Facilities Security Requires a Comprehensive Approach (Full Unedited Interview)

Written by Curtis Marquardt.

Burns Engineering’s Security Practice Leader Rene Rieder Jr. Sat Down with Us to Talk About Facilities Security, the Importance of Communication and How to Balance Form with Function in Ways that Enhance Security

CURTIS MARQUARDT:
Please tell our readers about yourself and your experience working in security. 

RENE RIEDER JR.:
My name is Rene Rieder Jr. and I am the Security Practice Leader for Burns Engineering. I have nearly three decades of security design and engineering experience involving planning, development, design, project management, construction, installation and commissioning of electronic and physical security solutions. My experience includes vulnerability assessment, security master planning and design of access control and video surveillance systems, passenger and goods screening systems, integrated operations centers and security system testing and readiness.

My focus for projects is to understand my clients’ goals and challenges and offer innovative solutions that are practical, scalable and consider financial and regulatory constraints. As a design professional, I focus on forward-thinking and visionary solutions, encouraging my clients to think outside the box, while also taking calculated risks that will positively impact their businesses.

I currently serve as the Vice Chair of the ASIS Security Architecture Engineering Council and the Education Chair overseeing the Facility Security Design (FSD) course. Recently, I led the development of the new ASIS Physical Asset Protection (PAP) Design Standard, which is a great tool outlining the framework for designing a physical security system. In addition, through the International Association of Professional Security Consultants (IAPSC), I’m a Certified Security Professional (CSC), which demonstrates my depth of knowledge, professional objectivity, integrity and independence along with my skills as a professional security consultant.

My career has been really exciting, as I’ve had the opportunity to work on many projects in different vertical markets, both domestically and internationally. The diverse project experience I have enables me to provide my clients with the best-of-breed options and solutions possible from different market deployments. 

 

CURTIS MARQUARDT:
That’s an impressive background! So happy you can join us to talk security. Utilities are facing increasing physical attacks. Of course, substation attacks make the headlines, but utility security professionals have a wide range of facilities and infrastructure to protect. What has your experience working with utility customers revealed to you about the challenges that utility security professionals face that are critical, but aren’t making headlines?

RENE RIEDER JR.:
The known-unknown security threats are probably the biggest challenge. The US Department of Homeland Security (DHS), under the National Infrastructure Protection Plan (NIPP), established a framework for critical infrastructure protection (CIP) identifying the development of an Energy Sector Specific Plan creating risk management programs.

As this is only a risk management framework, it is still up to the individual operator to develop and deploy a security and risk mitigation program. This framework provides a starting point to identify the typical high-risk areas to focus on: perimeter doors, substations, transmission lines and data centers are typical security areas of control which need to be protected and are typically under the control of the utility supplier. When I’m completing a security risk assessment, these are the areas I focus on, as they directly impact the business and are most likely to “make the headlines.” However, it’s the less headline-making threats which can have a greater impact on operations and need to be considered.

While there are multiple other threats to consider, two common examples I include with my assessments are insider threat and services provided by a third party that are critical for operations. The insider threat is a constant and difficult-to-predict threat to any organization. When I complete security assessments, I look at training records, security policies and procedures, access privileges, change control systems and user access control/entry monitoring procedures, to name a few. By reviewing these details, I can get an understanding of how the utility operator considers security: as either a “tick the box” exercise, or as a fully integrated security program relying on more than just technology.

An example of the second threat may include natural gas supply, which is supplied by a third party to power the generator. Although, the concern is: where are the shutoffs, are they protected and who is responsible for protecting these valves? Understanding these critical factors, which may not be in the control of the utility, is a critical part of the security assessment. Taking a 360-degree security assessment will ensure that the security professional reduces the known/unknown threats as much as possible.

CURTIS MARQUARDT:
I attended a session you delivered at GSX 2024 about Integrated Security Design. It was a fascinating presentation and I really enjoyed how you talked a lot about the importance of balance between form and function. Can you talk about some best practices utilities should consider when they look to balance form and function of their facilities and securing them?

RENE RIEDER JR.:
Security for utilities must be effective yet integrated into the environment, in such a way that protection is not achieved at the expense of operational efficiency. The key to this balance is a risk-based design approach that prioritizes real-world threats while avoiding excessive hardening. It calls for security measures to be symmetrically integrated into the architecture of the facility: landscaping, lighting and even building materials all can be used to provide added protection without a stark, uninviting environment.

A balanced security strategy is a layered defense that considers natural surveillance, physical barriers and technology. Principles such as Crime Prevention Through Environmental Design (CPTED) can guide the placement of access control, optimized lighting and clear sightlines to minimize vulnerability while also maintaining openness and functionality in a space. Security solutions should enhance, not encumber, daily operations, so employees, contractors and visitors can move about with ease while remaining safe from undue risk.

Technology plays an important role in enhancing security, without interfering with either the form or function of a facility. Intelligent video analytics, automated access control and perimeter detection systems offer real-time threat detection with limited overt security presence. Integration into building management platforms provides a transparent security posture that is seamless in relation to operational needs.

By integrating security as part of overall design, utilities can achieve an operationally functional, aesthetically integrated environment that also respects both regulatory requirements and community concerns. 

CURTIS MARQUARDT:
For those utility security professionals who might have limited resources to make impactful changes to their facility security, what are some easier, more budget friendly things they might consider prioritizing to improve security?

RENE RIEDER JR.:
I would like to address this question by taking a three-tiered response approach:

Tier One – Operational and Cultural Changes

Security budgets are always a challenge. Unless there is a regulatory-driven security requirement or, unfortunately, a recent/major loss, security is traditionally the first budget which is reduced. When we talk about security programs, it’s important to look at the policies, systems and people and how each provides the comprehensive layers of the security program but how each has a different cost impact on both capital expenditures and operational expenditures.

I would recommend starting simply by figuring out if there is an established, documented and current security program/policy that is approved by leadership. At a minimum, the security policy should define the level of protection for the facility, security responsibilities/response procedures and expectations for employees and visitors. Leadership approval is key to ensure that written policies are enforced and, if needed, funded. 

Next would be the application of Crime Prevention Through Environmental Design (CPTED) concepts. This may include simple activities such as repairing a damaged fence, providing a shrub/tree/grass clear zone around fences to provide external visibility into secure spaces and signage stating private property/no trespassing/etc.

Damaged fences, overgrowth, trash, etc. create a perception that the area is not monitored, taken care of or a priority for an organization. The “Broken Windows Theory” suggests that visible signs of disorder, like broken windows, vandalism and litter, are a signal to potential criminals that the owners don’t care about crime. Addressing these issues establishes a level of ownership and care where criminals would be less likely to focus on attempting to commit a crime at this location.

Employees—especially when assigned to a specific work area or region—are typically more in the know when there is a security issue/concern. The challenge is that they may not be engaged or understand their role in a “see something, say something” culture—or worse—they might have some sort of fear of retribution. By creating a security culture, the employees can become a force-multiplier without any additional staffing. Establishing a choice-based anonymous system to report security issues is important. Airports are very successful in implementing these types of programs, especially when there is a reward/recognition attached to a security culture program development.

Partnering with local Emergency Response/Law Enforcement to provide a collaborative security environment is also important. Utility environments are very complex and highly dangerous operating spaces for the untrained. Inviting local emergency responders and law enforcement professionals to tour facilities and learn how the locations function provides them with a familiarity of the spaces and a level of understanding about safe locations in response to an emergency. 

Each of the above is a very low-cost method to improve the security posture of an operation. The creation of a strong security culture empowers all employees to be part of the solution.

Tier Two – Joint Project Support

Security projects can quickly become quite expensive, resulting in delayed implementation and making them subject to cancelation. When considering capital program improvements, focus on multi-department projects and wins. For example, thermal cameras at remote unmanned substations could greatly increase security monitoring and the ability to detect unauthorized access, but this type of camera can also be used to detect when a piece of equipment exceeds a temperature threshold, identifying potential equipment overload. So, this type of camera may be cost prohibitive for a security department, but the fact that its cost could be shared across multiple departments provides a better pathway for deployment.

Tier Three – Security Master Plan

Development of a Security Master Plan is key to long term security program success. Too often, security departments are reactionary, resulting in greater challenges in seeking approval for solutions. The goal of a Security Master Plan is to take a holistic view of the current security posture and provide a realistic, achievable and affordable path to improve security. 

A Security Master Plan (SMP) starts with a Threat and Vulnerability Assessment (TVA) which takes an inventory of assets and how vulnerable each asset is to a specific threat. One key outcome of a TVA is a prioritized and focused list of security mitigation recommendations. The TVA is a powerful report that is developed in conjunction with multiple stakeholders from an organization.

This joint input provides an opportunity for sharing ideas and concerns between departments. The outcome of the agreed-upon TVA becomes the basis for the SMP. The SMP looks at prioritizing the recommendations, identifying costs, establishing timelines, analyzing project interdependencies and, ultimately, setting a security roadmap for deployment, improvements and maintenance (typically over the next 5-10 years). This plan eliminates the reactionary approach and sets a strategic approach. In addition—and very key to remember—the SMP has traceability back to the TVA. Therefore, if a recommendation is not implemented per the SMP, there is a direct connection to the increased vulnerability of the specific asset.

Of the three tiers, this does have a higher cost of investment, but it also sets a strategic plan and traceability of risks and vulnerabilities. While the TVA and SMP may be developed internally, my recommendation is to utilize an independent and credentialed security design professional. In my experience, it’s typically easier to navigate challenges of internal silos and at times struggles between departments over limited funding sources. The end game is a long-term plan which can be funded, scheduled and deployed over time. 

CURTIS MARQUARDT:
As utilities plan and build out new facilities, what are some things they should be thinking about and what are some recommendations on how to be most effective at planning out security that achieves function with form?

RENE RIEDER JR.:
Location, location, location. When planning the location of a new facility, all attempts should be made to select a lower risk area. This would include looking at crime statistics, first responder access and environmental conditions—to name a few. 

While corporate real estate groups will typically complete this analysis, security leadership should be part of these discussions. However, as much as any organization wants to achieve the “ideal” location, often cost and need drive the final decision. By security leadership being involved with these decisions, it enables them to begin planning the security needs for the new facility based on the risk level of the chosen location and establishing a budget for the implementation.

Now that the location is selected, early security input to the design, layout and orientation of the facility presents an opportunity to “build” security into the facility from the ground up. Examples may include building setbacks, integrating landscapes to create stand-off and modifying road alignments to reduce speeds (to reduce vehicle attack threats). 

These CPTED principles can have the greatest impact on risk reduction without the implementation of a single security device (camera, bollard, card readers, etc.). If the new facility is an office building, start considering the different user groups and controlling access. While an open lobby is very inviting, this is the first and last line of defense to protect corporate operations.

As we move through the facility, consider spaces for sensitive information handling, such as IT/Data rooms and executive leadership offices. Each of these presents different security risks and each needs to be integrated into the overall program of the facility. With a blank slate, there are opportunities to integrate security measures without implementation/reliance on security devices.

After designing out as many risks as possible with the layout of the facility, including the site, we can finally look at the selection and deployment of security devices. Selecting security technology last reduces the reliance on technology to protect a facility. 

CURTIS MARQUARDT:
You work across other critical infrastructure segments. What are some lessons learned from the security solutions you’ve discovered with, say, airports or educational campuses that might be applicable to security strategies at utilities?

RENE RIEDER JR.:
Airport perimeter fence intrusion security has an extensive track record of success and some of the things they are doing could easily be deployed at utility locations. Because regulations require these technologies to be tested and configured for high accuracy and reliability, there are many lessons learned from those strategies that could be used at utilities. 

Another great lesson learned from airports is analytic-based rules for access permissions. Access to different parts of airports is based on several factors including a business need, appropriate security training, background checks, etc. before the individual is provided with a badge and access. Some security programs require recurrent security training every 12 months to retain access permissions. This training requirement is configured with the user’s profile so that if they don’t complete the training, badge access is automatically disconnected.

In addition to training records, I’m seeing airports using analytics to look at access trends. For example, employee John Doe works Monday to Friday from 9 a.m. to 5 p.m. and accesses the same five doors within the airport to get to his workspace. 

But what if this employee is accessing a new door he typically doesn’t use? The Security Manager will receive notification of this anomaly and can investigate: is the employee “testing” the security system, was their normal door out of service, or was there some other external impact resulting in this change in the predictable activity? This intelligence can provide early notice for a potential maintenance issue or, worst case, an insider threat testing the security system.

From the educational market, I would highlight mass notification systems. The higher education market has very successfully deployed methods to disseminate relevant emergency information to a large population very quickly with different technologies. This market is further challenged by a large population of employees, students and visitors who are mostly transient. 

The use of audible mass notification systems, push messages to mobile devices, emails, text messages and workstation pop-up screens connected to the school’s network are some examples of getting information about how the different user groups should react during the emergency. While the technology is great, the real lesson learned is the back-end process and deciding who “pushes” the button to send emergency message(s). 

CURTIS MARQUARDT:
You’ve also worked internally with many organizations and have seen some of the internal human interaction that shapes the strategy and planning process. What are some recommendations you would give utility security professionals as it relates to getting buy in, working with other departments, etc. in ways that ensure greater success?

RENE RIEDER JR.:
Communication is key. Security systems are a very hard sell mostly because when they’re working per design intent, their effectiveness is transparent to most users. As a result, at times, it can be difficult to justify getting buy in and funding across departments. 

In comparison, if an HVAC system is running out of temperature spec (too hot or too cold), this directly impacts the users’ operating environment resulting in an easier buy-in for maintenance, upgrades or replacement. Which brings me back to my initial comment: communication is key. Two strategies that have been successful for me are security culture education and security at the table.

First, I’ll talk about security culture education. Utility organizations have very strong safety cultures because they train all staff to know and understand their role in contributing to a safe working environment. Unfortunately, security is often looked at as “the security team’s problem” to address.

A strong security culture, just like a strong safety culture, requires everyone at the organization taking ownership and levels of responsibility. The resulting impact is that buy-in on the security project is greatly increased because different departments understand their role in creating a secure culture for the organization. A level of trust is established before the ask, which results in greater program success.

Now, the other concept I talked about is security at the table. Successful security groups have seats at the table and are part of all planning, upgrade and construction projects. While a project may not require security upgrades today, security professionals always need to consider dynamic and changing threats. 

Something as simple as providing additional underground communication lines when a project site is under construction to a remote location will futureproof the installation and enable direct deployment of cameras. Simple futureproofing today can save significant capital costs in the future. 

The other advantage is that collaborative solutions may be identified when security is providing early input into the design. Too often, security is presented with a near complete design when it’s too late or cost prohibitive to deploy the needed mitigation measures.

Also, as we discussed earlier, a camera can be more than a security tool; it could be used for remote maintenance, remote visual inspections, detecting equipment operating out of temperature specifications, etc. Collaborative system solutions like this occur when security is at the table.

CURTIS MARQUARDT:
Last, if you could see into the future, what are the security challenges that exist in that time that aren’t perhaps front of mind or pervasive today?

RENE RIEDER JR.:
This is a great question and probably the hardest question I get from my clients. Security risks will continue to evolve, change and adapt to the deployed mitigation measures. With that, I have two challenges which need consistent focus and are always evolving.

Homegrown violent extremists (HVE) are a greater threat than the more common insider threat. HVEs are difficult to track. The typical goal of HVEs is terrorism focused, where the insider threat is typically business intelligence/business disruption. So, what can we do as an industry to address this threat? We need to start looking at activity intelligence. HVEs, like insider threats, typically have inside knowledge of the facility, door locations, camera locations, etc. Activity intelligence would learn the HVE’s typical security habits and be able to flag anomalies.

My other security concern is drones, especially for utility operators. While drones under the control of licensed pilots can provide extremely valuable information to utility operators, especially for inspections and accessing remote locations, drones can also be used to attack these same operations. 

Drones are constantly improving, providing greater flight times, cargo carrying capacity, pilot control and lower purchasing costs. As we have seen from the aviation industry, remotely operated drones can quickly and easily have an impact on critical infrastructure. While there have been few reported cases in the US, this has been an evolving threat in Europe and I would expect to see this threat expand in the US in the coming years. Utility companies should be looking into identifying funding investments in drone detection and response technologies to be fully prepared for this emerging threat.

——————————
About Rene Rieder Jr, PSP, CPP, CSC
René Rieder Jr, PSP, CPP, CSC is the Security Practice Leader for Burns Engineering, with over 25 years of experience in designing security solutions. His expertise spans vulnerability assessments, security master planning, and the design of access control, video surveillance, and risk mitigation systems. Known for his innovative yet practical approach, René helps clients navigate operational, financial and regulatory challenges while enhancing their security posture.