#and i was like ‘i actually completed like 2/3 of a phd in bioinformatics so this is spot on’
wickedhawtwexler · 1 year ago
tonight i did an act and sip class with some friends and the teacher had me read a scene from grey’s anatomy and i kinda killed it as meredith tbh
comp6841lanceyoung · 5 years ago
Thoughts on Physical Security: The Ideal vs The Possible
This week in the lectures, it was emphasised that in order to create effective defensive strategies, it’s important to keep in mind all domains of security (software, hardware, physical). This week, I decided to take note of the physical.
Last night, I was fortunate enough to watch my sister, a PhD student, partake in a competition where each PhD candidate gives a 3-minute speech about their project to us scientifically illiterate human beings at one of Sydney’s finest research institutions. The whole point of the competition was to bridge the gap between the scientific realm and the everyday world - communicating complex ideas in simple, understandable terms.
Side Note: I’ll make another blog post analysing the techniques the speakers used as I’ve been told and believe this skill of communicating complex ideas in simple, understandable ways will be crucial in being an effective security engineer.
So there I was, in front of the research institute, with a set of instructions to follow the signs and find my way to level 2. When I walked in, there was a large foyer with a reception desk sentineled by a very sleepy guard staring at his computer. I asked him where the talks were being held and he pointed towards the lifts, further down the foyer, some 60m. Before one could reach the lift, there was a security glass door that required an ID card to swipe through. I signalled to the guard back at the desk and he let me through. What I also didn’t mention was that right next to the door was a spiral staircase - literally right next to it so one could just jump over the banister, walk up a couple steps, and you’re on the other side of the security door. I did note there was a security camera facing this entire entrance, including the workaround.
After going through to the lifts, I tried accessing other floors on higher levels - no problem. With the proper smart, casual outfit, and a confident stride, I could’ve walked to a location within the building, achieved an objective, and walked out without a hitch - as long as I didn’t linger, or look suspicious from the perspective of the security guard who most likely had eyes on the place through camera feeds.
My initial reaction was absolute shock - “how could they do this? They need to upgrade this immediately!” - but after thinking about it more, I’ve come to a more complex understanding of security.
First of all, security isn’t free. It costs resources, mostly money. So the real question is not “how can we make this place impregnable?”, but “how much money are we willing to spend to decrease the chances of a security breach occurring?”. 
Well, in order to answer that question, you need to understand what it is you are protecting - what is worth protecting? A research institute usually publishes its work for free, or for a small publishing fee, so the work, I would say, isn’t worth protecting too much. It’s cheaper and easier just to buy it once it’s complete.
I can guess that the government-regulated chemicals, the very expensive large research equipment, and maybe some other scientific ‘things’ (eg. dangerous bacteria) would be worth protecting.
If I was actually tasked with improving the security of the building, the first thing I would do is gather intelligence by asking officials working there on what could be dangerous if used with malicious intent, or what is very valuable. I would make sure to take extra precautions when storing this information as this information is valuable to adversaries. 
So, assuming the three elements I’ve identified to be worth protecting are all that I’m tasked with, it would be much more cost effective and simpler to spend resources securing those elements as opposed to the whole building. Protocols can be put in place to access chemicals or dangerous scientific ‘things’ (eg. locked rooms requiring special permissions to access with ID card, having layers of permissions within the chemical room, record who accesses what and at what time, extra safety equipment or cleaning protocols to keep scientists and fellow employees safe, etc.). Large equipment can be placed in secured rooms also having their own procedures (eg. ID or bioinformatic checks to prevent randoms damaging equipment, live camera feeds of the room to security guard, etc).
There are many layers of security that one could lay on top to prevent access to these rooms, but at the end of the day, not only is it impossible to create the perfect security system, it costs money and resources to get close to one, and a research institute isn’t going to spend all of its small grant money on high levels of security - it would defeat the purpose of a research institute. But some layers of security must be put in place at the most efficient cost.
Before I continue, I’d like to make a side point about the security of the foyer. Having the security door right next to an open stairwell that provides an easy workaround is ridiculous - the security door’s function is now only to filter out those with cards, and those without (and even so, it doesn’t guarantee this - presenting the right story to the guard would probably give you access no problem, or tailgating someone who does have a card would work too). But to give back credit to the security designers, the foyer was designed not with security in mind. The research institute’s bones are decades old with recent refurbishments. As the lecturer pointed out, the general philosophy of designing things back in the day was - design what we want, and then add security later. It probably cost too much to take out the stairwell or extend walls to allow for the proper functioning of the security door - though you have to ask yourself, why bother?
To conclude, I have to keep this in mind - because their work is ultimately public, what kinds of incentives would someone really have to disrupt the flow at said research institute? This research institute was not designing the atom bomb (which would definitely and did have a lot more security). The main real threat I can potentially identify is someone looking to break things or get access to dangerous scientific ‘things’ - ‘Breaking Bad’ style.
I appreciate that this small excursion, mixed with some new ideas from the lectures, completely flipped my understanding of security from “WHERE ARE THE ROBOCOPS??? THIS BUILDING IS NOT SECURE” to a more realistic, and complex understanding of physical security, and even security as a whole.