The Missing Leg of a Well Balanced Facility Security Platform

The protection of high-value properties, and of the people working and/or living within them, is an important and challenging task. However, those responsible for most of the nation’s facilities typically invest in only three legs of the site security platform – i.e., those broadly related to risk assessments, planning, and the implementation of security measures. For that reason, although a site’s security profile may look stable and function well under normal use, this “three-legged” approach in protection is inherently flawed in design – guarding primarily and sometimes only against the threat characteristics determined in the facility’s risk assessment.

Nonetheless, U.S. protective practices and technologies have evolved in response to catastrophic events such as the 1995 bombing of the Alfred P. Murrah Federal Building in downtown Oklahoma City, the 1998 bombings of U.S. embassies in Kenya and Tanzania, and the bungled 1993 truck bombing of the World Trade Center in New York City.

Public buildings that were “open access” in the 1990s are now much better designed – and equipped with multiple layers of security protective measures.  But the effectiveness of those measures is inconsistent, and varies considerably from one location to another. The end result is that, despite all of the human capital and financial investment in planning, implementation, and staffing that has been used to improve security in recent years, many dangerous gaps remain – and should be faced head-on. Particularly important is the fact that, whether the security measures now in place are technological or human in nature, they must be tested, thoroughly and frequently, to ensure their effectiveness.

Functional Security Testing Models

Functional security testing models can range from those using a very soft approach, such as informal procedural knowledge assessments, to the “hard penetration testing” described by former U.S. Navy SEAL Richard Marcinko in his 1992 best-seller Rogue Warrior. Any functional security testing model should assess the performance of not only security equipment but also security personnel under actual operating conditions. Moreover, all functional security testing should be well planned, with clear objectives set that: (a) link to predetermined threat modalities; and (b) incorporate measurable performance benchmarks.

In addition, functional security test findings, regardless of the model used, also should be well documented – and then incorporated in an improvement action plan approved by any agency or collection of agencies (a Building Security Committee, for example) responsible for improving security.

Here it should be noted that functional security testing usually differs considerably from the preparedness-exercise models used.  The most significant difference is that testing is almost always unknown to the person or group being tested.  Exercises, even functional exercises, depend more on artificiality than functional testing does.  There are a number of similarities between the two as well.

As in operational exercises, safety is and must be the first priority in functional security testing. The planning and preparatory processes are fairly similar, except that there is no artificiality of location, communications, or preparation by those tested. The after-action briefing can be and frequently is very similar to those used in exercises – and the improvement action planning and implementation should be identical.

Very soft testing could involve inquiries of personnel related to the security and emergency procedures used in various situational scenarios. This approach can and should be as simple, for example, as asking security personnel and employees the basic question “What would you do if [etc].” This approach can be both spontaneous and unobtrusive, but also quite effective, when applied to security entrance points. For employees, it can and should test the depth of their understanding of facility emergency procedures.

A Broad Spectrum of Reasonable Alternatives

Other functional security testing models might and probably should involve the use of deceptive or surreptitious penetration attempts to facilities – and/or to supposedly secure areas within those facilities. The testing methods used should involve security personnel and employees in different tests. One common access-control vulnerability is so-called “tailgating” – i.e., when an authorized person allows someone to follow him or her into a secure area without challenge and authorization verification. This vulnerability is relatively easy to test and correct – if proper procedures are demanded and enforced.

Many other testing methods also can be used. Testing the detection of and response to dangerous and prohibited items – firearms and IEDs (improvised explosive devices), for example – should always be very carefully monitored. Fortunately, there are a number of zinc-constructed training firearms that have the look, feel, function, and detection image characteristics of real firearms, but are not capable of accepting a live cartridge.

Other simulation devices are readily available as well – but must be used with common sense. The IEDs used in testing should be well marked as “INERT.” Also, the testing methods designed to generate a “contain and secure” response should be carefully controlled as well.  The U.S. Marshals Service of the Department of Justice routinely prepositions a sworn deputy or two in close proximity to the screening point in order to control and terminate the test after the detection and appropriate response by security personnel have been achieved.

Aggressive “hard site” testing should be limited to those high-risk/high-value sites in which security personnel are trained, equipped, and procedurally prepared to execute highly predictable response actions.  Hard red team testing – i.e., actual attempts at physical site penetration – should be limited to a relatively small number of facilities.

Narrowing the Gap Through Improvement Action Planning

The full investment in security testing needed can be achieved only through improvement action planning and implementation. Testing may reveal gaps that can be narrowed or perhaps even eliminated by training, procedural revisions, repositioning, and/or recalibrating security equipment as well as improving communications capacities. Improvement action planning and implementation should focus, therefore, on strengthening the security posture of the site rather than on correcting the failures of a single individual.

Obviously, functional security testing may in fact reveal individual performance deficiencies, but those should be addressed as a supervisory corrective issue within the site’s own human-resources procedures. Conversely, positive performance in functional security testing can be linked to incentive programs that elevate, and appropriately reward, motivation, dedication, and vigilance.

Like the exercises, functional security testing should be a recurrent part of the individual site’s overall security program. For that reason, the “best practices” models for all-hazards preparedness should incorporate a clearly defined preparedness exercise cycle.  A best practice for functional security validation should also include a recurrent cycle for testing and evaluating various aspects of the site’s security profile.

To briefly summarize: Functional security testing is a vital, important, and absolutely essential aspect of a truly comprehensive, and therefore effective, security program. Just as a table is much sturdier when it rests on four legs instead of three, the security and emergency preparedness posture of a critical-infrastructure site is much stronger when recurrent functional security testing and improvement action planning are meticulously planned, and used effectively.

Joseph W. Trindal

As founder and president of Direct Action Resilience LLC, Joseph Trindal leads a team of retired federal, state, and local criminal justice officials providing consulting and training services to public and private sector organizations enhancing leadership, risk management, preparedness, and police services. He serves as a senior advisor to the U.S. Department of Justice, International Criminal Justice Training and Assistance Program (ICITAP) developing and leading delivery of programs that build post-conflict nations’ capabilities for democratic policing and applied modern investigative techniques. After a 20-year career with the U.S. Marshals Service, where he served as chief deputy U.S. marshal and ERT incident commander, he accepted the invitation in 2002 to become part of the leadership standing up the U.S. Department of Homeland Security as director at Federal Protective Service for the National Capital Region. He serves on the Partnership Advisory Council at the International Association of Directors of Law Enforcement Standards and Training (IADLEST). He also serves on the International Association of Chiefs of Police, International Managers of Police Academy and College Training. He was on faculty as an instructor at George Washington University. He is past president of the InfraGard National Capital Region Members Alliance. He has published numerous articles, academic papers, and technical counter-terrorism training programs. He has two sons on active duty in the U.S. Navy. Himself a Marine Corps veteran, he holds degrees in police science and criminal justice. He has contributed to the Domestic Preparedness Journal since 2006 and is a member of the Preparedness Leadership Council.


