The intrusion detection misconception.

SECURITY MANAGERS ARE FREQUENTLY led to believe that installing an intrusion detection system protects their assets from forced entry threats. That belief is a widely held misconception. Intrusion detection systems do not provide protection. They only provide detection, as their name implies. Such systems are, however, a major component of an integrated system to protect assets using a minimum of personnel.

An integrated system must also include means to assess the validity of alarms and to delay intruders until they can be intercepted by a response force. Effective protection without fixed guards depends on all those components.

Integrating detection, assessment, and delay elements into a protective system requires a logical, systematic approach. The procedure is divided into two phases: defense and detection. The defensive phase establishes delay elements and the detection phase sets up detection and assessment elements. The defensive phase must be addressed first.

Before we can lay out a protective system, however, we must know two basic facts: what assets need protection and the severity of the threat against them. In considering assets, we also need to know their location in the facility. The threat severity depends on the type of asset, which indicates the type of aggressors who are likely to be interested in it. Assets such as office equipment are relatively easy to dispose of and are likely to be targeted by unsophisticated criminals. Assets such as larger equipment or proprietary information are more likely targets of sophisticated criminals. Aggressors' sophistication also affects the tools they are likely to use to break into a facility. Unsophisticated aggressors tend to use simple hand tools such as hammers and pry bars while the more sophisticated may use power and thermal tools.

Knowing the general types of tools that may be used in an attempt to compromise an asset is important to determine the delay time various building elements offer against them. A detailed treatment of threat is beyond the scope of this article, however.

LAYING OUT THE DEFENSIVE ELEMENTS of an integrated protective system requires four basic steps: determining response time, identifying defensive layers, establishing delay times of those layers, and comparing delay time to response time.

Response time is the basis for the defensive phase. Without a reasonable response time, you cannot have an effective protection system. For example, in one project, the operators of a hydropower plant were concerned about terrorists breaking into their facility and sabotaging equipment. Their response force was a county sheriff's deputy on a roving patrol of a vast area of the county. The deputy's response time was between 15 minutes and two hours, depending on his location at the time of the call.

Plant operators planned to install an elaborate intrusion detection system to "protect" their equipment. Building two hours of delay into a facility is at least prohibitive and at most impossible. With their initial plan, which did not incorporate any delay, their protection would have been just as effective if they had allowed the sound of a bomb exploding to serve as their detection system. They needed a shorter response time.

The time in which guards or police can intercept an aggressor in response to an alarm must be established and must be within a reasonable range for protection to be practical. The response force must also be capable of defeating or containing an aggressor.

Once response time is established, the layers of building elements that can delay an aggressor can be examined. A defensive layer is an envelope surrounding an asset and includes walls, doors, windows, floors, and ceilings. A container such as a safe may also be a defensive layer.

We can establish three general defensive layers in a building: a safe or other container, the surfaces of an interior room, and the exterior surfaces of the building. A fence around the building can be considered another defensive layer. Building layouts that include rooms within rooms may have multiple interior layers. Recognize, however, that if the surfaces of one layer are part of another layer, one of those layers is effectively negated. For example, if a room in which an asset is housed shares walls with a larger room surrounding it, only one defensive layer exists for two rooms.

Next, we need to establish the delay time of each defensive layer by determining the delay times of each component in that layer. Doors, walls, windows, floors, and ceilings are likely to have different delay times against the same threat. The delay time of any defensive layer is limited to the shortest delay time of the components within it. Doors and windows are frequently the weakest components.

One "secure" room, for example, had a heavy, forced-entry-resistant door installed in a wall constructed of sheetrock on wood studs. Anybody dedicated enough to break through the door could much more easily break through the wall. In that case, the wall was the weaker component. Consider all possible entry routes in each layer.

Delay times can be found in manufacturers' literature for components such as doors, windows, and containers. Data bases of delay times are available for other components. In assessing delay times, work from the innermost to the outermost defensive layer. The cumulative delay time at any point in a facility is the sum of the delay times of all defensive layers between that point and an asset. The system delay time is the sum of the times of all defensive layers in the facility and represents the maximum delay time available.

When considering fences as defensive layers, recognize that they generally provide negligible delay. They are useful for deterrence, boundary demarcation, and sensor mounting surfaces. However, tests show that even fences with razor ribbon delay an aggressor climbing over them by only four seconds and one cutting through them by 10 seconds.

One manufacturer sells a fence that is difficult to climb and may delay cutting by up to a minute if fitted with a special fabric. The method appears promising but is quite expensive. Another manufacturer of prefabricated perimeter walls once stated his wall would provide up to 45 minutes of delay to forced entry. He had neglected to consider the short time needed to climb over it, however. In general, I recommend you ignore delay times of perimeter walls and fences.

Once delay times are established, compare them to response time. If delay time is greater than response time, the defensive system is sufficient. If the delay time is less, however, you need to find ways to increase it. If the cumulative delay time at some interior defensive layer is close to the response time without considering subsequent outside layers, consider upgrading that layer or layers interior to it. The smaller the area you have to protect, the better.

To increase a layer's delay time, begin with the component within that layer with the least delay time. You can upgrade component delay times by adding bars to windows or replacing a light door with a heavier one. Do not ignore hardware on doors and windows - it may be their weakest link. Similarly, walls, ceilings, and floors can be upgraded by adding wood or steel plates or replacing the component with different material.

Obviously, those steps are easier to take before a building is constructed than after, which underscores the importance of security professionals' getting involved in facility design at its inception. Also, activated barriers sold under the trade names FOIL (commonly known as sticky foam) and VOID (commonly known as cold smoke) can be added to a defensive system to increase delay.

NEXT WE MOVE INTO THE DETECTION phase, which will set up the intrusion detection system and an assessment system to verify alarms. This discussion will not delve into the complex issues of particular sensors or the advantages of one camera type over another. It will cover only the basic philosophy for integrating such elements with delay elements to form a protective system.

With a defensive system defined, a detection system will easily follow because they are interdependent. Detection must occur outside or at the defensive layer that allows adequate response time, which was previously established. You now need to determine where to place intrusion detection sensors and what type to use.

Detection must occur before an aggressor breaches a defensive layer for that layer's entire delay time to be counted. One all too common practice is installing interior motion sensors inside a room where an asset is stored in the open. In those cases, aggressors gain entry to the room before they are detected, providing no delay.

Another common practice is installing balanced magnetic switches on doors or glass breakage sensors on windows that lead into a room where an asset is stored openly. Again, once the alarm goes off, the aggressor is already in the room. In both cases, aggressors are likely to escape with an asset before they can be intercepted, unless response time is instantaneous.

In those cases, the sensors are misplaced. Exhibit 1 shows potential general locations for sensor application, which are referred to as detection layers. Exhibit 2 indicates which detection layers correspond to each defensive layer. Note that each defensive layer has two potential detection layers: one on the defensive layer and the other adjacent to it.

After determining where to place sensors, decide what types to use. Exhibit 3 shows the general categories of sensors used in the different detection layers.

Fence-mounted sensors include fence disturbance and electric field sensors and are applicable where a fence is the outermost layer of defense. Exterior sensors may be installed adjacent to a fence, between a fence and a building, or adjacent to a building. Since we ignore any delay time associated with fences, we are only interested in detecting aggressors before they reach the exterior surface of the building.

Note that the length of the sensored perimeter, and therefore the system's cost, decreases as we get closer to the building. Exterior sensors here include free-standing or buried electric field sensors, infrared or microwave beam sensors, and seismic sensors. Interior penetration sensors are placed on building surfaces and include shock, vibration, or grid-wire sensors for walls, floors, and ceilings. Ultrasonic and acoustic sensors could also be used.

Penetration sensors for doors and windows include balanced magnetic switches, shock sensors, and other glass-breakage sensors. Capacitance sensors can also be used when windows have bars. Recall that when balanced magnetic switches are installed on doors, the alarm goes off when the door is breached. A second door farther inside from the sensored door and laid out in a foyer arrangement can overcome that limitation. Interior motion sensors include microwave, ultrasonic, and passive infrared. Point sensors are applied immediately adjacent to or on containers and include pressure mats and capacitance sensors.

Selecting types of sensors within the broad categories requires detailed investigation of the environment in which the sensor will be placed. Such investigation is beyond the scope of this article but is part of the procedure for laying out a detection system.

In some cases, different types of sensors are installed in the same detection layer to increase the probability of detection. Sometimes a second layer of sensors is recommended when building elements either don't meet regulations or provide insufficient delay. Such an approach only increases the probability of detecting someone who has already compromised an asset.

If you install enough layers of sensors, perhaps an aggressor will get tangled in the conduit while attempting to break through the wall. Multiple sensor layers should only be installed to improve detection, not to compensate for an ineffective defensive system.

When an alarm registers at a control console, an operator must assess the alarm's validity. He or she can either dispatch a guard to investigate or use a closed-circuit television system to assess the alarm remotely. Since one goal in establishing a detection system is to reduce personnel, we will proceed with the remote assessment assumption.

Assessment systems that are keyed to the detection system must assess the presence of intruders where sensors are activated. Therefore, assessment zones must correspond to detection zones. Where possible, one camera should cover each detection zone, and zones should be small enough to be monitored by one camera. Although one camera can view multiple zones using a pan/tilt mechanism, beware of such applications for assessment. Frequently the mechanisms are slow and an aggressor may be out of view before the camera can be aimed in the proper direction.

Selecting cameras and their peripherals is also part of this procedure in its complete form, but only the relationship between assessment systems and intrusion detection systems will be covered here.

The final step in this procedure is to determine lighting requirements to support assessment, if required. Requirements depend on the types, location, and desired resolution of cameras. Again, selecting lighting intensities and luminaire types is part of this procedure but beyond the scope of this article.

At this point, we have laid out an integrated system to protect assets against a forced entry attempt. A brief example should clarify the application of this procedure. Consider the single-story facility layout shown in Exhibit 4.

Assume the response time is 10 minutes. The enclosures labeled A and B are potential locations for a vault. Vault A is entirely separate within the room while Vault B shares a wall with the room enclosing it. The delay times in minutes for each of the defensive layers are shown in circles and represent the weakest elements within each layer.

The potential defensive layers associated with Vault A are the surfaces of the vault, the surfaces of the inner rooms, the interior surfaces of the perimeter rooms, and the exterior building surfaces. The total system delay time for that defensive system is 7 + 3 + 1 + 2 = 13 minutes. Note, however, that the response time (10 minutes) is met at the inner room surfaces, which becomes the outermost defensive layer.

The defensive system for Vault B is not the same as for A. The vault shares a wall with the inner room and, therefore, cannot take advantage of the three-minute delay time associated with that layer. The total system delay time for Vault B is 7 + 1 + 2 = 10 minutes. It is equal to the response time, but the outermost layer of defense is the facility's exterior, which requires a greater protected area.

Since the outermost layer of defense for Vault A is the inner room surrounding the vault, the detection layer is based on the inner room surfaces. Exhibit 2 shows that detection layers 4 or 5 apply where the outermost defense layer is an interior wall. Layer 4 is adjacent to and outside the room's surfaces while layer 5 is on those surfaces.

Exhibit 3 shows that interior motion sensors or interior penetration sensors apply to layers 4 and 5, respectively. Let's go with detection layer 4 and place motion sensors in the hallway to detect intruders before they get to the defensive layer. Note that we also need to put sensors above the room to detect intrusion through the ceiling.

Since the building exterior is the outermost layer of defense for Vault B, Exhibit 2 shows that detection layers 2 or 3 apply. Exhibit 3 shows that exterior sensors outside the building surfaces or penetration sensors on them apply.

The assessment system for Vault A would need to monitor the hallways and the attic above the room while the system for Vault B would need to monitor the perimeter and roof of the building. Vault A would probably not require special lighting while Vault B probably would since it would require exterior cameras. Clearly, Vault A has the superior location.
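The layer arithmetic from this example, written out as an added Python example that is not part of the original article: a layer's delay is its weakest component, cumulative delay is summed from the asset outward, and a layer only counts if detection happens before it is breached. The component names and per-component minutes are constructed so that each layer's minimum matches the figures above; the function names are hypothetical.

```python
from dataclasses import dataclass
from itertools import accumulate

@dataclass
class Layer:
    name: str
    components: dict      # component -> delay in minutes against the design threat
    counted: bool = True  # False for fences, or a layer sharing surfaces with another

    @property
    def delay(self):
        # A layer delays only as long as its weakest component.
        return min(self.components.values()) if self.counted else 0

def cumulative_delays(layers):
    """Running sum of layer delays, innermost layer first."""
    return list(accumulate(layer.delay for layer in layers))

def outermost_required_layer(layers, response_time):
    """Innermost layer at which cumulative delay meets response time, else None."""
    for layer, total in zip(layers, cumulative_delays(layers)):
        if layer.counted and total >= response_time:
            return layer.name
    return None

def credited_delay(layers, sensor_layer, detects_before_breach):
    """Delay remaining after the alarm. The sensored layer counts only if
    detection occurs before that layer is breached."""
    idx = [layer.name for layer in layers].index(sensor_layer)
    end = idx + 1 if detects_before_breach else idx
    return sum(layer.delay for layer in layers[:end])

def build(shared_wall):
    # Constructed component values; layer minima are 7, 3, 1, 2 as in the example.
    return [
        Layer("vault", {"door": 7, "walls": 20}),
        Layer("inner room", {"door": 3, "walls": 5, "ceiling": 4},
              counted=not shared_wall),  # negated when the vault shares its wall
        Layer("perimeter rooms", {"door": 1, "walls": 3}),
        Layer("building exterior", {"windows": 2, "doors": 4, "walls": 10}),
        Layer("fence", {"fabric": 0.2}, counted=False),  # fence delay is ignored
    ]

VAULT_A, VAULT_B = build(shared_wall=False), build(shared_wall=True)
RESPONSE_TIME = 10  # minutes

if __name__ == "__main__":
    for label, layers in (("A", VAULT_A), ("B", VAULT_B)):
        print(label, cumulative_delays(layers)[-1],
              outermost_required_layer(layers, RESPONSE_TIME))
    # Sensor that alarms only once the inner room is breached: that layer is lost.
    print(credited_delay(VAULT_A, "inner room", detects_before_breach=False))
```

With the sensor alarming only after the inner room is breached, Vault A is credited with 7 minutes rather than 10, which falls short of the response time.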

This article has outlined a procedure for integrating defensive and detection elements to create an overall protective system for assets susceptible to forced entry. The procedure, in summary, is as follows:

* Determine response time.

* Establish defensive layers.

* Determine delay time.

* Compare delay time to response time.

* Establish detection layers.

* Select sensor types.

* Establish assessment zones.

* Select assessment system equipment.

* Establish lighting requirements.

That is a shortened and simplified version of a procedure in the US Army Corps of Engineers Security Engineering Manual. The integrated system incorporates delay, detection, and assessment and is likely to be ineffective unless it considers all those elements.

Without detection, aggressors have all the time they need to break into a facility. Without delay, aggressors are likely to compromise an asset and escape before they can be intercepted. Without assessment, intrusion detection system operators lose confidence in the system due to nuisance alarms and staff requirements to assess alarms increase.

Do not allow people to convince you that an intrusion detection system provides asset protection. Ensure that your system incorporates the other components necessary to make it a true protective system.

About the Author: Curt P. Betts is a security engineer and program manager for the US Army Corps of Engineers Protective Design Center in Omaha, NE. He is a member of the Architect-Engineer Subcommittee of the ASIS Standing Committee on Physical Security.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:intrusion detection systems alone do not provide asset protection
Author:Betts, Curt P.
Publication:Security Management
Date:Jun 1, 1990