Beyond the Fence: Why We Need to Redefine Perimeter Protection
Your perimeter is where your legal responsibility for security begins, but it is not where your security should start. The perimeter defines your property, resources, and people being protected. Your perimeter protection is effectively the first line of defense in your physical security program and can include lighting, barriers, guard posts and patrols, as well as electronic security systems. It is the electronic systems, however, that have a unique ability to project your security beyond your perimeter.
Traditionally, a perimeter is marked by a fence, wall, hedge, warning signs or some other type of defining feature. To improve security, these features are often augmented with lighting, intrusion-detection sensors, security cameras, and access control devices. Unfortunately, despite the best integration efforts, gaps in the perimeter often persist and gaps beyond the perimeter are often the norm.
When it comes to perimeter protection, the most common purpose is to deter, detect and defend a facility from threats. But in recent years, we have seen security threats grow beyond the physical world as bad actors have learned how to challenge a defined perimeter using cyberattacks, like malware and data breaches. Data breaches exposed 36 billion records in the first half of 2020 alone. While cyber threats carry a large financial risk for businesses, the threat to a company’s reputation is far greater: If a company’s cybersecurity is overcome by a hacker, why would customers continue to buy their goods and services?
In this article, I want to introduce another objective to perimeter protection: to disrupt threats entirely. Rather than simply reacting to events as they happen, your perimeter security should take a proactive approach so you can identify threats and prevent them from impacting your organization in the first place. We will discuss the essential elements of perimeter protection, why we need to redefine the perimeter, and how you can protect your organization from threats beyond the fence.
Your Perimeter as the First Line of Defense
When you picture a perimeter, your first thought might be a physical barrier, usually a fence or a wall. From there, we can think of different ways to reinforce the perimeter, like adding access control points, surveillance cameras, floodlights and guard patrols. The intent is always the same: to make the perimeter very difficult to breach so it takes time and effort to get through. The difficulty and time needed to breach the perimeter usually, but not always, act as a deterrent.
Deterrence is an effective way to reduce the risk of theft and vandalism, but it is limited to physical threats. The problem is the passive nature of deterrence rather than an active role of disruption. Instead of outlining a perimeter by its physical characteristics, let’s define a perimeter by the risks you might face: threats and hazards.
Threats and hazards require different approaches to security. A threat is a deliberate attack driven by independent will, like an intruder or a hacker. A hazard is a naturally occurring or accidental event, like an animal or a lightning strike. Unlike a hazard, a threat will adjust according to the security in place, so knowing the threats your facility might face is a critical part of developing a security program.
By identifying threats and hazards, you can better understand the space being protected. Defining a space is a central tenet of crime prevention through environmental design, or CPTED, a long-standing doctrine in the security industry. CPTED states that territoriality, or how we define ownership of a space, can communicate to adversaries that they are entering a protected space. In other words, territorial definition increases deterrence.
If a perimeter is the most concrete method of defining a protected space, how you secure a perimeter determines how you protect an entire site. While many businesses invest in traditional solutions for perimeter protection (usually at least a fence line, lights and some security cameras), today a bad actor can affect a facility without ever setting foot in it. So what happens when a physical perimeter cannot adequately protect an organization?
Why Traditional Perimeters Are No Longer Enough
Technology has evolved rapidly in just the past few years, leading our society to become highly dependent on critical infrastructure that often lies outside the boundaries of a perimeter.
One common example is data centers, which are the intersection of the physical and cyber worlds. Because data centers are physical locations that house equipment for telecommunications and data storage, cybercriminals can infiltrate them to gain control over data, cost people and businesses money and possibly endanger the world.
Bad actors already know that they can take down critical infrastructure without entering a site. In April 2013, a group of gunmen attacked a Pacific Gas and Electric Company substation near San Jose, Calif., knocking out 17 electrical transformers and causing over $15 million in equipment damage. While energy grid officials were able to reroute power to prevent a blackout, the attack showed how the national electric grid was vulnerable to security threats beyond its perimeters.
In July 2020, a small recreational drone carrying copper coils and nylon cords was used to successfully attack an electric utility substation in Hershey, Pennsylvania. The damage caused by the drone was not extensive, but it demonstrated how a drone, which is relatively inexpensive and widely available, could be used to disrupt critical infrastructure.
In February of last year, a group of hackers remotely accessed a water treatment plant in Florida and changed the levels of lye in the drinking water, which could have badly sickened thousands of residents if the attack hadn’t been caught in time. For years, cybersecurity experts have warned of attacks on small municipal systems, such as water plants and oil and gas pipelines, that rely on technology to monitor sites and often do not have the resources for a comprehensive cybersecurity plan.
In May of last year, a ransomware attack forced the closure of the Colonial Pipeline for six days, which impacted gasoline supplies in 17 states. This was the largest cyberattack on oil and gas infrastructure in U.S. history and cost Colonial Pipeline $4.4 million.
Cyber is only part of the problem. With the ever-changing nature of security threats, we need a proactive approach to perimeter protection. This means that defending the perimeter needs to be human-aware and self-adapting. A successful perimeter security program needs to inform human decision makers of what’s happening and must be flexible and easy to adjust in response to changing threats, physical or cyber.
3 Steps to Looking Beyond the Perimeter
Now that we know that a successful security strategy cannot only react to threats within a perimeter, how can we shift our strategy to be more proactive? It’s not enough to add some new cameras or alarms to your perimeter. To protect your organization from today’s threats, you must fundamentally change how you identify threats, create your security strategy, and execute your plan. To disrupt threats effectively you should use a three-step approach.
1. Gather Intelligence and Analyze Data
How you detect threats plays an important role in how you prevent them from affecting your business. In January 2021, rioters breached the U.S. Capitol, forcing members of Congress into lockdown and resulting in the deaths of four people. The U.S. Capitol Police Force was completely unaware of the planned attack, despite numerous reports from different federal law enforcement agencies that warned of threats of a planned attack on the Capitol before it occurred.
This is an important example of why proactively identifying threats is not an optional part of your security strategy. Older models of security deploy passive patrols and cameras evenly across the landscape without considering specific variables, such as location, current events, and targeted threats. However, the newer approach emphasizes the need for intelligence-based security.
Your security team needs to know who is talking about your organization and why: Are you dealing with minor complaints, or could there be an organized plan to infiltrate your facility or breach your network? You must gather intelligence from multiple sources, like social media, law enforcement reports, and even the dark web, to create a complete view of the threats you could face. But the real challenge is finding useful information in a sea of irrelevant data, so you can determine which threats are viable.
If you responded to every potential threat without investigating the validity or danger of each one, you could end up wasting a lot of time and resources. Instead, you can deploy analytics to comb through your data and identify credible threats. By automating this part of the process, your team can respond to threats and even prevent them from happening, making your security strategy both effective and efficient.
2. Put the Red Hat On
If you’ve ever evaluated your cybersecurity system, then you most likely did some type of penetration testing. A penetration test is a deliberate attack against a system to identify any vulnerabilities, like the potential for hackers to infiltrate your system, to complete a full risk assessment. Penetration testing is an effective way to evaluate all areas of your security program, not just your network.
Most organizations perform “white hat” penetration tests, which is when a security expert is authorized to infiltrate a facility or hack into a system to discover any weaknesses. In white hat penetration testing, you are made aware of the hacker’s presence and can prepare to ensure your security program performs well.
In comparison, “red hat” penetration testing is when a security expert arrives unexpectedly and actively tries to defeat your security measures by any means necessary. Red hat testing is unannounced, and as such, is often a better measure of your security strategy’s performance on an average day, without the aid of extra preparation.
Both white hat and red hat penetration testing should be used to measure the effectiveness of your security program. White hat testing is most useful as a training tool to make sure your team is familiar with security and incident response procedures. It should be a “no fault” exercise where mistakes are viewed as learning opportunities and immediate retraining is provided without consequence. Red hat penetration testing should come with careful planning and oversight to ensure safety and limited objectives and should only be used after your site has been properly trained. Unfortunately, most organizations only discover their system’s vulnerabilities after a breach or an incident of theft or violence. After you investigate the incident, there is still the cost of recovery, along with the unquantifiable damage to your organization’s reputation.
I highly recommend that you invest in both proactive threat monitoring and penetration testing to avoid the greater cost of a bad actor successfully infiltrating a site or system to steal sensitive data, destroy property or even cause harm.
3. Leverage New Technology
Many security solutions, like surveillance cameras and alarm systems, often fall into a more passive role, acting more as investigative tools after something has happened. But the latest in emerging technology enables us to prevent threats from affecting an organization entirely.
I can’t remember a time in my career when technology has become so advanced in such a short amount of time. In just the last five years, we have seen rapid advancements in emerging technology such as artificial intelligence and machine learning.
Video analytics has completely revolutionized how we use technology in a security program. The latest video analytics can be programmed to recognize specific objects; for example, video analytics can tell you if a person in your facility is carrying an umbrella or an assault rifle.
While radar has existed since World War II, today we can combine radar with advanced video analytics to distinguish legitimate security threats from false alarms. Recent advancements in thermal imagery have led to the development of powerful night-vision security cameras that can monitor your facility even better than standard security cameras in the daytime.
Remote monitoring has become a more popular solution for businesses that want around-the-clock security at a more affordable price. As the latest generation technology standard in cellular networks, 5G creates near-zero latency from a camera to a video feed. Today, you can monitor sites remotely and respond to events in real time by triggering an alarm, engaging with an intruder via a speaker or contacting the authorities.
Placing these advanced electronic security capabilities along your perimeter extends your influence beyond the legal boundaries of your site. There will always be some limitations caused by terrain and other obstructions, but with today’s technology it is possible to see threats as they approach your perimeter and dispatch security to meet them. This same technology allows you to activate powerful spot lighting and even initiate “talk-down” voice communication. There is nothing more unsettling to a potential intruder than to have a voice announce that law enforcement has been notified.
While it can be tempting to add all the newest gadgets to your arsenal and see how they perform, security technology performs best when you know exactly what role each solution plays in your security strategy. Evaluating your current security program and threat landscape can help you make more informed decisions about what kind of security solutions to invest in.
A successful security operation needs to have a forward-thinking strategy. Your security should tell you what threats you might face, where you are vulnerable and how you can respond. Rather than waiting for adversaries to breach your perimeter, you can disrupt their plans and get them to rethink their attack entirely.
By transitioning to an approach that empowers your team to respond to events and adapt your program to a changing security landscape, you can operate beyond the fence line. If you have thorough testing, protocols and response drills, you could even argue that you don’t need a physical fence — your security program will identify and prevent threats before they even get close.