Physical Security

Protect facilities, field assets, and the systems operations depend on.

Systems Risk Advisory helps utilities, local governments, and critical infrastructure organizations assess physical security risks that could affect safety, operations, cyber systems, emergency response, and service continuity.

Why it matters

Physical access can become operational risk.

For critical infrastructure organizations, physical security is not limited to gates and cameras. Unauthorized access to a facility, cabinet, control room, chemical area, radio site, network room, HMI, or engineering workstation can create safety, cyber, operational, and recovery consequences.

A useful physical security review should help leaders understand which sites and assets matter most, where access is weak, what can be improved quickly, and which improvements require budget, policy, or coordination with partners.

Security that reflects real operations

Systems Risk Advisory reviews physical security in the context of how facilities operate, how staff respond, how vendors work, where critical systems are located, and how disruption could affect essential services.

Questions this service helps answer

Know which sites and assets need attention first.

The assessment is designed to help organizations make practical decisions about site security, access control, monitoring, and response.

  • Which facilities, field sites, and assets are most critical to continued service?
  • Where could unauthorized physical access affect operations or safety?
  • Are doors, gates, locks, hatches, keys, badges, and access codes controlled?
  • Do cameras, alarms, lighting, and monitoring support real response needs?
  • Are control rooms, network rooms, cabinets, and engineering workstations protected?
  • Are chemical, backup power, communications, and storage areas secured?
  • Do staff know what to do when an alarm, intrusion, theft, or suspicious activity occurs?
  • Which physical security improvements should be addressed now, next, and later?

Core assessment areas

What we review

Each review is scoped to the organization and the facilities involved. Common assessment areas include the physical and cyber-physical controls that protect people, assets, operations, and recovery.

Facility perimeter and site access

Fencing, gates, barriers, vehicle access, pedestrian routes, signage, exterior doors, hatches, ladders, roof access, and other entry points.

Doors, locks, keys, and badges

Mechanical locks, electronic access control, key control, badge practices, shared codes, contractor access, and procedures for removing access.

Critical assets and spaces

Treatment areas, pump stations, tanks, wells, lift stations, substations, control rooms, server rooms, network rooms, radio sites, and storage areas.

Cameras and monitoring

Camera placement, coverage gaps, recording quality, retention, monitoring expectations, investigation support, and operational use of video.

Alarms, lighting, and detection

Intrusion alarms, door alarms, motion detection, exterior lighting, alarm routing, after-hours notification, testing, and response expectations.

Visitor and vendor control

Sign-in procedures, escorts, contractor access, temporary work, delivery areas, after-hours access, vendor accountability, and site access approval.

Chemicals and hazardous materials

Chemical storage, delivery areas, process chemical access, documentation, separation, monitoring, and response considerations.

Backup power and communications

Generators, fuel, transfer switches, communications rooms, radio equipment, cellular gateways, and other systems needed during disruption.

Response coordination

Internal notification, law enforcement coordination, emergency management coordination, alarm response, incident documentation, and escalation paths.

Cyber-physical risk

Physical security and cybersecurity should not be reviewed in isolation.

Physical access to the wrong location can bypass many cyber controls. A person with access to a control cabinet, network switch, workstation, radio cabinet, server closet, or remote telemetry site may create a cyber or operational pathway that is not visible in a standard IT review.

Systems Risk Advisory looks for these connections so recommendations reflect the way facilities, field systems, OT assets, vendors, and responders actually work.

Common triggers

  • Upcoming AWIA Risk and Resilience Assessment update
  • New facility, pump station, tank, well, lift station, or substation project
  • Concern about unauthorized access, theft, vandalism, or suspicious activity
  • Outdated cameras, locks, alarms, keys, or access control systems
  • Need to brief leadership on physical security priorities
  • Desire to pair physical security review with OT, cyber, or ERP updates

How engagements work

A practical review process

Define the scope

Confirm facilities, field sites, asset types, known concerns, prior assessments, operational constraints, and desired outputs.

Review documents and practices

Examine policies, site lists, access procedures, camera or alarm information, incident history, emergency plans, and existing security controls.

Conduct site assessment

Review selected sites, access points, critical spaces, field assets, monitoring capabilities, response assumptions, and cyber-physical pathways.

Prioritize improvements

Provide findings, practical recommendations, risk-ranked actions, leadership-ready summaries, and optional implementation support.

Deliverables

Clear outputs for leadership and staff.

Deliverables are designed for practical use. The goal is to help the organization understand findings, brief decision-makers, assign owners, and improve security over time.

  • Physical security assessment report
  • Site observations and risk-ranked findings
  • Photo-supported findings when appropriate and authorized
  • Prioritized improvement roadmap
  • Policy, procedure, and access control recommendations
  • Cyber-physical risk notes for OT, network, and control spaces
  • Leadership briefing or board-ready summary
  • Optional action tracker for implementation

Common assessment locations

Built for distributed infrastructure.

Critical infrastructure organizations often operate many sites with different levels of staffing, visibility, and response time. The review can be scoped to the locations that create the greatest operational, safety, or public confidence risk.

Water and wastewater

Treatment plants, pump stations, tanks, wells, lift stations, chemical areas, lab spaces, control rooms, and maintenance yards.

Electric power

Substations, relay and control buildings, switchgear areas, communications sites, field cabinets, and critical support facilities.

Local government and public works

Public works yards, operations centers, fleet areas, storage facilities, emergency support sites, and shared utility or IT spaces.

Related resource

Need a starting point for utility staff?

The Volume 1 Companion Toolkit supports short cybersecurity tasks for remote access, passwords, MFA, and account security. It pairs well with physical security work because access to buildings, cabinets, control rooms, and vendors often connects to cyber risk.

Download the Volume 1 toolkit

Use the toolkit to track tasks, assign owners, and record progress for practical cyber risk reduction.

Related services

Physical security works best as part of a broader resilience program.

Ready to review physical security across critical sites?

Systems Risk Advisory can help assess facility access, remote sites, cyber-physical pathways, and response readiness with recommendations that fit real operating environments.