Sunday, December 17, 2017

Question You Should Ask Before Getting a
Home Security System For Christmas

Is a home security system on your wish list from Santa?  If so, here are a couple of things you need to ask before Santa puts your system in his bag.
The first two questions to ask yourself are, “What am I going to protect by buying this type of system?" Then, "Will it do what I want it to do?”  These sound like no-brainers don’t they?  Most of us would say, “I want it to catch the bad guy”.  Well, not really, because it won’t catch a bad guy.  It will let you know when there is behavior inside of your house or when your perimeter is breached. But it won’t tell you if the behavior is good or bad.  YOU have to do that.  YOU have to assess the behavior and determine if it's good or bad.  So, you want to be able to analyze the behavior, like your kids coming home from school or the mailman delivering a package and determine if it is friend or foe.  Which brings us to the next question, which is, “Who will monitor what the system 'sees' and who will respond when there is unwanted behavior?”
If you are relying on your local 911 or a police department response, then you need to find out what the local policy is for home invasion.  Some departments don’t respond immediately for a variety of reasons; sometimes due to competing priorities and sometimes because they don’t want to get there when the bad guy is still on the premises which may cause a “stand-off”.  They don’t want that and neither do you.
If you are relying on a service provider for response, you need to ask, “What is the guaranteed respond time?”  If it’s less than seven minutes the good guys will catch the bad guys.  If it’s more than that, the bad guy will get away with your stuff.  Actually you don’t want the good guys to get there while the bad guy is still there, as it increases the likelihood that someone is going to get hurt.
The National Institute of Justice reported a couple years ago that perpetrators of housebreaking/ burglary usually stay on site less than seven minutes.   I doubt it’s changed much in the last couple of years.
Many professional installers will swear up and down that home owners cannot do this alone.  But let’s face it.  Just about anybody can do just about anything, given the right tools and knowledge.  Most home kits include instructions, so they’re pretty simple.  Tab A goes into Slot B.  If you can put together IKEA furniture you certainly can install a couple of cameras and sensors around your house.  That’s the tools part.  Now for the knowledge part – where to put cameras and where to put sensors?  Think of your house as an onion.  Start on the outer skin (property line) and work your way in.  Use a combination of sensors and camera that overlap so that all areas are covered by at least two components of your system.  Say a sensor and camera, or two cameras.  By using a combination of different technologies and creating an overlapping system you will, in all likelihood, get notified that something’s going on.  The chances of both systems failing simultaneously is very low.  Make sure you get "real time" notification.  The ability to talk into the system and tell the perpetrator that you're watching him or her (sorry ladies) is a plus.  However, it also let's the bad guy or gal know you are not at home.  So make sure you system covers the perimeter and you can engage before they ever get to the house.
When Amazon recently announced that they would place your parcels just inside your front door if you signed up for this service many security folks cried “foul”.  They cited this service as basically allowing an intruder to enter your house.   Well, not really.  Amazon vets their delivery folks/employees during the hiring process.  If Amazon trusts them then why shouldn’t you?  Sure, there are always a few bad apples, but I see the risk of the delivery person rummaging through your house as a very low possibility since they don’t know if you’re going to come home suddenly and find them in the bedroom.  That just doesn’t make sense.  There are really two factors that are in play here that make this a good idea.  First, Amazon vets their employees and secondly the door lock and code is specific to your home. Additionally, the kit comes with a closed circuit television camera that you can set up to see if the person does more than deliver the package(s).   Plus there’s an electronic record of when the lock opened and when it closed.  Anything more than a minute or two, the amount of time to place the packages inside, would be cause for alarm and indicate something out of the ordinary happened.
If I ordered stuff on line and wasn’t home all day I’d use this service.
Just remember that no system no matter how sophisticated is fool proof or offers one hundred percent protection one hundred percent of the time.  There will always be some risks involved.  The goal is to reduce the risks as much as possible and accept some risk.   

Sunday, November 19, 2017

First Responders Require Specialized Training to Deal with

 Special Needs Individuals

By Patricia O’Connor (Guest contributor)

Death of individuals with alleged disabilities through the actions of law enforcement has been reported in the media and has contributed to citizens of the United States protesting and seeking changes in methods used by law enforcement agencies.

NBC News reported on March 14, 2016 that almost half the people who die at the hands of police officers have some type of disability. According to an investigation conducted by Portland Press Herald in 2012 approximately half of the 500 people killed each year by police were mentally ill.

Police officers have become the default responders for incidents, including those involving mental health calls. They often find themselves in situations where urgent medical care by trained and certified professional practitioners would be more appropriate.

Misdiagnosis of symptoms or the misinterpretation of displayed behavior as being aggressive, resisting arrest, or threatening by law enforcement and by medical responders has resulted in the unnecessary injury or death of persons with special needs. Communities are ultimately legally liable. The question for community leaders has to be, “Why is this misunderstanding occurring and how do we fix it?”

So let’s examine this phenomenon – lack of training for first responders.


First, let’s admit first responders do not face the daily challenges of their jobs with intentions of hurting, maiming or killing individuals with special needs. They are merely faced with circumstances which are unfamiliar to them. These circumstances require specialized training and knowledge. So often initial training has not been conducted and certainly, on-going training isn’t provided either.

First responders are required to have specialized training in other areas of their complex duties; i.e., weapons training, first aid, social behavioral skills, etc. in their particular field in order to serve their communities and respond appropriately to the needs of those whom they serve. Individuals with exceptional needs require exceptional care. First responders must have knowledge and training with the appropriate skill sets to deal with specific disabilities and needs so that their response is suitable. Interaction with people afflicted with mental disabilities requires specific and focused interaction just as interactions with people having other medical disabilities require special treatment.


As they say in the real estate industry, it’s all about “location, location, location”, well in dealing with mental health issues it’s all about “training, training, training”. Training must be relevant, engaging and consistent. Training sessions including both theoretical application and practical “role playing” exercises work best. Training is a continuous occurrence. It needs to occur routinely but not so often that it neither detracts from everyday duties nor develops into something so mundane that it becomes stale and ineffective. Training would save lives, both for the individuals encountered by first responders and the first responders themselves, especially those arriving on scene first – law enforcement officers.


Whether responding to a scuffle at a convenience store or a major natural disaster as witnessed recently in northern California those responding need to be equipped not only with the physical tools needed for the job but also with the mental tools for resolving these highly charged situations. People with mental disabilities present special challenges during these extreme emotionally events. First responders should be equipped to deal with them. We can prepare for these situations through a serious of preventive measures; such as, placing placards on doors or windows indicating that special needs individuals are inside, creating communication systems with access to databases that first responders can “call up” while responding in order to ascertain what they might find at the incident scene and to alert them to obstacles or challenges they may encounter upon arrival. Just knowing when and where won’t be enough. Responding units will need to have skills sets that de-escalate the situation and resolve them in an appropriate manner. Additionally, it is essential for communities (civil authorities, medical, fire, law enforcement and citizens) to come together to address these issues.

A humane society is measured by its care for those who are most vulnerable. How will we be judged?


Patricia is a Doctoral student in Educational Administrative, with emphasis on Special Needs Education. She regularly provides insight and input to the Department of Homeland Security as they prepare Federal Emergency Management Agency (FEMA) guidance for dealing with special needs issues during times of crisis.  She is the founder and CEO of SirenUSA, an on-line training tool for first responders. 

“I can do things you cannot, you can do things I cannot; together we can do great things” – Mother Teresa

Sunday, October 15, 2017

Is the Defeat of Terrorism Linked to Hidden Security?

Truly Effective Security Is Hidden

Image provided courtesy of Marshalls Landscaping Products

I’m truly amazed when I travel around the country and see closed circuit cameras everywhere; airports, shopping malls, street intersections – everywhere!   I read recently, that my image is captured several hundreds of times a day.  That’s scary.  So I guess, Big Brother is watching!  At least, that’s what I’m thinking and that's how I'm feeling.  The space makes me feel uncomfortable.  But should I be?

If I'm using the space shouldn't I feel comfortable while using it?  If the answer is, "Yes", and I believe it is, then the question is, “What makes good space?”  The factors range from access and linkage to other services, uses and activities within the space, comfort and image, and sociability.  All of these factors come in to play.  I'd like to focus on the comfort and image part of the equation.

Security as an Enabler and Not a Tax

A British friend of mine, says, “Security has to be an enabler and not a tax”.  By that he means, the environment must allow people to transit “freely and confidently”.   I hate to say it (after all he’s an Arsenal fan) but he’s right.  People will use the space because they can move within it freely and because of this freedom they feel confident that they are safe.

Where there is good quality of life, people want to live and raise their families.  The true measure of a Smart or Safe City is a place where the grandkids want to live and raise their families!

To make this happen Smart City planners will need a holistic approach.  They won’t be able to address a certain sector of society, say utilities for instance and voila’ everything is good.  It will require good infrastructure systems, good inhabited space design, good governance and good community involvement.  The right mix of technology from all sectors and behavioral sciences will be needed. Due to this holistic approach to community planning, companies wishing to compete in this space will need to bring in a variety of specialties in order to adequately meet the consumer’s needs.  As an example, inhabited space design cannot be a function of only architects and engineers.  It must also include security professionals, transportation experts, government officials, behaviorists, and even community members, both retailers and residents.

The reliance on physical security engineering will become paramount as we use inhabited space to mitigate unwanted behaviors and reduce its effects.  We cannot lose sight of the human aspect of using new technologies as we move forward. 

Electronic vs. Non-electronic Technologies

Unfortunately, electronic technologies are invasive.  They assault our daily lives as they collect more and more data about our habits, preferences and routine.  On the other hand non-electronic technologies are not invasive.  They “socially engineer” the space so that people using the space act how we want them to act.  Not because they feel threaten that “Big Brother” is watching but because good behavior begets good behavior.  The use of invasive technologies will need to give way to non-intrusive technologies.  This will take time.  But there’s no better time to start than now.

Immediately after the vehicle attack in Barcelona, jersey barriers started popping up in pedestrian zones and near sidewalk cafes.  This use of concrete barriers systems is extremely unsightly and only limitedly effective.  Instead of using barriers that worsen the quality of the space, we should think about the quality of space we are protecting and integrate aesthetically pleasing barriers into the environment that actually blend in and keep it picturesque – complimenting instead of spoiling.  Remember, no one wants security to be a tax, even if it’s only a visual burden.  Having ugly concrete jersey barriers right next to you while sipping your Brunello di Montalcino at an outdoor cafĂ© table doesn’t project the atmosphere we are trying to achieve; however, flower planters, benches, light poles, bicycle racks, trash bins and the like that have been crash tested and proven effective against vehicle-ramming threats can enhance the atmosphere instead of hindering it.
Recently, Stefano Boeri, Architect[1] was cited by Dezeen Magazine as saying, “Cities should be redesigned to include trees with bulky planters rather than concrete barriers to prevent vehicle attack”.  He went on to say, “A big pot of soil has the same resistance as a Jersey (modular concrete barrier), but it can host a tree – a living being that offers shade; absorbs dust, CO2 and other subtle pollutants; and provides oxygen and a home for birds”.  We agree.
Hiding Security in Plain Sight

I believe we can “socially engineer” inhabited space.  We can incorporate specific urban design strategies that cause positive behaviors so that there is less reliance on the invasive use of electronic means to keep us safe. 

As an example; the use of “crash rated” street furniture.  It provides a measure of security from a ramming vehicle threat without making the space look like a threat is anticipated.  Another example, and perhaps even more hidden, is the use of furniture that incorporates ballistic materials, so people have something to hide behind during an active shooter threat.  Both solutions are currently available and in use in many unsuspecting areas.

Ultimately citizens don’t want cameras that watch their every move; instead they want space that is functional and free of crime and unwanted behaviors.  By increasing the effectiveness in controlling the social behaviors of the people using or transiting the space, and adding “passive” defensive mechanisms the environments will become safer and need fewer electronic gadgets.

As the great migration from the country-side to urban centers becomes an increasing phenomenon, community leaders must meet the challenges that lie ahead.  As systems of urbanization become ever more complex so will the solutions to resolve the problems they cause.  It’s imperative that not only will smart cities be highly functioning and efficient but they must also be, first and foremost – safe. 

[1] Boeri is known throughout the architectural and design world for his “plant and tree” covered buildings. 

Sunday, September 17, 2017

Why People Are Wrong to Think That
CCTV is a Detection Tool

When we talk detection we are talking about observing behavior – all behavior both wanted and unwanted.  It is very common within the security field, and even outside of the security field, for people to think that detection means detecting the bad guy doing a bad thing.  Well, not really.  What we are trying to do is determine if the behavior we are watching is authorized or not.  If we assess it to be allowed, then we take no action.  If it’s not allowed, the security force responds.  Again, we can use electronic and non-electronics to assist us.  The thing to remember is technology is a tool to assist and it has to be treated that way.  It is not the “cure all”. 
Just putting a CCTV camera to watch a store shelf or a gas pump will not prevent crime.  The reality is, by putting a camera we are allowing someone who is monitoring what the camera sees to assess the behavior that is being seen.  Therefore, CCTV is actually an assessment tool.  Those installing cameras must remember how the system is going to be used for assessment and not how it will capture what happened.  An article in the Chicago Tribune a couple years ago mentioned that less than three percent of crime is solved by the use of a camera system.  Recent articles about the enormous number of cameras watching the public spaces in London puts that number somewhere around 22 percent.  I think it would be fair to say the numbers somewhere in between.  Just placing the camera is not enough it has to be monitored too, and in real time.  Otherwise, the bad guy will get away.

Other facts about CCTV discussed during Free webinar 12 December

The Security Industry Association (SIA) is sponsoring a webinar at 1pm (ET) on 12 December 2017, when I'll talk about the Five Pillars of Physical Security: Misconceptions, Myths and Truths at .  I will post a direct link once we get closer to that date.  We hope you'll join us.

Friday, August 25, 2017

"Don't Make Me Come Over There."

How many times did we hear that phrase when we were growing up?  Or, "You just wait 'til your father gets home!"  I know I did.  I was scared to death, at least, until I was twelve or so and my Grandma whacked me with a wooden yard stick and it broke.  Then I knew I was too big to get a spanking any more.  Besides, by then I figured out I could blame my younger brothers and they'd "take it for me".  Love those guys!
Well, the same holds true in corporate America.  Sure, the boss isn't going to paddle anyone.  At least, I hope not.  But "unwanted behaviors" in the work place must be dealt with and it doesn't always have to be the boss or the security folks to deal with it. 
When "unwanted behaviors" occurred someone needs to step in.  That can be a co-worker or colleague.  Not that they need to "tattle" but behaviors outside of what's acceptable puts everyone at risk - from both a safety and a security perspective.
Non Security Personnel Can Play a Part
Non-security members of the organization can play a major role in identifying behavior that is unwanted.  But, they must be trained on when to interact on their own and when to keep their distance and report.  Smart leaders will develop scenario based training that includes all the members of their organization and promotes the interactions of the groups.  This can go a long way in instilling confidence in each other and creating a culture of unity and capability.  Which in turn, creates a feeling of safety and security within the organization.
But sometimes, even the best trained staff member is not capable of responding or diffusing the situation.  In this case, security force personnel should be called in.
Security Forces Compliment Non-security Forces 
Security response forces actually compliment other staff members and not the other way around.  That said, security personnel must receive additional training and have ability to accurately assess and engage the threat.  The operative word is “accurately” assess.  If they misunderstand the actions of the threat or assume aggressive behavior when there isn’t any the situation will quickly spiral out of control and actually escalate.  How many time have we heard, “I thought he had a gun”?
With that in mind, training is fundamental and paramount.  Training must be physically and mentally challenging.   Virtual, “situation based awareness” scenarios can be developed so that they stress the participants.  Role playing is always a benefit. Unless stressful conditions are trained for, guard forces won’t react properly when confronted by them.
The mindset that the responding officer must always be in control is correct.  That doesn’t mean they are superior it means they have the skills to neutralize the threat, sometime that requires force and sometimes not.  The use of de-escalating tactics is a learned behavior.  As such, highly aggressive and chaotic training scenarios serve the response forces well in learning how to deal with these types of behaviors. 
Cultural norms also play a big part is calming the confrontation between response forces and perpetrators.  What works in Los Angeles doesn’t necessarily work in Amsterdam or New Delhi. 
Responding forces must remember, the continuum of use of force is scalable and that deadly force is only used as a last resort.

Sunday, July 16, 2017

Threats, Designs and Delphic predictions: Designing-in Security for Major Sporting Infrastructure and Other High-Occupancy Spaces (Part 2)

Building on the strategy

The first part of this article (published in our Blog 18 June) on this topic proposed four strategic guidelines that should influence the design, build and operation of a sporting venue:
·         Consider the security aspects at the beginning of the design process, not as something to be added at the end;
·         Place these security considerations in a wider context – e.g., as part of a national government’s overarching security strategy or policy;
·         Take an impact driven approach to the design – focus on the impact of a hostile event (e.g., terrorist attack) taking place, not its likelihood;
·         Consider security from a holistic perspective.  All security is a combination of people, procedures and technology, but an holistic approach goes further     – balancing the physical and cyber considerations and developing a positive culture amongst the staff so that their everyday actions work effortlessly     towards a safe, secure and enjoyable celebration of sport.
Early engagement between security professionals, designers and architects was stressed as being essential.  This can save money in the long term and produce a design that enhances the spectator experience by inducing a greater feeling of safety and security for both them and the competitors.  We will now consider the importance of continuing this process of engagement throughout the construction phase as the real venues start to emerge and the number of people involved in the project rises.  This throws up a seemingly different set of challenges, but most, if not all of the same guiding principles apply, combined with the need for good communication between those with the vision and those responsible for making it happen. 

Getting the security requirement right

The architects and designers of the sporting infrastructure should be seeking to build security features in to the very fabric of the structures themselves.  The best security is usually the most discreet, but there will be occasions when obvious measures will provide deterrence to those with malicious intent, as well as reassurance and comfort to competitors and spectators.   However, there will also be times when features separate from a main building will be necessary.  The most obvious example of this is a perimeter fence. 
All stadium systems should be designed and installed in a way which will maximise through-life flexibility to support both changing operational needs and emerging technology.  In order to achieve this it is important that a structured mechanism for the capture of the numerous requirements for the functioning of system components is agreed by all relevant stakeholders.  The temptation at this stage is to think in terms of solutions, rather than requirements, but this is a false economy.  Take the simple example of a perimeter fence.  The designer may ask for a fence of a certain height, but on what is that decision making based?  Is it just because a similar stadium had a fence of a certain height surrounding it?  Or, was that fence the most prominent in some catalogue?  It is important that rigour is applied to the specification of security components based on what they are seeking to achieve in the environment in which they will operate. 
The generally agreed best approach to this issue is through the drafting of an Operational Requirement (OR) for a security component.  This is a statement of need based upon a thorough and systematic assessment of the problem to be solved and the hoped for solutions.  A structured process for the development and agreement of ORs has been successfully used to deliver the security systems for numerous parts of the UK’s infrastructures and many permanent and temporary sporting venues.  Among the questions to be answered during the preparation of an OR are:
·         What is the output desired of the system / component?  For example, in general terms ‘a fence’ is a solution rather than a requirement.  What is seeking to be achieved?  Demarcating one area from another, giving one area more protection than another, channelling people in a certain direction?  All of these requirements could be solved in a number of differing ways.  It is also worth remembering that it is a mistaken belief that fences will keep people out of a certain area.  Whilst this is true for most law abiding people, the same does not apply for those determined to enter a restricted area.  In this case, the fence will only delay their entry (as it is climbed, burrowed under or cut through), although sensors will be able to detect this activity and alarms raised.  If the requirement was instead for surveillance, was this to provide continuous coverage of a particular area, or only at certain times?
·         What are the options by which the output could be achieved?  For example, fences come in all shapes and sizes.  Some are harder to climb; others more difficult to cut through.  Sensors to detect this activity can be discreet and sound silent alarms or noisy triggering claxons and spotlights.  In the case of surveillance, this can be achieved through the deployment of people, technology, or a mix of the two.
·         What are the key environmental and technical requirements for system components?  Harsh environmental conditions will affect the materials that a security component is made from, especially if it is part of a permanent structure.  CCTV cameras are particularly sensitive to the prevailing weather – those designed to function well in wet or damp conditions may not perform so well in hot and sandy conditions and vice-versa.  
·         What are the residual risks and weaknesses in the proposed solutions?  A fence might have sensors to detect when someone has cut it or is scaling it, but what happens then?  How are resources mobilised to respond to the intrusion and how quickly will they arrive?  In the case of surveillance, the effectiveness of this could be reduced during heavy rain, fog, sand storms, etc.
·         What are the interdependencies between various system elements?  This is a simple question, but the answers might be highly complex and take a long time to answer.  This article is not long enough to tackle this part of the process in anything other than a superficial level of detail.  For example, the level of security of a fence needs to be matched to the response time of the manned guarding. The shorter the delay the fence can provide, the faster the manned guarding needs to respond.  This may require more guards at shorter distances from the perimeter.
It is important that rigour is applied to the specification of ORs and the focus is not allowed to drift back to thinking in terms of solutions.  It is unlikely that the fundamental requirement for a security feature will change much (if at all) over the life-time of the infrastructure whereas the technologies that might be employed to achieve a particular outcome may change a lot.  It is important that the replacement technologies do not weaken the overall security stance or remove features that were present in the original build.  Focusing on the requirement rather than the solution is the best way to achieve this.
Designing for the future 
Once the ORs and interdependencies of security system components are understood and agreed, the system can be designed and installed.  However, remembering that any form of permanent sporting infrastructure will last a considerable number of years, it is necessary to adopt a strategy that seeks to maximise the capabilities of new technologies as they emerge and minimise the disruption and change necessary to embrace them.  Such a strategy is likely to include the following principles:
  • Modular.  Systems will be specified and delivered in a way which makes it easy to upgrade one element without changing numerous other components.Internet Protocol (IP) based. The historical separation between the physical and logical worlds is no longer applicable as so many of the physical entities in a stadium (entry gates, CCTV monitors, Public Address, display screens, etc.), will all be controlled across communications networks based on IP.  Modern stadia can all be flood-wired with IP networks to achieve this.  Such networks will be flexible and able to adapt to changing requirements of the terminating equipment.  However, care needs to be applied in the way in which such networks are configured and protected to prevent them becoming a weakness that can be exploited via cyber attack, rather than a strength that delivers flexibility and adaptability. 
  • Based on open protocols.  Wherever possible, system components will be specified to use open, rather than manufacturer-proprietary, protocols for interfaces and data transfer.  This will be particularly important for the control of numerous physical entities as discussed above.  It is inevitable that the degree to which a cyber environment is used to control physical entities will only increase over time and the number of manufacturers offering products in this area will increase.
  •  Flexible at the Security Management System – this is the point at which the inputs from the various systems are combined and then presented to the system operators. 
Ongoing operator training is an important element which is often forgotten or minimised after system commissioning has been completed.  Ongoing refresher training programmes need to be planned and executed to ensure that operators remain conversant with the latest aspects of the system.  These programmes will also be the best route to introduce new capabilities.
Designers of security systems need to devote time to keeping themselves up to date with developments in the technology market through a mixture of:
       ·         Attendance at trade shows, exhibitions and conferences.
      ·         Ongoing dialogue with suppliers and manufacturers to understand both new uses / improvements to existing products and new products / capabilities in development.
·         Regular engagement with relevant Government or national bodies responsible for research and applied science and technology.  Each national government will have slightly different structures and processes to cover this[1]. 
This engagement will allow the designers of sports infrastructure to understand the strengths and weaknesses of products as assessed by independent experts, as well as to aid the implementation of current best practice.  This will enable a judgement to be made as to whether an emerging capability offers a significant improvement (both technically and financially) over those currently proposed.  This kind of activity could be swept up in the design integration meetings that often take place in major projects when each engineering discipline determines how it is affected by security requirements and vice versa.
Information security aspects
It is during the design and construction phases that the layers of security for the venues will be specified and installed.  Once this phase starts and the number of people involved in the project starts to rise significantly, it is important that a structured approach to the handling of information is introduced.  The importance of this was highlighted in part 1 of this article.  Information in many forms will be vital to the successful design, construction and operation of all major sporting venues for the many years of their legacy use.  The protection of information will normally be achieved by the definition and implementation of an Information Security Policy (ISP) that needs to be written in collaboration with all relevant stakeholders.  This should be designed to ensure that sufficient information relating to security systems is incorporated into master designs, but that sensitive information (e.g., camera fields of view) is only released on a need to know basis.
To facilitate this process, a single authority should be established with the responsibility for writing the ISP and also deciding the relative sensitivity of information to be disseminated.  This authority should specify how sensitive information will be marked, stored, transmitted and handled by users.  Different countries will have their own established processes for this, such as some form of national protective marking scheme for sensitive documents (Restricted, Confidential, etc). 
The ISP needs to cover appropriate elements of the supply chain.  The challenge here is to ensure that information is appropriately cascaded down the chain to facilitate the purchase of the right goods and services, but without exposing the overall security posture of the venue.  This will be particularly tricky when dealing with overseas suppliers or organisations with an unknown or weak cyber security posture.  This is a new area which may require the venue designers and builders to seek specialist advice to ensure that they can balance the advantage of going to the market for goods and services against the exposure of potentially sensitive information through the same route.
It is important that the ISP covers the protection of the numerous industrial control systems that are necessary for the operation of physical systems at the venues, or that a separate policy is written to address these risks.  A modern venue will have innumerable systems such as those for crowd access, lighting, air-conditioning, display screens, etc., as well as many aspects of security (command and control rooms, CCTV networks), all of which will be controlled via data networks and electronic infrastructures.  Complete or partial loss of control of any of these types of systems would result in serious consequences for the safe and secure operation of the venue.  The challenges of securing these from cyber threats are brought into sharp focus when considering the projected life of the control units that turn cyber commands into real action on the ground.  On average, an item of corporate IT equipment (desk computer, etc.) will have a refresh or replacement rate of about 4 to 5 years.  A typical industrial control unit may have a refresh rate of 20 to 25 years.  The cost of replacing the remote control units and the disruption to essential services while this happens are among the reasons for this sharp difference in refresh rates.  Over that period of time it is impossible to predict what cyber threats may emerge.  This is why it is important to adopt an impact driven approach to security as described in part one.  Focusing on a threat that cannot be judged so far in advance may ultimately lead to an inaccurate assessment of the risks resulting in either inadequate or over specified security features. 
It is certain that those who wish to compromise information assets belonging to a sporting venue will be imaginative in their approach.  In response to this, it is necessary to understand the threat to assets and build solid defences against incidents that could ultimately impact the security of venues and/or supporting infrastructures.  In particular the ISP needs to have a flexible response that adapts to changing technologies and attack methodologies.  The pace of change in information systems is such that it will be necessary to keep the designs flexible and able to adopt appropriate new technologies as they emerge.  But new threats also emerge at a significant rate.  The ISP should ensure that venue owners can be confident that they are able to manage their risks effectively throughout the lifetime of the venues.   This reinforces the need to adopt an impact focused, risk based approach that will build the appropriate information security controls (for cyber and other mediums) into the fabric of the venue.  This will ensure that it is capable of deterring, detecting and defending against the inevitable attempts to compromise its operations.  It is impossible to prevent all compromises from internal and external threats, but an effective ISP will support a security architecture necessary to create a resilient operation; respond to incidents effectively; learn from security breaches; and most importantly, manage risk within proportionate tolerance levels. 
There are numerous internationally recognized Information Security standards and frameworks that could be adopted[2].  Most national governments also provide protective security advice through specialist organisations.
Building begins
The engagement of security specialists as part of the multi-disciplinary design team will ensure that all the physical infrastructures are inherently secure and resilient, and relatively easy to search for suspect devices prior to the public being admitted.  Once construction of the stadium is underway, it is important that there is a controlled process to review proposed design changes from a security perspective.  This process needs to encompasses both substantive changes to building layouts, (e.g. redesign of a layout), and changes to elements such as the cladding to be applied to a wall.  Such cladding could easily be seen as ‘cosmetic’, but might have been selected for the way it resists explosive blast.  However, this is unlikely to be known to the supply chain, who might propose a similar looking material that was less resistant to blast. 
During the construction phase it is important that: the site is physically segregated from the wider world; the workforce has been vetted prior to being allowed on site; goods and materials are screened prior to site admission;  and frequent verification visits are undertaken.  There are a number of models that could be adopted that could achieve this, for example:
·         An appropriate perimeter barrier, with supporting technology, will be specified to separate the construction site from the surrounding areas.  A typical set-up for a major sporting venue or site would consist of a perimeter fence, supported by CCTV, lighting, perimeter intrusion and an operational guard force around the whole of the construction site.  Individual areas within that, e.g., a Main Stadium, would have their construction site boundaries.  A central ‘Construction Command and Control’ location should be specified to be responsible for monitoring installed systems (e.g., CCTV and intrusion detection) and managing the guard force.  If deemed necessary by a threat assessment, measures to guard against vehicle attack will be installed to protect the construction site.  However, such measures need to be considered carefully to ensure that the barriers are suitable for that environment and their installation will not impede the required flow of constructions vehicles.
·         Deliveries of construction plant and materials should be controlled through the use of a Delivery Management System to record details of loads, delivery vehicles and their drivers.  To minimise risk to the construction site, one or more offsite centres should be used to process and check vehicles, drivers and their loads before they are sealed for final delivery to the site.
·         Checks on vehicles should then be undertaken at the boundary to the construction site. For vehicles entering the site, the checks should confirm that the vehicle and occupant details are as expected and that the load has not been tampered with since the offsite checks. For vehicles leaving the site the checks should confirm that no unauthorised goods are being removed.
·         Throughout construction, verification and assurance visits should be undertaken to confirm that potential issues are identified early and addressed. This will include a process for certifying that voids are empty before they are sealed.
Thinking of the staff
It should now be obvious that the number of people working on the project either in offices or on site has risen dramatically from the levels involved at the pure design stage.  This means more people with access to information (some of which may be sensitive) and more people with access to sites and systems that may be vulnerable to malicious activity.  It is therefore necessary to consider carefully the personnel aspects of the overarching security strategy.  This is so often overlooked with attention instead focused on the physical and cyber elements and the people who operate both forgotten about.  It is wrong at this stage to suggest that all staff need to go through comprehensive vetting in order to establish their bona fides and levels of integrity.  That is unnecessary and too time consuming and expensive.  However, care should be devoted to ensuring that, as a very minimum, the true identities of all staff and contractors are fully established and that they all have the appropriate right to work from the host country.  Some staff and contractors will require extra clearance to have access to more sensitive data. 
This is an area where the importance of taking an holistic approach and not operating in silos cannot be overstated.  The security professionals for the venue should take an active interest in this area and not simply leave the matter to the Human Resources or Personnel department.  High quality leadership from the top management layers of the organisation will be necessary to articulate a vision of how the everyday actions of all staff involved in the infrastructure and delivery contribute seemingly effortlessly to the overall security of the event.  If the leadership are clear about the type of event they want to achieve, then it is so much easier for staff to be clear about what they need to do.  So often, weak or absent leadership will be filled by staff doing what they feel is right.  Quite often they will get the tone wrong and this could adversely impact on the overall security stance or inhibit the spectator experience.
Let the games begin
Security does not end when the building phase is over.  Towards the end of this and prior to the venues being used, there needs to be a final process of assurance to test whether the various security infrastructures and systems are fit for purpose.  This is when their actual operation is tested against the original Operational Requirement.  The quality of finish should also be examined.  If the processes described here were followed, then the need for remedial action or reconstruction should be minimal, but as the case studies illustrate, this is not always the case. 
If security has been integrated into the very fabric of the building then it will also support the handling of incidents or emergencies.  An integrated design will enable the event organisers, Police, emergency services and others to respond to incidents, disrupt threats, etc.  The way that security is designed into the structure should aid this and produce an integrated response to a wide range of circumstances, e.g., through the location and functioning of control rooms.  This is the point at which people, processes and technology should all come together in perfect harmony.
So often, security is considered as an afterthought; something to be applied after the design is over.  Not only can this be expensive, but frequently it will not produce the desired levels of protection.  By considering security at the very beginning of the design process, taking an holistic approach, thinking in terms of impact and involving relevant experts throughout that and the building phase, it is possible to produce discreet yet effective measures at reasonable cost that can deliver high levels of assurance to event organisers and others that competitors, spectators and the venue itself will all be protected against malicious activity.  This takes dynamic leadership from general management, supported by appropriate security professionals.  Working together from the very beginning of a project they can make security enhance a sporting event rather than being seen as a tax upon it which is often the (wrong) perception.   

October 2013

The author (Roger Cumming) is the Technical Director of Atkins’ security business. Atkins, an international design, engineering and project management consultancy, was heavily involved in the design of the infrastructure for the Olympic Park and temporary venues for London 2012.

[1] In the UK the Home Office Centre for Applied Science and Technology is responsible for the testing and assessment of security equipment.  The Centre for the Protection of National Infrastructure (CPNI) provides advice to the companies that run the UK’s infrastructure on how to protect themselves from national security threats.
[2] For example: ISO: 27001 and ISO: 27002, Information Security Management Standards; the 800 series from the USA’s National Institute of Standards and Technology (NIST), in particular NIST 800-53 and 800-82 for Industrial control systems.  There may also be applicable standards from the International Society of Automation (ISA) and others such as IEC62443 which covers the protection of plant networks.