Security Penetration Test

Wednesday, 21st December 2022

Trident Manor personnel successfully undertook a covert physical penetration test of a chemical plant in Eastern England. There are many lessons to be learnt by commercial organisations about vulnerabilities to their assets by partaking in this type of evaluation.

Following a request for assistance from a colleague/client an operative with many years of experience in covert activities and surveillance was deployed to a chemical production plant that also undertook R&D activities.

Unlike some other organisations Trident Manor will not deploy personnel without a full risk assessment being undertaken, a briefing taking place where questions can be aired and clarifications provided, and where emergency procedures are agreed upon and confirmed (including abandoning the operation) before deployment.

Prior to the deployment, a site review was undertaken that utilised Google Earth Pro, a crime pattern analysis was undertaken that identified low levels of general crime in and around the target site, and a review of OS materials to understand the nature and character of the organisation and staff working within it.

It was at this point that an effective cover story was devised (relating to a forthcoming environmental audit) and the operative was issued with supporting materials. This included an original letter of authority if the operative was stopped or challenged by staff (including contact telephone numbers), a name badge showing a different photo than the operative, and a forged letter from the CEO of the whole international organisation. (Note: We were able to find a fully letterheaded document from the target organisations online. We downloaded it before converting and doctoring the text to falsely grant the operative full access across the whole site. If we can do this in 15 minutes imagine what a competitor, activist, or criminal could do!)

The following morning (0730hrs) the operative deployed to the plant and finding the main gates to the parking area open they drove in and parked in an empty parking bay. This now meant that the operative was inside the perimeter without any checks, challenges, or barriers. Armed with a high-vis vest, other props, and a clipboard they proceeded to investigate and record details in the grounds between the outer fence and the main plant building.

Upon seeing members of staff driving a forklift truck they waved, and the driver waved back. The driver was asked the way into the building, and he showed a side access door that led directly into the manufacturing area. The operative was able to place markers at different points and photograph them as they walked through the building, confirming that access had been gained.

At one point they were approached by one of the workers who asked what they were doing in the building; the operative showed the fake ID card and the letter from the Chairman before explaining they were there for a pre-audit environmental inspection.

It was great that the worker challenged the operative, but unfortunately, they accepted the badge without examining it and just glanced at the forged document without analysing any of the information that was being provided. To make matters worse the worker then proceeded to give the operative a guided tour of the plant, after providing the correct coloured high-vis vest.

The operative was able to continue to place the markers around the site, including in the area of labs, offices, and manufacturing areas while photographing their progress. The staff member asked the operative to sign out, whereupon they explained that they had not signed in as they entered through the back doors, helpfully the member of staff asked the operative to sign in and then sign out so that procedures had been followed.

The operative was able to leave having successfully completed their task.

Now there may be people reading this sucking their teeth and saying this would never happen at their facility. I would like to think that would be true, but the reality is that Trident Manor has undertaken these types of tests all over the world and unfortunately in over 80% of cases we have been able to penetrate and gain access into areas that should be controlled or are vulnerable.

The purpose of this type of activity is not to embarrass individuals or laugh at the company for having poor security but to test the different layers of security that exist or where there are gaps and vulnerabilities that threats can exploit. In fact, it is highly commendable that a Senior Management Team is prepared to test its systems and check for vulnerabilities in a proactive manner instead of responding once the security has been breached and losses incurred.

When thinking about the activities of the member of staff who approached the operative they actually prevented thefts from occurring by accompanying them. However, if this was an intelligence/information gathering activity then they actually facilitated a more in-depth attack.

This particular test identified vulnerabilities in physical security measures, access control systems, operational practices, and training which can all be addressed without resulting in losses or harm to the organisational assets.

Trident Manor supports all types of organisations in reducing the risks they face from adversarial and non-adversarial threats. We are experts in security risk management and working with clients to proactively prevent threats from causing harm to individuals, operations, reputations, and organisational assets.

For further information about this type of activity or any of the other services offered by Trident Manor please feel free to contact us for a free no obligation consultation.