Perimeter security - Why PAS 68 is not enough

Perimeter security - Why PAS 68 is not enough

by Stephen Munden, PSSA

It is not uncommon to see perimeter security products advertised as a ‘PAS 68’ barrier, bollard, blocker or gate. This descriptor also seems to have permeated into procurement, where ‘PAS 68’ products have been ordered from manufacturers, without much further specification.
    
BSI PAS 68, and its European and international counterparts, CEN WA 16221 and ISO IWA 14-1 respectively, essentially contain only one performance requirement, that when tested in accordance with the test method specified in the standards the vehicle security barrier (VSB) shall – (a) Resist/ restrain/ deflect the test vehicle from advancing beyond the VSB; and/ or (b) Immobilise the test vehicle by trapping it; and/ or (c) Immobilise the test vehicle by preventing it progressing using its own engine power after impact.
    
Where the requirements are met, the VSB is rated in accordance with the performance rating classification code specified in IWA 14-1: 2013/ BSI PAS 68: 2013. So, in fact, where a claim is made by or on behalf of a manufacturer that a VSB meets PAS 68 requirements, they are solely relating to a single horizontal impact test.  

Operational Requirements
Further guidance on selection, installation and use of VSBs is provided in IWA 14-2 (PAS 69). Part 2 of IWA 14 describes the process of producing Operational Requirements (OR) and also gives guidance on a design method for assessing the performance of a VSB.

This considerably expands on the requirements, particularly for hostile vehicle mitigation, but which can apply to other threat mitigation.
    
There are five stages of planning. Level 1 OR – a statement of security needs and security systems definition, based on threats (although these might not always be known). These may include VSBs, fencing, pedestrian access control, intruder detection systems, etc.
    
Level 2 OR – providing more detail about the specific Hostile Vehicle Mitigation (HVM) measure, including site vulnerabilities, HVM measures performance requirements, physical and environmental constraints, rules, regulations and management, integration and success criteria.
    
Level 3 is the technical specification – the detailed requirements for the security solution. Level 4 involves system commissioning, validation, training and handover, which includes assessing deliverables against the requirements, while Level 5 analyses lifetime operation – the maintenance and servicing that ensures reliable, safe and secure operation of the equipment.

Performance standards
In addition to vehicle impact performance requirements, performance standards for the following form an essential part of the technical specification:
    
Health and safety – what are the mandated regulations and supporting standards to ensure compliance and safe operation of the equipment? These could include electrical safety, electromagnetic compatibility (EMC), machinery safety and pressure equipment safety. CE Marking by the manufacturer/ installer will be required in many cases. The supplier’s Declaration of Conformity (a legal requirement) will include details of the regulations and supporting standards with which the equipment has been shown to comply.
    
Environmental impacts – consideration here should include not only the significant environmental conditions that may affect the deployment or performance of the equipment but also the potential for adverse impact on the environment, for example, hydraulic fluid loss getting into drains or soil.
    
Organisational requirements – these may relate to the equipment in use under normal, abnormal and emergency conditions. They may also include quality criteria to which the equipment is expected to conform, for example finish, aesthetics, durability, longevity, etc.
    
Security – as detailed in the PAS / IWA specifications and including integration with other security measures, traffic control measures and, if applicable, the public realm.
    
From what has been covered so far it can be seen that, in addition to functional performance requirements such as impact testing, further requirements, which may be common to all applications or specific to an application or site, must also be specified. These include physical specifications, procedural requirements, and non-functional requirements such as safety and EMC. The latter may also be Essential Safety Requirements, as defined under European legislation.

New Threats – New Requirements
Cyber security is, deservedly, receiving a lot of attention these days, particularly in respect of information security. However, cyber threats are equally relevant to physical perimeter security.
    
There are several aspects to this, including the control of perimeter security equipment by electronic devices, the remote diagnostics of equipment, the integration of multiple devices and the so-called ‘Internet of Things’.
    
Software is a particular source of concern, with many well-known faults apparently not being rectified and widespread re-use of chunks of uncontrolled code. There are now several relevant specifications relating to cyber security of physical security systems, including BSI PAS 754: 2014 ‘Software Trustworthiness. Governance and management. Specification’ and guidance from the Trustworthy Software Initiative.
    
Hostile vehicles are not only confined to the ground. Another emerging threat is from the increasing use of Unmanned Aviation Vehicles (UAVs) or drones. Consideration now has to be given to how to detect and protect against UAVs, in addition to countermeasures against ground attack. It seems highly likely that perimeter security technology will need to become even more integrated and a lot more sophisticated to cope with a wider variety of attack methodologies, which in themselves may be multi-layered.

Organisational Resilience
Given the complex and systemic nature of perimeter security solutions today, it seems unlikely that producing Operational Requirements and subsequent specification based on determined threats will by itself be sufficient.
    
This is because by their very nature risks are uncertainties and cannot all be known. Instead of focussing only on physical threats, it also seems prudent to identify and modify organisational vulnerabilities which, if exploited, could impact the organisation’s mission or function.
    
In other words, instead of asking ‘how do I protect this asset from multiple and unknown threats?’, ask ‘what essential capabilities must be maintained and what losses are unacceptable?’. This presents the need for a different type of specification which, while including ‘point solutions’, also includes a more holistic and systemic perspective. Some emerging standards in this area include BS 65000: 2014 and ISO 22316 Guidelines for Organizational Resilience and ISO 34001 on Security Management Systems.

Please register to comment on this article