Designing Physical Security: Fundamental Principles for Optimal Protection

Designing Physical Security: Six Engineering Principles — Each Derived from a Documented Failure

Executive Summary

Physical security design fails when it is treated as a set of general principles to be applied uniformly rather than as an engineering discipline to be applied precisely. The principles in this paper are not abstract guidance — each is derived from a documented failure where the absence of the principle produced a confirmed consequence.

  • Metcalf (2013): no cooling fin screening and no independent communications — Protection-in-Depth absent.

  • Target Corporation (2013): vendor credential not revoked at contract end — Access Management failed.

  • SolarWinds (2020): build server not in an isolated secure zone — Zone Architecture absent.

  • Oldsmar (2021): OT workstation with unrestricted remote access and no monitoring — Detection and Response absent.

  • Brussels Airport (2016): landside zone had no structured security layer — the perimeter stopped at the airside boundary.

  • Twitter (2020): critical admin tool accessible from any VPN session regardless of physical location — Integrated Security Design absent.

Each principle below is stated as an engineering requirement, referenced to its governing standard, and anchored to the incident that demonstrates what happens when it is not applied. All incident data is sourced from named primary documents.

Principle 1 — Risk Assessment Precedes Design

THE PRINCIPLE: No physical security countermeasure can be correctly specified without a prior risk assessment that identifies the asset, characterises the threat by actor, method, aim point, and objective, evaluates likelihood and consequence, and determines the acceptable residual risk. A countermeasure specified without a risk assessment is a guess. A countermeasure specified against a documented risk assessment is an engineering decision.

1.1 Asset Identification — The Metcalf Lesson

Asset identification must extend beyond the primary asset to every component whose failure takes the primary asset offline. The Metcalf substation attack of April 2013 targeted the cooling fins of 17 power transformers — not the transformers themselves. The attackers selected the most vulnerable component whose destruction would disable the primary asset. An asset inventory that lists 'power transformer' without listing 'transformer cooling system panels (2 mm mild steel, oil-filled, exposed to external firing line)' as a distinct vulnerability is an incomplete asset inventory that will produce an incomplete risk assessment.

Confirmed consequence: USD $15.4 million direct repair cost (FERC Order 802 supporting analysis; Senate testimony of Commissioner Wellinghoff, March 2014). 27 days offline. Replacement transformers sourced internationally because domestic manufacturing capacity could not supply within an operationally acceptable timeframe.

SolarWinds parallel: The SolarWinds SUNBURST compromise of October 2019 to December 2020 targeted the build server — the physical machine that compiled and packaged the Orion software update distributed to 18,000 organisations. An asset inventory for a software company that identified servers and network equipment but not the build environment as a separate high-criticality asset class missed the asset that was selected for attack. Source: SolarWinds Form 8-K, December 2020; GAO-21-354.

1.2 Threat Characterisation — Four Dimensions

Threat characterisation requires precision across four dimensions. A threat described only as 'physical intrusion' or 'cyber attack' is not a characterised threat — it is a category label that produces no actionable design parameter.

Threat actor — who: The actor's tier determines their capability, resource access, and target selection logic. CISA's confirmed taxonomy: Tier 1 (nation-state: long dwell, ICS-specific tools, pre-positioned capability — Volt Typhoon, Sandworm); Tier 2 (state-affiliated: significant resources, commodity tools — IRGC Cyber Av3ngers, County Mayo 2023); Tier 3 (criminal: commodity ransomware — Conti, HSE 2021). Controls sufficient for Tier 3 are necessary but not sufficient for Tier 1.

Attack method — specific technique: The specific method determines which vulnerability is in scope. Cooling fin screening addresses standoff .30-calibre rifle fire. A data diode addresses IT-to-OT lateral movement. Default credential change addresses Shodan-indexed PLC exploitation. None of these controls addresses any other method. Specifying 'physical attack countermeasures' without specifying the method produces controls that may be irrelevant to the actual threat.

Aim point — specific target component: CARVER analysis (Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognisability) identifies the specific component an adversary would target. A 220 kV transformer cooling fin scores 9/10 on Vulnerability and 10/10 on Recuperability (12-18 month replacement lead time, fewer than 20 global manufacturers). The risk assessment that scores the transformer as a whole asset rather than its most vulnerable component will under-specify the countermeasure.

Objective — what the attacker seeks to achieve: An attacker destroying a transformer has a different objective from an attacker installing a hardware implant on a SCADA workstation. Objective determines target selection, timing, and dwell requirements, which in turn determines the detection architecture. Volt Typhoon's SCADA topology collection is not an attack — it is preparatory-phase intelligence collection for a future attack. The risk assessment must characterise both phases, not only the kinetic phase.

1.3 Residual Risk — The Engineering Acceptance Decision

Every physical security system leaves residual risk. ISO 31000:2018 Clause 6.5 establishes the four treatment options: Modify (apply countermeasures), Retain (accept residual risk), Avoid (cease the activity), Share (transfer via insurance or contract). Residual risk is the result of the Modify decision — the risk remaining after selected countermeasures are applied. The Retain decision requires documented management approval at a level appropriate to the consequence of the risk. An organisation that has not explicitly accepted its residual risk in a documented governance process has not completed a risk assessment — it has produced a document.

THE COMPLIANCE TRAP: CER Directive Article 12, NERC CIP-014-2, and ISO 27001 all require a risk assessment. None of them can be satisfied by a document that does not explicitly identify assets, characterise threats by method and actor, score likelihood and consequence, specify countermeasures, and document residual risk acceptance. A compliant-looking document that does not contain all of these elements is non-compliant with the substantive requirement regardless of its format.

Source: ISO 31000:2018: Risk Management — Guidelines. Clauses 6.2-6.6. FERC Order 802 supporting analysis: USD $15.4M Metcalf repair cost. Senate Energy Committee testimony, March 2014. SolarWinds Form 8-K, December 2020. GAO-21-354, June 2021. CISA AA24-038A (Volt Typhoon), February 2024.

Principle 2 — No Single Point of Security

THE PRINCIPLE: A physical security system with a single controlling layer — however robust — has a single point of failure. An adversary who defeats that layer has unrestricted access to the protected asset. Each layer must provide additional time between the adversary's initial breach and their achievement of the attack objective. The sum of time across all layers must exceed the response force arrival time. This is not a design aspiration — it is a calculable engineering parameter.

2.1 The Four-Zone Model — Applied to Documented Failures

The Purdue Enterprise Reference Architecture (Williams, 1992), developed for OT network segmentation, applies with equal validity to physical security zoning. Assets are grouped into zones by security requirement. Zone boundaries are controlled interfaces. Breaching the outer zone boundary does not provide access to the inner zone — the attacker must defeat a second independent control.

Zone 0 — Public space: No authentication required. Zone 0/Zone 1 boundary: ISO 22343-1:2023 rated HVM barriers preventing vehicle penetration. CCTV at Detection grade (BS EN 62676-4, 0.04 pixels/mm). The Metcalf attack was executed entirely from Zone 0. The attackers did not breach Zone 1. Zone 0/Zone 1 separation via cooling fin screening and an independent communications pathway would have compressed the engagement window and detected the attack. The attack exploited the absence of any Zone 0 detection capability — the attackers operated in Zone 0 for 31 minutes between the telecommunications cut and first shot without generating any alert.

Zone 1 — Site perimeter: Single-factor authentication at vehicle checkpoint. CCTV at Observation grade (0.125 pixels/mm). Perimeter intruder detection on fence line. All access events logged to PSIM.

Zone 2 — Building envelope: Multi-factor authentication at primary entrances. CCTV at Recognition grade (0.25 pixels/mm). Visitor management with escort. The Brussels Airport attack operated entirely in Zone 2 — inside the terminal building but outside the airside screening boundary. The Ben Gurion model extends Zone 2 protection to the terminal entrance doors, creating an additional controlled interface that Brussels did not have. The consequence of its absence: 16 killed, 187 injured, 22 March 2016.

Zone 3 — Secure and controlled areas: Multi-factor authentication plus management authorisation. Dual-person access rule for highest-criticality environments. CCTV at Identification grade (1.25 pixels/mm). USB ports physically disabled. All access events logged and reconciled daily. The SolarWinds build server — the origin point of the SUNBURST supply chain compromise affecting 18,000 organisations — should have been in a Zone 3 equivalent, with no network connectivity to the development environment and hardware integrity verification before each build run. It was not. The consequence: USD $40 million direct cost (SolarWinds Form 8-K), USD $90-100 million US government remediation (GAO-21-354).

2.2 The Critical Time Equation

For Protection-in-Depth to function operationally, the following inequality must hold:

Detection Time + Cumulative Delay Time > Response Force Arrival Time

If detection takes 2 minutes and cumulative delay across all layers is 8 minutes, the response force must arrive and intervene within 10 minutes. A response force with a 15-minute arrival time means the adversary has 5 unimpeded minutes after defeating all delay mechanisms. At Metcalf, the 31-minute telecommunications pre-cut window and 19-minute engagement window together produced 50 minutes of undetected, unimpeded operation — because there was no Zone 0 detection, no independent communications, and no acoustic detection. Acoustic gunshot detection (ShotSpotter or equivalent: 1-2 second detection and location) integrated with independent cellular communications would have compressed this to the law enforcement response time from first shot. The time equation must be solved for every threat scenario in the risk assessment — it is the fundamental design parameter of any Physical Protection System.
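The inequality can be evaluated per threat scenario as the design proceeds. The following is an added worked example, not code from the paper: it takes the paper's 2-minute detection, 8-minute cumulative delay and 15-minute response figures, splits the 8 minutes across three constructed layers (the split is an assumption), and reports the margin, the unimpeded minutes the adversary gains, and which layer the adversary is working on when the response force arrives. All times are measured in minutes from the adversary's first action.

```python
"""The critical time equation, solved for a scenario.

Added worked example, not code from the paper. The detection (2 min),
cumulative delay (8 min) and response (15 min) totals are the paper's worked
figures; the split of the 8 minutes across three named layers is constructed.
All times are minutes from the adversary's first action.
"""

# Constructed layer breakdown summing to the paper's 8-minute cumulative delay.
EXAMPLE_LAYERS = [("perimeter fence", 1.5), ("building envelope door", 3.0),
                  ("Zone 3 door", 3.5)]


def assess(detection_min, layers, response_min):
    """Evaluate Detection + Cumulative Delay > Response Arrival for one scenario.

    layers is a list of (name, delay_min) in the order the adversary meets them.
    """
    cumulative = detection_min + sum(delay for _, delay in layers)
    margin = cumulative - response_min           # positive: the inequality holds
    # Walk the layers to find what the adversary is doing when the force arrives.
    elapsed = detection_min
    position = "objective reached"
    for name, delay in layers:
        if elapsed <= response_min < elapsed + delay:
            position = f"defeating {name}"
            break
        elapsed += delay
    return {"cumulative_min": cumulative, "margin_min": margin, "holds": margin > 0,
            "unimpeded_min": max(0, -margin), "adversary_at_arrival": position}


def required_extra_delay(detection_min, layers, response_min):
    """Additional delay (minutes) the design must add for the inequality to hold."""
    cumulative = assess(detection_min, layers, response_min)["cumulative_min"]
    return max(0, response_min - cumulative)


if __name__ == "__main__":
    for response in (8, 15):
        r = assess(2, EXAMPLE_LAYERS, response)
        print(f"response {response} min: holds={r['holds']}, margin={r['margin_min']:+.1f} min, "
              f"adversary {r['adversary_at_arrival']}, "
              f"extra delay needed {required_extra_delay(2, EXAMPLE_LAYERS, response):.1f} min")
```

With a 15-minute response the margin is -5 minutes and the adversary has already reached the objective; with an 8-minute response the force arrives while the Zone 3 door is still being worked, which is the condition the paper requires. required_extra_delay gives the design shortfall directly: 5 minutes of additional delay, or an equivalent reduction in detection or response time, for the 15-minute case.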

2.3 Redundancy Requirements

Power redundancy. NIST SP 800-53 PE-11 (Emergency Power) requires backup power capable of maintaining security function for a defined maximum outage. Minimum for CNI sites: 72 hours UPS and generator for all security systems — CCTV, access control, alarm transmission, and communications. Security infrastructure that fails when the grid fails has a single point of failure that is neither unusual nor difficult to exploit.

Communications redundancy. The Metcalf attackers cut the AT&T fibre-optic cable serving the substation specifically because it was the only alarm transmission pathway. All security alarm and SCADA communications must have a minimum of two independent physical pathways: primary fibre, secondary cellular 4G/5G industrial router, tertiary satellite for locations with poor cellular coverage. A single cable cut must not be able to silence the alarm system.

Detection redundancy. Optical CCTV is degraded in darkness, fog, and heavy precipitation. Thermal imaging (FLIR Triton F-Series: detection range 10+ km for human-size target, operates in complete darkness and adverse weather) covers the conditions where optical fails. DAS (Fotech Helios distributed acoustic sensing: 24/7 perimeter monitoring, 5-metre location accuracy, defeats darkness and weather) covers the approach pathways. No single detection technology is sufficient.

Source: Williams, T.J. (1992) Purdue Enterprise Reference Architecture. Purdue University. FERC Order 802 (Metcalf). Brussels Airport: Belgian Federal Prosecutor acte d'accusation, 2019. NIST SP 800-53 Rev 5: PE-11.

Principle 3 — Integration, Not Aggregation

THE PRINCIPLE: Assembling a collection of security components is not designing a Physical Protection System. Integration requires that components work together: detection outputs trigger access control responses; access events are correlated with CCTV records; alarms transmit via redundant pathways to a monitored operations centre; response force deployment is coordinated through the same platform that generated the detection event. An integrated PPS produces a response faster and more precisely informed than any component could produce independently.

3.1 PSIM — The Integration Layer

A Physical Security Information Management platform correlates events from access control, CCTV, alarm systems, perimeter sensors, and visitor management into a single operational picture. Without PSIM integration, the security operations centre receives disconnected data streams and performs correlation manually, introducing delay and error.

Three specific detection scenarios require cross-system correlation that no individual component can provide:

  • Physical access event to the server room at 03:00, followed within 5 minutes by a new network device appearing on the server room switch — individually: a late-night maintenance visit and a routine discovery event. Combined: a hardware implant indicator requiring immediate investigation. Neither system generates the alert independently.

  • Badge access failure at a controlled zone door (correct card, wrong biometric), followed 20 minutes later by a successful workstation login using the same card's associated account — individually: a failed entry attempt and a normal login. Combined: a credential sharing or card cloning indicator.

  • ANPR camera detecting a vehicle circling the site perimeter three times in 90 minutes, combined with a Shodan alert showing a new IP querying the site's OT device — individually: inconclusive. Combined: coordinated physical-digital reconnaissance requiring immediate escalation to the security operations centre.
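The three scenarios above are each a time-windowed join across two sources. The following is an added example of that correlation logic run over constructed sample events; it is not code from the paper and not any PSIM product's API. The event record layout (timestamp, source, kind, details) and the door-to-switch mapping are this example's own assumptions; the 5-minute, 20-minute and 90-minute windows are the ones the scenarios state.

```python
"""Cross-system event correlation of the kind a PSIM layer performs.

Added example; not code from the paper and not any PSIM product's API. The
event record layout (timestamp, source, kind, details) and the door-to-switch
mapping are this example's own assumptions. The time windows are the ones the
three scenarios above state: 5 minutes, 20 minutes and 90 minutes.
"""
from datetime import datetime, timedelta

# Assumption: which Zone 3 door fronts which server-room switch.
DOOR_TO_SWITCH = {"SRV-ROOM": "SRV-SW-01"}


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events from five independent systems; timestamps invented.
EVENTS = [
    (ts("2024-03-02T03:00:00"), "access", "door_open",
     {"zone": "Z3", "door": "SRV-ROOM", "card": "C-1042"}),
    (ts("2024-03-02T03:03:40"), "netmon", "new_device",
     {"switch": "SRV-SW-01", "port": 17, "mac": "aa:bb:cc:dd:ee:ff"}),
    (ts("2024-03-02T08:10:00"), "access", "auth_fail",
     {"zone": "Z3", "door": "CTRL-ROOM", "card": "C-2210", "reason": "biometric_mismatch"}),
    (ts("2024-03-02T08:25:30"), "siem", "logon",
     {"account": "jdoe", "card": "C-2210", "host": "WS-14"}),
    (ts("2024-03-02T10:00:00"), "anpr", "plate", {"plate": "TEST-123", "camera": "PERIM-N"}),
    (ts("2024-03-02T10:35:00"), "anpr", "plate", {"plate": "TEST-123", "camera": "PERIM-E"}),
    (ts("2024-03-02T11:05:00"), "shodan", "new_query", {"src_ip": "203.0.113.7", "target": "plc-01"}),
    (ts("2024-03-02T11:20:00"), "anpr", "plate", {"plate": "TEST-123", "camera": "PERIM-S"}),
]


def correlate(events, device_window=timedelta(minutes=5),
              login_window=timedelta(minutes=20),
              circling_window=timedelta(minutes=90), circling_count=3):
    """Return the alerts that no single source could raise on its own."""
    events = sorted(events, key=lambda e: e[0])
    alerts = []

    # Scenario 1: Zone 3 door opened, then a new device on that room's switch
    # inside device_window -> hardware implant indicator.
    for t, src, kind, d in events:
        if src != "access" or kind != "door_open" or d.get("zone") != "Z3":
            continue
        switch = DOOR_TO_SWITCH.get(d["door"])
        for t2, src2, kind2, d2 in events:
            if (src2 == "netmon" and kind2 == "new_device"
                    and d2["switch"] == switch and t <= t2 <= t + device_window):
                alerts.append({"rule": "HARDWARE_IMPLANT_INDICATOR", "door": d["door"],
                               "card": d["card"], "mac": d2["mac"]})

    # Scenario 2: correct card but biometric mismatch, then a logon with the
    # account tied to that card inside login_window -> cloning or sharing.
    for t, src, kind, d in events:
        if src != "access" or kind != "auth_fail" or d.get("reason") != "biometric_mismatch":
            continue
        for t2, src2, kind2, d2 in events:
            if (src2 == "siem" and kind2 == "logon" and d2.get("card") == d["card"]
                    and t < t2 <= t + login_window):
                alerts.append({"rule": "CREDENTIAL_MISUSE_INDICATOR", "card": d["card"],
                               "account": d2["account"], "host": d2["host"]})

    # Scenario 3: one plate seen circling_count times inside circling_window,
    # with a new external query against an OT device in the same window.
    sightings = {}
    for t, src, kind, d in events:
        if src == "anpr" and kind == "plate":
            sightings.setdefault(d["plate"], []).append(t)
    ot_queries = [t for t, src, kind, _ in events if src == "shodan" and kind == "new_query"]
    for plate, times in sightings.items():
        for i in range(len(times) - circling_count + 1):
            start, end = times[i], times[i + circling_count - 1]
            if (end - start <= circling_window
                    and any(start <= q <= start + circling_window for q in ot_queries)):
                alerts.append({"rule": "JOINT_RECON_INDICATOR", "plate": plate,
                               "passes": circling_count, "first_seen": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Each rule deliberately fires only on the combination: the same sample with the switch event 20 minutes late, or with the OT query removed, produces no alert, which is the manual correlation step the SOC would otherwise have to perform on disconnected streams.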

Genetec Security Centre is the PSIM platform specified throughout this paper series — native integration with access control, CCTV, ANPR, and visitor management, with API connections for counter-UAS detection, OT monitoring platforms, and third-party alarm systems.

3.2 Visible and Covert Balance — The Metcalf Reconnaissance Lesson

A perimeter security architecture that is entirely visible communicates its layout to any adversary conducting pre-attack reconnaissance. The Metcalf attackers demonstrated knowledge of the substation's telecommunications infrastructure — specifically which vault to access to silence the alarm before the attack. This knowledge came from prior reconnaissance that identified the single-pathway alarm communications system.

Visible security deters opportunistic threats. Covert security detects the sophisticated attacker who has calibrated their behaviour to avoid triggering the visible measures. The correct balance: visible perimeter CCTV and guard patrols for deterrence, combined with buried DAS, thermal imaging operating in passive mode, and covert acoustic detection for detection of the attacker who has assessed and planned to avoid the visible elements.

3.3 Technology and Human Integration — Three Failure Modes

Alert fatigue: A detection system generating more alerts than the SOC can review produces a condition where alerts are ignored — not because they are false but because there are too many to process. The County Mayo water utility attack was detected not by any monitoring system but because the pump stopped working (CISA AA21-042A). The PLC had no alert threshold configured for authentication anomalies. Alert fatigue prevention requires tuned thresholds, tiered escalation distinguishing routine events from urgent ones, and staffing ratios allowing human review of each high-confidence alert within a defined response time.

Technology dependence without contingency: The Oldsmar water plant attack (February 2021) disabled the TeamViewer remote access interface, requiring physical attendance at the pump station for restoration. A security architecture assuming continuous technology availability without a documented manual fallback has a single point of failure in that technology's availability. Every security technology must have a documented degraded-mode procedure maintaining core security function when the technology is unavailable. Source: CISA Alert AA21-042A.

Automation without pre-authorised response: Automated response systems function only when their response actions are pre-authorised. A detection system generating an alert that requires human decision-making before any protective action will not provide protection within the decision window of a fast-moving threat. Pre-authorised automated responses — shelter-in-place on drone detection, lockdown on forced door alarm, vendor credential revocation on session anomaly — must be part of the security design.

Principle 4 — Minimum Necessary Access, Continuously Reviewed

THE PRINCIPLE: Every individual — employee, contractor, vendor, visitor — must have the minimum access required for their specific current role, continuously reviewed, and immediately revoked when that role changes or ends. The risk is not the access control technology — it is the process that maintains the access rights list in a current and accurate state. The Target, SolarWinds, and County Mayo breaches were all access control failures. None required defeating any physical barrier.

4.1 Vendor Access — The Highest Risk Category

Vendor access represents the highest-risk access category because it is less monitored, less frequently reviewed, and more likely to involve standing credentials persisting beyond the operational requirement. The documented evidence:

Target 2013: Fazio Mechanical Services HVAC vendor held standing VPN credentials for remote monitoring of Target's building management system. Those credentials were compromised and used to pivot from the BMS network to the payment card network, exfiltrating 40 million payment card records over six weeks. Documented consequence: USD $292 million (Target Form 10-K, FY2014). The standing credential — not a novel exploit, not a zero-day — was the entire attack pathway. Contract-end revocation of the credential would have prevented it entirely.

County Mayo 2023: The Unitronics PLC was internet-accessible with the factory default username and password unchanged since installation — a vendor-default credential that the operator had never changed. CVE-2023-6448, CVSS 9.8 Critical. The attack required a Shodan query, a browser, and the factory manual. Cost of prevention: zero. Consequence: national NCSC-IE audit programme, 180 households without water for two days.

Zero-standing-access architecture requires five controls — all process requirements rather than technology procurements:

  • Per-session credential issuance: vendor credentials generated by PAM system (CyberArk, BeyondTrust) for session duration, automatically voided at session close. No vendor holds standing credentials between sessions at any time.

  • Session recording: full keystroke logging and screen capture from session open to session close, stored on isolated logging server for minimum 12 months. Provides complete forensic record of every vendor command.

  • Time and scope limitation: each session authorised for a defined time window and defined operational scope. Commands outside scope trigger an alert. Sessions beyond the authorised window are automatically terminated.

  • Physical access escorted: vendor physical access to Zone 2 and Zone 3 escorted throughout. No vendor left unescorted in a restricted area regardless of task.

  • Contract-end revocation: all vendor accounts explicitly voided — not deactivated, voided — from the PAM system at contract end. Quarterly access review confirms no standing credentials for vendors whose contracts have expired. This is the specific control that would have prevented Target 2013.
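A small model of this lifecycle, added here as an illustration and not the paper's code or any PAM product's API (CyberArk and BeyondTrust expose their own interfaces). It models four of the five controls: per-session credentials that never outlive the contract, session recording, time and scope limits, and contract-end voiding with a quarterly review that catches the standing credential nobody revoked. Escorted physical access is procedural and not modelled. Vendor names, dates and command classes are constructed.

```python
"""Zero-standing-access vendor credential lifecycle, as a small model.
Added example; not code from the paper and not any PAM product's API.
Vendor names, dates and command classes are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Session:
    vendor: str
    credential: str            # set to None when voided
    expires: datetime          # authorised window end, never past contract end
    scope: frozenset           # command classes authorised for this session
    log: list = field(default_factory=list)   # session recording
    closed: bool = False

class VendorAccessRegister:
    def __init__(self):
        self.contracts = {}    # vendor -> contract end date
        self.sessions = []
        self._seq = 0

    def register_contract(self, vendor, ends):
        self.contracts[vendor] = ends

    def open_session(self, vendor, now, window, scope):
        """Issue a per-session credential; no active contract, no credential."""
        ends = self.contracts.get(vendor)
        if ends is None or now > ends:
            raise PermissionError(f"{vendor}: no active contract")
        self._seq += 1
        session = Session(vendor, f"tmp-{vendor}-{self._seq}",
                          min(now + window, ends), frozenset(scope))
        self.sessions.append(session)
        return session

    def execute(self, session, now, command_class, command):
        """Record every command; alert on out-of-scope; refuse past the window."""
        if session.closed:
            raise PermissionError("session already closed")
        if now > session.expires:
            self.close_session(session, now, "window_expired")
            raise PermissionError("authorised window exceeded")
        session.log.append((now, command_class, command))
        if command_class not in session.scope:
            return ("ALERT", "out_of_scope", command)
        return ("OK", command)

    def close_session(self, session, now, reason="normal"):
        session.closed = True
        session.credential = None            # voided, not merely deactivated
        session.log.append((now, "session_closed", reason))

    def end_contract(self, vendor, now):
        for session in self.sessions:
            if session.vendor == vendor and not session.closed:
                self.close_session(session, now, "contract_end")
        self.contracts.pop(vendor, None)

    def quarterly_review(self, now):
        """Vendors still holding a live credential without a current contract."""
        return sorted({s.vendor for s in self.sessions if not s.closed
                       and (s.vendor not in self.contracts or self.contracts[s.vendor] < now)})

def run_scenario():
    """Walk the lifecycle on constructed data and return what was observed."""
    reg = VendorAccessRegister()
    reg.register_contract("hvac-co", datetime(2024, 6, 30))
    t0 = datetime(2024, 3, 1, 9, 0)
    s = reg.open_session("hvac-co", t0, timedelta(hours=2), {"read_bms"})
    out = {"credential": s.credential,
           "in_scope": reg.execute(s, t0 + timedelta(minutes=5), "read_bms", "get temps")[0],
           "out_of_scope": reg.execute(s, t0 + timedelta(minutes=6), "write_setpoint", "set 30C")[0]}
    try:
        reg.execute(s, t0 + timedelta(hours=3), "read_bms", "get temps")
        out["after_window"] = "allowed"
    except PermissionError:
        out["after_window"] = "refused"
    out["voided_after_close"] = s.credential is None
    # A session opened the day before contract end, with nobody running
    # end_contract: the standing credential the quarterly review must catch.
    reg.open_session("hvac-co", datetime(2024, 6, 29), timedelta(hours=72), {"read_bms"})
    review_day = datetime(2024, 7, 15)
    out["review_before"] = reg.quarterly_review(review_day)
    reg.end_contract("hvac-co", review_day)
    out["review_after"] = reg.quarterly_review(review_day)
    try:
        reg.open_session("hvac-co", review_day, timedelta(hours=1), {"read_bms"})
        out["post_contract_open"] = "allowed"
    except PermissionError:
        out["post_contract_open"] = "refused"
    return out

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two design choices worth noting: the session window is clamped to the contract end at issue time, so a credential can never be valid after the contract even if nobody acts, and the quarterly review is defined as a query over live credentials against current contracts rather than a checklist, so it finds the case the process missed rather than confirming the case it handled.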

4.2 The Three Access Tiers — ASIS PSC.1-2012

Need to access: The individual requires access to this zone to perform their specific current function. No alternative pathway allows them to perform that function without entering the zone. This is the correct basis for access grant. An HVAC engineer requires access to the plant room. They do not require access to the server room. A building contractor requires access to the building exterior. They do not require access to the control room.

Good to know: The individual would benefit from access but can perform their function without it. This is not a basis for access grant — it is a basis for sharing information through appropriate documented channels. Senior management requiring visibility of security operations data do not require physical access to the SOC — they require a reporting mechanism.

Need to go: The physical equivalent of need to know — the individual must physically enter the zone. This classification must be applied at zone level, not at site level. A person may have need to go to Zone 2 (building interior) but not Zone 3 (server room). Zone access rights must be assigned at the granular zone level, not at the level of 'has site access.'

Source: ASIS PSC.1-2012: Section 6.4 (Access Control). IEC 62443-2-4:2015: Vendor access security. Target breach: US Senate Commerce Committee Kill Chain Analysis, March 2014. Target Form 10-K FY2014. CISA AA23-335A (County Mayo), December 2023.

Principle 5 — Detection Must Be Actionable

THE PRINCIPLE: A detection event that does not produce a response within the cumulative delay time of the remaining security layers has no security value. Detection capability must be specified against response capability: what is detected, at what range, with what probability, in what time, communicated to whom, triggering what response, with what expected arrival time. Any detection system whose alert cannot be actioned before the attacker achieves their objective is a recording system, not a security system.

5.1 CCTV Performance Specification — BS EN 62676-4:2015

Physical security CCTV procurement must specify operational performance parameters, not product names or feature lists. BS EN 62676-4:2015 (Video Surveillance Systems — Application Guidelines) provides the performance specification basis:

Detection grade (D) — 0.04 pixels/mm: A person entering the monitored area is detected. Wide-area overview at Zone 0 and outer perimeter. Confirms presence — does not support identification.

Observation grade (O) — 0.125 pixels/mm: A person's actions can be observed. Zone 1 boundaries and public access areas. Activity is assessable — a person approaching a vehicle, handling an object, or interacting with infrastructure can be monitored.

Recognition grade (R) — 0.25 pixels/mm: A previously known person can be recognised. Zone 1 to Zone 2 transition points. Faces distinguishable but not necessarily identifiable without prior knowledge.

Identification grade (I) — 1.25 pixels/mm minimum: An unknown person can be positively identified. Minimum 4 megapixel resolution at operational range. Required at all controlled access points, Zone 2/Zone 3 boundaries, and SOC monitoring positions.
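Whether a given camera delivers a grade at a given range is a geometry calculation: horizontal pixels divided by the scene width the lens covers at that range. The following is an added example that performs that check against the pixels/mm thresholds quoted above; it is not code from the paper or from the standard, and the camera parameters (sensor resolution, horizontal field of view, range) are constructed inputs.

```python
"""Camera placement check against the BS EN 62676-4 grades quoted above.

Added example, not code from the paper or from the standard. Grade thresholds
are the pixels/mm figures the section states; the camera parameters (horizontal
resolution, horizontal field of view, range) are constructed inputs.
"""
import math

# (grade, minimum pixels/mm) as stated in the section, strictest first.
GRADES = [("Identification", 1.25), ("Recognition", 0.25),
          ("Observation", 0.125), ("Detection", 0.04)]
IDENTIFICATION_MIN_PIXELS = 4_000_000   # "minimum 4 megapixel" at operational range


def scene_width_mm(hfov_deg, distance_m):
    """Width of the scene covered by the sensor at distance_m, in millimetres."""
    return 2 * distance_m * 1000 * math.tan(math.radians(hfov_deg / 2))


def pixel_density(h_pixels, hfov_deg, distance_m):
    """Horizontal pixels per millimetre of scene at the given range."""
    return h_pixels / scene_width_mm(hfov_deg, distance_m)


def grade_for(density):
    """Highest grade whose threshold the density meets, or None below Detection."""
    for name, threshold in GRADES:
        if density >= threshold:
            return name
    return None


def max_range_m(h_pixels, hfov_deg, grade):
    """Furthest range at which the camera still delivers the requested grade."""
    threshold = dict(GRADES)[grade]
    width_mm = h_pixels / threshold              # widest scene that still meets it
    return width_mm / (2 * 1000 * math.tan(math.radians(hfov_deg / 2)))


def meets_identification(h_pixels, v_pixels, hfov_deg, distance_m):
    """Identification grade needs both 1.25 px/mm and a 4 MP sensor."""
    return (h_pixels * v_pixels >= IDENTIFICATION_MIN_PIXELS
            and pixel_density(h_pixels, hfov_deg, distance_m) >= dict(GRADES)["Identification"])


if __name__ == "__main__":
    # Constructed camera: 2688 x 1520 sensor, 30 degree horizontal field of view.
    for dist in (3, 5, 10, 40):
        dens = pixel_density(2688, 30, dist)
        print(f"{dist:>3} m: {dens:.3f} px/mm -> {grade_for(dens)}")
    print(f"Identification holds out to {max_range_m(2688, 30, 'Identification'):.2f} m")
```

The point the numbers make is that grade is a property of camera, lens and placement together: the same 4 MP, 30-degree camera is Identification grade at 3 m, Recognition at 5 m and Observation at 40 m, so a specification that names a product without a range has not specified a grade.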

5.2 Complementary Detection Technologies

Thermal imaging — FLIR Triton F-Series: Cooled MWIR thermal imaging: detection range 10+ km for human-size target; recognition range 2-4 km; operates in complete darkness, fog, and precipitation. Slaved to radar track, the camera slews automatically to the detected target's predicted position, providing identification confirmation within 2-3 seconds of radar alert. Addresses the core limitation of optical CCTV: degraded performance in adverse conditions.

Fibre-optic DAS — Fotech Helios: Distributed acoustic sensing cable buried in perimeter fence foundation. Detects vibration from footsteps, fence cutting, digging, and vehicle movement along its entire length, with approximately 5-metre location accuracy. Functions in complete darkness, unaffected by weather. 24/7 perimeter monitoring with alert to PSIM. At Metcalf, Helios DAS would have detected the attackers' approach to the substation perimeter in darkness before the telecommunications were cut — generating an alert 31 minutes before the first shot rather than 19 minutes after.

Acoustic gunshot detection — ShotSpotter class: Detects and locates rifle fire within 1-2 seconds with approximately 10-metre accuracy, regardless of lighting conditions. Integration with PSIM triggers automatic PTZ camera slew to the detected firing position. At Metcalf, acoustic gunshot detection integrated with independent communications would have reduced the 19-minute uninterrupted engagement window to the law enforcement response time from first shot — regardless of whether the fibre-optic cable had been cut.

5.3 Response Architecture — Three Levels

Level 1 — Automated response (seconds): Pre-authorised actions triggered without human decision: zone lockdown on forced entry alarm, shelter-in-place notification on drone detection, vendor credential revocation on session anomaly, access denial on repeated authentication failures. These execute within seconds of the triggering event. A fast-moving threat whose decision window is measured in seconds cannot be addressed by a response that requires human authorisation.

Level 2 — Security operations centre response (2-5 minutes): Human-assessed alert triggering coordinated response: guard dispatch to investigate perimeter detection event, duty manager notification on Zone 3 after-hours access, law enforcement contact for events above site security authority.

Level 3 — Emergency response force (minutes to tens of minutes): Law enforcement, fire, or specialist response for events exceeding site security capability. Requires pre-established notification protocols, site access arrangements for emergency vehicles, and designated coordination points. Pre-established protocols — not improvised phone calls — determine whether the response force arrives in 8 minutes or 18 minutes. ISO 22301:2019 Clause 8.4.4 requires plans to be tested at minimum annually.

Source: BS EN 62676-4:2015: Video Surveillance Systems — Part 4: Application Guidelines. FLIR Triton F-Series product specification 2024. Fotech Helios DAS technical overview 2024. Metcalf engagement timeline: FERC Order 802, November 2014.

Principle 6 — Investment Decisions Require Documented Consequence Data

THE PRINCIPLE: A security investment decision justified by a modelled risk reduction percentage is not a financial analysis — it is an opinion. A security investment decision justified by the documented consequence cost of the risk it addresses and the documented installation cost of the countermeasure is an engineering-grade cost-benefit calculation that will withstand audit, board scrutiny, and post-incident examination.

6.1 The Cost Asymmetry — Primary Source Data

Metcalf substation (2013): Confirmed consequence: USD $15.4 million direct repair costs (FERC Order 802; Senate testimony Commissioner Wellinghoff, March 2014). Cooling fin screening and independent communications for a single substation: approximately USD $200,000-500,000 based on current US and European contractor pricing. Countermeasure cost as percentage of consequence: 1.3%-3.3%. The investment required to prevent the confirmed consequence is between 1% and 3% of that consequence.

County Mayo water utility (2023): Confirmed consequence: loss of water supply to 180 households, national NCSC-IE audit programme, estimated EUR 50,000-500,000 in national response costs. Cost of prevention: zero — changing the factory default password costs nothing. This is the most economically irrational security failure in the documented record: a zero-cost control not implemented, producing a six-figure national response. The failure mechanism is not economic — it is awareness and process.

Target Corporation (2013): Confirmed consequence: USD $292 million (Target Form 10-K, FY2014). Cost of prevention: zero-standing-access vendor management is a process cost, not a technology procurement. Contract-end credential revocation requires a quarterly audit process and a PAM system — total annual cost for a large organisation: EUR 20,000-80,000. As a percentage of the confirmed consequence: 0.007%-0.027%.

SolarWinds (2020): Confirmed direct consequence: USD $40 million (SolarWinds Form 8-K). US government remediation: USD $90-100 million (GAO-21-354). Build server Zone 3 isolation: a network architecture decision and a dual-person access process — capital cost approximately USD $50,000-200,000. As a percentage of direct consequence: 0.1%-0.5%.

6.2 The Regulatory Cost Dimension — Post-2022

The investment case for physical security under the current European regulatory framework has two cost components on the non-investment side: the direct consequence cost of the security event and the regulatory fine that may follow it. Both must be included in the cost-benefit calculation.

  • NIS2 Article 32 enforcement: fines up to EUR 10 million or 2% of global annual turnover for essential entities, whichever is higher. Personal liability for senior management established by Article 32(6).

  • GDPR Article 83: fines up to EUR 20 million or 4% of global annual turnover for data protection failures with a physical security dimension — including physical access to personal data processing environments.

  • CER Directive S.I. 559/2024: enforcement mechanisms for operators of critical entities in eleven sectors who fail to implement Article 12/13 all-hazards risk assessment and proportionate resilience measures.

An organisation investing EUR 500,000 in physical security countermeasures to prevent a EUR 100,000 consequence event has made a poor investment. An organisation investing EUR 500,000 to prevent a EUR 100,000 consequence event plus a EUR 5,000,000 regulatory fine has made a reasonable investment decision. The regulatory dimension, absent from pre-2022 security management literature, is now the second financial parameter in every security investment case.

7. The Six Principles as a Unified Framework

The six principles are not independent guidelines — they form a unified engineering framework in which each principle enables the next. Risk Assessment defines the threats that Protection-in-Depth must address. Integration determines how the layers in that architecture are connected. Access Management specifies how zone boundaries are enforced. Detection and Response determines whether breaches of those boundaries are identified and stopped. Investment provides the financial basis for the decisions all five preceding principles require.

Each principle is validated by a documented failure where its absence produced a confirmed consequence. This is not coincidence — it is the method by which engineering principles are established. A principle that cannot be validated against a documented failure is a preference, not a principle.

The six incidents that anchor this paper span 2013 to 2023: Metcalf, Target, SolarWinds, Brussels Airport, Oldsmar, County Mayo. In every case, the principle whose absence caused the failure was understood, documented in a governing standard, and available to be implemented before the event. In every case, the cost of implementation was a fraction of the documented consequence. In every case, the failure to implement was not economic — it was organisational: the risk was not assessed at the level of specificity required to identify the specific control; or the control was identified and not prioritised; or the access rights list was not maintained in a current state.

A physical security design that can articulate its risk assessment basis, its layer architecture, its integration logic, its access management controls, its detection performance parameters, and its investment justification against documented consequence data is an engineering product. A collection of security purchases without this analytical foundation is not.

References and Primary Sources

  1. ISO 31000:2018: Risk Management — Guidelines. Clauses 6.2-6.6. ISO. Geneva. 2018.

  2. ASIS International. PSC.1-2012: Management System for Quality of Private Security Company Operations. ASIS. Alexandria VA. 2012. Reaffirmed 2020.

  3. ASIS International. ANSI/ASIS PAP.1-2019: Personnel Security Standard. ASIS. Alexandria VA. 2019.

  4. NIST SP 800-53 Rev 5: Security and Privacy Controls. Physical and Environmental Protection (PE) family. NIST. September 2020.

  5. IEC 62443-2-4:2015: Security Program Requirements for IACS Service Providers. IEC. Geneva. 2015.

  6. IEC 62443-3-3:2013: System Security Requirements and Security Levels. IEC. Geneva. 2013.

  7. ISO 22301:2019: Security and Resilience — Business Continuity Management. Clause 8.4.4. ISO. Geneva. 2019.

  8. NERC CIP-006-6: Physical Security of BES Cyber Systems. NERC. Effective July 2016.

  9. BSI. BS EN 62676-4:2015: Video Surveillance Systems — Part 4: Application Guidelines. BSI. London. 2015.

  10. FERC. Order 802: Physical Security of the Bulk-Power System. November 2014. [USD $15.4M Metcalf — Senate testimony Commissioner Wellinghoff, March 2014.]

  11. US Senate Commerce Committee. A Kill Chain Analysis of the 2013 Target Data Breach. March 2014.

  12. Target Corporation. Form 10-K Annual Report FY2014. Filed with SEC March 2014. [USD $292M.]

  13. SolarWinds Corporation. Form 8-K. Filed with SEC 14 December 2020. [USD $40M direct.]

  14. US Government Accountability Office. GAO-21-354: Federal Response to SolarWinds and Microsoft Exchange Incidents. June 2021. [USD $90-100M government remediation.]

  15. Belgian Federal Prosecutor's Office. Attentat de Bruxelles du 22 mars 2016: Acte d'accusation. Brussels. 2019. [16 killed, 187 injured, attack in unscreened landside zone.]

  16. CISA. Alert AA21-042A: Compromise of Water Treatment Facility (Oldsmar). February 2021.

  17. CISA. Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs (County Mayo). December 2023.

  18. CISA, NSA, FBI, Five Eyes. Advisory AA24-038A: Volt Typhoon. February 2024.

  19. FLIR Systems. Triton F-Series Thermal Security Camera Product Overview. 2024.

  20. Fotech Solutions. Helios DAS Technical Overview. 2024.

  21. Genetec Inc. Security Centre PSIM Platform Technical Overview. 2024.

  22. Williams, T.J. (1992) A Reference Model for Computer Integrated Manufacturing — the Purdue Enterprise Reference Architecture. Purdue University.

  23. European Union. NIS2 Directive (EU) 2022/2555. December 2022.

  24. European Union. CER Directive (EU) 2022/2557. December 2022. Transposed: S.I. 559/2024.

  25. European Union. GDPR: Regulation (EU) 2016/679. April 2016.
