Organizations should attempt to anticipate and exceed potential new security standards by implementing a structured program that includes physical, technical, and operational measures.
The actions of Bruce Ivins, the scientist who mailed seven anthrax-laced letters that killed five people and sickened 17, are a grim reminder of the need for security within many biosafety laboratory (BSL) facilities. In September of 2008, the United States Government Accountability Office (GAO) reviewed five BSL-4 facilities. In their report, “Biosafety Laboratories – Perimeter Security Assessment of the Nation’s Five BSL-4 Laboratories,” they concluded that more needs to be done.
The GAO report accounted for only a handful of the BSL-4 laboratories that are currently in existence, but it provides a baseline for global improvements. Now, in 2009, the GAO, according to the Associated Press, will release another report claiming, “Although Centers for Disease Control (CDC) has taken some modest steps for studying how to improve perimeter security controls for all BSL-4 labs, CDC has not established a detailed plan to implement our recommendation.”
Organizations that currently have, or are planning to build, BSL labs need to be mindful in applying security to them. In the opinion of this author, organizations should attempt to anticipate and exceed potential new standards. It is only a matter of time until regulations or legislation are implemented to further control something that seems uncontrollable.
The GAO reports have gained the interest of Congress, and future legislation may place requirements on security implementations for the nation’s BSL facilities, many of which are struggling with the security risks at hand. A regulation-driven security implementation may be a bitter and expensive pill for these organizations to swallow.
BSL facilities need to begin planning and implementing a structured security program and should not wait for legislation. Although there may be no way to prevent a determined aggressor from gaining access to an asset, such as a controlled agent, we can deter them from attempting the act and detect them through broad security controls, as part of a comprehensive security program that calls upon physical, technical, and operational security.
Some ideas for strengthening a security program include using the following broad controls:
Operational Security:
- Implement an ID/credential program that requires IDs to be worn in all areas that house BSL facilities.
- Ensure the ID has a number of anti-counterfeiting technologies.
- Conduct background investigations for persons who will handle agents or need access to BSL facilities.
- Conduct random security patrols of the interior and exterior through a guard tour.
- Build employee awareness to detect/identify tailgating (a person following someone with a valid credential through a door).
- Conduct a third-party assessment to ensure that existing facilities are adequately protected.
Physical Security:
- Compartmentalize or layer physical and technical security to control access to areas that house BSLs.
- Security should not begin at the outer door that enters a BSL lab. Implement stand-off distance/setback from a street or an area where an explosive device could reside.
- Minimize door latch manipulation with the use of strike/astragal cover plates.
- Utilize high-security locking with biaxial tumblers to minimize picking/lock-bumping attacks.
- Do not sacrifice lighting — lighting is the number one deterrent to crime.
Technical Security:
- Use access control.
- Avoid electro-magnetic locks, as they are maintenance headaches and are easily bypassed.
- Use two forms of authentication to access sensitive areas.
- All doors should be alarmed.
- Use cameras to conduct video tours of the areas that house BSL facilities and of their perimeter.
- Implement automatic doors for areas with negative pressure to ensure doors do not become propped inadvertently by internal/external pressure differences, which are common in these facilities.
Summary
The key to security controls is time. A delay, or a series of cumulative delays, may cause a target to become undesirable to a would-be aggressor. Thus, security countermeasures can serve as a deterrent to an attack. Additionally, the longer we delay an act, the more opportunities we have for the act to be detected. All these factors considered, the desired result is to cause an attacker to abandon their attempts, or, at best, never attempt the act in the first place.
Sean A. Ahrens, CPP, CSC is a Project Manager with Schirmer Engineering, an Aon Global company that specializes in security assessments and security systems design. He can be reached at 847-953-7761 or Sean_Ahrens@schirmereng.com.
