Protect, Detect, React

Thousands of people flow into a typical large company headquarters each day. Passing through a metal detector and willingly watching the contents of their briefcases and purses displayed on an x-ray machine monitor, tenants queue up to proceed into the lobby. They wave their identification cards over card readers in any of a series of lanes with transparent, retractable barrier gates that open ...

By Deborah A. Somers, Senior Security Consultant, Sako & Associates, Inc., Arlington Heights, Ill. August 1, 2003

Thousands of people flow into a typical large company headquarters each day. Passing through a metal detector and willingly watching the contents of their briefcases and purses displayed on an x-ray machine monitor, tenants queue up to proceed into the lobby. They wave their identification cards over card readers in any of a series of lanes with transparent, retractable barrier gates that open when an authorized card is used. Visitors are issued a temporary badge that permits them entry for a pre-specified period of time, limiting their movement to certain areas of the building. At a moment’s notice, the security director is capable of generating a printout listing the cards that entered the building but have not yet departed. Surveillance cameras continuously record the flow of visitors from various strategic locations, and the images are compressed and archived for future reference. Security officers monitor the lobby, process visitors into the building and respond when an identification card has been rejected or someone tries to bypass the gate.

In just two short years since terrorists attacked the World Trade Center and the Pentagon, this lobby scenario has become commonplace in corporate America. Indeed, when one enters a building with fewer security measures, it feels as if the building’s management isn’t quite up to snuff or lacks adequate funding. After all, having stuff in the lobby feels as if someone is watching the proverbial store. Lobbies that used to be showplaces that greeted the visitor with a carefully designed ambience now find their vast expanses cramped by magnetometers, x-ray machines and mazes of roped lanes.

This rapid transition to public acceptance of inconvenient, unsightly and invasive surveillance systems could not have occurred without a tragic catalyst such as the 9/11 attacks. Not everyone is happy about the imposition, but most seem willing to accommodate it. Companies have strained to meet the unprogrammed expenses of new security needs, often eschewing the cost of professional design and instead opting for quick, conspicuous installation of equipment. The problem with this tactic is that it almost certainly yields an ineffective security posture.

Government leads the way

While commercial properties have undergone rapid transition, government buildings have been quietly initiating deliberate security upgrades since 1995. The day after the bombing of the Alfred P. Murrah Federal Building in Oklahoma City in 1995, then-President Clinton directed the U.S. Dept. of Justice to assess the vulnerability of all federal office buildings in the United States. Security systems of varying designs had been the norm in facilities such as courthouses and federal prisons, but most other government offices had little by way of protection. The government had no data or assessment regarding the security status of its real estate portfolio and therefore had no way of predicting the probability of another deadly attack.

In hindsight, some fatalities and injuries in the Oklahoma City bombing could have been prevented or minimized if the building had undergone a formal assessment and instituted basic security principles. For example, the explosive-laden truck was permitted to park too close to the building, violating the concept of an enforced setback. Shatter-resistant window film, coupled with a larger traffic setback, would have decreased the severity of the injuries. A frank examination of the pre-attack security posture of the Murrah building, as well as other facilities, revealed that across-the-board improvements at all government facilities were not only crucial but also feasible.

One could argue, of course, that both the 9/11 attacks and the Oklahoma City bombing were extreme scenarios that simply could not have been prevented. However, the point should not be lost that lives could be saved by incorporating a sound security plan—physical design, technology and operational measures. This would be one that is integrated with life-safety systems and includes emergency action planning and drills. In reality, most security systems in a governmental or any other building will be more likely to counter common crime than a terrorist attack.

Organize and standardize

In preparing a sound strategy, the myriad security needs of a very wide range of facility types and properties must be categorized and the likely threats identified. A good model to follow is the one adopted by the U.S. General Services Administration (GSA). Through its Public Building Service (PBS), GSA is the primary property manager for the federal government. GSA owns or leases almost 40% of the federal government’s office space and is responsible for the security design of that space. Over 30 other agencies, including the U.S. Dept. of State, also purchase, own or lease office space or buildings and must secure those properties.

At a minimum, the buildings with the highest risk are required to include surveillance cameras, intrusion-detection systems with central monitoring, and metal detectors and x-ray machines to screen people and their belongings at entrances.

In 1997 GSA’s Security Criteria formalized the preliminary revisions in an attempt to “ensure that security becomes an integral part of the planning, design and construction” of new federal buildings. The document was ultimately integrated into PBS-P100, Facilities Standards for the Public Buildings Service, and was last revised in March 2003. Meanwhile, the U.S. Dept. of Defense (DOD), another big government landlord, continued to refine its own antiterrorism regulatory guidance, culminating in the Minimum Antiterrorism Standards (UFC 4-010-01).

Protect, detect and react

So what else is the government doing? U.S. General Accounting Office Chief Technologist Keith Rhodes testified before Congress in April of 2002 about technologies being used to secure federal buildings. There were no surprises in the report, but it did confirm that newer technology such as biometric readers, and modifications of established technology, such as integrated alarm and surveillance camera applications, were being used to support basic security principles: protect, detect and react.

This fundamental mantra underscores the fact that a security system is comprised of closely integrated, complementary components.

An architect or engineer who works on a government project should be aware of the evolution of government building protection and the body of references available for such projects. Even if the client agency is not subject to existing governmental security regulations, it will usually agree to follow the established regulations of an agency with a more sophisticated history of security planning, such as DOD or GSA.

Further, sound security design includes not only architectural design and technological devices, but also operational matters. Therefore, a security design specialist may be best suited to integrate all aspects of the security system.

Top five government expectations

Having delivered a number of federal facilities, including the new U.S. Dept. of State office complex in Zagreb, Croatia, Sako Assocs. has had the opportunity to perform a number of security assessments, and in general, five rules apply in helping meet client expectations:

1) Apply appropriate regulations and guidelines. Government projects are usually highly regulated in terms of security provisions. If the client agency is not subject to its own regulatory standards, it will usually comply with—or even demand application of—the standards promulgated by another agency for similar projects. As a start, familiarize yourself with the standards and guidelines in the adjacent table.

2) Include a formal security design process in the project development. Government agencies are usually receptive to or may require security design as an additional service. The first step is to perform a formal threat-and-vulnerability assessment. Many agencies, such as water treatment facilities, nuclear reactors, ports and airports, are in the process of undergoing such assessments.

3) Protect the building. The design team should include a member with a demonstrated knowledge of at least the following methods of protecting a building:

  • Securing the site perimeter.

  • Regulating the avenues of approach to the building through the use of such architectural design elements as barriers and obstacles.

  • Creating sufficient setback.

  • Building hardening to mitigate potential blast damage.

  • Progressive collapse mitigation measures.

  • Envelope security ad-dressing appropriate openings, hardware and site flow.

  • HVAC mitigation measures vs. the risk associated with chemical, biological and radiological threats.

  • Utility security (indoor and outdoor) from intentional or unintentional damage, tampering and accidents. This also includes safeguarding communications systems so they can be utilized in an emergency.

  • Control access by utilizing barriers, keys, keypad systems, access cards, smart cards or biometrics, as appropriate.

  • Protection for high-risk spaces within the building, such as hazardous material storage rooms, loading docks and laboratories.

4) Detect a security incident. The design team should include a member with a demonstrated knowledge of the following:

  • Comprehensive surveillance design.

  • Intrusion-detection systems, such as line sensors, motion detectors, balanced magnetic switches, sonic sensors and vibration sensors. Ensure that service entrances and utilities are included, such as roof openings and service tunnels.

  • Lobby and mail processing area design that will accommodate explosives and metal-detection systems, such as magnetometers, x-ray machines and explosive residue detection systems.

  • Interior design skills that allow for effective visual lines of sight and that also reduce potential areas of hiding.

5) React to a security incident. This final aspect combines both technological and operational components that will improve the survivability of the building and its tenants should an incident occur.

  • Design life-safety and fire-protection systems per applicable codes.

  • Integrate the needs of the life-safety systems with the security systems. For example, accommodate the need for emergency egress routes without compromising secure areas.

  • Design adequate backup power systems and ensure that security systems are covered by the backup power supply.

  • Assess the need for emergency shutoff capability for the HVAC system.

  • Develop comprehensive emergency action plans, train tenants on how to execute the plans, and practice the plans regularly.

Be prepared for more

Government agencies want attractive, inviting buildings, not facilities that resemble fortresses. They will also continue to stress fundamental security design as identified through regulatory standards and guidelines.

Computer modeling software will be increasingly used to plan for emergency egress, predict potential blast damage, and design security systems. Nascent technology such as smart cards, biometrics, networked surveillance systems, explosive residue detection and CBR detection will evolve and become more prevalent as they become more reliable and cost-effective.

In the end, be prepared for training, as the increased employment of technological devices will require an increasing number of trained operators capable of operating increasingly sophisticated equipment and software.

On the Horizon

Perhaps the biggest challenge with respect to security systems in government buildings is the lack of standards in equipment. The lack of device and software standards hampers component interoperability, causing potential difficulties within the building, as well as when connectivity to another entity becomes necessary. Life-cycle and maintenance issues also must be considered in terms of interoperability.

Government clients have a higher potential for requiring interoperability with other entities at some point in the life cycle of the security system. Examples of common issues include:

Communications systems that must be coordinated for seamless, instantaneous interoperability. A recent example was demonstrated when fire and police units responding to the World Trade Center attack could not communicate critical information to one another, hampering their efforts and endangering their lives.

Most access-control systems utilize proprietary software so that the manufacturer has a monopoly on upgrades, maintenance and expansion opportunities. This can cause a problem when the client wants its employees to be able to use a single proximity card to access multiple sites that previously had been unconnected. This problem can occur not only across government agencies, such as the Dept. of Homeland Security and all its newly reorganized sub-agencies, but also within entities.

A county government, for example, may have dozens of buildings with varying levels of security installed in them. Since security systems are expensive, the county may have taken a piecemeal approach when selecting and installing them. Along the way, it may have unwittingly chosen a system for a set of buildings that is not compatible with the existing systems elsewhere in the county. The incompatibility may not have been noticed because access control procedures were lenient. Now, with a heightened focus on security, the county may want to utilize access control in all buildings using a single proximity card. As they try to implement the new policy, they unfortunately learn of the system incompatibility. Market forces are pushing manufacturers to address these interoperability issues, but problems still persist.

Additionally, surveillance systems may have difficulty talking to each other, especially when specialized functions come into play. For example, although the video signal from a camera may be received without a problem at an expanded remote site, the pan/tilt/zoom control functionality may not transmit effectively, so the new interoperable site would not have the ability to control the camera orientation.