electronic access control

CPTED Part 2: Natural Surveillance and Natural Access Control

By Kevin Whaley, CPP, Sr. Security Consultant at Kenton Brothers

Welcome to Part 2 of Crime Prevention Through Environmental Design (CPTED). In Part 1, I introduced the concept of CPTED and the importance of ensuring CPTED principles are considered when developing or enhancing your security program.

We touched on the four key overlapping concepts of CPTED which include:

  1. Natural Surveillance
  2. Natural Access Control
  3. Territorial Reinforcement
  4. Maintenance

For this part of the series, we will be diving into greater detail on the concepts of Natural Surveillance & Natural Access Control.

In order to successfully implement a CPTED plan of action, we must understand that all human space:

  • Has some designated purpose
  • Has social, cultural, legal, or physical definitions (such as expectations or regulations) that prescribe the desired and acceptable behaviors
  • Is designed to support and control the desired and acceptable behaviors

With that understanding in mind, our approach should focus on:

  • Manipulating the physical environment to produce behavior effects that reduce the fear and incidence of certain types of criminal acts;
  • Understanding and modifying people’s behavior in relation to their physical environment
  • Redesigning space or using it differently to encourage desirable behaviors and discourage illegitimate activities; and
  • Reducing the conflicts between incompatible building users and building uses, with the goal of eliminating “no person’s land” that no one takes ownership of.

There are various controls that can be implemented to supplement or support the approaches listed above. However, before we dive into that, we need to understand the various concepts of CPTED in order to apply the approaches correctly.

Natural Surveillance

Natural surveillance is defined as the placement of physical features, activities and people in a way that maximizes visibility from the surrounding environment. Why does this matter? It increases the threat of apprehension by taking steps to increase the perception that people will be seen.

In other words, features that can maximize the visibility of people, parking areas, building entrances and other common use areas promote natural surveillance.

Example #1

As you can see in the picture below, this site looks like it may be abandoned. If I were a “bad guy” I would probably think this looks like it doesn’t get a lot of attention from the workers or from the public. There are a lot of dark areas in which it would be very easy to remain undetected. Passers-by may not even notice it’s there.


Now here is that exact same location after applying basic CPTED principles. For this location, they added significant lighting to greatly enhance visibility and eliminate hiding spots. Additionally, the large tree on the left was overgrown and actually growing OVER the roof. The tree was trimmed back to eliminate that avenue of opportunity.


Example #2

In this scene, you can see that the parking lot is barely visible from the sidewalk, much less the street. The overgrown vegetation and low light levels give bad guys plenty of places to hide.


After doing some basic landscaping, they were able to greatly enhance the visibility of the parking lot and in doing so, actually helped improve illumination levels since lighting wasn’t being blocked by vegetation.



Keep in mind that natural surveillance can apply to any environment and scenario. It’s not restricted to outdoor scenarios and encompasses much more than just lighting and landscaping. It can also include interior spaces such as lobbies or other common areas. This covers the way in which these areas are constructed or designed, as well as any “decorations” that may be placed in them. It’s important to make sure that you are allowing for clear lines of sight as much as possible for natural surveillance.

Natural Access Control

Natural access control is a concept where people are physically guided through a space by the strategic design of streets, sidewalks, building entrances, and landscaping.

Similar to natural surveillance, don’t let “natural” lead to the misconception that this has to do with just exterior design and landscaping. This pertains not only to the exterior of your building but to the interior as well.

There is public space and there is private space and sometimes the lines can be blurry. Natural access control fixes that by guiding people in and out of a space using signs, barriers, and other cues. When it is very clear where people should be, it becomes glaringly obvious when someone crosses that boundary into a place they should not be. And that attracts a lot of unwanted attention for a would-be criminal.

Most of us follow the cues that guide us from one place to the next: we walk on the sidewalk or pathway, we obey signs that say “No Trespassing” or “Parking Prohibited,” and we respect barriers, walls, locked doors, and fences designed to keep us out of a particular space. Ignore those “rules,” and you stick out. You’ve broken the silent agreement. Few things say, “I don’t belong here!” more than stepping off the marked path, lingering in a no-parking zone, or hopping over a fence.

And that’s natural access control doing its thing.

Pathways, signage, lighting, and borders—hedges, other plants, fences, and so on—let us direct the flow of foot traffic, which allows us to differentiate immediately between where people should and should not be.

Public space: good. Private space: suspicious.

Criminals want to blend in and disappear. Natural access control reduces, if not eliminates, their ability to do so.

Other design elements include:

  1. Single point of entry
  2. Restricted access to private, internal spaces with barriers, doors, and signage
  3. Sidewalks, roads, and pathways that funnel traffic into appropriate public spaces
  4. Barriers to prevent unauthorized use of spaces
  5. Low, open-type fencing that indicates private space, but does not prevent natural surveillance
  6. Eliminating design features that grant access to roofs or higher windows
  7. Locking windows and doors
  8. Thorny plants around first-floor windows and other potential points of access

We encounter natural access control all around us, just living our day-to-day lives. Most respect the cues they provide and take heed of the simple message. And when we don’t, that’s a giant red flag to others that something isn’t right. Combined with natural surveillance, natural access control makes it easy for everyone to identify suspicious behavior and note the individual doing it.

It’s good for you and your home or business. It’s bad for those looking for an easy target!

Why Physical Security has to be part of the convergence discussion of OT/ICS security.

By David Strickland, Vice President of Kenton Brothers

There is a real buzz in the security world right now around securing Operational Technology (OT) and Industrial Control Systems (ICS). This buzz comes from two sources: companies and organizations that are being attacked through cyber security and physical attacks, and government agencies trying to get information broadcast to counter these threats. Threat levels have been increasing over the last few years and the cost of these attacks has risen to devastating levels.

According to CISA, in the first half of 2022 there were at least 22 reported large impact attacks on critical infrastructure leading to billions of dollars in losses. As the second half of 2022 numbers are being compiled, the sense of urgency to shore up the vulnerabilities is at an all-time high.

How is OT security different than IT Cybersecurity?

IT – Information technology is just that. It is the transfer of data or information through physical appliances such as routers, switches and servers. Security for this technology centers around the prevention, detection and mitigation of attacks from software.

OT, or Operational Technology, is the manipulation of real-world physical devices such as pumps, valves and controls through software or human interaction. These are called Industrial Control Systems. In contrast to IT cybersecurity attacks, the outcomes of successful OT/ICS attacks include the potential to impact human safety and damage physical equipment, for example by taking an industrial process’s OT/ICS equipment offline for extended time periods. This can be done through software or through physical attacks, known as sabotage.

Many organizations point to the Purdue Model for protecting OT and ICS. 

The Purdue Model, created in the 1990s, is a comprehensive look at protecting ICS and has been the standard for many years. The Purdue Model has five zones that are considered when creating a robust security model. Yes, this model is the current standard, but in our opinion it does not adequately address physical security.

Cybersecurity of IT, IIT (Industrial IT) and OT systems is still a very high priority.

A recent comprehensive report provided by the Department of Homeland Security (DHS) pointed out a few concerns. “Many organizations lack visibility into their complete OT environments, including IT/OT interconnections and supply chain dependencies. Cybersecurity is overwhelming for organizations and entities with small staffs and budgets. As a result, many are not able to achieve the cybersecurity posture required to adequately secure their IT/OT infrastructure. The majority of legacy OT equipment was never designed for internet connectivity, and may not easily be replaced, making it increasingly challenging to secure in converged environments.”

We must not make the mistake of ignoring the real probability of physical attacks on these same organizations that are overwhelmed with cybersecurity.

“A top priority must be to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. Essentially a key aspect of this standard is to implement effective access control and protection of systems and equipment from damage.”

Physical Security for the OT Starts here:

Policies and Procedures:

It’s a well-known fact that most breaches (95%+) are a failure of procedure or policy over systems. A good red team will tell you that their most effective weapon for entry is a poorly trained or poorly disciplined employee. Policies and procedures must be created, trained, followed and tested constantly.

Establishing your perimeter:

As with most things involving physical security, you must start with a strong perimeter. This perimeter must be extended as far as physically possible. Access should be granted to only authorized personnel that have been through proper background checks and assigned clearance based on their job function. The perimeter is your best chance at early detection, reaction and mitigation.

Access Control:

Only authorized personnel with the proper clearance and certifications should ever be allowed access to your OT systems. These authorized personnel should constantly be vetted. Many organizations don’t remove terminated employees from this list quickly. No visitors or vendors should ever be allowed access without proper vetting and escort. Your access control systems should be set up in concentric circles with stronger policy the closer you get to critical infrastructure. All access control devices should be kept in proper working order and updated with proper firmware and cyber security practices.
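One way to check the access list described above on a schedule, as an added example (not Kenton Brothers' code or any vendor's API). The zone names, clearance levels, record fields and sample data are all constructed assumptions; a real audit would read an HR export and the access control system's cardholder export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Concentric zones, outermost to innermost. The required clearance rises
# the closer a zone is to the OT equipment (assumed levels for this example).
ZONE_REQUIRED_CLEARANCE = {
    "perimeter_gate": 1,
    "plant_building": 2,
    "control_room": 3,
    "plc_cabinet": 4,
}

@dataclass
class Person:
    person_id: str
    kind: str                      # "employee", "vendor" or "visitor"
    clearance: int
    terminated_on: Optional[date] = None

@dataclass
class Grant:
    person_id: str
    zone: str
    escort_required: bool = False

def audit_access(people, grants, today):
    """Return a sorted list of (person_id, zone, finding) tuples."""
    by_id = {p.person_id: p for p in people}
    findings = []
    for g in grants:
        person = by_id.get(g.person_id)
        if person is None:
            findings.append((g.person_id, g.zone, "no personnel record"))
            continue
        if person.terminated_on is not None and person.terminated_on <= today:
            findings.append((g.person_id, g.zone, "terminated, access still active"))
            continue
        required = ZONE_REQUIRED_CLEARANCE.get(g.zone)
        if required is None:
            findings.append((g.person_id, g.zone, "unknown zone"))
            continue
        if person.clearance < required:
            findings.append((g.person_id, g.zone,
                             f"clearance {person.clearance} below required {required}"))
        if person.kind != "employee" and not g.escort_required:
            findings.append((g.person_id, g.zone,
                             "non-employee without escort requirement"))
    return sorted(findings)

# Constructed sample data.
PEOPLE = [
    Person("E100", "employee", 4),
    Person("E101", "employee", 2),
    Person("E102", "employee", 3, terminated_on=date(2023, 1, 15)),
    Person("V200", "vendor", 3),
]
GRANTS = [
    Grant("E100", "plc_cabinet"),
    Grant("E101", "plant_building"),
    Grant("E101", "control_room"),                      # clearance too low
    Grant("E102", "control_room"),                      # terminated employee
    Grant("V200", "control_room", escort_required=True),
    Grant("V200", "plant_building"),                    # vendor, no escort
    Grant("X999", "perimeter_gate"),                    # badge with no owner
]

if __name__ == "__main__":
    for finding in audit_access(PEOPLE, GRANTS, date(2023, 2, 1)):
        print(finding)
```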


Too many times we see organizations practice poor alarm management. Alarms in any form (Fire, Access Control, Intrusion Detection, Car) should never be ignored yet many times are. OT devices are vulnerable to physical attack and to things like flooding, fire and electrical damage. A system alarm can help bring immediate attention if properly managed.


Who inspects the inspector? Your IP video surveillance system. It keeps honest people honest and identifies those who are not. Critical infrastructure devices should have surveillance on the device itself and the human interaction point. This of course is on top of all perimeter entrance areas and key points throughout your property.

Knowledge and Cooperation:

The United States can leverage an existing body of knowledge to secure OT infrastructure. Prioritizing and applying these best practices, recommendations, and standards more broadly, in a comprehensive and accelerated manner, would strengthen security and achieve strategic outcomes.

Kenton Brothers Systems for Security stands by to do our part. Please let us know how we can help your organization.

Why Drive a Model T When You Could Be Driving a Tesla?

By Neal Bellamy, IT Director at Kenton Brothers

When a mechanic looks at a car, he doesn’t see a specific brand, model or color. He really sees the overall system. He sees an engine, brakes and wheels. Whether it’s a Model T or a Tesla, if the engine doesn’t work, it won’t go anywhere; if the brakes don’t work, it doesn’t stop; and of course flat wheels don’t roll. Access control systems are similar. They’re really just a set of inputs, outputs and readers.

When it comes to access control systems in detention centers, they usually don’t need readers. This is the reason that PLCs (Programmable Logic Controllers) dominate access control for detention centers.

What are PLCs?

PLCs, created in the 1960s, are most commonly a simple set of inputs and outputs. Because they’ve been around for so long, and lend themselves to centralized control, most detention centers are driven from a PLC. A PLC reads an input from a touchscreen to open a door, connect an intercom, or turn on a light. An open door illuminates on the touchscreen to show it’s not secured. The PLC might even be tied to cameras to show a specific camera when an intercom is pressed. It’s all ITTT logic: If This, Then That.

There is a lot of overlap between a PLC in a detention center and access control. Access control still needs to be able to open a door and show that a door is unlocked. An access control system might even be tied to intercoms or a video system. However, most access control systems are not designed for lights, water valves or guard tours. That’s when you need something that fits in between.


PLC Challenges

One of the issues with a PLC is that it’s mostly wires. Changes to a PLC system are difficult and can be expensive. Most integrations from an intercom system or a video system are done with wires. If you have a hundred cameras, you have a hundred wires. 50 intercoms require 50 wires.

Sometimes, there are communication-based integrations. But even then, station 10 will always be station 10. Even if station 10 ends up being in a closet after a remodel, it is still station 10. Even small changes to a touchscreen require hours of programming by specialized personnel. While PLC systems can talk to other systems like intercoms and cameras, they are still separate systems with separate interfaces. It’s not all managed through one “pane of glass”.

Access Control vs PLCs

It’s time for this situation to change.

Access control systems like Gallagher still handle the inputs and outputs like a PLC system does, but these updated systems add flexibility.

Gallagher integrations with intercom systems like Harding, and video systems like Milestone are purely programming and IP based. Changes in the Milestone system get reflected in the Gallagher programming. Changing and adding cameras, intercoms, doors or moving a map are as simple as clicking edit on the site map. Everything can be managed through the Gallagher interface. Connecting an intercom, initiating a lockdown, turning lights on and off are all handled through the click of a button. If a door is opened and it shouldn’t be, Gallagher can bring it to the forefront so it can be dealt with. Alerts, automated instructions, logs and alarm escalations are all built right into the software.

While a Model T and a Tesla might both have an engine, brakes and wheels, no one would ever say that they’re equals. Both cars might get you to where you’re going, but one of them will drive itself to your destination with the AC on while playing music from your favorite radio station.

PLCs are getting the job done for detention centers across the country, but wouldn’t you like to have a solution that gives you more features and flexibility, while costing you less?

We can help you get there. Just give us a call.

Access Control: Here’s Why the Outlook is Sunny in the Cloud.

By Gina Stuelke, CEO of Kenton Brothers

In the security industry, cloud based video recording, retrieval, storage and archiving solutions are leading the charge for growing video subscriptions as a service.

The same can be said for cloud based access control systems.

Check out these six reasons why the cloud delivers more value and ease of use:

  1. Lower service and maintenance costs. Managing a system in the Cloud reduces the burden on IT, allows more remote diagnostics and creates the need for fewer on-site service calls.
  2. Users enjoy the most up-to-date software and feature sets, due to the ability to update remotely.
  3. Remote health monitoring. Cloud based system monitoring helps ensure systems are recording when they should and reduces the possibility of events with no video evidence.
  4. Searching and sharing of evidence is easy via cloud export and storage of clips with password protected systems and search tools.
  5. Business intelligence. Cloud based systems provide analytic data that offer insight into business operations from real-time alerting to reports. This data can be used to improve the customer service experience, identify where employees need assistance or training, and prevent downtime.
  6. Ease of use. Cloud managed systems provide faster, easier and timely training via their intuitive interface. They provide more security and speed up the gathering of evidence when needed. The cloud systems offer greater flexibility by being accessed from a desktop, web browser or mobile device; therefore, easier and less work for IT teams.

Let the security consultants at KB answer your questions about moving your access control to a cloud based solution. We’re here to help!

Door Naming Conventions – Keeping Businesses Organized and Secure

By Alana Hanly, Security Consultant at Kenton Brothers

One of the most critical aspects of planning a commercial security system design for a facility is organization. Taking the time to get the details right ensures that all users of the system easily understand how the various components and functions will work together. One of the topics that can cause a lot of confusion is how to verbally reference a specific door inside your building(s).

Depending on the size and nature of your business, an organization can end up having to secure a lot of doors!

Part of the KB Advantage is that we take pride in creating custom solutions for our clients. And that’s not marketing speak… We actually enjoy the process of working with you to design customized commercial security systems that will protect your people, property and possessions. We also like partnering with you to maintain or update your existing commercial security systems. Knowing that employees feel safer, and security officers have more confidence in their system, puts a smile on our face.

Regardless of the size of your access control system, it’s a good rule of thumb to have a naming convention established for the various doors in your system. For smaller systems, this is as easy as naming a door Main Entry or Employee Door. But what about when we’re talking about a system that has 10, 20, or even 500 doors? This is where you will see the value of our 125 years of experience providing commercial security solutions to businesses nationally.

A Conversation with Vince

I sat down with one of our employees, Vince Gelei, to learn more about our best practices for door naming conventions. Vince is experienced in the process of building and programming the many access control systems we provide for our customers.

Sometimes, it’s hard to put into perspective the number of devices that are involved in the access control programming for a single door. Without having some structure, the system can become convoluted and hard for both the end user and integrator to operate and maintain. Vince provided some great insight on the key factors for developing such a framework within an access control system:

  • End User’s Security Capacity – Determining the technical level of our customers plays a big part in system design. (We can’t provide a solution that’s hard for our customers to understand and use.) We want to make sure the final naming conventions will be an intuitive reference for the end user. This is the first priority in system programming.
  • Access Control System – The commercial security system that the customer has chosen also plays a big part in how we set up naming conventions. The capabilities of their system dictate what we can and cannot do when setting up doors and their naming structure.
  • Territory or Location – We would want to set up a City Reference if you have a national presence. For a specific region all the way down to a single building, we would set up a Building Reference. (These terms are the first step in verbally referencing a specific door.)
  • Total Door Count of Site – When we know ahead of time how many doors are on site and how they function, we can document this in your access control system. (This is not a feature supported in all access control platforms. This is another reason why our system design process is critical.)
  • Site Floor Plans – With existing floor plans we can document the solution for quick reference.
  • Door Numbers – Do the facilities have pre-established door numbers? If your building already has door numbers, we would simply leverage that convention.
  • Potential for Growth – Is this just the first phase of implementing a commercial security solution for your organization? If so, we want to plan for future phases and the growth of your organization. Trying to develop this afterwards can be a nightmare!

Vince also goes on to explain, “A door could be named doors, access points, portals, etc. in your existing system. We help our customers rename them in a way that end users operating the system will be able to quickly identify the physical location of any door. Of course, with larger sites there is more complexity. We work with the end user to create a site-specific nomenclature that is typically composed of literal door numbering, but also acronyms to codify and differentiate the different locations.”

The overall recommendation from Vince is that door naming is a small but important detail when planning out your security system.
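A sketch of how a convention built from a city reference, a building reference and door numbers can be checked across a door list, as an added example (not Kenton Brothers' nomenclature or any access control platform's format). The `CITY-BUILDING-FLOOR-DOOR` pattern, the function names and the sample door list are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed convention: CITY-BUILDING-F<floor>-D<door>, e.g. "KC-HQ-F02-D014".
DOOR_NAME = re.compile(
    r"(?P<city>[A-Z]{2,4})-(?P<building>[A-Z0-9]{2,6})"
    r"-F(?P<floor>\d{2})-D(?P<door>\d{3})"
)

def parse_door(name):
    """Split a conforming door name into its parts, or return None."""
    m = DOOR_NAME.fullmatch(name.strip())
    if m is None:
        return None
    parts = m.groupdict()
    parts["floor"] = int(parts["floor"])
    parts["door"] = int(parts["door"])
    return parts

def audit_door_names(names):
    """Report names that break the convention, duplicates, and door counts."""
    cleaned = [n.strip() for n in names]
    parsed = {n: parse_door(n) for n in cleaned}
    nonconforming = [n for n in cleaned if parsed[n] is None]
    counts = Counter(n for n in cleaned if parsed[n] is not None)
    # Two doors sharing one name cannot be told apart when an alarm fires.
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    per_building = Counter(
        f"{parsed[n]['city']}/{parsed[n]['building']}" for n in counts
    )
    return {
        "nonconforming": nonconforming,
        "duplicates": duplicates,
        "doors_per_building": dict(per_building),
    }

# Constructed sample door list mixing conforming and legacy names.
SAMPLE_DOORS = [
    "KC-HQ-F01-D001",
    "KC-HQ-F01-D002",
    "KC-HQ-F02-D014",
    "KC-HQ-F02-D014",      # same name programmed twice
    "STL-WH1-F01-D001",
    "Main Entry",          # legacy free-text name
    "kc-hq-f01-d003",      # wrong case
    "KC-HQ-F1-D7",         # missing zero padding
]

if __name__ == "__main__":
    for key, value in audit_door_names(SAMPLE_DOORS).items():
        print(key, value)
```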

At Kenton Brothers, we have the experience of working closely with our customers and partners to design and implement customized commercial security solutions. Whether it’s time for you to plan and build out your first solution or update your existing security systems, give us a call. We would love to help you.