This chapter describes the wide array of possible physical threats that can impact information systems (IS) infrastructure. The infrastructure affected can be any component of a computer system or communications network, any of the cables or wiring that transport power or data, or any of the support services or utilities needed to sustain full IS performance. The speed and accuracy of any system is dependent upon the performance of a long chain of physical components as well as upon the productivity of all of the people who utilize or maintain each component. Anything less than full system-wide performance can be very costly.

A physical threat is any event that can degrade the performance of an information system—whether such an event is actually occurring or imminent, or credibly likely or possible, or completely unexpected and without warning. The list of possible threats is a long one beginning with natural and man-made external events that can impact IS performance. Many other possible threats are internal, resulting from accidents or misuse, snooping, vandalism, or deliberate attack. Internal threats also include reliability failures, installation or maintenance issues, or lack of proper testing. Threats can also be caused by situations within the facility, building, or complex, or as a consequence of local or regional events, or, increasingly, events worldwide and even from outer space. Threats happen and can come from almost anywhere, so it is prudent and far less costly to try to anticipate all possible threats.

This chapter begins a threat assessment process, which starts by identifying all possible threat situations. This process must be comprehensive and rigorous and involve all stakeholders. It is not enough simply to assign likelihood and an impact for the usual or the obvious threat situations. There must be a full risk analysis, so that risk, vulnerability, and response and recovery costs can be quantified, as explained in Chapter 23 in this Handbook. Otherwise, the whole process is valueless. Absent comprehensive planning, security becomes an irrational selection of vendors and solutions, which can only add cost and increase liability risks. Alternatively, a strategic risk management process can maximize future profits and add value, protect morale and productivity, enhance goodwill, and improve relations with customers and communities.

The events of September 11, 2001, sounded a shattering wake-up call that unexpected threats can actually happen and that even the best security practices, products, and services are of little value without proper planning, implementation, and support. Hurricane Katrina, four years later in 2005, demonstrated again that both business and government are still unprepared, even though such an event was predicted many times.

This chapter suggests a comprehensive perspective on physical security that can add value and help avert disaster. Chapter 23 in this Handbook goes on to suggest physical security implementation and management that can protect people and property while optimizing morale, productivity, and profitability.

22.2 BACKGROUND AND PERSPECTIVE.

Historic data and statistics are of limited value in predicting future threats. For a discussion of the unreliability of computer-crime statistics, see Chapter 10 in this Handbook. The past is no longer prologue because many new risks are emerging and many types of incidents are increasingly severe, widespread, complex, damaging, and costly. Proliferating and increasingly dispersed infrastructure system components are often vulnerable and hard to protect. And hybrid configurations of new and legacy systems vastly complicate the protection process.

There are few threat statistics that can reliably predict the infrastructure future. Computer crime reports mostly cover logical security, while general crime statistics often do not relate directly to computer security. Historic information is further flawed because many incidents are never detected and far more are not reported for fear of embarrassment, liability, or loss of business. Many security incidents are masked as quality-control problems for the same reasons, or are misdiagnosed because no one had time to determine the true cause(s). Lacking reliable precedents, predicting future threats is especially difficult—yet increasingly necessary. Chapter 10 discusses computer crime statistics in more detail.

Most incidents happen suddenly, without warning, and often where least expected. Many threats, once thought to be unlikely, now occur widely and strike with surprising intensity and devastation. Other contributing factors include poor risk management due to inexperience, denial, or complacency that can quickly turn routine threats into costly incidents. Businesses with good security preparedness can usually survive, while many others will not.

22.2.1 Today's Risks Are Greater.

Today's risks are increasingly sophisticated, unpredictable, potentially serious, and increasingly commonplace as well. Disruptive incidents can result from mistakes or accidents, snoopers or hacking, vandalism, disgruntled or disruptive persons, labor disputes, demonstrations, or civil unrest, extremists of many stripes, and, increasingly, both domestic and international terrorism. Although violent crime statistics have decreased in recent years, these data are misleading because they rarely include workplace-related events. Violence in the workplace is now common and often without warning. Incidents can include harassment, bomb scares, robbery, hostage situations, shooting, or arson. And each and every one of these risks can seriously affect IS performance.

The possibility of catastrophic events utilizing weapons of mass destruction is also increasing. Among these, the threat of biological or chemical agents is extremely dangerous, can impact wide areas, and may be contagious as well. An emerging concern is a flu pandemic threat, which can be a natural hazard or a terrorist attack. Flu is highly contagious, spread by many possible vectors that are at best hard to control, and can quickly incapacitate many workers. A 2006 study by the National Governors Association suggests that as many as 40 percent of all workers might stay home for a period up to 14 months if a major pandemic hit.¹ If an anthrax scare, a West Nile outbreak, or a full bird flu pandemic does eventually occur, the affect on unprepared organizations and their information infrastructure could be disastrous.

To make matters worse, today's would-be perpetrators tend to be well trained and funded, determined, persistent, and patient. Many also have the best and latest technology, equipment, and programming skills. And except for a few misguided amateurs, most troublemakers cover their intentions very well. Almost anyone working inside the organization can cause trouble: full-time employees, temporary or contract workers, service personnel, maintenance or construction crews, repair persons, inspectors, meter readers, building personnel, visitors, vendors, consultants, or anyone posing in any of these roles. Externally, there are many local, regional, national, or secular groups sworn to wreak vengeance.

Physical threats can extend beyond direct attacks. Many scares do not result in actual violence, and disruptive incidents can occur outside of the workplace. However and wherever they happen, violence-related incidents are increasingly commonplace, disruptive, and costly.²

All too many people with access to the workplace have backgrounds, allegiances, or emotional drives that are entirely unknown. Even previously trustworthy people may be forced to undertake espionage, sabotage, or other criminal activities. Chapter 15 in this Handbook discusses such social engineering methods in connection with penetration of computer systems and networks. Some seemingly trustworthy people may be ideologically motivated, while others are simply duped. Still others are drawn by opportunities for personal gain or vengeance. And there is very little risk of detection or apprehension for most well-trained, would-be perpetrators. Government officials can substantiate some of the incidents, but much of this information is not public. Based on consistent conversations among security experts who compare the cases they work on with the cases that are published, what is published is probably only the tip of the iceberg—perhaps a tenth or so of the real rates of attack.

Informed opinion suggests that such crimes are already widespread and rapidly increasing. Yet few incidents are detected and fewer still ever reported. Worse yet, there are scant data on the extent of crimes against information systems, theft of data, espionage, or similar activities that can clearly cause huge business losses.

Those who threaten the IS infrastructure must at least gain access to some physical part of it, but often this can be done inconspicuously, by trickery, deception, or simply forced entry. A physical attack may be the best way to compromise an information system—much more effective and less likely to be detected than a logical attack. Often many vital system components are vulnerable, exposed, or easily accessible. These components include wiring and cable runs, connection and junction points, system and network equipment, and the utilities that support them. Attacks or spying by physical means are often easy, fast, safe, and sure.

22.2.2 Likely Targets.

Businesses and organizations are increasingly likely to be the targets of hackers, disgruntled employees, competitors, disturbed persons, demonstrators, hate groups, extremists, and even terrorists. Motives may include a conspicuous, tempting, or challenging target, rage or revenge, an opportunity to cause reputational damage or at least adverse publicity, to make a political statement, for extortion or blackmail, or for personal gain or profit. Often there are no discernable motives. And beyond being likely targets, most businesses are convenient, easy, and safe targets as well, because most are unaware and unprepared for today's threats, much less for future ones. Although government facilities remain preferred targets, many are now better protected than most businesses, thanks to new procedures that are covered in Chapter 23 in this Handbook.

Another likely threat arises from the need of extremists and terrorists to finance their activities. Many groups and all independent, self-directed cells are dependent on crime to finance their operations. Today's crimes can include robbery and holdups, counterfeit currency and credit cards, Internet phishing and scams, theft, extortion, blackmail, and selling pirated software and other knock-offs. In addition, many foreign governments, businesses, and criminal organizations are actively engaged in spying. Although these are mainly corporate security and logical security problems, they also represent potential physical threats that must be deterred.

22.2.3 Productivity Issues.

Good security can be directly correlated with high productivity, which, in turn, can improve performance, customer satisfaction, and goodwill. Good security is measurable and can strategically enhance each of these factors to add both value and profit. Anything less than good security invites wasted time and money.

People who do not feel safe will not be productive. This applies to employees, visitors, vendors, and others on premises, as well as to customers, vendors, stockholders, and other stakeholders at remote locations. Everyone using any information system must be comfortable that physical safety and privacy is assured and that the system is uninterruptible, secure, and operating at full performance. Everyone concerned must be involved in the planning process, generally understand the risks, and support the security procedures. Otherwise, performance inevitably suffers.

Whenever a security incident occurs, morale and productivity are likely to plummet, and can remain low for many weeks, or even months. Whether the infrastructure is actually affected or not, significant disruption of operations is likely. Even when there is no injury or damage, the perception of a potential event can be costly; it can disrupt productivity, lose business and customers, and jeopardize goodwill. Even an unrelated incident, accident, nearby event, or a medical emergency can cause significant and prolonged disruption before productivity eventually climbs back to normal. The costs of recovering from any such event can be enormous.

Some examples of incidents include:

An outside accountant died from a heart attack during a client meeting with several managers. No one knew enough first aid to be able to help him until an ambulance arrived, too late.
A construction worker collapsed with a heart attack in a large office building. Many employees saw the man collapse, and word spread almost instantly through hundreds of office workers nearby. Again, no one offered immediate help, and the man died just as an ambulance crew arrived.
The CFO of a large bank who was in his early 40s choked at a company reception and died in front of over 100 guests and employees.

All three persons died in the workplace, and all three might have been saved had there been proper medical equipment and trained people. In each case, morale and productivity plummeted and remained low for many weeks. The business costs were enormous. There must be thousands of such incidents each year. Good security might have saved lives, money, and reputation.

In another incident, an executive was robbed at gunpoint in a men's rest room that was publicly accessible. Although he managed to flee without injury, the entire office was traumatized, and little work was done for weeks. To make matters worse, there were rumors of similar robberies within the building complex. Here again, morale plummeted and took even longer to restore. Little work was done. Customers who were initially sympathetic soon took their business elsewhere. Again, the cost was high and the damage could have been mitigated or even prevented with effective and honest communications.

None of these incidents related directly to information systems. Yet each incident caused significant and prolonged disruptions that good infrastructure security might have prevented. Prior to each event, senior management had reviewed some security risks but then decided that no special protections were needed. Their premises security people viewed such threats as unlikely, based on assurances from the landlords that the buildings were amply protected. The threat assessments of each tenant were clearly flawed. Furthermore, having downplayed the possibility of some risks, tenants probably ignored many other potential threats.

No one knows how often productivity-related events occur. Businesses generally do not report them, and neither do the media. But these things do happen and probably with considerable frequency. Yet all threats can be mitigated to some extent and many more prevented at far less cost than the consequences by effective technical preparations, adequate employee awareness and training, and well-planned and well-rehearsed responses.

22.2.4 Terrorism and Violence Are Now Serious Threats.

Acts of terrorism and violence are now a reality that can occur anywhere in the world. September 11, 2001, and the events that followed have brought home the stark reality that violence can happen anywhere and can cause massive damage and disruption. And most major disasters can disrupt information systems far removed from the actual incidents.

Workplace violence is also happening with increasing frequency and often at facilities assumed to be safe.³ Bomb and biological or chemical scares, personal threats, harassment, hostage situations, and shootings are all happening with increasing regularity. Whether actual violence occurs or not, the threats alone, the many rumors generated, and the imagined proximity to danger are all productivity-related events that can seriously disrupt the performance of information systems for a long time. Therefore, these become infrastructure security issues that require special planning and should not be left to premises security personnel to prevent.

There are other serious threats from foreign intelligence, terrorists, and domestic groups generally unknown to the public. Some of these are explained well in the Project Megiddo report published by the Federal Bureau of Investigation (FBI) in 1999 in anticipation of the millennium. The report provides “an FBI strategic assessment of the potential for domestic terrorism in the United States undertaken in anticipation of or response to the arrival of the new millennium.”⁴ The risks cited then are basically unchanged today, except that more previously unknown threats have since been added. There are consultants with FBI contacts who can offer valuable advice.

Attempted violence is now a serious threat to all IS infrastructures. However, thorough security planning can do much to avoid trouble and needless expenses.

22.2.5 Costs of a Threat Happening.

Direct costs of system downtime can exceed many thousands of dollars per hour. The losses include the slack-time costs of people who cannot use the systems, costs of support and maintenance people diverted to restoring operations, recovery expenses, overtime, and often lodging, food, and travel expenses during recovery. Usually, many outside resources are needed for response and recovery. Everything becomes very expensive, very quickly. Often, to further compound the costs, needed resources are just not available immediately.

Indirect costs can also be significant. Reestablishing and keeping good public relations can be expensive. Often public announcements, news releases, and briefings to the news and financial media and to stockholders are needed to neutralize public embarrassment and control rumors. Key customers must be contacted and reassured, and pending orders rescheduled. Still more costs include lost business or market share and dropping stock prices. Competitors often will take as much advantage as they can, which necessitates further costs defending brands and reputation.

Any number of such costs can devastate an enterprise unless strong security measures are deployed effectively and quickly. Ad-libbed responses are often disastrous. In reality, an infrastructure outage of more than a few hours is often fatal, and the enterprise can never fully recover. Good security usually can prevent disastrous costs.

22.2.6 Who Must Be Involved.

Many threats to information systems also involve corporate or premises security personnel, whose role is to protect people and property within and surrounding the workplace. The CEO and the CFO are also involved, because they must now comply with the laws and regulations (covered in Section 23.2.6), in particular the Sarbanes-Oxley Act. This requires that events that might materially affect financial performance must be included within an organization's financial filings and statements. Major security incidents are clearly such events whose impact must now be predicted—as described in this chapter.

Premises security often includes little more than guards, access control, and some surveillance. Their understanding of the IS infrastructure's special security needs is often minimal, lumped in with overall physical security procedures, and rarely extends much beyond the immediate premises. Yet IS security requires additional knowledge, experience, protection, and support. Good security must be strong, fast-acting, focused on specific targets, and closely monitored. Effective early warning systems are necessary in order to prevent threats from happening. In reality, each security function will have its own needs and priorities and use its own resources. During a serious incident, security for the premises, occupants, information systems, and the infrastructure must all coordinate efficiently and effectively. They must also work smoothly with local fire and police departments, with other emergency responders, and with many outside resources.

Who, then, should manage the process of determining the threats to the IS infrastructure? And who are the stakeholders who should be involved in this process?

The best person to manage the physical security of information systems is one who knows a great deal about possible threats and about the IS infrastructure. The office manager, facilities manager, or corporate security director or their staffs are usually ill-equipped to determine or manage IS security. Often, too, the chief information officer (CIO) and IS security officers deal with protecting data and data processing, and are not the best persons to understand IS physical security, especially in a large installation. Therefore, the best person is a trusted individual with the right knowledge and experience and with enough time to manage the process well. Planning and managing infrastructure security, implementing and testing it, training and security awareness, monitoring, and periodic updating of the system and procedures are a full-time job in most organizations, and require a support staff in larger organizations.

Another consideration is that no one person should know all the secrets, which is a rule that has become especially important in dealing with the IS infrastructure. When trouble comes, many experts must mobilize very quickly, efficiently, and effectively. To do this, the responders must be familiar with all the information systems and have fast access to the infrastructure. No matter how well trusted, no one person should know everything about the physical and logical defenses. (If need be, such information should be safely stored with strong access controls.) It is wise to divide the secrets so that no one group knows or has access to them all. Having done this, multiple persons can then share each portion of the secrets and observe each other, so that no one person is indispensable.

But only the security vulnerabilities and defensive implementations should be secrets. There is no point is letting others know about the defenses and where the organization is vulnerable. However, the process of determining the underlying threats should be common knowledge among all the stakeholders involved. By identifying a large number of risks that have been assessed—but keeping the likelihood, vulnerability, and impact information secret—we can discourage would-be troublemakers by at least providing some idea of the number of risks that have been considered. With any luck, they will attack less-prepared sites.

22.2.7 Liability Issues.

Aside from the need for efficient emergency response, another issue is becoming increasingly important, is potentially very costly, and is often overlooked. This is the issue of liability. Every organization has a legal and fiduciary duty to protect the people and property within and surrounding its premises. If any injury or damage occurs in or around a workplace—even long afterward—allegations of negligence will likely follow. The motive is often that damages awarded by the courts can be very large and lawyers often take on these cases on speculation, in hopes of receiving very large fees. And whether the organization was actually at fault or not, the resultant legal fees, the time and costs needed to defend the organization, bad publicity and possible loss of business, and the eventual fines and awards can be devastating.

If negligence is alleged, the issue is whether the organization was properly prepared for the emergency and was its response effective. The question is simply: Did management perform its duty to protect the organization? An affirmative answer would require at least:

Evidence of a thorough threat assessment process
Good security plans, policies, and procedures that have actually been implemented
Proper training and current security awareness
Periodic drills, exercises, security reviews, and feedback from known events
Periodic updates to assure that security remains effective

If it can be demonstrated that all these measures were not taken, or that there were deviations from generally accepted standards, the result could be punitive as well as compensatory damage awards. Gross negligence will probably be alleged as well, in which case insurance may not defend the accused organization or individuals, who would then be personally liable. Even with insurance in effect, it may not be sufficient to cover the very large penalties that juries commonly award.

Even when all the correct answers are given, the accused often find they are considered to be guilty until they can prove themselves innocent. And this can be a long, painful, and costly process.

However, a nearly iron-clad defense against liability is that federal procedures were followed. And the most comprehensive of these are from the Department of Homeland Security (DHS) and its Federal Emergency Management Agency (FEMA) Directorate.⁵ Of all of the other security planning and management procedures, which are many and varied, only the DHS/FEMA methodology is likely to become generally accepted. The procedures are already well known, uniform, and comprehensive, and they consider all threat possibilities and all response resources. It is unlikely that a plaintiff's attorney will ever allege that these procedures are deficient, or ever bring a case once it appears that an organization is compliant. This is not to remove all liability, merely to reduce the scope to situations usually covered by insurance. Chapter 23 in this Handbook outlines how to plan, implement, and manage the DHS/FEMA procedures.

22.2.8 Definitions and Terms.

Information infrastructure security is simply a means of IS performance assurance. Good security precludes any IS disruption that might degrade performance in any way. Any slowdown or loss of productivity, loss of data, breach of privacy, or disruption of the systems, networks, and utilities that support any information system diminishes performance. Good security assures that all systems remain fully operational, robust, and accurate, and that all their data remain private and cannot be compromised.

There are three elements of information systems security. Each element must be especially designed and maintained to protect against different threats of varying scope and intensity. The three elements include:

Logical security, which is also known as information systems security, protects only the integrity of data and of information processing.
Physical security, which is also called infrastructure security, protects the rest of the information systems and all of the people who use, operate, and maintain the systems. Physical security also must prevent any type of physical access or intrusion that can compromise logical security.
Premises security, which is also known as corporate or facilities security, protects the people and property within an entire area, facility, or building(s), and is usually required by codes, regulations, and fiduciary obligations. Premises security protects broad areas. It often provides perimeter security, access control, smoke and fire detection, fire suppression, some environmental protection, and usually surveillance systems, alarms, watchmen, and guards. Premises security is often an extension of law enforcement.

Clearly, there is much overlap between each element, and a threat to one is often a threat to the others as well. However, each element is likely to perceive and handle each threat differently. Although the remainder of this chapter deals with physical security, some threats that are usually considered the realm of logical or premises security must also be covered.

Clarification is needed also on what constitutes a “threat.” This is any credible situation—whether actual, imminent, predicted, or simply possible—with the potential for causing harm, damage, or disruption. The terms “threat,” “hazard,” and “risk” are used synonymously and have the same meaning.

22.2.9 Uniform, Comprehensive Planning Process.

The threat assessment process can go by a number of names, which are all functionally similar. Among the terms: are emergency, disaster, operations, contingency and crisis-response planning, and damage control. Some processes are proprietary and do not share a common language or standardized procedures that can be understood by everyone involved. Many regulated industries must develop emergency response plans using terms and formats dictated by the regulating agency, which makes these terms and formats proprietary as well. There are many diverse examples of regulated industries that use hazardous or nuclear materials or operate dams.

Many organizations that are involved in emergency response—such as hospitals and emergency medical services, schools, the American Red Cross, and many volunteer agencies, National Guard and military units—may still use other terms and models. Government agencies at the local, state, and federal levels still use a wide variety of security plans and procedures, even though there is now one standard methodology required, as explained in Chapter 23. Most of these procedures are not uniform or comprehensive. And they can be incompatible, present major communications barriers, and cause unnecessary misunderstandings, delays, and wasted resources. In turn, most private organizations are not aware of the government procedures in place or of the many resources that can assist them.

Every organization experiences essentially the same threats and has limited response capabilities and resources. Almost every organization is likely to be overwhelmed in a major emergency, and everyone can benefit enormously from outside resources. Yet each venue tends to use dissimilar models, terms, and procedures that are often unintelligible to the others. In many cases, their models become file-and-forget plans and procedures that no one understands or accepts.

If only as prudent risk management strategy to avoid liability issues, a single, uniform, and comprehensive standard for processes, procedures, and language is needed. The best way to do this is to adopt the DHS/FEMA methodology, which encompasses all hazards, coordinates all resources efficiently, and is clear, concise, understood, and accepted by everyone involved. Details are given in Chapter 23. This is now required for all federal government departments and agencies, and for state and local jurisdictions as well, if they wish to continue receiving federal grants and assistance.

A useful public/private standard for evaluating disaster/emergency preparedness is published by the Emergency Management Assessment Program⁶ (EMAP), which is a nonprofit professional organization. The EMAP standard covers all the current DHS/FEMA methodology and provides a clear and concise method to determine compliance, as well as a self-auditing process. EMAP also provides an independent, outside security audit of any government organization to ascertain that its emergency management program complies with the federal requirements; it may soon be able to audit private organizations also. The audit is done at the applicant's facility by professional, well-trained volunteers. The whole security-audit process is both rigorous and inexpensive. EMAP is therefore a suggested alternative to a CPA-provided security audit as well as to the audit procedures of other professional organizations that generally do not include either infrastructure security or compliance with federal procedures.

Security preparedness that is compliant with these standards may become a requisite for the private sector to obtain insurance, to avoid liability and excessive costs, to establish innocence, or to use capital markets for risk management. Knowing these standards will help the threat assessment process and, later, can provide better protection.

22.3 THREAT ASSESSMENT PROCESS.

Effective security planning begins with a thorough threat assessment. This process begins by establishing an ad hoc organization, obtaining budget approval and the sponsorship of senior management, and formation of a steering committee that represents all the stakeholders.

The first tasks are to:

Identify all potential threat situations.
Determine the likelihood and estimate the direct and indirect costs of each threat.
Evaluate and prioritize each threat.
Prepare and present a final report that each committee member signs.

This report becomes evidence of due diligence to avoid liability, and becomes the basis for protecting the infrastructure, which is described in Chapter 23.

The way not to go through the planning process is for a few people to decide the risks and then write the security plan. This is the opposite approach to good and effective planning. And it will not work. Very few of the key personnel will accept or even understand the plan, and it will probably be ignored or overlooked when the next emergency arises. Good examples of failed planning are the emergency management plans for New Orleans and Baton Rouge areas that were put in place before Hurricane Katrina in 2005. Apparently, both were good plans. But few officials understood the plans or remembered to use them.

The threat assessment planning process must be done thoroughly and completely. For additional perspectives on risk assessment and risk management, see Chapters 62 and 63 of this Handbook.

22.3.1 Set Up a Steering Committee.

The security planning process is not effective unless all of the stakeholders are represented, and the best way to do this is to establish a steering committee. The committee will help identify and evaluate potential threats, and help develop a comprehensive protection plan.

The committee should represent all stakeholders and include as much experience, knowledge, and perspective as possible. Stakeholders should include users, administrators, management, key partners, customers, vendors, and service providers (such as maintenance, repair, and cleaning personnel). A project manager should participate, as should legal, financial, and human resources representatives. Independent experts and facilitators are recommended as well. The best committee chair is usually an outside facilitator who is immune from political or cultural bias, loyalties, or product preferences. It is also wise to seek input from stockholders, lenders, insurers, and community and government officials.

This can be a virtual committee that rarely needs to meet in full session. Communications by e-mail or phone should be sufficient, and an in-house staff can gather data, issue reports, and work with individual committee members. Confidentiality is not an issue at this point. The committee's purpose is to identify threats and to assist in planning. No member need have full knowledge of the actual vulnerabilities or the resulting security systems and protections. Each member, however, should sign off on the committee's final report.

Once its initial mission is completed, it is best for this committee to convene at least annually to review new and changing threats and to assess how well the security systems have performed. This committee not only represents all concerned stakeholders, but it can provide oversight so that management does not neglect to exercise, review, and update the security plan. In effect, the committee provides due diligence that management has fulfilled its fiduciary responsibilities.

22.3.2 Identify All Possible Threats.

The first step is to identify all possible threat situations that might affect the information infrastructure. This is not to say that each threat will someday happen but that, conceivably, it might, nearby or even at a distance. The causal connection could be tenuous at best and the event most unlikely, but it could someday happen. It is far better to think objectively about such things and to plan effectively than to simply write them off as events that could “never happen here” or to claim that, if such a disaster does happen here, “there is nothing we can do to mitigate it.” Both statements are patently false and potentially very costly.

The threat list can be very long. The format should tabulate each specific threat with a one-line description to clarify what is meant. For example, “flooding” is too general a term to meaningfully assess its risk. Instead, one might list “riverine flooding,” which could be the result of heavy rains, snowmelt, or a breached dam or levee; “local flooding,” such as a water-main break, severe storm, or a major fire nearby; “premises flooding” due perhaps to leaking pipes, drains, or leaking windows, roofs, building setbacks, a burst water tank or cooling tower, or fire suppression. The purpose is to have a long list of specific threat situations that can be individually assessed. There can easily be 100 or more threats listed. As the project proceeds, those involved will surely add still more threats and fine-tune the definitions. The threat list should include threats that are direct as well as indirect and threats affecting the general area, the region, or the whole country. It is best to list all threats, including those that are deemed unlikely to occur, as a precaution against inadvertently omitting some that might have more importance than is apparent at first glance.

Unfortunately, threats tend to cascade: One threat situation can create others, and these, in turn, can create more threat situations. For example, severe flooding can close roadways and keep people away from work, impede delivery of supplies necessary to operate (such as food or water or fuel for an emergency generator), disrupt communications, cause mud slides, ignite fires, trigger looting, or cause civil unrest. As another example, during a fire there will likely be loss of electrical power for equipment cooling, ventilation, or communications and released water or chemicals that must be contained. Each of these conditions is a separate risk in itself. In reality, few hazards occur in isolation, and many of the cascading events may be unexpected and unpredictable, and can themselves trigger still more events.

Therefore, the tabulation of each threat should also include two other columns: (1) events that could trigger the threat, and (2) cascading threats that could result from the threat. This is easily done by numbering each threat and referencing the numbers that may interconnect the various threats. The information is needed to evaluate the impact of each threat. It can only be a general indication for planning purposes of what might happen. The actual cascading will probably be different, but the analysis of the threats will still be valid.

Do not rely on force majeure—for example, a major earthquake—as an excuse that a particular threat may be unavoidable. Force majeure does not limit liability because such events can be anticipated and some steps taken to minimize injury and damage. Nor may acts of war serve as an excuse, for the same reasons.

Finally, the threat list should be divided into major categories such as natural events, man-made events, vandalism, attacks, support system failures, and so on. The remainder of this chapter builds on the threat list and establishes categories best suited to particular needs.

22.3.3 Sources of Information and Assistance.

The next step is a compilation of past events: historical records and details as to what happened, when, and how, what injury and damage resulted, was there warning, how fast was the onset? The compilation should include events in both near and distant areas that could possibly cause damage and disruption, either directly or indirectly. Perhaps the 2005 subway and bus bombings in London or the earlier commuter-train bombings in Madrid could affect American workers who commute and become concerned about their own safety.

As the threat list gets bigger, it is necessary for everyone involved to think out of the box and to look for scenarios that past trends suggest could eventually happen. This thinking can be productive when it examines possible scenarios objectively. The author, as a security consultant in New York, worked with tenants in the World Trade Center and tried to suggest disaster planning but was overruled by the landlord who assured everyone that this was “the safest place on earth.”

Information sources to investigate include the weather bureau, libraries, local fire and police departments, state and county officials, utility companies, newspaper files, and local knowledge of past events within the region. Power and communications utility companies can provide outage reports, but their terminology must be clearly understood. For example, an electrical “outage” may only include interruptions lasting more than five minutes. Regional and state regulatory authorities, public utility commissions, industry and professional organizations, and business development groups may also provide useful information, once their perspective and terminology are clarified.

All local, regional, and state emergency management agencies should now have an all-hazard mitigation plan that lists all threats that have occurred throughout their jurisdiction. There should also be dates, descriptions, and map locations in their plan; this information may go back historically for a century or more. And each agency should have a local emergency operations plan that lists all potential threat situations within their jurisdiction. Look particularly at the appendices and annexes that discuss particular types of threats. In addition to what is in their plans, each agency should be of considerable assistance describing possible major threats that are man-made, involve hazardous materials, or are major health risks. The threats they identify are probably your threats as well.

Also work with each stakeholder for advice on threats they know about or perceive. Ask each person to reach out to their customers, vendors and suppliers, service providers, business neighbors, and consultants and academics as well. There will be much expertise, perspective, and good advice gleaned from these sources. The time seeking it will be well spent.

At the end of this chapter is a list of some reference books that can be helpful. Although most of the procedures are outdated, there is still much useful source data.

22.3.4 Determine the Likelihood of Each Threat.

The steering committee should consider the likelihood that each risk may happen. The best way to estimate likelihood is as an annual probability on a relative scale (for example) from 0 (none) to 5 (very likely). A perceived likelihood of once every 100 years (which equals a 1 percent annual probability) could be rated a 1. A 5 percent annual probability might be rated a 2, while an annual probability of 20 percent or more had best be rated as a 5. Threats from severe weather should be rated higher than historical data suggests in order to account for the world's changing weather patterns. Threats with a likelihood of 0 should also be included, as this value can be used later to show the relative vulnerability of each and every threat.

The steering committee can adjust each rating as it deliberates so that the final results are useful and meaningful.

22.3.5 Approximate the Impact Costs.

Once all the possible threats are determined and the likelihood of each is estimated, the next step is for the steering committee to deliberate the impact of each threat. Impact considers the potential losses and costs associated with each risk. (Do not consider cascading threats at this point.) Here also, a relative scale of 1 (very low) to 5 (very high) is suggested. A 0 impact rating is probably not relevant, because, in reality, some response and recovery costs will occur.

There may well be individual factors needed to clarify the importance of the overall impact. Such factors might include the likelihood of injury or death, the amount of property damage, the relative response and recovery costs, and, especially for a private organization, the costs of loss of business. The parameters of each factor and the scope of each rating can be adjusted as the planning proceeds, so that the results are realistic and meaningful. The purpose now is to show which threats are potentially the most dangerous or costly if they occur.

Threat assessment planning is best done using a worst-case scenario because this is what tends to happen in reality. Even then, actual costs incurred can be much higher than anticipated. Although the steering committee has only limited knowledge of possible costs, with some discussion the committee should reach consensus as to which rating to apply to each listed threat. Their findings will be reviewed later by others better able to predict potential costs and in a better position to realize that the impact of some threats is much more costly than others.

The impact costs are both direct and consequential. The direct expenses can include costs to locate the trouble(s), stabilize the systems, repair and install replacement infrastructure, reboot, restore databases, and thoroughly test both the data and the systems. Other direct costs that can result from each event include loss of productivity of system users, overtime needed to regain production schedules, temporary contracted services, and interim facilities, or materials and supplies needed immediately.

Add to these potential indirect or consequential costs such as food, sanitation, and lodging; loss of business, customers, or market share, falling stock price, and the costs of public relations efforts to control rumors and adverse news reports. Costs will continue to accumulate during the response phase, throughout the recovery period, and possibly long after. The totals can far exceed expectations.

22.3.6 Costs of Cascading Events.

The possibilities and indeed the likelihood of cascading events have been described. Each event adds to the impact costs, but determining how likely is the cascading, and how much the extra cost, is at best an educated guess. If the causative events for each threat are shown on the threat list and the potential cascading events are there also, the impact costs of each individual event should be estimated. However, cascading may invalidate the likelihood factors. If one threat is already occurring, others may be imminent, regardless of the likelihood shown.

The total impact cost will probably be somewhat less than the sum of the parts. There may be some economies of scale during multiple events, as the response activity for one event can take care of another event for little extra cost. Here is where the experience and perspective of the steering committee, security professionals, and management become valuable. However, the combined costs must still be realistic, or the cost-value analysis described in Chapter 23 will be flawed.

22.3.7 Determine the Vulnerability to Each Threat.

Deciding which threats are the most important can be subjective and controversial and based on un-proven assumptions. The approach suggested here yields quantifiable data that are realistic and will clearly indicate which threats are the most important and why. Individual opinions will vary considerably. The steering committee reports can yield approximations that are statistically valid—if the rules are followed and everything is done carefully. The committee's deliberations should be reviewed by experts and senior management, using calculations to be described, followed by the cost-value analyses described in Chapter 23.

One other common alternative is a matrix showing likelihood vertically and impact horizontally, rating both factors as high, medium, or low. This yields nine levels of vulnerability for each threat ranging from high-high to low-low. Such an arrangement is neither useful nor realistic. Since allowance need to be made for those impact factors that are potentially more costly than others.

Once everyone settles on the likelihood and impact of each threat, the current vulnerability of each threat can be calculated. Fundamentally, vulnerability is a calculation combining the likelihood of an event with how much damage it might cause. The method suggested yields six levels of vulnerability, from 0 (none) to 5 (very high). The next two steps are oversimplified but can be adapted to most needs.Simply multiplying the likelihood times the impact will yield vulnerability values from 0 to 25, which would not reflect the relative impact costs of most threats. Neither does simple addition, as some models suggest.

It is best to use several impact cost factors, as described earlier, and then combine each factor using constant multipliers for each so the relative importance of each impact cost is preserved. Combination by averaging each cost factor may not yield useful results. Combining the mean value of each factor (or sometimes the highest value) can yield more realistic data.
Finally, convert vulnerability calculations to a 0-to-5-point relative scale by choosing a range of results for each scale value.

Working through this procedure for all threats will show that the formulas, multipliers, and ranges of scale values may need to be adjusted slightly to yield meaningful results. As already mentioned, simple multiplication and/or addition or otherwise linear formulae will not yield realistic results.

The importance of calculating vulnerability is that it can be done in real time, and the multipliers can also be adjusted in real time as threat levels change. For example, this can immediately reflect the daily Homeland Security Threat Levels by locale or by possible target types. It can also input warnings from local police and intelligence sources. (Some threat information is probably classified, but the multiplier it can provide is not restricted or even sensitive information.) All the data can be displayed on a spreadsheet, even to the point of color-coding each vulnerability level. Everyone involved in security or emergency management can have real-time access to the same screens, which will update continually as conditions change.

It is well to provide a choice of display screens summarized or in detail by regions and threat categories, or prioritized by vulnerability.

Finally, the complete vulnerability data should be restricted and available only to those with a need to know. This information is highly sensitive; it shows potential wrongdoers where the IS infrastructure is well defended and where it is not.

22.3.8 Completing the Threat Assessment Report.

Once the detailed threat assessment is completed, a general report should be prepared for circulation to all stakeholders. The report is mostly textual and does not suggest weak spots or what the security defenses may be. Each steering committee member should sign off on this report, and so should the senior management and security staff. The purposes of this report are to develop security awareness, for use in training, and as evidence of due diligence that a thorough threat assessment was indeed performed.

More on how to evaluate and manage the vulnerabilities is described in Chapter 23 of this Handbook.

22.4 GENERAL THREATS.

A wide array of threat situations can affect the IS infrastructure, degrade productivity, and cause anxiety that will reduce performance and morale. The list suggested earlier begins to identify some of these threats. Some other possible situations that are not generally associated with the IS infrastructure are listed in this section. However, the various threats suggested in this chapter are far from a complete list. Therefore, expert advice, local knowledge, and analysis of current events should all be utilized to customize the threat list to the particular needs of each jurisdiction and then to review and revise the list periodically.

As mentioned before, specific threats are usually divided into broad categories that can easily be summarized to provide situational awareness. Generally, threats are categorized as natural hazards, technical and man-made risks, civil unrest, vandalism, and attacks. Other less likely but potentially more serious possibilities include bombs, hazardous materials release, a pandemic, and threats relating to weapons of mass destruction. A final grouping could be local events that are specific to the sites being protected. The groupings themselves are not important as long as all possible scenarios are covered. Some allocations will be arbitrary, as some threats could be put into any of several categories. (But never list any specific threat more than once.) There is as yet no single, uniform, comprehensive threat list format. As the planning process continues, the best threat groupings will likely evolve.

22.4.1 Natural Hazards.

Natural hazard events are becoming ever more frequent, damaging, and widespread, as their patterns seem to be changing. Increasingly recent events include major flooding, severe thunderstorms; hurricanes and tornadoes; blizzards, heavy snowfall, and ice storms; wildfires and heavy smoke; contamination of air, water, buildings, or soil; and the increasing threats of disease. Although earthquakes tend to occur in cycles, these too seem more prevalent currently. Any of these can disrupt business in any number of direct and consequential ways—many unanticipated—depending on the locations of information systems, networks, terminals, data storage, cables, and utilities. Natural hazard events cannot be prevented, but their impact can be mitigated. A closer look at each category follows.

Atmospheric hazards. These can include severe weather events, such as tropical cyclones and hurricanes; severe thunderstorms with hurricane winds, strong lightning, and large hailstones; tornadoes; windstorms; blizzards, and heavy snows; ice storms; air pollution and high ozone levels; nuclear fallout (which is always occurring, but at low levels); extreme cold weather; and extreme hot weather.
Geologic hazards. These are mainly landslides and mudslides, land subsidence (sinkholes), and expansive soils due to water.
Hydrologic hazards. These hazards include riverine flooding and flooding of low-lying areas due to heavy or prolonged rains; rapid ice or snowmelt; ice jams or debris obstructions in waterways; coastal damage due to storm surge; erosion of streams; and collapse of roadways, bridges, and buildings. Hydrologic events can cascade to disrupt water and sewage systems, cause food and fuel shortages, and even trigger fires or explosions.
A dam or levee failure is a major hazard that must be carefully considered and then reviewed with experts. Most dams are well maintained and protected from natural hazards but not from vandalism or terrorist attack. Nor are most reservoirs well protected from chemical attack. The consequences of such events can be far more devastating than imagined. The 2005 failure of levees in New Orleans caused by Hurricane Katrina produced catastrophic results over wide areas.

A prolonged drought can be particularly disruptive. There may be many fires and heavy smoke that require evacuation. Potable and cooling water may be in short supply. Both people and equipment must be protected from dust or smoke that cannot be done effectively within many facilities. Hydroelectric power may be rationed and rolling blackouts imposed.
Seismic hazards. Such hazards include earthquakes and tsunamis. Many areas of the United States are at moderate or even high risk of a large earthquake. There were major events in these areas hundreds of years ago, and it is believed the time is nearing for a recurrence. For example, the Ossipee Fault in central New Hampshire produced a “San Francisco-size” earthquake about 300 years ago and may occur yet again, which would cause significant damage to Boston and its suburbs. At the least it would topple equipment cabinets, break cables and wires, and probably disrupt cooling and ventilation to IS systems.
Tsunamis, which are caused by undersea earthquakes, could at some time hit U.S. shores, based on historic events. And like Hurricane Katrina, a major seismic event anywhere in North America could impact businesses throughout a wide area.

22.4.2 Other Natural Hazards

Major volcanic eruptions. Volcanic eruptions can spread atmospheric dust worldwide, which can affect weather and cause severe storms, damage cooling systems, disrupt radio and satellite transmissions, and restrict air travel.
Wildfire. Fire can close transportations routes, disrupt utilities and support systems over a wide area, require evacuations, and create heavy smoke that is dangerous to people and equipment.
Blight or infestation. Caused by disease, weather, or insects, blight or infestation can create health problems and disrupt food supplies, which can indirectly impact business.

22.4.3 Health Threats.

Of increasing concern is the possibility of health emergencies, such as a SARS or an anthrax outbreak, or West Nile virus in relatively small areas. Such outbreaks can probably be contained with antiviral medicines and vaccines. However, business disruptions will surely result. Of greater concern is the threat of another pandemic that could quickly spread through large populated areas. As yet, there are no effective means to prevent either the onset or the spread of a pandemic, other than isolation and quarantine, which includes closing businesses and schools and perhaps many municipal offices as well. As mentioned earlier as a possible worst-case scenario, personnel refusing or unable to report to work during a major health emergency might total as much as 40 percent of the workforce, and they might remain away from the workplace for as long as 14 months. Consult local health officials how to access detailed information about these threats.

22.4.4 Man-Made Threats.

Accidents cause most security problems. Accidents, sloppiness, and blunders are the consequences of bad design, poor quality control, improper installation, failure to update, and poor maintenance. Disruption often occurs during maintenance. Deliberate actions such as snooping, pranks, vandalism, and spying are all increasingly prevalent and sophisticated but are still overshadowed by accidental, unintended events.

Moving furniture or equipment (unless done by trained professionals) can damage wiring, connectors, and other equipment sufficiently to crash systems. And while it rarely happens, substantial “accidental” damage can occur during a labor dispute or when nonunion personnel are brought on site.

Construction work, alterations, repairs, and wiring changes often cause damage to information systems. Crews often drape drop cloths over workstations and equipment to keep off dust and debris. But no one thinks to shut down the equipment first, so it becomes overheated and probably fails either immediately or soon after. Crews also plug in power tools, floor waxing machines, or vacuum cleaners in whatever electrical outlets are handy. If these happen to be dedicated circuits for systems equipment, damage may well result. In like manner, workstation users often plug time stamps, electric staplers, refrigerators, fans, and immersion heaters into outlets intended only for information systems. Such mistakes can cause intermittent problems that are difficult to locate.

Wiring runs and exposed wire can also create threats. Wiring and cabling are vulnerable in many ways—and are becoming increasingly moreso. Data cables tend to be fragile and easily damaged by accident, moving furniture, cleaning and maintenance, improper connections (such as unauthorized equipment), rage, or deliberate attack. Metal wires are also vulnerable to electrical and magnetic interference from nearby light fixtures, motors, transformers, or RF emitters, as will be explained. Lightning is attracted to, and electrical power surges may be induced onto, any metal wires.

Fiber optic wiring, which is fast replacing metal connections, is especially fragile. Any unusual pressure or a sharp bend in any fiber cable can alter its transmission characteristics and may cause failure. However, fiber is not affected by any electrical or RF inference.

Cables, patch panels, cords, and connectors are often exposed to accidental damage during routine premises maintenance and cleaning. Vacuum cleaners and shampooing and waxing machines can easily damage both signal and power wiring. Carpet shampooing can soak connections and flood underfloor wiring. The casters on chairs and equipment or the moving of furniture often damages cables and connectors.

Intrusions are a major threat. There are many ways to gain access to the infrastructure of information systems. Once an intrusion is successful, repeated disruptions may follow due to accidents, mistakes, snooping, hacking, spying, vandalism, extortion, or deliberate attack. Intrusion is not usually prevented by premises access control. The infrastructure's vulnerability points are different, and early detection is necessary to prevent trouble before it happens.

Intrusions via wiring and cabling are covered in the prior section. Here the emphasis is on preventing access to hardware, distribution and termination panels, patch panels, or any of the utilities that support them. Assessing the possible threats first involves inspecting the existing infrastructure and the defenses already in place. It is also necessary to determine what physical threats and vulnerability points are not sufficiently covered by premises and logical security.

Unauthorized persons should not be allowed access to any type of equipment room, rack, or closet. Everyone granted access, including visitors, should be logged in and out. And as a second layer of protection for critical areas, a gatekeeper should be at hand to observe everyone who enters and leaves, to authenticate each person's identity, and to know why access is needed. Gatekeepers may include guards, receptionists, supervisors, or managers. Except where high security is required, the gatekeeping functions can be performed remotely using surveillance and access control systems, and monitored by motion and proximity detectors.

Workstations located outside of equipment rooms are generally protected logically—using login procedures, tokens such as smart cards, and biometric devices—depending on the sensitivity of the data the system handles. Theft of equipment, components, or removable media is possible, especially during nonbusiness hours. Substitution, rather than theft, is a much more serious threat. The only safe defense is that all data must always be fully encrypted. Should a theft occur, spare units should be immediately available from nearby secure storage. To save time, thieves often cut signal cables rather than disconnect them. It is therefore wise to keep spare cables in a nearby secure storage.

There are various theft-deterrent devices to clamp or tether equipment to nearby partitions or furniture. These devices can be cumbersome and intrusive, may hinder maintenance or repairs, and most are quickly defeated with bolt cutters or a pry bar. Intrusion alarms are more effective but only detect an attempted intrusion rather than deter theft. Intrusion alarms are usually silent and triggered whenever a case or cabinet is opened. Software can trigger alarms also when a cable is disconnected or broken, or when equipment is removed or fails. Good, sturdy equipment and cabinet locks are more effective and can dissuade theft, provided the equipment and cabinets themselves are not easily removed.

22.4.5 Wiretaps.

Wiretaps are another means of intrusion whose purpose is to copy data and sometimes also to change it surreptitiously. Most taps can be placed quickly and inconspicuously even in occupied office spaces. And most wiretaps are very hard to detect—if not impossible—except by close visual inspection of all possible entry points, which is time consuming and cumbersome, and must be repeated periodically. Very often, wiretaps are simply not noticed.

Taps are used for surveillance and spying, changing or erasing data, stealing software, theft of service, injecting worms or viruses, or planting decoys to trick responders into thinking they have found the true cause of an incident. Any physical access to the interconnect points, cable runs, servers, clients, or network equipment is a major vulnerability. An experienced person can place a tap within a couple of minutes, unobtrusively, even when under escort and closely watched.

A wiretap is basically a monitoring device. It may be a small box connected directly into a circuit to tap off and record its data. The data can then be retrieved manually or be transmitted by wire or radio signal to a remote location where the information can be permanently stored and analyzed. The monitoring device may be a splitter that can tap off some of the signals traveling through the circuit and reroute them to a remove location or to a small transmitter that is close by and well concealed. The better tapping equipment uses system power, not batteries, so its service life is unlimited. Monitoring the data obtained can occur within the building or outside, via the Internet, from a nearby vehicle, or via a telephone connection to anywhere in the world.

Wiretaps have long been illegal in America without a court order. Years ago, an illicit phone tap in New York City, for example, was patched to a leased telephone line to Mexico where the actual surveillance could take place legally. The patch connection was made by someone at a telephone company central office and was not likely to be discovered. But if it eventually was found, the network could be traced and disconnected. This procedure suggests the lengths and expense that a determined adversary will go to, and it also suggests the high value of the information that could be gleaned. This was years ago, long before today's easy access to the Internet, cheap long-distance calls, Wi-Fi, microwave, satellites, and other broadband systems.

Fiber optic circuits are difficult and expensive to tap and sometimes impossible without breaking the circuit or changing their parameters, which can be detected quickly. There is new high-tech gear available for optical taps. But even with this, good results are problematic.

The first method is to create a sharp bend in the cable and detect some of the light rays that may leak from the outside of the bend. The signal is at best very weak. Cable can be constructed to prevent this. Or cables can be run through metal conduit to make access and then creating a sharp bend very difficult, even at junction boxes. Last, a sharp bend will change the optical impedance of the cable run and will slightly degrade its performance, perhaps enough to effectively crash the circuit. The change in optical impedance can be measured, including the approximate location of the anomaly. The cable-bending method may work, but it is hard to accomplish, detectable, and readily observed by inspection. This method can monitor data, but it cannot inject data.

The only direct method to tap a fiber cable is to open a connection, quickly interpose an interface device, and then reconnect the circuit. Alarms should be triggered immediately when a circuit breaks or otherwise fails, and these may also give some idea where the problem occurred. But with a good interface device and by working quickly, the tap can be inserted and conditions restored to look normal before anyone can respond. If this method succeeds, the intercept quality will be excellent, and data can be injected into the tapped line as well.

Spying on what is carried by fiber circuits may be possible from within equipment rooms or at other points where the optical data are converted to electronic form or to radio waves. The equipment to do this and its capabilities are highly classified and generally unknown to most security experts.

Wireless transmissions do not need to be tapped, but the process still applies. All that is needed is a very sensitive radio and a high-gain antenna, often situated in an outside vehicle.

Metal wires are relatively easy to tap into undetectably. Small, inconspicuous induction coils placed next to a wire can easily pick up the signals without penetrating the insulation. Sometimes the taps are done with tiny probes that reach around the circumference of a wire. Induction taps are generally undetectable, except visually. However, induction taps are difficult when multiconductor, twisted-pair cables are used, especially those where each pair is shielded and the entire cable is metal clad, as are some aerial telephone cables to protect them from radio-frequency interference.

When induction is not practical, bridged taps easily placed within an accessible junction box, cross-connect or patch panel, test box, or termination strip. Bridged taps employ a physical connection. On long cable runs, usually one or more inline terminal strips interconnect two cables. These are good locations for taps, especially where there may be unused wire pairs within the cable itself that can be used to route the tapped data to a safer location. Bridged wiretaps can also be inserted anywhere along a wire by penetrating the insulation with a needle or cutting away a tiny piece of the cladding and insulation in order to splice in a tap wire. Bridged taps are usually very high impedance, so they do not alter the circuit; therefore, like induction taps, they are undetectable, except visually. However, skill is required to place them to avoid damaging the tapped wires. As with fiber wiretaps, there are also high-tech methods of monitoring what metal wires carry, the details of which are classified.

Today, the biggest threat from wiretaps is that they are usually done by foreign intelligence, organized crime, or terrorist groups that are very well equipped, highly trained and experienced, and have almost unlimited funding to carry out their work. It is high likely that most of their surveillance is not detected, located, or removed until long afterward—if ever.

22.4.6 High-Energy Radio-Frequency Threats.

A controversial area of research involves high-energy radio-frequency (HERF) weapons, which some experts claim pose a serious threat to disrupt, damage, or destroy electrical and electronic systems and equipment over a very wide area. There are several scenarios.

A prototype HERF weapon demonstration at security conferences some years ago showed that a bulky apparatus constructed from easily obtained components can cause personal computers to malfunction while the device continues to operate. And it can perhaps cause some system failures as well. There has been no more public information since then as to whether a smaller, portable version could emit a radio-frequency beam of sufficient power to disrupt systems dozens of meters away. Such a device is possible but may not be very practicable, except possibly from a large vehicle.

Along with this is another threat called high-intensity radio-frequency flux, which is simply interference from other electronic devices. These can be nearby transmitters, such as high-powered radio, TV, or radar systems, or transmitters in vehicles. Or there may be interference from close-by RF emitters including cell phones, computers, and devices designed for this purpose. Some of these possibilities are design issues, but when portable RF emitters are involved, the situations become infrastructure threats.

In 2004 another approach was reported that is potentially able to destroy unprotected electric and electronic system nationwide by way of an electromagnetic pulse attack (EMP). This report⁷ comes from a commission finding that a low-level nuclear explosion by a missile in the upper atmosphere could cause a massive electromagnetic pulse wave that could wreak catastrophic damage throughout most of the United States. Without extensive shielding, electrical and electronic systems could be destroyed, and power transmission systems as well. However, it appears that such an explosion must be done just right or the damage would be minimal.

The defense against all such RF threats is to shield equipment and wiring effectively. A Faraday cage can envelop and protect everything. This is usually one or more layers of copper screening that are well grounded. There also are Faraday bags to protect and store small items like cell phones or circuit boards.

However, once shielding is installed, it is wise to test that it actually works as expected. The author once toured a large, new data center of a major money-center bank. In touting the huge sums spent on extensive security protections for the new facility, someone mentioned that an impenetrable Faraday shield enveloped the entire room. The only problem was that a transistor radio on top of a cabinet was playing clearly and loudly. Had the room actually been well shielded, no broadcast signal could have penetrated.

Hazardous material incidents can include a release within a building or industrial plant, or from an aircraft, railroad, highway, or waterway accident. Many hazardous substances are routinely transported, stored, and processed throughout the United States. Many of these materials are extremely dangerous when released. They can quickly affect a wide area and may require immediate evacuation. In addition to accidental or deliberate release, these materials may be stolen to become part of an attack elsewhere. And those who attempt to steal, transport, and process the materials into a weapon may accidentally endanger others along the way.

Toxic threats include a buildup of radon within occupied space or in a water supply. Radon is released naturally by many types of rock. It is very prevalent and extremely dangerous if it can enter the body. Radon is an alpha particle that cannot be detected by most traditional measurement devices. Similarly, many toxic substances can accumulate in drinking water or building air. Any of these substances will be disruptive and cause anxiety far beyond the affected areas. Consult local health officials to identify and assess these threats.

Fire and smoke from remote events can be troublesome in several ways. Smoke from events hundreds of miles distant can cause health problems, delay supplies and deliveries, and cause food or fuel shortages. Workers may be unable to get to or from work, and may also be concerned about their families, friends, and homes. Electronic equipment is particularly susceptible to environmental damage from smoke or other airborne particles. And there may be utility problems or loss of cooling caused by a large, distant fire.

Nearby fire or smoke can be particularly troublesome. In addition to the problems just mentioned, an immediate system shutdown and personnel evacuation may be required. Power and data lines may be broken or damaged by heat or water. There may be flooding as well, and hazardous materials released that are potentially injurious to people and equipment. There will also be the need to contain the threats and to clean up the environment before full business can be resumed.

Smoke, dust, or other airborne particles can cause equipment failures, as these block cooling systems, clog filters, and build up inside equipment, constricting ventilation and convection cooling. Although these are mostly maintenance issues, they are also potential threats.

22.5 WORKPLACE VIOLENCE AND TERRORISM.

The use of force, harassment, or physical violence is an increasing reality within the workplace. Drug-and alcohol-related incidents are on the upswing, as are workplace crimes necessary to support and conceal such habits. Adding to the threats is the increasing presence of rage within or upon the workplace. Any of these incidents can cause widespread trauma and disrupt business operations for months. Actual violence or terrorism, or simply the threat or the fear of this, can be extremely costly and disruptive.

Any violence situation—whether threatened, imagined, actual, or peripheral—can seriously disrupt information systems, whether the infrastructure is actually in danger or not. Performance, productivity, and morale will all plummet and remain low for a long time following any perceived or actual threat. Full recovery can take many months—assuming that more incidents do not occur in the meantime. Therefore, a safe working environment, good security planning and implementation, and security training exercises are essential so that everyone feels safe.

The likely tools of choice for inflicting widespread injury and damage may soon be the weapons of mass destruction (WMD) rather than the old-fashioned knives, guns, bombs, or arson that inflict only limited damage. WMD devices are far more dangerous, and many are small and easily concealed in a pocket, package, or briefcase.

A small, common-looking object containing biological toxins, and powered by a flashlight battery, can theoretically kill every person within the largest of office buildings. A vial no larger than a lipstick can contain enough virulent hemolytic viruses to kill every person within a 20- to 50-mile radius, if it is dispersed efficiently. Because few chemical or biological WMD compounds have much odor or color when they are disbursed, occupants, visitors, bystanders, and responders are all likely to be innocent victims. Illness can begin within minutes, hours, or days. Laboratory analysis is needed to identify many of the substances. More time is needed to determine the scope and spread of the damage. Ordinary personal protective gear and breathing apparatus can provide little or no protection.

WMDs can be enormously destructive. A national FEMA, Department of Justice training exercise called TopOff I conducted in May 2000, simulating a biological attack on Denver, Colorado, resulted in an estimated 57,000 fatalities. Since then, similar exercises have not released fatality estimates.

WMD threats can be grouped by the mnemonic B-NICE. They include biological agents, such as anthrax, cholera, pneumonic plague, tularemia, Q fever, Ebola, small-pox, botulism, ricin, and some others. These are all living bacteria whose incubation periods (the time of onset following exposure) are measured in hours or days.

Nuclear and radiological releases can cause widespread panic but are not likely to cause mass casualties, except to persons nearby. Radiation levels can easily be monitored, and building structures will often serve as an effective shelter.

Incendiary devices are utilized mainly to cause structural fires. A device can be planted surreptitiously and then triggered remotely or by a timer. Rockets and small missiles are increasingly an incendiary threat, as are 9/11-type incidents: airplanes, vehicles, or boats used as bombs.

Explosive devices are similar. These may be stolen or smuggled ordinance or, increasingly, improvised explosive devices made from commonly available materials.

Combined attacks are possible such as explosive devices used to disburse chemical agents (but not biologicals, which are live bacteria that would be killed by an explosion) or the so-called dirty bombs, which are explosives used to disburse radioactive material.

In a worst-case scenario, all WMD events can be exceedingly dangerous and disruptive, and any of these events may someday happen within the United States. Even the rumor of a WMD event can be damaging and cause widespread hysteria, panic, and create a large army of the walking well. Whether the threat is real or imagined, WMDs are costly to combat.

Most details on WMD and extremist or terrorist threats are classified, but state and federal authorities should be able to provide some insight for an effective threat assessment. The authorities should at least be asked about perceived threats, possible target areas, and regional and local incidents and security concerns.

22.6 OTHER THREAT SITUATIONS

22.6.1 Leaks, Temperature, and Humidity.

Threats involving water and other liquids that may be hazardous should be considered also, as well as temperature and humidly conditions where equipment is located. Sprinkler systems in nearby spaces can cause equipment damage, as can liquid leaks from storage tanks, cooling towers, or pipes near equipment areas. Atmospheric conditions near equipment are threat situations as well. Air temperatures that are either too high or too low can cause equipment failure. High humidity can cause condensation within equipment and, worse, a form of galvanic action that degrades connectors that will then fail eventually. Also, low humidity is a threat because this promotes static electrical discharges that can be deadly to electronic gear and is often undetected until the equipment fails without warning. (See also Chapter 23, Section 23.8.7.)

22.6.2 Off-Hour Visitors.

Cleaning and maintenance personnel usually work off hours and are often hired by a contractor or landlord who rarely provides much, if any, background checking, supervision, or training. Very few of the personnel are aware of security precautions and most know very little about the IS systems their work can damage. Many are poorly paid, forced to rush their work, and may understand little English.

Waxing floors and shampooing carpets are usually done off hours by outside services. Moving furniture and changing workstations are often done after hours, as are repairs, alterations in occupied office space, and other major maintenance. Almost always, these people are unescorted, and many are not even logged into or out of the premises or identified in any way. Worse yet, many of these people prop open doors so they can work faster and sometimes so they can take advantage of air-conditioning in adjacent spaces.

Persons who are unknown often come into the premises without proper authorization. Some work for the landlord or the service organization. Some are delivering food. Some are messengers. And some are snooping, spying, looking to steal, or perhaps bent on violence. Even daytime workers may show up after hours. Therefore, the best security policy is to admit no one after hours until identified positively, logged in, and a need to be there is established. Everyone should be stopped at a reception or delivery desk, with no further access into the workplace until properly cleared. Anyone leaving should be logged out as well, especially if they have been out of sight of where they first entered. Screening visitors at any hour has the added security benefit that outsiders do not see where any IS infrastructure may be located or where money, wallets, or handbags are kept. A night bell or intercom outside an always-locked door should be used to prevent entry to a sensitive facility.

22.6.3 Cleaning and Maintenance Threats.

A floor-waxing machine abrades everything it touches and will very quickly destroy unprotected wiring, connectors, dangling cords, or unseen power extension cords (which, by the way, are illegal according to most electrical codes). The waxing machine operator often cannot see any of these items or may not have time to look carefully at what is plainly visible. Carpet shampooing uses a lot of liquid and can flood floor-level outlet boxes and drain into underfloor ducts and conduits. Electrical plugs, receptacles, and unauthorized extension cords for critical equipment are often unlabeled. The cleaning staff does not know they are critical and can unknowingly unplug servers to power their cleaning equipment. Therefore, the threat assessment must first determine whether premises design invites problems, even though cleaning and maintenance personnel do their work carefully.

Users often compound these threats. Many workstations may be logged off but are left running continuously. No one tells users to shut down and cover their equipment before major cleaning or maintenance.

22.6.4 Storage-Room Threats.

Rooms used to store computer supplies, paper, or forms are especially dangerous if a fire occurs. For example, stored cartons of paper, forms, or stationery expand when they burn, then burst into a conflagration that spreads quickly and burns at a very high temperature. Such a fire occurred in a high-rise office building in Manhattan. Even though the fire department quickly contained the fire, some steel building columns were so weakened by the heat that the building nearly collapsed. The cause of this fire was determined to be a cigarette butt that fell between stacked cartons of paper. This was assumed to have been accidental but could well have been arson.

Any storage room containing sensitive or inflammable materials must have smoke detectors, sprinklers, or other approved fire suppression systems designed to protect both the room and its contents. There must also be fire extinguishers nearby. Storage rooms should be kept locked, and access should be limited to trusted persons, if only to protect the value of the contents. There should be access control systems with admittance limited to authorized persons only, with open-door alarms provided as well. Delivery persons should always be continuously escorted. Loitering, smoking, drinking, drugs, snoozing, or any social activities must be kept out of and away from all storage areas.

22.6.5 Medical Emergencies.

Most medical emergencies will cause business disruptions. People stop work to see what is happening, and if they know the victim may remain demoralized and unproductive for weeks afterward. Many will fixate on the circumstances and increasingly involve others to compound the problems. Even minor medical emergencies can cause large and long disruptions. In many medical emergencies, the first five minutes can decide life or death, and professional medical assistance is very likely unavailable that quickly. Any death that occurs in the workplace will result in long-term, widespread, and lasting trauma and disruption. (See also Chapter 23, Section 23.9.4.)

There must be first aid supplies, oxygen, and automatic electric defibrillators (AED) handy in every workplace. And there must be people nearby who are trained and currently certified in cardiovascular resuscitation and first aid. The costs of a disruption alone are far greater than those for providing ample medical supplies, equipment, and training. In addition, a first aid room and a trained nurse are wise precautions and probably a cost savings as well.

Prompt medical attention is essential for senior executives, visitors, and all workers and visitors. Medical threats will happen and will be very costly if medical assistance is not immediately available.

22.6.6 Illicit Workstation.

A convenient method to set up a logical intrusion or attack is to unplug a desktop terminal or workstation that has limited functionality and substitute a full-featured machine well programmed with spyware and analytic utilities. Anyone with a full-featured notebook computer and physical access to the network may be able to connect easily.

Illicit users may then be able to log onto the network, possibly entering the user's own trusted password. They could then search for restricted information and use the full-featured machine to copy network data. Then the illicit user simply connects to a nearby telephone receptacle to export network data via a dial-up connection. (An Internet connection would likely be blocked by the firewall.) The illicit user may use hacking programs to gain supervisory status and spyware to access more sensitive information, crack passwords, steal software, or infect the network with malicious software. The illicit user may install a backdoor entrance into the network that an accomplice can use to spy, monitor network traffic, and modify or destroy data. An experienced user may then erase all evidence of any intrusion.

The intrusion might be done by an in-house employee, contractor, service technician, vendor, or consultant who could breach the network while ostensibly checking a user's machine or LAN connection. It could also be done within a hot zone using a Wi-Fi connection where there may be few, if any, firewall or security protections. Maintenance personnel working off hours also could substitute a terminal inconspicuously. However it is done, intrusion is a serious physical threat.

Security awareness is the best prevention. No one should be swapping equipment or connections unless a manager, supervisor, or nearby workers know the person's identity and what he or she is doing. If there is any possible doubt, the activity should be reported. The second best prevention is good network security, with alarms when any desktop systems is opened, disconnected, or shut down.

22.6.7 Other Local Threats.

There are many threat situations specific to a group, organization, or community. Usually many of these situations are identified and assessed as planning progresses. For example, for a community, important local threats might include vandalism or actual damage to school buildings, schoolyards, or school buses, a building or bridge collapse, interrupted power or energy transmissions systems, damaged fuel storage facilities, or a communications failure. Many possible specific situations will likely be discussed during the planning process, while review and advice by outside experts and government officials probably will lead to more important situations. Some considerations for local threat situations include:

Utility disruptions. Disruptions happen more frequently than reported. Power outages can last a few minutes, hours, or days, caused by storm damage, equipment failure, tree branches hitting power lines, highway accidents that topple utility poles, digging accidents that break transmissions lines, and vandalism or worse, such as toppling transmission line towers. There are increasing reports of transmission towers and utility poles deliberately toppled, power outages caused by insulators smashed or wires cut by bullets, and outages that occurred when wires and bus bars were stolen for the value of the metal in them. There can be static or RF interference or spikes on a utility line at any time due to atmospheric conditions, lightning, or the utility switching their feeders.
Communications outages can be even more problematic, and few of these situations are widely known. Communications providers are for-profit enterprises and cannot provide much fail-safe protection, backup, or redundancy when severe weather, vandalism, deliberate attacks, or equipment failure interrupts their services. Although there not many alternate suppliers to choose from, the only security protections are redundancy and alternate suppliers.
Civil, political, and economic disruptions. Such disruptions may be indicated by an elevated Homeland Security Threat Level or by state or regional alerts. Other possible disruptive events include a demonstration, march, disorderly group, or an unruly crowd. Other economic emergencies include a plant closing, a strike or a lockout, a transportation failure, or a shutdown. There are also the threats of violence of any kind; a hostage incident or kidnapping; sabotage of any infrastructure (e.g., power lines); contamination of food, water, air, or soil; a food or fuel shortage, a spike in energy costs or a shortage; and the repercussions of a major evacuation somewhere in the region.
Coordinated attacks. These attacks are also possible, perhaps even by terrorists. Here, many points of the infrastructure are attacked at once, and many forms of attack may be used. There may be diversions in order to plant surveillance devices, place stronger weapons, or simply to distract response teams and stretch their resources more thinly. And whether spying is intended or not, the goal of a coordinated attack is to inflict maximum damage and disruption.
High solar activity. Solar activity can also cause large problems. Sunspots affect electrical distribution systems as well as electronic systems, and they can severely disrupt satellite, microwave, and emergency communications, and radio, TV, and radar transmissions.

22.7 CONFIDENTIAL THREAT INFORMATION.

Many other threat scenarios should not be described publicly because they are easily done by anyone with a grievance, and they tend to incite copycats. Other threats that will not be described utilize simple tools or devices that are readily obtained, are inconspicuous while in use, and can be safely hidden after a crime. Avoiding such threats is difficult, and apprehension is unlikely. Nonetheless, mitigation is possible, and sometimes even deterrence, once these threats are known and understood.

Most vendors, installers, and consultants have long lists of such unmentionable threats and ways they know of to disrupt, snoop into, or destroy specific types of information systems. No threat assessment can be complete without asking all these information sources for whatever attack methods they can suggest as well as for methods of preventing or mitigating each threat.

Many useful sources of information and guidance are not generally public—many sources, indeed, that Internet search engines have not discovered. Some of this material is simply not publicly available, and other sources may be derived from classified documents. But briefings or redacted information may be made available to those who need it. More information may be available from local, state, and federal authorities, regulatory bodies, peer groups, business or vendor associations, professional groups, and security experts and consultants. Each of these sources may be willing to share information not available to the general public.

The Department of Homeland Security announced in July 2006 the establishment of 38 regional fusion centers to facilitate the “two-way flow of timely, accurate, actionable information on all types of hazards.” Here, federal, state, and local intelligence analysts can share and evaluate information of common concern.⁸

The FBI is the ultimate source of threat information. But this information is mostly classified, and without the proper security clearance and a need to know, the FBI will not divulge much. A nationwide group of people involved in IS security is sponsored by the FBI and does provide some useful (sensitive but unclassified) information, once each member is vetted and approved. This group is called InfraGard, and there are chapters in most states. Visit www.infragard.net for a list of local chapters, and contact them about membership.

22.8 SUMMARY.

A vast array of possible physical threat situations can disrupt the infrastructure of information systems and thereby also disrupt business productivity and performance. The list of specific threats may identify several hundred situations, and each one should be included and considered during a threat assessment process that is well done and thorough.

Some of the threat situations are obvious and well known, while many others are much less so. Many are newly emerging, suggested by recent events worldwide and by reexamination of historic data. There also are issues of apathy, denial, and ignorance, where some persons feel that such things will never affect them or that nothing can be done to prevent a disaster. Both assertions are patently false and potentially very costly if pursued. Most threat situations can and will happen somewhere, someday. But whether they do or not is a matter of statistics and not conjecture.

Every possible threat situation can be mitigated to some extent by careful security planning and concerned management to minimize injury and damage. In fact, good physical security can be affordable, effective, and efficient. The first step is a thorough threat assessment to identify and consider all possible threat situations. The next step is to determine the likelihood that each threat may occur, the potential impact if it does, and the vulnerability of the organization within the context of its current security protections. Each step can be calculated statistically to determine the best possible options.

This chapter begins a threat assessment process that takes all these factors into account. Chapter 23 then suggests some ways to protect the information infrastructure and completes the threat assessment process with a cost-benefit approximation to determine the vulnerability of each threat.

These chapters are based on a uniform and comprehensive methodology recommended by the federal government and now required for all federal, state, and local agencies and departments. Compliance is strongly recommended for the private sector, if only as an effective means of risk management.

The value of this approach is that good security is a wise investment. Anything less than good security is a waste of time and money.

22.9 FURTHER READING

Emergency Response Guidebook (2004). A useful quick reference to the characteristic of hazardous materials, including some WMDs, with a table of isolation and initial-response guides. Free copies may be available from state or local officials or downloaded from http://hazmat.dot/gov/gydebook.htm.

IT-Grundschutz Baseline Protection Manual 2004, published by the (German) Federal Office for Information Security (BSI), available to download in English from www.bsi.de/english/gshb/index.htm. This is a comprehensive reference document in three volumes: Introduction and Modules, Catalogues of Threats, and Catalogues of Safeguards.

Jane's Chem-Bio Handbook is a good quick reference to chemical and biological weapons. Visit www.janes.com for details and see their Emergency Response to Terrorism Job Aid and other handbooks they publish.

Multi-Hazard Identification & Risk Assessment, FEMA Publication 9-0350 released in 1997. This in an excellent reference manual, 355 pages. All types of natural hazards are described in detail, and maps show the likelihood of each threat throughout the country. Printed copies may still be available from FEMA Publications or downloaded from the U.S. Printing Office (www.gpoaccess.gov) or downloaded from www.floodmaps.fema.gov/fhm/ft_mhira.shtm.

State and Local Mitigation Planning, How-to Guide: There are nine manuals, FEMA Publications 386-1 through 386-9. Each is available as a printed book or CD-ROM from FEMA Publications (P.O. Box 2102, Jessup, MD 20794-2012 Tel: 1-800-480-2520) or access and download copies from the U.S. Government Printing Office at www.gpoaccess.gov. Search for “FEMA 386-1” and so on. These guides were published in 2002 and 2003 and provide clear step-by-step instructions how to do a threat assessment. Unfortunately, numbers 5, 6, 8 and 9 were never released.

22.10 NOTES

1. National Governors Association report 07/19/2006, www.nga.org/Files/pdf/0607PANDEMICPRIMER.pdf.

2. See, for example, Duncan Chappell and Vittorio di Martino, Violence at Work, 3rd ed. (Geneva: International Labour Organization, 2006). Review available from http://www.workplaceviolence911.com/docs/20060624.htm.

3. The International Labour Organization of the United Nations provides a good view of the rise of workplace violence worldwide. For example, look at the paper at www.ilo.org/public/english/protection/safework/violence/violwk/violwk.htm.

4. www.cesnur.org/testi/FBL004.htm. Every U.S. police department received a copy of the Project Megiddo report and may provide access.

5. As a result of the FEMA shortcomings following Hurricane Katrina, there are currently many bills before Congress to separate FEMA from DHS or to change its name. Possibly, the Collins-Lieberman Bill will prevail, which will make FEMA independent and elevate it to cabinet status, much as FEMA was during the Clinton administration. The current DHS/FEMA methodology, however, probably will not change.

6. EMAP, P.O. Box 11910, Lexington, KY 40578, Tel: 859-244-8222; www.emaponline.org.

7. “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack.” Available at www.globalsecurity.org/wmd/library/congress/2004_r/04-07-22emp.pdf.

8. The DHS news release is at www.dhs.gov/dhspublic/display?theme=43&content=5760&print=true.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for CHAPTER 22: PHYSICAL THREATS TO THE INFORMATION INFRASTRUCTURE

Create new playlist

Sign In

Sign Up

CHAPTER 22

PHYSICAL THREATS TO THE INFORMATION INFRASTRUCTURE

22.1 INTRODUCTION.