Are you protecting your assets from the right threats?
How do you manage asset protection across the enterprise?
How do you know your physical protection system (PPS) will work when it’s needed? How can you prove it?
A PPS is a collection of technology, procedures, and people. It includes everything from signage and fencing and lighting to HR policies, access control, video surveillance systems, security awareness training of employees, static and mobile guards, and anything else related to the protection of your assets that lies within your organization’s control. A PPS, made up of many parts, is a lot like a piano – and you cannot tell if a piano is in tune by looking at it. You have to play it.
The US Nuclear Regulatory Commission defines a Design Basis Threat (DBT) as “a description of the type, composition, and capabilities of an adversary, against which a security system is designed to protect.” It is prepared using criminal and national intelligence, crime data, sector-wide incident data, and your own organization’s experience. It is not a predictive document: it describes the range of the possible, not the probable.
Simply put, it tells you that if the adversary attacks one of your facilities, this is what it will probably look like: the maximum number of people; their motivation and determination; the weapons and tools they use; the skills and knowledge they are likely to have; and potential points of collusion with insiders. It tells you what to expect at your highest priority sites, your medium-priority sites, and your low-priority sites. It is a tool that helps you to match protection measures with your organization’s risk tolerance.
A DBT and scenario-based security analysis combines realistic threat definition with practical, risk-based, actionable planning. Using the DBT, you create scenarios that exploit vulnerabilities and weaknesses in your PPS, and then conduct table-top exercises along with a diverse team to test them against the site. The team assesses the ability to detect, assess, delay, and respond at each step. This process identifies weaknesses and vulnerabilities, tests responses, and refines strategies to ensure robust, balanced, and cost-effective defence.
Experience has shown that most of the upgrades required to improve PPS performance are either inexpensive or free: often, it is just improving the flow of information within an organization or changing procedures.
Ross was part of the 2016 team that developed the DBT for the North American electric sector and has participated in updating it every year since. He was also a member of the team that helped the Ukraine national transmission company develop their DBT in 2019.
What would the service look like?
Please contact us to discuss how a design basis threat can help you to protect your organization.