Commercial Security Archives - Kenton Brothers Systems for Security

CPTED Part 2: Natural Surveillance and Natural Access Control

May 17, 2023/in Access Control, Commercial Security/by Kevin Whaley

By Kevin Whaley, CPP, Sr. Security Consultant at Kenton Brothers

Welcome to Part 2 of Crime Prevention Through Environmental Design (CPTED). In Part 1, I introduced the concept of CPTED and the importance of ensuring CPTED principles are considered when developing or enhancing your security program.

We touched on the four key overlapping concepts of CPTED which include:

Natural Surveillance
Natural Access Control
Territorial Reinforcement
Maintenance

For this part of the series, we will be diving into greater detail on the concepts of Natural Surveillance & Natural Access Control.

In order to successfully implement a CPTED plan of action, we must understand that all human space:

Has some designated purpose
Has social, cultural, legal, or physical definitions (such as expectations or regulations) that prescribe the desired and acceptable behaviors
Is designed to support and control the desired and acceptable behaviors

With that understanding in mind, our approach should focus on:

Manipulating the physical environment to produce behavior effects that reduce the fear and incidence of certain types of criminal acts;
Understanding and modifying people’s behavior in relation to their physical environment
Redesigning space or using it differently to encourage desirable behaviors and discourage illegitimate activities; and
Reducing the conflicts between incompatible building users and building uses, with the goal of eliminating “no person’s land” that no one takes ownership of.

There are various controls that can be implemented to supplement or support the approaches listed above. However, before we dive into that, we need to understand the various concepts of CPTED in order to apply the approaches correctly.

Natural Surveillance

Natural surveillance is defined as the placement of physical features, activities and people in a way that maximizes visibility from the surrounding environment. Why does this matter? It increases the threat of apprehension by taking steps to increase the perception that people will be seen.

In other words, features that can maximize the visibility of people, parking areas, building entrances and other common use areas promote natural surveillance.

Example #1

As you can see in picture below, this site looks like it may be abandoned. If I were a “bad guy” I would probably think this looks like it doesn’t get a lot of attention from the workers or from the public. There are a lot of dark areas in which it would be very easy to remain undetected. Passers-by may not even notice it’s there.

Now here is that exact same location after applying basic CPTED principles. For this location, they added a significant lighting to greatly enhance visibility and eliminate hiding spots. Additionally, the large tree on the left was overgrown and actually growing OVER the roof. The tree was trimmed back to eliminate that avenue of opportunity.

Example #2

In this scene, you can see that the parking lot is barely visiible from the sidewalk, much less the street. The overgrown vegetation and low levels give bad guys plently of places to hide.

After doing some basic landscaping, they were able to greatly enhance the visibility of the parking lot and in doing so, actually helped improve illumination levels since lighting wasn’t being blocked by vegetation.

Inside/Outside

Keep in mind that when we talk about natural surveillance, that can apply to any environment and scenario. It’s not restricted to outdoor scenarios and encompasses much more than just lighting, landscaping etc. It can also include interior spaces such as lobbies, or other common areas. This means the way in which these areas are constructed or designed as well as any “decorations” that may be placed. It’s important to make sure that you are allowing for clear lines of sight as much as possible for natural surveillance.

Natural Access Control

Natural access control is a concept where people are physically guided through a space by the strategic design of streets, sidewalks, building entrances, and landscaping.

Similar to natural surveillance, don’t let “natural” lead to the misconception that this has to deal with just exterior design and landscaping. This pertains not only to the exterior of your building but interior as well.

There is public space and there is private space and sometimes the lines can be blurry. Natural access control fixes that by guiding people in and out of a space using signs, barriers, and other cues. When it is very clear where people should be, it becomes glaringly obvious when someone crosses that boundary into a place they should not be. And that attracts a lot of unwanted attention for a would-be criminal.

Most of us follow the cues that guide us from one place to the next: we walk on the sidewalk or pathway, we obey signs that say “No Trespassing” or “Parking Prohibited,” and we respect barriers, walls, locked doors, and fences designed to keep us out of a particular space. Ignore those “rules,” and you stick out. You’ve broken the silent agreement. Few things say, “I don’t belong here!” more than stepping off the marked path, lingering in a no-parking zone, or hopping over a fence.

And that’s natural access control doing its thing.

Pathways, signage, lighting, and borders—hedges, other plants, fences, and so on—let us direct the flow of foot traffic, which allows us to differentiate immediately between where people should and should not be.

Public space: good. Private space: suspicious.

Criminals want to blend in and disappear. Natural access control reduces, if not eliminates, their ability to do so.

Other design elements include:

Single point of entry
Restricted access to private, internal spaces with barriers, doors, and signage
Sidewalks, roads, and pathways that funnel traffic into appropriate public spaces
Barriers to prevent unauthorized use of spaces
Low, open-type fencing that indicates private space, but does not prevent natural surveillance
Eliminating design features that grant access to roofs or higher windows
Locking windows and doors
Thorny plants around first-floor windows and other potential points of access

We encounter natural access control all around us, just living our day-to-day lives. Most respect the cues they provide and take heed of the simple message. And when we don’t, that’s a giant red flag to others that something isn’t right. Combined with natural surveillance, natural access control makes it easy for everyone to identify suspicious behavior and note the individual doing it.

It’s good for you and your home or business. It’s bad for those looking for an easy target!

You would be surprised how differently people behave when they know they’re being watched.

May 2, 2023/in Commercial Security, Video Surveillance/by Ryan Kaullen

By Ryan Kaullen, Field Services Manager at Kenton Brothers

In the fall of 2022, Kenton Brothers performed a video monitoring installation with a large, regional banking customer. They were having issues with how their employees were being treated verbally and sometimes physically at their tellers’ stations. The theory behind the installation was that if people can see themselves on camera and see how they are acting, then perhaps they wouldn’t act poorly. And if it worked, it would reduce these incidents in the work place and make their employees feel safer and happier.

Viewing Monitors = Safer Work Places

The results of the install have been extremely positive. The results were so positive that Homeland Security has since told our customer that this should become a standard across all of their banking footprints. Not only has it stopped violence against the bank employees, it also cut back on fraud as these monitors catch different angles, angles that overhead cameras don’t capture.

Kenton Brothers has been commissioned on several more of these projects for our bank customer and moving forward they will start unrolling them at their other branches.

The video from these monitors is housed within the customer’s video management system (VMS) and can be viewed within the VMS client software. (And their existing storage and retention policies dictate how long the video will be available.

What does it take to do this install?

The installation of the monitors is relatively easy. The monitors can be mounted in many different spots with various angles depending on the end goal. Typically, the install of the cable and monitors is a two day install. During that time, the individual teller stations will be non-operational for an hour or two, so the down time isn’t extensive. Of course pricing is dependent on the number of monitors and number locations.

The bottom line is that this commercial video surveillance monitoring solution captures different angles, puts people on camera and changes their behavior in positive ways. This directly affects the safety and security of the employees and the facility.

For more information, please give us a call!

Why Physical Security has to be part of the convergence discussion of OT/ICS security.

April 26, 2023/in Access Control, Commercial Security, Cyber Security, Video Surveillance/by David Strickland

By David Strickland, Vice President of Kenton Brothers

There is a real buzz in the security world right now around securing Operational Technology (OT) and Industrial Control Systems (ICS). This buzz comes from two sources: companies and organizations that are being attacked through cyber security and physical attacks, and government agencies trying to get information broadcast to counter these threats. Threat levels have been increasing over the last few years and the cost of these attacks have risen to devastating levels.

According to CISA, in the first half of 2022 there were at least 22 reported large impact attacks on critical infrastructure leading to billions of dollars in losses. As the second half of 2022 numbers are being compiled, the sense of urgency to shore up the vulnerabilities is at an all time high.

How is OT security different than IT Cybersecurity?

IT – Information technology is just that. It is the transfer of data or information through physical appliances such as routers, switches and servers. Security for this technology centers around the prevention, detection and mitigation of attacks from software.

OT or Operational Technology is the manipulation of real world physical devices such as pumps, valves and controls through software or human interaction. These are called Industrial Control systems. In contrast to IT cybersecurity attacks, the outcomes of successful OT / ICS attacks include the potential to impact human safety and damage physical equipment. For example, taking any industrial processes OT / ICS equipment offline for extended time periods. This can be done through software or physical attacks known as sabotage.

Many organizations point to the Purdue Model for protecting OT and ICS.

The Purdue model, created in the 1990’s is a comprehensive look at protecting ICS and has been the standard for many years. The Purdue Model has five zones that are considered when creating a robust security model. Yes, this model is the current standard, but in our opinion does not adequately address physical security.

Cybersecurity of IT, IIT (Industrial IT) and OT systems is still a very high priority.

A recent comprehensive report provided by the Department of Homeland Security (DHS) pointed out a few concerns. “Many organizations lack visibility into their complete OT environments, including IT/OT interconnections and supply chain dependencies. Cybersecurity is overwhelming for organizations and entities with small staffs and budgets. As a result, many are not able to achieve the cybersecurity posture required to adequately secure their IT/OT infrastructure. The majority of legacy OT equipment was never designed for internet connectivity, and may not easily be replaced, making it increasingly challenging to secure in converged environments.”

We must not make the mistake of ignoring the real probability of physical attacks on these same organizations that are overwhelmed with cybersecurity.

“A top priority must be to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. Essentially a key aspect of this standard is to implement effective access control and protection of systems and equipment from damage.”

Physical Security for the OT Starts here:

Policies and Procedures:

It’s a well-known fact that most breaches (95%+) are a failure of procedure or policy over systems. A good red team will tell you that their most effective weapon for entry is a poorly trained or poorly disciplined employee. Polices and procedures must be created, trained, followed and tested constantly.

Establishing your perimeter:

As with most things involving physical security, you must start with a strong perimeter. This perimeter must be extended as far as physically possible. Access should be granted to only authorized personnel that have been through proper background checks and assigned clearance based on their job function. The perimeter is your best chance at early detection, reaction and mitigation.

Access Control:

Only authorized personnel with the proper clearance and certifications should ever be allowed access to your OT systems. These authorized personnel should constantly be vetted. Many organizations don’t remove terminated employees from this list quickly. No visitors or vendors should ever be allowed access without proper vetting and escort. Your access control systems should be set up in concentric circles with stronger policy the closer you get to critical infrastructure. All access control devices should be kept in proper working order and updated with proper firmware and cyber security practices.

Alarms:

Too many times we see organizations practice poor alarm management. Alarms in any form (Fire, Access Control, Intrusion Detection, Car) should never be ignored yet many times are. OT devices are vulnerable to physical attack and to things like flooding, fire and electrical damage. A system alarm can help bring immediate attention if properly managed.

Surveillance:

Who inspects the inspector? Your IP video surveillance system. It keeps honest people honest and identifies those who are not. Critical infrastructure devices should have surveillance on the device itself and the human interaction point. This of course is on top of all perimeter entrance areas and key points throughout your property.

Knowledge and Cooperation:

The United States can leverage an existing body of knowledge to secure OT infrastructure. Prioritizing and applying these best practices, recommendations, and standards more broadly, in a comprehensive and accelerated manner, would strengthen security and achieve strategic outcomes.

Kenton Brothers Systems for Security stands by to do our part. Please let us know how we can help your organization.

Physical Security as a Service? It’s Time!

March 29, 2023/in Commercial Security, Maintenance and Service Agreements, Remote Services Group/by David Strickland

By David Strickland, Vice President of Kenton Brothers

Kenton Brothers Systems for Security has been in business since 1897. This year we are celebrating our 125th year! Over that time, we’ve seen our industry innovate and transform several times. Currently, we are at another crossroads of evolution and innovation.

Traditionally, organizations have developed and generated their own internal physical security teams… one person or policy at a time. As their needs grow, so would their team. This team worked hard to stay on top of the regulations required of them as well as the technology available to them to meet those regulations. They would enhance capabilities based on the threats they faced, and manage the risk the best they knew how.

Many of the systems internal security teams traditionally invested in have become more and more complex and even introduce new risks with the convergence of IT/OT security and physical security considerations. This pressure to keep up with modern technologies and the threats they bring has become a real strain on resources. This, coupled with a very low labor pool, has led to some great conversations with our customers.

The Need for Physical Security as a Service

Over the last two years, Kenton Brothers has been approached by companies and organizations from many different industries. They want to know more about what we offer to help support getting them out of this downward loop. We quickly noticed that many of these customers’ needs analysis meetings carried the same theme. “There just aren’t enough resources to go around. With current personnel levels, there’s just no way to cover everything correctly.”

After several interviews, the pattern appeared and these valued customers needed support in the following ways:

Administration of Access Control, IP Video surveillance, Intrusion Detection system
Hosting and Managing of Access Control, IP Video surveillance, Intrusion Detection system
Policy and Procedure creation
Personnel Training
Physical Inspections and Maintenance
Alarm Management
Cleaning and Repairing equipment
Firmware and End of Life Management
Forensic Discovery and Preservation
Technology Selection
Future planning
Red team testing

An additional question was raised. “Would Kenton Brothers be able to take over the day-to-day running of our systems?” The answer is YES.

Case Study

In one scenario, a customer was losing their System Administrator soon after losing their Director of Security. This left no one to manage their physical security systems. This company is in a highly regulated industry and wasn’t able to find a replacement internally or manage the system correctly on their own in the time given. With three days notice, we went to work supporting our customer. We also created operating procedures for the tasks needed to successfully manage the following areas:

Immediate:

Onboarding and offboarding employees
Issuing credentials, assigning to user groups
Managing alarms and system messages
Preserving video evidence forensically
Running daily checks of access control and video Systems
Daily updates to system communications that are shared with IT and executive teams

Secondarily:

Working with IT and executive management to communicate the state of system
Create polices and procedures for new staff taking over
Inspecting system to determine firmware status and Cybersecurity risk

We were able to create a part time Managed Service Agreement (MSA) that dedicated three hours a day to our customer. The agreement allows for additional hours for special projects such as a new location being built that will need to be onboarded in the next few weeks.

At Kenton Brothers, Partnerships and Innovation are core values. Partnerships have to be WIN/WIN and this was definitely the case in this situation. The Innovation came when the company decided to change the position they’re trying to replace by keeping future duties in Kenton Brothers’ hands.

Physical Security as a Service? Yes. If that sounds interesting, we would love the chance to work with your team to explore the idea and what it could mean for your organization. Just give us a call!

Crime Prevention Through Environmental Design

March 22, 2023/in Commercial Security, System Design and Consulting/by Kevin Whaley

By Kevin Whaley, CPP, Sr. Security Consultant at Kenton Brothers

Welcome to the first part of a multi-part series where we dive into the idea of Crime Prevention Through Environmental Design or CPTED.

How many parts? Yet to be determined. My objective with this series is to provide you with an introduction to CPTED with the hope that you will be able to consider these ideas and principles for your next security project.

Introduction

When it comes to physical security, most people tend to think of guards, video surveillance (aka “big brother”), alarms, fences with barbwire, etc.

That is the basic underlying impression that people get when they hear security. When I think of security, I think of onions. (That’s not an acronym for anything.) When I conduct a security assessment, I tell my clients to think of security like an onion. Why? Because security, like onions, should have layers. We also refer to these layers as “concentric layers of security” meaning that each layer builds off of the last to create maximum protection.

When developing a security plan, the goal is to create a “target shift” or target hardening. This means that you’re trying to make it as difficult as possible to defeat the security measures or increase the probability of becoming detected or being caught. Depending on conventional security measures like access control, video surveillance and security guards may have their limitations. Employing standalone security measures may fail to address the underlying behavioral patterns that may adversely affect the environment. That’s where CPTED comes in.

Crime Prevention Through Environmental Design

CPTED is defined as “the proper design and effective use of the built environment that can lead to a reduction in the fear and incidence of crime and an improvement in the quality of life.” In other words, a CPTED analysis focuses on creating changes to the physical and social environment, that may reinforce positive behavior, with the goal of reducing opportunities for crime that may be inherent in the design of the built environment. CPTED is a multi-disciplinary approach to deterring criminal behavior.

CPTED incorporates principles from:

Planning
Architecture
Landscape Architecture
Security
Facilities
Engineering
Law Enforcement
Legal/HR

CPTED design includes the physical design, social management and directives that seek to affect positive human behavior as people interact with their environment.

Depending on your organization’s industry, you may already have established design guidelines that have been set by a governing body, standard, or regulation. For example, FEMAs Risk Management Series: Site and Urban Design for Security (Guidance Against Potential Terrorist Attacks) FEMA 430, establishes guidance for government facilities but can be applied almost universally.

However, if your organization doesn’t have guidelines, there are many factors that you may need to consider during the planning phase.

These factors may include (but are not limited to):

Stairs and ramp design
Interior and exterior lighting
Parking lot designs
Landscaping
Doors and windows
Blind spots or “ambush” points
Building circulation patterns

When entering the planning and design phase, it may be beneficial for you to enlist the services of a security consultant with experience in conducting CPTED assessments to assist you in developing your plans. (That would be Kenton Brothers Systems for Security… :)

CPTED is based on 4 key overlapping concepts which we will dive into in greater detail in the rest of this series.

Natural Surveillance – the placement of physical features, activities, and people in a way that maximized visibility from the surrounding environment. This increases the threat of apprehension by taking steps to increase the perception that people can be seen.

Natural Access Control – Natural access control means controlling access to a site. People are physically guided through a space by the strategic design of streets, sidewalks, building entrances, and landscaping. This clearly defines entryways and guides personnel to specific entrances that are well lit and overlooked by surrounding areas.

Territorial Reinforcement – In CPTED it refers to the development of areas or places where the users feel a strong sense of ownership. It is an umbrella concept, embodying natural surveillance and access control principles. This establishes your territorial boundaries and provides the “line in the sand.”

Maintenance – Allows for the continued use of a space for its intended purpose. Serves as an additional expression of ownership. Prevents reduction of visibility from landscaping overgrowth and obstructed or inoperative lighting. Ensures that your security postures remain effective by reinforcing the concepts of natural surveillance, access control and territorial reinforcement. Displays that the site is regularly cared for and occupied.

CPTED can be a little overwhelming, even for seasoned practitioners. If you’re interested in finding out how CPTED can enhance your organization’s security program, or just want to learn more, please contact me. (Kenton Brothers’ local CPTED subject matter expert, Kevin Whaley, CPP.)

CPTED Part 2: Natural Surveillance and Natural Access Control