The terror attacks around the world in recent years have kept the infrastructure industry on tenterhooks. Having dealt with threats like theft and unauthorised entry, safety consultants suddenly needed to refer to texts on explosion proofing, riot proofing, quake proofing and volcano proofing to ensure their facilities safety. Well, perhaps not volcano proofing, but when innocent social objects like civil airplanes, gel bottles and letter openers find themselves on lists of weapons of destruction, re-examining our business safety becomes entirely necessary.
Any facility manager would argue: ‘what’s new here?’ These threats have existed forever and current technology already offers us a range of solutions for controlled access, fire-rated or quake proof buildings. And they are not off the mark with that statement. The types of threat have not changed much, but another dimension has been added to them, and that dimension is ‘Intention to cause damage’.
Our businesses are protected against accidental damages by state of the art security solutions. But are our businesses safe against intentional threats? If anyone says: ‘the probability of intentional damage is lower than the probability of an accidental damage’, then I would say, just count the number of disgruntled employees, people with vested interests, or people who have the purpose of levelling the economy around us, let alone terrorist organisations.
With the means for destructions within reach of an ordinary man or woman, intentional threats will test the security industry much more severely than accidental threats in the years to come. How well do our current security systems stack up against intentional threats? If they don’t, then is there any sense in pumping money blindly to make our buildings and investments safer against merely accidental threats.
Datacentres, one of the most mission critical investments for our businesses, find themselves at the centre of attention of all the safety consultants, because of the sheer size of investment they require and the impact they have on the business when the routers they house stop buzzing. Accordingly, let us analyse the strength of three most commonly suggested security measures against the intentional threats.
1. Designing robust structures – making bomb proof or earthquake resistant buildings to house datacentres
Robust building structures, which are earthquake resistant, fire resistant or even bomb proof (especially for Tier III or IV datacentres), have been recommended owing to calls for higher safety for the expensive equipment housed in the facilities. Specifications including concrete wall construction all around without windows, foundations on bearings and fire resistant construction materials are becoming norms.
The goal
To avoid the facility collapsing, so that even if a calamity strikes, business can be conducted as usual.
Analysis
There is no doubt that the more robust the structure, the safer the investments is. The problem is that investing money in making the building robust can make the building safer, but not necessarily do the same for the business.
The most feared and most likely calamity is fire. Having fire rated construction material ensures that the fire is contained within the premises but the fire rated materials may not stop the equipment catching fire, especially when air-con vents, electrical and network cables themselves are doing their best to carry the fire throughout at an alarming speed. Solutions like FM200 (the waterless fire protection gas) are more effective in containing the fire than fire rated walls, glass panels or ceiling tiles. Also, with the dense packing of equipment in the racks, one wonders whether there was any use in fire proofing the concrete wall.
Similarly, explosion proofing the building may not protect the business from bombs, or riots (a real threat in some countries). Sure, if a bomb explodes outside of the facility, a bomb proof building will withstand the shockwaves (bear in mind it will cost us a bomb to make a ‘bomb’ proof building). But that’s only one threat out of many others. What happens if the bomb blows the duct in which the fiber-optics are running through various corners of the city, or if a bomb explodes in the network service providers’ premises, or if someone plants the bomb inside the datacentre itself? In fact, it could be argued, the risk of these instances happening is the same, if not more, as for a bomb exploding outside of the building.
Rioters do not need to attack the building or the mob protection fence which springs from the ground. They, merely need to attack the security guard who is operating the levers. Any instance in history can be studied to find out that it’s the weak link in our chain of security that gets exploited by the calamity. I did not say this, Murphy did.
Myth meter
Making datacentre buildings calamity proof is good, but judgement should be made on whether the investments in ‘safe’ buildings are making the business safer, not just the building.
Robust buildings may protect businesses from accidental damage, but do little to protect facilities (or businesses) from intentional damage. Bomb proofing should therefore be placed near the myth side of the security meter.
2. Access controlled entrances, vehicular entry, surveillance cameras
Modern day practice for access controls and surveillance start from controlled vehicular entry via manual security screening and security patrols, right up to bio-identification systems and CCTV analytics.
The goal
To avoid the entry of non-authorised personnel, mitigating the risk of intruders causing physical, infrastructure, theft or network connectivity damage to the datacentre. analysis.
Have you ever seen security guards taking a wheel mounted mirror and checking the bottom of your car before you can enter a secured building? I am told they search for explosives cased under the vehicle. According to a specialist, there are more than 200 ways an explosive can be designed and housed in a casing. And I would bet my life that many times the only version of bomb which the security guards are aware of is the James Bond version of six red sticks with a foot long wick.
On a serious note, controlled access does add to the safety level of the facilities. It does prevent unauthorised personnel gaining easy access to expensive facilities. It does build in an additional layer of protection. But there is inherent risk in the assumption that critical damage can be caused only by gaining access to the facility. Stealing pieces of equipment during loading/unloading time, cutting fiber-optical links by digging outside the premises are just two ways of many to cause damage without accessing the facility. There are many other opportunities to avoid access control points like tailgating, gaining access through ceiling tiles, entering at knife or gun point, developing acquaintances with maintenance staff, or even physically breaking-in, that can thwart any access control barriers we might put in place
Myth meter
These measures undoubtedly enhance the safety level at the site. But as mentioned above, the fallibilities of these systems need to be address as there are many opportunities to crack this layer of safety. It gets even easier if the wrong doer is a disgruntled former or current employee. On a myth meter, this measure is a 50-50.
3. Remote location, no advertising
Remote locations are preferred for housing datacentres by most safety consultants and it is advisable to keep a low profile in terms of facility marketing, advertising and signage so as to attract least attention.
The goal
By being remote and keeping a low profile, the attention of any mischievous elements can be avoided. Datacentres are therefore located at a safe distance from CBDs, which are high sensitivity targets.
Analysis
There are cases, where certain miscreants have tried to attack the properties and facilities of certain organisations, and the billboards and central locations of these facilities have made their job easier. However, the assumption that is the mischievous elements target these organisations because of display signs or their proximity to the CBD.
In certain countries, remote locations are chosen to avail industrial scale infrastructure which is otherwise not available in CBD areas. By choosing a remote or obscure location, neighbourhood attention is certainly avoided (unless someone notices the lorry bearing company logo visiting the site almost every other day). However, if someone has an intention to cause damage, a remote location will not have any benefits. In fact in some cases, it might actually facilitate a security breach. This is because:
- The agencies managing cleaning, electrical or other maintenance contracts are an easy source of information about the facility
- Service providers, neighbouring landlords, mail delivery agencies or own employees can be easy targets for such information
- Being at the remote location could also mean remoteness from city emergency services. Most countries do not offer the same level of responsiveness at their suburban sites for services such as firefighting, police support, auxiliary support etc. Should an emergency occur at a remote site, it can take longer to control the damage.
Myth meter
As this measure introduces bigger management challenges to achieve more safety in the form of perceived obscurity, this measure would rank pretty close to the myth side of the meter.
Conclusion
This article by no means suggests that the safety measures proposed by security consultants should be ignored. These solutions do guard business against accidental threats. However, it is imperative that business also acknowledge that the risks posed by intentional threats will, in future, actually pose more challenges than those posed by accidental ones. Deeper research and understanding of overall system is needed to ensure that businesses are protected against intentional threats. A comprehensive risk assessment plan and systematic approach to enhancing physical security would go a long way to secure businesses, rather than simply investing more in the technology. There is a need to make a value judgement in deciding if its worth investing millions to make our buildings 99 percent safer from 90 percent safer. After all, there may not be much sense in investing millions in new security tools if it prevents a passer by from stealing a box from your datacentre but allows the same person to walk in with a knife or bomb.
