Qualitative Approach to Evaluation of Critical Infrastructure Security Systems

Tomáš Loveček, University of Žilina, Tomas.Lovecek@fsi.uniza.sk
Juraj Vaculík, University of Žilina, Juraj.Vaculik@fsi.uniza.sk
Ladislav Kittel, University of Žilina, Ladislav.Kittel@fsi.uniza.sk

ABSTRACT

The article describes the structure of a complex security system dedicated to the protection of critical infrastructure elements, such as strategic state objects, from intentional actions of persons who aim to steal, damage or destroy their objects of interest. It defines the basic factors of a security system that should be taken into account in its qualitative evaluation: technical effectiveness or reliability, reliability of the human factor, economic efficiency or optimality. The main part of the article is an analysis and comparison of tools for quantitative evaluation of security systems of critical infrastructure elements, such as SATANO, EASI, ASD, SAVI, ASSESS, JCATS, SAPE, SPRUT, Vega-2 and Analizator SFZ.

Keywords

Security system, critical infrastructure, technical effectiveness, economic efficiency.

INTRODUCTION

A system that includes the individual subsystems protecting material or immaterial property managed or owned by a particular subject, and that is created by purposeful arrangement and utilization of protective measures, goes by different names in practice. The most used terms are security system, property/object protection system, physical protection system, safety system or integrated security system. Generally, a system can be understood as a purposely defined set of elements (with specific attributes) and a set of their relations that together define the attributes, behavior and function of the system as a whole. Based on this definition, a system for protection of material or immaterial property of a particular subject may be understood as a purposeful arrangement of a set of protective measures and their attributes, which are meant to create a state of security.
If protection of property is a process that induces a state of security by utilizing protective measures that aim to defeat or stop any activities (e.g. burglary connected with vandalism) or events (e.g. an electric short-circuit and the following fire) which are in conflict with the interests of the owner of this property, then the protection system is the tool utilized to achieve this state. In this article we will use the term security system for such a protection system. Under the term security system we will therefore understand a system realized by mechanical, technical, personal and regime protection measures or elements.

Protective measures may be divided into:

- passive protection elements:
  - passive protection elements of item protection,
  - passive protection elements of shell protection,
  - passive protection elements of perimeter protection,
- active protection elements,
- physical protection elements,
- regime and organizational measures.

Passive protection elements, belonging to the group of classic protection, represent mechanical means of protection (barriers) such as building construction, opening fillings, security deposit objects, lock systems, security glass or sheets, and other barriers (e.g. retarders, fences). Active protection elements, belonging to the group of technical protection, represent alarm systems that include the Intruder Alarm System, Surveillance Monitoring System, Access Control System and Fire Detection System. Physical protection may be divided into self-protection (e.g. neighborhood watch) and protection provided by security services (private and government).

European Journal of Security and Safety 1

From the viewpoint of their evaluation, in the process of design, realization or operation of security systems we may speak about their technical effectiveness, economic efficiency, reliability and optimality, or quality.

EFFECTIVENESS, EFFICIENCY, RELIABILITY, QUALITY AND OPTIMALITY OF SECURITY SYSTEM

According to technical definitions, effectiveness is a dimensionless number that expresses how close to the ideal process a process in the evaluated system or device runs. The ideal process is 100% effective [2]. The effectiveness of a security system may then analogically express how close the real processes in the security system are to ideal processes. Ideal processes are understood as processes that completely, or to an acceptable degree, eliminate the risks that were identified and against which the security system was designed. To express security system effectiveness it is necessary to utilize specific output variables that are created ad hoc for this purpose, and their definition is not unambiguous. According to [2], one of these is for example the coefficient of protective measures, which basically calculates the ratio of breach resistances of passive protection measures and the time of the response force.

From the economic point of view, the efficiency of a system may be defined as the effectiveness of funds invested into the security system, evaluated by their results. Economic efficiency of a security system may be defined as the relation between the influence the system has on reduction of economic losses that arise as a result of criminal activities and the resources spent (capital and operational) on this system.
Sometimes it is possible to say that the results of applying an appropriate protective measure are not only elimination of losses, but also a gain (e.g. increase of reputation).

Technical reliability of a system is a complex characteristic that expresses its general ability to retain functional attributes in a given time and under given conditions. The most important partial attributes of reliability are:

- no-failure operation: ability of a technical system to continuously fulfill required functions during a set period under defined conditions,
- sustainability: attribute of an object that characterizes its capacity for failure prevention by prescribed maintenance,
- reparability: ability of a technical system to detect reasons for failures and remove them by repair,
- readiness: characterized in technical systems by no-failure operation and reparability,
- safety: ability of a technical system not to threaten human health or the environment while fulfilling required functions,
- service life: ability of an object to fulfill the required function until it reaches a limit state (unrecoverable failures, that is to say safety, loss of attribute values, lowering of effective operation).

Reliability is an indicator that is often expressed as the probability that the system (e.g. alarm system, camera surveillance system) or its element (e.g. detector, central unit, communicator) will provide the required function for a given time and under circumstances defined in advance. In practice, reliability is stated as the number of failures per time unit during the monitored period. Reliability of an alarm system, specifically of a camera surveillance system, may be determined by the Mean Time Between Failures variable, given in hours. This variable is defined by the producer of the camera from exactly registered statistical data about the failures that occurred. In many cases the reliability of alarm systems depends on the human factor (e.g. the operator of an urban camera system).
The most important types of human errors and their reasons are [2]:

- errors caused by momentary inattention: the intention is right, but it is not properly executed,
- errors caused by insufficient vocational training, lectures and instructions: the employee does not know what to do and thinks that he knows; these errors are called errors caused by wrong intentions,
- errors caused by insufficient physical or mental abilities: by unsuitable preconditions of the employee for the particular activity,
- errors caused by insufficient motivation or by violation of work procedures: these mistakes are sometimes called work offenses, because the employee who causes the error is aware of the violation of a regulation or procedure,
- errors in management: wrong leadership, utilization of plans, trainings or experience.
Quality of a security system represents the total sum of security system characteristics that make it able to satisfy given or expected needs of the customer (e.g. owner, operator, manager), and so to create security in a given environment, time and for a given purpose. [5] Quality of a security system may be defined by the sum of its parameters:

- functionality: the security system has all necessary functions implemented,
- effectiveness: the security system is able to fulfill its functions quickly and effectively,
- reliability: elements that fulfill particular functions are failure-free/redundant,
- applicability: all functions of the security system are optimized for practical use,
- sustainability: all elements that fulfill particular functions are continuously controlled and kept in the required technical state,
- expandability: it is possible to easily add new elements and functions of the security system as the need arises.

QUANTITATIVE AND QUALITATIVE EVALUATION OF SECURITY SYSTEMS FOR SUBJECTS OF CRITICAL INFRASTRUCTURE

According to the decision of the European Council from 2007, critical infrastructure should encompass mostly those physical sources, services, devices of information technologies, networks and communications whose damage or destruction would seriously influence critical societal functions, including chain of supply, health services, security, protection, economic and social well-being of citizens or operation of the EU and its member states [13].

Protection of some objects of critical infrastructure is at present solved individually in different legislative acts, but with different approaches to their protection (e.g. protection of classified information, protection of nuclear facilities, protection of financial institutions). Critical infrastructure also includes other objects whose methods of protection are not covered by law (e.g. operators of linear constructions, chemical factories, different energy suppliers, water management objects, food businesses, manufacturing companies).
Responsibility for their protection should be in the hands of public administrations along with the owners and operators of individual elements of critical infrastructure.

Different approaches to design and evaluation of security systems are used in the European Union, Russia and the USA. Generally there are two approaches used:

- quantitative approach,
- qualitative approach.

Qualitative approaches to design and evaluation of security systems are based on expert estimations by evaluators, where it is not possible to exactly calculate the effectiveness, reliability or efficiency of these systems and it is necessary to rely on the competence of the creators of standards who utilized this approach during design of generally binding legislation, methodologies or software applications (e.g. RISKWATCH Campus Security, RISKWATCH Nuclear Power, RISKWATCH Physical & Homeland Security, RISKWATCH NERC, by Risk Watch International, USA).

The quantitative approach, whose flexibility allows a security system to be proposed or evaluated to best suit the demands, conditions and possibilities of a given subject and allows its effectiveness, reliability or efficiency to be exactly proven, is deemed to be more effective. This approach is based on the assumption that it is necessary to use enough passive and active protection elements to detect the intruder and have him detained by the response force before he is able to reach his target; that is to say, the total sum of times on the adversary path to the protected assets must be greater than the response force time.

TOOLS FOR QUANTITATIVE EVALUATION OF SECURITY SYSTEMS OF CRITICAL INFRASTRUCTURE SUBJECTS

In EU conditions there is at present no adequate tool that would use the quantitative approach to evaluation of a security system.
SOFTWARE TOOL SATANO (FACULTY OF SPECIAL ENGINEERING)

An exception to this statement is the software tool SATANO, which has been developed since the 90s at the Faculty of Special Engineering of the University of Žilina in Žilina. SATANO provides four basic models:

- pragmatic model,
- optimistic model,
- pessimistic model,
- realistic model.

The output of these models is an evaluation of the technical effectiveness of the security system based on comparison of breach resistance times of passive protection elements with the maximal response force time. [2] Some of the models determine paths of least resistance, others determine the most probable intruder paths. The method used for determination of the path of least resistance is the shortest path problem from graph theory. These models are suitable mostly for calculation of the most probable breach resistance time of all passive protection elements, while systematically implementing different situation types (knowledge/unfamiliarity of system, favorable/unfavorable conditions, etc.).

The models calculate the length of the shortest path in a graph (intruder path through the protected area to the protected asset) or the length of the most probable path in the graph, depending on two types of input parameters. Input parameters (breach resistances) may be entered as constants or through a normal probability distribution. The product of these two pairs creates the four models.

The SATANO program uses a matrix form of graphical user interface for creation of a two-dimensional field, with the result that two different security zones can be connected by at most one connecting line.

Figure 1. Fulfillment of two-dimensional field as part of Graphical User Interface (GUI) of SATANO program

This approach may be rather limiting; for example, two rooms are usually connected by multiple elements (door and wall, etc.).
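The evaluation described above (path of least resistance found as a shortest path and compared with the response force time, with breach resistances entered as constants or as normal distributions) can be sketched as follows. This is an added example, not SATANO code: the zone graph, all times, the function names and the reading of "most probable path" as the path selected most often across sampled runs are assumptions of this example. Zones are joined by parallel barriers, the case a single connecting line cannot express.

```python
import heapq
import random

# Constructed sample facility (not from the article). Each barrier is
# (from_zone, to_zone, element, mean breach resistance [s], std deviation [s]).
# Parallel entries join the same two zones by more than one element.
BARRIERS = [
    ("outside", "yard", "fence", 60, 10),
    ("outside", "yard", "gate", 90, 15),
    ("yard", "hall", "door", 120, 20),
    ("yard", "hall", "wall", 600, 60),
    ("yard", "store", "window", 45, 10),
    ("store", "hall", "inner door", 80, 15),
    ("hall", "vault", "vault door", 900, 90),
]


def mean_edges(barriers):
    """Constant-input variant: every breach resistance is its mean value."""
    return [(s, d, n, float(m)) for s, d, n, m, _ in barriers]


def least_resistance_path(edges, source, target):
    """Dijkstra over a multigraph; returns (total_time, [elements breached])."""
    adj = {}
    for src, dst, name, t in edges:
        adj.setdefault(src, []).append((dst, name, t))
    best = {source: 0.0}
    heap = [(0.0, source, [])]
    while heap:
        total, zone, path = heapq.heappop(heap)
        if zone == target:
            return total, path
        if total > best.get(zone, float("inf")):
            continue  # stale heap entry, a faster way into this zone exists
        for dst, name, t in adj.get(zone, []):
            cand = total + t
            if cand < best.get(dst, float("inf")):
                best[dst] = cand
                heapq.heappush(heap, (cand, dst, path + [name]))
    return float("inf"), []  # target not reachable


def is_effective(edges, source, target, response_time):
    """Criterion from the text: time on the adversary path > response force time."""
    total, _ = least_resistance_path(edges, source, target)
    return total > response_time


def simulate(barriers, source, target, response_time, runs=2000, seed=1):
    """Normally distributed inputs: share of runs in which the system holds,
    and the least-resistance path that was selected most often."""
    rng = random.Random(seed)
    held, counts = 0, {}
    for _ in range(runs):
        sampled = [(s, d, n, max(0.0, rng.gauss(m, sd)))
                   for s, d, n, m, sd in barriers]
        total, path = least_resistance_path(sampled, source, target)
        held += total > response_time
        key = " > ".join(path)
        counts[key] = counts.get(key, 0) + 1
    return held / runs, max(counts, key=counts.get)


if __name__ == "__main__":
    print(least_resistance_path(mean_edges(BARRIERS), "outside", "vault"))
    print(simulate(BARRIERS, "outside", "vault", response_time=900))
```

With constant inputs the door wins over the wall between the same two zones, and the verdict flips as soon as the response force time exceeds the total on the weakest path.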
Figure 2. GUI of SATANO program

EASI, ASD, SAVI (SANDIA NATIONAL LABORATORIES, USA)

These three closely interconnected methodologies are based on detection of the path with the lowest cumulative probability of detection up to the critical point of detection and are intended for evaluation of the technical effectiveness of nuclear facility security. They utilize a central division of security zones, with the one zone containing the protected asset in the middle of the whole system, and are based on the intruder's familiarity with the security system. In the terminology of these methods, the path with the lowest cumulative probability of detection up to the critical point of detection is called the critical path, or the path with the lowest cumulative probability of interruption. [8] Detection before the critical point of detection is called timely detection. [6]

The EASI method (Estimation of Adversary Sequence Interruption) allows calculation of the probability of interruption only on one predefined path.

The ASD method (Adversary Sequence Diagram) is a method for graphic representation of possible intruder paths in a security system. ASD describes the facility and its security system as layers that separate the external intruder from his target inside the facility. Individual physical areas are separated by protective barriers that include everything that may delay or detect the intruder. [8]

Figure 3. Protected area (left) modeled with ASD Method (right)
The SAVI method (Systematic Analysis of Vulnerability to Intrusion) combines the EASI and ASD methods, evaluates every possible path to the central zone from the viewpoint of probability of interruption, and creates a list of the ten most vulnerable paths according to their probabilities of interruption. [6] If the values of probability of interruption are equal, it lists paths according to the total length of the attack. The main SAVI program is accompanied by an extensive database of delay and detection parameters of the most commonly used protection elements. [8]

The SAVI method also implements sensitivity analysis. Given that the most critical parameter is the time required for response, SAVI uses different values of response force time for the sensitivity analysis. The output is the probability of interruption. Figure 4 shows the sensitivity analysis for the path with the lowest probability of interruption.

Figure 4. Analysis of probability of interruption sensitivity to response force time

From the viewpoint of modeling, the main method of evaluating effectiveness (calculation of probability of interruption) may be identified as suitable, but the models do not completely reflect the demands of systems for protection of persons and property from the viewpoint of modeling of the protected area. A stated disadvantage (even from the viewpoint of nuclear facilities) is the absence of a calculation of the probability of intruder elimination.

ASSESS (SANDIA NATIONAL LABORATORIES, USA)

The ASSESS method (Analytic System and Software for Evaluating Safeguards and Security) is an extension of the SAVI method that contains additional modules for analysis of intruder neutralization and analysis of the internal adversary, as well as cooperation between internal and external adversaries. [4] ASSESS utilizes probability of interruption and the ASD method. In addition to implementing new possibilities, the program has a detailed structure which consists of six relatively independent modules.
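An added example of the interruption calculation on one predefined path and of its sensitivity to response force time, as described for EASI and SAVI above. It is not code from those tools: the path, all probabilities and times, the communication probability `p_comm`, detection at the start of each element and normally distributed times are assumptions of this example.

```python
from math import erf, sqrt

# Constructed adversary path (not from the article), outermost element first:
# (element, probability of detection, mean delay [s], std deviation of delay [s])
PATH = [
    ("fence", 0.50, 60, 18),
    ("yard crossing", 0.10, 30, 9),
    ("door", 0.90, 120, 36),
    ("corridor", 0.30, 40, 12),
    ("vault door", 0.95, 300, 90),
]


def phi(z):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def interruption_probability(path, rft_mean, rft_sd, p_comm=0.95):
    """Sum over elements of P(first detection here) * P(alarm communicated)
    * P(delay still ahead of the intruder exceeds the response force time)."""
    p_int, p_undetected = 0.0, 1.0
    for i, (_, p_det, _, _) in enumerate(path):
        rest = path[i:]  # detection assumed at the start of element i
        remaining = sum(mean for _, _, mean, _ in rest)
        var = sum(sd ** 2 for _, _, _, sd in rest) + rft_sd ** 2
        if var > 0:
            timely = phi((remaining - rft_mean) / sqrt(var))
        else:
            timely = float(remaining > rft_mean)
        p_int += p_undetected * p_det * p_comm * timely
        p_undetected *= 1.0 - p_det
    return p_int


def critical_detection_point(path, rft_mean):
    """Last element at which detection still leaves more mean delay than the
    response force needs; None if even detection at the first is too late."""
    cdp = None
    for i, (name, _, _, _) in enumerate(path):
        if sum(mean for _, _, mean, _ in path[i:]) > rft_mean:
            cdp = name
    return cdp


def sensitivity(path, rft_means, rel_sd=0.3):
    """Probability of interruption for a range of response force times."""
    return [(r, round(interruption_probability(path, r, rel_sd * r), 3))
            for r in rft_means]


if __name__ == "__main__":
    print("critical detection point:", critical_detection_point(PATH, 350))
    for rft, p in sensitivity(PATH, [100, 200, 300, 400, 500, 600, 700]):
        print(f"RFT {rft:4d} s -> P(interruption) = {p}")
```

Detectors placed after the critical detection point contribute little to the result, which is why the curve falls as the response force time grows.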
JCATS (LAWRENCE LIVERMORE NATIONAL LABORATORY, USA)

The support tool JCATS (Joint Combat and Tactical Simulation) may be utilized for estimation of the effectiveness of the response force. [7] It is a simulation software tool developed for training of officers and their response forces in commands and orders during intervention. The software tool reckons with intervention from the ground as well as from the air, and also takes into account intervention of a firefighting unit. [2] JCATS follows its direct predecessor JTS, which was used since the first half of the 90s, but development of such a simulation tool reaches back to the 70s. [23]

According to [9], this tool is intended for support of physical protection analysis and training of response forces. Protected facilities are mostly weapon deposits and other military objects. It is a combat simulation with realistic modeling of terrain, protected area, used weapons and ammunition. From the viewpoint of physical protection it contributes to calculation of the probability of intruder elimination, but it also has partial use in detection of vulnerable places in protection.
Figure 5. Example from JCATS user interface

SAPE (KOREA INSTITUTE OF NUCLEAR NON-PROLIFERATION AND CONTROL, SOUTH KOREA)

SAPE (Systematic Analysis of Physical Protection Effectiveness) is a program for evaluation of the technical effectiveness of security systems that follows the SAVI and ASSESS methods, but improves on them significantly. This method uses a 2D model of the protected area instead of the ASD model, uses a new heuristic algorithm and considerably extends sensitivity analysis. SAPE was programmed in Visual Basic. The method is in the phase of development and testing; most problems are caused by insufficient input data (for recent studies obsolete data from SAVI were used, because newer data are classified and not available). [1]
Figure 6. Advantages of 2D maps compared to ASD are especially evident when modeling expansive security systems

SAPE replaces the ASD method with a two-dimensional map, as the ASD diagram is disarranged, difficult to use and not very accurate in calculations. When calculating the transition between two areas, a constant value is added to the total time without regard for the specific path the intruder chooses (e.g. without regard to the specific place where the intruder breached the fence, etc.). Compared with SAVI and ASSESS, SAPE significantly extends sensitivity analysis, analyzing all protective elements on the most vulnerable path. The resulting values subsequently represent the relative effectiveness of upgrading individual protective elements.

SPRUT (ISTA, RUSSIA)

SPRUT is software used for evaluation of physical protection effectiveness in nuclear facilities, developed by the ISTA corporation. The software serves for modeling of a combat encounter between intruders and physical protection. The newer version SPRUT IM utilizes simulation modeling of intrusion into an object, aiming to calculate the most effective scheme to defeat the attack. [10] SPRUT consists of three parts:

- calculation of quantitative parameters of security system effectiveness,
- detection of weakest parts of protection (analysis),
- determination of optimal paths for response (synthesis). [11]
Figure 7. Graphic user interface of SPRUT software

VEGA-2 (ELERON, RUSSIA)

Vega-2 is a software tool intended for determination of physical protection system effectiveness for nuclear facilities in a specified structure of security system and with different adversary models (internal and external). [10] It was patented in 2007, and since 2008 it has been used mostly for evaluation of stationary targets. Eleron developed the software and trainer Poligon for evaluation of physical protection of road and railroad transports of nuclear materials. [11]

Vega-2 is used for design of proposals and selection of the optimal variant of physical protection system improvement. The protected area is modeled by zones, sections and passages. The software includes databases of physical barriers and detection elements, with the possibility of defining own elements. The analysis also takes into account the activities of guards and members of the response force, and one of the outputs is a list of optimal paths during intervention. [10]

OTHER RUSSIAN TOOLS

Other Russian tools dedicated to evaluation of physical protection effectiveness are mostly suitable for simulation of armed combat between the response force and intruders (usually a terrorist group). These tools, similarly to JCATS, are suitable for training of response forces and calculation of the probability of intruder elimination.

A specific tool is Analizator SFZ, which is intended for calculation of the shortest time of overcoming the security system, acting as the pessimistic model of the SATANO program. Overcoming time includes movement times and times of breaching different protection elements, including walls. Individual movement times are mathematically modeled in detail. In compliance with the analysis, critical trajectories of intruder movement and optimal trajectories of the response force are determined. [12] The program allows modeling of extensive areas and multiple-floor buildings.
Figure 8. Modeling of critical trajectory of intruder in three-story object in Analizator SFZ software

COMPARISON OF SOFTWARE TOOLS

The software tools listed above vary in several points:

- different input and output parameters,
- definition of input values by one value or by probability distribution,
- method for protected area modeling,
- utilization of sensitivity analysis.

Most solutions have in common that they are based on calculation of the probability of interruption, and sensitivity analysis is subsequently based on this parameter. These solutions are based on the intruder's awareness of the security system structure and on utilization of minimal (guaranteed) times.

The SATANO software, for example, uses a different approach. Evaluation based on utilization of the most probable intruder paths and most probable (mean) times appears in these models. Acquiring mean times (e.g. by expert estimations) is easier than acquiring minimal (guaranteed) times, which can be acquired only by means of experiment. Theoretically it is possible to acquire even the most probable intruder paths by expert estimations, but utilization of this method makes it impossible to classify the model as quantitative.

CONCLUSION

As a result of the acceptance of European and national generally binding laws, many subjects are required to protect their property (e.g. buildings, machinery, equipment, information systems), based on the fact that according to the nature of their activities they belong to national or European critical infrastructure. At present there are different approaches, methodologies and tools for design of security systems for protection of property in the USA, Russia or South Korea.
However, when applying these to the conditions of protection of European critical infrastructure we encounter specific deficiencies and disadvantages:

- utilization of the qualitative approach, which makes it impossible to exactly verify the effectiveness or efficiency of designed protective measures,
- tools were designed for protection of specific materials and non-commercial facilities and were not intended for protection of other object types (e.g. linear constructions: tunnels, railroads, highways, etc.),
- do not allow evaluation of security in buildings with multiple floors,
- tools do not take into account European technical standards, certificates and norms utilized in the field of security,
- tools do not take into account random factors, such as decisions made by the intruder in uncertainty,
- tools do not take into account the economic efficiency of the whole security system, as it was not necessary to take this into account in military or government strategic objects.
It is a society-wide interest to successfully realize in practice the requirements of the European Commission connected to physical protection of critical infrastructure elements from intentional activities of persons who aim to steal, damage or destroy their protected asset. Until now no standards, norms, methodologies or software tools have been created in practice that would allow the owners or managers of critical infrastructure objects to effectively and efficiently protect their own or entrusted property.

In the European Union, only the Faculty of Special Engineering at the University of Žilina in Žilina, where the aforementioned software tool SATANO was created, deals with this issue in the long term and in a complex way. The authors of this article, who are also authors of the software tool, realize that great effort is needed to make this software full-fledged for use in practice, to allow exact qualitative evaluation of designed or existing security systems for subjects of critical infrastructure. They also realize that it is vital to join forces with organizations and research institutions that have dealt with this issue outside of the European Union for a longer time (e.g. the SAVI method from Sandia Laboratories in New Mexico since the 70s), or at least to familiarize themselves with the results of their research to avoid their own mistakes.

ACKNOWLEDGMENTS

This work was supported by the Slovak Research and Development Agency under the contract No. APVV-0471-10.

REFERENCES

[1] Jangs, S., 2009, Development of a Vulnerability Assessment Code for a Physical Protection System: Systematic Analysis of Physical Protection (SAPE). In: Nuclear Engineering and Technology, VOL.41 NO.
[2] Loveček, T., 2009, Systémy ochrany majetku a možnosti ich kvalitatívneho a kvantitatívneho ohodnotenia: Habilitačná práca. Žilina.
[3] Vyhláška 51/2006 Úradu jadrového dozoru Slovenskej republiky ktorou sa ustanovujú podrobnosti o požiadavkách na zabezpečenie fyzickej ochrany
[4] Philips, G., 2004, New Vulnerability Assessment Technologies vs the Old VA Tools. New Meets Old. National Security Program Office.
[5] Reitšpís, J., 2004, Manžérstvo bezpečnostných rizík, Žilina: EDIS - vydavatelstvo ZU Zilina, 2004. ISBN 80-8070-328-0
[6] Physical Protection of Nuclear Facilities and Materials, Albuquerque, New Mexico, USA
[7] A Risk Assessment Methodology (RAM) for Physical Security. 2005. Sandia Corporation, White Paper.
[8] Analýza účinnosti systému bezpečnostní ochrany jaderných zařízení a jadrných material, 1991, Ústav jaderných informácí
[9] Joint Conflict and Tactical Simulation (JCATS) at Sandia National Laboratories, Fact Sheet, Sandia National Laboratories, 11/2006, SAND2006-7256P
[10] Тарасов Ю.: Специализированные программные комплексы, In: безопасность достоверность информация, 3 [78] май июнь 2008
[11] Hиколай P.: Методические аспекты задания требований к антитеррористической защищенности объектов и оценки достаточности осуществляемых мероприятий защиты, In: безопасность достоверность информация, 3 [78] май июнь 2008
[12] Леус А. 2011 Оценка эффективности систем безопасности. Модель движения нарушителя по охраняемому объекту: LAP LAMBERT Academic Publishing. ISBN 978-3-8433-1637-8
[13] Council Decision 2007/124/EC, Euratom, Council decision of 12 February 2007, establishing for the period 2007 to 2013, as part of General Programme on Security and Safeguarding Liberties, the Specific Programme Prevention, Preparedness and Consequence Management of Terrorism and other Security related risks, Accessed on 2008-06-08, Available at: http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2007:058:0001:0006:en:pdf.