Security Considerations for Microbiological and Biomedical Facilities
by Chris Royse & Barbara Johnson
Visit our Anthology Books page for more information or to order the Anthology series and other ABSA publication.
In recent years, increasing questions have arisen regarding the adequacy of and need for the implementation of a security program in biomedical institutes and facilities working with and storing pathogens. Most of the concern has been focused on facilities working with and storing select agents and BSL-4 pathogens. In some instances, increased security, protective measures, and regulations have been promulgated and implemented as a result of 1) criminal activity by animal rights activists, 2) the necessity to protect intellectual rights/information, patent material/processes and business sensitive information, and 3) recognition of the potential for individuals or organized groups to obtain biological pathogens for criminal/terrorist use.
The diversity of these concerns is applicable to a wide range of institutes in the biotech industry that include: animal housing and breeding facilities, research institutes conducting work with animals, institutes conducting research with dangerous pathogens, pathogen repositories, and pharmaceutical and biotechnical companies. The concerns may also apply to other organizations, such as: diagnostic facilities, medical centers and universities conducting work with pathogens, and other businesses that are involved in handling, transportation, or other forms of work with pathogenic material. In considering the diversity of the types of organizations that may work with pathogens, it becomes evident that there is not one solution for all needs. In the same way a biological safety risk assessment is conducted at institutes preparing to work with pathogens, so should a security risk assessment be performed. Hence, each organization will develop and implement a security program based on their risk assessments, evaluation of problems and solutions, consideration of mission requirements and constraints, and level of acceptable risk. The authors would like to stress that it is not the objective of this chapter to define acceptable risk, solution requirements, or develop policy.
The objective of this chapter is to provide the reader with information regarding potential components of a security program, and the tools for developing a decision matrix to determine the security needs of their facility. The intent is to provide a set of decision considerations that can be applied across a vast spectrum of facilities/institutes, not a set of solutions
In an attempt to develop a systematic and rational approach to defining a successful, cost effective security program, this chapter will review:
- Concept of security management,
- Security plan development,
- Personnel considerations,
- Technical considerations,
- Operational considerations.
Concept of Security Management
The word security, "freedom from danger or anxiety". (Webster, 1992) often has a negative connotation not only by those intending to do harm, but also by those who are the recipients of protective services within a facility or institute. To many people, security is equated with limited access to facilities, materials, information exchange, and possibly colleagues, via fences, guards, locks, areas of restricted access, or other measures designed to keep people apart. Competent security management does not have to unduly interfere with the day to day activities of scientific personnel or act as an impediment to conducting research in a pleasant and professional setting. It is ultimately the role of the director of the facility or institute, through consultation with staff, to determine and provide the appropriate level of security and security oversight at their institute.
The Security Management Concept is a systematic process designed to develop rational and cost-effective physical security program strategies in order to protect critical facility assets. This system must take into account the actual, measurable assets of the program (i.e., personnel, products, patents, proprietary and personnel sensitive information, and hazardous materials) as well as the intangible essential mission functions (academic freedom, collaboration, and personal rights). Part of this process involves selecting countermeasures (preventative measures) appropriate to the level of risk that management is willing to accept.
Just as one of the key elements in a successful Biosafety Program is to identify risk and take actions to prevent accidents/incidents, the key to proper Security Management is to identify and reduce the risk of an adverse incident occurring. Security, like Biosafety, is often funded from an institutes "overhead or indirect budget." Therefore, Security Management is typically accomplished within the constraints of already tight financial resources due to inevitable competition for funding. The best way to understand how security at any facility or institute is to be managed is to identify existing security requirements at the Federal, State, local and Corporate levels, and understand the mission of the facility or institute which must be protected. In the case of security involving biological materials, there are scant established rules and guidelines. (http://www.cdc.gov/od/ohs/lrsat/regmat.htm, 2001). Institutes are largely on their own to develop a security plan that accurately reflects and address their needs. This is not necessarily bad. Due to the diverse types of institutes, mission objectives, assets, as well as numerous other factors, it is probably beneficial that each institute be able to develop a security plan that is tailored to its needs.
Security Management is as much an issue of establishing a state of mind as it installing a suite of technical equipment or measures. It is a concept that is hard to accept as a necessity, until an adverse incident occurs. Once an incident occurs, it is often too late to take the appropriate steps rapidly enough to prevent or decrease losses. Security Management is a cost/benefit analysis. It clearly states what is necessary to secure and what is expendable. A well-devised security management concept takes into account personnel, technical, and operational considerations. Also, the development of a security plan will help those charged with making decisions for the facility or institute understand the status of their assets, vulnerabilities, risk factors, current and acquirable preventative measures, and potential for loss (as a function of their actions or lack of action).
The Security Plan
As various equities are at stake, one model for development of a security working group calls for interactive relationships and overlap in responsibility between the principal players. The development of a coordinated and comprehensive security plan should be academic in its approach. A competent plan requires open communication, education of team players, joint participation of the security and other staff, compromise in both design and desires, and continuous updating. This exercise provides an opportunity to bring staff together with their security specialist counterparts as a team. The Principles include, but may not be limited to the offices of security, biosafety, emergency response (local fire and police), and the scientific director or program manager. Depending on the prioritization of mandatory secured items, team members may be expanded to include the occupational health staff, industrial hygienist, radiological safety officer, veterinarian, public affairs officer, etc. In cases where security is concerned with safeguarding biological materials, the security plan should be closely coordinated, if not interwoven into the appropriate elements of the institutes biosafety program. Some members of the team will play a predominantly security oriented technical and policy role in the assessment process, while others will be more involved in providing technical information on the current status of capabilities and mission requirements. The team, which is developed, will vary depending on the goals of the senior management and the mission of the institute, but the core team should be fairly consistent at the programmatic level to maintain continuity. While security will lead the effort, the consensus and descending comments should be provided to the senior management for an ultimate decision regarding implementation.
Security Management is the Management of Security Risks
Security Management and the Management of Security Risks are synonymous, i.e., they are concepts which enable those charged with the responsibility for the research or production at a biotechnical/biomedical facility or institute to mitigate the chances of an adverse security event from happening. Security and Security Risk Management begin with a Security Risk Analysis. Suggestions for proper Security Risk Analysis come in many different forms, but all are essentially comprised of the same elements (see Tables I and II in the appendix for a quick reference guide). A good example of a Security Risk Analysis outline can be found in Jopeck's article "Five Steps to Risk Reduction". (Jopeck, 2000). Jopeck contends that a Security Risk Analysis is comprised of these steps (see also Appedix, Table 1):
- Asset assessment,
- Threat assessment,
- Vulnerability assessment,
- Risk assessment,
Assets include, but are not limited to the facility's or institute's:
- Land that it physically rests upon,
- Infrastructure (air handling, power, water, sewage, etc.)
- Equipment and materials,
- Information/intellectual property, whether it be research, development or production,
The security working group must identify those things possessed by the facility or institute that are assets and are therefore potential targets. One technique is through interviews "Program Managers, Facilities Managers and Computer Systems Managers". (Jopeck, 2000). The assets must be prioritized from most important to least important. Importance should be determined by the a facility's or institute's director, but can usually be based upon:
- Time - how much time will it take to recover or replace the asset?
- Cost - how much will it cost to replace the asset?
- Customers - how many customers may be lost or not gained do to delays cause by asset loss?
In the case of facilities working with select or other dangerous agents, the question may also be asked, "Potential damage - what is the impact of the intentional use or release of this agent".
When ranking assets, one suggestion is to consult the facility's or institute's Business Impact Analysis (BIA). A BIA identifies and addresses the company's exposure to business disruption, the impact on the company of this exposure, steps the company can take to address it, and how much those solutions cost. (Myatt, 1999). If a BIA has not been conducted before, it would be prudent to complete one during the time the asset analysis is being conducted. The results of the asset assessment is a worksheet that identifies and maps valued assets and their relationships to one another. (Jopeck, 2000).
At the programmatic level, it is the role of the senior management (i.e., University Chancellor, Institute Director, Commander, etc.) to ensure that the perceived threats to the institute, as well as the institute's mission and goals are understood and communicated to a security working group. As stated before, there are three major types or groupings of threats to a biotech/biomedical facility or institute:
- Criminal activity by animal/environmental rights activists,
- Intellectual property compromise by competitive intelligence agents,
- Bioterrorists or criminals attempting to obtain biological pathogens for inappropriate use.
In order to evaluate the capabilities of a known threat, information must be gathered on the "capabilities, intent and history of adversaries attacking the assets of similar organizations". (Jopeck, 2000). Examples of facility or institute compromises from the listed threat groups include:
- Recently, members of the Earth Liberation Front (ELF) are suspected of burning the University of Washington Center for Urban Horticulture's research laboratory to protest the "genetic modification of trees". (Verhovek & Yoon, 2001). "Following attacks on university property carried out in the name of animal rights," laboratories had to be built underground in order to protect AIDS researchers at California's Stanford University. (Getty, 1996).
- Two Japanese research scientists were recently charged with "stealing cells and genetic material" from the Lerner Research Institute, a unit of the Cleveland Clinic Foundation specializing in Alzheimer's research. Upon stealing the materials, one of the scientists sabotaged his own lab, resigned once the materials were in Japan, and began working there a "a few weeks later." "More and more cases of scientific and industrial espionage have come to light in recent years, a reflection of the rising value of research". (Gillis, 2001).
- Prior to his well - publicized arrest in 1998 for suspected possession of "military grade anthrax," Ohio's Larry Wayne Harris was "arrested in May 1995 after a Rockville, Md. Laboratory sent three vials of bubonic plague' inactive bacteria to his home." Mr. Harris has been "identified by the FBI as a member of the Aryan Nations". (Macy, 1998).
Though natural disasters (e.g. fire and flood) are threats to biotech/biomedical facilities or institutes, they are not typically mitigated by the security plan unless they result from an attack by one of the aforementioned threats. In order to ensure the risk of such threats are decreased, the analysis should include "historical data and expert predictions." The difference between adversaries and natural disasters is the latter does not posses "intent". (Jopeck, 2000).
In this step, individual assets are considered from the perspective of the threat. What value is this to me? How would I take (steal) it? How would I sabotage it? One of the best ways to gather this type of information is to "interview" those responsible for the asset (operator level) and through "observation. (Jopeck, 2000)." Observation may focus on the steps in the processes used to create the asset, or on processes involving manipulation or transfer of the asset (i.e., in the case of dangerous pathogens: how and where are they used in research protocols, how are they transferred with an institute and to other institutes, what are the security conditions under which they are stored or grown, etc). The objective of conducting an observation analysis or mock walk-through of the process is to identify steps or instances where the asset may be (most) vulnerable to theft or sabotage (see Appendix, Table 2).
Typically, some sort of security capability already exists when reviewing assets. This means the vulnerability can be viewed from one of two positions: "how the existing countermeasures reduce vulnerability to the unwanted events (progressive);" ignoring installed countermeasures and plugging them back in later to see how/if they reduce the asset's vulnerability ("regressive"). (Jopeck, 2000).
This assessment combines information from the preceding assessments (asset, threat and vulnerability) and determines the level of risk the institute or facility is currently operating under. "Several techniques for calculating risks exist. They range from simple qualitative systems to those based on complex mathematical formulas. Still others are hybrids of the two". (Jopeck, 2000). The majority of these calculation techniques encountered by the authors have not transitioned well to the biotech/biomed facility or institute model. Regardless of the calculation method used, the most important thing to understand is how the vulnerabilities of an asset vital to a facility's or institute's mission may be exploited by an identified threat and therefore disrupts or destroy the ability to complete that mission.
For example, "two laboratories at the University of Arizona were burned and over 1,200 rats, rabbits, and mice were stolen by the Animal Liberation Front (ALF), destroying years of research to develop a treatment and vaccine for Cryptosporidium". (http://www.biostat.umn.edu/~carlton/PETA.html, 2001). In retrospect, if we could view the risk analysis for the rodents (assets), it would have indicated that the rodents in this study were determined to have a "high loss impact to the company". (Jopeck, 2000). They would have been considered highly vulnerable to fire and the threat, and based on past activities of organizations like ALF, would have been considered a high loss impact. This would have warranted tighter access control to the area(s) surrounding the rodent holdings as well as a robust fire suppression capability that in turn would have increased their animals' chances of survival.
In this step, the determination must be made as to what steps will be taken to protect the assets by reducing their vulnerabilities and keeping threats at bay. Approaches can be organized in three categories:
- "Risk Averse": the objective is to have risk reduced to near zero (may not be realistic),
- "Risk Tolerant": the objective is to develop a balance between the needs of security and business constraints, i.e., funding, mission, etc.
- "Risk Acceptance": organization accepts maximum risk, i.e., in order to decrease costs. This approach is least desirable if protection is needed. (Jopeck, 2000).
Countermeasures are best categorized under the headings: personnel considerations, technical considerations, and operational considerations. These will be discussed further in the following sections.
Upon completion of the risk assessment, recommendations should be presented to those members of management with the authority to accept risks and finance security enhancements if warranted. It is important to remember that this is a continuous process.
Biotechnical/biomedical facilities and institutes may be subject to a number of outside threats. Generally speaking, most realistic threats to assets (especially biological materials), and the most potentially dangerous threats to security in any industry, are those posed by "insiders", or employees. (DTRA, 2000). Any number of events may cause an employee to become a security/safety risk for the company, employer, or coworkers. Some examples include, but are not limited to:
- Becoming unhappy or "disgruntled,"
- Being passed over for promotion,
- Being reprimanded,
- Psychological or emerging personal problems, e.g. divorce, sick child/relative, substance abuse, etc,
- Moral/ethical disagreement with new projects or products,
- Recruitment and acceptance of a job to infiltrate an area and "spy" for another company or special interest group.
The insider threat is the hardest to protect against, and due to innate coworker trust, can be the most dangerous for numerous reasons. In terms of protecting biological materials from insider theft or inappropriate use, there are no reasonable, or tested and proven, technical solutions available. (DTRA, 2000). The answer largely depends upon personnel management and access control.
While inappropriate in academic settings, and unaffordable for many corporate entities, the first step in protecting a facility's or institute's assets from potential threats from employees is through the practice of background checks. "Background checks are an essential component of any good hiring program, and the criminal history check is especially critical ". (Long, 2001). In lieu of conducting background checks, an employer should at a minimum check the individuals references, and verify that the information provided is accurate. Even if some form of background check is preformed by the institute, it is worth mentioning that individual problems may not begin to manifest until after someone is hired, possibly even in a long-term employee. Therefore, once employees are hired, security or personnel reviews of their actions should continue on a periodic basis, or upon a change in duties or access. These requirements and parameters should be set at a corporate/institute policy level, and delegated down to security to implement.
Raising the level of security awareness among employees is a very important, but sometimes daunting task. Some of the main problems include identifying the appropriate level of training in order to maintain interest as well as timing the training so as not to interfere with hectic research or production schedules. At a minimum, employees need to know:
- How to identify personnel and determine whether they are in an authorized area.
- How to report suspected breeches of security.
- Security personnel cannot be everywhere at once, therefore, everyone is a security officer.
- The company's assets are their assets, and both personal and coworker safety and security are shared responsibilities.
It would be difficult to imagine an individual noticing, then walking past an uncontrolled fire in a laboratory and not trying to intervene or report the incident. People are taught and trained at an early age that fire poses a threat to life, safety, and property. Similarly there are danger signs which can be observed in terms of security breeches or potentially catastrophic personnel problems. Without teaching or training programs, it is easy for the untrained eye not be aware of these signs or their possible significance.
For many organizations, finding the time to provide security awareness training for non-security personnel is the biggest problem. There are many good examples of security awareness training programs, but the most important thing to remember when breaking training down into sessions is "to segment the training material so that each lesson would build on the previous lesson and reinforce the central theme that security [is] everyone's job". (McShane, 1999). This is not unlike the concept of biosafety training, where safety training is only effective if it is adopted at the line worker level and supported all the way up the management chain. Training should be relevant to the position and risk, provided in a way that is understood to "non-security professionals," provided in format and increments for maximum effectiveness, and a point of contact should be made available for questions.
As people are "only human", there is always the potential for an employee to feel building, insurmountable pressure/problems that may lead them to acts of workplace violence (against others or self), or provide materials, proprietary data, or security procedure information to an outsider (collusion) in exchange for compensation. The best way to ensure employees receive needed help before an incident occurs is by establishing a good Employee Assistance Program (EAP).
The intent of any EAP is to provide a way for employees to get confidential, professional assistance in overcoming a personal problem that is interfering with their life and livelihood. Additionally, EAPs also outline those signs that fellow employees and employers can look for to better understand if someone is having a problem. These signs are called "Fitness for Duty Behavior." Numerous companies, State and Federal agencies and institutes offer no cost assistance under these types of programs to employees. For employees of The Florida State University (FSU), the University's EAP outlines these signs on their website. At FSU, they are:
- "Expression of bizarre and inappropriate thoughts,
- Excessive absenteeism without prior approval or rationale,
- Degenerating physical appearance,
- Acts of insubordination,
- Poor work performance,
- Poor workplace relationships with others,
- Indications of alcohol/substance abuse,
- Excessive complaining". (http://www.eap.fsu.edu/guidelines.html, 2001)
Instituting an EAP can prevent tragic actions or theft of assets, while a less physically constraining security management system can evolve that:
- Protects physical assets and
- Provides valuable employees professional assistance without jeopardizing their personal or professional integrity.
Through background/reference checks, security awareness training, and an EAP, facilities and institutes can develop a comprehensive approach to security management regarding personnel considerations.
Technical considerations include those items or equipment that may be used to decrease vulnerabilities of an asset to a particular threat. Depending on the mission of a biotechnical/biomedical facility or institute, as well as its risk analysis, suitable equipment is commercially available to help reduce the vulnerability of an asset. Some examples include: fences, lights, closed circuit television (CCTV), motion detectors with lights or CCTV, self closing doors, locking doors, alarms, and card key access.
Access control can be a problem for many institutes as Directors must determine "who" requires authorized access to "which" areas or "which" materials. At times there is also a question of whether access is authorized only during regular business hours, or is authorized regardless of time or day. Research and production can be around the clock endeavors. However, there are technologies that are becoming more affordable that may help overcome some of these obstacles like extended standoff proximity cards, biometrics and remote access control. (Strauchs, 2001). Issues of sterilization and decontamination may come into play in some instances, be it worker or product protection.
It is important to remember that whatever is determined to be the appropriate level of countermeasures (risk averse, tolerance or acceptance), installation of the technology is only one part of the process. Resources (time, money and personnel) must be budgeted to account for time to design, procure, install, test, train, and then retest and retrain on a reoccurring basis (e.g. as personnel change).
Operational components of a security program are comprised of on-site or local security forces to include campus police, hospital or corporate security personnel, local police, emergency assistance, etc. The operational portion of security management is best remembered through the D3RT ("dirt") acronym, which stands for Deter, Detect, Detain, Respond and Train. The maintenance of an adequate and competent security force, security procedures and policies (i.e., background/reference checks, security awareness training, and an EAP) and the installation of technical equipment enables the institute to effectively deter and detect most threats. The security force need not be large, rather adequate for the threat and vulnerability previously established and agreed to in the security plan. It is also important to remember that while technology can reduce the number of personnel required to provide the desired level of protection, there must be adequate staffing if personnel need to respond to an incident (other personnel may be required to provide assistance, interface, and monitoring).
Detention of threats refers to delaying the individual(s) egress, be it related to a criminal or terrorist act at the facility or institute. Delay gives the security force time to receive notification (register) that an event has happened, and respond. A good way to detain individuals as well as providing a safe and aesthetically pleasing place to work for employees is through Crime Prevention Through Environmental Design (CPTED). CPTED is the practice of designing the exterior and interior of a facility or institute with security in mind. A thorough design can make it difficult for an individual to rapidly exit after committing a terrorist or criminal act. Some examples include: landscaping so that fences and retaining walls are not noticed until directly upon them, landscaping to minimize instances of crimes against individuals (i.e., well lit, open approach areas to buildings vs. shadowy enclosed areas) and meandering walkways or corridors so as not to provide a straight exit to perpetrators of crime. (http://www.cpted.net, 2001).
During the investigation of an incident, non-security personnel such as scientists must be able to conduct rapid, detailed accountability audits and be prepared to report on anything that is no longer accountable. This may include animals, experimental or proprietary material/information/product, and is especially important for facilities or institutes working with select agents and BSL-4 pathogens.
An institute's security personnel need to be able to respond appropriately to all types and levels of threats (mischievous vandalism to bomb threats to theft of dangerous pathogens). It is recommended that a good working relationship with local law enforcement authorities be cultivated to provide professional interaction, as well as provide assistance if necessary. Depending on the physical size of the facility or institute, mobility of the security force should be considered. The security force may require cars, motorcycles or bicycles, or a combination, in order to effectively patrol areas and rapidly respond to a threat. Before responding to an incident, security personnel must be aware in advance of any potentially biohazardous materials or other unique hazards located in the facilities (i.e., chemical, radiological, animal, etc.). Security personnel will need a well-developed and practiced plan for safely apprehending individuals who may possess, or may be contaminated by, a biohazardous agent. This plan should be developed in coordination with biosafety personnel. A good place to start is by reviewing the institute's Biological Emergency Response and Assistance Plan, then modifying it for likely scenarios.
Training of security force officers as well as non-security personnel must be competent, consistent, and continuous. Competent security training, especially at biotechnical/biomedical facilities, includes ensuring everyone is aware of all potential threats that may exist. These threats include industrial chemicals, biohazards, radiological hazards; at production facilities, such things as low hanging objects, slippery floors, and other physical industrial hazards must be evaluated. Competency also means that the training is conducted by personnel with experience in working in research or production settings who arfe able to provide that experience through classroom instruction and operational supervision. When applicable, this training should be provided by the biosafety officer, industrial hygienist, and other safety specialists at the institute. Consistency of training is synonymous with quality, and should be maintained at a high level of standard. The training should be well planned, and from the time it is implemented it should change to meet new challenges. Changes will be required when the risk analysis has been revised, or in some instances when new operations, projects or facility construction are considered. Training for security officers and non-security personnel must include open access to information to ensure that everyone is well aware of all procedures and policies. The value of training will be evident in the event a terrorist or criminal acts. A well trained staff means personnel can be more effectively protected and information can be reported to the security force and managers as rapidly as possible.
The most important part of operational considerations is to ensure that no part of the D3RT formula is an overt burden on the day to day operational activities of the institute or facility. Many security personnel find that administrators and scientists consider security measures prohibitive and counterproductive to an open and collegial work environment. This is generally a misnomer fostered by rumors (or factual cold war experience) at former weapons facilities. Security today can be achieved in a more innocuous manner, and in the civilian sector is a prerogative of the institute Director. The driving forces of the Director may be centered on personnel safety, protecting commercial assets, preventing the theft or misuse of hazardous materials, or other. While maintaining a safe and secure facility, it is also important to prevent security from interfering with the work or comfort of the employees. This will help in fostering cooperation and collaboration in any security management system.
Technical and Operational Challenges in Securing Biological Pathogens
Technical solutions applied in concert with operational plans can be successfully used in providing security to materials when they are stored in a centralized repository, i.e., cell lines, pharmaceutical libraries of products in development and test phases, pathogenic material, and even personnel files or business sensitive archives. An approach to protecting pathogens stored in central repositories is to implement a two-person rule for accessing the materials. There are numerous variations on this approach to include one person (such as a division chief or designate) to have the key to the entry door, while the other person (such as a biosafety officer) to have a key or combination to a second lock. Another variation, which also facilitates routine inventory control (annual accountability for materials), employs the use of bar codes on the vials rather than identifying the contents by name. Not overtly identifying the material is a deterrent since an individual does not know what they are stealing, whether it is the right material, how to grow it, or how to use it. In this system, the scientist files a request for the material, which is approved by his management and the institution biosafety officer before the material can be removed from storage. The approved request is provided to storage facility personnel who identify the location of the material in the freezer complex and accompanied by the scientist or biosafety officer, retrieve the material. This method is being successfully used in large institutes working with cell cultures, hybridomas, and BSL-1 and BSL-2 (non-select agent) materials. With LAN networking capabilities, requests for materials can be approved in a matter of minutes. The bar code system has the advantage that it not only facilitates inventory control, but can be used as a management tool when it is programmed to alert a project manager or senior scientist when only "X" number of samples remain in storage (the manager can then reorder, grow, or clone replacement material before inadvertently using the last vial).
A solution to protecting a collection of biological pathogens while facilitating biosafety requirements for select agents (BSL-3 and BSL-4) materials is to locate the collection within the containment area. Containment is the logical place from a safety perspective to store the material, since this is where the material will be used. Storage in containment introduces the need to gain access to and traverse change areas, shower areas (in BSL-4 it requires entry through airlocks which are usually monitored by engineering services), and other points which are generally access controlled by combination lock, card key or other means. Once the individual reaches the door to the repository there may be an additional level of access control to enter that area, with monitoring by motion detector activated CCTV. Locks are a standard feature for freezers, and serve as another layer of deterrent. This scenario provides a combination of operational and technical solutions for safeguarding biological materials in storage areas. It is worth noting these techniques are successful against most (if not all) intruders with the exception of the authorized insider. Using the two - person rule for removing material from a storage area would eliminate this threat unless the two people were working in collusion (usually a remote possibility).
It is also important to note that while biological material in the repository can be fairly well secured, there is virtually no reasonable operational or technical way to provide this level of security to materials being grown in the laboratory. A realistic security risk assessment would identify the laboratory itself as the most vulnerable area to protect. It is obviously easier for the authorized insider to obtain a sample of material he or an associate works with from a flask and carry it out. It is virtually impossible to note these types of discrepancies much less track the missing material. In most institutes BSL-2 pathogens are worked with in laboratories where the doors are not locked or closed during routine working hours, allowing anyone to access and remove a small amount of material. In institutes where work is ongoing with select agents or BSL-3 and 4 agents, laboratory doors should be self-closing and should have access control devices (locks, punch codes, card keys) to deter unauthorized access. The truth is, however, that there is no absolute way using rational measures to prevent a motivated insider from obtaining small amounts of biological material. It is not rational to expect scientists to work using a buddy system; it is cumbersome and at a minimum, doubles labor and PPE costs, not to mention that it is easily defeated. Nor is it rational to try to use continuos monitor CCTV, "portal or tracking" systems (currently undeveloped/unproven/very expensive technology dependant upon developing a label for the organism/media/etc. and tracking the movements of organisms through an area), or other technologies and methods employed by nuclear and chemical security and surety programs. Because biological materials do not "give off" a unique signature that can be measured in real time (especially when in vials), and are valuable in minute quantities (growth potential), they pose a difficult problem from a security point of view. While technology and operational security can greatly help deter outsiders from acquiring hazardous materials, the key is in preventing insider incidents, the most probable cause of a security breech, is discussed in the Personnel Consideration section.
The intent of this chapter is to give a broad overview of the security management considerations for biotechnical/biomedical facilities or institutes. It has not been intended to set policy, replace current SOP's, or become an "off the shelf" standard operating procedure. Rather, it has provided information that can serve as a conservative starting point for those looking to establish or redesign their facility's or institute's security management concept in order to meet current, new, and emerging threats.
Security management, the process of developing a plan to protect assets, ensuring individual employees are protected, maintaining technical countermeasures, and integrating operational security into daily activities may seem to be a concept that could rapidly overtake the business or academic necessities of a facility or institute. However, in the past decade, the world has changed and these aspects of security are more often becoming necessities. Professional activists, bioterrorists, and competitive intelligence agents are rapidly becoming threats in the new century. Only through the development of a staffed endorsed, management supported, integrated security management program can these threats be properly addressed. When the threats are properly addressed, the security program they will be recognized as an asset, not burden.
Overview of Security Requirements Analysis. (Hamilton E, 2000).
- Identify the assets to be protected.
- Assess the value of the assets.
- Assess the potential threats.
- Assess vulnerabilities.
- Assess risks.
- Determine countermeasures options and estimate costs.
- Make risk management decisions.
Explanation of Components Considered in a Security Requirements Analysis (Hamilton E, 2000).
- Assets to be protected may include:
- Material (biohazardous, chemical, radiologic, etc).
- Intellectual Property/ Products/ Processes.
- Equipment/ Facilities.
- Corporate/ Institutional Reputation and Mission.
- Records/ Computer Databases/ Personnel Sensitive Information.
- An institute can then assess the value of its assets by asking the following types of questions:
- What is the impact of loss, damage, compromise, or interruption of operations?
- What does the facility stand to lose?
- What does an adversary stand to gain?
- What is the impact of loss on the institutes mission, or in terms of national threat (i.e., theft of biohazardous material)?
- What is the potential impact on peoples' lives?
- Can the asset be replaced or repaired, and at what cost (not just monetary consideration)?
- Determine who constitutes the most likely potential threat, this may include more than one type of category:
- Extremists/ Fanatics (right wing "animal rights" activists)?
- Criminals/ Vandals?
- Political Activists (right wing "right to life" activists)?
- Drug/Alcohol/ Psychologically Impaired?
- Disgruntled Employees/ Students?
- Terrorists/ Racists (domestic and international)?
- Keep in mind they may be:
- Both (Collusion).
- Part of assessing vulnerabilities making an integrated assessment of the following aspects:
- What weaknesses could be exploited to result in loss, damage, compromise, or disruption of assets at your institute?
- Location of facility: is it in a high threat area, what is the accessibility of facility, what is the proximity of other buildings and the nearness of response forces, vehicle access roads?
- How may the adversary gain access or otherwise achieve their goal: forced entry, covert entry (in collusion with insider) authorized entry (insider), extortion of insider, unescorted walk-in, stay behind after hours, arson, diversionary tactics?
- Determine site specific requirements of the physical security system by
- Physical aspects (i.e., perimeter barriers, building construction and layout, facility layout, access roads, response vehicles and equipment),
- Technical aspects (i.e., existing physical security systems and equipment, communications, power and signal distribution infrastructure, lighting),
- Operational aspects (i.e., personnel, concept of operations).
- To assess risks include or consider the following:
- The motives/goals of your adversaries (greed, revenge, sabotage, societal unrest, vandalism, ego, opportunity, national harm, propaganda, theft, perceived right, no known reason).
- The adversary's level of knowledge, capability, dedication, skill, and potential that they have "inside" assistance.
- Prioritize assets according to severity of impact of loss, damage, compromise, or disruption of your mission goals and values.
- Select most realistic threat to that asset.
- Select most realistic vulnerability to that asset.
- Determine the probability of occurrence, probability is a function of vulnerability and threat to the asset.
- Options for countermeasures:
- Do nothing.
- Upgrade, augment or replace existing security.
- Modify concept of operation.
- Retrain or re-equip personnel.
- Relocate assets to a more secure site.
- Re-evaluate physical security objectives.
"Aids activists vs. PETA" (2001). University of Minnesota School of Public Health. Biostatistics. http://www.biostat.umn.edu/~carlton/PETA.html. Online.
Department of Health and Human Services Centers for Disease Control and Prevention (2001). Biosafety in Microbiological and Biomedical Laboratories (BMBL) 4th Edition. "42 CFR Part 72." Online. http://www.cdc.gov/od/ohs/biosfty/bmbl4/bmbl4toc.htm.
(DTRA) Defense Threat Reduction Agency (2000). "Enhancing the Security of Dangerous Pathogens Workshop." Albuquerque, NM.
"Fitness for Duty" (2001). Florida State University Employee Assistance Program. http://www.eap.fsu.edu/guidelines.html. Online. 27
Getty, J (1996). "The Tragic Hypocrisy of 'Animal Rights'." Wall Street Journal. Online. Americans for Medical Progress Educational Foundation Articles. 13
Gillis, J (2001). "Scientists Accused of Theft." New York Times, A18.
Hamilton, E (2000). "Risk Management In the Approach to Physical Security Planning." Obolensk, Russia.
(ICA) International Crime Prevention Through Environmental Design Assosication. (2001). http://www.cpted.net. Online.
Jopeck, E J (2000). "Five Steps to Risk Reduction." Security Management.
Long, J W (2001). "Background Checks Step by Step." Security Management 72-78.
Macy, R (1998). "Two Men Arrested with Anthrax." The Associated Press. http://archive.nandotimes.com/newsroom/ntn/nation/021998/nationt_20801_noframes.html. Online.
McShane, W J (1999). "Raising Security Awareness." Security Management: 29-30.
Myatt, P B (1999). "Going in for Analysis." Security Management: 75-79.
Strauchs, J J (2001). "Which Way to Better Controls?" Security Management: 93-100.
Verhovek, S Yoon, (2001). "Fires Believed Set as Protest Against Genetic Engineering. New York Times. Online. America Online. 23
Webster (1992). New Webster's Dictionary and Thesaurus of the English Language. "Security."
Chris Royse & Barbara Johnson - Security Considerations for Microbiological and Biomedical Facilities, Anthology of Biosafety V - BSL4 Laboratories, Chapter 6 (2002),