CHAPTER 23

PROTECTING THE INFORMATION INFRASTRUCTURE

Franklin Platt

23.1 INTRODUCTION

23.2 SECURITY PLANNING AND MANAGEMENT

23.2.1 National Incident Management System Compliance

23.2.2 National Response Plan

23.2.3 National Infrastructure Protection Plan

23.2.4 Other Presidential Directives

23.2.5 Security-Related Laws and Regulations

23.2.6 Some Other Regulatory Requirements

23.2.7 Security Auditing Standards

23.3 STRATEGIC PLANNING PROCESS

23.3.1 Attractive Targets

23.3.2 Defensive Strategies

23.3.3 Who Is Responsible?

23.3.4 One Process, One Language

23.3.5 Federal Guidelines

23.4 ELEMENTS OF GOOD PROTECTION

23.4.1 Segmented Secrets

23.4.2 Confidential Design Details

23.4.3 Difficulties in Protecting the Infrastructure

23.4.4 Appearance of Good Security

23.4.5 Proper Labeling

23.4.6 Reliability and Redundancy

23.4.7 Proper Installation and Maintenance

23.5 OTHER CONSIDERATIONS

23.5.1 Threats from Smoke and Fire

23.5.2 Equipment Cabinets

23.5.3 Good Housekeeping Practices

23.5.4 Overt, Covert, and Deceptive Protections

23.6 ACCESS CONTROL

23.6.1 Locks and Hardware

23.6.2 Card Entry Systems

23.6.3 Proximity and Touch Cards

23.6.4 Authentication

23.6.5 Integrated Card Access Systems

23.6.6 Portal Machines

23.6.7 Bypass Key

23.6.8 Intrusion Alarms

23.6.9 Other Important Alarms

23.7 SURVEILLANCE SYSTEMS

23.7.1 Surveillance Cameras

23.7.2 Camera Locations and Mounts

23.7.3 Recording Systems

23.7.4 Camera Control Systems

23.7.5 Broadband Connections

23.8 OTHER DESIGN CONSIDERATIONS

23.8.1 Choosing Safe Sites

23.8.2 Physical Access

23.8.3 Protective Construction

23.8.4 Using Existing Premises Alarms

23.8.5 Clean Electrical Power

23.8.6 Emergency Power

23.8.7 Environmental Control

23.8.8 Smoke and Fire Protection

23.9 MITIGATING SPECIFIC THREATS

23.9.1 Preventing Wiretaps and Bugs

23.9.2 Remote Spying Devices

23.9.3 Bombs, Threats, Violence, and Attacks

23.9.4 Medical Emergencies

23.10 INFORMATION NOT PUBLICLY AVAILABLE

23.11 COMPLETING THE SECURITY PLANNING PROCESS

23.11.1 All-Hazard Mitigation Plan

23.11.2 Cost-Benefit Analysis

23.11.3 Security Response Plan

23.11.4 Implementation, Accountability, and Follow-Up

23.12 SUMMARY AND CONCLUSIONS

23.12.1 Federal Guidelines and Instructions Are Still Deficient

23.12.2 Good Risk Management Is the Answer

23.13 FURTHER READING

23.14 NOTES

23.1 INTRODUCTION.

There are three steps necessary to protect the information infrastructure properly. The first step is to establish uniform and comprehensive policies and procedures for security planning, implementation, and management. The second step is to review the facilities design factors and security defenses needed to protect the information infrastructure as well as the people who use it. The third step is a cost-benefit analysis to determine which of the security defenses derived from steps 1 and 2 will be the most cost effective. Chapter 22 describes how to identify and assess all possible threat situations; this chapter covers the remaining steps necessary to implement good security protection.

A uniform and comprehensive process for good security planning and management is no longer optional or accidental. Today, anything less than good security is likely to cost any organization dearly. And even more important today is that good security now requires compliance with many new federal laws, regulations, and directives, if only to ensure good risk management and to circumvent unnecessary and potentially costly allegations of negligence. Once insurance was enough to cover most threat situations. But today, disaster, workplace violence, and terrorism insurance coverage may not be available or affordable without an independent, outside security audit to ascertain a good security program is in place. The security audit will examine all facets of the planning, preparation, policies, training and exercises, management and oversight, and response and recovery plans and procedures. These are all the necessary components of step 1 for protecting the information infrastructure.

Some of the many new federal security requirements apply primarily to government agencies, others are industry specific, and a few others apply only to public companies. Many are confusing and some provisions overlap. In time, more groups may have to comply. But for now, every organization should comply, if only to achieve better risk management and less dependence on insurance.

There is one nearly iron-clad legal defense against negligence allegations, and this is to demonstrate that the organization is following the commonly accepted federal security planning and management procedures. Usually this alone is sufficient that negligence suits are not filed and that any remaining allegations are minor and easily covered by insurance. Conformity to the commonly accepted federal procedures can quickly be ascertained by a recent security audit.

Good protection starts in the boardroom and must involve management and everyone else with access to the information systems. All of the organization's stakeholders should be represented in the planning and preparedness process. The constituents include all information system (IS) users, key customers, suppliers and vendors, lenders and insurers, stockholders, the community, and government officials. Everyone involved must understand and support good security.

Good security results from good strategic planning and management. Simply choosing security products, vendors, or standard solutions is not enough and can easily be ineffective, risky, and wasteful. Protection by comparison shopping among vendors, services, and consultants is neither planning nor strategic. Security is an investment in the future of the enterprise that can be analyzed and implemented like any other investment for the best possible economic return, effectiveness, and efficiency.

23.2 SECURITY PLANNING AND MANAGEMENT.

There are many new laws, regulations, and federal directives that should now be incorporated into the security planning and management of any organization. Even when compliance is not yet mandated, it is highly recommended simply to avoid unnecessary and potentially huge costs of defending against allegations of negligence, and establishing in court that the security procedures in place are sufficient (see Section 22.2.7).

Some of the new requirements that may affect almost any organization are explained in the sections that follow.

23.2.1 National Incident Management System Compliance.

The National Incident Management System (NIMS) was issued by the Department of Homeland Security (DHS) in March 2004 in accordance with Homeland Security Presidential Directive 5. This was signed by President Bush in February 2003 following the events of 9/11. Implementation activities began in fiscal year 2005, and, for the most part, full implementation was required by the end of fiscal year 2006, which ended on September 30. All departments and agencies of the federal, state, and local governments must implement NIMS. And many are currently far behind.

NIMS is defined as an emergency response template to be used during any threat situation, large or small. It is intended to cover all possible threat situations and utilize all possible response and recovery resources efficiently and effectively. NIMS supplements and unifies the incident command systems long in use by most response agencies. Even though NIMS is basically a response plan, there are security planning and management implications here also.

Currently, every government agency must first declare itself NIMS compliant, implement both NIMS and the National Response Plan (NRP) (see Section 23.2.2) in all its emergency plans and procedures, then train and certify all officials and staff involved in emergency operations or response. Then, during fiscal year 2007, they were required to inventory and categorize response resources and supplies (using a Resource Typing list that is still unclear). Because the DHS and the Federal Emergency Management Agency (FEMA) in particular have been chronically underfunded since 9/11, many of the guidance and instructions required for compliance have been slow in coming. This greatly complicates and delays compliance and also impedes the private sector.

The best source of NIMS guidance and instruction is its home page at www.fema.gov/emergency/nims/index.shtm. This page is kept current, and links to printed materials and downloads explain what activities need to be taken, how, and when. NIMS is still a work in progress, which is why its Web site is the best current information source. There are also many books, white papers, and articles on the new federal requirements, some of which are oversimplified, incomplete, or out of date.

The federal government is beginning to reach out to the private sector to ask them to comply. However, progress is slow at best. An independent study by the Council on Foreign Relations issued in May 2006 reports that the “DHS, state and local governments are failing to mobilize the private sector” and that “security plans and procedures required for the public sector and recommended for the private sector are not being implemented.” The report is entitled Neglected Defense: Mobilizing the Private Sector to Support Homeland Security.1 There have been many similar and authoritative reports for decades, reports that events have since proven all too true.

However, in July 2006, DHS also hosted a conference attended by many major corporations that are now endorsing NIMS and the NRP, and urging all private organizations to comply. The goal is to achieve uniform and comprehensive emergency response capabilities nationwide. However, it still appears that most of the failings in the Council on Foreign Relations report still apply.

23.2.2 National Response Plan.

Another new requirement is the National Response Plan (NRP). This replaces the Federal Response Plan and also augments many federal industry-specific plans. The NRP was issued by the Department of Homeland Security in November 2004, also in accordance with Homeland Security Presidential Directive 5 that created NIMS.

As a matter of interest, the previous Federal Response Plan was issued in April 1992 following criticism of FEMA in the aftermath of Hurricane Hugo and the Loma Prieta Earthquake in 1989. A uniform response plan was needed, even though the federal General Accounting Office determined in 1991 that FEMA had fulfilled its statutory obligations. The new plan assigned roles and responsibilities to 27 federal agencies and the American Red Cross in the event of a major disaster. Hurricane Andrew then struck south Florida in August 1992 and FEMA was once again criticized by the press. President George H. W. Bush bypassed FEMA and sent the secretary of transportation, Andrew Card (who was later White House Chief of Staff for the second President Bush), to Florida to head up a recovery task force. Both FEMA and the disaster response planning were greatly improved by James Lee Witt, the head of FEMA under President Clinton. It is therefore arguable that only a few tweaks were needed following 9/11 and not the time, money, and confusion to reinvent a new NRP.

The NRP was revised by a Notice of Change issued in May 2006. There were many changes—51 pages of them. As of this writing, neither the printed manual nor the online version has been updated, and they may not be for some time as more changes are expected. Therefore, each change must be manually cross-referenced.

As the 27-page Quick Reference Guide2 also issued in May 2006 explains, the

National Response Plan establishes a single, comprehensive approach to domestic incident management to prevent, prepare for, respond to, and recover from terrorist attacks, major disasters, and other emergencies…. The NRP is always in effect and becomes activated during any Incident of National Importance,

which is where the need for response by one or more federal agencies arises. While NIMS applies to any incident, the NRP is activated only for those deemed to be of national importance.

Despite its title, the NRP is simply an emergency operations plan, which all state and local governments have long been required to have. But the NRP now unifies the content and format for all such plans. Compliance also requires certification of senior officials.

The potential value of the NRP was well illustrated by its absence during Hurricane Katrina in 2005 when federal officials did not think to activate the plan until days after the event. Similarly, New Orleans was said to have a very good response plan in place since 2002 that, among other things, determined that 90 hours would be needed to evacuate the city. The plan itself was largely ignored, and evacuation was not begun until 24 hours before the storm hit. The city, homes, and businesses were devastated; few had preparedness plans, and fewer still remembered to use them.

The lessons learned from Hurricane Pam the year before were also forgotten. This was an exercise conducted in 2004 that simulated a major hurricane hitting New Orleans. The flooding predicted was slightly worse than in Katrina; an estimated 60,000 people would have been killed if Hurricane Pam had actually occurred. The exercise would have used the new NRP, and the lessons learned would have been reviewed and implemented, but the funding that FEMA needed to do this was spent elsewhere within the DHS.

Yet another complication occurred in 2007 when the government revoked the NRP and issued a new National Response Framework (NRF). The new 90-page framework was issued as of January 2008. For current information, visit www.fema.gov/nrf.

23.2.3 National Infrastructure Protection Plan.

The National Infrastructure Protection Plan (NIPP) was released by the Department of Homeland Security in June 2006 with detailed implementation instructions due within six months. This plan results from Homeland Security Presidential Directive 7, signed in December 2003. (This superseded a similar document issued 10 months earlier that was unintelligible.) The NIPP states that “Protecting critical infrastructure and key resources of the United States is essential to the Nation's security, public health and safety, economic vitality, and way of life.” There is more information at www.dhs.gov/nipp.

This plan is somewhat of a laundry list of good things to do and which agency should do them, but it also confuses and sometimes contradicts both NIMS and NRP responsibilities. Nonetheless, this first installment is an interesting reference for any organization. And it looks now that the DHS intends to enforce compliance.

23.2.4 Other Presidential Directives.

President Bush has issued 14 homeland security presidential directives since 9/11, plus many others that are still unknown or classified. Some of the directives are industry specific or only apply to some federal agencies. Many of the new directives are intended to displace previous ones that are already implemented, understood, and perhaps only in need of tweaking to bring them up to today's needs. For example, President Clinton's PDD/NSC-63, Critical Infrastructure Protection, is clear, well written, and contemporary. The problem is that the new directives do not amend the old ones or the existing laws. Collectively, all the new directives impose responsibilities that are vague and often contradictory. It may take many years to achieve a unified, cohesive process.

While government agencies can wrestle with which directives to follow and how, the private sector needs to know whether they must comply and how to do it, if only as a means of risk management. This chapter suggests a uniform, comprehensive approach that is achievable now.

23.2.5 Security-Related Laws and Regulations.

In addition to the presidential directives, there are also security-related laws in effect. The Robert T. Stafford Disaster Relief and Emergency Assistance Act of 1988 (Public Law 100-707) has evolved since the Civil Defense days of World War II. The act was last amended in 2002 to update the Disaster Mitigation Act of 2000 (Public Law 106-390), which was itself enacted to amend the Stafford Act.

Together, these acts require every state and community to have a current and FEMA-approved All-Hazard Mitigation Plan and a current and approved Emergency Operations Plan in place. The latter plan must now comply with the NRP already described. Together, these two plans serve the same purposes, respectively, as the threat assessment covered in Chapter 22 and the response plan suggested in Section 23.11.3.

The reason that private organizations should understand and comply with these two laws is to avoid liability issues. There are numerous state laws as well, where compliance may be necessary. But at least following the federal procedures should be a sufficient protection from litigation.

23.2.6 Some Other Regulatory Requirements.

The next industry-specific regulatory requirements can affect the security planning and management as well.

  • The Sarbanes-Oxley Act of 2002 (SOX) requires a public corporation to report all of its internal financial controls, which may include those relating to security management. The act also requires that any future event that can materially affect future earnings must be reported. Most of the threats identified in Chapter 22 can do this, so that the possible mitigated costs of each threat as determined at the end of this chapter may need to be included in the SOX reporting.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to all organizations that receive personally identifiable individual health information, which must be kept private. Many types of organizations receive and supply such information and are therefore indirectly impacted by HIPAA. Unauthorized disclosure and lost or degraded data are all potential security threats that the information infrastructure must prevent. The fines, damage, and liability of a breach can be significant.
  • The Gramm-Leach-Bliley Act of 1999 imposes similar security responsibilities on financial institutions, lenders, advisors, accountants, and businesses that process or receive financial information.

23.2.7 Security Auditing Standards.

The only effective way to ascertain that an organization's security planning, implementation, and management comply with the generally accepted federal security standards is to have a current security-audit report. All that is needed is a brief summary and the auditor's opinion statement that the organization is compliant.

There is now a uniform standard for disaster/emergency preparedness that applies to any organization, public or private. This standard can be utilized as an internal self-auditing process and soon may be available to the private sector using independent outside auditors.

The Emergency Management Accreditation Program (EMAP) standard (described in Section 22.2.9) was updated in September 2007, with a document provided to cross-reference the new standard to the current NIMS and NRP requirements. This new standard is endorsed by DHS and by FEMA, includes all of the essential functions that make up a comprehensive emergency management program, and should now have been accepted by ANSI as an approved standard. For information, see note 7 of Chapter 22.

Any organization can conform its emergency management program (or whatever terminology it chooses) to the new standard via an internal self-assessment. However, EMAP may also provide an on-site security audit that is independent, rigorous, and thorough. (Disclosure: The author is an EMAP assessor and has participated in the audit of a large, populous state. Note, however, that all of the EMAP assessors serve as unpaid volunteers and have no commercial interest in any EMAP activities.)

Another common corporate-security audit procedure utilizes ISO/IEC 17799, the information security management code of practice (renumbered ISO/IEC 27002 in 2007). This was last published by the International Organization for Standardization in June 2005 and can be administered by many independent auditors, accountants, and consultants. This process is lengthy but does not cover much about physical security and does not relate to the federal requirements just listed. Therefore, another audit specifically for protecting the information infrastructure is recommended. For information on ISO 17799, go to www.standardsdirect.org/iso17799.htm.

A good self-audit can be done using the Capability Assessment for Readiness (CAR) Report program jointly developed in 2000 by the National Emergency Management Association and FEMA. This was later revised in 2002 and then discontinued following 9/11, although many communities and regions still use the program. The state CAR Report process is downloadable software. The program presents a long succession of on-screen questions regarding compliance. Each is answerable with a value from 1 to 5. The program can then print a summary of about 35 pages. When states were required to use it, the program submitted a full report to FEMA. The CAR seems to be no longer available from the federal government. However, a search on the full title provides many possible links. Most appear to be only the reports, not the program itself. Anyone interested should ask the state officials for a copy first. The author also can provide a copy.

23.3 STRATEGIC PLANNING PROCESS.

The planning process must think ahead strategically to determine the best possible security options to add maximum value and contribute to profits, enhance productivity and performance, and avoid intrusiveness. The process of identifying all possible threat situations and a statistical method to predict the likelihood of injury or damage and the current vulnerability of the enterprise to each individual threat is described in Chapter 22. This chapter builds on the planning process, suggests ways to better protect the infrastructure and thereby reduce its vulnerability, and describes how to implement the security planning and management process.

The planning process should be uniform and comprehensive so that any organization, public or private, understands what others are doing and how organizations can assist one another during an emergency. For the enterprise doing the planning, its response and recovery activities must utilize all possible resources. Its plans should coordinate with any number of outside resources that can assist. Good planning must coordinate everything effectively and efficiently. Otherwise, there will likely be response delays and mistakes, resources may be overwhelmed, and needless injuries, damage, and infrastructure disruptions may occur. The consequences of poor planning will be costly and can be fatal.

Good security planning is an investment in the future of the organization. Good security can be expensive, but the potential benefits of mitigation are predictably far greater. The value added by good planning is approximate, but statistically valid to show how to invest in security as wisely as possible.

Some facets of good physical protection to consider in the planning process are outlined next. These suggest some critical elements and how to protect them, and some possible weak points in the information infrastructure. Section 23.11 completes the planning and mitigation process.

23.3.1 Attractive Targets.

Many types of physical threats are increasingly likely to target information systems. The infrastructure is attractive because it is widely dispersed and often easily accessible, and perpetrators are less likely to be caught. Often a physical attack is easier to carry out, and much more costly to the victim, than a logical attack. Spying, vandalism, and sabotage are becoming increasingly prevalent in the workplace, as is the threat of injury or violence—whether real or imagined—that can disrupt business productivity for extended periods. Systems old and new are becoming increasingly vulnerable to accidents, misuse, snooping, and equipment failures resulting from external events. Utilities and support systems can become undependable, while many types of threats, accidents, or attacks can occur elsewhere and disrupt the infrastructure. All these scenarios require effective defenses.

Much of this chapter deals with what amounts to physical hacking. As with its electronic counterpart, physical attacks cannot be predicted as to when, where, or how they will occur. Electronic hacking from within the organization, over its networks, or from anywhere in the world via the Internet is still the best way to break into most information systems. However, physical intrusion can be harder to detect and locate, and often is more damaging and costly.

All information systems must remain fully operational. To ensure full performance, the best defensive strategies must be in place to detect and identify all threat situations very quickly and also to minimize disruption.

23.3.2 Defensive Strategies.

There are many effective defensive strategies to consider. The planning process must evaluate each approach and how best to combine them strategically to maximize effectiveness and minimize costs. These defensive strategies are common:

  • Prevention so that specific threats do not affect the enterprise.
  • Deterrence so that specific threats are not likely to occur.
  • Mitigation to reduce each threat to tolerable consequences.
  • Redundancies so there are no critical links in the infrastructure that cannot be bypassed. There are many methods of redundancy, such as multiple data paths; bidirectional data loops; parallel or distributed processing; alternative support systems and utilities; and many more.
  • Early warning to detect impending trouble and delay onset, so that fast response can prevent or minimize any disruption.
  • Layers of security, which are like the concentric layers of an onion, so that several layers of security must be penetrated before a target can be reached. This adds reliability, because a failure or breach of one layer does not compromise the other concentric layers.
  • Insurance that can reimburse some of the recovery costs but usually few of the response costs. Insurance coverage often excludes many threats and can be costly. Insurance may not cover (or even be available for) gross negligence, some acts of God, flooding, terrorism, or acts of war.
  • Capital markets, which are less costly than insurance and better able to lay off larger and broader risks.
  • Self-insurance to establish retentions (which are funds accumulated for the purpose) in the hope nothing serious ever happens.
  • Contract security services that are performed in-house, which basically transfer risks but do not necessarily mitigate threats.
  • Outsourcing, which is another option that introduces still other and often unrealized threats and vulnerabilities.

23.3.3 Who Is Responsible?

Effective security requires both governance from the boardroom and oversight by senior management. Top management must also actively sponsor it and insist that everyone involved understands, supports, and respects the security plans and procedures. Accountability and oversight are essential, as is insistence on periodic security exercises, review, and updating.

Often the role of protecting the infrastructure is sloughed off to someone with little authority, experience, training, or knowledge of the threats. Many times this person is burdened with many other unrelated responsibilities. Given today's potential for catastrophic losses, the IS security manager must be well trained, highly experienced, and well motivated to create and maintain strong system security. There must also be a clear chain of command laid out in the plan: Who is in charge? And who in the organization has what responsibilities?

If possible, the infrastructure security manager should not also be in charge of IS or corporate or premises security. While managers of these areas face similar threats and their groups must work closely together, their priorities and levels of response to any incident are much different. It is best therefore that two or more specialized security groups report to one senior executive officer with clear lines of authority. Even if the role cannot be full time, an infrastructure security manager is a wise investment.

23.3.4 One Process, One Language.

There are now all too many proprietary programs, best practices, solutions, and systems to measure and manage security risks. These are applied with varying accuracy, and they use procedures, terminology, and often a myriad of acronyms that very few understand, let alone accept or are likely to utilize during an emergency. The names of these procedures vary widely also. Some of the terms used include crisis-, disaster-, or emergency-management or response, disaster recovery, damage control, and contingency planning, yet the intent is basically the same. Instead of promoting good risk management, the many approaches and languages only serve to confuse and hinder people who otherwise might be of considerable assistance in an emergency.

While many of the diverse risk management procedures may indeed provide good security protection, most do not accommodate the many new laws, regulations, and directives that now affect public safety. Therefore, when trouble comes and anyone claims damage or injury, the time and money needed to defend such allegations can be enormous. So can the prolonged disruptions, reputational damage, and loss of business that may result. Like it or not, the organization is usually presumed guilty until it can prove otherwise, and this is usually a costly process.

As mentioned previously, the security planning and management process must be uniform and comprehensive, and applied effectively and efficiently. There should also be a current audit done by an outside, independent group to ascertain both security preparedness and compliance with the pertinent laws, codes, and regulations. The least costly and most effective approach is to follow federal guidelines.

23.3.5 Federal Guidelines.

The Department of Homeland Security and Federal Emergency Management Agency procedures provide a uniform and comprehensive methodology and generally accepted standard practices that are also the most likely to deter liability. This process is recommended for any organization, public or private.

Regardless of other risk management precautions taken, few organizations can afford to defer compliance with the federal guidelines. An accredited auditor's report as evidence of compliance is likely to be accepted in court without further proof, whereas most other practices will be expensive to defend whenever negligence is claimed—which is likely to be increasingly often. Nonstandard security practices also invite allegations of gross negligence against officials personally as well as their enterprise, which insurance may not defend or cover and that can result in huge awards. It is well to consider the many benefits from adopting the DHS guidelines as standard procedures, not the least of which is that FEMA has far more experience than any other organization in the world and has no commercial bias.

The FEMA plans and procedures are the products of long years of experience and countless major disasters. They define today's best practices for emergency planning, preparedness, response, and recovery. The FEMA model has been developed by representatives from all government agencies, businesses and organizations, national standards groups, the insurance industry, medical service providers, and the many volunteer agencies, all with many years of disaster experience.

FEMA makes the distinction between an emergency, which is a situation that an organization can handle with its own resources, and a disaster, which is when internal resources are likely to be overwhelmed and outside help is needed. The distinction is not always clear-cut. “Crisis” is not a defined term. FEMA also recommends planning and preparation for worst-case situations, which often turn out to be what happens. Many threats can become disasters to a business, even when outside resources respond quickly. For example, the consequences of an equipment room fire can be disastrous when the local fire department responds with axes and water hoses, cuts off all electrical power to the building, and smashes out windows to vent smoke. Even a major incident that occurs away from the immediate premises can necessitate an evacuation, cutting off building power, and creating serious disruption.

Needless liability is a major issue already mentioned in Section 22.2.7. But how does one protect against liability? Whenever trouble comes—even minor, unimportant events—someone may claim damage or injury, and allegations of negligence will surely follow. Asserting such claims has become a large and very profitable industry, especially since juries are often hostile to business or government defendants. Defense is at best very expensive and disruptive, even when it is successful.

Three simple yes/no questions will likely determine whether a claim is quickly dropped or a lawsuit is filed:

  1. Was the organization adequately prepared?
  2. Was there a good emergency-response plan that was well implemented?
  3. Did everyone follow generally accepted procedures?

Anything less than a clear “yes” to any of the questions can readily result in major damage awards. (See also Section 22.2.7.) Using the DHS/FEMA model is clear evidence of due diligence and also likely to dissuade most plaintiffs from filing suit. Any “yes” answer that has to be qualified, such as the use of a proprietary model, is likely to incur a very costly defense. Anything less than a clear affirmation of every question can trigger allegations of gross negligence that will expose both officers and organizations to large awards that liability insurance may not defend or cover.

23.4 ELEMENTS OF GOOD PROTECTION.

Protecting the infrastructure generally requires different and stronger defenses than premises security or IS logical security can provide. The infrastructure protection must be effective, efficient, and affordable. Yet it must also be nonintrusive and user friendly. Too much protection is unnecessarily costly and often counterproductive. Too little can be even more costly and endanger productivity, morale, and goodwill.

Some of the requisite elements for just the right amount of protection are provided in the sections that follow.

23.4.1 Segmented Secrets.

To maintain good security, no one person should know all the details or inner workings of the security systems and procedures. If total understanding of the security systems is segmented into several parts, there is much less likelihood of misuse, fraud, or error, and less dependency on a few key persons.

However, the more people with knowledge of the security systems and procedures, the more these systems become vulnerable. It is easier to compromise security through coercion or extortion, or by an unwise remark inadvertently disclosing information. The list of those with inside knowledge may include managers, administrators, maintenance personnel, users, partners, suppliers, customers, vendors, and consultants. Although many individuals must know at least some of the security protections, no one needs to know all of the details.

Secrets can be segmented among individuals, so that no one individual knows the entire security system, yet everyone shares the details needed to keep the systems performing efficiently. Usually a manager knows which subordinates understand which segments of the entire security system. The subordinates do not know each other's secrets, and if managed properly, the subordinates are not likely to share their secrets. The managers need know only enough information to be sure the subordinates are well trained and are following proper procedures and practices.

While there are significant benefits to segmenting secrets, the knowledge must be redundant also, so that no one person is indispensable. Redundancy is also needed to facilitate fast response when trouble is widespread or when key people are unavailable. Another benefit is that anyone leaving the organization cannot compromise the whole security system. No individual can be tempted, coerced, or extorted into spying, because the knowledge they possess is too fragmented. There is an intimidation factor also: If all the stakeholders believe that strong security exists, no one is likely to snoop or try to break it. Finally, mounting a successful attack requires collaboration.

Beyond segmenting, there is another precaution needed for good protection. If members of the same group must share sensitive knowledge, a “two-person” rule should apply. This is especially important when anyone is able to modify the security infrastructure, alarms, or event logs. The two-person rule says that any modification to the security system requires two authorized persons working together and that there will always be an audit trail showing who did what and when. This procedure also is used when two or more groups share responsibility for common elements of a security system.

23.4.2 Confidential Design Details.

It is often quite easy for others to locate and identify critical infrastructure components. Many times the information is clearly shown on public documents. The signage on infrastructure locations often clearly describes what is inside, and critical components are often put in spaces easily accessible to outsiders. These are all unsafe design practices.

Many types of documents clearly indicate IS areas, support systems, and other infrastructure. The documents may show the locations of equipment, wiring, utilities, and cable runs. Documents that are likely to reveal sensitive information include building plans that show floor and office layouts, furniture, wiring, and equipment locations. Architectural and engineering documents, drawings, and specifications often show sensitive information. These documents often list the function of each area, and even an occupant's name or title. Other types of documents breach security as well. Examples may be as-built plans, alteration and construction plans, electrical and communications wiring diagrams, patch-panel and cross-connect setups, as well as contract drawings or proposals, shop drawings, installation plans, maintenance diagrams, and, especially, documents filed with code-compliance and regulatory agencies. Good protection requires that all such documents be controlled and kept securely stored. Better yet, sensitive information should be removed and replaced with alphanumeric designations that are cross-referenced to sheets that can easily be kept classified.

All of the listed documents are routinely distributed to a wide range of sources, such as interested contractors and bidders, vendors, suppliers, and maintenance providers. Building managers, landlords, and often real estate offices are likely to keep copies on file, and many other persons can readily access the documents and copy them. Most such documents are publicly available or obtainable via the sunshine laws of each state, by court order, or simply by deception. Moreover, many legitimate persons obtaining or receiving the documents have no internal document control or security provisions.

All room and area designations should always be alphanumerical. Descriptive or functional names should not be used for any area. This caveat pertains to the entire premises, all public areas of the facility, and all building mechanical and core areas. Functional designations or terms such as “treasurer,” “marketing director,” “security desk,” “computer room,” “network closet,” or “telephone room” should never appear. Nor should the names of any occupants, departments or functional groups, or individual tenants' spaces be given. Use only alphanumeric designations. Never include floor plans, titles, or room numbers in a phone or floor directory, emergency egress plan, or anything accessible to the public.

Lists that correlate area and room numbers, functional areas, or any descriptive names should be kept secure in a locked file, as should equipment room drawings, patch panel connections, and wiring plans. All these must be readily available to system administrators in the event of a system failure or when doing maintenance or upgrades, but only on a need-to-know basis. Ideally, even managers do not have access to this information, except when accompanied by security personnel. As well as controlling access to such documents, it is equally vital that every document be kept current.

Finally, security personnel should review all plans, drawings, and documents for construction, alterations, equipment moves, or any other physical changes before the information is issued. Security personnel should also review the invitations to bid and all the drawings and specifications, review again the quotations received, and continue to review every as-built document produced throughout a project. Internal security should review all these as a matter of policy. If the security personnel do not have sufficient time or expertise to review everything quickly and thoroughly, outside independent experts can be valuable. When properly chosen, these experts can provide broad experience, perspective, and evidence of due diligence, so that management cannot later be accused of negligence in protecting information, people, or property. Finally, the security leader should sign off that no project documents violate any internal security policies.

23.4.3 Difficulties in Protecting the Infrastructure.

Not so long ago, most IS equipment was housed inside a single computer room, and most of the external terminals and peripheral equipment were located nearby. Cable runs were short and generally within secure areas, and access controls, alarms, and surveillance could easily cover the critical areas. There were often security guards as well. But in those days, there were fewer threat situations and less cost if trouble did come. Many organizations then were apathetic and security was lax. They were lucky, but a few incidents did occur and often at great cost. There were also likely many undiscovered security breaches and still more that were never reported.

Today, the IS infrastructure is much larger and more complex, and the potential costs of trouble are far greater. Today's infrastructure is much more interdependent, and it now includes many more equipment and network rooms. It extends to many more telephone and utility closets, and interconnects widespread and diverse desktop, peripheral, and remote nodes. Today's infrastructure is increasingly harder to protect, and the future outlook suggests many more threat situations with the potential to cause major business disruption.

To further complicate security, there are now many more and diverse IS interfaces and a complex infrastructure to protect. Interfaces now include direct and switched wiring, wireless topologies, and infrared coupling. Access to the Internet, LAN, and WAN networks may now utilize combinations of metal wiring and fiber optics, wireless, satellite, TV cable, microwave, and telephone dial-up connections. Some of these interfaces will be dedicated, others switched, and still others temporarily patched. It will be difficult to even locate all the interfaces, yet each must be protected, as must be their cable runs and the utilities that support them. Today, the early warnings from the security alarms and defenses must be so effective that most trouble can be prevented before it happens.

23.4.4 Appearance of Good Security.

The appearance of an armed fortress is usually counterproductive. This usually intimidates and obstructs both visitors and staff more than it protects them. The same is often true for too many guards and receptionists stationed to block entry points to internal areas (unless this is deemed absolutely necessary). Such barriers tend to enrage anyone who may be already anxious, and can provoke attacks. Barriers tend to be ineffective as well. Even if the glass is bulletproof and spray-proof, the pass-through holes likely are not. Most barriers can be breached as well, and the person(s) inside injured or at least traumatized. For example, some years ago most banks rushed to put their tellers behind thick glass panels. However, they soon discovered that the glass provoked trouble rather than deterring it. The banks quickly removed both the glass and the pass-throughs, which many businesses then bought and installed, with similar results. Anger and potential violence are best avoided by good facilities design, security systems and access controls, and training in security awareness and violence prevention.

There are also considerations whether security devices should be covert or appear in plain sight for all to see. Defenses that are in plain sight can serve as deterrents and promote a feeling of safety, but they can also be vulnerable themselves. Cameras can be spray-painted, shot out, or knocked aside with a club. Any exposed wiring (which is a security no-no in itself) can be cut or shot through. The alternative is to use concealed devices and/or dummy devices or “honeypots” that are obviously positioned. (Both are discussed later.)

23.4.5 Proper Labeling.

Good security requires quickly locating trouble spots, with certainty that the nomenclature of every cable and connector is clear and current. There must be proper and consistent labeling of all data and power cables, both inside and beyond the secure areas. No label or tagging should reveal confidential information. Many vendors, installers, contract personnel, and in-house staff tend to use their own labeling and tagging systems, some of which are clear and understandable, while others are not. The labeling and tagging must match the documentation, plans, and drawings as well. Sloppy wiring management is often the norm as changes are made but not marked or documented, or wiring abandoned and not removed. The status of in-house personnel, installers, and maintainers is likely to change frequently, creating all the more potential for misinformation and confusion. The inevitable result is poor protection and slow response to a security incident. There are generally accepted wire-management procedures, and a single method should be utilized throughout the information infrastructure. It is especially important that all authorized personnel understand and accept the labeling system.

The Telecommunications Industry Association/Electronic Industry Alliance (TIA/EIA) publishes the generally accepted authority, TIA/EIA Standard 606, Administration Standard for the Telecommunications Infrastructure of Commercial Buildings,3 which describes labeling of cables, connectors, patch panels, cross-connections, and equipment. This standard also requires labeling firestops, grounds, special-ground circuits, and neutral wires. The National Electrical Code (NEC), published by the National Fire Protection Association,4 also includes standards for labeling cables and conduits. Copies may be available from electrical supplies dealers. Many books explain these codes. Local codes probably augment the national codes and may also impose other requirements. Generally, any substantial alterations, moves, or changes and usually all new construction will require full compliance with the current standards throughout the premises—which is probably a wise security investment as well.

23.4.6 Reliability and Redundancy.

The first requisite of reliable system performance is reliable equipment, systems, and infrastructure, properly installed and maintained. But carefulness does not always guarantee reliability or a long service life. Some components may be poorly designed, subject to erratic quality control, damaged in transit, or applied incorrectly. Much equipment now includes a fail-over mode to maintain full performance when a failure occurs. But good security requires more than good reliability. There must also be redundancy: parallel paths to take the load should one component falter. Effective redundancy also requires alternate sites that are off premises to process and store information. It is best that there be multiple alternate sites, each within a safe environment and well distant so that problems at the primary site will not affect any alternates.

Inside each computer room, storage systems should be Redundant Array of Independent Disks (RAID) compliant with any important data fully mirrored. For critical data, the RAID storage systems should themselves be redundant. Servers should also be redundant. Multiple parallel servers with load balancing are a wise investment, so that one server will automatically take over another's load if it falters or must go off-line for any reason. All critical equipment should have redundant power supplies, fans, and hard drives that can be diagnosed quickly and hot-swapped easily.

Other approaches to reliability and redundancy include outsourcing, hot and cold sites, and contract services, but there must be a thorough security evaluation of any of these options considered. Obviously, data paths to distant points must be secure and reliable. But redundancy, utilizing well-separated data paths, may also be a wise investment, rather than relying on fail-over circuits that often travel within the same cable.

For example, radio and TV stations often order redundant phone lines from their studio to the transmitters, at twice the cost or more of a single (and fairly reliable) phone line. One station did this and lost both lines when a traffic accident wiped out some utility poles in a city many miles distant. It seems that both the primary lines and the fail-over lines were within the same telephone cable where the accident occurred. The chief engineer, however, was cautious; it seems he also had a subcarrier circuit on a microwave link that activated itself immediately when the phone lines both suddenly died. Single redundancy itself may not accomplish much unless the pathways are well separated.

Good system manageability is another vital requirement. This includes hardware that can detect trouble before it happens and, if possible, pinpoint the exact location. It also includes good management software with warning and alert capabilities and good logging systems. Remote management capabilities must also be private and secure to preclude penetration or denial of service attacks. Good security management also requires that any changes or disabling of alarm parameters should require two authorized persons to be physically present inside the equipment room and simultaneously logged on. Good system management adds some cost but is a wise investment in effective security and oversight.
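The two-person rule stated here and in Section 23.4.1, as an added example that is not part of the chapter: a small Python model in which an alarm-parameter change is applied only when a second, distinct authorized person approves it while both are present, and every attempt is written to a hash-chained audit trail so that later edits to the log are detectable. The room designation, user names, the five-minute presence window, and the use of a badge-in record as a stand-in for physical presence are all constructed assumptions.

```python
"""Dual-authorization gate for alarm-parameter changes (constructed example)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a badge-in or login older than this no longer counts as "present".
PRESENCE_WINDOW = timedelta(minutes=5)


@dataclass
class Session:
    """Who is logged on, and the room they last badged into (stand-in for presence)."""
    user: str
    room: str
    last_seen: datetime


@dataclass
class AuditEntry:
    """One audit record; digest covers the entry and the previous digest (hash chain)."""
    when: str
    actor: str
    action: str
    detail: str
    prev_hash: str
    digest: str = ""

    def compute(self) -> str:
        body = json.dumps([self.when, self.actor, self.action, self.detail, self.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()


class DualControlGate:
    def __init__(self, room: str, authorized: set):
        self.room = room                  # equipment room both persons must be badged into
        self.authorized = authorized      # users permitted to modify alarm parameters
        self.sessions = {}                # user -> Session
        self.alarm_params = {}            # the protected configuration
        self.pending = {}                 # request id -> (requester, param, value)
        self.audit = []                   # append-only list of AuditEntry
        self._next_id = 1

    def _log(self, actor: str, action: str, detail: str, now: datetime) -> None:
        prev = self.audit[-1].digest if self.audit else "0" * 64
        entry = AuditEntry(now.isoformat(), actor, action, detail, prev)
        entry.digest = entry.compute()
        self.audit.append(entry)

    def logon(self, user: str, room: str, now: datetime) -> None:
        self.sessions[user] = Session(user, room, now)
        self._log(user, "LOGON", f"badged into {room}", now)

    def _present(self, user: str, now: datetime) -> bool:
        s = self.sessions.get(user)
        return s is not None and s.room == self.room and now - s.last_seen <= PRESENCE_WINDOW

    def request(self, user: str, param: str, value, now: datetime) -> Optional[int]:
        """First person proposes a change; nothing is applied yet."""
        if user not in self.authorized or not self._present(user, now):
            self._log(user, "REQUEST_DENIED", f"{param}={value!r}", now)
            return None
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = (user, param, value)
        self._log(user, "REQUEST", f"#{rid} {param}={value!r}", now)
        return rid

    def approve(self, approver: str, rid: int, now: datetime) -> bool:
        """Second person approves; the change applies only if every check passes."""
        if rid not in self.pending:
            self._log(approver, "APPROVE_DENIED", f"#{rid}: no such request", now)
            return False
        requester, param, value = self.pending[rid]
        reasons = []
        if approver == requester:
            reasons.append("same person as requester")
        if approver not in self.authorized:
            reasons.append("approver not authorized")
        if not self._present(approver, now):
            reasons.append("approver not present")
        if not self._present(requester, now):
            reasons.append("requester no longer present")
        if reasons:
            self._log(approver, "APPROVE_DENIED", f"#{rid}: " + "; ".join(reasons), now)
            return False
        self.alarm_params[param] = value
        del self.pending[rid]
        self._log(approver, "APPLIED", f"#{rid} {param}={value!r} requested by {requester}", now)
        return True

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            if e.prev_hash != prev or e.compute() != e.digest:
                return False
            prev = e.digest
        return True


def demo() -> dict:
    """Walk through the rule with constructed users in constructed room 'A-17'."""
    t0 = datetime(2024, 1, 15, 9, 0)
    gate = DualControlGate("A-17", {"alice", "bob"})
    gate.logon("alice", "A-17", t0)
    gate.logon("bob", "A-17", t0 + timedelta(minutes=1))
    gate.logon("carol", "A-17", t0)          # present, but not authorized
    rid = gate.request("alice", "door_alarm_enabled", False, t0 + timedelta(minutes=1))
    results = {"request_id": rid}
    results["self_approve"] = gate.approve("alice", rid, t0 + timedelta(minutes=2))
    results["unauthorized"] = gate.approve("carol", rid, t0 + timedelta(minutes=2))
    results["stale"] = gate.approve("bob", rid, t0 + timedelta(minutes=20))  # badge-ins too old
    gate.logon("alice", "A-17", t0 + timedelta(minutes=20))   # both re-badge into the room
    gate.logon("bob", "A-17", t0 + timedelta(minutes=20))
    results["applied"] = gate.approve("bob", rid, t0 + timedelta(minutes=21))
    results["param_value"] = gate.alarm_params.get("door_alarm_enabled")
    results["audit_entries"] = len(gate.audit)
    results["audit_intact"] = gate.verify_audit()
    gate.audit[3].detail = "nothing to see here"            # simulate tampering with the log
    results["audit_intact_after_tamper"] = gate.verify_audit()
    return results
```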

23.4.7 Proper Installation and Maintenance.

Good protection requires that all information systems, equipment, and wiring be installed properly, according to the manufacturer's instructions and the intended usage. All the wiring must conform to, or exceed, local code requirements. Data wiring should be independently tested and certified that it meets specifications, current standards, and, if possible, anticipated future needs.

Out-of-the-box equipment hookups and installations are common and the cause of many system failures. Most security features are disabled when components and software are shipped. Proper installation requires careful setup, customization, and performance testing, for which adequate time and resources must be allocated. Promptly installing the latest modifications, service packs, updates, and security patches is also vital to maintaining performance. Delays of days, weeks, and even months often intervene, while new threats emerge or threat levels escalate until the new defenses are in place. Once installed, the information systems and infrastructure must be periodically reviewed, tested, and kept up to date.

Administrators, installation, and maintenance personnel must be properly trained, experienced, and, in many cases, certified or licensed as well. Each person's credentials should be checked before being permitted on site. Given the limited staff, time, and budgets available, there is often more lip service than actual certainty in the process of reliability assurance. Management must understand that proper installation, upkeep, and maintenance together constitute cheap and effective assurance that IS performance is never compromised.

23.5 OTHER CONSIDERATIONS.

There are many other factors that are sometimes given short shrift that can significantly improve physical security. A few of these are discussed in the next sections.

23.5.1 Threats from Smoke and Fire.

Smoke and fire must be prevented within any equipment room. Otherwise, considerable damage and disruption will occur very quickly. No matter how small the incident, the effects of either smoke or heat are cumulative. Systems will eventually fail and usually without warning. Obviously, smoking must be prohibited—but it often occurs because an equipment room may seem to be a safe, cool place to sneak a smoke. Also, equipment room doors should never be propped open by cleaning, delivery, or maintenance personnel, or others working outside when the air conditioning is off.

The first level of prevention is to keep everything combustible outside of equipment rooms. Paper and supplies not in actual use should be stored outside, never within an equipment room. Any reference materials or documents that must be kept within the room should be stored inside fire-resistant files or cabinets when not in actual use. There should be no trash receptacles within an equipment room, and shredders should be outside, under strict control. There should be a clear and firm policy that nothing combustible can remain inside an equipment room, and frequent inspections should be held to verify compliance.

There should be no unessential furniture within equipment rooms, especially desks that can become cluttered and that are not rated as fire resistant. A metal table with one small drawer and one or two metal chairs with fire-resistant upholstery are usually sufficient. Because plastic accessories, furniture, and upholstery may burn readily and generate large amounts of toxic smoke, they must be excluded from most office areas and especially from equipment rooms. Fire prevention can never be absolute, but the possible heat or smoke damage from electrical fires will likely be minimal.

Equipment and supply storage rooms should be designed to protect their contents, not to accommodate people. Regardless of the actual furniture or its intended use, any space that accommodates a workstation, or where people can congregate, is considered to be occupied space. Any area labeled as a computer room or data center is also usually considered to be occupied space.

This occupied-space designation is very important because building and occupancy codes, the Occupational Safety and Health Administration (OSHA), and other regulatory agencies require proper heating, ventilation, and air conditioning (HVAC), lighting, and easy means of egress for all occupied spaces. The requirements are many and varied. For example, the room air must be ventilated so that occupants continuously breathe some outside fresh air. HVAC systems are designed to accommodate people and do not necessarily protect equipment very well. HVAC systems can be unreliable in continuous use, inefficient, and unnecessarily costly in an equipment room. Yet HVAC is required by code within any occupied space.

Process-cooling systems, however, are designed specifically to cool equipment, not people. As a result, process cooling is reliable, efficient, and less costly to operate. Process cooling systems recirculate the same air within the room, and there is no need for makeup (outside) ventilation. This keeps out contaminants and cuts operating costs. Outside smoke can be sealed out, maybe sufficiently to avoid having to power-down any equipment. See Sections 23.8.7 and 23.8.8 for environmental considerations and smoke and fire protection within equipment rooms.

Inadequate firestops are a major threat that is often overlooked. A firestop is usually a sleeve and a special material to prevent smoke or heat from penetrating an opening in a partition, floor, or ceiling. It also stops the spread of flame. Many firestops are needed throughout the premises, including the building core and the mechanical, utility, and equipment areas—even within a one-story building. Firestops are rigorously required by most codes, but compliance is often inadequate and the devices often are breached by subsequent alterations or wiring changes.

Partitions, building walls, floors, and ceilings must all be fire-rated in accordance with the national and local building codes and other regulations. Proper construction usually is specified by an architect or engineer, and compliance is inspected or certified as soon as the construction is complete. Inspection often occurs before all of the mechanical systems and wiring installations are finished. Subsequently, if any penetration or opening is made through a wall, floor, or ceiling, its fire rating is thereby invalidated and should be recertified.

Underwriters Laboratories (UL) or a similar recognized authority rates and approves commercial firestops before they can be sold legally. Each manufacturer then specifies the approved applications, installation, and maintenance procedures necessary for compliance. It is therefore wise to utilize specialized vendors with extensive training and experience installing and inspecting firestops and to have them conduct periodic premises inspections and certifications.

Inadequate firestops are particularly common in the core areas of older buildings or where tenants occupy multiple floors. While proper firestops may have been provided during construction, installation of piping, cables, conduit, and subsequent wiring changes often breach them. Wires often poke through large, gaping holes hidden by a hung (suspended) ceiling or behind equipment racks or wire troughs. Proper firestops must be installed and inspected whenever changes occur. Many installers do not understand this, or cut corners hoping no one will notice, or assume others will take care of it.

Without proper firestops throughout, fire and smoke can, and probably will, spread surprisingly quickly. And so will dust. There can be substantial liabilities if any people are harmed or equipment is damaged because of improper firestops or inadequate fire-rated construction. The costs, time lost, and reputational damage will be huge. Periodic and thorough fire inspections by an independent and qualified expert will quickly discover building and firestop violations.

23.5.2 Equipment Cabinets.

Most IS equipment is now open-rack mounted to save floor space, for more reliable performance, and for easier access. Although enclosed equipment cabinets cost more than racks, they offer much better protection. Equipment mounted within a closed cabinet can be better ventilated and cooled, kept freer of contaminants, and may also escape damage from external particulates, water, smoke, or liquids. Should there ever be overheating or smoke generated within an enclosed cabinet, the condition can be detected quickly and usually resolved before equipment or wiring is damaged. Locks keep out those unauthorized, or at least delay access and leave evidence of trouble. Open-door alarms provide another strong layer of protection, and wiring conduits to cabinets can also be protected. Cabinets with redundant fans can better monitor and maintain ventilation and cooling, which, in turn, facilitates more equipment mounted in less floor space. In all, closed cabinets can provide an additional layer of protection against accidental or deliberate damage to the infrastructure.

A fire suppression system within any equipment room is usually required by code and often by equipment vendors as well—and is certainly needed for good infrastructure protection. With all of the IS equipment located inside of closed cabinets, a water system with mist sprinkler heads is an excellent, inexpensive fire suppression system for the room. This eliminates the very high costs of chemical fire suppression systems, and will more than pay for the best equipment cabinets. (See Section 23.8.8.)

23.5.3 Good Housekeeping Practices.

All food and drink must be kept out of equipment rooms, since they can cause considerable damage if spilled on equipment, a monitor, keyboard, connectors, and wiring and cable harnesses. Food also attracts insects and rodents (which are found in many buildings), many of which also like to eat wiring. Space for food and drink should be provided outside the equipment room, where routine maintenance personnel can keep the food area clean.

Loose papers, books, supplies, newspapers, and trash are fire hazards and also must be banned from every equipment room.

23.5.4 Overt, Covert, and Deceptive Protections.

Effective protection of the IS infrastructure requires many hidden elements—such as concealed surveillance cameras, sensors, and detectors—and all of the wiring that supports them. But good protection also needs some clearly visible elements. It is important to consider which devices are best hidden to protect them and which should be visible as deterrents.

Overt devices are ones that are evident to workers and visitors, or whose presence is implied by other visible objects, such as warning notices. These visible devices, which suggest that some sort of security exists, are intended to deter troublemakers, so that all but the most determined attackers will go elsewhere. Examples are surveillance cameras, access controls, visible alarm boxes, and visible sensors. Although most overt devices are active and recording data, some may be inexpensive dummy devices that only look real, perhaps with slowly blinking indicator lamps to heighten the effect. Covert protection, however, must not be noticeable to either visitors or insiders. There must be no indication that these protections exist, what they are, how they might function, or where they are located. Most effective security systems operate covertly; examples include stealth and silent alarms, concealed early-warning systems, perimeter and proximity sensors, access monitors, and many other surveillance devices that are not readily seen.

It is important also to conceal the wiring that interconnects all protective systems and the utilities that support them. Whether any part of a system is visible or not, the wiring that connects it should not be. Although overt devices may themselves be vulnerable, they will generally advertise that there is good security here and everyone within the premises can feel safe. However, visible devices can sometimes be covered or spray-painted, knocked aside with a club, or shot to disable them. An expert thief can also defeat many hidden systems, if he or she knows what they are, where they are located, or how they are connected.

Another approach to protection involves deception. Dummy devices that look like surveillance cameras, access control devices, and alarm sensors can be placed to attract troublemakers, who may think they can physically damage, disable, or circumvent the system. These visible devices are intended to distract potential troublemakers and divert them away from vulnerable areas. Some devices are deceptive in that they are not what they appear to be but are actually alarm sensors to measure motion, proximity, sound, or anything that disturbs the device. Deceptive devices often are used to divert troublemakers away from vulnerable people and infrastructure, by offering them a “honeypot”: an attractive target to distract them, but often a target equipped with an alarm device, surveillance cameras, or other means of identifying a perpetrator and gathering evidence.

There is a gray area between what management can legitimately do to protect its information systems and what may be unethical or illegal actions. Management has a legal and fiduciary responsibility to protect people and property, and those who support deception say that these techniques are increasingly necessary to protect an organization. Others insist that this amounts to entrapment or violates privacy rights. State and local regulations and interpretations vary widely and are continually changing. It is necessary to check carefully with local officials, legal advisors, and insurers to determine what is acceptable and how to manage such risks. Management must then decide to what extent these techniques may be effective and whether less contentious approaches will suffice.

Whether the protection devices themselves are overt, covert, or deceptive, the security systems behind them must not be obvious. No one seeing or knowing about the elements of a security system should be able to deduce the details of the system, the functionality, or where and how it is monitored. An observer may notice a particular device or product or the suggestion of a vendor's standard security solution, but the particulars of the protection systems must remain obscure, and all the wiring that supports them must be hidden or disguised as well.

Everyone involved must be aware of the security policies and procedures. Conspicuous signs should advise that anyone entering the premises may be monitored, as may all communications. All of the security policies and procedures should be understood and accepted by everyone involved. Employees and other on-site personnel should receive periodic security-awareness training and briefings. And there should be periodic security exercises and drills to test the procedures and reinforce the training.

Finally, protection must not be intrusive. Security cannot limit productivity or IS performance in any way. Instead, the protection must contribute to a feeling of safety and security within the workplace and thereby enhance productivity.

23.6 ACCESS CONTROL.

Access control systems are but one layer of good infrastructure protection. They are usually used in conjunction with surveillance and perimeter control systems in order to provide sufficient early warning to head off trouble before it happens. Effective access control requires three tiers of support that are described next. The strength of each tier and its integration with other security layers determines the security effectiveness.

  1. Privileges. This tier determines whether a person seeking entry is authorized. It is the initial entry-request process that may use an access or proximity card, radio-frequency identification (RFID), or a keyed or combination lock. Since many of these devices can be lost, borrowed, stolen, or copied, and many can be quickly defeated, there is usually not much effort to ascertain just who is seeking entry. Therefore, privileges alone are not strong security.
  2. Authentication. It is usually necessary to identify a person seeking entry with some degree of certainty. To do this, the person must possess or know something unique that others cannot readily duplicate. Examples include personal identification numbers (PINs), electronic keys, entry cards, and biometric devices. PINs and passwords may be used, provided they are strong and well implemented. Some of these approaches merely strengthen the privileges process but can still be copied or defeated.
  3. Audit trail. A log is required for each entry attempt to show the date and time, the identification of the person, and the action taken by the access control system. Access-denied and unable-to-identify events should trigger immediate alarms. Logs must be analyzed in a timely manner for anomalies or unusual patterns. Where better access control is needed, each person's exit also must be authenticated and logged.

See Chapter 28 for more details about identification and authentication access controls.

23.6.1 Locks and Hardware.

Strong protection begins with high-quality locks, door hardware, and access control systems that are nonintrusive yet strong enough to deter most unauthorized entry. Lock types should be hard to pick and should use keys that are hard to duplicate. Examples are Medeco® locks and keys with dimpled sides. Ace® locks with circular keyways require special tools to pick but also tend to signal that there is something important beyond the door. Many types of keys can be created from lock numbers, so keep these numbers stored securely. No lock is completely safe. Someone with equipment, experience, and time can open any lock, often very quickly and without causing attention. Where key mastering is used, an experienced person with a key to any single door can open the lock cylinder and copy the mastering system. Therefore, additional layers of protection are needed.

Interior areas accessed only by a few people usually can be secured with a strong push-button combination lock. Key locks are not appropriate, because the keying cannot be changed periodically or quickly when a key is lost or someone leaves. And misplaced or lost keys may not be reported for days or weeks. However, key locks tend to be stronger and less vulnerable to vandalism, so keys may be the best alternative for outside areas or for doors that remain open during business hours. Wherever keys access critical areas, there should be spare lock cylinders and a new set of keys stored on site that can be utilized quickly when a change is needed. Once a lock cylinder is changed, the old cylinder should be rekeyed and a new set of keys produced.

Locks that use an electronic key are particularly effective. Electronically activated cylinders can replace existing mechanical cylinders, and many do not require any wiring, so the hardware and operating costs are minimal. Most electronic keys have a small cylindrical tip that is touched to the lock for access. Both the lock and the key can log each event, identify the specific lock or key used, the date and time, and whether access was granted. And conveniently, electronic keys are not much larger than mechanical keys. However, both can be defeated with the proper equipment and skill. Often two independent entry locks are utilized to provide stronger, relatively inexpensive protection.

RFID can provide good access control, provided the activating device is not lost or stolen. RFID can be an improvement over card entry systems in that it can activate a lock from several feet away. RFID access cards can include photo ID, name, and perhaps an optical stripe for encrypted identity information. As with other systems, RFID can be breached with the right equipment and skills.

Another inexpensive upgrade of key locks is the card-access lock similar to the ones used by hotels. Many do not require wiring and are battery operated, so the keying of each door remains unchanged and an old key remains valid. Therefore, without central wiring, most card-access locks offer limited security and cannot trigger an alarm although some do at least log events. No matter how strong the access control systems, doors have their limitations. Absent a vault-type door and hardware, a determined attacker with pistol and silencer can gain access readily. A small water cannon that is transported in what looks like a toolbox can breach a standard metal door, or the partition surrounding it, with one shot and very little noise.

23.6.2 Card Entry Systems.

The best means of access control is a card entry system, especially the newer systems that are increasingly capable and less costly as well. A central card entry system often controls the entire premises: all entrances, exits, elevators, rest rooms, and many other interior doors. Access cards are usually similar to a credit card and can be carried concealed or worn as identification badges. Access cards are usually imprinted with a full-face photo, the individual's name, the organization's logo, and often a printed stripe with biometric information. Access cards often show number codes to indicate authorized areas of access, and are usually color-coded to indicate status and whether the person must be escorted.

The means of encoding identification data on the cards include optical bar code, magnetic stripe, smart cards with embedded chips that store biometric data, and cards with embedded bits of metal. Most bar codes are not secure; the cards are easily duplicated. Two-dimensional bar codes hold more data than a one-dimensional bar code and are harder to alter undetectably, but like any printed code they can be photocopied or reprinted. Magnetic-striped cards also have many drawbacks: They cannot store much data, and they are easily altered, copied, or erased (often by accident). In time, the magnetic data decays and must be reprogrammed. Magnetic card readers are not practical outdoors, because of weather and vandalism. Heavily used magnetic card readers and the cards themselves wear out quickly.

Cards with embedded metal bits are effective. The encoding cannot be seen except by X-ray, and it is durable and permanent. The cards must be held against, or inserted into, a reader that scans the card for the position of each bit. They hold very limited data, the coding is factory installed and cannot be changed, and spare cards must be inventoried. In addition, with the right equipment, these cards can be copied.

The RFID systems will be used increasingly and are a better solution, but most can be compromised or copied. These contain an embedded transmitter or transceiver chip. Smart cards hold more data, and most of the chips will accept new data. Some include miniature batteries to store more data and to increase the operating range, to avoid having to come into close contact with the card reader.

Many states and Canadian provinces now issue drivers' licenses with a photo ID and an optical or magnetic stripe, or a two-dimensional bar code. A few of the new licenses are becoming quite sophisticated, including some with embedded RFID chips. Federal policies now require multiple means of positive identification before issuing the new licenses. But, so far, just as fast as new “foolproof” documents are created, ways of cracking them are announced. For example, the new biometric e-passports being introduced by the United States, United Kingdom, and other countries can reportedly be cloned.4 Eventually, as drivers' licenses become harder to fake or copy, they can be used to identify retail customers, to verify citizenship and age, as charge or debit cards, and for premises access control.

Methods of using entry cards include proximity, touch, insertion into a slot that returns the card when it is authenticated, or swiping the card through a narrow channel or in and out of a slot. Swiping is fast, but the card must be hand held. Inserting a card has the same shortcoming as swiping and is slower. Wear, weather, or vandalism can damage the card and card reader.

23.6.3 Proximity and Touch Cards.

The best of the new card access control systems use proximity or touch cards. These cards communicate with readers over short-range radio-frequency signals (typically at 125 kHz or 13.56 MHz). The reader's field powers some types of cards, while others contain miniature batteries. Physically, the cards and card readers are weatherproof, vandal resistant, and wear very little in use. Proximity card readers can be surface mounted, recessed flush into a wall, or entirely concealed within a partition so that they do not call attention to a security door.

Touch cards are functionally similar to proximity cards, but they must be held briefly against a reader that is usually visible. Touch cards cost a little less than proximity cards and are good only for entrances with little traffic. The touch-card system is slower, and the cards more easily lost, stolen, or forcefully taken.

Proximity cards (which include RFID cards as well) may be used while concealed inside a pocket, handbag, or wallet. Some are worn concealed or hung on neck lanyards. A proximity card that is also an ID badge that everyone in the workplace wears at all times can access both doors and workstations without being touched. Temporary badges customarily are issued to all visitors, even when escorted, and can be used for access control and to monitor areas entered. Temporary badges are quickly activated with specific privileges and can be revoked automatically and immediately when necessary. Increasingly, the visitor cards are created quickly on site with the visitor's picture and perhaps biometric data as well printed on the card. Longer-term temporary badges can be issued to vendors, contractors, and external employees, although it is best that security personnel store visitor badges safely while the person is off the premises.

The new systems provide many useful functions. They are usually laminated and sealed to prevent wear, damage, or alteration. Individual cards are quickly prepared, activated, and canceled—all on site. The system can restrict entry to specific places, days, and times, and holiday restrictions also can be programmed. Any card can be locked out immediately if lost or stolen, or when the owner leaves.

The newer 13.56 MHz proximity cards can function up to about three feet from the card reader (with the larger vicinity-type readers); older cards were limited to a range of about four inches. The newer cards are also faster, hold more data, and offer more functionality. Many of the card readers also can write data to the card. There is a trade-off, however, between useful operating range and the amount of data stored. The farther the range, the less the data stored. Most proximity systems are adjustable to optimize distance and speed. For example, on outer perimeter doors, where quick, convenient access is more important than tight security, the systems are set for maximum range. Inner doors that need higher security are adjusted to utilize more information and to function at a shorter distance, which is still far greater than the older systems allowed. Proximity and touch cards can be compromised. Older low-frequency cards that simply transmit a fixed identifier can be read and cloned with inexpensive handheld equipment, and a longer read range also extends the distance from which an attacker can skim a card in someone's pocket. Cards that authenticate to the reader and encrypt their data raise the bar considerably, although several widely deployed schemes of that kind have also been broken, so card strength should be confirmed with the vendor rather than assumed.

There are also self-expiring visitor badges that noticeably change color or prominently display the word “expired” after an elapsed period. Self-expiring badges are reusable and come with a fixed expiration period that is usually from two to 24 hours following each activation. These badges cannot be reactivated, except with very sophisticated equipment.

Cards are not the only proximity or touch devices. Keys or patches also are used. The keys can be small, rugged, and easily attached to a key ring or to a small handheld wand that a security guard might use. The patches work in place of touch cards, or with separate access control systems, to upgrade existing legacy systems. The patches are about the size and thickness of a quarter and are easily attached to anything a person normally carries, such as an ID card or badge, a pager or cell phone, or the inside of a wallet. The newer RFID devices will be even smaller.

Card access often is used for all equipment rooms containing servers, network components, or telephone gear; for off-hour access to information systems by users, technicians, and administrators, and for any areas where high-value items are stored. Card systems usually are integrated with premises security to control access to and egress from the building, elevators, service areas, parking, and rest rooms, and other parts of the information infrastructure that can also take advantage of the access controls. Plan ahead and consider where additional access control points may someday be needed. Piecemeal additions at a later date can be costly.

Each entry into a controlled area should be logged in a way that cannot be compromised. Logs should provide an accurate audit trail of everyone who sought entry, when, and whether access was denied. Where stronger security is needed, each egress should be logged in the same way. The logging system is best monitored by software that can review all system data in real time, flag trouble quickly, issue periodic summary reports, and quickly search and summarize unusual events. Reviewing logs manually is a cumbersome, time-consuming task. If only manual auditing is possible, there must be a firm policy to do this every few days.
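The review described in the previous paragraph, and in the audit-trail tier at the start of this section, is easy to automate. The following is an added example, not code from the chapter or from any access control vendor: it parses a constructed log in an assumed "timestamp|door|card|result" format, raises the immediate alarms the text calls for (denied and unidentified events), and flags three patterns a manual reviewer would otherwise have to hunt for: repeated denials of one card at one door, successful entries outside assumed business hours, and entries with no logged exit. The door names, hours, and thresholds are assumptions.

```python
"""Review access-control logs for immediate-alarm events and anomalous patterns.

Added example, not from the chapter or any vendor's product. The log format
(timestamp|door|card|result), the door names, the business hours and the
repeat-denial threshold are all assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed format; not real data.
SAMPLE_LOG = """\
2024-03-04T08:55:12|server-room|C1041|GRANTED
2024-03-04T08:56:40|server-room|C1041|EXIT
2024-03-04T12:01:05|lobby|C2007|GRANTED
2024-03-04T22:13:44|server-room|C2007|DENIED
2024-03-04T22:14:02|server-room|C2007|DENIED
2024-03-04T22:14:30|server-room|C2007|DENIED
2024-03-04T22:20:10|server-room|UNKNOWN|UNIDENTIFIED
2024-03-05T03:10:00|server-room|C3310|GRANTED
"""

IMMEDIATE_ALARM = {"DENIED", "UNIDENTIFIED"}   # events that should page security at once
BUSINESS_HOURS = (7, 19)                       # assumed 07:00-19:00 local
REPEAT_WINDOW = timedelta(minutes=5)
REPEAT_THRESHOLD = 3


def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, door, card, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "card": card, "result": result})
    return events


def immediate_alarms(events):
    """Every denied or unidentified attempt is an alarm in its own right."""
    return [e for e in events if e["result"] in IMMEDIATE_ALARM]


def repeated_denials(events, window=REPEAT_WINDOW, threshold=REPEAT_THRESHOLD):
    """Same card denied `threshold` times at one door within `window`: looks like probing."""
    stamps_by_key = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED":
            stamps_by_key[(e["card"], e["door"])].append(e["ts"])
    flagged = []
    for (card, door), stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append((card, door, stamps[i]))
                break
    return flagged


def off_hours_entries(events, hours=BUSINESS_HOURS):
    """Successful entries outside business hours deserve a second look even if authorized."""
    start, end = hours
    return [e for e in events if e["result"] == "GRANTED" and not start <= e["ts"].hour < end]


def entries_without_exit(events):
    """Where exits are logged too, an entry with no later exit for the same card and door
    means someone is still inside, or left by an unlogged route."""
    inside = {}
    for e in events:
        key = (e["card"], e["door"])
        if e["result"] == "GRANTED":
            inside[key] = e["ts"]
        elif e["result"] == "EXIT":
            inside.pop(key, None)
    return sorted(inside.items())


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for label, items in (("immediate alarms", immediate_alarms(evs)),
                         ("repeated denials", repeated_denials(evs)),
                         ("off-hours entries", off_hours_entries(evs)),
                         ("entries without exit", entries_without_exit(evs))):
        print(f"{label}: {items}")
```

On the constructed log, card C2007 is flagged for three denials at the server room inside one minute, C3310 for a 03:10 entry, and two entries have no matching exit. In a real deployment the same checks run continuously against the live feed rather than against a file, and the log itself must be written to storage that the people being audited cannot alter.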

Card entry systems by themselves do not provide strong protection. Therefore, some degree of authentication is required.

23.6.4 Authentication.

Anyone can use an access control card that may be borrowed, lost, copied, altered, stolen, or taken by force. Therefore, authentication is another layer of security that is needed to establish the identity of the person seeking entry with some degree of certainty. Authentication devices commonly include a biometric scanner, a numeric keypad, and visual or voice identification by a computer or by another person. All such devices come in varying security strengths and each can be used in combination.

When an access card is read, the system must first verify that the card has the requisite privileges for that place, date, and time. If it does, the system must then authenticate the person using the card. A numeric keypad was once the most common device for this: the card holder entered a personal identification number (PIN), and if the system validated it, it activated an electric door strike to unlock the door momentarily. Many newer readers use a touch screen on which the digits appear in random order, so that wear marks or a watcher's glance cannot reveal the PIN. Keypad authentication can be slow and cumbersome and is easily compromised: PINs can be forgotten, written down, shared, or observed, and some systems issue everyone the same PIN, which then provides no individual accountability.

Visual authentication is a better approach. This can be done by a computer or by a security guard or receptionist who can see the entrance or monitor it via a surveillance camera or a video intercom. Emergency-type video intercoms work well because they provide the remote authenticator with a visual image and can monitor sound continuously, so that the authenticator can speak with and challenge whoever approaches the door. When identity is verified, the system or other person activates the electric door strike to unlock the door. This system offers stronger security and is faster than a keypad. It also facilitates recording and logging all entrances and exits, especially during off-hours. Breaches can happen, if the person seeking entry can deceive the guard or receptionist.

Biometric scanners offer the strongest security. They offer faster, more positive identification of every individual and do away with the need to remember a PIN. Biometric scanners can read any of these personal attributes, which are listed somewhat in order of their current popularity: fingerprint patterns, facial characteristics, voiceprint, handprint, signature, retinal details, or height and weight.

Most biometric systems can be adjusted to be highly sensitive (a strict matching threshold, which is slower and produces more false rejections and repeated entry attempts, but very few false acceptances) or less sensitive (faster, with fewer rejections of legitimate users, but with some false acceptances). Before choosing a biometric system, it is necessary to determine that the users understand and will accept it. For example, some people balk at having to use a retinal scanner, while others may feel that any biometric device invades their privacy. The latter concern is weaker than it seems, because most biometric systems cannot be used to identify any person not already enrolled in the system. Increasingly, especially in critical public places, these systems can check every individual against criminal and terrorist databases and quickly alert law enforcement. A stolen template is of limited use to an attacker outside the system that created it, because each vendor's template format and encoding are proprietary; but unlike a PIN, a compromised biometric cannot be changed, so templates should be protected as carefully as passwords.
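The sensitivity adjustment in the preceding paragraph is a threshold on the matcher's similarity score, and the two error rates it trades off can be measured before a system goes live. The following is an added example, not from the chapter or any scanner vendor: it computes the false acceptance rate (FAR) and false rejection rate (FRR) at a given threshold from constructed genuine and impostor score samples on an assumed 0-100 scale, finds the lowest (most convenient) threshold that still meets a FAR target, and finds the equal-error threshold often used to compare systems. Real deployments would substitute the scanner's own score distributions gathered during enrollment testing.

```python
"""Choosing a biometric matcher's sensitivity: false accepts against false rejects.

Added example, not from the chapter or any scanner vendor. The match scores are
constructed on an assumed 0-100 similarity scale; a real deployment would use
the scanner's own score distributions, collected during enrollment testing.
"""

# Constructed scores. GENUINE: an enrolled user presenting their own finger.
# IMPOSTOR: other people's fingers matched against that user's template.
GENUINE = [91, 88, 85, 79, 76, 74, 70, 66, 62, 58]
IMPOSTOR = [12, 18, 23, 29, 35, 41, 47, 53, 60, 67]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for each candidate setting: the trade-off the text describes."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def lowest_threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """The most convenient (lowest) threshold that still keeps FAR at or below max_far.
    A sensitive inner door wants max_far near zero and accepts the higher FRR that comes with it."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t
    return None


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest: a common single-number comparison between systems."""
    return min(range(0, 101), key=lambda t: abs(far(t, impostor) - frr(t, genuine)))


if __name__ == "__main__":
    for t, a, r in sweep((40, 50, 61, 68, 80)):
        print(f"threshold {t:3d}: FAR {a:.1f}  FRR {r:.1f}")
    print("strict setting (no false accepts):", lowest_threshold_for_far(0.0))
    print("equal-error threshold:", equal_error_threshold())
```

With these constructed samples a lax setting of 50 admits three of ten impostors but never rejects the enrolled user, while the strictest setting that admits no impostor (68) rejects the user three times in ten, which is exactly the repeated-attempt cost the text warns of. Ten samples each is far too few for a real decision; the point is the method, not the numbers.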

Fingerprint scanners are the most common and are becoming increasingly powerful. Initially, these utilized optical scanning, which could be fooled by photographs, wax impressions, or by a severed digit. The newer capacitive scanners use electronics rather than optics and can provide nearly certain identification. Usually, three of the user's fingers are “enrolled” in the system in case some fingers are later bandaged or dirty. If all the enrolled fingers are incapacitated, single-use passwords can be used to bypass the system.

Most fingerprint scanners cannot identify an individual by name, but only that a person seeking entry matches the person whose biometric identity has been enrolled. Most scanners do not conform to the uniform, automatic fingerprint identification standards used by law enforcement. Instead, they scan a small area of the finger and apply proprietary algorithms and encryption. A template from one system is usually meaningless to another.

Accuracy of fingerprint scanning is affected by the angle and position of the finger and by the pressure applied. Most systems allow sensitivity adjustment to optimize enrollment and verification times and success rates as well as to minimize delays and false negatives that require repeated access attempts. While well suited to most applications, fingerprint scanners may not be appropriate where the user could have dirty or thickly callused hands or must wear gloves (such as healthcare workers).

Facial recognition is the basis of another popular scanning system. It uses graphics technologies and any surveillance camera to measure the size and relationship of prominent facial elements. Most systems are proprietary and cannot be used to identify an individual by name, but some others are compatible with law enforcement standards. Sensitivity and accuracy are dependent on the distance, position, and angle of the head as well as on the background lighting. Cameras at all entry points must be positioned to photograph the subject at the same angle that their faces were “enrolled.” Not all facial recognition systems offer strong security; some can be fooled by a face mask or a photograph. Others are best left at their highest sensitivity settings to avoid spoofing, which may require multiple attempts at entry.

Voice-print scanning can be used, but mostly for access to a terminal or workstation. The better systems display random words on the monitor so a prerecorded response cannot be used. Most use the workstation's microphone or, increasingly, a cell phone. Voice scanners can be affected by hoarseness, so there should be a one-time password access provision. These systems can be useful for remote login, especially while traveling, although the low bandwidth of dial-up circuits may lessen the system's usefulness.

Retinal or iris scanners are considered the best security, but authentication can take a few seconds. For access control, the user must generally look closely into an eyepiece, which is traumatic to some people. But for access to a terminal or workstation, a Web camera is generally placed on top of the monitor, 17 to 19 inches from the eye. The user's head must be positioned to align a white dot within a colored circle. The user must hold still, without blinking, while the scan proceeds automatically. The camera can be used for surveillance to see who is near the workstation.

23.6.5 Integrated Card Access Systems.

Biometric scanners are used increasingly by other applications, and most can readily coordinate with an access control system. Applications include network user authorization, and access to terminals and workstations and to software applications and data. Biometric readers can be built into laptops, keyboards, mice, or peripheral readers. They can be used with access cards, badges, and proximity or RFID devices for authentication with some degree of certainty. Scanners that are mostly proprietary are currently integrated with encryption systems (e.g., virtual private networks, public key infrastructure, and smart cards) to authenticate transactions including credit cards, financial, banking, and automatic teller machines. Biometrics are increasingly used to identify hospital patients, welfare recipients, people who frequently enter the United States, and similar applications that involve identifying a diverse or widely dispersed group.

Infrastructure security protection can be independent of, or integrated into, a comprehensive premises security system. Either cards or badges can provide many other functions beyond basic access control. Applications include off-hour access to the building, elevators, and premises; control of building entrances, rest rooms, and parking areas (especially at night); purchases at a cafeteria or company store, or for charging stationery or materials picked up from a supply room. They can also be used to receive classified documents.

For greater protection and efficiency, an integrated enterprise-wide, Web-based system can control access to various premises, locked doors, infrastructure components, networks, workstations, applications, secure data, and Web connections. This arrangement offers comprehensive security by logging every event. Centralized logs can yield much more meaningful security information, because an integrated system provides better early warnings to head off trouble before it happens.

23.6.6 Portal Machines.

Airportlike security checkpoints are perhaps a wise idea in today's environment of increased threats and violence. A portal machine is the archway one must walk through during the airport security process. It detects concealed metal, such as guns and knives, and tools that might be used to cause trouble. A portal can also be used to detect IS components (such as storage media) being smuggled into or out of the premises.

Newer trace-portal machines can detect many explosives as well. The person entering is asked to stand still for a few seconds while the machine releases several puffs of air and captures samples that are then analyzed for a number of hazardous or explosive substances. When a guard is not present, a computerized voice instructs the person to proceed, or a turnstile can hold the person in place. The newer machines were announced in August 2006 for use at Midway International Airport in Chicago.5

Such devices might be appropriate for all who enter the premises and at entrances to critical areas or equipment rooms as well.

23.6.7 Bypass Key.

Whatever the systems used, there should be one bypass key that can open every door that uses electronic or electrical controls. The bypass key is for emergency use only. It is a unique key that is not on any mastering system and is available only to a few highly trusted people. The cylinders should be heavy duty and very hard to defeat, with the keys nearly impossible to copy. Careful control and protection of each key is essential. The loss of a key may not be discovered quickly, and the time and costs of rekeying every lock will be substantial. Meanwhile, every door on the access control system is vulnerable.

Bypass passwords for individual users also may be needed. These passwords should trigger a silent alarm whenever used, so that security can respond to the site or verify identity by telephone, surveillance, or intercom. One-time passwords provide the best security.

23.6.8 Intrusion Alarms.

Intrusion alarms are necessary to provide perimeter and early-warning alarms and are usually needed as extra layers of security. There are several methods of intrusion detection. Digital surveillance cameras with motion detection are best because they can monitor visually what is happening and record what they see. Other methods include proximity and pressure sensors mounted within the perimeter walls or floors or inconspicuously within the room. Most of these sensors can detect intrusion and forced entry and can pinpoint the location of trouble, but they provide no details, monitoring, or evidence-recording capabilities. Proximity and pressure sensors can protect long-distance perimeters, cable runs, and utilities inexpensively. Concentric layers of such devices are necessary for sufficient early warning to prevent trouble from happening.

The best motion detectors use digital closed circuit television (CCTV) surveillance cameras that can sense movement while observing and recording the event. Miniature cameras that are inconspicuous or concealed are particularly effective and increasingly inexpensive. Several cameras can record pictures from many angles and often can identify an intruder positively. In a larger area, cameras often use swivel-tilt mounts and zoom lenses, which can be controlled automatically and remotely as well. Color cameras are preferable, as are cameras that automatically adjust to light conditions, including near darkness.

Some CCTV cameras include a military-type night-scope mode, which is relatively inexpensive and functions well in near-total darkness. These cameras also work well in normal light and can switch automatically to night-scope mode when necessary to see clearly and to record evidence. Other types of cameras, such as infrared, work well where there is no (humanly) visible light.

Other intrusion detectors use radar technology or measure changes in capacitance or inductance to sense intrusion. Most cameras and detectors can trigger an alarm as soon as they are disabled or lose power. Detectors may be wall- or ceiling-mounted devices as an overt means of deterrence, but these may then be vulnerable to spray paint, wire cutters, a gun, or a club. Therefore, intrusion detection sensors are usually concealed, or at least inconspicuous.

Perimeter alarms are especially important in building core areas, or public areas within or outside a building, to provide ample early warning of an intrusion that might soon affect a secure area. Digital video cameras are best for this but may be ineffective over large areas or long distances. Therefore, many proximity devices are used to monitor intrusion. Most utilize long sensor wires that are surface-mounted inconspicuously or hidden within partitions, ceilings, and sometimes inside of conduit. These systems detect the presence of a standing adult or a large animal that may come within a few feet of the sensor wire. The sensor wires can be very long, so zoning is often necessary to pinpoint an incident at least within a general location.

A better and cheaper alternative can be fiber optic perimeter alarms. Developed for the military and national security installations, the fiber optic systems are very sensitive and can monitor, evaluate, and record events. The sensor wires can also be embedded inside drywall or masonry partitions, ceilings, floors, or conduit and will detect both pressure changes and ambient sound. Because they do not measure proximity and can monitor and evaluate events, false alarms are less likely. They can warn of an impending accident or efforts at forced entry, and may soon be able to locate the event as well. These systems use software that can discriminate between recognized events and situations that are unknown or potentially dangerous. All the events are recorded and can be replayed and reviewed by a remote operator at any time.

Increasingly, inexpensive monitors are available that connect wirelessly via Wi-Fi, mesh networks, cell phone, satellite, a radio channel or sometimes via microwave. Such devices save the high costs of direct wiring to remote areas and the need to protect and conceal the wiring. But there is also a trade-off with reliability and security, as any radio frequency device can be monitored or jammed and may also be spoofed.

In addition to intrusion alarms, environmental alarms should be provided to measure temperature, humidity, and smoke, fire, and flood situations within all critical areas and equipment cabinets as well, as described in Sections 23.8.7 and 23.8.8.

23.6.9 Other Important Alarms.

A duress alarm system is recommended within most critical areas. This is usually a large red button or an emergency intercom conspicuously mounted near the exit. It is used if someone is injured or ill, when trouble occurs that other alarms will not immediately sense, or if violence is threatened. The emergency intercom types are best because each party can talk and listen. Those with a CCTV camera are the most capable, but many inexpensive emergency intercoms that provide audio only can be useful. Security personnel can constantly monitor all sounds within a secure area, and anyone inside can readily talk with security personnel. Duress alarms are usually silent. And activation devices can be concealed or located inconspicuously in case a potentially violent situation erupts. Duress alarm activators inside of cash drawers, in the knee wells of desks, or under counters have been common for years.

Beyond access control and authentication, it is also important to know whenever a locked door is not fully closed. There should be a sensor that warns whenever an access-controlled door is open or ajar. The sensor is normally built into the door buck (frame) to provide a silent alarm. An open-door alarm system delays for a few seconds in order for one authorized person to enter or exit normally. A short delay prevents leaving a door ajar for someone else to push open, piggybacking when another person enters or leaves, and tends to prevent anything large being taken in or out. The open-door alarm also prevents a door from being propped open at any time. The door-ajar sensors should be concealed at all times so users are unaware of their existence. Otherwise, they may be taped or jammed or otherwise defeated.

A final security protection is to prevent “double-dipping” whereby an authorized person requests multiple entries in order to admit unauthorized persons. The access control system can prevent this; once persons enter a space, they must be logged out before they can try again to enter.

23.7 SURVEILLANCE SYSTEMS.

Today, surveillance systems are designed and laid out to document fully every event, to facilitate positive personal identification, and to provide legal evidence when needed. Today's digital cameras, controllers, and recorders can do all this and more. The old analog or film cameras and recorders are inadequate and should be replaced, especially since the new surveillance systems are much less expensive.

If the protection is designed well, cameras can provide an indisputable, accurate, historical record that is available instantly. Cameras never sleep and are not distracted by repetitive tasks or boredom. More important, cameras can provide early warning, and can document events from many perspectives, concurrently and synchronously. Cameras increasingly incorporate microphones and interface with emergency audio intercoms, the better to assess a situation, assist people on the scene, or challenge suspicious persons. The very presence of visible but inaccessible cameras usually deters most troublemakers. Protecting the infrastructure requires both early warning and identifying the nature of trouble before it can happen. The new surveillance systems can do this effectively. And they can be integrated with other alarms and with premises security systems for strong, seamless protection.

23.7.1 Surveillance Cameras.

Surveillance cameras are far more effective and much less expensive than guards, watchmen, or extra receptionists. However, for strong, redundant, and flexible security protection at important locations, both cameras and people will be needed.

Surveillance capabilities are becoming increasingly effective protective devices. They can now see more, detect some dangerous hidden materials, and, increasingly, decide what is important to monitor. For example, General Electric recently announced a smart camera that can detect explosives by recognizing the telltale waves emitted and can also detect erratic or unusual body movements within a crowd to thwart possible terrorism.6

Equipment rooms and other sensitive areas once relied on motion detectors for security, but now digital cameras with motion detection work better. Digital cameras also function well indoors and outside, and under most light conditions, from sunlight shining into the lens to near, if not total, darkness. When used outdoors, digital cameras are immune to all but very severe weather conditions. They are, however, affected by heavy smoke, snow, ice, and rain. Wind-blown objects and sometimes birds or small animals can distract their motion-detection systems.

Today's digital systems are far more capable and reliable than the earlier analog or film cameras. Cameras were once the weak link because the details were not clear or too small. Many of the old cameras were needed to cover an area, and even then, necessary details were often out of focus. Now cameras are much smaller, less expensive, and take advantage of auto-focus, tilt, and zoom capabilities to yield much better pictures. Almost all cameras now use color as well for better clarity. Some also incorporate an inexpensive, monochrome, night-scope mode that works well in total darkness. Digital cameras automatically correct electronically and mechanically for varying ambient light conditions. Most can correct for background lighting conditions that would otherwise cause subjects to be underexposed, for sunlight glaring directly into the lens, and for unusual brightness that would otherwise wash out a useful image. All of the images can be viewed in real time, and one or more persons can simultaneously control the views and scroll back to freeze and enlarge frames. All viewers can adjust the brightness, contrast, colors, and zoom, and can apply filters to bring out foggy details. Any viewer can save anything viewed.

All but the smallest indoor cameras now include a microphone so that both video and audio are recorded. Outside the facilities, some installations interface with an emergency intercom so background sound is continuously monitored and dialog recorded. Emergency intercoms are particularly good deterrents because security personnel can confront possible troublemakers and advise them that they are being recorded. Most will back off or flee before trouble occurs. Although many camera control systems provide electronic zoom, the primary zoom function should be mechanical. Electronic zoom systems are inexpensive, but they lose resolution and images can quickly become unidentifiable.

Miniature cameras can be particularly useful and save money as well. Cameras less than one inch in diameter can provide sharp detail. Some units with zoom lenses and pan and tilt mounts can be hidden within any common object.

Opinions vary as to the ethics of using concealed cameras, and some state laws limit their use as invasions of privacy. Generally, the rules of good surveillance practice are the same as those for monitoring telephone conversations, e-mail, and Internet use. In order to protect itself, the organization has a right to see and hear whatever is going on in and around its premises. But signs should be posted so that workers and the public are advised that all persons entering the premises may be monitored for safety and security purposes. Company policies should explain this, and why surveillance is necessary.

23.7.2 Camera Locations and Mounts.

To serve as a deterrent, some cameras should be readily visible, but this may present some problems. Overt cameras placed too high are not good for identifying people, while cameras placed too low can be spray-painted, covered, or smashed. Any visible camera can be shot out (perhaps unnoticed using a silencer). Older cameras are good for overt use because they are large and may provide backup surveillance. Another option is dummy cameras, some of which have visible indicator lights or automatically pan to attract attention. Some dummy cameras are in fact alarms that will trigger if the unit is disturbed or if its wires are cut.

Surveillance systems should be able to identify troublemakers and must be able to gather evidence admissible in court if needed. The areas monitored, the camera angles, and the lenses selected are all important. Hundreds of millions of facial images are stored in government databases worldwide (including licenses, passports, and other official documents), so a good surveillance system may indeed be useful to identify troublemakers. But the police standard face-recognition technology requires a frontal full-face view, which is possible only when the camera position is not much higher than the person's head.7 Surveillance of a wider area requires an elevated camera that can see greater distances, zoom in on details (especially faces and vehicle license plates), and closely follow an event. Wide-area views are also necessary to spot multiple troublemakers. Several camera angles will likely be needed to gather good evidence.

Outdoor cameras are usually attached to a swivel-and-tilt mount and housed inside weatherproof domes, or inside larger enclosures when large zoom lenses are needed. There is usually no attempt at concealment because the cameras are too high to reach, and they provide good deterrence as well. Many may be inconspicuous, however, or even disguised. When large cameras and enclosures are used, the direction the camera is looking in may be obvious. Often troublemakers will create a distraction to lure the cameras away from the real problems.

23.7.3 Recording Systems.

Once, VCRs were the norm, but now most recording is done with hard drives that can store hundreds of hours of audio and video taken from multiple sources. And increasingly, solid-state drives are also used.

Once, only one person could review the tapes and then, usually, only after the recording was complete. Now one or more people may access and analyze the information simultaneously. Once, 31 VCR tapes were recommended for each system: one tape for each day of the month, after which the tape was inspected and reused. Now one hard drive can record a month's data, which can then be inexpensively archived on DVDs or at remote storage locations. The VCRs often recorded in a time-lapse mode to save tape until an event occurred to trigger real-time recording. Now everything can be recorded continuously in real time to examine fully the happenings before, during, and after an event.

23.7.4 Camera Control Systems.

Camera control systems commonly can direct the swivel (pan), tilt, mechanical zoom, aperture, and background lighting of each camera. Some control systems can automatically pan cameras back and forth across large viewing areas and also provide motion detection. Some control systems can also stop panning and zoom in on any unusual event. This is a valuable feature that must be carefully programmed so the system is not distracted by spurious events or deliberate diversions. Usually each camera can also be controlled manually and often from remote locations.

A major advantage of a digital system is that each camera provides continuous images, usually at about 30 frames per second, which fiber optic and other broadband connections bring to the recording system in real time and high resolution. The control systems usually allow one or more persons to roll back the images without affecting the real-time recording. Each viewer can scroll backward and forward, freeze frames, zoom, crop, or enhance the image electronically, and save any material to another medium or system as evidence.

23.7.5 Broadband Connections.

The advantage of broadband camera connections is that the information is available in real time and with high resolution, and that more camera control functions are possible. Fiber optic cabling does this best, but it should be dedicated and well protected. Remote cameras can also be connected via a LAN, wireless, or broadband Internet connection, if done carefully, so that the data is secure and other traffic is not impeded.

Digital multiplexing is another advantage of broadband connections. Multiplexing over metal wiring once necessitated delays, lower resolution, and fewer frames transmitted per second, even though each camera was providing continuous, high-quality images. Now digital multiplexing over fiber connections allows all data from all cameras to be transmitted simultaneously. Multiplexing is accomplished remotely as signals from several cameras are combined into a single broadband connection to the control system. Connections among control systems are also multiplexed to minimize line charges. The signal interfaces between each camera and the multiplexer can be fiber optic, microwave, a network, or the Internet. This way, hundreds of cameras can be networked economically.

Radio or microwave multiplexing is another option, but it is not very fast and is subject to interference or disruption during severe weather conditions.

23.8 OTHER DESIGN CONSIDERATIONS.

Good protection begins with good facility design that will ensure the safety of the information infrastructure and the people who use it. Protective systems become expensive and inefficient when the premises themselves do not facilitate good security. Proper interior design, facilities layout, engineering, and construction can maximize security effectiveness, minimize costs, enhance productivity and morale, and generally boost profits. The starting point is an inspection of all sites and review of all as-built plans and construction documents.

Premises security inspection and review are best augmented by using independent, outside security experts. Comprehensive and objective architectural, design, engineering, IS infrastructure, and premises security experience are all needed and may not all be available internally or from vendors. The inspection and review process always must be threat-specific and must relate to a thorough threat assessment (which is described in Chapter 22). The premises inspection can then serve to validate the vulnerabilities identified by the threat assessment. Once some of the vulnerabilities are corrected, the premises inspection should be repeated.

For organizations using classified information, or where very strong security is needed, reference should be made to the many publications of the federal National Institute of Standards and Technology (NIST).8 Begin with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. Also look at the many publications from the Computer Security Resource Center (CSRC) within NIST, beginning with the Automated Security Self-Evaluation Tool.9 Understanding these standards may require outside expertise to independently certify compliance.

Effective infrastructure protection can prevent trouble from happening. To do this, there must be ample early warning, which, in turn, requires good facilities planning and design, effective premises and infrastructure security in place, and the awareness and vigilance of everyone in the area. All must work together seamlessly, efficiently, and proactively.

Good facilities design can be efficient, nonintrusive, cost effective, and inexpensive—even within existing facilities. Here are some guidelines and suggestions.

23.8.1 Choosing Safe Sites.

Sites for equipment rooms and utility closets should be protected from possible threats. Infrastructure sites should be located far away from all piping, tanks, or equipment that uses any liquid that could possibly leak or spill. Most plumbing tends to leak unexpectedly at some time or can be intentionally breached, so it is well to assume that any pipe, connection, container, or pump will eventually burst or leak. Placing sensitive sites at a distance from such threats is safer and cheaper than any other form of protection. The danger zone where leaks may spread must include an ample vertical distance and horizontal area. Begin the danger zone with a pyramid from any leak source, downward several floors, and outward horizontally well beyond the infrastructure areas.

Most buildings require fire-suppression sprinklers in all areas. Any may activate by accident, vandalism, or an actual fire, and may cause considerable flooding. Also, infrastructure sites should be located away from windows, exterior walls, roofs, skylights, building setbacks, and storm drains, which are all potential sources of flooding. Treated water used in heating, air conditioning, and solar systems presents a worse problem, in that the chemicals can quickly destroy electronic equipment, connectors, and wiring.

If all of the infrastructure cannot be positioned at a safe distance from all liquids and hazardous materials, there must be special protections and alarms. Protections include sealed, waterproof construction, drains, berms or other diversion devices, and proper materials close at hand to control any spill. There should be environmental alarm sensors near where leaks or spills could occur. Floor drains must also protect the equipment areas, especially those that use sprinklers; otherwise, cleanup will be difficult.

Infrastructure sites should not be visible or accessible from any public area. Infrastructure wiring or cables should not run through the building core, public, or mechanical areas, including rest rooms, slop sinks, janitorial closets, and stairwells. Avoid placing equipment or cables where any persons might loiter. All equipment room entrances should be clearly visible from workplaces where employees can readily observe all comings and goings. Choosing inherently safe sites and entrances greatly reduces both risk and costs because less security is needed.

For effective security control, there should only be one access point to each critical area, used for both entry and exiting. However, if local fire or building codes require a secondary means of egress, a delayed-access panic bar is usually acceptable. Such a system delays releasing the exit lock for a few seconds, while an alarm sounds and a surveillance camera is triggered. There should also be surveillance cameras with motion detection throughout all secured areas. All locked doors should look as alike as possible from the outside and be identified only by a room number that looks similar to that of any other premises door. No functional name, person's name or title, or any other means to identify what is inside a locked area should be apparent. No signage or directory should include a functional, personal, or departmental name, but only area or room numbers and directional arrows if needed. Only floor, room, or suite numbers should appear on premises signs, on floors.

23.8.2 Physical Access.

Physical access to all parts of the information infrastructure should be restricted. All information system and network equipment must be inside equipment rooms that are always locked and accessible only to those who need to be there. All utility and wiring closets, power distribution panels, patch panels, wiring blocks, and terminations should be located inside equipment rooms that are always locked. If possible, do not allow unrelated systems, equipment, or utilities inside a restricted area, so that a technician working on an unrelated system cannot access the information infrastructure. If this cannot be avoided, IS personnel should always escort others entering these areas. In high-security areas, all persons entering should be escorted, or use two-trusted-person teams where each person observes the other. Guards and facilities-security personnel are good premises-security escorts but probably do not know the infrastructure and are not the best choice here. IS personnel are better escorts, even though they may not know all the security details. In any event, all persons entering must be positively identified and each visit logged.

It is wise to put critical electrical distribution panels inside an equipment room, so they are quickly accessible and also protected. This is a safety issue as well; someone working on equipment or wiring can readily see that the circuit breaker is off. Otherwise, electrical distribution panels should be located inside a locked area that is unmarked from the outside other than by a coded location number. Panels are often located in public areas in many buildings; they must then be securely locked and alarmed as well. Whenever an electrical panel controls anything critical, access to the area should be restricted and the room alarmed. These precautions reduce any loss of power to critical systems by accident or intentionally.

A mantrap can best control access to critical equipment rooms. A mantrap is a two-door arrangement with an inner door, outer door, and a short corridor in between. Both doors are interlocked; one must be closed before the other can open. The corridor usually is constructed with a shatterproof, full-height glass partition (often one-way glass) on one or both sides for surveillance. Both the doors are usually windowless. And each door must have a strong access control system. But for safety, the outer door can usually be opened from inside the corridor using an alarmed panic bar. Usually one or more surveillance cameras are positioned to identify anyone entering or leaving the mantrap.

Emergency intercoms within the mantrap corridor and at the entrance and exit points are strongly suggested. Conspicuous duress/assistance buttons should activate silently, so security personnel can monitor the area and speak with or challenge anyone who cannot pass through properly. The alarms are best silent so that anyone under duress is not further threatened. Emergency intercoms often include small cameras that are inconspicuous or concealed, so that security personnel can see what is happening, assist if someone is ill or somehow becomes trapped, and avoid public-safety issues. A well-designed mantrap can be valuable for all but heavily traveled entrances.

Mantraps can tighten security in many ways and are usually not intrusive. They can detect “piggybacking,” when one or more extra persons closely follow someone who is authorized to enter. Mantraps in themselves do not preclude propped-open doors, but they make removal of objects from the room difficult and risky. The access control log and surveillance recordings can identify troublemakers and provide strong evidence to convict those who might otherwise be suspects or persons unknown.
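The mantrap interlock described in this section, as an added example that is not part of the chapter: a controller that opens either door only when the other is closed, opens the inner door only when exactly one person is in the corridor (which is how piggybacking is caught), and always releases the outer door from inside for safety while raising an alarm. The badge table and the corridor occupancy sensor are constructed assumptions.

```python
"""Mantrap interlock controller.

Added example, not from the chapter. The credential table, door names
and the corridor occupancy sensor are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed credential table: which doors each badge may open.
AUTHORIZED: Dict[str, Set[str]] = {
    "B-1042": {"outer", "inner"},   # cleared for the equipment room
    "B-2001": {"outer"},            # may enter the corridor only
}


@dataclass
class Mantrap:
    outer_open: bool = False
    inner_open: bool = False
    occupants: int = 0   # assumed corridor occupancy sensor (mat, beam or camera analytics)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def _authorized(self, badge: str, door: str) -> bool:
        return door in AUTHORIZED.get(badge, set())

    def request_open(self, door: str, badge: str) -> bool:
        """Interlock: a door opens only if the other door is closed and the
        badge is authorized for it. The inner door additionally requires
        exactly one person in the corridor, which blocks piggybacking."""
        other_open = self.inner_open if door == "outer" else self.outer_open
        if other_open:
            self.log.append((door, "refused-interlock"))
            return False
        if not self._authorized(badge, door):
            self.log.append((door, f"refused-badge:{badge}"))
            return False
        if door == "inner" and self.occupants != 1:
            self.log.append((door, f"refused-occupancy:{self.occupants}"))
            return False
        setattr(self, f"{door}_open", True)
        self.log.append((door, f"opened:{badge}"))
        return True

    def close(self, door: str) -> None:
        setattr(self, f"{door}_open", False)
        self.log.append((door, "closed"))

    def sensor_occupancy(self, n: int) -> None:
        """Update from the corridor occupancy sensor."""
        self.occupants = n

    def panic_exit(self) -> None:
        """Safety override: the alarmed panic bar always releases the outer
        door from inside the corridor, regardless of interlock state."""
        self.outer_open = True
        self.log.append(("outer", "panic-exit-alarm"))


def piggyback_scenario() -> Tuple[bool, bool, bool, List[Tuple[str, str]]]:
    """Constructed walk-through: two people enter the corridor on one badge,
    the inner door is refused, one person leaves, the inner door then opens,
    and the outer door is refused while the inner door is still open."""
    m = Mantrap()
    m.request_open("outer", "B-1042")
    m.sensor_occupancy(2)           # a second person followed closely
    m.close("outer")
    first = m.request_open("inner", "B-1042")    # refused: two occupants
    m.request_open("outer", "B-1042")            # let the extra person out
    m.sensor_occupancy(1)
    m.close("outer")
    second = m.request_open("inner", "B-1042")   # opened: one occupant
    third = m.request_open("outer", "B-1042")    # refused: inner still open
    return first, second, third, m.log


if __name__ == "__main__":
    for entry in piggyback_scenario()[3]:
        print(entry)
```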

23.8.3 Protective Construction.

Equipment rooms require sturdy partitions for good security and to support the considerable weight of wiring and equipment. Moreover, the partitions and walls must remain safe and stable during any seismic activity, such as heavy road traffic or a sonic boom, explosion, or earth tremor. Floors may also need to be reinforced. Sturdy partitions deter forced entry, which may be otherwise accomplished with little more than a pocketknife and a fist. Existing walls, partitions, and floors should be inspected and any subsequent alterations approved by a structural engineer. Consider too what might be needed long into the future; changes later may be very costly or simply impractical.

Security doors should be sturdy also. They should be metal, fire-rated, and relatively heavy duty and use heavy-duty hardware. Try not to call attention to controlled doors by any distinctive external appearance. If many occupied areas use wood doors, the security doors should not stand out. Use wood-faced metal doors and hardware that looks similar to all the other doors. Sometimes secure-looking dummy doors that lead to nothing important are used for deception or as an alarmed honeypot to draw troublemakers away from secure areas.

Well-constructed partitions and ceilings will also seal out smoke and contain smoke in the event of an interior fire. Weatherstripping around the perimeter of each door is recommended to keep out dust, contaminants, and humidity and to trap any smoke.

If possible, wiring that must run inside a door should be routed within the hinges so that no wires are visible at any time. Exposed wires can be damaged by accident, cut deliberately, or compromised in many other ways. The major hinge manufacturers can supply special hinges to conceal most wiring and match the appearance of other premises hardware.

Masonry partitions are usually unnecessary unless there are special structural or very high security requirements. Drywall partitions with metal studs are usually sufficient but should be extra sturdy. Type-X fire-rated drywall panels at least three-quarters of an inch thick are recommended. Better yet, use double half-inch- or five-eighths-inch-thick panels. Existing drywall partitions can easily be double-paneled for added security and strength. Masonry partitions, especially, and often drywall as well are usually faced with sturdy fire-rated plywood for attaching equipment supports and wiring. Whether the plywood is mounted on stand-offs so that wiring can be run behind it is a matter of preference. Usually it is more efficient to run all wiring exposed inside a secured area.

Do not use a suspended (hung) ceiling in any equipment room. Suspended ceilings just add cost, inconvenience, and diminish the volume of the room. The plenum space above the suspended ceiling is a fire hazard, and everything inside it must be fire rated, including any exposed cables, which adds unnecessary costs. Most building codes require separate fire detection zones and suppression heads within every plenum, which is a major cost. Remove any suspended ceilings and get more useful space for cables, better air circulation, and easier maintenance.

Avoid raised floors for the same reasons. They are very costly, functionally unnecessary for most installations, and take up extra floor space for ramps. Like suspended ceilings, raised floors create a plenum space that needs separate fire detection zones and suppression heads. Raised floors usually restrict the ceiling height because the space was not designed for this, so the room must be enlarged to accommodate everything, and often with little expansion provision for the future. Raised floors soon become dust traps and, in time, usually a clutter of new, old, and abandoned cables that no one can figure out. Many equipment failures have been caused by overheating due to airflow restricted by too shallow a raised floor or by too many obstructing cables. A raised-floor plenum is rarely needed to supply cooling air. Surface-mounted ducts and registers usually can do the job better and much cheaper, and are easily cleaned and modified. All of the wiring can usually be routed efficiently above and between the equipment or by using inexpensive cable troughs mounted on walls and ceilings. If needed, floor outlets can access trench ducts in the floor, which may already exist, unused. Conduit can be installed through the floor slab and along the ceiling below for special needs.

It is important for all wiring outside of equipment rooms to be protected inside of metal conduit. This conduit should not be thin-wall or plastic but rugged, heavy-duty metal. Thick-walled metal conduit is strong, harder to damage or breach, and provides good magnetic and electronic shielding as well. Metal conduits can easily be, and should be, well grounded. Obtain expert advice on where and how to connect the grounds to avoid interference. Metal conduit also may serve as a proximity sensor to warn when something gets too close. Alarm wire concealed within the conduit offers early warning of trouble and often can pinpoint where it is located. Sometimes an inert gas or gel is used to pressurize conduits to protect the wires; a pressure drop indicates a leak or a breach but does not indicate where it may be.

All conduits should look alike whether they carry power or data, or control security systems. Although the diameter of the conduit must vary, the general appearance should be the same. Do not label or mark the outside of any conduit except with an alphanumeric code. Cables inside of a conduit should not be marked either, except alphanumerically. Generally, any wires within conduit should emerge only inside of a secure closet, equipment room, or junction box, where the wires should be labeled.

Data cables and wiring are fragile, whether copper or fiber optic. Any undue pressure, bending, stretching, vibration, or crimping can alter transmissions or cause failure. Fiber optic cables are especially fragile; metal conduit is usually the best and least expensive protection. This avoids special sheathings that are often cumbersome and costly.

Any wiring, whether metal or optical fiber, can be improperly specified, installed, or terminated. Substandard wiring or installations may function well temporarily, but future failure is likely, possibly hard to locate quickly, and will be costly to fix. Therefore, it is important that all cables be acceptance-tested and certified by an independent expert before the installer is fully paid.

Critical cable runs should be alarmed from end to end, whether the conduit carries power, data, or security. There are several ways to alarm a cable run. Outdoor conduits are often pressurized with nitrogen to keep out humidity, or with a special gel to keep out oxygen and humidity and to stabilize the wires inside. Interior conduits can be pressurized and alarmed in the same way. Monitoring the pressure provides an alarm when trouble starts (including failed seals that must be fixed quickly). The system is effective and provides early warning, but breaches cannot be pinpointed, and any future wiring changes may be difficult.

Proximity and pressure-sensitive sensors also can alarm the entire length of critical cables. A monitored run of conduit can be very long and may continue through areas that are difficult to protect or offer no concealment. While surveillance and intrusion detectors can protect most vital areas, there is often much infrastructure that can be protected only by sensor wires running the full length of the conduit. Mechanical pressure sensors will detect unusual vibration, while proximity sensors indicate a change in the magnetic or electronic environment surrounding the cable or conduit. Newer systems utilize fiber-optic sensors that monitor sound pressure. Some of these systems are smart enough to distinguish routine, harmless events from possible trouble, and many can roughly pinpoint the location as well. Sometimes the conduit itself is the sensor, or an external wire is attached to the conduit, but these approaches are often ineffective.

23.8.4 Using Existing Premises Alarms.

Various codes require workplaces to have visible and audible fire alarms. And most workplaces have voice paging, emergency intercom, surveillance, and premises security systems as well. All of this equipment can be utilized effectively to augment and support information infrastructure security. Audible alarms are used when persons at the scene must take immediate action, such as to lock down or to evacuate. Conversely, silent alarms provide early warning and allow security to monitor the scene discreetly, gather evidence, and respond and assist as needed. All these alarms can be integrated into infrastructure protection systems to provide better early warning and extra layers of protection.

All alarms and alerts should be transmitted to a central security desk or guard station. The purpose is to document and manage incident response, summon assistance quickly, monitor the scene, accumulate evidence, and support all of the response resources. Central management is especially necessary when threats cascade or multiple events occur, as they often do. Security managers, IS managers, the infrastructure security manager, and key department heads also should be notified immediately. Some of these people may be offsite or at remote locations but will need to communicate effectively with at least the operations center. Notifications and the subsequent communications should be quick, private, secure, and logged to document the events. One or more online backup security control and operations centers provide redundancy, support and assistance, and strong security. (See Sections 23.2.1 and 23.2.2 for the federal incident management requirements.)

An effective method of premises-wide alert uses voice codes broadcast over a paging system. These are usually scripted and often prerecorded so that alerts can be initiated automatically, remotely, or manually. Hospitals do this effectively with their color-named codes, which are in effect silent alerts that do not seem unusual to the public. An effective system of alert codes in a large organization also uses the names of fictitious persons. In a smaller setting, such as a school, where the names of all personnel are known, there can be alert messages to an individual to take an innocuous action, which is understood to be an alert code. Additional alphanumeric information in a message can identify the general location of an incident. As in a hospital, it is well to add similar codes for other routine purposes, so the public will generally tune out all the paging. This system is particularly useful when violence is threatened or has erupted.

Although most security personnel now have portable radios, there may be many areas of no reception, and few use earpieces that would keep others from hearing what is happening. However, all security personnel must know immediately when trouble looms, and they must be alerted in a way that does not agitate others. Also, everyone inside the premises needs to know when an emergency threatens. Indeed, everyone has a legal right to know and to promptly receive instructions for their own safety. Anything short of this will result in considerable liability. Therefore, effective procedures, clear simple instructions, good preparation, and periodic training can protect everyone and provide strong security.

23.8.5 Clean Electrical Power.

Protecting electronic equipment requires a source of electrical power that is consistently “clean.” Power outages and brownouts can cause obvious trouble, but numerous other disturbances can disrupt or damage the information infrastructure. Some of these include dips and sags, spikes, transients, and magnetic or radio frequency interference. Most of these are intermittent and not necessarily present when the circuit is tested. Understanding each term is not as important as knowing that a wide variety of problems commonly occur in power lines, randomly and without warning.

Brownouts are particularly harmful. These are voltage reductions by the electric utility that can cause air-conditioning equipment, cooling water pumps, and ventilating systems to malfunction or to shut down. The associated equipment may be damaged unless it is quickly shut down or switched over to an uninterruptible power supply or a motor generator.

Few power disturbances will destroy circuits or crash systems immediately, but most can cause cumulative damage. Each incident can weaken electronic circuits that will eventually fail for no apparent reason. Poor equipment quality is often blamed, because the cumulative effect was not recognized. Worse, replacement equipment will probably soon fail also.

Power disturbances can be measured to determine whether a particular circuit seems to be clean. Usually a recording device is left in place continually for at least a week to measure and log the details of every event that occurs. (Avoid any test instrument that merely logs an unnamed event but provides no details.) An independent engineer who is not a vendor may best provide testing that is objective, comprehensive, and covers the entire facility.

Some circuits are likely to show intermittent disturbances caused by something nearby or within the building and sometimes by faulty wiring. Knowing what power problems arrive via the main service helps to determine whether the utility is at fault and to isolate where in the building other disturbances may originate. There may indeed be numerous causes of power disturbances, and all of them may be intermittent, which is why continuous seven-day, 24-hour monitoring is the minimum recommended.

Another major electrical problem is improper grounding that can damage sensitive equipment and cause interference in cables. Electricians must comply with national and local electrical codes, but they do not necessarily understand or provide the special grounding necessary for sensitive IS platforms. Most heavy equipment manufacturers require that each unit have an isolated ground connection with a dedicated wire all the way back to the central building ground bus. A few manufacturers do not provide installation specifications unless asked, and some installers disregard them to remain price competitive.

Opinions vary as to the best building ground configuration for information systems, and as local conditions can vary significantly, no one approach is best. It is wise to consult an independent engineer to inspect the grounding configurations, and to recommend and certify local code compliance. It is also important to provide separate circuits for all IS equipment and, where the equipment plugs into a receptacle, to provide no more than a single receptacle on that circuit. Separate circuit breakers are usually required for all equipment that can draw high current, especially if the load may cycle on and off. This is required by code for large motors, such as pumps, air conditioning, and elevators, whose cycling can cause dirty power on other branch circuits. But copiers and large laser printers (especially older ones) can also create electrical disturbances when starting and when the fuser-heaters cycle. All types of lights can cause a dip or a surge when many fixtures are switched on or off at once. (The newer fluorescent light fixtures with electronic ballasts conserve power and cause much less interference.) A separate circuit connection somewhat isolates the hot and neutral wires from other circuits, but interference may be generated through the grounding connections that often are daisy-chained with many other circuits to cut costs.

Never share a dedicated circuit with equipment such as time stamps, electric staplers, coffeepots, refrigerators, heaters, fans, or any other device with a motor or solenoid; any of these can readily disrupt and damage electronic equipment. Even if inaccessible, a dedicated outlet should be a single receptacle, not a duplex. It is all too easy for vacuum cleaners, power tools, or maintenance equipment to use the other half of a duplex outlet. This will cause a severe disturbance and may trip the circuit breaker. There must be plenty of convenience outlets that are readily accessible for all noncritical needs.

Yet another cause of power problems is excessive solar activity. These events can be measured only when they occur, which is unpredictably within a cycle of several years that peaks about every 11 years. Solar disruptions occur only during daylight hours. High solar activity occurred in 1988, causing major power outages and radio interference in Montreal, Canada. Daily solar activity reports, forecasts, pictures, and historical records are available at www.dxlc.com/solar and other sites. (See also Section 22.6.7.)

There are several remedial options when power disturbances are suspected, encountered, or even possible.

  1. Eliminate the problem at the power distribution panel. Better grounding, more separate circuits, suppressors, filters, and isolation transformers may help. But this type of remediation can be difficult, costly, or unreliable.
  2. Use a surge suppressor near the equipment it protects. This is inexpensive but useless against brownouts, outages, and severe disturbances.
  3. Employ an uninterruptible power supply (UPS), which provides battery backup power, for each piece of critical infrastructure equipment. One type of UPS is activated only when the incoming power fails, although its battery is always being charged. A better type is always online, acting to filter the incoming power, suppress most surges, compensate for minor brownouts, and maintain full system power for five to 10 minutes following an outage—enough time to allow an orderly system shutdown. A third and best type of UPS always powers its load from its batteries, thus isolating the load from the power line and providing optimum protection.
  4. For systems that draw high wattage, a motor-generator (MG) set will eliminate most power problems. An MG set is an electric motor driven by the utility power. The motor is coupled to a generator that will always supply clean power to the load. The generator is usually voltage-regulated automatically, although the frequency can vary, which may disrupt some timing circuits. Usually if there is a power outage, mechanical momentum of the unit will provide sufficient power for an orderly equipment shutdown. Motor generators are still used for the ultimate in filtration and regulation, but there must be an electrical bypass to facilitate maintenance.

UPS units should power and protect the servers, network and telephone equipment, computers, and critical monitors. Most UPS units provide outlets with no backup power but with noise suppression for printers, transformer “bricks,” fax machines, and peripherals that do not need to be kept running. Most of these devices are somewhat expendable and quickly replaced by spare units if one is damaged.

Individual UPS units, placed near the equipment they protect, cost less and can be powered off by the operator to better protect equipment that may be vulnerable, even when the equipment is already shut down. This can provide an extra layer of protection where lightning might strike. Larger UPS units are used in equipment rooms where they can also monitor and log all power events and trigger remote alarm indications. Most good UPS units can initiate an automatic equipment shutdown when the power fails, the UPS batteries are low, or someone intervenes manually. There can be an issue, however, when some of the protected equipment cannot be restarted until the UPS batteries are fully recharged. Some UPS units are also network devices that can report their condition to a remote location.

Many UPS units also provide telephone and Ethernet line filtering and suppression, and this should be utilized if possible. Lightning transmitted over communications wires can readily damage telephone instruments and modems. Power and communication line spikes can occur asymmetrically, and can devastate equipment that one disturbance alone would not damage. A good UPS unit with communications line suppression is best able to stop both types of spikes.

Another benefit of UPS units is that when an emergency generator is on line, the electrical power is much dirtier than utility power. The extra filtration and stabilization provided by the UPS units may be the difference between IS equipment operating or crashing.

23.8.6 Emergency Power.

Most of the critical systems and infrastructure must remain fully operational during any electrical power problem. Filtration and suppressors cannot compensate for power outages, handle most brownouts, or cope with major electrical interference. Disturbances might come from lightning (even when it is too distant to be seen or heard), severe solar activity, or radio-frequency interference corrupting the utility power. UPS units can deal with some of these conditions, but only briefly. Therefore, a backup emergency generator may be the only way to continue operations during sustained power problems.

Although backup generators are often the only alternative, they are not a panacea. Generators are expensive and complex to install, require at least monthly “exercise,” and are not always reliable. Their voltage regulation is marginal; during sudden load changes, the output voltage and frequency may fluctuate as well. As the load increases, more current is drawn, and, if the generator is overloaded, the voltage will drop and the frequency may drop below 60 Hertz (which can disrupt IS timing circuits). Because the load current increases to meet the power demand, the amount of heat generated by the equipment being powered will increase as the square of the current. Much of the IS equipment powered is inductive, and there can be a large starting power surge when it is turned on or restarted. Generators, therefore, must have ample reserve capacity beyond the anticipated equipment loads. And given their cost, generators should have ample reserve capacity for the future as well.

Another issue is whether a particular generator can provide sufficiently “clean” electrical power to operate IS equipment as well as power for the other emergency needs of the facility. Be sure, therefore, that the generator specified has ample capacity and that it is intended for use with electronic equipment. Even then, interference from large motors or lighting systems can affect the electronic equipment.

Because backup generators are expensive and complex, planning is often short-sighted, and many installations are not well designed or adequately tested. The inevitable result is that many generators do not perform as expected. Here are a few examples of what can be overlooked.

After considerable discussion at a major money-center bank in Manhattan about what seemed to be the excessive cost of a backup generator, the project was begrudgingly approved. The generator was to power two identical computer systems running in tandem to support a critical securities trading operation. Because the generator would actually cost more than the two computers, cost was an issue until the bank realized that the generator would pay for itself within one day of use. Soon after completion, a sudden citywide blackout erupted and the outage lasted for three days. Despite much inconvenience carrying fuel from the elevator up a flight of stairs to the rooftop generator, the unit performed flawlessly—one of the few systems in Manhattan that did.

Many other generators did not start or cut over properly, despite warm, clear weather conditions. And others did not support the necessary infrastructure. Some installations did not think to include the power requirements of HVAC, so the computers had to be shut down within a few minutes to avoid overheating, even though there was ample electrical power for them. Generator power for other necessary support functions was neglected. These included network components and communications systems, lighting for users, an elevator for access by key people and to carry fuel to the generator, security and access control systems, and at least basic electrical provisions for food and rest for those keeping the vital systems running. Very few businesses thought to include all of the necessary support functions on their emergency power systems. This incident happened some years ago, when power outages were considered very unlikely in Manhattan. Generators then were somewhat of a status symbol. But today, sudden blackouts anywhere are far more common.

A related example of shortsightedness occurred recently in a large suburban luxury hotel operated by a prestigious hotel chain. Following a severe thunderstorm, the power utility advised the hotel that they must lose power for several hours to repair a damaged substation. Given ample notice, the hotel set out hundreds of candles in the corridors, dining, lounge, reception, and pool areas, and started their emergency generator, which then cut over automatically as soon as the blackout occurred. Emergency exit signs and emergency lights in the corridors and stairs all worked properly. As expected, their batteries soon died but the candles functioned long and well. The generator also powered one elevator, the computer and telephone systems, the access control system, and all the room locks. The generator performed as expected, but the emergency response process did not.

Even with ample warning, no one thought to shut down the other elevators or to post signs to use the stairs. Two very frightened people were trapped in the dark, between floors, proving that a generator can be a liability and not a benefit unless operating procedures are carefully planned, well implemented, and periodically reviewed. There should have been a security checklist used whenever the generator started.

Another recent example involved a state's emergency operations command center, designed to remain safe and fully operational no matter what events might occur. A large generator powered all the critical systems. Everything had been tested many times and had operated smoothly as expected. But then trouble came during a heavy thunderstorm in the vicinity. Electrical power for most of the city flickered several times and then returned to normal. However, the generator tried to start at the first sign of trouble and then faltered as the power returned. A few seconds later when the power again flickered, the generator system had been damaged and was unable to start. The state was lucky that the generator was not needed then, but it was out for several days for repairs.

Most power failures begin with flickering and momentary outages, which can incapacitate a generator system that is not set up properly. Most mission-critical generators are set up to start the engine automatically, and many transfer power automatically as soon as the generator comes up to speed. Manual start-up and transfer are more reliable and cheaper, if trained personnel are always available. The best way to sequence automatic operation follows.

  1. After the first start-up signal, the start-up sequence must continue until the engine starts, a failed-start timeout occurs, or the sequence is terminated manually.
  2. Power does not transfer until the generator is fully up to speed, at a reliable operating temperature, and the utility power is unusable. All three conditions should occur before transfer, and there can be manual overrides as well.
  3. All transfers back to utility power and the generator shutdown should be done manually. It is best also to be able to transfer each circuit individually to utility power.
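The three-step sequence above, worked as an added example that is not part of the chapter: a small Python simulation of a start/transfer sequencer that keeps cranking through utility flickers, transfers only when all three conditions hold, and never transfers back or shuts down on its own. The thresholds, the toy engine model, and the utility-voltage trace (two flickers followed by a real outage, as in the command-center incident) are constructed assumptions; a flag reproduces the unsafe "give up cranking when power returns" behaviour for comparison.

```python
# Thresholds below are constructed assumptions, not values from the chapter.
RATED_RPM = 1800            # "fully up to speed"
MIN_COOLANT_C = 60.0        # "reliable operating temperature"
START_TIMEOUT_S = 30        # failed-start timeout ends the crank sequence
USABLE_V = (108.0, 132.0)   # utility counts as usable only inside this band
CATCH_S = 3                 # toy engine catches after this many crank seconds


class Engine:
    """Toy engine (assumption): catches after CATCH_S uninterrupted crank
    seconds, then spins up and warms up one step per tick."""

    def __init__(self):
        self.rpm, self.coolant_c, self.crank_s, self.running = 0, 20.0, 0, False

    def tick(self, cranking):
        if self.running:
            self.rpm = min(RATED_RPM, self.rpm + 300)
            self.coolant_c = min(90.0, self.coolant_c + 8.0)
        elif cranking:
            self.crank_s += 1
            if self.crank_s >= CATCH_S:
                self.running, self.rpm = True, 400
        else:
            self.crank_s = 0   # an abandoned crank cycle starts over next time


def utility_usable(volts):
    return USABLE_V[0] <= volts <= USABLE_V[1]


class Sequencer:
    """Start/transfer logic following rules 1-3 above. abort_on_return=True
    reproduces a controller that gives up cranking when utility power
    flickers back, as in the command-center incident described above."""

    def __init__(self, engine, abort_on_return=False):
        self.engine, self.abort_on_return = engine, abort_on_return
        self.state = "IDLE"      # IDLE, CRANKING, RUNNING, ON_GENERATOR, FAILED
        self.crank_s, self.start_attempts, self.transfer_t = 0, 0, None

    def tick(self, t, volts, manual_abort=False):
        usable = utility_usable(volts)
        if self.state == "IDLE" and not usable:      # start signal
            self.state, self.crank_s = "CRANKING", 0
            self.start_attempts += 1
        if self.state == "CRANKING":
            if self.abort_on_return and usable:      # the unsafe behaviour
                self.state = "IDLE"
                self.engine.tick(cranking=False)
                return self.state
            # Rule 1: keep cranking until the engine starts, the failed-start
            # timeout fires or an operator stops it; a utility flicker is ignored.
            self.crank_s += 1
            self.engine.tick(cranking=True)
            if self.engine.running:
                self.state = "RUNNING"
            elif manual_abort:
                self.state = "IDLE"
            elif self.crank_s >= START_TIMEOUT_S:
                self.state = "FAILED"
            return self.state
        self.engine.tick(cranking=False)
        if self.state == "RUNNING":
            # Rule 2: transfer only when all three conditions hold at once.
            ready = (self.engine.rpm >= RATED_RPM
                     and self.engine.coolant_c >= MIN_COOLANT_C)
            if ready and not usable:
                self.state, self.transfer_t = "ON_GENERATOR", t
        # Rule 3: nothing in tick() ever leaves ON_GENERATOR or stops the
        # engine; those are the operator actions below.
        return self.state

    def manual_transfer_back(self, volts):
        """Operator action: return the load to utility only once it is usable."""
        if self.state == "ON_GENERATOR" and utility_usable(volts):
            self.state = "RUNNING"
        return self.state

    def manual_shutdown(self, volts):
        """Operator action: stop the engine only with the load back on utility."""
        if self.state == "RUNNING" and utility_usable(volts):
            self.state = "IDLE"
            self.engine.running, self.engine.rpm = False, 0
        return self.state


# Constructed utility trace (volts, one sample per second): two flickers,
# a real outage from t=21 to t=40, then utility power returns.
TRACE = ([120.0] * 5 + [0.0] + [120.0] * 2 + [0.0] + [120.0] * 12
         + [0.0] * 20 + [120.0] * 5)


def run(abort_on_return=False, trace=TRACE):
    seq = Sequencer(Engine(), abort_on_return)
    for t, volts in enumerate(trace):
        seq.tick(t, volts)
    return seq
```

With the trace above, the compliant sequencer cranks once (the flicker at t=6 does not interrupt it) and transfers the instant the real outage begins at t=21, while the abort-on-return variant cranks three times and transfers seven seconds later.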

There are countless examples of critical backup generators failing to operate as expected. Here are some suggestions to determine whether a generator is necessary for protecting information systems and how to utilize a generator efficiently and economically.

  • Investigate the outage history of the utility feeders that serve the premises. The electric utility can usually provide this data; if not, the state's Public Utilities Commission usually can. Be sure to ask how the terms are defined, because an “outage” may only include interruptions that continue for more than several minutes. Also ask whether more reliable feeders are available. Loop feeders that are powered from both ends are more reliable and often serve critical equipment. Ask whether the distribution transformers isolate and filter out power disturbances, whether they can also regulate the incoming voltage, and, if so, the specifications.
  • Find out which other customers share the same feeders, and visit them to discuss their experiences and to determine if they use heavy machinery. Although some safeguards are possible and may be at little or no cost to the utility customer, past history is not always a reliable guide to the future. The distribution grid changes as more heavy loads are added. Today, the threat of extended power problems is far greater than in the past and is increasing rapidly. UPS units, motor-generator sets, and backup generators may all be a necessity in mission-critical applications.
  • Determine which of the IS infrastructure components need backup power from an emergency generator. Most critical information systems, equipment, networks, and infrastructure must be at peak performance at all times. And so must all the office areas, support systems, utilities, and personnel needed to operate them. Outages can drag on for days or weeks with key people isolated and living inside the facility to keep the systems running. The generator power must serve all of these needs.
  • Consider these support systems that may require emergency power:
    • All the IS security systems, protection and monitoring devices, perimeter surveillance and access control systems, and the security stations and consoles.
    • Fire stairs (which may become the primary means of entry and egress), emergency exit doors, fire alarms, and intercoms whose batteries will quickly discharge. These batteries must also begin recharging as soon as backup power is available.
    • Heating, ventilation, air-conditioning (HVAC), and process-cooling systems, including all the controls, fans, pumps, and valves needed to operate the critical and support systems. In addition to equipment cooling, it is best to provide room comfort for users, operators, and administrators. Area air conditioning may not be possible, but at least supplementary heating in winter and adequate ventilation will be needed.
    • Sufficient lighting for key personnel, equipment rooms, utility closets, corridors, rest rooms, and food service. Many individual light switches can conserve power and generator fuel. Battery-powered lights are suitable only for immediate emergency egress and cannot provide area lighting.
    • Enough live convenience outlets for test equipment, work lights, and any accessories that must be used. Live receptacles may also be needed for portable fans.
    • Sufficient food service equipment and refrigeration, running water and sanitary facilities, and a sleeping area for 24/7 operations that may have to continue for several days.
    • An elevator for critical access to the site, for medical emergencies, delivery of food and supplies, and to carry fuel for the generator.
  • Compile a list of all the items a generator must power. Then total the rated power of each item to determine the size of the generator and the number of circuits needed. Power ratings for equipment usually are shown on a nameplate near the power connection and listed in the instructions. Ratings may be given in watts, amperes, or volt-amps. Generally, watts and volt-amps are assumed to be equivalent. The latter value is the product of multiplying the rated voltage (e.g., 120 volts) by the rated amperes, while the former multiplies that number by the equipment's power factor. Large generators are rated in kilowatts (1,000 watts) of power. Units intended for short duty cycles cost less and may fail during prolonged, continuous duty. An experienced engineer should review this process.
  • Consider the costs per hour of lost productivity, business, and goodwill if any information systems are disrupted. Add to this the recovery costs. In the example of the bank given earlier, the first day that the generator was needed saved the entire cost of the backup power system. The second and third days of that particular outage were sheer delight to the bank as most of their competitors faltered.

Electric codes may require, and good practice dictates, that a generator be sized to handle the sum of the individual start-up loads. This may seem wasteful because not all loads start up at once and average operating load will be somewhat less than the sum of the parts. It is nonetheless a wise practice to provide for the maximum rated load, with additional spare capacity for improved reliability and future additions. There are several reasons for oversizing the generator. When power is first transferred to the generator, the sum of the initial surges can far exceed the anticipated load. All of the UPS units and other battery-operated devices will begin to recharge, and all equipment motors may concurrently draw their maximum surge currents. Extra generator capacity ensures a smoother transfer with better voltage regulation, and enhances the system's reliability.

Most large generators produce three-phase power. And each of the three outputs should be balanced so that each “leg” draws about the same power. To do this, heavy motors, multiple light fixtures controlled by one switch, and other surge-producing equipment may have to be divided among the three legs. Existing wiring at the distribution panels probably will need changing to balance the legs. It is desirable, but not always possible, to reserve one leg for clean power to critical single-phase electronic systems. Balancing each leg is a tricky business best done in consultation with an independent engineer.
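The nameplate arithmetic from the list above, the start-up-load sizing rule, and the three-leg balancing just described, worked together as an added example that is not part of the chapter. The equipment inventory, power factors, and starting-surge multipliers are constructed assumptions, and the greedy leg assignment is one simple method, not the engineer's procedure the chapter recommends.

```python
from dataclasses import dataclass


@dataclass
class Load:
    name: str
    volts: float
    rating: float                   # nameplate value in the unit below
    unit: str                       # "W", "A" or "VA", as found on the nameplate
    power_factor: float = 1.0
    start_multiplier: float = 1.0   # starting surge as a multiple of running VA
    phases: int = 1                 # 3 for a balanced three-phase motor
    clean: bool = False             # sensitive single-phase electronics


def running_va(load):
    """Nameplate rating to volt-amps: VA = V x A, and W = VA x power factor."""
    if load.unit == "VA":
        return float(load.rating)
    if load.unit == "A":
        return load.volts * load.rating
    if load.unit == "W":
        return load.rating / load.power_factor
    raise ValueError("unknown nameplate unit %r" % load.unit)


def starting_va(load):
    return running_va(load) * load.start_multiplier


def size_generator(loads, reserve=0.25):
    """Size for the sum of the individual start-up loads plus spare capacity."""
    running = sum(running_va(l) for l in loads)
    startup = sum(starting_va(l) for l in loads)
    return {"running_kva": running / 1000,
            "startup_kva": startup / 1000,
            "recommended_kva": startup * (1 + reserve) / 1000}


def balance_legs(loads, reserve_clean_leg=True):
    """Greedy leg assignment: three-phase loads put a third on every leg;
    single-phase loads go largest-first onto the least-loaded eligible leg,
    with leg A held for clean single-phase electronics when reserved."""
    running = {"A": 0.0, "B": 0.0, "C": 0.0}
    startup = {"A": 0.0, "B": 0.0, "C": 0.0}
    assignment, single = {}, []
    for l in loads:
        if l.phases == 3:
            for leg in running:
                running[leg] += running_va(l) / 3
                startup[leg] += starting_va(l) / 3
            assignment[l.name] = "ABC"
        else:
            single.append(l)
    for l in sorted(single, key=running_va, reverse=True):
        if reserve_clean_leg and l.clean:
            leg = "A"
        else:
            eligible = ["B", "C"] if reserve_clean_leg else ["A", "B", "C"]
            leg = min(eligible, key=lambda k: running[k])
        running[leg] += running_va(l)
        startup[leg] += starting_va(l)
        assignment[l.name] = leg
    worst = max(running.values())
    imbalance = (worst - min(running.values())) / worst if worst else 0.0
    return {"running_va": running, "startup_va": startup,
            "imbalance": imbalance, "assignment": assignment}


# Constructed inventory (assumption), drawn from the support list above.
LOADS = [
    Load("UPS: servers", 120, 3000, "VA", start_multiplier=1.5, clean=True),
    Load("UPS: network and telephone", 120, 1500, "VA", start_multiplier=1.5,
         clean=True),
    Load("Security console and cameras", 120, 8, "A", start_multiplier=1.25,
         clean=True),
    Load("Process-cooling compressor", 208, 9000, "W", 0.75, 3.0, phases=3),
    Load("Elevator motor", 208, 18000, "W", 0.75, 4.0, phases=3),
    Load("HVAC fans", 120, 12, "A", start_multiplier=2.5),
    Load("Food-service refrigerator", 120, 1200, "W", 0.75, 3.0),
    Load("Corridor lighting, circuit 1", 120, 900, "W", 1.0, 1.25),
    Load("Corridor lighting, circuit 2", 120, 900, "W", 1.0, 1.25),
    Load("Convenience outlets", 120, 15, "A"),
]
```

For this inventory the running load is about 48 kVA but the summed start-up load is about 152 kVA, which is why the chapter sizes for the start-up sum; reserving leg A for the clean loads leaves the legs noticeably less even than assigning every load greedily.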

As many electronic systems as possible that are powered by a generator should also be protected by UPS units as discussed earlier, even though these add to the generator's load. There will be large voltage surges, dips, sags, and over-voltage conditions as the generator loads are switched and constantly change. Power disturbances will be much greater because electrically noisy motors and lighting cannot be isolated. The UPS units should include noise suppression and voltage regulation as well. And even with all of this, IS equipment will be stressed and may fail.

Locating the generator is the next challenge. The choices are on a roof or setback, inside the premises, or outdoors. Each site has advantages and obstacles. Outdoor generators can be the easiest and cheapest to install but also more expensive to operate. Outdoor generators are noisy, often unsightly, subject to vandalism, and local ordinances may restrict them. When located outside, weatherproof housings are needed to protect the engine, generator, and fuel tank. Most engines used outdoors need to be kept heated, which can become a high overhead expense. Noise is another problem, and persons nearby may object. It is important to use good mufflers and to get written permission from nearby property owners and other tenants. Outdoor units should be fenced with plenty of room for maintenance and fueling. A generator shed is best, if possible, but this does not reduce the need for heating and a good muffler. The whole installation should be securely locked and protected by an open-door alarm and motion detectors, and be in the view of surveillance cameras. Floodlights may deter vandalism and will assist refueling.

Generators on roofs or building setbacks present other problems and these installations too may be restricted by local codes. The first problem is weight. Structural reinforcement probably will be needed. The next problem is getting the unit in place, which may require a crane or a licensed rigger. Very few building elevators come up to the roof level, and they may not be able to handle even a disassembled generator's parts. All the generator components may have to be rigged up outside of the building or manhandled up the fire stairs.

Installations on top of building setbacks will need a special access door, and moving heavy equipment across a finished floor requires heavy planks and floor protection (e.g., sheets of Masonite or plywood) under the casters to avoid considerable floor damage. There must be sufficient space on the roof or setback to fuel and service the generator safely. Noise will usually be a problem and vibration as well.

Indoor installations offer both advantages and challenges. An indoor location that is sometimes feasible is a heated garage-type ground-floor room with a standard garage door to open when the generator operates. This arrangement is good because it is inconspicuous, fireproof, easily protected, and convenient for fueling and maintenance. And, should a generator fail, a trailer-mounted unit can be hooked up easily.

Inside generators may be prohibited by building or fire codes. Large rooms are needed to facilitate fueling and maintenance, and large ventilation systems to dissipate the considerable engine heat. The engine exhaust can be well muffled and piped outside, while engine-intake air is ducted in from outside. Heating and ventilating the room must be designed correctly, for both very hot and very cold weather. The room must be fireproof and soundproof with fire alarms and a suppression system that uses chemicals or dry-head sprinklers that cannot freeze. The floor may need reinforcement and vibration isolators. A floor drain is advisable and must be environmentally approved.

There are advantages to indoor installations. The generator and its fuel can be kept warm easily. Starting is easier and more reliable. Fueling is easier without having to brave the elements. There is less chance of water in the fuel, which can be fatal to diesel engines, and maintenance is much easier.

Problems with building installations include building codes that allow only small day tanks for fuel. Every few hours, a lot of fuel must be carried in to keep the generator running. Fuel cannot be stored inside most buildings, and an elevator may not be running or available to help bring in fuel cans.

There are many possible fuels for emergency generators. Diesel fuel is the most efficient, and diesel engines can operate continuously for days but are hard to start, especially in cold weather, and cannot be hand cranked. Home heating oil is basically the same as diesel fuel and can be substituted at any time that diesel fuel is not available, but this requires extra fuel filtering.

If liquid fuel is used, the fuel tank should be full at all times to avoid condensation. Fuel additives can prevent gumming and assist starting. Make sure all diesel fuel is treated for use in a cold climate. Refiners normally do not use this process except in winter, but untreated diesel fuel turns to a gel near freezing temperatures and the fuel will not flow. Never let a dealer “cut” diesel fuel with kerosene, which is corrosive. Diesel fuel also requires additives to avoid bacteria buildup that will clog fuel lines. There should be OSHA-approved cleanup materials ready for any future spills or leaks.

Natural gas and propane are the most convenient fuels. Either one eliminates the day tank and refueling. These engines are the least polluting, and they start much more easily, require no preheating, and can be hand cranked. But most are not designed for prolonged continuous duty. Gasoline engines are prohibited by many building codes and are rarely used except for small, portable generators. Gasoline is far more dangerous to handle and store, and gasoline engines do not hold up well under heavy loads.

Continually monitor the engine oil level and be ready to add oil as soon as it is needed. Most generators automatically shut down when the oil level is low. Some also shut down when overheated. Any unexpected generator shutdown will be catastrophic, so monitor closely for early warning signs of trouble.

Once the desired size and type of generator is decided, there are other considerations:

  • Automatic engine controls and load transfer switches can be unreliable and may cause damage. Avoid these if possible. However, generators can be monitored and controlled remotely, as well as on site.
  • Automatic starting can be unreliable. If the engine does not start quickly, the battery will quickly discharge, especially with diesel engines in cold weather, which require glow-plug heaters. If at all possible, someone should be present during the starting process, using a checklist to verify proper operations and then transferring the load manually when the generator is ready. Switches that automatically transfer the load are expensive and sometimes fail. Always transfer back to utility power manually, and do this only after sensitive systems are put into a standby mode. Automatic transfer can cause major damage if the utility power flickers and goes out again or if the voltage or the frequency fluctuates during transfer, as it often does. Do not shut off the engine automatically. This is best done manually, and not until utility power is flowing smoothly.
  • The best transfer switches allow each of the major circuits to be transferred individually to minimize the inevitable fluctuations likely to occur when everything is switched over simultaneously.
  • An emergency generator must be exercised regularly. The manufacturer will specify when and how the units should be exercised. Usually this must be done monthly and at medium to heavy load. When critical systems are involved, good security practice is to exercise the generator weekly. There should be a written, initialed log entry for each event, including each exercise, inspection, maintenance, oil check, and refueling. Always log operating hours.

Despite the cost and complexity, there is a great feeling of contentment in having a good emergency generator system that functions smoothly, especially when other organizations may be floundering. Once the generator performs well during a real emergency, even skeptics realize the value added.

23.8.7 Environmental Control.

Even though today's information systems do not need as much cooling or the precise environmental controls that legacy systems once demanded, good control of temperature and humidity, good ventilation, and clean air are still important. Information systems can function reliably only when proper environments are maintained in both equipment rooms and user workplaces. But each area requires a different approach.

Air conditioning is basically intended to cool people; equipment should be cooled by a functionally different system, which is best called process cooling. The systems should not be intermixed, nor should either one substitute for the other. Building codes require heating, ventilation, and air conditioning (HVAC) within all occupied spaces, where people may congregate, or where there are workstations. Building codes also set minimum ventilation requirements for occupied space, including a minimum percentage of makeup (outside) air to be constantly brought into each occupied space so the inside air does not become stale. Most codes do not consider the needs of electronic equipment.

Electronic equipment has many special needs, and many are incompatible with the people comforts required by the codes. Most electronic equipment operates continually, whereas air conditioning operates mostly during business hours. Air-conditioning cooling systems may be shut down for maintenance, during a power brownout, off hours, or in cool weather. By contrast, process cooling must operate continuously and every day, so parallel and redundant systems are often used. The same air should be well filtered and recirculated with no makeup air added to introduce dust or contaminants. This also reduces the cooling capacity needed, so process-cooling equipment can be of smaller capacity and cheaper to operate.

Electrical equipment and wiring also need good humidity control, which process-cooling systems are designed to provide. These systems are designed to be easier and faster to clean and maintain. Often many components are redundant and hot-swappable. Increasingly, the cooling unit is on the floor or ceiling of the equipment room, so that few ducts, dampers, or registers are needed.

All IS processing, storage, and network equipment should be inside dedicated equipment rooms, which also should be designated as unoccupied spaces to avoid the code-imposed air-conditioning requirements. Avoid using terms such as “computer room” or “data center,” which are usually construed to be occupied spaces.

Both the process cooling in equipment rooms and the air conditioning in work areas must provide humidity control. It is important that relative humidity be controlled between 40 and 60 percent at all times, regardless of the climate or season.

When the relative humidity falls below 40 percent, which can easily happen in cold weather, static electricity is generated as people move about. Static charges can quickly accumulate to become many thousand volts, and a spark will jump to any object a person touches that is differently charged. Even though such a spark may not be felt, several thousand volts can annihilate electronic circuits. For example, a static charge jumping from a fingertip to a keyboard can cause serious damage to storage media and circuits. Much of the damage may not be readily apparent. Actual failure may be delayed, so the cause is not identified. Grounded strips can be installed on workstations, and service personnel should wear grounded wrist straps, although these do not completely stop the problem. The only effective solution is always to keep the relative humidity above 40 percent.

Relative humidity above 60 percent also causes problems that will eventually destroy equipment and wiring. Above 60 percent, condensation and mold will begin to damage some components. Above roughly 80 percent, galvanic action occurs and will eventually cause serious trouble. The process is often called silver migration because most electronic connections are silver-plated. The phenomenon is similar to electrolysis (electroplating), but here the two metals are immersed in high humidity rather than a liquid and there is no external current needed for galvanic action to occur. Molecules of one conductor begin to physically move toward and attach themselves to another less active metal. Even though both surfaces may be gold or silver or copper plated, it is likely that they differ slightly in composition. Therefore, galvanic action will occur whenever the humidity is too high. Connector pins and sockets can disintegrate, fuse together, or fail electrically due to pitting. Printed circuits can also fail. Although this galvanic action happens slowly, it accumulates and is irreversible. The failures are usually without warning, and almost always, poor quality is blamed, rather than high humidity.

The only protection is to control humidity in both equipment rooms and work areas. Process-cooling and air-conditioning systems commonly do this by several methods. Both systems dehumidify naturally when cooling and can use a reheat coil to warm output air if the humidity is too low. Also when the humidity is too low, water is added using a spray, atomizer, or a wet screen through which the supply air is pumped.

There are additional protections, which are wise to install and maintain. In a cold climate, all areas and workplaces with electronic equipment should have low-static floor surfaces. This can be low-static carpeting or floor tile made for this purpose. Do not rely on sprays to control static electricity; they soon dissipate. Be sure that equipment room walls and doors are well sealed so that humidity, dust, and contaminants cannot migrate. Be sure the walls are well sealed from slab to slab and that the slabs themselves are impervious to dust and humidity. See also the need to properly seal firestops in Section 23.5.1.

23.8.8 Smoke and Fire Protection.

Smoke is far more dangerous than flame. And all smoke is toxic! It contains high levels of carbon monoxide, which is invisible, odorless, and quickly fatal. Smoke is the product of the combustion of many materials, and most of these are dangerous to breathe. Some are immediately fatal. Even a little smoke can do considerable harm to humans and much harm to electronic equipment. Smoke is deceptive; even when there does not seem to be very much smoke or heat, and visibility looks good, people within or passing through the area quickly become disabled and some may soon die.

The first priority is the safety of people. Get everyone away from any smoke immediately, and keep everyone away. Only trained responders with proper protective clothing, equipment, and self-contained breathing apparatus should enter any smoky area. Generally, respirators are not enough protection and may leak as well. There must be no heroics; crawling through smoke on the floor or breathing through a wet rag are desperate measures that should be attempted only when unavoidable to escape the area. Everyone should wait in a safe place until firefighters arrive and then follow their instructions.

The best way to prevent an equipment room fire is to keep anything combustible outside the room. Documents, manuals, and supplies should be stored outside the room in closed metal cabinets. Inside furniture should be limited to a metal table and a chair or two. All waste receptacles should be outside. Once combustible materials are eliminated, the only smoke that develops will be from electrical overheating. Electrical fires rarely occur in an equipment room, and those that do occur are likely to be very small, brief, and cease as soon as electrical power is removed. (Note that most computing components now operate on five volts or less, so that a short circuit is no more dangerous than, for example, a shorted flashlight, which presents no smoke hazard.) While sometimes noticeably acrid, there is usually little visible smoke. Therefore, sensitive fire and smoke detectors and an effective means of fire suppression are needed and required by most building and fire codes. Good detectors can provide enough early warning to ward off trouble and injury.

Enough smoke or heat to cause actual equipment damage requires an electrical current higher than most components can draw. Circuit breakers and fuses usually will open before there is much smoke or damage. Perhaps the greatest risk is smoke from the ballasts in low-quality fluorescent light fixtures, which can put out considerable black smoke. Any smoke is corrosive and may condense on connectors and printed circuits, which may then eventually fail.

There should be smoke detectors in every equipment room that are connected to a central alarm system. There should be enough detectors to cover the entire volume of each room. Each detector should include an electric eye to look for haze or smoke, ionization sensors to detect products of combustion well before any are noticed by humans, and rapid-rise-in-temperature detectors in case there is enough heat buildup to cause damage. Detection alone does not stop smoke generated by overheated wiring or components; it continues until the electrical power is cut off or the heat source is otherwise removed.

There must be a fire suppression system in every equipment room. Both code compliance and good security practice require this. Fire suppression is best accomplished with sprinkler heads that spray water mist, even though some unprotected equipment may be damaged if the water is not effective quickly. Special waterproof protective covers are often kept near equipment in case of accidents such as ceiling leaks or a damaged sprinkler head. But if an area is already smoky, no one should attempt to place the covers.

Wiring, connections, and most components will dry themselves, even when soaked. The process may be hastened with lint-free towels and careful use of hair dryers. Keyboards, monitors, UPS units, power supplies, some disk or tape drives, and especially printers may be damaged and should be replaced until they can be inspected. Hard drives are usually hermetically sealed and unaffected. A few other components could be damaged by excessive heat, although water mist is very effective in quenching heat sources. Plenty of replacement items should be safely stored nearby. Handling damaged low-voltage components (such as most circuit boards) presents little risk to people—provided there is not too much water and the persons know what they are doing and how to avoid damaging the components. If in doubt, shut down the components temporarily.

Enclosed equipment cabinets offer the best protection regardless of the room's fire suppression system. Enclosed cabinets can monitor temperature and humidity, detect and contain smoke, sound alarms, and often contain systems to suppress a fire before trouble occurs.

Halon 1301 fire suppressant was once widely used in critical areas. But Halon is a fluorocarbon whose manufacture has been banned for many years. Today's chemical systems are designed differently; one example uses the FM200 Suppression Agent made by Siemens. The claimed advantage of the chemical suppressants is that humans can breathe the agent, at least while they are exiting the area. Another fire suppression system uses carbon dioxide, which is effective and less expensive, but can extinguish people as well as fires. The problem with all chemical agents, including carbon dioxide, is that they quickly mix with smoke and become very toxic. The agent itself may be safe to breathe, but the smoke mixed with it is not. These systems are also very expensive.

Regardless of the suppression system, there should be controls and a shutoff near the room's exit, but not accessible to a perpetrator. Generally, an audible, continuous alarm indicates that the suppression system is about to activate. There should be postpone buttons on the control panel, and perhaps remotely as well, that will delay activation for about two minutes while someone intervenes. The postpone mode generally pulses the audible alarm. A silent alarm indication should remain activated whenever a fire suppression system is disabled or the alarms are silenced.

The next level of protection utilizes several fire extinguishers. These are the most useful protections because the suppressant can be aimed where it is needed and not throughout the room. Carbon dioxide is best because it does not leave a residue. Chemical, powder, and foam extinguishers also work well but are hard to clean up. ABC-type extinguishers are best because they are rated for all three classes: ordinary combustible materials (A), flammable liquids (B), and electrical fires (C). Several handheld extinguishers are better than a few large, heavy units. All fire extinguishers should be conspicuously wall-mounted or placed immediately inside and outside of entrances. An OSHA-approved red patch placed on the wall nearest to every extinguisher highlights its location. Also, check other OSHA, local code, and insurance requirements that may apply.

Supply air from the process-cooling equipment should be shut down quickly and automatically to avoid recirculating the smoke. The IS equipment may have to be shut down soon thereafter before it overheats. It is best to shut down everything promptly and automatically in an orderly sequence—cooling, IS equipment, electrical power, and lighting—and then evacuate. Shut down the lighting, in case it is part of the problem. Shutdown should occur automatically, with manual intervention possible from controls inside the room or remotely. Battery-powered exit signs and emergency lighting in the room are advisable so responders do not need flashlights.
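As an added illustration, and not code from the handbook, the following Python models the control sequence described in the two paragraphs above: a detection triggers the orderly automatic shutdown (cooling, IS equipment, electrical power, lighting), a continuous pre-discharge alarm sounds, a postpone button delays discharge about two minutes and pulses the alarm, and a silent trouble indication stays on while suppression is disabled. The state names and the 30-second pre-discharge interval are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Timing assumptions for this illustration: the text says "about two minutes"
# for the postpone delay; the pre-discharge warning interval is assumed.
POSTPONE_SECONDS = 120
PRE_DISCHARGE_SECONDS = 30
# Orderly shutdown order given in the text.
SHUTDOWN_SEQUENCE = ("cooling", "is_equipment", "electrical_power", "lighting")


class State(Enum):
    NORMAL = "normal"
    PRE_DISCHARGE = "pre_discharge"  # continuous alarm, counting down to release
    POSTPONED = "postponed"          # pulsed alarm, release delayed by intervention
    DISCHARGED = "discharged"        # agent released
    DISABLED = "disabled"            # suppression switched off at the exit control


@dataclass
class SuppressionController:
    state: State = State.NORMAL
    countdown: int = 0                      # seconds until discharge
    shut_down: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def audible_alarm(self) -> str:
        """Continuous while pre-discharge, pulsed while postponed, otherwise off."""
        if self.state is State.PRE_DISCHARGE:
            return "continuous"
        if self.state is State.POSTPONED:
            return "pulsed"
        return "off"

    def trouble_indicator(self) -> bool:
        """Silent indication that stays lit whenever suppression is disabled."""
        return self.state is State.DISABLED

    def smoke_detected(self) -> None:
        # The orderly shutdown runs on any detection, even if suppression is disabled;
        # cooling goes first so the smoke is not recirculated.
        if not self.shut_down:
            for stage in SHUTDOWN_SEQUENCE:
                self.shut_down.append(stage)
                self.log.append(f"shutdown:{stage}")
        if self.state is State.NORMAL:
            self.state = State.PRE_DISCHARGE
            self.countdown = PRE_DISCHARGE_SECONDS
            self.log.append("alarm:continuous")

    def postpone(self) -> None:
        """Postpone button: restarts the delay each time it is pressed."""
        if self.state in (State.PRE_DISCHARGE, State.POSTPONED):
            self.state = State.POSTPONED
            self.countdown = POSTPONE_SECONDS
            self.log.append("alarm:pulsed")

    def disable(self) -> None:
        """Shutoff near the exit; leaves the silent trouble indication on."""
        self.state = State.DISABLED
        self.countdown = 0
        self.log.append("suppression:disabled")

    def tick(self, seconds: int = 1) -> None:
        """Advance the controller clock; discharge when the countdown expires."""
        if self.state in (State.PRE_DISCHARGE, State.POSTPONED):
            self.countdown -= seconds
            if self.countdown <= 0:
                self.state = State.DISCHARGED
                self.countdown = 0
                self.log.append("agent:discharged")


def run_scenario() -> SuppressionController:
    """Constructed scenario: smoke, one postpone by an operator, then the delay expires."""
    c = SuppressionController()
    c.smoke_detected()
    c.tick(20)
    c.postpone()
    c.tick(POSTPONE_SECONDS)
    return c


if __name__ == "__main__":
    ctl = run_scenario()
    print(ctl.state.value, ctl.shut_down, ctl.log)
```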

A so-called crash cart is a good investment. This is used during a smoke condition, a water leak, and, it is hoped, before a fire suppression system activates. A crash cart is kept outside or nearby major equipment rooms and rolled to where it is needed. The cart usually contains covers to keep smoke and water out of racks and off equipment, large fire extinguishers, and sometimes respirators or self-contained breathing apparatus. The crash cart should include quick-reference procedures, and a checklist for protecting and shutting down the room, as well as safety and notification procedures—usually printed on plastic. The crash cart should be inspected and the procedures reviewed monthly, and there should be periodic training and exercises to practice using the equipment. Before the smoke and water covers are used, be sure the equipment is first powered off. Crash carts were important for yesterday's computer rooms but are increasingly unnecessary in a well-designed equipment room.

Finally, be sure to have smoke-exhaust systems available to quickly purge the areas of smoke. Most fire departments have portable purge fans with long fabric and wire hoses to reach outside. Do not allow anyone to use a respirator or breathing apparatus unless it is approved for this purpose and has been properly fitted to a trained person.

23.9 MITIGATING SPECIFIC THREATS.

Several other threats should be considered before good infrastructure protection is possible. Some of these situations are unlikely but potentially very costly if they should ever occur.

23.9.1 Preventing Wiretaps and Bugs.

Most wiretaps are placed at wiring junction points. Vulnerable spots are within equipment rooms, wiring closets, junction boxes, wiring blocks, or data receptacles. See Section 22.4.5 for methods of tapping into copper or fiber wiring. The tap wire can be fiber or coax or utilize a pair of unused conductors inside an existing cable. It is likely to be a small wire that is hardly noticeable, running to an inconspicuous place where monitoring and recording can occur. Once removed to a safe place, the data can be extracted by phone, wireless, Internet, or manually. Tapped data may even be encoded and stored on the victim's own network. Video and/or audio bugs used for spying are similar to wiretaps in that once the data is monitored, it must then be sent elsewhere for retrieval.

Unless all system data are encrypted—including all data, voice, and video traffic—wiretap protection must be strong because detection is difficult at best. First, determine which cables are critical and inspect the entire cable run. All cables should be inside of metal conduit. Data and power conduits should look similar and with no markings or labels except alphanumeric codes. Keep critical conduits as inconspicuous as possible, and away from places the public might access. There must be strong access controls, intrusion alarms, motion detectors, or surveillance where terminations, connectors, or wires can be accessed. Critical cable runs must be protected over their entire length. See Section 23.8.3 for ways to protect conduit and exposed cables.

Data cables between the desktop and wall or floor outlets are potential wiretap sites. Cables, harnesses, and connectors within office furniture systems may also be compromised. Reasonably good protection is possible with careful design, with devices that harden the data cabling against the possibility of a wiretap, and that detect disconnecting or tampering with any data wires.

For continued protection against wiretaps and bugs, even when all data are fully encrypted, there must be periodic and thorough visual inspections, sweeps for any unusual radio-frequency transmissions, and careful cable testing to determine any anomalies. Everything done must be logged and quickly analyzed. Unfortunately, most spying is never detected and can continue undetected at the will of the perpetrators.

23.9.2 Remote Spying Devices.

There are very sensitive radio receivers that can monitor information system data through walls or from outside the building without the use of an inside bug or wiretap. These devices can simply listen to the data from afar. Such equipment is not available publicly and is well beyond the means of all but the best-financed spies. However, there are many such systems in use today, and many more will be available as prices drop. Any organization whose data are very valuable is a potential target. The best protection is good shielding around equipment rooms and thick-wall metal conduit for data cables, and everything must be properly grounded. There are also interference transmitters that may help; these broadcast white noise that can overwhelm signals radiated from the IS infrastructure.

23.9.3 Bombs, Threats, Violence, and Attacks.

Violent events are unpredictable and potentially devastating. These are not accidents, but deliberate attacks, intended to disrupt, cause damage, and spread fear. The tragic attacks of 9/11, and their aftermath, have proven the vulnerability of people and of their infrastructures. The vulnerabilities remain today, and the risks are even greater.

Protection against violence must be threat-specific, and all possible threats must be addressed as described in Chapter 22. Effective deterrence and mitigation then become a matter of strengthening the protections described throughout this chapter, which need not be very costly considering the response and recovery costs that could otherwise result. Premises or corporate security must deal with most threats of violence, but the infrastructure needs special protections to avoid disruption and to mitigate the downtime and cost consequences of any such event.

Bomb or terrorist threats now happen frequently within the United States. Most are unreported. Many threats are hoaxes or the result of harmless objects discovered. Some threats are prevented before they occur. And many devices fail, but a few do not. The motives to incite violence can now include hate, revenge, a compulsion to eradicate perceived evil, disgruntled and deranged persons (including children), copycat thrill seekers, religious, political, or secular interests, and often extortion or blackmail. Sometimes there are no clear motives. Although such events are statistically unlikely to happen, the potential costs and wide areas of disruptions are too great to be ignored. Protections and preparation will at least reduce the otherwise huge liabilities when any event occurs. The Department of Homeland Security and the Federal Bureau of Investigation both offer considerable information on preparation, protection, and dealing with bomb or other serious threats, including checklists for anyone receiving a warning phone call or a suspicious letter or package.

Powerful bombs can be made at home with materials that are readily available from local stores. Car bombs can destroy whole buildings. Strong explosives may be put into harmless-looking objects, such as sports balls, books, dolls or teddy bears, or concealed as a cell phone, camera, or radio. Devices can be detonated by a fuse, mechanical or electronic timer, radio signal, or trigger mechanism when anyone moves or touches the device. The railroad bombings in Madrid in 2004 were detonated by cell phones used as alarm clocks so they all detonated together. Calls to a cell phone or a digital watch used as a timer are often used as well. A suicide bomber can manually trigger an explosion when it is most effective. A new device showing up in schools is a tennis ball that will explode with considerable force when it is thrown. Other ways to trigger weapons, especially chemical or biological weapons, use a package or a backpack left unattended that will detonate automatically or when touched. For example, consider the threat to an organization from a carton labeled copier paper left unattended near the IS infrastructure.

Reasonably good protection and mitigation measures can be simple and inexpensive. Details cannot be described publicly, but state and regional bomb squads or explosives units can advise and assist in many ways, including current briefings. Weapons of mass destruction (WMDs), other than nuclear weapons, are fast becoming a real threat, especially because many such devices are small and easily concealed. WMDs include chemical and biological agents and incendiary devices, while even small amounts of radioactive materials dispersed by an explosive “dirty bomb” can spread panic. The government considers these devices very serious threats, with businesses and their infrastructures as likely targets.

New federal office space must now be certified as bomb resistant, so that an explosion or the impact of a truck bomb cannot collapse the building. Officials can usually provide a current threat briefing and suggest protective measures. Although small areas may be destroyed, the structure will not collapse.

Small-size bombs are a major concern. A few ounces of a chemical agent can kill hundreds of people, and the victims are usually stricken within minutes or hours, and for no apparent reason. Chemical agents are usually not contagious. Biological agents are even harder to detect quickly. A small vial the size of a lipstick can kill every person within a large metropolitan area. Biological victims usually do not react for several hours or days, and they may be highly contagious. With either agent, death is likely unless the right medical procedures and antidotes are administered quickly.

Should any suspected WMD event occur, call for government help immediately and stay well away from the scene (at least 600 feet upwind, uphill, and upstream) until properly trained and equipped specialists arrive. Make sure the FBI is informed quickly. Advise state and regional emergency officials that mass decontamination may be required before victims can be transported or enter hospitals. Decontamination requires copious amounts of water (fire hoses set on a gentle spray), plenty of detergent, and, possibly, diluted household bleach. Provisions should be made to keep victims comfortable and to protect their modesty. The water runoff may itself be an environmental hazard.

FBI, fire, police, and emergency management officials, trained in WMD and terrorism, should be consulted to better understand the possible threats and how best to deal with them.

23.9.4 Medical Emergencies.

The possibility of a flu epidemic or something like an outbreak of anthrax poisoning can cause enormous disruption to the information infrastructure. People cannot or will not come to work, or will have evacuated the area. This can go on for months, possibly years. The only mitigation is for them to telecommute, work from a safe and remote location, or outsource to organizations that can fill in. (See Section 22.4.3.)

Other medical emergencies can also cause big problems. (See Section 22.6.5.) Although medical emergencies are primarily premises security problems, preventing them is vital to avoid disrupting the performance of information systems. A serious medical emergency is very likely to happen eventually. Any such event can devastate morale and productivity and severely affect IS performance for an extended period. The event can be excessively costly if not promptly treated.

Mitigating medical emergencies requires a first aid room on the premises, first aid and some medical supplies, a registered nurse if possible, and many workers trained in first aid and cardiopulmonary resuscitation (CPR). All security personnel and guards should be certified in first aid and CPR.

Cardiac arrest occurs in the workplace and can hit anyone: visitors, vendors, or staff. Fast response, adequate equipment, and proper training are essential—minutes count. Waiting for a 911 response can result in death or permanent impairment, even when emergency medical technicians arrive quickly. An automated external defibrillator (AED) on site will save lives and can be operated by anybody in an emergency. A portable AED currently costs about $1,000, and the suggested training is inexpensive. An AED is now required in all federally managed buildings. Many shopping malls, places of public assembly, and commercial aircraft are now equipped with one or more units.

Oxygen is often necessary to save lives and prevent permanent impairment. Most sites equipped with an AED also have oxygen units. Good portable units cost $800 or less and can be operated by almost anyone, without training.

23.10 INFORMATION NOT PUBLICLY AVAILABLE.

Many special threat situations cannot be mentioned publicly because the materials and tools are readily obtained, inconspicuous, or easily concealed and disposed of after the crime. It is not possible to describe these threats without explaining how anyone can perpetrate them. Apprehension is difficult, sometimes impossible, so the only protection is deterrence and detection before trouble happens. Chapter 22 excludes these types of threats, and it is equally inappropriate to discuss their specific mitigation in this chapter.

Generally, however, there are effective ways to mitigate these threats as well as some more common ones. It is best to compile a comprehensive list of special threat situations and how to mitigate them by talking with a wide array of experienced consultants, contractors, installers, maintenance personnel, and vendors. Most of these people have long lists of easy and effective ways to disrupt, snoop, or attack the information infrastructures, along with practical countermeasures. No protection can be comprehensive until these resources have been interviewed for their experience and suggestions.

Just like some possible threats, there are also effective protection devices that cannot be mentioned. These are not marketed publicly and therefore are unknown to dealers, resellers, or distributors. The costs can be reasonable because they are only sold direct. Developers may supply classified systems for military or government use and offer declassified versions to other selected users. In this way, developers can restrict knowledge of their products to as few people as possible, so that others cannot discover how to recognize or circumvent them.

Many consultants who have worked with financial, regulated, or very large private companies know some of these specialty vendors. Usually a consultant will approach the vendor and discuss what is needed; the vendor may then contact the customer directly.

Finally, given today's environment of violence, get to know key local, state, and federal law enforcement and investigative officials, and ask their suggestions how best to protect an organization.

23.11 COMPLETING THE SECURITY PLANNING PROCESS.

The last step necessary to protect the information infrastructure has four components. Unless every one of these components is completed thoroughly, good security is not possible. They include:

  1. Develop an all-hazard mitigation plan.
  2. Develop all of the mitigation options for each identified threat and perform a cost-benefit analysis to determine which options are best.
  3. Develop an overall security response plan to show who is responsible for what.
  4. Complete the necessary implementation, accountability, and follow-up procedures.

It is not possible to fully explain each step within the confines of this chapter, but the information that follows at least outlines some of what is needed to complete the security planning process and where to find additional information.

All of the five available FEMA State and Local Mitigation Planning How-to Guides referenced in Section 22.9 can be helpful in this final step. Particularly so is FEMA Publication 386-2, Understanding Your Risks, which shows a method of cost-estimating potential losses due to flooding using tables rather than by calculation. These tables quickly show that losses can be far greater than expected. In addition to the five available guides, an Internet search for the series title is also suggested, as portions of the four unreleased guides (386-5, 386-6, 386-8, and 386-9) may be available from state agencies.

23.11.1 All-Hazard Mitigation Plan.

Once all possible threat situations have been identified and assessed as described in Chapter 22, the next step is to develop as many options as possible to prevent, deter, or mitigate disruption, injury, or damage from each threat. Although some threats cannot be prevented, there are always ways to prepare for and mitigate their impact. Usually there are many mitigation options, so the objective is to determine which options are the most practical and affordable. The only objective way to do this is with cost-benefit analysis (described in Section 23.11.2).

In actuality, the options to protect against many different threats will be similar, but each option should be retained until the best mitigation strategy for each threat is determined. Here also there is likely to be one common mitigation strategy that covers many different threats. All credible threats should be listed in the mitigation plan, but the mitigation projects laid out will be far fewer in number.

When the next step is finished, the All-Hazard Mitigation Plan can be completed. The FEMA 386 how-to manuals listed in Section 22.9 provide the suggested format and content.

The complete mitigation plan should be for official use only, and not released except to those with a need to know this information. The complete plan would be very helpful to a potential troublemaker because it shows where the organization is vulnerable, and to which threats. If disclosure of the complete plan is not well controlled, its contents could be leaked by, extorted from, or sold by an insider. However, the executive summary of the plan and abbreviated findings should be circulated widely, so that all stakeholders know that much is being done to protect them.

23.11.2 Cost-Benefit Analysis.

Security is pointless unless it is cost-effective and also adds value: that is, the cost of mitigating each threat must be less than the benefits and savings realized because effective protection keeps the event from occurring. The costs of every option can easily be determined; these are the initial and ongoing costs. Some future benefits, though, will be intangible, and all will have to be approximated. The long-term benefits of something not happening must reflect the approximated costs of:

  • Disruptions that would reduce the productivity of the business and the performance of its information systems
  • Morale and performance that could plummet, and remain very low because people feel unsafe and unprotected
  • Loss of business or customers until operations could be restored to normal
  • Response and recovery costs including extra time and overtime, expenses including lodging and meals, temporary facilities, public relations, and legal defense costs that are all likely to be incurred
  • Legal, public relations, and other services and expenses to repair reputational damage, and fallen stock price, and to restore goodwill

Not all of these costs will follow every threat. But then again, there may also be additional, unexpected costs as well. In general, the response and recovery costs of any major security event tend to be far greater than expected. Nonetheless, each situation can be studied and some costs determined in order to facilitate a statistically valid cost-benefit analysis.

Cost and benefit information have no meaning unless each is associated with a common time frame. The likelihood of each threat should be assessed on an annualized basis (see Section 22.3.4), so that both the mitigation costs and the potential benefits can be amortized over the same life cycle.

There are many methods for cost-value analysis, and most are beyond the scope of this chapter. However, for those who are not financially trained, the federal government has a good system, freely available, that is widely required within the government. The government calls this system “BCA,” which stands for benefit-cost analysis. It is based on the federal Office of Management and Budget's Circular A-94. Information is available at www.whitehouse.gov/omb/circulars/a094/print/a094.html. The material is best obtained on the Mitigation BCA Toolkit CD-ROM, which is available free by telephoning 1-866-222-3580. This CD includes manuals, programs, training documents, and some case studies as well.

One particular advantage of the BCA system is that the OMB publishes the current cost-of-funds data needed to project any costs. Some of the private models tend to use wildly optimistic (or grossly out-of-date) future interest rates, which invalidates the results. Again, it is wise to use a federal government model simply as a matter of risk avoidance. And the BCA model is widely used and required for many grant applications.

FEMA has developed a series of eight Cost Effectiveness Tools, which are programs to assist grant applicants with financial analyses, such as net present value. For details go to www.fema.gov and search for the title.
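The amortization logic the three preceding paragraphs describe, as an added worked example: each threat's likelihood is annualized, the avoided losses and the option's initial plus ongoing costs are discounted over one common life cycle, and the options are ranked by net present value. This is illustration code, not the OMB Circular A-94 procedure, the FEMA BCA Toolkit, or anything from the chapter; every threat, loss, cost and discount-rate figure in it is a constructed sample value, and the real discount rate would be taken from the current OMB figures rather than the placeholder used here.

```python
"""Annualized benefit-cost analysis (BCA) of security mitigation options.

Added illustration of the amortization logic described in the text; it is not
the OMB Circular A-94 procedure, the FEMA BCA Toolkit, or any code from the
chapter. All threat, loss, cost and discount-rate figures below are
constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float   # expected occurrences per year (annualized basis)
    loss_per_event: float      # dollars lost per occurrence, summed over all cost categories

    def annualized_loss(self) -> float:
        """Annualized loss expectancy: likelihood x loss per event."""
        return self.annual_likelihood * self.loss_per_event


@dataclass(frozen=True)
class Mitigation:
    name: str
    initial_cost: float        # one-time capital cost, paid now
    annual_cost: float         # ongoing cost (maintenance, staffing, testing) per year
    life_years: int            # life cycle over which costs and benefits are amortized
    # Fraction of each threat's loss the option avoids when the protection is
    # effective; threats not listed are unaffected (fraction 0.0).
    effectiveness: dict


def present_value(annual_amount: float, rate: float, years: int) -> float:
    """Present value of a level annual stream over `years` at real discount `rate`.

    `rate` should be the current cost-of-funds figure published with OMB
    Circular A-94; a made-up placeholder is used in the sample below.
    """
    if years <= 0:
        return 0.0
    if rate == 0:
        return annual_amount * years
    return annual_amount * (1 - (1 + rate) ** -years) / rate


def benefit_cost(option: Mitigation, threats: list, rate: float) -> dict:
    """Compare an option's costs and avoided losses over one common life cycle."""
    avoided_per_year = sum(
        t.annualized_loss() * option.effectiveness.get(t.name, 0.0) for t in threats
    )
    pv_benefits = present_value(avoided_per_year, rate, option.life_years)
    pv_costs = option.initial_cost + present_value(option.annual_cost, rate, option.life_years)
    return {
        "option": option.name,
        "annual_benefit": avoided_per_year,
        "pv_benefits": pv_benefits,
        "pv_costs": pv_costs,
        "npv": pv_benefits - pv_costs,
        "bcr": pv_benefits / pv_costs if pv_costs > 0 else float("inf"),
    }


def rank_options(options: list, threats: list, rate: float) -> list:
    """Return BCA results for all options, best net present value first."""
    return sorted(
        (benefit_cost(o, threats, rate) for o in options),
        key=lambda r: r["npv"],
        reverse=True,
    )


# Constructed sample data: two threats from the assessment, two candidate options.
THREATS = [
    Threat("utility power failure", annual_likelihood=0.5, loss_per_event=80_000.0),
    Threat("equipment-room fire", annual_likelihood=0.02, loss_per_event=2_000_000.0),
]
OPTIONS = [
    Mitigation("UPS plus standby generator", 120_000.0, 8_000.0, 10,
               {"utility power failure": 0.9}),
    Mitigation("clean-agent fire suppression", 60_000.0, 3_000.0, 15,
               {"equipment-room fire": 0.7}),
]
SAMPLE_RATE = 0.07   # placeholder real discount rate, not an official OMB figure


if __name__ == "__main__":
    for r in rank_options(OPTIONS, THREATS, SAMPLE_RATE):
        print(f"{r['option']:<32} NPV ${r['npv']:>12,.0f}  BCR {r['bcr']:.2f}")
```

The single-event loss fed into each `Threat` is where the bulleted cost categories above (disruption, morale, lost business, response and recovery, reputational repair) are summed; changing only `SAMPLE_RATE` shows how sensitive the ranking is to the interest-rate assumption the text warns about.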

23.11.3 Security Response Plan.

A hazard mitigation plan is needed to document the threat assessment done in Chapter 22 and to list the mitigation options and the predicted costs and benefits associated with each; a security response plan is also needed to direct each stakeholder according to the type of threat experienced. The purpose of the security response plan is to define clearly who is in charge and who will do what, when, and how, whenever a threat occurs. The new and comprehensive NRP format is strongly recommended for uniformity. (See Section 23.2.2.) Begin with this format and table of contents and add more ESFs, annexes, or appendices as needed. Also utilize a current local emergency operations plan (LEOP) and a current state emergency operations plan (SEOP) for guidance and uniformity.

The new NRP format revises and reestablishes the Emergency Support Functions (ESF) concept for each support activity that each organization may need. There are now 16 numbered ESFs, beginning with ESF-1, “Transportation,” ESF-2, “Communications & Alerting,” and on through ESF-16, “Animal Health.” It is recommended that the standard ESF titles be retained, even though many may not be applicable to a nongovernment organization, if only to maintain a uniformity and language that everyone understands. Additional ESFs will be needed to mount an effective response, but number these as “17” and upward. (As mentioned in Section 23.2.2, the NRP may soon be replaced with a new framework, yet to be released. However, the NRP and NIMS [Section 23.2.1] are still instructive.)

The same is true with the NRP's new appendices, support annexes, and incident annexes (which are still confusing as to what information is put where). For uniformity and consistency, it is best to keep the NRP titles and their sequence, edit these to suit the organization's needs, and add more appendices or annexes as needed at the end of each section. Details are beyond the scope of this chapter; look at the actual plan and ask those who are certified in the new processes and know how to implement them.

One useful quick reference in the new response plan format is an Emergency Support Function Assignment Matrix (which is often Figure 1), a one-page graphic that shows which agency or department has primary, secondary, or support responsibility for each ESF. This is a handy quick-reference guide for management and staff when trouble comes.

Once a response plan is ready, “standard operating procedures” should be written by each affected department to outline the procedures it will use to respond. The term is in quotes because these are usually issued as guidelines so that there can be some flexibility to adjust to the actual conditions. A requirement for rigid adherence to a procedure is an invitation to litigation.

The complete security response plan should also be for official use only, and released only to those with a need to know. After all, this plan shows troublemakers just how the organization will respond. However, a press release summarizing the plan should be widely circulated so that all stakeholders know the organization is trying to protect them.

23.11.4 Implementation, Accountability, and Follow-Up.

Once all the plans are completed and signed off by management and key officials, the job of implementation begins. Of the How-To Guides mentioned earlier, FEMA 386-4, Bringing the Plan to Life, will be helpful here.

This first implementation step is the most critical to the security-protection process. It begins with training so that everyone involved understands and accepts the procedures. There must then be periodic exercises and drills to test the response plan and to validate that the training has been effective. Plans that are not periodically tested are soon forgotten.

Every exercise and drill must be reviewed to determine what went right and, more important, what did not, and how to do better in the future. So too should every emergency response be reviewed. Documentation before, during, and after the event is important. There will be some lessons learned from each event, and these lessons should be used to update and improve the security systems to work better in the future.

It is also critical to establish accountability for infrastructure security. There should be only one person in charge of each function. Responsibility cannot be spread among management or departments, nor can it be worn as a second hat by someone with many other duties. The senior responsible authority must set up schedules for periodic review and update of the plans and procedures, training, and exercises to make sure that the security program remains current and effective.
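The ESF Assignment Matrix described in Section 23.11.3 and the accountability rule just stated can be checked mechanically. The following added example (not a form or tool from the NRP, FEMA, or this chapter) holds a small matrix, validates it against the rules the text gives (standard ESF numbers keep their NRP titles, organization-specific ESFs are numbered 17 and upward, exactly one primary department and one named person per function) and renders the one-page quick-reference grid. Only the three standard ESF titles the text quotes are listed; the department names, owner names, ESF-17 and the "second hat" threshold are constructed assumptions.

```python
"""Consistency checks for an Emergency Support Function (ESF) assignment matrix.

Added illustration, not a form or tool from the NRP, FEMA, or this chapter.
Only the standard ESF titles quoted in the text are listed; departments,
owner names and ESF-17 are constructed sample values.
"""
from collections import Counter
from dataclasses import dataclass, field

# Standard NRP ESF titles quoted in the text (the rest are omitted here; fill from the NRP).
STANDARD_ESF_TITLES = {1: "Transportation", 2: "Communications & Alerting", 16: "Animal Health"}
FIRST_CUSTOM_ESF = 17   # organization-specific ESFs are numbered 17 and upward


@dataclass
class Esf:
    number: int
    title: str
    primary: list                       # departments with primary responsibility
    secondary: list = field(default_factory=list)
    support: list = field(default_factory=list)
    custom: bool = False                # True for an organization-added ESF
    accountable_owner: str = ""         # the one named person in charge of this function


def validate_matrix(esfs: list, max_functions_per_owner: int = 1) -> list:
    """Return a list of problem descriptions; an empty list means the matrix passes."""
    problems = []
    for number, count in Counter(e.number for e in esfs).items():
        if count > 1:
            problems.append(f"ESF-{number} is listed {count} times")
    for e in esfs:
        standard_title = STANDARD_ESF_TITLES.get(e.number)
        if standard_title and e.title != standard_title:
            problems.append(f"ESF-{e.number} title '{e.title}' should be '{standard_title}'")
        if e.custom and e.number < FIRST_CUSTOM_ESF:
            problems.append(f"ESF-{e.number} is organization-specific; number it {FIRST_CUSTOM_ESF} or higher")
        if len(e.primary) != 1:
            problems.append(f"ESF-{e.number} must have exactly one primary department, has {len(e.primary)}")
        if not e.accountable_owner:
            problems.append(f"ESF-{e.number} has no accountable person in charge")
        for dept, n in Counter(e.primary + e.secondary + e.support).items():
            if n > 1:
                problems.append(f"ESF-{e.number}: {dept} holds {n} roles")
    # Assumed reading of the text's "second hat" rule: one person should not be
    # the accountable owner of more functions than the threshold allows.
    for owner, n in Counter(e.accountable_owner for e in esfs if e.accountable_owner).items():
        if n > max_functions_per_owner:
            problems.append(f"{owner} is accountable for {n} functions")
    return problems


def render_matrix(esfs: list) -> str:
    """One-page quick-reference grid: ESF rows, department columns,
    cells marked P (primary), S (secondary), X (support) or '.' (none)."""
    depts = sorted({d for e in esfs for d in e.primary + e.secondary + e.support})
    width = max(len(d) for d in depts) + 2
    lines = [" " * 8 + "".join(f"{d:>{width}}" for d in depts)]
    for e in sorted(esfs, key=lambda x: x.number):
        row = f"ESF-{e.number:<4}"
        for d in depts:
            mark = "P" if d in e.primary else "S" if d in e.secondary else "X" if d in e.support else "."
            row += f"{mark:>{width}}"
        lines.append(row)
    return "\n".join(lines)


# Constructed sample matrix with two deliberate defects (ESF-17 and a second hat).
SAMPLE_MATRIX = [
    Esf(1, "Transportation", primary=["Facilities"], support=["Security"], accountable_owner="A. Lee"),
    Esf(2, "Communications & Alerting", primary=["IT Operations"], secondary=["Security"],
        accountable_owner="B. Cruz"),
    Esf(16, "Animal Health", primary=["Facilities"], accountable_owner="A. Lee"),
    Esf(17, "Information Infrastructure Restoration", primary=["IT Operations", "Facilities"],
        custom=True),
]


if __name__ == "__main__":
    print(render_matrix(SAMPLE_MATRIX))
    for p in validate_matrix(SAMPLE_MATRIX):
        print("PROBLEM:", p)
```

Run against the sample, the validator reports the two ESF-17 defects (two primary departments, no accountable person) and the owner who carries ESF-1 and ESF-16 as a second hat; the grid is the kind of one-page figure that management and staff can keep at hand.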

Good security management must also include oversight. Good planning must begin in the boardroom, and the directors must also provide continuing oversight to ascertain good security. Outside, independent auditors who report to the board are best able to validate the current condition of the security program. The auditor's written opinion is evidence of whether or not the organization is fully compliant. The best procedure for an infrastructure security audit is suggested in Section 23.2.7.

For management's own peace of mind (and possibly as a requirement for maintaining insurance and obtaining credit), there may be periodic security inspections, testing of defenses, and some penetration tests, including deceptions to gain access done by independent professionals.

23.12 SUMMARY AND CONCLUSIONS.

Here are some parting thoughts and final suggestions on how best to protect the information infrastructure.

Looking back on the events since 9/11, the question is often asked: Are we safer now? The only honest answer is mostly no. There are still many gaps in our security processes and procedures, much confusion and inconsistency about what to do, and still many threats not yet identified or addressed.

The question here is therefore: How can any organization best protect itself and still manage its risks most affordably and effectively?

23.12.1 Federal Guidelines and Instructions Are Still Deficient.

This chapter advocates the DHS/FEMA methodology as the best means of risk management for any organization. Compliance with the many new laws, regulations, and directives that can affect security is advocated also. But, as yet, none of these procedures is either uniform or comprehensive. Nearly all of them remain as works in progress that are incomplete, cumbersome, confusing, and misunderstood. Instead of trying to fix, better implement, and follow the systems that worked quite well during the 1990s, the new administration chose to abandon everything and start anew with new directives and procedures, forming new organizational structures with many more layers of bureaucracy. And currently, the administration has even revoked some of its own procedures in favor of new ones yet to be publicly available. Very few of the people involved have much management experience or any background in security or emergency management. The results so far have been to add confusion, impede progress, constrict the channels of communication, and stovepipe (i.e., compartmentalize) information that should be shared among other agencies. In the process, the capacities of FEMA have been stripped, marginalized, and increasingly underfunded.

The system was supposed to be fixed following the events of 9/11 and Hurricane Katrina. Instead, the new regime has gone off in many directions to pursue terrorism, without recognizing that many other serious threats are likely to happen. Is the system better now than it was before? Probably not yet, but it is slowly improving. Will they ever get it right? Yes, probably, eventually. But when big trouble comes, how much help can an organization expect from the government? As of now, any help may be limited, slow in coming, and unrelated to the immediate response needs. So when trouble comes, it may well be very costly to organizations that are not well prepared.

23.12.2 Good Risk Management Is the Answer.

Then why advocate the federal methodology at all? The answers are: (1) better risk management, (2) a better ability to minimize costs, and (3) by achieving a high level of security planning and management, an organization will be much better able to protect itself and less dependent on help from others. For these reasons, good, effective, and efficient security as described in this chapter is still the best protection.

Good security is an investment that must be carefully planned, analyzed, and implemented, well maintained, and quickly changed when necessary to maximize the investment return. The whole process represents a large investment in time, money, and resources. Management, all who use the infrastructure, and all of the many stakeholders must be involved. Preparedness cannot be relegated to others. Otherwise, security is not a good investment but merely an expense to be tolerated.

The need for security changes and improvements is an ongoing certainty. Threats are always changing, and often the information infrastructure is as well, as are the many regulations that affect the security process and procedures. Nonetheless, it is possible to maintain good security. Every threat situation can be mitigated to some extent to minimize its potential for injury, damage, and disruption, even though the event itself cannot be prevented. Good security planning and management are required, as is compliance with the many and ever-changing regulations and requirements that directly address or indirectly affect security, if only to avoid the high costs of liability. Good risk management seeks to avoid liability. Today, good security is necessarily an integral part of good risk management.

Good security can provide the best possible protection at the least long-term cost for any organization. Anything less than good security is a waste of time and money.

23.13 FURTHER READING

The further readings suggested in Chapter 22 will also be helpful in this chapter.

The Congressional Research Service report to Congress dated June 2006, entitled Federal Emergency Management and Homeland Security Organization: Historical Development and Legislative Options, is interesting reading for anyone burdened with security planning and management. This outlines the federal government's struggles since 1947 to get the system right. It also lists legislation before the 109th Congress to fix the problems. The report can be downloaded from http://fpc.state.gov/C4763.htm. The order code is RL33369.

For an interesting discussion of the inner workings of federal response systems and how better security planning and management can be implemented, see Christopher Cooper and Robert Block, Disaster: Hurricane Katrina and the Future of Homeland Security (New York: Times Books, 2006).
