A Security Operation Center (SOC) is a command center facility from which operations and services can be monitored and controlled. It sits at the heart of any facility, with a view to monitoring, detecting, investigating and responding to threats. It does so by employing people, processes, resources and technology to continuously monitor and improve an organization’s security posture. SOCs for important facilities typically contain multiple electronic displays, various control panels, and possibly either a video wall or a large wall-sized display visible from all locations. Most SOCs are manned 24/7, 365 days a year, and have a shift system in place for continuous vigilance and the ease of operators. An SOC may go by different names: Security Operations Room, Control Room, Security Command Center, Command & Control Center, Command & Control Room, etc. For brevity, this article uses Security Operations Center (SOC) and Control Room (CR) interchangeably. The article aims to provide information and initiate discussion on SOCs from the perspective of physical security and security service providers.
A Brief History of SOCs/Control Rooms
In the early 20th century, efficient methods were required to monitor mass production of various products on the assembly line, and control rooms were introduced for this purpose, which significantly improved production levels. The early 20th century also saw growth in electricity usage: grid stations became bigger, with extended capacity, raising the need for control rooms, which improved efficiency and safety alike.
Earlier, pilots flew aircraft using only a map and a compass. This increased the danger of collateral damage or of a pilot becoming lost, which gave rise to central air traffic control rooms.
Control rooms (underground bunkers) also played a crucial role during World War II, where they were not only kept discreet but also served as a meeting place for senior military leaders, e.g., Churchill’s Cabinet War Rooms.
Space missions have also been coordinated through control rooms, where each and every aspect of these missions was monitored, e.g., NASA’s Mission Control Center in Houston. The famous Apollo missions were also monitored from the same place.
Designing a Security Operation Center
Efforts must be made to consider the SOC early in the design and construction phase. This way, you will be able to maximize security and value for money and have a room that is fit for purpose; otherwise, you will find yourself squeezing into whatever space remains, resulting in poor value for the money spent.
The work environment in a control room has a dramatic effect on operators’ performance. No matter how costly the equipment you purchase or how advanced the technology you use, the most important element in a security control room has always been the operators who physically inhabit it and enact responses to various situations. A control room needs to be ergonomically designed to support operators working long shifts. Ample space must be given to access monitors, servers, video walls, etc. Long shift hours necessitate not only comfortable, high-quality seating arrangements (standing desks, chairs, smart sofas, height-adjustable consoles, etc.) but also reachable and rugged equipment that can withstand long use without replacement. It must be kept in mind that comfort should not come at the cost of operational worthiness: alongside operator comfort, equal attention must be given to operational considerations such as quality equipment, cable management, and other power/operational needs. If you wish to build a new control room, it is recommended that you do it with someone who understands the business, has sufficient experience in human factors analysis, and knows what the operators need and what their limitations are. Design standards are available from ISO (the most widely referenced is ISO 11064:2000). ISO’s Principles for the Ergonomic Design of Control Centers include:
Part 1: Principles for the design of control centers
Part 2: Principles for the arrangement of control suites
Part 3: Control room layout
Part 4: Layout and dimensions of workstations
Part 5: Displays and controls
Part 6: Environmental requirements for control centers
Part 7: Principles for the evaluation of control centers
Video Walls/Digital Displays
A video wall is a multi-monitor arrangement composed of a number of computer monitors, video projectors or TV sets that are adjacent or overlapping so as to form a single wide frame. Video walls have become the norm these days; almost all SOCs have them. Not only does a video wall create a common operational picture for everyone, it also contributes to overall situational awareness. The size of the video wall depends on the space available, the number of operators who will man the area, and your budget. Everyone would prefer high-quality displays, but it must be remembered that reducing the pixel pitch results not only in a higher resolution but also in a higher cost. LED video walls can work better for larger distances and larger rooms but are costly, whereas LCD walls are better suited to shorter viewing distances and to any room size. The choice of technology must be based on your precise needs rather than on budget alone.
The cost of automation, equipment and even the SOC’s operators significantly impacts any business; however, if all these elements perform well in thwarting threats, they can reduce cost. Working out what your budget is and what you can accomplish within it is a good place to start. You need to be absolutely clear about what all the items (consoles, technology, hardware, lighting, construction, screens, etc.) will cost so that you are prepared beforehand.
The safety of the control room and its inhabitants should be the prime concern while designing the best control room for any organization. While a safe emergency exit right from the control room must be planned in the design phase, the design must also allow the operators to exit the room safely and in an organized way should an emergency arise. An effective alarm system should also be in place to warn the operators of emergencies.
Adequate Lighting Arrangements
Lighting in an SOC is a tricky affair; however, the following guidelines may help:
• The tasks that operators are required to perform must be kept in mind. These may include reading maps, charts, printed material, video walls, diagnostics, emails, etc. With these tasks in mind, lighting can help promote wellness, reduce stress and increase productivity.
• Dimmable lights may also be provided.
• Natural lighting arrangements can also be looked into.
• Ambient light can also be quite comforting for operators, particularly around consoles in relatively dark settings.
• Having windows in a control room may also be handy and effective; however, some may find them distracting.
• Operators may be given individual dimmable LED lamps for ease of reading.
• Extra maintenance lighting should be available for engineers and technicians when carrying out maintenance.
In a security operations center, selecting consoles from a wide variety of choices may be daunting. Among the many console types available in the market, the four primary console styles are Single Lift, Dual Lift, Split Surface and Single Surface Consoles.
• Single Lift Consoles: Only one set of lifting columns, which raises and lowers the desk, while the monitors can be fixed or moveable through independent adjustments.
• Dual Lift Consoles: Two sets of lifting columns; the first raises and lowers the desk (as in the case of single lift consoles) while the second raises and lowers the monitor array. This allows the monitors to be adjusted independently of the desk movement. These consoles are generally preferred by users.
• Split Surface Consoles: Instead of one surface, this style has two independent platforms. The front one (keyboard platform) holds the keyboard and mouse, while the rear one adjusts separately and holds the monitor(s) and other auxiliary tools or appliances, if required. Both platforms can move independently, and the operator can adjust not only the platforms but also the monitors, which can be either fixed or adjustable.
• Dual Lift Split Surface Consoles: Like split surface consoles, these have split surfaces, but they also have dual lift columns; they function the same way as split surface consoles. The monitors can be either fixed or adjustable.
The main purpose of sight line analysis is to ensure that the consoles are placed in such a manner that the SOC operator is able to see them with minimum head/neck movement. It must also cover the area or field of view within which an operator can see his surroundings without moving his head. More often than not, the height of a video wall will depend on the height of the ceiling. For instance, if an 8×6 video wall has to be placed 6 feet above the ground but the ceiling is only 12 feet high, it may not be possible or appropriate. Besides, where multiple rows of operators work on adjustable-height consoles in one room, the field of view of some operators might be restricted. One possible solution is a tiered floor. All of this requires detailed optimization using the expertise of an experienced designer.
Open Communication / Collaboration
The layout of an SOC must foster easy communication among people from different departments. Furniture and consoles arranged in an open manner can also promote free communication and collaboration. Many SOCs may also have dedicated collaboration spaces such as a mini conference room either within or adjacent to the SOC with clear sightlines to the video wall for meaningful discussions.
Collaboration also concerns how you use the available technology to work together as teams and solve problems; one of the best practices is to standardize on fewer technology tools for collaboration.
Experienced Building Architect
The SOC building architect should be involved in the planning stages, long before the actual building size or location is determined. The architect must have a well-defined plan (with processes) running from predesign through construction to commissioning of the SOC.
An SOC is a place where operators might have to work 24/7 and must therefore be “operator centric”. This requires a detailed understanding of operations: normal state, shift changeover state, emergencies, responses, e-mailing clients and monitoring the overall situation at all times. A good design process will take into account how the operators working there will perform their tasks in each state.
The seating that the operators use has to be extremely good, not just standard office seating, as it has a direct impact on the operators’ health and performance. It is best to have office chairs that have multiple adjustments and are made of quality material with very substantial foam backing and cushioning.
Since each company has unique operational requirements, each should have an independent analysis of how its operations center should be designed. Copying from another company is not advisable, although reinventing the wheel is not desirable either. The SOC should also have room for future expansion of people and equipment.
Don’t design a control room without considering the changes that will inevitably occur over time. Technology is changing so rapidly that it will not be long before what you use in your control room becomes obsolete.
Technologies in a Security Operations Room
Big Data Management
Data flow in this information age is extremely fast and complex, putting extra demand on SOCs to streamline their flow of information. High volumes of data are received these days, in multiple formats, which requires extremely powerful visualization tools to sift, collate and display the data. Operators in an SOC need to be able to monitor, process and interpret this large amount of data, information and visuals from multiple sources for faster collaborative decision-making.
High Performance Workstations with IP-Based KVM Switching Capability
Security control rooms must have sophisticated KVM (keyboard, video and mouse) switching so that multiple workstations can easily be accessed and monitored. The latest IP-based KVM switches (a hardware-based solution that allows interconnection of a large number of servers) provide access to remote servers, workstations, touch control systems, video wall controllers and a number of other systems running on the same network and talking the same ‘language’. Once these multiple technologies are integrated into an IP-based connectivity solution, it is not only easier but also faster to switch between multiple displays and desktops, share critical visuals (on a video wall) and have the system assist with timely responses to critical events.
LED Video Walls
To keep large video walls operational, the system requires high-speed processing machines that enable video signals to be scaled to meet display requirements, which could be single, dual or multi-screen display formats, at the best possible resolution while keeping network bandwidth in mind. Besides, LEDs do not take up much space compared to traditional projection systems and can offer up to 8K resolution. In addition, they can display better imagery with the help of HDR and QLED.
Having streamed audio in a control room is not a necessity, but it may improve communication between operators, who will be able to collaborate better using the data and media they have access to.
Enhanced Security Requirement
Such a hefty amount of data streaming into an operations center also paves the way for an increased number of security attacks. Hence, security precautions and firewalls must continually be improved, as hackers will come up with varying ways to create problems.
Modular and Open Architecture
A video wall may initially have only a few displays fed by a dozen cameras but should be able to expand easily to hundreds of inputs on up to 64 displays. Starting with such a modular system lets you start small and expand incrementally while remaining within budgetary constraints.
Functions of SOC/Responsibilities of Operators in SOC
An SOC is an incident management focal point for responding to emergencies and liaising with LEAs and other agencies. It should be able to fully monitor and control all security and safety systems, e.g., CCTV sources supplied in real time. Continuous monitoring of, and timely and effective response to, changing operational developments is the basic function of any SOC. Operators in the control room should have a real-time update of the complete security situation, obtained from different sources across all locations, at any given time. They are certainly not engineers or even technicians who fix complex problems; however, they must at least have sound familiarity with the integrated systems deployed in the control room. Some of the functions to be performed by these operators are:
• Carrying out daily system checks including but not limited to camera status, video resolution, and monitors and displays being in working condition.
• Ensuring that the recording system is functional and proactively monitoring CCTV cameras with a view to reporting any unusual activity to the SOC manager/Duty Officer, who in turn will immediately inform senior management, if required.
• Monitoring that the guard shifts are changing and reaching their respective duty locations on time.
• Monitoring complete security, communications, and fire/life safety systems within the designated region with the help of available monitoring systems.
• Monitoring vehicle and staff movements via geolocation software, if required.
• Responding to incidents and dispatching QRFs or ambulances promptly wherever required.
• Monitoring the movement of QRFs and ambulances through the Vehicle Tracking System (VTS), if available.
• Monitoring video feeds from all available cameras every 5 minutes to ensure nothing is skipped. If any incident needs further investigation, operators must be able to retrieve the recorded video footage from the backup storage.
• Preparing various reports and returns and emailing them both internally (to own office staff) and externally (to clients/other stakeholders).
• Monitoring and gathering information from multiple sources and preparing it for the SOC manager’s review.
• Informing project managers (internal staff managing multiple clients) about any incidents happening in their respective projects.
• Ensuring documentation of all routine as well as unusual events with the clients / in the Area of Responsibility (AOR) through incident reports, shift reports, or other established methods.
• Keeping an eye on incidents / protests happening in the city with a view to sending timely advisories to clients and other stakeholders.
• Keeping all clients abreast of the latest security situation in the country and in their Area of Responsibility (AOR) in particular.
• Maintaining control of all equipment and keys in the SOC.
• Recording warnings sent by the checking teams in a centralized database for record and future retrieval.
• Ensuring that the project managers are taking action on the warnings issued to their respective work force.
• Ensuring operational worthiness of all control room equipment and gadgetry.
• Keeping the senior management informed of any unusual activity through the fastest available means.
• Thinking ahead, identifying and recommending improvements to overall security operations.
• Training new incoming operators and explaining to them the equipment and correct procedures in place.
• Continuous proactive monitoring.
• Carrying out any other duty/operational task as directed by the SOC manager or senior management.
Security and Access Control in the Security Control Room
An SOC has a number of critical operational activities going on, which are to be known to people on a need-to-know basis. Hence, access to the SOC must be restricted; this can be achieved by maintaining a list of people who can enter the SOC and by regularly updating and monitoring visitors’ access. Access control can also be achieved by having a written policy under which visitors’ access requires a valid reason duly authorized by the SOC manager.
Visitors must be escorted inside the SOC and must not be left alone, and the visitors’ log must be updated regularly. In addition, all visitors should have a clearly identifiable visitor ID so that others know they are visitors and authorized to be there. Information on displays in the SOC should be restricted while visitors are present, and the volume of all radio equipment should be kept to a minimum. The SOC should also have a biometric access control system (eye scanner, fingerprint reader, etc.) as an additional security layer.
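One way to check the access rules described above against a door controller export, as an added example that is not part of the original article; the badge IDs, log layout, manager badge and finding names are all constructed for illustration.

```python
import csv
import io

# Constructed sample data; every badge ID and field name is hypothetical.
AUTHORISED_STAFF = {"S001", "S002", "S003"}   # list of people who may enter
SOC_MANAGER = "S001"                          # only this badge may approve visitors

# Visitors' log: badge -> stated reason, approving badge, escorting staff badge.
VISITOR_LOG = {
    "V100": {"reason": "UPS maintenance", "approved_by": "S001", "escort": "S002"},
    "V101": {"reason": "", "approved_by": "", "escort": "S003"},
}

# Door controller export (constructed): time, badge, direction.
DOOR_EVENTS = """\
08:00,S002,IN
08:05,V100,IN
08:40,S002,OUT
08:55,V100,OUT
09:10,V101,IN
09:30,X999,IN
"""


def audit(events_csv, staff, visitors, manager):
    """Replay door events in order; return (time, badge, finding) tuples."""
    inside = set()
    findings = []
    for row in csv.reader(io.StringIO(events_csv)):
        if len(row) != 3:          # skip blank or malformed lines
            continue
        time, badge, direction = row
        if direction == "OUT":
            inside.discard(badge)
            # A departing escort must not leave their visitor alone in the SOC.
            for v in sorted(inside):
                if v in visitors and visitors[v]["escort"] == badge:
                    findings.append((time, v, "LEFT_UNESCORTED"))
            continue
        inside.add(badge)
        if badge in staff:
            continue
        entry = visitors.get(badge)
        if entry is None:          # neither on the staff list nor in the visitors' log
            findings.append((time, badge, "NOT_ON_ANY_LIST"))
            continue
        if not entry["reason"] or entry["approved_by"] != manager:
            findings.append((time, badge, "NO_VALID_APPROVAL"))
        if entry["escort"] not in inside:
            findings.append((time, badge, "ENTERED_UNESCORTED"))
    return findings


if __name__ == "__main__":
    for finding in audit(DOOR_EVENTS, AUTHORISED_STAFF, VISITOR_LOG, SOC_MANAGER):
        print(*finding)
```

Run daily against the real export, the same replay gives the SOC manager a short exception list to review instead of the full visitors' log.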
There are numerous benefits to having an SOC within an organization, including but not limited to centralized control and visibility, continuous monitoring, rapid response ability and, most importantly, improved collaboration. Though it might be expensive to maintain a 24/7 SOC, the benefits accrued far outweigh the cost incurred. An effective SOC can also help an organization save money by reducing the risks that could have materialized without one.