Why Facility Breaches Happen, and How to Prevent Them
In July of 1982, a British man named Michael Fagan climbed a drainpipe in London, broke into Buckingham Palace, and triggered several alarms on the premises. Readers might imagine that he was quickly spotted by the Queen’s Guard, and that Scotland Yard was called to the scene and promptly arrested the intruder.
But that’s not what happened. Instead, Fagan ate snacks, drank a bottle of wine, wandered through the postroom, and sat on the Royal Throne for a while before calling it a night and leaving in boredom. Then he did it again, several days later.
This time, he wandered directly into Queen Elizabeth’s personal bedroom and managed to wake her up. The Queen – after making polite conversation – went to a palace telephone and called the police, who finally arrived to whisk Fagan away, but not before he requested cigarettes which were promptly brought to him by a maid.
Overlooking Old-Fashioned Threats
Later investigations showed that the failure of several security measures made Fagan’s famous exploit possible. On both of his entries, inconspicuous areas of the palace had not been adequately monitored. Internal alarm systems failed on his first intrusion; they functioned properly on his next break-in, but royal guards ignored them, assuming they were accidentally triggered.
If this seems like a freak incident that couldn’t happen in the U.S. with our security technology and strict standardization codes, think again. In 2014, Iraq War veteran Omar J. Gonzalez climbed the iron fence outside the White House, ran straight through unlocked doors, and made it all the way into the East Room before he was finally stopped and captured by Secret Service agents.
The Gonzalez and Fagan breaches – although separated by four decades and the Atlantic Ocean – boil down to the same basic oversights:
- Lack of adequate perimeter security
- Lack of regular testing or drills, leading to faulty equipment and mismanagement of security incidents
- Completely unsecured entrances
- Slow response time by security personnel
Discounting the Importance of Physical Security
We hear a lot today about the importance of Cyber Security Officers (CSOs) in the wake of major data breaches. But prioritizing digital over physical security can lead to oversights that jeopardize an organization and threaten public safety. Take a case in point:
To prevent a WarGames-style nuclear disaster, the U.S. depends on old-fashioned ICS (Industrial Control Systems) to manage its nuclear reactors and uranium storage facilities. Because they are basically isolated from networked systems, these controls cannot be hacked or compromised from the outside. However, this does not guarantee their safety from old-fashioned break-ins and intruders.
In 2012, a weapons-grade uranium processing facility in Oak Ridge, TN, was shut down after three anti-nuclear activists broke through the perimeter fencing. Although this action triggered alarms alerting security personnel, the intruders – ages 57 through 82 – walked for two hours and passed through four barriers before they were finally apprehended. By that time, they had reached and vandalized a uranium storage building.
Although nothing disastrous occurred in the Y-12 breach, it served as a wake-up call for security contractors tasked with monitoring the facility. If three untrained, elderly activists could basically waltz into a highly sensitive area, imagine what professional criminals could have accomplished in the same time frame.
When Complacency Kills
So far, we’ve discussed security breaches that could have been prevented with proper physical security measures. What happens when prevention mechanisms work just like they’re supposed to, but security is still compromised?
On September 16, 2013, 34-year-old Aaron Alexis entered the Washington Navy Yard in Washington, D.C., went inside a building where he had worked the previous week, and proceeded to shoot facility employees with a sawn-off shotgun. By the time he was killed in a shoot-out with police, Alexis had killed twelve people and injured three more.
How did Alexis access the Navy Yard to begin with? He had a secret-level security clearance which would remain valid until 2018. Concerns about Alexis’ behavior had never been reported to the government, and so this clearance was never revoked.
Moreover, while the U.S. clearance process is notoriously scrupulous, it was later found that the USIS – which had conducted his clearance investigation – had overlooked past criminal behavior, including eight cases of past misconduct and a 2004 arrest for weapons assault.
The USIS was also responsible for the clearance investigation of Edward Snowden, who was famously able to access and leak thousands of classified documents while working as a contractor for the NSA.
The Need for Vigilance
These are several high-profile cases that could have been prevented through any number of simple security precautions, such as:
- Better perimeter monitoring and security
- Regular testing of security systems to ensure functionality
- More rigorous reporting during the clearance process
- Better systems to anticipate insider threats
- Security checks of authorized personnel to prevent weapons on the premises
- More trained security personnel to apprehend intruders
Ensuring that these measures are carried out means starting from the top and enforcing consistent compliance goals across the board. In particular, the relationship between protective services and an organization’s Facility Security Officer (FSO) is crucial for mitigating threats and noticing blind spots before they turn into a disaster.
MathCraft understands that visitors represent one of the greatest vulnerabilities to facility security. Our security management platform includes ViSi Commander™, a robust visitor management solution specifically designed for classified facilities. The software features modules with pre-registration, check-in/out, and watch list capabilities, streamlining mission-critical routines and procedures.
Although complying with security standards like NISP and NISPOM can seem cumbersome, these standards exist for a very simple reason: breaches can and do happen all the time, and rigorous oversight can mean the difference between life and death.
MathCraft Security Technologies offers a robust product line of NISPOM-compliant security applications for cleared contracts and enterprises. Our solutions are carefully engineered to improve security processes, giving Facility Security Officers (FSOs) and employees the comprehensive tools that they need to manage data, monitor visitors, and automate workflows. For ultimate convenience, they are also available on-premises or via the cloud.