Threat analysis in the design of technical security systems.
This approach is the best known and the most developed.
Entire laboratories in several research centers are developing threat modeling software.
Special departments in law enforcement agencies collect statistics and try to predict possible terrorist attack paths.
Special security service units are trying to identify the plans of international terrorists.
Designers of technical security systems are required to include a threat analysis section in the project. As always, more than half of such documents are filled with bureaucratic or pseudo-scientific scribbling.
Nevertheless, the massive pressure on all fronts is yielding results.
What useful conclusions can mere mortals, those protecting small shops, offices and cottage villages, draw for themselves?
The main positive effect of a formal threat analysis requirement is the absence of obvious holes in the defense system.
Even if you write the analysis only to satisfy a formality and treat it as an empty one, you will still have to write down, for example, what means will repel an attack from each of the four points of the compass (and as a result you will not forget to design an equally strong defense on all sides).
You will not forget to consider intruders on foot, on wheels and in the water, and therefore will not allow blunders such as a reinforced-concrete fence that simply ends at the shore of a knee-deep lake.
You will not forget to mention both external and internal accomplices of criminals, and will be forced to consider means that prevent not only the opening of the main gate from the outside but also its unauthorized opening from the inside.
Threat analysis in the recommendations of the British Ministry of Internal Affairs
Why the British?
These are some of the most elaborate recommendations, and they form the basis of a series of European standards. In general this is not surprising — Britain is one of the few countries that has lived in a state of civil war for the last 30 years (in Ireland).
Comparable attention to security systems is paid only in Israel, but that is traditionally a more closed society, and even what is published openly is, alas, inaccessible to most of our compatriots without a translator.
So, the British recommendations. They are developed mainly in a special unit called the «Research Department of the Ministry of Internal Affairs» (a direct analogue of our Scientific Center «Security»). In addition, in most counties the chief of police issues his own recommendations (usually copied literally from those of the research department of the Ministry of Internal Affairs).
Strictly speaking, it is only the recommendations of the chief of police that are mandatory in the county, for example in order to obtain a license to trade in alcohol, weapons or medicines.
Indirectly, however, they are mandatory for everyone. Insurance companies have their own recommendations for categorizing clients by risk level. These are not published openly, but all of them list, in their very first lines, mandatory compliance with the police chief's requirements, if, of course, the client wants to pay insurance premiums at the minimum rate.
This is how the research department's reports, which are in no way mandatory on paper, become mandatory in real life.
Enough background; let me describe the essence of the recommendations themselves, which amounts to conducting a threat analysis.
The main requirement is to conduct an analysis of what criminals the facility is supposed to be protected from, under what conditions, and what premises (objects) at the protected facility are of interest to criminals.
Depending on the supposed qualification of the criminals, the social importance of the protected facility and the danger to society of the criminal act (yes, yes! This term is not an invention of socialist legality — in every society the danger of an act to the public is considered an important criterion, and gun shops or drug warehouses are always guarded much more strictly than the value of the items stored there alone would warrant), a fairly simple classification is proposed.
Class 1 – low risk. For facilities where the potential criminal is assumed to have little familiarity with security systems. This assumption is typical of facilities storing low-value goods, with nothing especially attractive to criminals (drugs or alcohol), and posing no threat to the safety of people nearby.
Class 2 – medium-low risk. For facilities where the potential criminal is assumed to have some knowledge of security systems but only widely available standard tools. This assumption is typical of facilities with an average volume of valuables or a small amount of alcohol.
Class 3 – medium-high risk. For facilities with a significant volume of valuables or narcotics, or facilities that pose a threat to people around them. The suspected criminal is assumed to be equipped with all the necessary tools and portable electronic equipment.
Class 4 – high risk. For facilities with a particularly high volume of valuables or a particularly high level of risk to the surrounding population. The suspected criminal is assumed to be thoroughly prepared, to know the security system at this facility, and to have samples of equipment similar to that installed there.
So, depending on the importance of the facility and the supposed preparation of the criminal, specific requirements are imposed on the intrusion alarm system. These are not requirements to use this or that sensor, and not even quite requirements on the sensors themselves — after all, what difference does a sensor's range in meters make if the guarded room is 2 x 2 m. The requirements apply mainly to the alarm response system (for wine stores, for example, the alarm must be routed to the control panel of a 24-hour security service). In addition, there are requirements to minimize false alarms (no security service will seriously guard a facility that produces false alarms three times a night).
Methods for reducing the number of false alarms are described.
Finally, requirements are made for the self-diagnostic system and the informativeness of messages to the monitoring station.
This section also includes some special requirements for sensors. For example, to comply with class 3, sensors must have not only «alarm», «tampering» and «masked» outputs but also a «malfunction» output signal.
From a formal point of view, the British recommendations boil down to numerous «checklists» that must be gone through to confirm that the facility meets the requirements.
In addition, to simplify the designers' work, all equipment is certified for compliance with the requirements of the relevant classes, and at a class 3 facility, for example, only class 3 or class 4 equipment may be used – class 2 equipment obviously will not allow the system requirements for class 3 to be met.
However, the default assumption is that once an object is classified, the potential threats to it are «obvious» and not worth explicit analysis.
An exception is the task analysis for video surveillance systems. Since these systems are relatively expensive and cannot be designed by a standard algorithm (a creative approach is required), for television systems it is prescribed to analyze all protected zones and to state clearly what the purpose of the video system is in a particular zone, which actions of which intruder should be detected, and how and by whom the image will be observed to achieve this.
Threat Analysis in RD-78
The equivalent of the British recommendations in our country are the departmental R (recommendations) and RD (guidance documents) issued by the Scientific and Research Center «Security» and other organizations. Formally they too are not mandatory, even for non-departmental security. However, in the absence of other documents (some large companies like Gazprom have similar internal documents), these RDs are in practice mandatory for all creators of technical security systems.
What do they say about the need for threat analysis? Surprisingly little. For example, one of the main documents is RD 78.36.003-2002 «Technical security equipment. Requirements and design standards for the protection of facilities from criminal attacks.»
Firstly, it introduces a similar classification of facilities into 4 groups – A1 (especially important facilities of high value or high danger), A2 (the most dangerous premises at those facilities), B1 (retail facilities, etc.), B2 (category B facilities containing alcoholic products or the most compact, easily sold goods – electronics, everyday goods).
For facilities of group B1 (and in fact for the rest) it is permitted to build the system on the basis of a survey report rather than a full project. The report should include the classification of the facility, a list of protected valuables and their location at the facility, and a list of vulnerable points of penetration; but it is implied that the actual threats to the facility follow automatically from its classification, and their analysis may be omitted.
Similar to its British counterparts, R 78.36.002-99 «Selection and application of television video surveillance systems» adds specifics. In particular, it introduces its own classification of facilities into three groups: A (especially important), B (significant damage) and C (other). However, here too the threat analysis ends with the classification of the facility. Further construction of the system is recommended to proceed from an analysis of the architectural and planning solutions, but the need for an actual analysis of possible threats is no longer mentioned explicitly.
Draft technical regulations on anti-criminal security
As you probably know, for several years now we have been living under a new law on technical regulation, according to which GOSTs, like any standards of enterprises or public organizations, are not mandatory in themselves. Only technical regulations, which are adopted only on basic safety issues (environmental safety, road safety, etc.), are mandatory. In the area of anti-crime protection a technical regulation is also envisaged; it first of all describes a classification of facilities according to the expected threats and then recommends different levels of protection depending on the level of threat. I will quote its main provisions:
«Depending on the degree of potential danger, as well as the possible consequences in the event of the implementation of criminal threats, objects, their premises and territories are divided into three main groups:
critically important and potentially dangerous objects;
socially significant objects;
objects of concentration of material assets.
In addition, depending on the type and extent of damage that may be caused to the facility, people on it, and property in the event of criminal threats being implemented, all facilities are divided into the following classes:
Class I (high significance) – damage resulting from the implementation of criminal threats will be on a federal or interregional scale;
Class II (medium significance) – damage resulting from the implementation of criminal threats will be on a regional or intermunicipal scale;
Class III (low significance) – damage resulting from the implementation of criminal threats will be on a municipal or local scale.
Depending on the class of the object and the type of property located (stored) on it, classes of protection of objects are established.»
Further, the technical regulation proposes to analyze the potential threats and vulnerable points of the facility and, taking into account the principles of adequacy to the potential threats, zonality (multiple boundaries) and equal strength, to design the security system. It sounds very serious; in real life, undoubtedly, in most cases the designer will decide that classifying the facility is the threat analysis, and after establishing the facility's significance class and hazard group will simply use the types of equipment recommended for that protection class.
Common sense
Most mid-size systems are built not on the basis of RDs and regulations but on the basis of common sense. During the design process common sense is often pushed aside and small details get discussed, but at the very start, when the customer first thinks about installing a security system, he of course asks himself: what and from whom should this system protect, and how, in fact, will it be able to protect it? That is a threat analysis. Unfortunately, as already said, the contractor soon begins asking specific questions: «where to put the sensors», «where to hang the siren», and if video cameras also come up there are so many questions that the main ones, with which it all began, are somehow forgotten and fade into the background. To prevent this, it is useful to write down the answers to the main questions:
what are we protecting,
what kind of attack are we protecting against (a random hooligan, a habitual drunk or an organized group),
what the security system should do to help prevent (or at least reduce) the damage.
And later, when discussing specific issues like «where to put the sensor», you just need to go back to this list regularly and check the sensor against it: what threat will it protect against, when and how should it work, why this way, and does it match the probable adversary (criminal). Regulations, RDs and GOSTs are written in a very bureaucratic language, but if you get to the essence it is quite consistent with common sense: know what you intend to protect the facility from, and use means adequate to the threats. Use them equally on all sides of the facility (no obvious holes in the protection). Try to protect the most important premises with several means (multiple lines). And again, do not forget about equal strength — what is the point of bars on the windows if the room is separated from the adjacent unguarded utility room by a plasterboard partition?
And let the above methods of classifying objects help you correctly assess the degree of danger and serve as a starting point for analysis.
Persona methodology
When developing complex systems, especially software, a method has recently become popular that is designed to give a clear picture of what is required from the system: you invent several specific user personas (for the well-known Microsoft Word, for example, something like «secretary Lenochka», «journalist Sergey», «Marya Ivanovna, head of the stray dog accounting sector»), and then clearly imagine when, why and how each of them will use the product you are developing. When developing a security system it is entirely appropriate to use the same method. So as not to shock the apologists of the Unified System for Design Documentation (ESKD) with personas, you can call them conditional models of criminals and designate them with easy-to-remember words, for example «Homeless», «bad manager» (internal thief), «gang», «spy» (competitors). All sections of the security system project should then be checked (at least mentally, so as not to generate endless paperwork) against the actions of the supposed main personas. The main thing is to imagine the adversary clearly enough, get into his role, and simulate his actions in specific situations.
Just don't forget to return the things you stole while you were getting into the role of the criminal.
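As an added example (not from the article or from any of the documents it cites), here is a small Python check that applies the persona method together with the common-sense principles from the previous section: equal strength (a zone is rated by its weakest side), zonality (the lines an intruder must cross to reach each asset are counted) and adequacy (each criminal model is compared against those lines). The site layout, the asset names, the 0-4 resistance scale and the persona capabilities are all constructed assumptions; only the persona names come from the article.

```python
from dataclasses import dataclass, field

@dataclass
class Boundary:
    side: str        # approach direction or internal partition
    resistance: int  # assumed scale 0 (no barrier)..4; capability >= resistance defeats it
@dataclass
class Zone:
    name: str
    boundaries: list                           # every side, including the water side
    assets: set = field(default_factory=set)
    inner: list = field(default_factory=list)  # zones nested inside this one
@dataclass
class Persona:       # the article's "conditional model of a criminal"
    name: str
    capability: int
    targets: set

def weakest(zone):
    """Equal strength: a zone is exactly as strong as its weakest side."""
    return min(zone.boundaries, key=lambda b: b.resistance)

def chain_to(zone, asset, path=()):
    """Zonality: the nested zones crossed from outside to the asset, or None."""
    path += (zone,)
    if asset in zone.assets:
        return path
    return next(filter(None, (chain_to(z, asset, path) for z in zone.inner)), None)

def assess(site, personas, min_lines=2):
    """Adequacy: flag each boundary the persona defeats and assets with < min_lines stopping lines."""
    findings = []
    for p in personas:
        for asset in sorted(p.targets):
            chain = chain_to(site, asset) or ()
            holes = [z for z in chain if weakest(z).resistance <= p.capability]
            findings += [(p.name, asset, f"hole: {z.name}/{weakest(z).side}") for z in holes]
            lines = len(chain) - len(holes)
            if lines < min_lines:
                findings.append((p.name, asset, f"only {lines} effective line(s)"))
    return findings

def example_site():
    """Constructed site: the fence ends at a knee-deep lake, the store room has a plasterboard wall."""
    store = Zone("store room", [Boundary("barred window", 3), Boundary("plasterboard", 1)], {"goods"})
    building = Zone("building", [Boundary("walls", 3), Boundary("front door", 2)], inner=[store])
    return Zone("site", [Boundary("north fence", 2), Boundary("east fence", 2),
                         Boundary("south fence", 2), Boundary("lake shore", 0)], inner=[building])
PERSONAS = [Persona("Homeless", 1, {"goods"}), Persona("gang", 3, {"goods"})]
```

Running `assess(example_site(), PERSONAS)` reports the lake shore and the plasterboard partition as holes for the «Homeless» persona (leaving only one effective line) and every boundary as a hole for the «gang»; raising those two boundaries clears the first persona but not the second, which is exactly the adequacy question the article asks.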