Embassy Security: The Layered Response

As the representative offices of Governments overseas, Embassies, Consulates and High Commissions have always required high levels of security, and particularly so in areas where terrorist cells and disaffected groups may operate. As Tim Northwood outlines, the Best Practice approach to adopt is one that involves a layered security regime.

Sadly, terrorist attacks on Embassies are something of a common occurrence and often result in loss of life. Witness the American Embassy bombings in Tanzania, Kenya and the Yemen, the Australian Embassy bombing in Jakarta and the Embassy sieges that have occurred here in the UK as well as in Sweden and Colombia. All are ample demonstration of the dangers posed to Embassy staff and property alike.

Headline-hitting anti-Government demonstrations and terror attacks are what most people initially think of in terms of security threats to Embassies. While these events can occur and security teams do need to be well-prepared for them, they represent only a small portion of the risk landscape for an Embassy and its dedicated staff.

Part of the security solution will, of course, involve physical barriers, fences, bollards and anti-blast protection measures, as well as safe rooms in case evacuation isn’t possible. It must be recognised, however, that cyber threats are just as dangerous, so encrypted communications, failover capacity, fine-grained permissions and forensic audit trails are among the other measures Embassy security professionals must also have in place.

The challenge is to balance the requirement for security – sometimes very high security – with the day-to-day access needs of bona fide Embassy staff and visitors who must come and go in the course of their legitimate business.

With this in mind, let’s explore some of the key points security and risk managers need to consider when planning security for an Embassy or Consulate. The overarching message is that Embassies need a layered approach. This means security teams can allow legitimate staff and visitors to work and move around freely while, at the same time, the Embassy and its staff are kept safe from determined intruders, be they physical or cyber.

Central management

It’s important the home country can manage Embassy security centrally, while still allowing local staff to control their own sites. The security solution must be able to handle a vast network of premises worldwide incorporating thousands of access-controlled doors and alarm sensors, as well as integration with many other security applications including CCTV cameras.

The home country needs constant remote access to local systems so central security managers can access local CCTV, audio and any other information in the event of a security risk to help them support local staff.

Systems that allow multiple bespoke protocols mean central security managers can ensure that they’re alerted to local, national and global issues promptly.

Advanced reporting allows security managers to include – or, indeed, exclude – particular recipients on specified matters. For example, they can share country-specific information with the local Embassies and Consulates and the home country only.

Fine-grained permissions

Security systems that allow ‘fine-grained’ tailoring for permissions and protocols offer better protection. For example, systems that allow you to create completely bespoke access credentials for each member of staff and every visitor ensure that these individuals can only access the correct areas and systems.

The same is true with protocols. Embassies are likely to have intricate, global combinations of alerts and information they want to share in response to different events from simple pager messages through to full lock-down protocols. Systems that allow for multiple and complex combinations of alerts and alarm escalation protocols are essential.

While we’re talking about fine detail, systems offering a full forensic audit trail are also vital. Forensic audit reports cover every single action and engagement with the access control system and can be reported at the local level or direct to the home country. This means that security and risk managers can see exactly who has done what to the system and when.

A good audit trail system should be able to ‘roll-back’ changes made to system programming by any person or entity at a specific date and time. This means, for example, that any changes made by a ‘rogue’ operator can be undone in one action and the system programming rolled back to exclude these changes.
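The roll-back described above can be sketched as a replay of the audit trail over a known-good baseline, skipping one operator's entries from a given time onward. This is an added example, not code from the article or from any vendor's product; the setting names, operator names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditEntry:
    seq: int            # monotonically increasing position in the audit trail
    when: datetime
    operator: str
    setting: str        # hypothetical setting name
    new_value: str

def replay(baseline, log, exclude=lambda e: False):
    """Rebuild system programming by replaying audit entries over a baseline."""
    state = dict(baseline)
    for entry in sorted(log, key=lambda e: e.seq):
        if not exclude(entry):
            state[entry.setting] = entry.new_value
    return state

def roll_back_operator(baseline, log, operator, since):
    """Drop one operator's changes made at or after `since`; keep all others."""
    def hit(e):
        return e.operator == operator and e.when >= since
    reverted = [e.seq for e in log if hit(e)]
    return replay(baseline, log, exclude=hit), reverted

# Constructed sample data (settings, operators and times are invented).
BASELINE = {
    "door.main.schedule": "08-18",
    "door.comms_room.access": "escort_only",
    "sensor.lobby.range_m": "12",
    "alarm.duress.escalation": "home_country",
}
LOG = [
    AuditEntry(1, datetime(2024, 2, 20, 10, 0), "op_b", "door.main.schedule", "07-19"),
    AuditEntry(2, datetime(2024, 3, 1, 9, 0), "op_a", "sensor.lobby.range_m", "15"),
    AuditEntry(3, datetime(2024, 3, 2, 22, 10), "op_b", "door.comms_room.access", "all_staff"),
    AuditEntry(4, datetime(2024, 3, 2, 22, 12), "op_b", "alarm.duress.escalation", "none"),
    AuditEntry(5, datetime(2024, 3, 3, 8, 30), "op_a", "alarm.duress.escalation", "local_and_home"),
]

if __name__ == "__main__":
    state, reverted = roll_back_operator(BASELINE, LOG, "op_b", datetime(2024, 3, 2))
    print("reverted entries:", reverted)
    for name, value in sorted(state.items()):
        print(f"{name} = {value}")
```

Replaying from a baseline, rather than restoring old values one by one, keeps later legitimate changes by other operators (entry 5 here) and the excluded operator's earlier changes (entry 1) intact.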

Finally, ensuring every device connected to the access control system has its own MAC address is another way of drilling down to the fine detail and guarding against security breaches. This measure prevents module substitution, for example. If an attacker attempted to replace movement sensors with others that covered less distance, for instance, then the system would alert operators to the unauthorised change.

Secure communications

Secure communications are paramount at every level for Embassies and Consulates whether that’s via their own private communication networks or between access control system controllers, servers and door modules, or when the core system integrates with third party systems such as CCTV.

A robust level of end-to-end encryption across all communication channels and interfaces is crucial. Data encryption ensures secure LAN communications at all times, while continuous monitoring will detect any fault or attempted module substitution. Ensuring the communications network is isolated helps in reducing the risk of interception.

Embassies need to ensure that their systems are ‘always on’. A security system should offer high availability with an IP network that runs multiple instances of itself – at the same time – across multiple nodes or servers at the local, national and global levels. Solutions such as database failover clustering mean auto-connection to available nodes when necessary with no compromise of the system.

Third party systems

Integrating third party systems with your core access control and security system creates a much more intelligent solution that’s cost-effective. An integrated system allows ‘cause and effect’ monitoring, such as relevant CCTV footage automatically appearing if an alarm or an alert is triggered.

As mentioned previously, all components should have their own MAC address, while the core system needs to offer end-to-end encryption. Integrations with CCTV, perimeter protection and ANPR are obvious, but bear in mind that biometric integrations are now also a possibility, offering as they do more security credential options for staff and visitors alike.

Duress alarms, whether fixed panic buttons or mobile alarms, can be integrated, as can key lockers and asset and personnel tracking.

Embassies are likely to have sensitive areas, such as communications rooms, that require extra levels of protection – both physical and cyber in nature. On the physical level, escorted visitor protocols and advanced interlocking doors can help to control who gains entry. Ensuring that your access control system and all communication channels are protected with robust encryption is necessary to guard against cyber criminals.

Trouble-free access

Despite the security risks, Embassies still need to be accessible to thousands of bona fide staff and visitors who have legitimate and important business to attend to on site. Trouble-free access to their approved parts of the building, IT systems and any other systems they need to go about their work is essential.

Also essential is a robust system for managing visitors, including ANPR for vehicle access, bespoke credentials for individual visitors and the use of the aforementioned escorted access if visitors need to gain entry to a higher security part of the site.

Layering on extra security only in areas where it’s really needed is key to balancing the freedom of movement for staff and visitors while also guarding against determined intruders. In addition, this means that Embassies can have a more cost-effective system in place, only paying for higher security measures where they’re really needed.

The systems described are necessarily complex and there are usually several ways of setting and carrying out tasks. This effectively means that, while Embassies will always have their own in-house security teams, it’s important that members of staff receive full training – and any refresher training – from the manufacturer of their security system(s).

Ultimately, such detailed instruction will allow them to install and maintain the system in any eventuality and always remain on top of any system improvements and developments.

Tim Northwood is General Manager of Inner Range

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
