www.ysecurity.net 1

Jere Peltonen

Estimate of Multiple Adversary Sequence Interruption

Jere Peltonen, CPPlinkedin.com/in/jerepeltonen

JER

E P

ELT

ON

EN

EASI

EASI (Estimate of Adversary Sequence Interruption)

Sandia National Laboratories

U.S. Department of Energy

EASI has been used to analyze e.g. physical security arrangements of nuclear facilities

www.ysecurity.net 2

Jere Peltonen

JER

E P

ELT

ON

EN

What is analyzed?

Structural arrangements

Surveillance

JER

E P

ELT

ON

EN

What are the results?

probability of failure of unauthorized entry

in other words

probability of successful interruption

www.ysecurity.net 3

Jere Peltonen

JER

E P

ELT

ON

EN

EASI

can be used easily to analyze arrangements that follow the principle of concentric protection layers

JER

E P

ELT

ON

EN

EASI / TUREAN

Basic EASI does not calculate alternative routes of entry

TUREAN application of EASI calculates all alternative routes

www.ysecurity.net 4

Jere Peltonen

JER

E P

ELT

ON

EN

Why to use?

To get more reliable information

JER

E P

ELT

ON

EN

Why to use?

Security arrangements cost money

On the other hand, to not use any arrangements can be very costly mistake

We must find the optimum solution, that does not cost too much, but gives adequate protection

www.ysecurity.net 5

Jere Peltonen

JER

E P

ELT

ON

EN

Why to use?

The security expert or manager needs to make his/her case to the people that have the money

He/she must demonstrate the vulnerabilities of existing arrangements

He/she must demonstrate the effectiveness of planned arrangements with regard to protection of assets

JER

E P

ELT

ON

EN

Why to use?

Existing or planned arrangements may be good as such, but the chain is only as strong as its weakest link

TUREAN finds the weakest links

www.ysecurity.net 6

Jere Peltonen

JER

E P

ELT

ON

EN

Why to use?

To get clear numerical information that can be used to

find the existing weaknesses

test the effectiveness of planned arrangements

justify the necessary new arrangements

JER

E P

ELT

ON

EN

Why to use?

TUREAN is an excellent tool for teaching analytical approach

www.ysecurity.net 7

Jere Peltonen

JER

E P

ELT

ON

EN

How to get numerical information?

calculate the probability of successfull detection and alarm

And

calculate the probability that remaining time will be enough to interrupt the entry

JER

E P

ELT

ON

EN

How to get numerical information?

the probability of successful detection and alarm is calculated using the reliability of detection elements and detection-to-response reliability

www.ysecurity.net 8

Jere Peltonen

JER

E P

ELT

ON

EN

Detection elements

anything that may detect the unauthorized entry and execute the alarm (intrusion detectors, local guards, passers-by)

JER

E P

ELT

ON

EN

How to get numerical information?

the probability that remaining time allows interruption is calculated by

adding up delay values of all delay elements, taking into account the real world uncertainties of the values, and

comparing it to the response time value, taking into account the uncertainty

www.ysecurity.net 9

Jere Peltonen

JER

E P

ELT

ON

EN

Delay elements

Anything that may delay the intruder (door, window, wall, fence, lock, etc.)

JER

E P

ELT

ON

EN

3 most essential terms

Delay

Detection

Response time

www.ysecurity.net 10

Jere Peltonen

JER

E P

ELT

ON

EN

Other terms

Probability

Normal distribution

Expected value

Standard deviation

Type

Sequence of events

Zone

Intrusion route

JER

E P

ELT

ON

EN

Concentric layers of protection

GATEDOOR

DOORWINDOW

WINDOW

SAFE

FENCE

www.ysecurity.net 11

Jere Peltonen

JER

E P

ELT

ON

EN

Intrusion route

JER

E P

ELT

ON

EN

Sequence of events

12

3

45

67

www.ysecurity.net 12

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events(=alternative routes)

12

345

67

3

1

3

5

1

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

1 Crossing the fence

1 Locked gate

1 Through the fence

1

1

1

www.ysecurity.net 13

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

123

45

67

3

1

3

5

1

2 Moving across the yard

1

1

1

2

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

3 Making a hole

3 Window

3 Locked door

1

1

1

2

3

3

3

www.ysecurity.net 14

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

4 Moving inside

1

1

1

2

3

3

3

4

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

5 Making a hole

5 Locked door

1

1

1

2

3

3

3

45

5

www.ysecurity.net 15

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

12

34567

3

1

3

5

1

6 Moving inside

1

1

2 3

3

45

56

1 3

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

7 Safe

1

1

1

2

3

3

3

45

56 7

www.ysecurity.net 16

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

8 Going back the same or different route

1

1

1

2

3

3

3

45

56 7 8

JER

E P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

1

1

1

2

3

3

3

45

56 7 8

18 ALTERNATIVE INTRUSION ROUTES

www.ysecurity.net 17

Jere Peltonen

JER

E P

ELT

ON

EN

Delay

30 s

30 s

Event 1

Total

JER

E P

ELT

ON

EN

Delay

30 s

60 s

90 s

Event 1

Event 2

Total

www.ysecurity.net 18

Jere Peltonen

JER

E P

ELT

ON

EN

Delay

30 s

45 s

60 s

135 s

Event 1

Event 2

Event 3

Total

JER

E P

ELT

ON

EN

Delay

30 s

45 s

60 s

45 s

180 s

Event 1

Event 2

Event 3

Event 4

Total

www.ysecurity.net 19

Jere Peltonen

JER

E P

ELT

ON

EN

Delay, detection

30 s

45 s

60 s

45 s

180 s

Event 1

Event 2

Event 3

Event 4

Total

1st possibility of

detection->detection

JER

E P

ELT

ON

EN

Delay, detection, response time

30 s

45 s

60 s

45 s

180 s

105 s

Response time

Event 1

Event 2

Event 3

Event 4

Total

1st possibility of

detection->detection

www.ysecurity.net 20

Jere Peltonen

JER

E P

ELT

ON

EN

Delay, detection, response time successful interruption

30 s

45 s

60 s

45 s

180 s

105 s

Response time

1st possibility of

detection

Interruption

Event 1

Event 2

Event 3

Event 4

Total

->detection

JER

E P

ELT

ON

EN

Delay, detection, response time ???

30 s

45 s

60 s

45 s

180 s

but NO detection

Event 1

Event 2

Event 3

Event 4

Total

Response time

1st possibility of

detection

www.ysecurity.net 21

Jere Peltonen

JER

E P

ELT

ON

EN

Delay, detection, response time ???

30 s

45 s

60 s

45 s

180 s

1st detection

Event 1

Event 2

Event 3

Event 4

Total

Response time

but NO detection

1st possibility of

detection

JER

E P

ELT

ON

EN

Delay, detection, response time ???

30 s

45 s

60 s

45 s

180 s

105 s

Event 1

Event 2

Event 3

Event 4

Total

Response time

1st detection

but NO detection

1st possibility of

detection

www.ysecurity.net 22

Jere Peltonen

JER

E P

ELT

ON

EN

Delay, detection, response time unsuccessful interruption

30 s

45 s

60 s

45 s

180 s

105 s

Interruption

Event 1

Event 2

Event 3

Event 4

Total

Response time

1st detection

but NO detection

1st possibility of

detection

JER

E P

ELT

ON

EN

Delay, detection, response time

the example uses exact times for the sake of concept simplicity

in the real world, there exists a level of uncertainty that has to be taken into account somehow

www.ysecurity.net 23

Jere Peltonen

JER

E P

ELT

ON

EN

Delay, detection, response time

uncertainty is modelled by assuming that all times follow the normal distribution (Gaussian curve)

JER

E P

ELT

ON

EN

Normal distribution

www.ysecurity.net 24

Jere Peltonen

JER

E P

ELT

ON

EN

Normal distribution

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

= single measurement measurements 0

JER

E P

ELT

ON

EN

Normal distribution ??

= single measurement measurements 10

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

10

value 50 is measured 10 times

www.ysecurity.net 25

Jere Peltonen

JER

E P

ELT

ON

EN

Normal distribution

= single measurement measurements 10

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

10

value 50 is measured 10 times

JER

E P

ELT

ON

EN

Normal distribution

= single measurement measurements 11

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

2 1 1 11 1 1 2 1

value 50 is measured 2 times

www.ysecurity.net 26

Jere Peltonen

JER

E P

ELT

ON

EN

Normal distribution

= single measurement measurements 41

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

5 4 4 3 3 2 2 11 2 2 3 3 2 4

value 50 is measured 5 times

JER

E P

ELT

ON

EN

Normal distribution

= single measurement measurements 86

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

10 9 9 8 5 3 2 1 1 2 11 1 1 2 2 2 4 4 9 81

value 50 is measured 10 times

www.ysecurity.net 27

Jere Peltonen

JER

E P

ELT

ON

EN

Normal distribution

50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6634 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

10 9 9 8 5 3 2 1 1 2 11 1 1 2 2 2 4 4 9 81

= single measurement measurements 86

value 50 is measured 10 times

JER

E P

ELT

ON

EN

Standard deviation

standard deviation is a value that shows how much and how often real world times vary around the expected value

www.ysecurity.net 28

Jere Peltonen

JER

E P

ELT

ON

EN

Standard deviation

+s-s µ

standard deviation 3,8

Real world times vary quite lot and oftenfrom the expected value µ

JER

E P

ELT

ON

EN

Standard deviation

+s-s µ

Real world times vary not so much and not so often as in previous example

standard deviation 2,2

www.ysecurity.net 29

Jere Peltonen

JER

E P

ELT

ON

EN

Type

when delay and detection elements exist at the same event

type tells how much delay has been used before detection

three types in the model

JER

E P

ELT

ON

EN

Type H

no delay before detection

whole delay is calculated

for example: a PIR detector that detects an intruder at the beginning of a hallway

www.ysecurity.net 30

Jere Peltonen

JER

E P

ELT

ON

EN

Type K

half of delay before detection

half of delay is calculated

for example: a PIR detector that detects an intruder when he has moved midway of a hallway

JER

E P

ELT

ON

EN

Type J

all delay before detection

no delay of particular delay element is taken into accounct in calculation

for example: magnetic contacts at a door, which give detection only after the lock has been picked and door opens

www.ysecurity.net 31

Jere Peltonen

JER

E P

ELT

ON

EN

Example

Door

Window

WallSafe

95%/H/7200s/3000s

95%/H/30s/10s

95%/J/300s/100s0%/7200s/3000s

JER

E P

ELT

ON

EN

Example

Door

95%/J/300s/100s

Please note that the terminology in TUREAN screenshots used in this presentation is in Finnish.

The TUREAN tool is available in English also.Check www.yhteisturvallisuus.net or

www.ysecurity.net

www.ysecurity.net 32

Jere Peltonen

JER

E P

ELT

ON

EN

Example

Window

95%/H/30s/10s

JER

E P

ELT

ON

EN

Example

Wall

0%/7200s/3000s

www.ysecurity.net 33

Jere Peltonen

JER

E P

ELT

ON

EN

Example

Safe

95%/H/7200s/3000s!

JER

E P

ELT

ON

EN

Example

Going back

95%/H/60s/20s!

www.ysecurity.net 34

Jere Peltonen

JER

E P

ELT

ON

EN

Example

JER

E P

ELT

ON

EN

Example

Report

www.ysecurity.net 35

Jere Peltonen

JER

E P

ELT

ON

EN

Example

JER

E P

ELT

ON

EN

Example

The worst probability of interruption is with the route that goes through the wall!!

WHY??

www.ysecurity.net 36

Jere Peltonen

JER

E P

ELT

ON

EN

EXERCISE

analyze using the following values

JER

E P

ELT

ON

EN

Alternative events

2

345

67

3

0%/600s/200s

3

50%/60s/20s

0%/120s/20s

1

1

1

1 Crossing fence

1 Locked gate

1 Going through

0% / 600s / 200s 0% / 60s / 20s 0% / 120s / 20s

www.ysecurity.net 37

Jere Peltonen

JER

E P

ELT

ON

EN

JER

E P

ELT

ON

EN

Alternative events

13

45

67

3

1

3

5

1

2 Moving accross the yard

1

1

1

2

0%/60s/10s

0% / 60s / 10s

www.ysecurity.net 38

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

124

567

1

5

1

3 Going through

3 Window

3 Locked door

1

1

1

2

3

3

3

0%/7200s/3000s

95%/J/300s/100s

95%/H/30s/10s

0% / 7200s / 3000s 95% / H / 30s / 10s 95% / J / 300s / 100sJE

RE P

ELT

ON

EN

Alternative events

12

3

567

3

1

3

5

1

4 Moving inside

1

1

1

2

3

3

3

4

95%/H/60s/10s

95% / H / 60s / 10s

www.ysecurity.net 39

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

12

34

67

3

1

3

1

5 Going through

5 Locked door

1

1

1

2

3

3

3

45

5

0%/3600s/1000s95%/J/300s/100s

0% / 3600s / 1000s 95% / J / 300s / 100sJE

RE P

ELT

ON

EN

Alternative events

12

345

7

3

1

3

5

1

6 Moving inside

1

1

2 3

3

45

56

1 3

95%/H/20s/5s

95% / H / 20s / 5s

www.ysecurity.net 40

Jere Peltonen

JER

E P

ELT

ON

EN

Alternative events

12

345

6

3

1

3

5

1

7 Safe

1

1

1

2

3

3

3

45

56 7

95%/H/7200s/3000s

95% / H / 7200s / 3000sJE

RE P

ELT

ON

EN

Alternative events

12

345

67

3

1

3

5

1

8 Going back

1

1

1

2

3

3

3

45

56 7 8

95%/H/300s/100s

95% / H / 300s / 100s

www.ysecurity.net 41

Jere Peltonen

JER

E P

ELT

ON

EN

Other values

response time 900 s / standard deviation 300 s

reliability 95%

JER

E P

ELT

ON

EN

First results

www.ysecurity.net 42

Jere Peltonen

JER

E P

ELT

ON

EN

Sorted and colored result list

JER

E P

ELT

ON

EN

www.ysecurity.net 43

Jere Peltonen

JER

E P

ELT

ON

EN

EXERCISE

the safe is open

delay 0 s, standard deviation 0 s

JER

E P

ELT

ON

EN

Results

www.ysecurity.net 44

Jere Peltonen

JER

E P

ELT

ON

EN

Results

{

JER

E P

ELT

ON

EN

www.ysecurity.net 45

Jere Peltonen

JER

E P

ELT

ON

EN

Questions?

TUREAN tool is available for free at

www.yhteisturvallisuus.netor

www.ysecurity.net