Security Simulation for Vulnerability Assessment

Academic year: 2021

Brian Hennessey

Director Advanced Programs Adacel Systems Inc.

6200 Lee Vista Blvd. Orlando, Florida e-mail: brian.Hennessey@adacel.com

Bradley Norman

Member of the Technical Staff Sandia National Laboratories

E-mail: bnorma@sandia.gov

Robert B. Wesson

Chief Scientist Adacel Systems Inc.

6200 Lee Vista Blvd. Orlando, Florida E-mail: bobwesson@adacel.com

Abstract. This paper discusses simulation technologies developed to “stimulate” an operational command and control security system. The paper discusses simulation techniques used to create a virtual model of a facility in which to conduct vulnerability assessment exercises, performance benchmarking, Concept Of Operations (CONOPS) development and operator training. The paper discusses the specific techniques used for creating a 3d virtual environment and simulating streaming IP surveillance cameras and motion detection sensors. In addition the paper discusses advanced scenario creation techniques and the modelling of scenario entities, including vehicles, aircraft and personnel. The paper draws parallels with lessons learned in using Air Traffic Control simulators for operator training, incident recreation, procedure development and pre acquisition planning and testing.

1. INTRODUCTION

By definition, a simulator seeks to create a representative model of an actual device or process. Simulation is used in many different and diverse domains in order to gain insight into the operation and behaviour of actual systems and procedures in a safe environment. There are multiple simulation types; for the purposes of this paper, however, they can be broken down into:

• Computation simulation - Computational type simulations use mathematical and probability models to determine an outcome. An example of this type of simulation would be a Monte Carlo Simulation.

• Interactive simulation - often referred to as “human in the loop” simulations. These are physical simulations in which humans are an integral part of the system being simulated. Examples would include Air Traffic Control and flight simulators.

2. INTERACTIVE SIMULATION

The use of interactive simulation is well established in Air Traffic Control (ATC) training and research and development. This paper focuses on the potential uses of interactive security simulators to assist in the design, evaluation and use of physical security systems, using ATC simulation as a template. There are many potential uses for simulation in the physical security realm. These include:

2.1 Security Personnel Training

The reduction of on the job training time through teaching an operator the location and capabilities of the sensors at a particular site, the building locations, fence perimeters, obstructions and coverage gaps etc. Simulation can also be used to aid in teaching situational awareness and improve decision-making skills.

2.2 Simulated Force on Force exercises

Force on Force exercises are currently mandated in many industries, such as the nuclear power industry. However the nature of force on force exercises introduces many artificial elements.

For example, the responders are usually told when and where the attack will come from. Actual physical security assets cannot be destroyed, i.e. fences can’t be cut, buildings cannot be damaged, and cameras and sensors cannot be compromised. An interactive simulation system can realistically simulate all of these activities without the associated costs and security compromises.

2.3 Human Factors Studies

A simulator can be a powerful research tool for performing human factor studies that assist in designing more efficient systems. Areas of research could include: operator workload, stress, number of simultaneous actions, security force communications, and orchestration of neutralization forces.

2.4 Planning & evaluation

A simulator enables a user to add and define sensors & their capabilities to a virtual facility. Their benefits can be quickly validated prior to actual installation.

2.5 Procedure development & validation

Threat scenarios using current procedures can be simulated in real or fast time. Procedures can then be modified and their effectiveness validated through further simulation.

2.5 Conduct performance benchmarking

Every system has a failure point. If it’s a steel beam it is the point of structural failure. With a Physical Security System it can be the saturation point for operator workload or the capacity of a network to handle data. A simulator can help validate when and how a failure will occur.

3. INTERACTIVE AIR TRAFFIC CONTROL SIMULATION OVERVIEW

The realm of ATC and airspace design uses a melding of both computational and interactive simulation. A typical example of this is in the design of airspace. The FAA and Airports regularly utilize tools such as TAAMS (Total Airline Airport Management System) to create airspace and airport models to assist in optimizing existing and new air routes. Once these optimized air routes are designed they are typically input into an ATC simulator and validated by experienced Air Traffic Controllers. The rationale is that the "Control" elements of "Air Traffic Control" are the humans. The ATC infrastructure exists primarily to provide information to the Controllers (and pilots) with which to make sequencing decisions.

The interactive simulations using real controllers will validate the usability of the new procedure. For example, although a new procedure may be technically more efficient it may be operationally inefficient or present high risk, such as by placing excessive stress on controllers or pilots.

3.1 Evolution of ATC Real-Time Interactive Simulation

Up until the mid-80s, ATC simulation consisted of probabilistic, aggregate-type simulations. By 1990, however, the power of computer technology enabled the creation of interactive simulators, such as those used for years in pilot training. End users began purchasing these relatively expensive simulators because of quantifiable benefits derived from their use.

3.2 Quantifying the benefits of ATC Simulation

In the mid-90s, Chicago O’Hare tested the first low-cost prototype ATC Tower Simulator for training. The system was used to evaluate emerging simulation technologies and to determine whether tower simulation was a cost-effective training tool at high-density airports such as O’Hare. A study conducted by the Volpe Transportation Centre verified that the system reduced training times by as much as 40%. The data collected for this assessment consisted of a supervisory rating of the Controller’s performance in skill categories such as: visually scanning the airport, maintaining efficient traffic flow, aircraft identification, working speed, missed/delayed traffic calls, and clear concise communication. In addition, the time (number of days) taken before becoming certified to work independently on the actual control position was analysed.

The preliminary results of this assessment included the following observations:

• On every category, the simulation-trained students demonstrated faster acquisition of skills, even when compared to traditionally trained (no simulator training) fast learners.

• The results indicate that the inclusion of simulation training substantially increased the rate at which the skills were acquired.

• The ability to manipulate the amount and complexity of ground traffic in a simulated environment permits developmental controllers to practice their skills at appropriate, challenging levels without concern that their action or inaction might jeopardize safety.

• The actual performance of the simulation-trained students combined with less than a week of on the job experience was rated as equivalent to fast learners with 1.5 to 3.8 months and to average learners with 4.3 to 5.8 months of conventional training.

• One month of simulation training appeared to be equivalent to three or four months of traditional training.

4. THE PHYSICAL SECURITY SYSTEM

4.1 Alarm Communication and Display (AC&D) Background

An alarm communication and display (AC&D) system transmits alarm signals from intrusion detection sensors, and displays the information to a security operator for action. Modern systems use computer technology and graphics to communicate alarm information to the operator. Characteristics of a good AC&D system include fast reporting time, easy and quick discovery of single-point failures, isolation and control of sensors, and expansion flexibility.

High reliability, Internet Protocol (IP) based networks are replacing older systems, which utilize star networks and various multiplexing as transportation methods. Modern AC&D systems integrate access control, video assessment, and sensor alarm data into a single computer display system.

A physical protection system integrates people, procedures, and equipment and must be designed with the specific needs and resources of the site in mind. The human decision remains the most important factor in this process.

4.2 Problems Faced

The AC&D system operator is alerted by sensor alarms, controls the video assessment equipment, evaluates the situation, provides updates to supervisors, communicates over radio, phone and public address systems, dispatches security forces, and manages many other general functions.

As the threat increases, many factors increase for the AC&D operator, including workload, stress, number of simultaneous actions, security force communications, and orchestration of the neutralization. An advanced alarm system simulator is needed to assist in evaluating the efficiency and performance of the AC&D operator. A method of measuring operator performance under a variety of conditions is desired to supplement the overall system modelling efforts at Sandia.

4.3 System design

Detection, delay, and response are all required functions of an effective physical protection system. These functions must be performed in the correct order, and within the length of time required for the adversary to complete his task. A well-designed physical protection system provides protection-in-depth, minimizes the consequence of component failures, and exhibits balanced protection. A physical protection system must accomplish its objectives by either deterrence or a combination of detection, delay, and response. In addition, a design process based on performance criteria rather than feature criteria, will select elements and procedures according to the contribution they make to an overall system performance.

4.5 Network design

Virtual Local Area Networks (VLAN) are the transportation method of choice in current physical security systems. A VLAN Network layer allows integration of complex and dissimilar devices into a robust physical security system. Many devices now have open message formats which allow for system level integration of equipment. The open messages are often written in Extensible Mark-up Language (XML).

5. SIMULATION OF SECURITY SYSTEMS

5.1 A Physical Protection Model

An interactive security simulation can utilize many of the existing probabilistic data sets used to model a physical protection system. An example model for determining the effectiveness of a system would be:

Pe = Pd * (Pi * Pn)

Pe  Probability of effectiveness

Pd  Probability of detection

Pi  Probability of interruption (the response force gets to the scene in time)

Pn  Probability of neutralization

Pd, the probability of detection, is calculated as follows:

Pd = Ps * Pa

Ps  Probability of sensing (the sensor detects the intrusion)

Pa  Probability of assessment (the Operator sees the alarm message)

In a hybrid simulation, actual human interaction can be used in many of the instances that were previously represented as a probabilistic number. For example the probability of assessment will be determined by whether the human operator actually saw and acted upon an alarm.

In addition, the interactive simulator can be used to influence the probability of detection through changes in weather and visibility. Multiple simultaneous alarms can also influence the ability to assess and coordinate the response force.
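The hybrid form of the model above can be worked through as follows. This is an added example, not code from the paper or from VAST: it replaces the assumed Pa with the fraction of alarms an operator actually assessed in simulator trials, split by the number of simultaneous alarms, and carries a 95% Wilson interval on Pa through to Pe. The trial records and the values of Ps, Pi and Pn are constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class AlarmTrial:
    """One simulated alarm shown to a human operator (constructed record)."""
    concurrent_alarms: int  # alarms on the display at the same moment
    assessed: bool          # operator saw and acted on this alarm


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion (z=1.96 gives 95%)."""
    if n <= 0:
        raise ValueError("need at least one trial")
    p = successes / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def measured_pa(trials, min_load, max_load):
    """Empirical Pa over trials with min_load <= concurrent alarms <= max_load."""
    selected = [t for t in trials if min_load <= t.concurrent_alarms <= max_load]
    hits = sum(t.assessed for t in selected)
    low, high = wilson_interval(hits, len(selected))
    return hits / len(selected), low, high


def effectiveness(ps, pa, pi, pn):
    """Pe = Pd * (Pi * Pn) with Pd = Ps * Pa, as defined in the text."""
    for name, value in (("Ps", ps), ("Pa", pa), ("Pi", pi), ("Pn", pn)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a probability, got {value}")
    pd = ps * pa
    return pd * (pi * pn)


def effectiveness_by_load(trials, ps, pi, pn, bands):
    """Return {band: (Pe, Pe_low, Pe_high)} using the measured Pa per band."""
    result = {}
    for label, (min_load, max_load) in bands.items():
        pa_values = measured_pa(trials, min_load, max_load)
        result[label] = tuple(effectiveness(ps, pa, pi, pn) for pa in pa_values)
    return result


# Constructed sample data: 10 trials with one alarm on screen (9 assessed),
# 10 trials with five simultaneous alarms (5 assessed).
TRIALS = ([AlarmTrial(1, True)] * 9 + [AlarmTrial(1, False)]
          + [AlarmTrial(5, True)] * 5 + [AlarmTrial(5, False)] * 5)
BANDS = {"single alarm": (1, 1), "five simultaneous": (5, 5)}
PS, PI, PN = 0.90, 0.80, 0.85  # constructed values, not from the paper

if __name__ == "__main__":
    for band, (pe, low, high) in effectiveness_by_load(TRIALS, PS, PI, PN, BANDS).items():
        print(f"{band}: Pe={pe:.3f} (95% range {low:.3f} to {high:.3f})")
```

With only ten trials per band the interval on Pe is wide, which is the practical argument for running many operator sessions before quoting a single effectiveness figure.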

6. INTERACTIVE SIMULATION OF A PHYSICAL PROTECTION SYSTEM

Using interactive simulation in the physical security industry is very new. As such very little statistical data is available to quantify the effectiveness. However there are many parallels with the realm of Air Traffic Control (ATC) simulation. The core functions of a control room operator and an Air Traffic Controller have many similarities. For example, the core functions of both are:

Table 1: Core functions of ATC and security

| Function | ATC | Security |
|---|---|---|
| Detect | Detect aircraft coming into controller’s area of responsibility using radar, position data and GPS. Information is displayed on controller’s situation display. | Detect intrusion using interior and exterior sensors. Information is displayed on AC&D display. |
| Assess | Use of established ATC procedures to determine how to best sequence the aircraft in a safe and expedient manner. | Using established procedures determine validity and severity of threat and how best to deal with it. |
| Act | Issue ATC clearance | Issue alert, send out patrol |

7. VAST SIMULATOR

The Adacel VAST simulation platform is an interactive simulator. The system enables a user to create a virtual recreation of a facility and its physical protection system. The system includes a comprehensive scenario generation toolset to enable a user to define the location and capabilities of their various detection assets such as CCTVs, motion sensors and access control devices.

VAST can integrate into a VLAN and “stimulate” a number of vendors’ alarm communication and display (AC&D) systems. In this manner operators can utilize the same interfaces which they use in their day to day job.

Simulated alarm messages and video will appear on the AC&D displays – just like live data. Alarm messages can be triggered by simulated vehicles, personnel, aircraft, boats etc. The system will also simulate alarm messages such as “Tamper”, “Fault” and “Max Attempts Failed”. The user can change the types, quantity and capabilities of the detection assets and run “what if” threat scenarios to validate the location and deployment of sensors as well as to help assess a facility’s vulnerability.

The simulation is built in a layered manner with three main layers.

7.1 Layer 1 - Target classification

The first layer in the simulation defines the site boundaries, fences, water, building locations & entry points, topography, vegetation etc. This virtual environment constitutes the simulated “Playing Area”. This is the area in which all of the activities within the simulation will occur.

The simulated facility can be indoors, outdoors or a combination of both. The virtual facility is built by overlaying satellite and ground based imagery onto 3d wire frames to create a three dimensional, photo realistic re-creation of the facility. In this manner simulated cameras can be placed anywhere within the playing area and will display real-time imagery from that location.

7.2 Layer 2 – Physical Security System Hardware

The second layer comprises the detection assets of the facility. These include surveillance cameras, motion sensors, access control devices etc. The system can simulate the following types of cameras:

• Colour and Black & white, Fixed & PTZ and night vision

• Resolution and frames per second

• IP cameras with user definable CODECs, bit rate, resolution and frame rate

The system can model the following types of sensor:

• Motion sensors – microwave, infrared, radar - definable detection range & beam width

• Barriers, fence, turnstiles, access control – keypads, dry contact.

7.3 Layer 3 – Threat Definition

The final layer of simulation models the actual facility operations and the intrusion event(s). Facility operations include typical background activities during certain working hours. They can be on automatic routes or controlled by the instructor. The location and makeup of the facility’s response forces are also defined. The system can utilize a large database of models including cars, trucks, boats, aircraft, UAVs, personnel and wildlife.

The intrusion can include multiple personnel and vehicles. The intruders will have targets. There can be multiple targets. Primary and secondary targets can be defined. The primary target can be changed to the secondary target in real-time while running the scenario. The type of attack can simulate the type of adversary such as a terrorist or criminal.

8. SIMULATION SYSTEM COMPONENTS

8.1 AC&D System

The AC&D system would typically be an offline third party vendor’s AC&D system connected to the simulator via the VLAN. By default the system adheres to a subset of the Sandia Laboratories XML Interface Control Document (ICD). The XML alarm template can also be modified by the end user.

Alarms will be triggered by a vehicle, person, aircraft, boat etc. passing through a sensor’s detection field. This will trigger an “Alarm” message. Alarms can also be triggered by time; these can send alarm messages such as “Tamper”, “Fault” and “Max Attempt Failed”. Alarm messages will be sent to the AC&D system.
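The two alarm triggers described above can be sketched as follows. This is an added example, not VAST code: it models a motion sensor's detection field as a sector defined by range and beam width, raises an “Alarm” when a moving entity enters the field, and mixes in time-triggered states. The XML element names are hypothetical (the Sandia ICD layout is not reproduced in this paper), the alarm-on-entry behaviour is an assumption, and the sensor, track and timed event are constructed.

```python
import math
import xml.etree.ElementTree as ET
from dataclasses import dataclass

TIMED_STATES = {"Tamper", "Fault", "Max Attempt Failed"}  # states named in the text


@dataclass(frozen=True)
class MotionSensor:
    sensor_id: str
    x: float               # position in playing-area metres
    y: float
    heading_deg: float     # boresight, 0 = +x axis, counter-clockwise
    range_m: float         # definable detection range
    beam_width_deg: float  # definable full beam width

    def detects(self, px, py):
        """True when the point lies inside the sector-shaped detection field."""
        dx, dy = px - self.x, py - self.y
        dist = math.hypot(dx, dy)
        if dist > self.range_m:
            return False
        if dist == 0.0:
            return True
        bearing = math.degrees(math.atan2(dy, dx))
        # Signed angle off boresight, wrapped into [-180, 180).
        off = (bearing - self.heading_deg + 180.0) % 360.0 - 180.0
        return abs(off) <= self.beam_width_deg / 2.0


def alarm_xml(sensor_id, state, sim_time_s, entity_id=None):
    """Serialise one alarm; element names are hypothetical, not the Sandia ICD."""
    root = ET.Element("AlarmMessage")
    ET.SubElement(root, "SensorId").text = sensor_id
    ET.SubElement(root, "State").text = state
    ET.SubElement(root, "SimTime").text = f"{sim_time_s:.1f}"
    if entity_id is not None:
        ET.SubElement(root, "Cause").text = entity_id
    return ET.tostring(root, encoding="unicode")


def parse_alarm(message):
    """Receiving side: read the fields back out of one message."""
    return {child.tag: child.text for child in ET.fromstring(message)}


def run_scenario(sensors, entity_id, track, timed_events=(), step_s=1.0):
    """Return alarm messages in time order for one entity track plus timed events."""
    events = []
    inside = set()  # sensors whose field currently contains the entity
    for i, (px, py) in enumerate(track):
        for sensor in sensors:
            if sensor.detects(px, py):
                if sensor.sensor_id not in inside:  # assumed: alarm on entry only
                    inside.add(sensor.sensor_id)
                    events.append((i * step_s, sensor.sensor_id, "Alarm", entity_id))
            else:
                inside.discard(sensor.sensor_id)
    for t, sensor_id, state in timed_events:
        if state not in TIMED_STATES:
            raise ValueError(f"unknown timed alarm state: {state!r}")
        events.append((t, sensor_id, state, None))
    events.sort(key=lambda e: e[0])
    return [alarm_xml(sid, state, t, cause) for t, sid, state, cause in events]


# Constructed sample data: one sensor looking along +x, a person crossing its
# beam 40 m out at one position per second, and a tamper event at t = 4 s.
SENSORS = [MotionSensor("MS-01", 0.0, 0.0, 0.0, 50.0, 30.0)]
TRACK = [(40.0, float(y)) for y in range(-30, 31, 10)]
TIMED = [(4.0, "MS-01", "Tamper")]

if __name__ == "__main__":
    for message in run_scenario(SENSORS, "intruder-1", TRACK, TIMED):
        print(message)
```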

8.2 Instructor Station

The Instructor’s main role in the simulation is to control both adversary & response forces. When a scenario is created these assets are on assigned pre-defined goals. However the Instructor can alter these goals in real time as the scenario evolves.

For example the Instructor can direct forces to different areas on the site, change their speed, destination, simulate cutting through fences etc. Response and adversary forces can include both vehicles and personnel.

The response forces are controlled by the Instructor in response to directions from the Operator. For example, the Operator will call the telephone number or radio frequency (using the communications simulator) and request the assistance of the response force. The Instructor will respond as appropriate and send the force to the requested location. The operator will see the response assets moving to their location on their cameras. Multiple Instructor stations can also be utilized. In this manner red & blue forces can be created and assigned to a particular Instructor.

8.3 Communications System

The Communications Dispatch Simulator uses Voice Over Internet Protocol (VOIP) technology to provide a software only communications solution between the Operator and the Instructor. The user interface is intended to be representative of a typical dispatch system such as the Motorola Centracom. The system simulates both full duplex telephone lines as well as Push To Talk (PTT) radio lines.

8.4 Scenario Generator

The scenario generator is a stand-alone tool used to load the three dimensional virtual facility model, create and define cameras, sensors and access control devices, and define the time of day and weather effects. Background traffic, response forces, patrol routes and adversary attack routes are also defined. The system uses simple point and click techniques to enable scenarios to be created within the 3d environment. The scenario can be run totally from within the scenario generator for testing purposes. Scenarios can be run at up to 10x speed for fast time simulation.

8.5 Image Generators

The Image Generators (IGs) render multiple simultaneous cameras within the playing area. There is no theoretical limit to the number of cameras which can be defined and placed within the playing area, though each IG will usually simulate 4-6 cameras. The cameras can either be displayed on monitors attached to the IG or they can be passed through the IP camera simulator and streamed across the network into a network digital video recorder or into a network camera control system.

The IP Camera simulator takes the real-time output of the simulated cameras and turns them into a streaming video feed. The user can define the resolution, video CODEC and bit rate of the video stream. A simulated IP address is attached to each camera so that a network video application will recognize each stream as a separate camera.

The IG is also used to simulate many types of weather effects including fog, rain and snow. Weather effects can change as the scenario progresses so you can simulate for example a heavy fog passing through. Night and day operations can also be simulated along with light transition from night to day and day to night.

9. CURRENT USE OF INTERACTIVE SECURITY SIMULATORS

The VAST simulator is currently being used by Sandia to develop and evaluate intrusion scenarios.

The simulator is also intended to assist in developing operator proficiency metrics and to develop an understanding of human factors issues – particularly involving taking AC&D operators to the limits of their capability, as expressed in terms of the design-basis threat.

The prototype simulator has been integrated with the Honeywell Vindicator VCC, and plans are underway to integrate an additional console.

10. SANDIA EXPERIENCE IN SECURITY SYSTEMS

Sandia National Laboratories' roots lie in World War II's Manhattan Project and its history reflects the changing national security needs of post-war America. Sandia's original emphasis on ordnance engineering involved transforming the nuclear physics packages created by Los Alamos and Lawrence Livermore National Laboratories into deployable weapons, and expanded into new areas as national security requirements changed.

In addition to ensuring the safety and reliability of the stockpile, Sandia applied the expertise it acquired in weapons work to a variety of related areas such as physical security, energy research, supercomputing, treaty verification, and non-proliferation.

The U.S. Department of Energy recognizes Sandia as the lead laboratory for physical security R&D. For over thirty years, Sandia National Laboratories has provided physical security solutions for a wide spectrum of customers including the U.S. Department of Energy (DOE), U.S. Department of Defence (DoD), North Atlantic Treaty Organization (NATO), U.S. Department of State (DOS), Government Services Administration (GSA), dam and water systems, prisons, schools, communities, and chemical companies.

11. FUTURE SANDIA USES OF VAST

After thorough evaluation and validation Sandia will expand the uses of the VAST simulation/training tool. Potential areas of use include: training personnel, design and validation of emergency response procedures, performing human factor studies to assist in designing more efficient systems, and stimulating COTS alarm monitoring stations to test their performance.

12. CONCLUSION

The beneficial use of simulation-based training, at least for air traffic control, was clearly demonstrated over 10 years ago.

In many domains, experience has shown that an interactive simulation is a must if the human is a critical component of the system being simulated. This is largely because of the multiple dimensions of human behaviour. Trying to mathematically model this behaviour is a daunting undertaking. However an interactive simulator negates this by simply putting an expert in their simulated domain.

So why hasn’t there been a greater use of it in physical security? There are several reasons, with the primary obstruction being that until recently it would have been difficult if not impossible to make a cost justification to do so. When determining if a simulator is an appropriate medium there are many aspects to consider, including cost of the actual system, cost and risk to train using the actual system and cost of failure to train properly. Flight simulators preceded ATC simulators for the simple reason that it was relatively easy to justify a high cost simulator when the actual aircraft cost many times more, operational costs were high and the cost of failure was crashing the aircraft.

Using the same logic, ATC simulators became justifiable when the hardware became more standardized and the costs came down. The costs continue to come down. A $500 PC graphics card now has greater performance than a four million dollar image generator of only a few years ago. Compounding the reduced hardware costs is an increased need.

The current terrorist threats have made it clear that the national critical infrastructure is now a front line target. Threats are continually changing and gaining in sophistication. It can no longer be assumed that an intruder is on a two way mission. New technologies and procedures will continually be developed to counter the ever changing threats. Interactive simulation can help ensure that these are developed and validated to the fullest extent possible.
