A bigger picture view of critical national infrastructure
From energy to telecommunications, banking to transport, the UK’s reliance on its critical national infrastructure is indisputable. Securing our country’s valuable network of crucial supplies – including those which originate abroad – is essential, particularly in the face of the continued threats of terrorism and natural disaster.
There is a growing awareness across Europe of the need to ramp up protection of our critical national infrastructure sites and associated resilience planning against the threat of terrorism, criminal activity – like metal theft – and environmental threats. This is not just on a state-by-state basis but also, crucially, at a wider – big picture – trans-national level. In today’s ‘global village’ there are a wide array of critical infrastructure elements, so-called ‘choke points’, whose footprints stretch well beyond the neat confines of a single country’s border, whether we are talking about telecoms, energy plants, banking, water or transport hubs/connections. You could have a power station in France that also supplies Belgium. Or, in the case of the UK, gas pipelines coming in from as far afield as Norway. So although the gas pipeline could be defined as part of the UK’s critical national infrastructure, it is not fully under UK jurisdiction.
Crossing Borders
This reality on the ground means that there is a pressing case for stronger international cooperation and the sharing of best practice. A concrete illustration of this imperative is the European Council Directive 2008/114/EC, which relates to the identification and designation of European Critical Infrastructure (ECI), and is currently going through a wide ranging revision process. While Europe now recognises that there is a great deal of interdependency between countries in terms of critical national infrastructure, ultimately, how this is looked after still relies very much on the right things happening at the national level. As a starting point, a country’s government has to identify and make arrangements to protect infrastructure within its borders. In the UK we have the CPNI (Centre for the Protection of National Infrastructure), established in 2007, to take the lead on this. Other countries have equivalent bodies, although the format may, necessarily, differ from territory to territory to reflect local conditions.
Risk Management
When a site or infrastructure is singled out as ‘critical’, it is for each country to decide what to do about it. The same basic principles will apply whether we are talking about Spain, Germany, Serbia or the UK. Typically, most critical infrastructure is now privately owned or privately operated, so public and private co-operation and co-ordination is definitely the way forward. In practice, the relevant body like the UK’s CPNI will provide confidential advice to a site’s owner on what needs to be done. It is then up to the operator to buy in the appropriate security package. This security package should have, at its foundation, a risk-based analysis of the threats that the site is likely to face, any specific vulnerabilities that require extra attention and, crucially, the potential impacts. By fully appreciating the risks, it is then possible to make informed decisions to identify, select and prioritise the appropriate counter measures for a graduated response. You may have something like a nuclear power station where there are, necessarily, strict safety and security rules as a minimum, with layers of protection built on top of that to reflect the current threat level, which can change significantly over time. Ultimately, it is the remit of each country to determine its own critical national infrastructure and, of course, information about this is necessarily confidential.
Specifying Security
For critical national infrastructure protection, I would suggest that a good starting point is to step back and think about it as being built on three interrelated pillars. A weakness in any one of these pillars will, potentially, bring the others tumbling down. These are, in turn, prevention, preparedness and response/ recovery (resilience). Protecting the electricity grid and power stations and other critical elements is, of course, no easy task, in light of the geographically extensive nature of this infrastructure. Given this, it is perhaps not surprising that we are seeing a diverse array of ever more sophisticated security techniques being employed in the field. The most visible are physical asset protection measures, like ditches, perimeter fencing, bollards and lighting.
On the electronic security front, techniques like video analytics, high definition CCTV, rapidly deployable CCTV towers – (which can be moved to key hotspots for added security), thermal imaging, fence-line sensors and biometrics-based access control, are all coming to the fore. Given the imperative to keep the lights on, now more than ever, security solutions in this area need to actively detect and deter attacks. Cyber security is also high on the agenda thanks to the rise in virtual targeting of national critical infrastructure by state and individual operators. In addition, throughout Europe, there is a strong recognition that private security services have a pivotal role to play in detecting and preventing attacks through the use of manned guarding and mobile patrols. This is alongside public security services like the military and the police.
Trusted Partners
Considering the specific role of private security services here, it is important that where manned guarding is undertaken for critical national infrastructure this is placed, firmly within the context of a public-private partnership, based around high levels of quality and service. Experience suggests that the optimum solution is one where the private security service provider is working as a ‘trusted partner’ with the public authority and, crucially, the critical infrastructure site owner. The Spanish National Police have a good term – ‘do ut des’ – which encapsulates the need for respect between public and private. For the Spanish it is all about having the right level of trust, a culture of co-operation and working within the right legal framework.
Of course, a wider question in the context of critical infrastructure is, how effective are public and private security partnerships? An example of best practice is Project Griffin. Elsewhere, on mainland Europe, there has been a series of extremely successful security partnership programmes in Germany where the police have asked private security companies, operating mobile patrols around critical infrastructure, to pass on information related to suspect persons and vehicles or unlawful activities. In the case of Düsseldorf alone this has resulted in over 500 reports.
Driving Best Practice
Returning to the subject of trust, it is essential, wherever you are in Europe, that individuals are security cleared/screened and trained to the right level.
The private security service provider also needs appropriate security clearance, transparent corporate governance and should work to high standards. While there is not, as yet, a generic guarding standard for critical infrastructure, the good news is that there is a range of existing sector-specific guarding standards which have a role to play. These include: EN 6502:2007 – security service providers – terminology; EN 16082:2011 – airport and aviation security services; PD ISO/PAS 28007:2012 – ships and maritime guideline for armed security personnel; and ISO 9001 – quality management systems.
Moving forward, the European security sector recognises the pressing requirement to produce a framework that can help governments and critical infrastructure owners, across the continent, to ensure that they have the right quality of guards to provide the right level of protection. For its part the BSIA (British Security Industry Association) is a member of the Confederation of European Security Services (CoESS) – the umbrella organisation for 26 national private security employers’ associations – whose Critical Infrastructure Committee I chair. At CoESS we have developed an essential check-list that can help infrastructure owners and operators to ascertain whether a private guarding company has the potential to be a trusted partner in this mission-critical area. The aspects highlighted by the check-list range from personnel security vetting to whether the guarding company is able to carry out a site risk and threat assessment, has the resources to fulfil their contract and has put in place escalation plans and resilience measures. At a broader level through CoESS we are heavily involved in lobbying and providing on-going best practice advice to public authorities Europe-wide.
Added to this, when there is a human element involved in security, it is imperative that personnel are fully motivated and understand what they are actually there to do. This becomes even more of an issue where critical infrastructure is concerned given the implications if anything is allowed to undermine the heightened security. Consequently, at the BSIA, we were pleased to welcome the publication, last June, of updated guidance on guard force motivation by the UK’s Centre for the Protection of National Infrastructure (CPNI). This is an initiative that we have been actively supporting since the first edition was produced back in 2011.
Interconnected Infrastructure
There is little doubt that in today’s interconnected world, if things go wrong in part of the critical national infrastructure, there are serious ramifications, not just for individual countries where an incident takes place but, potentially, a domino effect leading to Europe-wide disruption. This means that, in future, we are likely to witness an even greater drive for public and private co-operation, and best practice, to build in resilience to ensure the wheels are turning where strategically important European Critical Infrastructure (ECI) is concerned.
Alex Carmichael
Director of Technical Services
British Security Industry Association (BSIA)