Human safety is the most important factor in designing physical security safeguards.  

Physical security and system security can be inversely proportional to one another: as one goes up, the other may go down, and vice versa.  For example, if your company’s building is totally open to the public, you may need your proprietary systems and data to have elevated access controls, whereas if your building is completely locked down and requires 3 biometrics, a password, and ID badge to get in, you might not need elevated system security.

Crime Prevention through Environmental Design (CPTED) – this is an approach to crime prevention through the use of common-sense tactics, such as placing a receptionist or guard near all entry points, locating server rooms off the beaten path, and having thick bushes near an entrance that you don’t want people to wander into.

It has three categories: organizational (people), mechanical, and natural design.  An example of organizational/people might be placing the guards at entrances. An example of mechanical might be putting turnstiles at each entrance.  Some new terms under this category are “contact devices” or “switches,” which are remote control devices.  Solid core refers to a thick and heavy door, whereas hollow core doors are super light and can be easily broken. An example of natural design would be the thick shrubbery along the pathways to a restricted work area.

A contact alarm is one that triggers if the right contact isn’t detected. The CBK talks about doors being propped open that trigger contact alarms.
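The propped-door case can be detected from door contact events. The following is an added example, not taken from the CBK or the original notes; the event format, door names, and 30-second limit are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real access control system):
# timestamp, door id, contact state reported by the door switch.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 server-room OPEN
2024-05-01T09:00:08 server-room CLOSED
2024-05-01T09:15:00 loading-dock OPEN
2024-05-01T09:17:30 loading-dock CLOSED
2024-05-01T09:40:00 server-room OPEN
"""

HELD_OPEN_LIMIT = timedelta(seconds=30)  # assumed policy value


def parse_events(text):
    """Yield (timestamp, door, state) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, state = line.split()
        yield datetime.fromisoformat(ts), door, state


def held_open_alarms(text, now, limit=HELD_OPEN_LIMIT):
    """Return [(door, opened_at, seconds_open, still_open)] for every opening
    that exceeded the limit, including doors not reported closed by `now`."""
    opened = {}  # door -> time the contact first reported OPEN
    alarms = []
    for ts, door, state in sorted(parse_events(text)):
        if state == "OPEN":
            # Keep the earliest open time if a duplicate OPEN arrives.
            opened.setdefault(door, ts)
        elif state == "CLOSED" and door in opened:
            start = opened.pop(door)
            if ts - start > limit:
                alarms.append((door, start, int((ts - start).total_seconds()), False))
    # A door with no CLOSED event by evaluation time is the propped-door case.
    for door, start in opened.items():
        if now - start > limit:
            alarms.append((door, start, int((now - start).total_seconds()), True))
    return sorted(alarms, key=lambda a: a[1])
```
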

Sensitive compartmented information facilities (SCIFs) – basically a sophisticated way of saying restricted area.  Some key differences might be having soundproof doors, or basically solid core or stronger doors. A SCIF should also have its own power and telecommunications connections, as well as security systems that are separate from the enterprise.  RF protections might include something like a Faraday cage.

  • Soundproof doors/walls
  • Its own power/telecoms/security systems
  • Isolated ducting
  • RF protection
  • Nondescript exterior
  • No windows
  • Motion/intrusion detection

Wiring closets, intermediate distribution facilities, and wiring infrastructures (aka: cable plants) – considerations for physical security should be given to areas where external communications enter the facility, where phones, networks, and special connections occur, and where any internet service provider (ISP) equipment is located.  Considerations for security include:

  • Physical access to the room must be restricted to authorized personnel. 
  • Physical access to the room must be monitored
  • Consider locks on equipment such as cables or cages
  • Tamper proofing for wiring
  • Surge/shock protection
  • Uninterruptible power supply 
  • Temperature control
  • Fire detection/suppression
  • Emergency shutoffs

Server room considerations:

  • Racks
  • Equipment locks
  • Cages
  • Surge/shock protections
  • Uninterruptible power supply
  • Non-conductive hooks/gloves/apparel 
  • Appropriate training
  • Non-sprinkler fire suppression

Media storage facility

  • Additional site storage for backups
  • Fire/water proof containers
  • Encryption
  • Monitored access
  • Limited access to media for authorized individuals (sometimes called archivists)
  • Temperature controls

Evidence storage

  • Evidence lockers/containers
  • Environmental protections
  • Consideration to safeguard against evidence tampering and to ensure that the chain of custody is maintained

Restricted work areas:

  • Locks
  • Biometrics
  • Physical access ID cards
  • Physical access logging
  • White noise machines / sound proofed walls
  • Limited visibility from the outside (e.g. no windows)
  • Electromagnetic emissions-blocking (e.g. Faraday cage/field)

Utilities:

  • Power
    • Redundant power
    • Backups
    • Batteries
    • Dual power for data centers
    • Testing of backup sources
  • Telecommunications
    • Multiple communication service providers
    • Redundant communication channels or methods
    • Ensure no single points of failure on equipment
  • Water/sewage
    • Temperature control
    • Prevent damage to equipment
    • Most fire suppression systems would work

HVAC

Ensure that the cooling matches the heat generation of equipment and the room size, insulation, and other elements of the environment, such as humidity.  The CBK talks about high density equipment, which likely refers to having a lot of equipment/servers jam-packed together in a tight space such as might be the case with data centers, server rooms, or data closets.

Sensors are recommended to detect things like overflows and leaks, with notification mechanisms.

The standard by American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) for data centers is worth noting:

  • Standard 90.4-2019 Energy Standard
    • Recommends range of 64° to 81°F (18° to 27°C) for best hardware life

They also recommend having three sensors: at the top, middle, and bottom of the rack.

Fire prevention/suppression concepts:

Ionization can detect smoke by measuring the electrical current between two charged plates while air passes between them.

Photoelectric cells measure changes in light caused by smoke particles.

Spot type detectors use a bunch of sensors, both ionization and photoelectric, and include carbon monoxide, heat, and flame detectors for a wider range of detection and to reduce false positives.

Very Early Smoke Detection Apparatus (VESDA) – there are two alarm levels: low, which triggers an annunciator or warning light, and high, which would start the full suppression system.  VESDA systems are installed in the plenum space, or the space underneath the raised floor.

Balanced magnetic switch (BMS) – uses a magnetic field or mechanical contact to determine if an alarm has signaled.

Acoustic sensor – a device that uses passive listening devices to monitor building spaces.

Infrared linear beam sensor – a focused infrared (IR) beam that is produced from an emitter and bounced off a reflector that is located on the other side of the detection area.

Passive infrared sensors – infrared receptors are compared to typical background infrared levels to detect intruders.

Automatic request to exit – an automatic sensor that detects approaching people (motion) who may be wanting to exit.

Dual technology sensors – A combination of two sensor-type controls mentioned above.

And then we have the fire classes that came back into the common body of knowledge:

Class A for combustibles

Class B for flammable liquids

Class C for electrical fires

Class D for flammable metals

Class K for cooking equipment.

  • Water-based – works well on wood-based products and it’s cheap.
    • Wet pipe – activates via heat sensors, heads operate independently.
    • Dry pipe – pressurized gas in pipes, lower risk of freezing or leaking.
    • Pre-action – pipes are filled with compressed air – considered dry pipe system until activated, then becomes a wet pipe system.
    • Deluge – all sprinkler heads are activated when the system is triggered, useful for areas that need expanded protection.
  • Gas-based – works well on all types of fire, safe for equipment, but expensive and potentially harmful to humans.
    • Hydrofluorocarbon
      • Halon
      • FM-200 
    • Inert gas (Argon/Nitrogen)
      • Argonite
      • Inergen
    • Aerosol
      • Aero-K (safe for humans)
  • Liquid (non-water) based
    • Aqueous Firefighting Foam (AFFF) which is a water-soluble foam for combustibles.
    • Novec 1230, which can be used instead of water or AFFF for A, B, and C.