The global pandemic we are currently living through has made it more apparent than ever that digital infrastructure is integral to every facet of our lives, from the growth of working at home and remote learning to the increase in social interaction with friends and family via video call software. It is crucial to the proper function of modern society, national governments, and world economies, as well as to keeping infrastructure assets operational and business running globally.
There is already a great deal of attention and focus on the cybersecurity threat to this crucial infrastructure, but that should not be the only concern. Amidst the growing threat landscape, it seems implausible that something as important as physical access be overlooked. The fact is, however, that physical security is often at the tail end of the process when it comes to designing, constructing, and operating digital infrastructure.
Jeremy Terry is the CEO of Meesons, which specialises in protecting national infrastructure such as oil and gas, electricity, and water up to the highest level. According to Terry, digital infrastructure is now widely regarded as the fifth utility, and we should expect it to be protected to the same standards as the infrastructure it underpins.
Operators and customers have specific security needs for data centre projects, and the tier level of the facility, ranging from tier 1 to tier 4, generally dictates the level of physical security needed. William Ringer, project team leader at architectural practice ARC:MC, says that most technology companies employ security experts to provide a holistic view of data centre designs, ensuring risks are thoroughly mitigated. This may include protecting a site from vehicles trying to crash through the physical layers, people trying to gain unapproved access or even drone attacks.
He also explains that, while most of the clients he has worked with do implement global security standards, these standards are driven by the customers and the insurance companies, who define specific physical and operational requirements.
Differences in security standards testing measures
The traditional method for ensuring compliance is through industry standards, but the data sector does not have a globally recognised standard for physical access control. At present, it is served by several technically and geographically specific standards. The two most well-known and important standards used in determining the relative resistance of security product ranges are the internationally recognised Loss Prevention Standard (LPS) 1175, published by the Loss Prevention Certification Board (LPCB), and the European Standard (EN) 1627.
While both standards focus on a product’s physical robustness, key differences in testing and certification mean they are not comparable. These differences include the range of tools and methods used in the testing process, the failure criteria, and the assessment of a product’s attack readiness, as well as the scope of products covered by each standard and their application across all layers of protective security. It is important to consider these differences when specifying revolving doors, security portals or other security measures for a building.
Searching for a global standard in physical access
As the technical and commercial lead for physical security at the Building Research Establishment (BRE), Richard Flint notes that an increasing number of global data centre providers are aligning their forced entry protection specification to the latest edition of LPS1175 (Issue 8), which was published in early 2019.
So, why is LPS1175 fast becoming the global standard for forced entry protection of data centres and other important assets?
“The standard is well suited to complex environments, supporting the defence in depth approach and enabling holistic specification of performance across all layers – perimeter, building envelope and data hall – down to individual assets, as well as protecting key services such as fire suppression equipment,” Flint says. “In some ways it can be said that the global data centre sector is adopting LPS1175 at a far quicker pace than other sectors. That is almost certainly because many operators within the data centre sector that are adopting LPS1175 have a global footprint compared with the global footprint of individual operators of water and other utilities that have historically used LPS1175. Also, the growth in investment in new data centre facilities worldwide is far higher compared with the investment in most other infrastructure sectors.”
Discrepancies between the two standards, and the level of security a data centre requires to function, may also be playing a part in the rapid adoption of LPS1175. For example, many products that had been rated to EN1627-30 standards have been submitted to BRE for evaluation due to specific concerns regarding whether they would afford equivalent delays if evaluated to LPS1175. This is because LPS1175 testing bears a greater similarity to the threats the specifiers were concerned about.
“In all cases, the EN1627-30 certified products delivered significantly less delay to forced entry when evaluated in accordance with LPS1175,” Flint explains. “For example, over 90 per cent of the EN1627-30 RC4 products BRE have tested to LPS1175 failed to achieve more than Security Rating 2 to LPS1175. This could potentially leave facilities that have invested in such products prone to intrusion because, rather than delivering the ten minutes of resistance expected based on the EN1627-30 RC4 rating attributed to those products, they failed to deliver five minutes of resistance to tools of a similar size, concealability and portability defined for LPS1175 Security Rating C. In fact, those RC4 rated products were only capable of delivering at least three minutes resistance to smaller LPS1175 category B tools such as claw hammers, screwdrivers and knives.”
Cyber security and physical security risk assessment
Whether the risks posed to a data centre relate to cyber security, physical security or a combination of both, Flint argues that the level of protection must be proportionate to the nature of the threat. This can be achieved using the Security Assurance certification scheme (SABRE) delivered by BRE. The scheme provides an excellent methodology for considering the risks faced by those responsible for designing, constructing and managing built assets, because it allows developers, owners, occupiers and other interested stakeholders to display their commitment to security, and seek value for money at every stage of an asset’s life cycle.
“SABRE leads users through the well-established Plan-Do-Check-Act process and is aligned to the principles of ISO31000,” Flint concludes. “Data centres and other built assets successfully assessed under the SABRE scheme, which is aligned to BRE’s BREEAM and CEEQUAL Sustainability schemes, receive LPCB certification. That can be used to communicate the risk holder’s commitment and approach to security on a given asset.”
Gareth Hulmes, head of SABRE at BRE Group and co-chair of the Security Institute’s Built Environment Security Special Interest Group, explains that SABRE enables those responsible for managing the security of an asset to demonstrate whether they have identified and evaluated their security risks, whether they be related to crime, terrorism, protests or other risks, developed an appropriate and proportionate plan to address their security requirements and implemented that plan. “The process ensures the involvement of competent security professionals, those with appropriate experience, qualifications and industry standing, at key intervals to give optimum assurance over the final outcome,” he adds. “Where new construction projects are concerned, that they span the entirety of the asset lifecycle from ‘strategic definition stage’ through to handover and occupation.”
The early application of SABRE in the design and construction process is important, as it ensures due consideration of the range of factors described by Ringer as influential in making key security decisions and setting operational requirements for new projects.
“This would range from site access, security threats around the site and physical site constraints that may raise levels of risk. For example, a freight railway line within a specific proximity, gas mains, or manufacturing facilities that may cause operational risks. This list is fairly typical, and due diligence is completed for each site to determine suitability – the earlier in the design process, the better.”
Given the ever-increasing importance of data centres in the digital age, data centre managers should use all the tools available to them to ascertain the level of security they require, consider how they intend to communicate their security commitment, and make informed decisions on how best to protect their asset from physical access threats, as well as cyber-attacks.