[Figure: diagram with the following elements. Determine PPS Objectives (Facility Characterization, Threat Definition, Target Identification); Design PPS: Physical Protection Systems (Detection: Exterior Sensors, Interior Sensors, Alarm Assessment, Alarm Communication & Display, Entry Control; Delay: Access Delay; Response: Response Force, Response Force Communications); Analyze PPS Design: Analysis/Evaluation (EASI Model, Adversary Sequence Diagrams, Computer Models, Risk Assessment); Final PPS Design; Redesign PPS.]
An entry control system allows the movement of authorized personnel and material into and out of facilities, while detecting and possibly delaying movement of unauthorized personnel and contraband. Entry control elements may be found at a facility boundary or perimeter, such as at vehicle gates, building entry points, or doors into rooms or other special areas within a building.
The objectives of an entry control system used for physical protection are:
• to permit only authorized persons to enter and exit;
• to detect and prevent the entry or exit of contraband material (weapons, explosives, unauthorized tools, or critical assets); and
• to provide information to security personnel to facilitate assessment and response.
In this text, entry control is defined as the physical equipment used to control the movement of people or material into an area. The term access control refers to the process of managing databases or other records and determining the parameters of authorized entry, such as who or what will be granted access, when they may enter, and where access will occur. The terms are often used interchangeably in industry; however, there are advantages to differentiating between the two. Many industrial access control systems include software to manage the database of those having authorized access, as well as the physical means of restricting entry or exit. Because the technical issues associated with the installation and use of entry control equipment are different than the administrative controls required to manage authorized access, they require separate consideration in order to achieve an effective and integrated subsystem.
The performance measures of entry control subsystems include throughput and error rates. Throughput is a measure of the time it takes for an authorized person or material to successfully pass an entry or exit point. Technology components that require longer throughput times may not be applicable in all situations, such as entry to an industrial facility at shift changes. Error rates will be discussed in more detail in the section entitled “Personnel Identity Verification (Biometrics).”
Personnel Entry Control
Personnel entry control is the portion of an entry control system used to authorize entry and to verify the authorization of personnel seeking entry to a controlled area. This verification decision is usually based on determining whether the person (1) is carrying a valid credential, (2) knows a valid personal identification number, or (3) possesses the proper unique physical characteristic that matches the person’s characteristic recorded at enrollment (biometrics, such as fingerprint, hand geometry, etc.). These three concepts are summarized as what you have, what you know, and what you are.
With the exception of biometric devices, entry control devices may be used independently of the authorized person. A physical characteristic match will verify the person’s identity; a credential or an ID number will only verify that the person requesting entry has a valid credential or knows a valid number. Combinations of entry control technology can be used effectively to protect access to a facility. These combinations can reduce throughput, but will make the system harder for an adversary to defeat. Methods of personnel entry authorization that will be discussed include personal identification number, credentials, and positive personnel identity verification or biometrics.
Personal Identification Number
Systems are available in which a memorized number, referred to as a personal identification number (PIN), is used. To gain entry the user enters the PIN on a keypad. Some systems use a coded credential to locate the reference file associated with that badge number in the access control database. In this case, an individual requesting access first inserts the coded credential and then enters a memorized number via a keypad. This number is compared to the one stored in the reference file for that person. If the numbers are the same, the person is granted entry.
The memorized number may be selected by the individual enrolling, or it may be assigned. A four- to six-digit number is commonly used. This simple method does have weaknesses: (1) an individual could pass the PIN and credential to an unauthorized individual; (2) the PIN could be observed surreptitiously by an adversary (shoulder surfing); or (3) the PIN could be obtained by coercion. In addition, people often write PINs down, making it easier for an adversary to obtain the PIN.
There are two primary considerations for selecting a secure PIN. First, the PIN should be long enough, and second, the PIN should not be a number that is too meaningful to the individual to whom it is assigned. The PIN must have enough digits to prevent easy guesses. This is especially important where a PIN is the only criterion for granting entry. For a population of a few hundred, a four-digit PIN should be sufficient. Four digits allow for a total of 10,000 combinations, which is much larger than the number of people in the population. The probability of guessing a correct PIN is low under these circumstances.
If a person is allowed to choose his or her own PIN, choosing a PIN that is too meaningful to that person should be strongly discouraged. Birthdays, partial social security numbers, phone numbers, and other numbers may be easy for the individual to remember but may also be easy for an adversary to guess. Other easy numbers to remember like 1-1-1-1, 1-2-3-4, and similar sequences should also be avoided.
Some systems provide a maximum number of PIN entry attempts before disallowing the credential or generating an alarm to the central control system. Using the PIN in combination with credentials and biometrics helps to raise the level of security.
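The relationship between PIN length, population size, and an attempt limit can be quantified. The following is an added example, not code from the original text. It assumes PINs are distinct and uniformly assigned and that an adversary makes distinct guesses; the function names and the 300-person scenario are constructed for illustration.

```python
from math import comb

def p_guess_pin_only(digits, population, attempts):
    """Chance that `attempts` distinct guesses hit any of `population` valid
    PINs when the PIN alone grants entry (hypergeometric, no replacement)."""
    space = 10 ** digits
    if population > space:
        raise ValueError("more PIN holders than distinct PINs")
    attempts = min(attempts, space)
    return 1 - comb(space - population, attempts) / comb(space, attempts)

def p_guess_with_credential(digits, attempts):
    """Chance of guessing the one PIN tied to a presented coded credential."""
    space = 10 ** digits
    return min(attempts, space) / space

def min_digits(population, attempts, target, pin_only=True):
    """Shortest PIN length whose guess probability is at or below `target`."""
    for digits in range(1, 13):
        if pin_only and 10 ** digits < population:
            continue  # not enough distinct PINs for this population
        p = (p_guess_pin_only(digits, population, attempts) if pin_only
             else p_guess_with_credential(digits, attempts))
        if p <= target:
            return digits
    raise ValueError("target not reachable with 12 digits")

def weak_pin_reasons(pin, personal_numbers=()):
    """Screen a chosen PIN against the patterns the text says to avoid."""
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")            # e.g. 1-1-1-1
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")         # e.g. 1-2-3-4 or 4-3-2-1
    for number in personal_numbers:                 # birthday, phone number, ...
        if pin in "".join(ch for ch in number if ch.isdigit()):
            reasons.append("matches personal number")
            break
    return reasons

if __name__ == "__main__":
    # Constructed scenario: 300 PIN holders, lockout after 3 attempts.
    for d in (4, 5, 6):
        print(d, round(p_guess_pin_only(d, 300, 3), 5),
              p_guess_with_credential(d, 3))
    print(min_digits(300, 3, 0.01))
    print(weak_pin_reasons("0314", ["1987-03-14"]))
```

With a PIN as the only criterion, the guess probability scales with the number of enrolled PINs; binding the PIN to a credential removes that dependence.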
Credentials
There are many types of credentials used in personnel entry control. Those that will be discussed in this chapter are:
• photo identification badge
• exchange badge
• stored-image badge
• coded credential
The first three require a manual check by a guard and require a high degree of vigilance. Coded credentials are checked automatically.
Photo Identification Badge
The photo identification badge is a common credential used for personnel entry control, but it is not always effective.
A false photo identification badge can be made, or an individual can make up their face to match that on a stolen badge in an effort to gain unauthorized entry. Also, because this kind of badge is manually checked, guard inattentiveness can reduce its effectiveness, especially at times when large numbers of people are entering a facility.
Exchange Badge
A badge exchange system requires that matching badges be held at each entry control point. When an employee presents a badge and requests entry, a guard compares the individual to the photo on the corresponding exchange badge held at the entry control point. If the two match, the guard exchanges the badges and allows entry. The exchange badge may contain more information than the employee badge and may be a different color. The employee’s badge is held at the entry control point until the employee leaves the area, at which time the badges are again exchanged. In this way, the exchanged badge worn within the secure area is never allowed to leave the area. This reduces the possibility of a facility badge being counterfeited, lost, or stolen. The badge exchange system does not prevent someone from making up their face to match the image on a stolen badge in order to gain unauthorized entry.
Stored-Image Badge
The use of a stored-image (video comparator) system requires a guard to verify an individual’s identity based on visual characteristics. A securely stored image is used for comparison with a real-time image of the individual requesting entry.
Two of the most important features of such a system are enrollment capability and access time. Enrollment capability is the maximum number of images that can be stored by the system. The access time is the time required from entry of the identification number until the stored image is displayed for viewing. These systems use a coded badge or keyboard to find the stored image for display and visual comparison by the guard.
Stored-image systems are not based on a unique, measurable characteristic, such as a fingerprint, so they are not considered to be personnel identity verification. However, they have an advantage over manual photo identification systems in that it is difficult to tamper with the stored image. In this way, the stored-image system is comparable to badge exchange systems. Nonetheless, they are still susceptible to the use of make-up to disguise an unauthorized person.
Coded Credential
Coded credential systems, also called key-card systems, are commercially available with a wide range of capabilities, including:
• maintenance of entry authorization records for each coded credential;
• provision of unique identification code numbers that can be read by a machine;
• termination of entry authorization for an individual without the necessity of recovering that individual’s badge or credential; and
• provision for several levels of entry authorization, such as entry only at selected entry control points or only at certain times of the day.
Entry authorization records can be updated each time entry is requested using a coded credential. Each entry action and its time of occurrence, entry location, and the coded credential identification number can be recorded and listed on request.
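The capabilities listed above (per-credential authorization records, levels of authorization by entry point and time of day, termination without recovering the badge, and a record of each entry action) can be sketched as follows. This is an added example, not code from the original text or from any vendor's system; the class names, credential IDs, portal names, and the choice to record denials alongside grants are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class AuthRecord:
    portals: frozenset    # entry control points this credential may use
    start: time           # start of permitted time-of-day window
    end: time             # end of window (earlier than start for a night shift)
    active: bool = True   # set False to terminate authorization

class EntryController:
    def __init__(self):
        self.records = {}  # credential ID -> AuthRecord
        self.log = []      # (timestamp, portal, credential ID, decision)

    def enroll(self, cred_id, portals, start, end):
        self.records[cred_id] = AuthRecord(frozenset(portals), start, end)

    def terminate(self, cred_id):
        # Revocation is a database change; the badge need not be recovered.
        self.records[cred_id].active = False

    @staticmethod
    def _in_window(rec, t):
        if rec.start <= rec.end:
            return rec.start <= t <= rec.end
        return t >= rec.start or t <= rec.end   # window crosses midnight

    def request_entry(self, cred_id, portal, when):
        rec = self.records.get(cred_id)
        if rec is None:
            decision = "DENY: unknown credential"
        elif not rec.active:
            decision = "DENY: authorization terminated"
        elif portal not in rec.portals:
            decision = "DENY: portal not authorized"
        elif not self._in_window(rec, when.time()):
            decision = "DENY: outside permitted hours"
        else:
            decision = "GRANT"
        # Assumption: denials are recorded as well as grants.
        self.log.append((when, portal, cred_id, decision))
        return decision

    def history(self, cred_id=None, portal=None):
        """List recorded entry actions, optionally filtered."""
        return [e for e in self.log
                if cred_id in (None, e[2]) and portal in (None, e[1])]

if __name__ == "__main__":
    ec = EntryController()  # all data below is constructed
    ec.enroll("B-1001", {"main-gate", "lab-2"}, time(6), time(18))
    ec.enroll("B-2002", {"main-gate"}, time(22), time(6))  # night shift
    print(ec.request_entry("B-1001", "lab-2", datetime(2024, 1, 8, 9, 30)))
    print(ec.request_entry("B-2002", "main-gate", datetime(2024, 1, 8, 23, 15)))
    ec.terminate("B-1001")
    print(ec.request_entry("B-1001", "lab-2", datetime(2024, 1, 8, 10, 0)))
    for entry in ec.history(cred_id="B-1001"):
        print(entry)
```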
Many coded credentials are in the form of a badge that is worn or carried while in a facility. A technical introduction to the use and application of coded credentials is available (Wright, 1988).
There are many techniques available for coding a badge. The most common techniques include magnetic stripe, Wiegand wire, bar codes, proximity, and smart cards.
Magnetic stripe encoding is widely used in commercial credit card systems. A strip of magnetic material located along one edge of the badge is encoded with data. These data are then read as the magnetic strip is moved through a slotted magnetic reader. The measure of the resistance of a magnetic material to changes in the stored information when exposed to a magnetic field is called its coercivity. The coercivity is defined as the magnetic intensity of an applied field required to change the information. The unit of magnetic intensity used to describe the coercivity is the oersted.
Two materials have been used as the magnetic stripe medium. The one most commonly used for credit cards is a 300 oersted (low coercivity) magnetic material. This material is relatively easy to erase. The coercivity of the second magnetic stripe material is in the range of 2500–4000 oersteds (high coercivity). This material is the one most commonly used in security credential applications and is very unlikely to be accidentally erased. Common household magnets are not strong enough to erase high-coercivity stripes. Less common rare-earth magnets, on the other hand, do produce field strengths strong enough to alter high-coercivity magnetic stripes.
The use of alphanumeric encoding allows both the badge-holder’s name and a badge number to be included. Credential forgery is relatively easy since data from the magnetic strip can be decoded or duplicate badges encoded by the use of commercially available equipment. This vulnerability can be mitigated to a great degree through the use of proprietary, nonstandard encoding and reading techniques. The use of proprietary systems, however, may limit the ability to interface with other equipment or subsystems. This may also limit choices when considering upgrades or expansions.
Wiegand wire technology has been in existence for some time, and the Wiegand signal output format has become a de facto industry standard. The code is produced by a series of parallel, embedded wires that have special magnetic properties. The wires are typically arranged in two rows (see Figure 10.1). Encoding is determined during card manufacture. Cards are swiped through a slotted card reader, much like the way magnetic stripe cards are read. While this technology is no longer widely used, the Wiegand data protocol is still in common use.
Figure 10.1 Wiegand Wire Badge. The metal wires produce a unique code that is determined when the card is manufactured.
The bar code, widely used in retail trade to automatically identify products at the point of sale, is sometimes used on coded credentials. The varying widths of the bars and spaces between them establish the code. To read the card, an optical sensor scans the bar code and transmits the information to a decoding unit. Typically, the bar code is printed on the credential and is used in much the same way as a magnetic stripe. Unless the bar code is covered with an opaque covering, it is relatively easy to duplicate. This opaque covering is becoming more commonplace as the bar code badge moves into the security credential market. Two-dimensional symbologies (2D bar codes) are also used on security credentials and are capable of storing more information than their 1D counterparts.
The proximity badge is one whose information can be read without the badge being physically placed into a reader device. Proximity badges can be classified by the method of powering the badge, operating frequency range of the badge, and read-only or read/write capability (Wright, 1987).
The electronic proximity identification badge, a small RF transponder/transmitter, must be powered in some way. A long-life battery packaged with the unit powers active badges. For some types of badges the battery power is applied only when the badge enters the interrogation field. For others, the badge continuously broadcasts and the reader antenna picks up the RF data as the badge enters the reading field.
The passive badge draws its power from the reader unit through the RF signal as it enters the interrogation field.
Proximity badges fall into two groups according to frequency. The low-frequency badges are in the 125 kHz range, and the high-frequency badges range from 2.5 MHz to over 1 GHz. A read-only badge contains a specific code usually fixed at the time of manufacture and cannot be changed.
Figure 10.2 A Passive Proximity Badge. The embedded coil and the RF chip are visible through the transparent back.
The read/write badge, on the other hand, usually contains a larger data field than read-only badges and can be programmed by the system manager as required. The proximity badge of Figure 10.2 has a transparent back showing the embedded components.
While relatively new in the United States, smart card technology has been in use for more than a decade in France. The smart card is the size of a standard bank credit card with an integrated circuit embedded in the card. Gold contacts on the surface of the card (see Figure 10.3) allow for communication with a reading device. Contactless smart cards use RF communications to talk to the reader and do not have the gold contacts. Cards with only memory circuits serve much the same function as magnetic stripe cards: badge number, user’s name, and other information can be stored and read. A true smart card includes a microprocessor that makes the card smart and sets it apart from memory cards. The size of memory on the smart card ranges from 8 to 64 KB, with projections of 1 MB available in the future.
Figure 10.3 Smart Card with Embedded Microprocessor. The processor contains specific user data, which gives this device high security protection.
The main advantages of the smart card are its large memory and its high degree of resistance to forgery or compromise. These advantages must be considered relative to the high cost of smart cards. Many smart cards have the ability to encrypt communications, which adds another level of protection. When facility populations are large and the security level is not extremely high, the cost of smart cards is prohibitive. However, issuing smart cards to a small population for use at a very high security facility or to limit access to certain areas in large facilities may be appropriate. Examples of the latter case might be entry into areas containing precious metals or executive suites. A facility may also have extensive administrative concerns such as training, health care records, or property control; a smart card that combines one or all of these record-keeping functions with security features could be cost-effective.
Homeland Defense Presidential Directive 12 (HSPD12) is a presidential directive signed by George W. Bush in August of 2004 that directs the entire Federal Government and all contract agencies to use a single high-security credential. The credential is based on Federal Information Processing Standard 201 (FIPS 201) and uses both contact and contactless smart card technology. The implementation of this new credential is scheduled to be completed in the 2009–2010 timeframe.
This directive primarily impacts federal and federal contractor facilities but may also have some impact on private industry.
For example, personnel driving vehicles into federal or contractor facilities on a routine basis may be required to obtain a federal ID. Oversight for the development and testing of the credentials and related equipment (readers and entry control systems), as well as issuance procedures, is being provided by GSA and NIST.
For more information on HSPD-12 see http://www.smart.gov/, http://csrc.nist.gov/piv-program/, or http://www.smart.gov/iab/. Considerable information can be obtained by conducting an Internet search on HSPD-12 or FIPS 201. Caution must be used when reviewing information obtained through a web search because a considerable number of vendor sites will appear in the search results. Some vendors state that their products are HSPD-12 compliant but do not mention certification. Compliance may simply mean that the vendor believes that their product meets all the requirements; to be certified, their product must be submitted to GSA and NIST for testing. Upon successful completion of the testing, the product will be placed on the government official approved products list, which can be found at http://fips201ep.cio.gov/apl.php.
Personnel Identity Verification (Biometrics)
Personnel identity verification systems corroborate claimed identities on the basis of some unique physical biometric characteristic(s) of the individual. Commercial equipment is available that uses hand or finger geometry, handwriting, eye pattern, fingerprints, speech, face, and various other physical characteristics.
All personnel identity verification systems consider the uniqueness of the feature used for identification, the variability of the characteristic, and the difficulty of implementing the system that processes the characteristic.
Biometric devices can differentiate between verification and recognition. In verification mode, a person initiates a