Journal TZ — Methodology for assessing the state of engineering and technical security of objects.
Author: Alexander MALTSEV, Technical Director of Intel Tectum, PhD in Engineering
When planning capital expenditures on equipping facilities with engineering and technical security equipment, there is always the task of rational spending of material resources. To determine the need to additionally equip a particular facility with security equipment, it is necessary to focus on assessments of the security of facilities from potential threats.
Assessment of the state of security is an act established by the organization's regulations, consisting of an analysis of the security system of protected facilities in order to determine its ability to resist the actions of potential violators.
The final result of the assessment is a conclusion on the level of sufficiency of the adopted security measures, which is made on the basis of a set of security indicators based on the results of the assessment.
The proposed methodology establishes a unified approach to the analysis and assessment of the sufficiency of measures for the physical protection and security of facilities from existing or predicted internal and external threats.
The assessment of the state of security of the facility is determined based on the results of:
monitoring the fulfillment of established requirements for the physical protection and security of the facility;
determining the model of potential intruders and analyzing the vulnerability of the facility.
Conducting an analysis of the vulnerability of the facility, determining the models of potential intruders is aimed at checking the adequacy of protection against existing and predicted external and internal threats by identifying vulnerabilities in the protection system that may occur even when the established requirements are met. The results of the assessment provide grounds for developing rational solutions to ensure the required security of facilities of various hazard categories.
1. Security status indicator system
Security as a set of organizational and technical measures aimed at ensuring the protection of an object is assessed by indicators of its two properties: integrity and vulnerability.
Integrity is a security property that characterizes its compliance with the requirements established in regulatory and organizational and administrative documentation.
Vulnerability– a property of security that characterizes its shortcomings in the ability to withstand threats established for the protected object.
Integrity indicators:
1) completeness of implementation of established organizational measures for physical protection and security of the object from sabotage and terrorist threats;
2) level of qualification of personnel involved in ensuring measures for physical protection and security of the object;
3) completeness of equipment and technical condition of the complex of engineering and technical means of physical protection or security.
Integrity indicators are qualitative indicators.
Vulnerability indicators
Vulnerability is assessed by qualitative and quantitative indicators.
Qualitative indicator – the possibility of penetration by an intruder.
Quantitative indicator – the probability that an intruder will be able to overcome security barriers (engineering and technical means and security forces) and reach the object of interest.
The adequacy of the adopted protective measures is determined by the magnitude of the risk posed by the vulnerability of the object and the magnitude of the possible consequences of the intruder's actions in relation to this object.
The degree of risk of the object is determined by the obtained values of the vulnerability of the object and the significance of the consequences of the intruder's possible impact on the object determined for the object.
The scales of qualitative indicators contain from 3 to 5 gradations. The values of the indicator assessments are linguistic and numerical.
The reduction of particular indicators into a generalized (integral) indicator is performed using reduction matrices, by the average numerical value using certain logical rules. To find the average value, the numerical values of the indicator assessment are used.
A number of assessments are taken directly from the «Declaration of Industrial Safety» (the magnitude of the socio-economic consequences of accidents at critical elements of the facility) and materials (act and protocol) categorizing the facility by the degree of potential danger and terrorist vulnerability.
2. Formation of an intruder model for an object
Intruder model is a formalized or informal description of an intruder and his actions in relation to a protected object.
An intruder model consists of the following components:
— categories of intruders that can affect the protected object;
— objects of protection on which the appearance of an intruder of each type is likely;
— motives for the actions of intruders of each category;
— the number of violators of each category;
— technical equipment of violators;
— possible level of awareness of the facility, its security system;
— level of qualification and preparedness to commit illegal acts.
3. Integrity assessment
Requirements for physical protection and security of facilities are established by regulatory documents, including departmental ones. Requirements for physical protection and security are differentiated depending on the category of the facility. When monitoring requirements for physical protection and security, it is necessary to provide for an inspection of:
the completeness of the implementation of established organizational measures for the physical protection and security of the facility from sabotage and terrorist threats;
the qualifications of the personnel involved in ensuring measures for the physical protection and security of the facility;
completeness of equipment and technical condition of the complex of engineering and technical means of physical protection (ETM FZ) or security.
The generalized integrity assessment has four values:
— «full integrity» (4);
— «satisfactory integrity» (3);
— «partial integrity» (2);
— «unsatisfactory integrity» (1);
and is a summary of assessments of the level of personnel qualifications, the degree of documentary provision and the degree of technical equipment of the facility's security means.
The convolution is carried out in two stages. First, using the convolution matrix, a convolution of the assessments of the level of personnel qualification and the degree of documentary provision is obtained, then the obtained result is convolved with technical equipment. The convolution rule of indicators assumes that the indicators are distributed by significance as follows:
«documentary provision» <"personnel qualification" <"technical equipment".
4. Vulnerability analysis
Vulnerability analysis of security is carried out in order to assess the possibility of unauthorized access by an intruder to protected objects. Vulnerability analysis is the most complex and labor-intensive stage, requiring a detailed study of the construction of the security system, knowledge of the operating principles of technical security equipment, and their technical characteristics.
The first stage of vulnerability analysis is the stage of forming probable routes of movement of suspected intruders to certain protected objects. Theoretically, there can be quite a large number of routes, but in practice it is always possible to determine the most probable of them. Most likely, these will be routes that use gaps in the protection system, in other words, use its vulnerable spots. Identifying such spots during the assessment is already, to a certain extent, an assessment of vulnerability.
The second stage of vulnerability analysis evaluates how easy it is for an intruder to follow the established routes. In a qualitative evaluation, at this stage it is necessary to compare the capabilities of a particular intruder with the technical characteristics of the ITS FZ standing in his way and with the capabilities of the security personnel to prevent the intruder's actions and draw a conclusion about the vulnerability of the security system. In a quantitative evaluation, the probability is calculated that the security forces and means will allow the intruder to reach the protected object of interest.
Probabilistic calculations are based on the technical characteristics of detection means (the probability of missing the target), on estimates of the intruder's delay time by engineering means and natural barriers, and on estimates of the security forces' response time.
The probabilities of preventing the intruder's actions on the route are calculated using approved departmental methods, for example, in accordance with the requirements of the Gazprom OJSC standard STO 2-1.4-082-2006.
Qualitative assessment determines the most probable routes of movement of intruders to the protected object. Qualitative vulnerability assessment ( ) has 4 values:
1 – vulnerable (protection is clearly insufficient or absent);
2 – most likely vulnerable (protection is most likely insufficient);
3 – possibly vulnerable (protection is possibly insufficient);
4 – no vulnerabilities identified (protection is sufficient).
The vulnerability of each route is assessed, the assessment is designated by the symbol , where the upper index K means that the assessment is qualitative, the lower indices: M — means that the assessment relates to the route, j is the index (number) of the PFZ to which the route is defined, i is the number of the route to the given protected object. Moreover, the route index consists of the index of the route itself and the indices of the intruders who are expected to use the given route.
For example, if it is determined that intruders will use two routes to the protected object, and the first route will be used by three types of intruders, and the second by four, then i will have seven values from 1 to 7.
A qualitative assessment of the vulnerability of the protection of the PFZ is determined by the criterion:
,
The general assessment of the vulnerability of the object is determined by the criterion:
The assessments are determined not on the set of all intruders, but for each category of intruders separately. This is done because an internal intruder may have authorized access to the protected object, and the object is quite vulnerable to an internal intruder. At the same time, it is difficult to expect serious terrorist or sabotage acts from an internal intruder. The aggregate intruder is identical to an internal intruder in terms of openness of access to the protected object, and approaches an external intruder in terms of the severity of the consequences of his actions. Therefore, it is inappropriate to collapse vulnerability indicators for different categories of intruders into an integral indicator; security means and forces are, first of all, protection from an external intruder. All further assessments will be conducted separately for each category of intruders.The obtained qualitative vulnerability assessments are entered into the final report document. To compare the protected objects by the degree of vulnerability, they are ranked. Ranking is performed for each category of intruders according to the lexicographic rule: first, the objects are arranged in descending order of the number of vulnerabilities (the number of intruder's routes to them), characterized by minimal protection (assessment — «no protection or clearly insufficient»), multiplied by the number of intruders of the considered category, determined for this protected object. If this number is equal, the objects are distinguished by the number of vulnerabilities of the next gradation (protection is most likely insufficient), multiplied by intruders, then the number of vulnerabilities «protection is possibly insufficient», multiplied by the number of intruders, and, finally, by the total number of routes to the protected object, multiplied by the number of intruders. The ranking results are presented in the form of report documents.
Thus, the security of an object is characterized by three qualitative vulnerability assessments:
— vulnerability to external intruders ( );
— vulnerability to internal intruders ( );
— vulnerability to a combined intruder ( ).
The quantitative vulnerability indicator (VI) is the probability that an intruder will be able to overcome the security barriers and reach the protected object of interest. This indicator is related to the security quality indicator by the expression:
UV = 1 – C,
where C is the probability of the intruder’s actions being stopped by the security system.
A distinction is made between the vulnerability of the security on the route – , the vulnerability of the security of the protected object – , determined on the set of routes to the given object, and the vulnerability of the security of the object – , determined on the set of protected objects.
The vulnerability of the security on the i-th route to the j-th object is determined by the expression:
,
where is the probability of stopping the intruder's actions on the i-th route to the j-th protected object. In this case, the route index i is determined in the same way as in the qualitative vulnerability assessment.
are calculated according to the methodology approved by the department.
The vulnerability of the j-th protected object is taken to be equal to the maximum vulnerability of the routes to this object:
The vulnerability of the object is taken to be equal to the maximum vulnerability of all protected objects:
Quantitative vulnerability assessments are calculated separately for each category of intruders. Vulnerability assessment data are designated by adding the appropriate letter to the superscript:
— for an external intruder – ;
— for an internal intruder – ;
— for a combined intruder – .
5. Integral indicator of the state of security
The integral indicator of the state of security (I) is a vector indicator. Its components are the qualitative generalized indicator of integrity and the qualitative and quantitative indicators of vulnerability.
I = <Ц, , , , , , >
6. Determining the level of sufficiency of the adopted protective measures
The sufficiency of the adopted protective measures should be determined by the magnitude of the risk posed by the vulnerability of the object and the magnitude of the possible consequences of the intruder's actions. The maximum level of sufficiency is achieved with the least vulnerability of the object, which has the least significance of socio-economic consequences; the minimum level of sufficiency is achieved with the greatest vulnerability of the object, which has the greatest significance of socio-economic consequences. All other levels of sufficiency lie in the range from maximum to minimum and are determined by the ratio of vulnerability and significance of consequences. With this approach to the concept of sufficiency of the adopted protective measures, it can be identified with the concept of risk, in which case the degree of risk will determine the level of sufficiency: low risk — the adopted protective measures are sufficient, high risk — the measures are insufficient.Risk is a measure of danger associated with the actions of an intruder and characterized by both the possibility of committing an unauthorized action and the severity of their consequences. The possibility of committing actions by an intruder is determined by the vulnerability of the object.
The measures taken to protect against one intruder may be sufficient, while insufficient against another, more powerful intruder. Therefore, it is advisable to consider the sufficiency of the measures taken for protecting against each category of intruders (internal, external, aggregate). For this purpose, we will introduce the concept of «attack object», which groups objects of protection by categories of intruders. By an attack object we will understand a set of objects of protection, against which unauthorized actions of a given category of intruders are assumed.
Thus, for one assessed object there are generally three attack objects: the attack object of an external intruder, the attack object of an internal intruder, and the attack object of a combined intruder. Note that one and the same protection object may belong to all three sets (attack objects).
For each attack object, we will determine the significance of the socio-economic consequences of possible actions of the intruder with respect to the attack object. We will designate the significance of the socio-economic consequences of possible actions of the intruder with respect to the attack object of an external intruder as , with respect to the attack object of an internal intruder – as , with respect to the attack object of a combined intruder – as .
We define the significance of consequences according to the rule:
, where j belongs to the set of indices defined for the external intruder;
, where j belongs to the set of indices defined for the internal intruder;
, where j belongs to the set of indices defined for the aggregate intruder.
The degree of risk is determined by the degree of significance of the socio-economic consequences of possible actions of the intruder in relation to the target of attack and the vulnerability of the defense of the target of attack for these intruders.
The vulnerability of the defense of an attack object of an external intruder is denoted by , the vulnerability of an attack object of an internal intruder is denoted by , and the vulnerability of an attack object of a combined intruder is denoted by .
We define the vulnerability of attack objects by the rule:
= , where j belongs to the set of indices defined for an external intruder;
= , where j belongs to the set of indices defined for an internal intruder;
= , where j belongs to the set of indices defined for a combined intruder.
It is advisable to introduce six degrees of risk of attack objects, assuming: 1st degree is the maximum risk, 6th is the minimum. The risk level assessment of an attack object is formed using a convolution matrix from vulnerability assessments and the significance of the consequences of possible actions of an intruder in relation to the attack object.
The value of the risk assessment is taken as the value at the intersection of the row corresponding to the vulnerability value and the column corresponding to the degree of significance of the consequences of possible actions of the intruder in relation to the attack object.
We will assume that the first (maximum) level of sufficiency of the taken protective measures corresponds to the sixth degree of risk and further; the second level corresponds to the fifth degree, the third — to the fourth, the fourth — to the third, the fifth — to the second, the sixth — to the first.
For each object, three assessments of the sufficiency level of the taken measures are determined:
a) sufficiency for actions of an external intruder ( );
b) sufficiency for actions of an internal intruder ( );
c) sufficiency in the actions of a combined intruder ( ).
Note that qualitative vulnerability indicators participate in determining the degree of risk, as well as the level of sufficiency of the adopted security measures. Quantitative vulnerability indicators in this case can play an additional role as a certain measure of confidence in the assessment of the sufficiency level.
Let us determine the vulnerability of each of the three attack objects.
The vulnerabilities of attack objects are determined by the rule:
= , where j belongs to the set of indices defined for the external intruder;
= , where j belongs to the set of indices defined for the internal intruder;
= , where j belongs to the set of indices defined for the aggregate intruder.
The level of trust is determined by the value:
= 1 – , for the external intruder;
= 1 – , for the internal intruder;
= 1 – , for the aggregate intruder.
This is nothing more than the effectiveness (quality) of the protection system (the probability of preventing the intruder's actions).
Psychologically, it is easier to perceive not digital designations of levels, but verbal designations, therefore each level of sufficiency can be assigned its linguistic meaning:
full level of sufficiency (1st level);
high level of sufficiency (2nd level);
average level of sufficiency (3rd level);
satisfactory level of sufficiency (4th level);
low level of sufficiency (5th level);
unsatisfactory level of sufficiency (6th level).
The forms of reporting documents are developed in the organization based on the requirements of departmental standards or internal regulatory documents.
It is advisable to use the obtained assessments as a basis for developing a step-by-step plan for the modernization of engineering and technical means of physical protection of the assessed objects.
Link to the resource http://www.tzmagazine.ru