may be able to steal a card left on a desk or use a card
passed back by an accomplice.
Types of Building Construction
There are
four basic kinds of building construction: (a) light frame,
(b) heavy timber, (c) incombustible, and (d) fire resistant.
Note that the term fireproof is not used because no structure
can resist a fire indefinitely. Most houses are light frame,
and cannot survive more than about thirty minutes in a fire.
Heavy timber means that the basic structural elements have a
minimum thickness of four inches. When such structures burn,
the char that forms tends to insulate the interior of the timber
and the structure may survive for an hour or more depending
on the details. Incombustible means that the structure members
will not burn. This almost always means that the members are
steel. Note, however, that steel loses its strength at high temperatures,
at which point the structure collapses. Fire resistant means
that the structural members are incombustible and are insulated.
Typically, the insulation is either concrete that encases steel
members, or is a mineral wool that is sprayed onto the members.
Of course, the heavier the insulation, the longer the structure
will resist a fire.
Note that
a building constructed of reinforced concrete can still be destroyed
in a fire if there is sufficient fuel present and fire fighting
is ineffective. The prolonged heat of a fire can cause differential
expansion of the concrete, which causes spalling. Portions of
the concrete split off, exposing the reinforcing, and the interior
of the concrete is subject to additional spalling. Furthermore,
as heated floor slabs expand outward, they deform supporting
columns. Thus, a reinforced concrete parking garage with open
exterior walls and a relatively low fire load has a low fire
risk, but a similar archival record storage facility with closed
exterior walls and a high fire load has a higher risk even though
the basic building material is incombustible.
Corrective actions can
address any of the factors listed above. Adding an additional barrier
reduces the risk to the areas behind the barrier. Enhancing the screening
at an entry point can reduce the number of penetrations. For example,
a guard may provide a higher level of screening than a keycard-controlled
door, or an anti-pass back feature can be added. Reorganizing traffic
patterns, work flow, and work areas may reduce the number of people
who need access to a restricted area. Physical modifications to barriers
can reduce the vulnerability to surreptitious entry. Intrusion detectors,
such as closed-circuit television cameras, motion detectors, and other
devices, can detect intruders in unoccupied spaces.
15.2 Fire Safety Factors
Building fires are a particularly
important security threat because of the potential for complete destruction
of both hardware and data, the risk to human life, and the pervasiveness
of the damage. Smoke, corrosive gases, and high humidity from a localized
fire can damage systems throughout an entire building. Consequently,
it is important to evaluate the fire safety of buildings that house
systems. Following are important factors in determining the risks
from fire.
Ignition Sources.
Fires begin because something supplies enough heat to cause other
materials to burn. Typical ignition sources are failures of electric
devices and wiring, carelessly discarded cigarettes, improper storage
of materials subject to spontaneous combustion, improper operation
of heating devices, and, of course, arson.
Fuel Sources. If
a fire is to grow, it must have a supply of fuel, material that will
burn to support its growth, and an adequate supply of oxygen. Once
a fire becomes established, it depends on the combustible materials
in the building (referred to as the fire load) to support its further
growth. The more fuel per square meter, the more intense the fire
will be.
Building Operation.
If a building is well maintained and operated so as to minimize the
accumulation of fuel (such as maintaining the integrity of fire barriers),
the fire risk will be minimized.
Building Occupancy.
Some occupancies are inherently more dangerous than others because
of an above-average number of potential ignition sources. For example,
a chemical warehouse may contain an above-average fuel load.
Fire Detection.
The more quickly a fire is detected, all other things being equal,
the more easily it can be extinguished, minimizing damage. It is also
important to accurately pinpoint the location of the fire.
Fire Extinguishment.
A fire will burn until it consumes all of the fuel in the building
or until it is extinguished. Fire extinguishment may be automatic,
as with an automatic sprinkler system or a HALON discharge system,
or it may be performed by people using portable extinguishers, cooling
the fire site with a stream of water, by limiting the supply of oxygen
with a blanket of foam or powder, or by breaking the combustion chemical
reaction chain.
Halons have been identified as harmful to the Earth's protective ozone
layer. So, under an international agreement (known as the Montreal
Protocol), production of halons ended January 1, 1994. In September
1992, the General Services Administration issued a moratorium
on halon use by federal agencies.
When properly installed,
maintained, and provided with an adequate supply of water, automatic
sprinkler systems are highly effective in protecting buildings and
their contents.[104] Nonetheless, one
often hears uninformed persons speak of the water damage done
by sprinkler systems as a disadvantage. Fires that trigger sprinkler
systems cause the water damage.[105]
In short, sprinkler systems reduce fire damage, protect the lives
of building occupants, and limit the fire damage to the building itself.
All these factors contribute to more rapid recovery of systems following
a fire.
Each of these factors is
important when estimating the occurrence rate of fires and the amount
of damage that will result. The objective of a fire-safety program
is to optimize these factors to minimize the risk of fire.
15.3 Failure of Supporting Utilities
Systems and the people
who operate them need to have a reasonably well-controlled operating
environment. Consequently, failures of heating and air-conditioning
systems will usually cause a service interruption and may damage hardware.
These utilities are composed of many elements, each of which must
function properly.
For example, the typical
air-conditioning system consists of (1) air handlers that cool and
humidify room air, (2) circulating pumps that send chilled water to
the air handlers, (3) chillers that extract heat from the water, and
(4) cooling towers that discharge the heat to the outside air. Each
of these elements has a mean-time-between-failures (MTBF) and a mean-time-to-repair
(MTTR). Using the MTBF and MTTR values for each of the elements of
a system, one can estimate the occurrence rate of system failures
and the range of resulting service interruptions.
This same line of reasoning
applies to electric power distribution, heating plants, water, sewage,
and other utilities required for system operation or staff comfort.
By identifying the failure modes of each utility and estimating the
MTBF and MTTR, necessary failure threat parameters can be developed
to calculate the resulting risk. The risk of utility failure can be
reduced by substituting units with lower MTBF values. MTTR can be
reduced by stocking spare parts on site and training maintenance personnel.
And the outages resulting from a given MTBF can be reduced by installing
redundant units under the assumption that failures are distributed
randomly in time. Each of these strategies can be evaluated by comparing
the reduction in risk with the cost to achieve it.
15.4 Structural Collapse
A building may be subjected
to a load greater than it can support. Most commonly this is a result
of an earthquake, a snow load on the roof beyond design criteria,
an explosion that displaces or cuts structural members, or a fire
that weakens structural members. Even if the structure is not completely
demolished, the authorities may decide to ban its further use, sometimes
even banning entry to remove materials. This threat applies primarily
to high-rise buildings and those with large interior spaces without
supporting columns.
15.5 Plumbing Leaks
While plumbing leaks do
not occur every day, they can be seriously disruptive. The building's
plumbing drawings can help locate plumbing lines that might endanger
system hardware. These lines include hot and cold water, chilled water
supply and return lines, steam lines, automatic sprinkler lines, fire
hose standpipes, and drains. If a building includes a laboratory or
manufacturing spaces, there may be other lines that conduct water,
corrosive or toxic chemicals, or gases.
As a rule, analysis often
shows that the cost to relocate threatening lines is difficult to
justify. However, the location of shutoff valves and procedures that
should be followed in the event of a failure must be specified. Operating
and security personnel should have this information immediately available
for use in an emergency. In some cases, it may be possible to relocate
system hardware, particularly distributed LAN hardware.
15.6 Interception of Data
Depending on the type of
data a system processes, there may be a significant risk if the data
is intercepted. There are three routes of data interception: direct
observation, interception of data transmission, and electromagnetic
interception.
Direct Observation.
System terminal and workstation display screens may be observed by
unauthorized persons. In most cases, it is relatively easy to relocate
the display to eliminate the exposure.
Interception of Data
Transmissions. If an interceptor can gain access to data transmission
lines, it may be feasible to tap into the lines and read the data
being transmitted. Network monitoring tools can be used to capture
data packets. Of course, the interceptor cannot control what is transmitted,
and so may not be able to immediately observe data of interest. However,
over a period of time there may be a serious level of disclosure.
Local area networks typically broadcast messages.[106]
Consequently, all traffic, including passwords, could be retrieved.
Interceptors could also transmit spurious data on tapped lines, either
for purposes of disruption or for fraud.
Electromagnetic Interception.
Systems routinely radiate electromagnetic energy that can be detected
with special-purpose radio receivers. Successful interception will
depend on the signal strength at the receiver location; the greater
the separation between the system and the receiver, the lower the
success rate. TEMPEST shielding, of either equipment or rooms, can
be used to minimize the spread of electromagnetic signals. The signal-to-noise
ratio at the receiver, determined in part by the number of competing
emitters will also affect the success rate. The more workstations
of the same type in the same location performing "random"
activity, the more difficult it is to intercept a given workstation's
radiation. On the other hand, the trend toward wireless (i.e., deliberate
radiation) LAN connections may increase the likelihood of successful
interception.
15.7 Mobile and Portable Systems
The analysis and management
of risk usually has to be modified if a system is installed in a vehicle
or is portable, such as a laptop computer. The system in a vehicle
will share the risks of the vehicle, including accidents and theft,
as well as regional and local risks.
Encryption of data files on stored media may also be a cost-effective
precaution against disclosure of confidential information if a laptop
computer is lost or stolen.
Portable and mobile systems share
an increased risk of theft and physical damage. In addition, portable
systems can be "misplaced" or left unattended by careless
users. Secure storage of laptop computers is often required when they
are not in use.
If a mobile or portable
system uses particularly valuable or important data, it may be appropriate
to either store its data on a medium that can be removed from the
system when it is unattended or to encrypt the data. In any case,
the issue of how custody of mobile and portable computers is to be
controlled should be addressed. Depending on the sensitivity of the
system and its application, it may be appropriate to require briefings
of users and signed briefing acknowledgments. (See Chapter 10 for
an example.)
15.8 Approach to Implementation
Like other security measures,
physical and environmental security controls are selected because
they are cost-beneficial. This does not mean that a user must conduct
a detailed cost-benefit analysis for the selection of every control.
There are four general ways to justify the selection of controls:
- They are required
by law or regulation. Fire exit doors with panic bars and exit
lights are examples of security measures required by law or regulation.
Presumably, the regulatory authority has considered the costs and
benefits and has determined that it is in the public interest to
require the security measure. A lawfully conducted organization
has no option but to implement all required security measures.
- The cost is insignificant,
but the benefit is material. A good example of this is a facility
with a key-locked low-traffic door to a restricted area. The cost
of keeping the door locked is minimal, but there is a significant
benefit. Once a significant benefit/minimal cost security measure
has been identified, no further analysis is required to justify
its implementation.
- The security measure
addresses a potentially "fatal" security exposure but
has a reasonable cost. Backing up system software and data is
an example of this justification. For most systems, the cost of
making regular backup copies is modest (compared to the costs of
operating the system), the organization would not be able to function
if the stored data were lost, and the cost impact of the failure
would be material. In such cases, it would not be necessary to develop
any further cost justification for the backup of software and data.
However, this justification depends on what constitutes a modest
cost, and it does not identify the optimum backup schedule. Broadly
speaking, a cost that does not require budgeting of additional funds
would qualify.
- The security measure
is estimated to be cost-beneficial. If the cost of a potential
security measure is significant, and it cannot be justified by any
of the first three reasons listed above, then its cost (both implementation
and ongoing operation) and its benefit (reduction in future expected
losses) need to be analyzed to determine if it is cost-beneficial.
In this context, cost-beneficial means that the reduction
in expected loss is significantly greater than the cost of implementing
the security measure.
Arriving at the fourth
justification requires a detailed analysis. Simple rules of thumb
do not apply. Consider, for example, the threat of electric power
failure and the security measures that can protect against such an
event. The threat parameters, rate of occurrence, and range of outage
durations depend on the location of the system, the details of its
connection to the local electric power utility, the details of the
internal power distribution system, and the character of other activities
in the building that use electric power. The system's potential losses
from service interruption depend on the details of the functions
it performs. Two systems that are otherwise identical can support
functions that have quite different degrees of urgency. Thus, two
systems may have the same electric power failure threat and vulnerability
parameters, yet entirely different loss potential parameters.
Furthermore, a number of
different security measures are available to address electric power
failures. These measures differ in both cost and performance. For
example, the cost of an uninterruptible power supply (UPS) depends
on the size of the electric load it can support, the number of minutes
it can support the load, and the speed with which it assumes the load
when the primary power source fails. An on-site power generator could
also be installed either in place of a UPS (accepting the fact that
a power failure will cause a brief service interruption) or in order
to provide long-term backup to a UPS system. Design decisions include
the magnitude of the load the generator will support, the size of
the on-site fuel supply, and the details of the facilities to switch
the load from the primary source or the UPS to the on-site generator.
This example shows systems
with a wide range of risks and a wide range of available security
measures (including, of course, no action), each with its own cost
factors and performance parameters.
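The fourth justification worked through for the electric-power example above, as an added example that is not part of the handbook. It screens no action, a UPS, a generator and a UPS backed by a generator for two otherwise identical systems with different loss potential; every outage rate, loss figure and annual cost is constructed for illustration, and the loss model (a fixed restart cost plus a cost per minute of lost service) is an assumption.

```python
"""Cost-benefit screening of power-failure countermeasures (added example).

The structure follows the UPS/generator discussion in the text; every outage
rate, loss figure and cost below is constructed for illustration.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class OutageClass:
    minutes: float     # representative duration of outages in this class
    per_year: float    # expected occurrences per year at this site


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float   # amortized implementation plus yearly operation
    gap_min: float       # interruption before the measure picks up the load
    cover_min: float     # how long it can then carry the load (inf: refuelable generator)


@dataclass(frozen=True)
class LossProfile:
    startup_loss: float  # fixed cost of any interruption (restart, recovery)
    loss_per_min: float  # cost per minute of lost service


# Threat parameters: identical for every system in the building (constructed).
OUTAGES = (
    OutageClass(minutes=2, per_year=6),        # momentary dips
    OutageClass(minutes=20, per_year=2),       # local distribution faults
    OutageClass(minutes=240, per_year=0.25),   # major utility outage, about 1 in 4 years
)

# Candidate measures (constructed costs); "no action" is always on the list.
MEASURES = (
    Measure("no action", annual_cost=0, gap_min=0, cover_min=0),
    Measure("UPS (15 min)", annual_cost=3000, gap_min=0, cover_min=15),
    Measure("generator only", annual_cost=8000, gap_min=1, cover_min=inf),
    Measure("UPS plus generator", annual_cost=11000, gap_min=0, cover_min=inf),
)

# Two otherwise identical systems whose functions differ in urgency.
ROUTINE = LossProfile(startup_loss=2000, loss_per_min=50)
URGENT = LossProfile(startup_loss=10000, loss_per_min=500)


def residual_minutes(outage: OutageClass, measure: Measure) -> float:
    # Interruption end users still see: the switch-over gap, plus whatever
    # part of the outage outlasts the measure's coverage.
    gap = min(outage.minutes, measure.gap_min)
    uncovered = max(0.0, outage.minutes - measure.gap_min - measure.cover_min)
    return gap + uncovered


def expected_annual_loss(measure: Measure, profile: LossProfile, outages=OUTAGES) -> float:
    # Sum over outage classes of (occurrences per year x loss per occurrence).
    total = 0.0
    for outage in outages:
        minutes = residual_minutes(outage, measure)
        if minutes > 0:
            total += outage.per_year * (profile.startup_loss + profile.loss_per_min * minutes)
    return total


def net_benefit(measure: Measure, profile: LossProfile, outages=OUTAGES) -> float:
    # Reduction in expected loss relative to no action, less the measure's cost.
    baseline = expected_annual_loss(MEASURES[0], profile, outages)
    return (baseline - expected_annual_loss(measure, profile, outages)) - measure.annual_cost


def best_measure(profile: LossProfile, measures=MEASURES, outages=OUTAGES) -> Measure:
    # Cost-beneficial choice: the largest net benefit; "no action" scores 0,
    # so a measure is chosen only when its benefit exceeds its cost.
    return max(measures, key=lambda m: net_benefit(m, profile, outages))
```

Under these figures the routine system is best served by the UPS alone while the urgent one justifies the UPS plus generator, which is the text's point that equal threat parameters can still lead to different decisions.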
15.9 Interdependencies
Physical and environmental
security measures rely on and support the proper functioning of many
of the other areas discussed in this handbook. Among the most important
are the following:
Logical Access Controls.
Physical security controls augment technical means for controlling
access to information and processing. Even if the most advanced and
best-implemented logical access controls are in place, if physical
security measures are inadequate, logical access controls may be circumvented
by directly accessing the hardware and storage media. For example,
a computer system may be rebooted using different software.
Contingency Planning.
A large portion of the contingency planning process involves the failure
of physical and environmental controls. Having sound controls, therefore,
can help minimize losses from such contingencies.
Identification and Authentication
(I&A). Many physical access control systems require that people
be identified and authenticated. Automated physical security access
controls can use the same types of I&A as other computer systems.
In addition, it is possible to use the same tokens (e.g., badges)
as those used for other computer-based I&A.
Other. Physical
and environmental controls are also closely linked to the activities
of the local guard force, fire house, life safety office, and medical
office. These organizations should be consulted for their expertise
in planning controls for the systems environment.
15.10 Cost Considerations
Costs associated with physical
security measures range greatly. Useful generalizations about costs,
therefore, are difficult to make. Some measures, such as keeping a door
locked, may be a trivial expense. Other features, such as fire-detection
and -suppression systems, can be far more costly. Cost considerations
should include operation. For example, adding controlled-entry doors
requires persons using the door to stop and unlock it. Locks also
require physical key management and accounting (and rekeying when
keys are lost or stolen). Often these effects will be inconsequential,
but they should be fully considered. As with other security measures,
the objective is to select those that are cost-beneficial.
Footnotes:
103. This chapter draws upon work by Robert V. Jacobson, International Security
Technology, Inc., funded by the Tennessee Valley Authority.
104. As discussed in this section, many variables
affect fire safety and should be taken into account in selecting a fire
extinguishment system. While automatic sprinklers can be very effective,
selection of a fire extinguishment system for a particular building
should take into account the particular fire risk factors. Other factors
may include rate changes from either a fire insurance carrier or a business
interruption insurance carrier. Professional advice is required.
105. Occurrences of accidental discharge are extremely
rare, and, in a fire, only the sprinkler heads in the immediate area
of the fire open and discharge water.
106. An insider may be able to easily collect data
by configuring their Ethernet network interface to receive all network
traffic, rather than just the network traffic intended for that node. This
is called promiscuous mode.