Full Report
As violent extremist movements and terrorist organizations view critical infrastructure as a “major target,” the Organization for Security and Cooperation in Europe released new physical security guidance intended to help governments, owners and operators cut through “a complex web of practices, principles and nonbinding guidance documents” across member states. The Technical Guide on Physical Security Considerations…
Analysis Summary
# Best Practices: Securing Critical Infrastructure Against Terrorist Physical Attacks
## Overview
These structured guidelines, derived from the OSCE's Technical Guide on Physical Security Considerations, address the urgent need for governments, owners, and operators of Critical Infrastructure (CI) to enhance physical security against threats posed by violent extremist movements and terrorist organizations that view CI as a "major target." The practices focus on structured risk assessment and layered physical security measures.
## Key Recommendations
### Immediate Actions (Days 1-7)
1. **Conduct Initial Threat & Vulnerability Scoping:** Immediately review the facility’s designation and current threat level, referencing current intelligence regarding extremist focus on CI.
2. **Verify Perimeter Integrity Checks:** Conduct immediate, documented physical inspections of the primary perimeter security systems (fences, gates, lighting, CCTV coverage) to confirm they are operational.
3. **Restrict Uncontrolled Access to Mailrooms:** Implement immediate procedural controls requiring manual inspection or remote screening of all incoming external mail and packages at the perimeter, preventing transport into main processing areas until cleared.
### Short-term Improvements (1-3 months)
1. **Execute Nuanced Risk and Threat Assessment:** Launch a comprehensive, structured assessment of extant threats and risks specific to the CI facility. This assessment must drive all subsequent physical security responses.
2. **Enhance Access Control Layering:** Review and tighten physical access control checkpoints. Ensure all personnel and vehicles are subject to documented screening processes upon entry to secure areas.
3. **Implement Physical Hardening for High-Risk Areas:** Install necessary, immediate physical deterrents in identified vulnerable zones, such as deploying bullet-resistant glass or blast curtains in critical control rooms or mailroom processing areas.
4. **Establish Public-Private Information Sharing Protocols:** Formalize or initiate agreements for regular, actionable physical security threat information sharing with relevant government bodies and peer operators.
### Long-term Strategy (3+ months)
1. **Develop Comprehensive Counter-Drone Measures:** Establish layered security plans that account for the threat of aerial attacks, including the deployment of drone detection and mitigation capabilities as necessary.
2. **Integrate Insider Threat Mitigation Procedures:** Develop and regularly exercise procedures focusing on mitigating threats originating from trusted personnel, including background checks, continuous monitoring, and segregation of duties for sensitive roles.
3. **Develop and Test Crisis Management Plans:** Create comprehensive security plans that include pre-defined responses for various attack methodologies (explosives, firearms, arson, CBRN events) and conduct biannual multi-agency crisis simulation exercises.
4. **Conduct Security Architecture Redesign for Mail Handling:** For new construction or major renovations, prioritize designing mailrooms to be located near the perimeter or outside the main facility footprint to prevent mail-borne IEDs from being transported internally prior to screening.
## Implementation Guidance
### For Small Organizations
- **Focus on External Boundaries:** Prioritize robust, visible perimeter controls (fencing, lighting) as they provide the most immediate visual deterrent.
- **Implement Standardized Screening:** Adopt a simple, documented checklist for screening all incoming vehicles and personnel entering the asset-critical zone.
- **Leverage Local Partnerships:** Establish immediate liaisons with local law enforcement for intelligence sharing and collaborative emergency response planning.
### For Medium Organizations
- **Develop Layered Defense in Depth:** Implement at least two distinct physical security layers between the public area and critical assets (e.g., perimeter fence, secure parking lot, secured entrance building, asset control room).
- **Formalize Documentation:** Begin formalizing security assessments and procedural documentation as required by the structured guidance.
- **Conduct Scenario-Based Training:** Begin basic training drills focusing on immediate lockdown and reporting procedures for intrusion or suspicious package events.
### For Large Enterprises
- **Establish Integrated Security Management:** Implement a unified Security Operations Center (SOC) integrating physical events with cyber alerts (Cyber-Physical convergence management).
- **Mandate Comprehensive Assessments:** Ensure assessments cover symbolic value, potential for economic damage, and media impact, as recognized drivers of terrorist targeting.
- **Address Regulatory Complexity:** Develop internal frameworks to synthesize various national and international guidelines into one coherent, enforceable standard for all global sites.
## Configuration Examples
*The source material does not detail specific technical configurations (e.g., specific camera resolutions or lock types). The guidance emphasizes the application of measures.*
**Procedural Configuration Example (Mailroom Screening):**
1. **Stage 1 (Perimeter):** All mail/packages are received at a dedicated, hardened external collection point.
2. **Stage 2 (Screening):** Packages are subjected to X-ray screening or detonation mitigation procedures (e.g., in a protective safe or remotely located blast containment unit).
3. **Stage 3 (Internal Transit):** Only cleared items are transported to internal processing areas using secure, non-public routes.
## Compliance Alignment
While the OSCE guide compiles best practices across its members, the structured approach aligns well with foundational security management standards:
- **ISO 27001/27002:** For establishing, implementing, maintaining, and continually improving the Information Security Management System (ISMS), specifically around physical and environmental security controls (A.11).
- **NIST SP 800-53 (AC/PE Controls):** The layered defense and access control recommendations map directly to various Physical and Environmental Protection (PE) controls.
- **General Risk Management Frameworks (e.g., NIST RMF):** The emphasis on a "nuanced assessment of extant threats and risks" as the central driver for response aligns with established risk management cycles.
## Common Pitfalls to Avoid
- **Incomplete Threat Modeling:** Basing security measures on outdated threat intelligence or failing to account for symbolic value, propaganda potential, or CBRN threats.
- **Ignoring Cyber-Physical Linkages:** Focusing strictly on physical barriers while neglecting the operational technology (OT) systems that physical attacks often seek to disable or exploit.
- **Procedural Drift:** Implementing strong physical measures but failing to ensure personnel are routinely trained and procedural measures are regularly tested (i.e., security theater without follow-through).
- **Poor Mailroom Design:** Allowing mailrooms to be located centrally or integrated deeply within the facility without proper blast mitigation or remote screening capabilities.
## Resources
- **Primary Document:** Technical Guide on Physical Security Considerations for Protecting Critical Infrastructure against Terrorist Attacks (Available via OSCE Publications).
- **Supporting Concepts:** Principles of Defense in Depth, Layered Security Architectures.
- **Framework Principles:** Information Security Management System (ISMS) structure for governance.