Information and Communications Technology exists in a realm of the virtual. The image that comes to mind when ICT is mentioned is that of software and codes, and devices that are secured by mind-boggling virtual complexity. This is a sexy and seductive image, but it is only part of the picture. ICT security also involves and requires – indeed, demands – physical security. ICT assets like hardware, networks, data, personnel, and locations must be secured against unauthorized physical access. A prized ICT asset can be put out of action virtually by being hacked or compromised, or it could just physically be stolen and taken away. The effect is the same: the asset is no longer available for legitimate ICT access. Unfortunately, physical security is often overlooked, usually to the peril of organizations when they realize, typically through experience, that an ICT asset can simply be taken away with very little or no technical knowledge on the part of the attacker. To protect ICT assets from physical threats and circumstances that can lead to significant losses to the corporation, physical security must be planned and executed to an exacting standard, using several components that work together to deter physical attacks against ICT assets.
There are three components to physical security, and they work together to facilitate several aims. First, they aim at deterring potential intruders from attempting an attack in the first place. This is the most desirable outcome. Such an aim is only possible if the security system can distinguish between legitimate and unauthorized access attempts. A working security system should then stop the unauthorized access while allowing the appropriate level of legitimate access. If a potential attacker gives up even before attempting their attack in the first place, while legitimate users continue accessing desired resources according to their respective access levels, the system has worked fully.
If deterrence fails and the attacker goes ahead to attempt an intrusion, the physical security system must try to prevent the intrusion as a first option. This is the ideal situation, but a determined attacker will likely have done their homework and might be able to get beyond the initial defenses of the physical security system. In such a case, the system must delay the intrusion. This involves putting obstacles in place that frustrate the attacker. The delay gives the system time to trigger the appropriate notifications and responses to the attack, such as alarms to alert security guards and police of the attack, and various visual or audio diversions to further confuse the attacker.
While all this is happening, the security system needs mechanisms to record whatever is going on. These mechanisms can also include pre-emptive tools to carry out surveillance and therefore provide vital information to the corporation about potential threats to its ICT assets.
These three components can be actualized using various mechanisms. First, deterrence involves placing obstacles in the way of potential attackers at the sites at which ICT resources are located. Such obstacles include basic tools like warning signs, fences and walls, barriers, security lighting, vehicle restrictions and similar measures to restrict movement into and out of the secured sites.
After deterrence, preventing intrusion requires the use of mechanical access control mechanisms. These include doors, gates, locks and keys. Electronic mechanisms can be integrated into the mechanical access control system, so that control of keys is easy and replacing a lock only requires reprogramming, which is cheaper than with manual locks, where the entire lock must be replaced. Additionally, access control should involve the use of policies that facilitate the screening of everyone entering or accessing the secured site. This can be accompanied by security personnel or card-reading systems that match cardholder and biometric data to ensure that access is by the person so authorized.
Despite all these measures, intrusion can and does occur at secured sites. This is why intrusion detection is vital. Detection triggers notifications such as SMS alerts, site-wide door lock-downs and alarms upon the detection of any intrusion. Intrusion detection typically takes the form of sensors: accessing a secured site without using the right protocols and tools results in a sensor alerting the alarm system, which in turn alerts the response team to visit the secured site immediately. Detection can also take the form of visual or audio identification. Highly secure systems can be set up to recognize the facial or audio characteristics of people allowed to access them. In the case of an intrusion, surveillance cameras and audio challenges can be used to verify if the person within the secured site is indeed authorized to be there. If there is any doubt, the site can be locked down automatically pending the intervention of a human, who can then make the final decision as to whether to raise the alarm or not.
Finally, once the intrusion has been detected and the alarm raised, a human or other response is normally the final step. It should be noted that physical security can also be adapted to be used for environmental challenges like fires or flooding, or even electricity blackouts. The actual elements that perform the various steps in the chain of physical security might differ, but the aim is the same and the order of actions is also identical. Although largely ignored, physical security is just as important in securing ICT assets as its much-vaunted logical cousin.
The author is an ICT consultant working for Saudi Telecom Corporation in Riyadh, Saudi Arabia.
By Peter Wanyonyi