Physical Security Penetration Testing

November 17, 2020

Security is generally viewed as more of a cost center than a profit center.  I think it is more important to be data driven than cost driven when security is at stake.  Almost universally, we see IT departments conducting cyber security penetration testing (PT) , and far less common to see organizations conducting physical security PT.  Yet in my opinion, this is an extremely low-cost, high-impact activity that only has positive results.  Penetration testing is defined as a deliberate effort by someone in or out of the organization to circumvent existing security measures and attempt to gain access improperly to a facility or critical asset.  Some companies choose to outsource the tests, but PT can be managed using internal resources just as effectively.

The first step in establishing a PT program is to develop a protocol and advertise to all employees (including contractors and contract security personnel) that a PT program is in effect.  Protocols should include the following at a minimum:

• Established frequency. We like to see manufacturing facilities perform these tests once a month, or at a minimum quarterly.  Administrative facilities or distribution centers might get more grace and perhaps be allowed to perform these tests semi-annually.
• PT should never endanger the safety of individuals or disrupt business or operations. Dependent upon the test scenario, consider informing local law enforcement that PT is taking place, especially if a test is carried out at night
• Illegal activity should never be a part of any PT.
• Do not record an actual incident / occurrence as PT. Observed, unplanned events would be logged as security incidents or security learning events.

The next step involves identifying a set of testing scenarios which are appropriate for your facility.  The idea here is to stretch a little bit.  Calibrating a test that is too easy or too difficult will not yield meaningful results.  Categories of testing scenarios might include personnel, security systems, duress alarms, information protection, procedures, guard operations or vehicle management.

Once the PT process starts, tests will result in a pass or fail.  BPS recommends that if a penetration test results in a failure, corrective action is implemented, and the test is conducted again within 30-45 days of the failure.

Then the question becomes, what to do with the results?  And this, in our opinion, is where the real value is accrued.  If the test is a pass and the breach of security is prevented, you can celebrate and advertise the success, praising employees for a good job recognizing the threat and properly responding.  Conversely, if there was a failure and the penetration was successful, you can remind and potentially retrain employees or recalibrate systems and processes for better outcomes.  All this is done proactively and all without any actual losses.

BPS recommends that statistics be aggregated and maintained over time to demonstrate continuous improvement to leadership and to identify trends which might suggest a need to amend security mitigation strategies across the enterprise.