Monday 23 March 2015

Drones, Drones, Drones







“Drones.” It’s a term picked up by the public and media to describe Multi Rotor Remote Piloted Systems (I know it’s a mouth full). However, in certain groups the correct terminology is key in order to speak the same language. For the last two years I have been researching and studying Unmanned Systems and the potential uses in various industries. I have had opportunities to speak with some of the smartest people -from engineers to physicists and programmers to hardware designers. Every single one of them passionately pursuing their dreams.

Since co-presenting on The Emerging Security Threat from Unmanned Vehicles at ASIS Atlanta 2014, it seems the “Drone” craze is figuratively taking off. During my preparation for the presentation I read countless articles, papers, books have had dozens of emails, telephone conversations and interviewed several experts. I quickly realized how much good and bad can come from this technology. However, the same can be said for any of man’s innovations throughout history.

The Federal Aviation Authority (FAA) is scrambling to develop laws to govern the use of unmanned aerial systems both commercially and privately. Sadly I do not know any person with nefarious intent that will adhere to any law.

Everyday there is something about drones.

Reports are coming in of pilots seeing an unidentified unmanned aerial systems around the airport during landing and take-off the most vulnerable time for an airplane. Nuclear power plants around the United Kingdom and France reporting sightings of unmanned aerial systems flying around the facility. All major cities in the United States and around the world has had some type of unmanned aerial systems incident. New York Police Department Aviation Division chasing an unmanned aerial system that was flying around the George Washington Bridge. Flying around the Golden Gate Bridge cost one man ten thousand dollars in fines. However, the gentleman who crashed his toy on the White House lawn was not fined or charged.

Cartels in Mexico are using unmanned aerial systems to fly narcotics and other high value items over the boarder undetected. They even are using unmanned aerial systems to follow and identify tractor trailers to use in trafficking. Unmanned aerial systems are being used to fly narcotics, weapons and cell phones into prisons. Everyday more and more examples present themselves. Now is the time to take action not later when it’s already too late.

The Emerging Security Threat from Unmanned Vehicles will be presented again at:

ASIS 25th New York City Security Conference and Expo Session 1202, April 22nd, 1000 – 1100

ASIS Toronto’s 22nd Annual Best Practices Seminar April 23rd in Markham, Ontario

The Threat of the Unmanned Vehicles

Security professionals have an opportunity to think through a new threat that is just starting to be used by criminal elements. Now is the time for security professionals to examine the potential threat from unmanned systems and start devising countermeasures that can actually thwart their use in the air, on the ground, and under water. Executive Protection, supply chain security, and business espionage are just a few of the security sectors that must start addressing this emerging threat. This is an opportunity to learn about current systems and capabilities available to the public.


Posted by at No comments:

Challenge "SECURITY" to improve its effectiveness




“You can be sure of succeeding in your attacks if you only attack places which are undefended.” -- Sun Tzu

Emerge from the void, strike at vulnerable points, shun places that are defended, attack in unexpected quarters.” -- Ts’ao Kung



As these ancient Chinese experts on warfare indicate, our adversaries like to study us, determine our weaknesses, find our vulnerabilities and exploit them.

The challenge for professionals is to identify those vulnerabilities. I have found most professionals like to think they know the strengths and weaknesses of their programs. I regularly hear people say: we are the best one’s to assess our program because we know the company. However, it is amazing how quickly we can develop “blind spots” and that is the value of a third party assisting you in identifying weaknesses.

Red Team is an independent group that challenges an organization to improve its effectiveness. The purpose of identifying these weaknesses is the ultimate goal of enabling you to understand what new countermeasures need to be employed to protect your assets. These assets include and is not limited to your supply chain/ actual men and woman that work with you. A Risk Assessment, that includes a Red Team test of existing approaches, is extremely valuable in achieving that goal.

This is an example of how that concept can work in a live security environment, however, it can also function as a tabletop exercise.

During a strike detail, the security company’s management decided they needed to test their security team’s effectiveness. They had several sites to cover but were concerned with one of the sites, in particular. That particular site maintained several databases that housed all the customer information for the entire east coast, along with all the statistical information for the company nationwide.

A “Red Team” test was designed to see how far a motivated, disgruntled employee could get within the facility without being discovered and what kind of damage could be done. The Red Team came to understand that the facility was very open during operations and there was little or no control over secure areas. This meant that all the employees had knowledge of where critical areas were located and had unchallenged access to those areas.

The Red Team’s task was to attempt to enter the facility and place markers (match books from the hotel where the operators were staying) throughout the facility, and see if they could do so without getting caught. After a several days of surveillance the Red Team decided to do a penetration test during the night shift because it was determined that was when security was most lax and there were the fewest security personnel.

The Red Team entered the facility through the main gate while the security officer was on patrol and that position was unmanned. The team had determined that it took the officer ten minutes to complete his rounds and the security officer was very predictable. Upon entering the facility the team timed its movements to avoid patrols by other security officers. Since the patrol officers never varied their routes and never stopped or doubled back, it was an easy task. The entire facility was approximately twenty thousand square feet and there were five security officers patrolling at any given time.

The Red Team began to make its way through the facility placing markers in critical areas. Some of the areas included a compressed gas cylinder storage room and the server room. One of the Red Team members was even able to access the server using a security code found in an employee’s desk drawer. With physical access to the server room, the team member was able to down load several large files containing proprietary information. As the team moved through the facility they made their way to the office of the company’s Vice President’s office and were surprised to discover a covert camera monitoring system complete with monitors, pan tilt zoom cameras, a digital video recorder, remote data backup, and remote viewer -- none of which were in use and upon further inspection had apparently not been in use for over a year. The system monitored all critical areas, entrances, loading docks, even the lunch room. That system could have been disabled.

The Red Team had placed a total of 32 markers throughout the facility and even placed one under a fire extinguisher less than ten feet away from one of the security officers. During the debriefing, the security officers were all questioned about any activity they had seen the night before, when the test was taking place. None of them said they saw anything. Then one officer said he had seen a bunch of match books on the floor that he didn't remember seeing before but he had not reported it nor did he look around even though, in retrospect, he thought it was strange. Apparently the Red Team member that had placed the match book on the fire extinguisher unintentionally had dropped a few extra books on the floor when he had reached into his pocket to get the matchbook he placed on the fire extinguisher.

The exercise identified vulnerabilities and remotivated security officers to improve their professionalism.

It is important for security and management professionals to realize that being closed minded and thinking they have “good” security is a counterproductive way of thinking. If you believe there is no need for improvement in your security program, you have a recipe for disaster. No one has all the answers but if teamed with a good, professional third party, the resulting “team” can ultimately help provide a safer and more secure environment.

Part of the reason there is a security function is to protect life and property. That means putting aside preconceptions and ego. I have NEVER conducted an assessment or security test that did not identify some shortcomings. This includes some of the supposedly most secure facilities in the world. Guess what…no security is perfect and you can always improve.

"Good security in not cheap... and cheap security is not good". -- BB



Posted by at No comments:

Supply Chain Security “SECURITY”



What do you do if you are on a less than truckload shipping route and the carrier shows up with load of illicit contraband on the truck?

What do you do if your inbound shipment is stolen after it just arrived at the terminal and in route to its destination?

What do you do if your shipment arrives at your location and the seal is broken and it was not cut by customs or the carrier?

The answer to these question is nothing (in a sense), unless, you’re in a supply chain security program. In most of the aforementioned examples common sense would prevail and someone may contact law enforcement. However, there is a laundry list of people that need to be contacted and not just the shipper or insurance company.

Even if your organization is not in a government sponsored supply chain security program ie: Customs Trade Partnership Against Terrorism (C-TPAT), Authorized Economic Operator (AEO), Nuevo Esquema de Empresas Certificadas (NEEC) or Partners in Protection (PIP) you are still a part of the Global Supply Chain and therefore have a responsibility to protect it.

A supply chain is a system of organizations, people, activities, information, and resources involved in moving a product or service from supplier to customer. Supply chain activities transform natural resources, raw materials, and components into a finished product that is delivered to the end customer. In sophisticated supply chain systems, used products may re-enter the supply chain at any point where residual value is recyclable. - Wikipedia

At some point is the manufacturing, production and delivery of your wears you need to imagine the hundreds of people involved and fleets of vehicles land, sea and air that are used to get you what you need.

The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary supply chain security program led by U.S. Customs and Border Protection (CBP) and focused on improving the security of private companies' supply chains with respect to terrorism. The program was launched in November 2001 with seven initial participants, all large U.S. companies. As of December 1, 2014, the program has 10,854 members.[1] The 4,315 importers in the program account for approximately 54% of the value of all merchandise imported into the U.S.

Companies who achieve C-TPAT certification must have a documented process for determining and alleviating risk throughout their international supply chain. This allows companies to be considered low risk, resulting in expedited processing of their cargo, including fewer Customs examinations. - Wikipedia

In today’s global economy we rely on each other to be a good corporate citizens to protect and preserve our way of life. Nine out of ten your wears were brought to you by someone in a Supply Chain Security program. Ultimately that someone is responsible and playing an active role in the war against terrorism. It also means that this person reaps the benefits of said program. Reduced number of inspections at the borders , priority processing (front-of-line) for US Customs and Border Protection (CBP)inspections and a several other benefits.

However, in return the CBP expects you to do your part and what does that mean. Simply stated CPB accepts you as a secure “vendor” of sorts but they want you to be sure those you do business with are also secure. CBP will have you conduct a risk assessment of your supply chain and have you advise those to either join a program or become compliant.

Wherever you are in the Global Supply Chain you have a clear responsibility. It does not take much to figure out if you should have some sort of program. Unless your wares are brought to you by one person down the street and they make from beginning to end in there facility with no outside assistance, then consider developing a program.

Remember the questions the correct answer would be:

  • Conduct or have someone conduct a risk assessment of your supply chain
  • Conduct or have someone conduct a risk assessment of you and your facility
  • Develop proper polices and procedure and enforce them
  • Train your employees in supply chain security

Posted by at No comments:
Subscribe to: Posts (Atom)