Sunday, July 16, 2017


Threats, Designs and Delphic predictions: Designing-in Security for Major Sporting Infrastructure and Other High-Occupancy Spaces (Part 2)



Building on the strategy

The first part of this article (published in our Blog 18 June) on this topic proposed four strategic guidelines that should influence the design, build and operation of a sporting venue:
·         Consider the security aspects at the beginning of the design process, not as something to be added at the end;
·         Place these security considerations in a wider context – e.g., as part of a national government’s overarching security strategy or policy;
·         Take an impact driven approach to the design – focus on the impact of a hostile event (e.g., terrorist attack) taking place, not its likelihood;
·         Consider security from a holistic perspective.  All security is a combination of people, procedures and technology, but an holistic approach goes further     – balancing the physical and cyber considerations and developing a positive culture amongst the staff so that their everyday actions work effortlessly     towards a safe, secure and enjoyable celebration of sport.
Early engagement between security professionals, designers and architects was stressed as being essential.  This can save money in the long term and produce a design that enhances the spectator experience by inducing a greater feeling of safety and security for both them and the competitors.  We will now consider the importance of continuing this process of engagement throughout the construction phase as the real venues start to emerge and the number of people involved in the project rises.  This throws up a seemingly different set of challenges, but most, if not all of the same guiding principles apply, combined with the need for good communication between those with the vision and those responsible for making it happen. 

Getting the security requirement right

The architects and designers of the sporting infrastructure should be seeking to build security features in to the very fabric of the structures themselves.  The best security is usually the most discreet, but there will be occasions when obvious measures will provide deterrence to those with malicious intent, as well as reassurance and comfort to competitors and spectators.   However, there will also be times when features separate from a main building will be necessary.  The most obvious example of this is a perimeter fence. 
All stadium systems should be designed and installed in a way which will maximise through-life flexibility to support both changing operational needs and emerging technology.  In order to achieve this it is important that a structured mechanism for the capture of the numerous requirements for the functioning of system components is agreed by all relevant stakeholders.  The temptation at this stage is to think in terms of solutions, rather than requirements, but this is a false economy.  Take the simple example of a perimeter fence.  The designer may ask for a fence of a certain height, but on what is that decision making based?  Is it just because a similar stadium had a fence of a certain height surrounding it?  Or, was that fence the most prominent in some catalogue?  It is important that rigour is applied to the specification of security components based on what they are seeking to achieve in the environment in which they will operate. 
The generally agreed best approach to this issue is through the drafting of an Operational Requirement (OR) for a security component.  This is a statement of need based upon a thorough and systematic assessment of the problem to be solved and the hoped for solutions.  A structured process for the development and agreement of ORs has been successfully used to deliver the security systems for numerous parts of the UK’s infrastructures and many permanent and temporary sporting venues.  Among the questions to be answered during the preparation of an OR are:
·         What is the output desired of the system / component?  For example, in general terms ‘a fence’ is a solution rather than a requirement.  What is seeking to be achieved?  Demarcating one area from another, giving one area more protection than another, channelling people in a certain direction?  All of these requirements could be solved in a number of differing ways.  It is also worth remembering that it is a mistaken belief that fences will keep people out of a certain area.  Whilst this is true for most law abiding people, the same does not apply for those determined to enter a restricted area.  In this case, the fence will only delay their entry (as it is climbed, burrowed under or cut through), although sensors will be able to detect this activity and alarms raised.  If the requirement was instead for surveillance, was this to provide continuous coverage of a particular area, or only at certain times?
·         What are the options by which the output could be achieved?  For example, fences come in all shapes and sizes.  Some are harder to climb; others more difficult to cut through.  Sensors to detect this activity can be discreet and sound silent alarms or noisy triggering claxons and spotlights.  In the case of surveillance, this can be achieved through the deployment of people, technology, or a mix of the two.
·         What are the key environmental and technical requirements for system components?  Harsh environmental conditions will affect the materials that a security component is made from, especially if it is part of a permanent structure.  CCTV cameras are particularly sensitive to the prevailing weather – those designed to function well in wet or damp conditions may not perform so well in hot and sandy conditions and vice-versa.  
·         What are the residual risks and weaknesses in the proposed solutions?  A fence might have sensors to detect when someone has cut it or is scaling it, but what happens then?  How are resources mobilised to respond to the intrusion and how quickly will they arrive?  In the case of surveillance, the effectiveness of this could be reduced during heavy rain, fog, sand storms, etc.
·         What are the interdependencies between various system elements?  This is a simple question, but the answers might be highly complex and take a long time to answer.  This article is not long enough to tackle this part of the process in anything other than a superficial level of detail.  For example, the level of security of a fence needs to be matched to the response time of the manned guarding. The shorter the delay the fence can provide, the faster the manned guarding needs to respond.  This may require more guards at shorter distances from the perimeter.
It is important that rigour is applied to the specification of ORs and the focus is not allowed to drift back to thinking in terms of solutions.  It is unlikely that the fundamental requirement for a security feature will change much (if at all) over the life-time of the infrastructure whereas the technologies that might be employed to achieve a particular outcome may change a lot.  It is important that the replacement technologies do not weaken the overall security stance or remove features that were present in the original build.  Focusing on the requirement rather than the solution is the best way to achieve this.
Designing for the future 
Once the ORs and interdependencies of security system components are understood and agreed, the system can be designed and installed.  However, remembering that any form of permanent sporting infrastructure will last a considerable number of years, it is necessary to adopt a strategy that seeks to maximise the capabilities of new technologies as they emerge and minimise the disruption and change necessary to embrace them.  Such a strategy is likely to include the following principles:
  • Modular.  Systems will be specified and delivered in a way which makes it easy to upgrade one element without changing numerous other components.Internet Protocol (IP) based. The historical separation between the physical and logical worlds is no longer applicable as so many of the physical entities in a stadium (entry gates, CCTV monitors, Public Address, display screens, etc.), will all be controlled across communications networks based on IP.  Modern stadia can all be flood-wired with IP networks to achieve this.  Such networks will be flexible and able to adapt to changing requirements of the terminating equipment.  However, care needs to be applied in the way in which such networks are configured and protected to prevent them becoming a weakness that can be exploited via cyber attack, rather than a strength that delivers flexibility and adaptability. 
  • Based on open protocols.  Wherever possible, system components will be specified to use open, rather than manufacturer-proprietary, protocols for interfaces and data transfer.  This will be particularly important for the control of numerous physical entities as discussed above.  It is inevitable that the degree to which a cyber environment is used to control physical entities will only increase over time and the number of manufacturers offering products in this area will increase.
  •  Flexible at the Security Management System – this is the point at which the inputs from the various systems are combined and then presented to the system operators. 
Ongoing operator training is an important element which is often forgotten or minimised after system commissioning has been completed.  Ongoing refresher training programmes need to be planned and executed to ensure that operators remain conversant with the latest aspects of the system.  These programmes will also be the best route to introduce new capabilities.
Designers of security systems need to devote time to keeping themselves up to date with developments in the technology market through a mixture of:
       ·         Attendance at trade shows, exhibitions and conferences.
      ·         Ongoing dialogue with suppliers and manufacturers to understand both new uses / improvements to existing products and new products / capabilities in development.
·         Regular engagement with relevant Government or national bodies responsible for research and applied science and technology.  Each national government will have slightly different structures and processes to cover this[1]. 
This engagement will allow the designers of sports infrastructure to understand the strengths and weaknesses of products as assessed by independent experts, as well as to aid the implementation of current best practice.  This will enable a judgement to be made as to whether an emerging capability offers a significant improvement (both technically and financially) over those currently proposed.  This kind of activity could be swept up in the design integration meetings that often take place in major projects when each engineering discipline determines how it is affected by security requirements and vice versa.
Information security aspects
It is during the design and construction phases that the layers of security for the venues will be specified and installed.  Once this phase starts and the number of people involved in the project starts to rise significantly, it is important that a structured approach to the handling of information is introduced.  The importance of this was highlighted in part 1 of this article.  Information in many forms will be vital to the successful design, construction and operation of all major sporting venues for the many years of their legacy use.  The protection of information will normally be achieved by the definition and implementation of an Information Security Policy (ISP) that needs to be written in collaboration with all relevant stakeholders.  This should be designed to ensure that sufficient information relating to security systems is incorporated into master designs, but that sensitive information (e.g., camera fields of view) is only released on a need to know basis.
To facilitate this process, a single authority should be established with the responsibility for writing the ISP and also deciding the relative sensitivity of information to be disseminated.  This authority should specify how sensitive information will be marked, stored, transmitted and handled by users.  Different countries will have their own established processes for this, such as some form of national protective marking scheme for sensitive documents (Restricted, Confidential, etc). 
The ISP needs to cover appropriate elements of the supply chain.  The challenge here is to ensure that information is appropriately cascaded down the chain to facilitate the purchase of the right goods and services, but without exposing the overall security posture of the venue.  This will be particularly tricky when dealing with overseas suppliers or organisations with an unknown or weak cyber security posture.  This is a new area which may require the venue designers and builders to seek specialist advice to ensure that they can balance the advantage of going to the market for goods and services against the exposure of potentially sensitive information through the same route.
It is important that the ISP covers the protection of the numerous industrial control systems that are necessary for the operation of physical systems at the venues, or that a separate policy is written to address these risks.  A modern venue will have innumerable systems such as those for crowd access, lighting, air-conditioning, display screens, etc., as well as many aspects of security (command and control rooms, CCTV networks), all of which will be controlled via data networks and electronic infrastructures.  Complete or partial loss of control of any of these types of systems would result in serious consequences for the safe and secure operation of the venue.  The challenges of securing these from cyber threats are brought into sharp focus when considering the projected life of the control units that turn cyber commands into real action on the ground.  On average, an item of corporate IT equipment (desk computer, etc.) will have a refresh or replacement rate of about 4 to 5 years.  A typical industrial control unit may have a refresh rate of 20 to 25 years.  The cost of replacing the remote control units and the disruption to essential services while this happens are among the reasons for this sharp difference in refresh rates.  Over that period of time it is impossible to predict what cyber threats may emerge.  This is why it is important to adopt an impact driven approach to security as described in part one.  Focusing on a threat that cannot be judged so far in advance may ultimately lead to an inaccurate assessment of the risks resulting in either inadequate or over specified security features. 
It is certain that those who wish to compromise information assets belonging to a sporting venue will be imaginative in their approach.  In response to this, it is necessary to understand the threat to assets and build solid defences against incidents that could ultimately impact the security of venues and/or supporting infrastructures.  In particular the ISP needs to have a flexible response that adapts to changing technologies and attack methodologies.  The pace of change in information systems is such that it will be necessary to keep the designs flexible and able to adopt appropriate new technologies as they emerge.  But new threats also emerge at a significant rate.  The ISP should ensure that venue owners can be confident that they are able to manage their risks effectively throughout the lifetime of the venues.   This reinforces the need to adopt an impact focused, risk based approach that will build the appropriate information security controls (for cyber and other mediums) into the fabric of the venue.  This will ensure that it is capable of deterring, detecting and defending against the inevitable attempts to compromise its operations.  It is impossible to prevent all compromises from internal and external threats, but an effective ISP will support a security architecture necessary to create a resilient operation; respond to incidents effectively; learn from security breaches; and most importantly, manage risk within proportionate tolerance levels. 
There are numerous internationally recognized Information Security standards and frameworks that could be adopted[2].  Most national governments also provide protective security advice through specialist organisations.
Building begins
The engagement of security specialists as part of the multi-disciplinary design team will ensure that all the physical infrastructures are inherently secure and resilient, and relatively easy to search for suspect devices prior to the public being admitted.  Once construction of the stadium is underway, it is important that there is a controlled process to review proposed design changes from a security perspective.  This process needs to encompasses both substantive changes to building layouts, (e.g. redesign of a layout), and changes to elements such as the cladding to be applied to a wall.  Such cladding could easily be seen as ‘cosmetic’, but might have been selected for the way it resists explosive blast.  However, this is unlikely to be known to the supply chain, who might propose a similar looking material that was less resistant to blast. 
During the construction phase it is important that: the site is physically segregated from the wider world; the workforce has been vetted prior to being allowed on site; goods and materials are screened prior to site admission;  and frequent verification visits are undertaken.  There are a number of models that could be adopted that could achieve this, for example:
·         An appropriate perimeter barrier, with supporting technology, will be specified to separate the construction site from the surrounding areas.  A typical set-up for a major sporting venue or site would consist of a perimeter fence, supported by CCTV, lighting, perimeter intrusion and an operational guard force around the whole of the construction site.  Individual areas within that, e.g., a Main Stadium, would have their construction site boundaries.  A central ‘Construction Command and Control’ location should be specified to be responsible for monitoring installed systems (e.g., CCTV and intrusion detection) and managing the guard force.  If deemed necessary by a threat assessment, measures to guard against vehicle attack will be installed to protect the construction site.  However, such measures need to be considered carefully to ensure that the barriers are suitable for that environment and their installation will not impede the required flow of constructions vehicles.
·         Deliveries of construction plant and materials should be controlled through the use of a Delivery Management System to record details of loads, delivery vehicles and their drivers.  To minimise risk to the construction site, one or more offsite centres should be used to process and check vehicles, drivers and their loads before they are sealed for final delivery to the site.
·         Checks on vehicles should then be undertaken at the boundary to the construction site. For vehicles entering the site, the checks should confirm that the vehicle and occupant details are as expected and that the load has not been tampered with since the offsite checks. For vehicles leaving the site the checks should confirm that no unauthorised goods are being removed.
·         Throughout construction, verification and assurance visits should be undertaken to confirm that potential issues are identified early and addressed. This will include a process for certifying that voids are empty before they are sealed.
Thinking of the staff
It should now be obvious that the number of people working on the project either in offices or on site has risen dramatically from the levels involved at the pure design stage.  This means more people with access to information (some of which may be sensitive) and more people with access to sites and systems that may be vulnerable to malicious activity.  It is therefore necessary to consider carefully the personnel aspects of the overarching security strategy.  This is so often overlooked with attention instead focused on the physical and cyber elements and the people who operate both forgotten about.  It is wrong at this stage to suggest that all staff need to go through comprehensive vetting in order to establish their bona fides and levels of integrity.  That is unnecessary and too time consuming and expensive.  However, care should be devoted to ensuring that, as a very minimum, the true identities of all staff and contractors are fully established and that they all have the appropriate right to work from the host country.  Some staff and contractors will require extra clearance to have access to more sensitive data. 
This is an area where the importance of taking an holistic approach and not operating in silos cannot be overstated.  The security professionals for the venue should take an active interest in this area and not simply leave the matter to the Human Resources or Personnel department.  High quality leadership from the top management layers of the organisation will be necessary to articulate a vision of how the everyday actions of all staff involved in the infrastructure and delivery contribute seemingly effortlessly to the overall security of the event.  If the leadership are clear about the type of event they want to achieve, then it is so much easier for staff to be clear about what they need to do.  So often, weak or absent leadership will be filled by staff doing what they feel is right.  Quite often they will get the tone wrong and this could adversely impact on the overall security stance or inhibit the spectator experience.
Let the games begin
Security does not end when the building phase is over.  Towards the end of this and prior to the venues being used, there needs to be a final process of assurance to test whether the various security infrastructures and systems are fit for purpose.  This is when their actual operation is tested against the original Operational Requirement.  The quality of finish should also be examined.  If the processes described here were followed, then the need for remedial action or reconstruction should be minimal, but as the case studies illustrate, this is not always the case. 
If security has been integrated into the very fabric of the building then it will also support the handling of incidents or emergencies.  An integrated design will enable the event organisers, Police, emergency services and others to respond to incidents, disrupt threats, etc.  The way that security is designed into the structure should aid this and produce an integrated response to a wide range of circumstances, e.g., through the location and functioning of control rooms.  This is the point at which people, processes and technology should all come together in perfect harmony.
Conclusion
So often, security is considered as an afterthought; something to be applied after the design is over.  Not only can this be expensive, but frequently it will not produce the desired levels of protection.  By considering security at the very beginning of the design process, taking an holistic approach, thinking in terms of impact and involving relevant experts throughout that and the building phase, it is possible to produce discreet yet effective measures at reasonable cost that can deliver high levels of assurance to event organisers and others that competitors, spectators and the venue itself will all be protected against malicious activity.  This takes dynamic leadership from general management, supported by appropriate security professionals.  Working together from the very beginning of a project they can make security enhance a sporting event rather than being seen as a tax upon it which is often the (wrong) perception.   

October 2013

The author (Roger Cumming) is the Technical Director of Atkins’ security business. Atkins, an international design, engineering and project management consultancy, was heavily involved in the design of the infrastructure for the Olympic Park and temporary venues for London 2012.





[1] In the UK the Home Office Centre for Applied Science and Technology is responsible for the testing and assessment of security equipment.  The Centre for the Protection of National Infrastructure (CPNI) provides advice to the companies that run the UK’s infrastructure on how to protect themselves from national security threats.
[2] For example: ISO: 27001 and ISO: 27002, Information Security Management Standards; the 800 series from the USA’s National Institute of Standards and Technology (NIST), in particular NIST 800-53 and 800-82 for Industrial control systems.  There may also be applicable standards from the International Society of Automation (ISA) and others such as IEC62443 which covers the protection of plant networks.