Staying ahead of threats to CNI
Critical national infrastructure (CNI) is, by its very nature, fundamental to the running of any country. Without the contribution from sectors such as aerospace and defence, society would be severely impacted. It should therefore be no surprise that CNI is a perfect target for those who may wish to cause major disruption or harm.
Threats against CNI may be external or come from the inside and are constantly evolving. The principal threats against CNI include theft or damage to property, assets and materials, unauthorised entry (including terrorist, activist and urban exploration) and cyber-attacks.
CNI therefore needs to be protected against threat and harm, using modern methods and the latest technology, to ensure that critical operations are not disrupted should an attack occur.
Such arrangements need a holistic approach to protect the entire infrastructure, including both physical and cyber security and ensuring that culture, awareness and behaviour among staff, contractors and others, is ultimately driven from the top.
Risk management
Threats and risks faced by CNI need to be continually assessed and updated and this is difficult because of ever-changing circumstances.
Revisions of the UK threat levels relating to potential terrorist attacks also have an impact, with an expectation that security services have the ability to react to these changes instantly.
This means having the resources to upscale security to the appropriate level, depending on the individual CNI environment. Having access to a pool of Suitably Qualified and Experienced Personnel (SQEP), plus a broad range of supporting services (such as canine, which can screen for things like explosives and firearms), as well as being able to rapidly deploy surveillance technology (such as CCTV Towers), allows organisations to effectively react to such demands and build an integrated security solution suitable to mitigate the threat.
Managing ingress and egress
CNI sites take a layered protection approach to security, with security checks kicking in before the perimeter for people, equipment and goods. However, this is frequently not as simple as securing one area, because many sites have multiple entry points, especially larger sites that may have connections via road, rail and ports. It is important that only authorised personnel are admitted to site and that they are adequately screened, without causing any unnecessary delays.
Achieving the standards
To achieve the required standards in CNI environments it is important to adopt intelligent security, using a risk-based approach, backed by specialist people and approved products. Personnel in design, installation and operations need to be suitably and highly qualified to carry out their roles.
Many of these sites are visited by high-profile individuals, making them a target for terrorist activity and regularly selected by protesters. They are also a popular choice for urban exploration. For these reasons it is wise to utilise enhanced security officers (ESOs) on high-risk sites, who can undertake a skilled and informed approach to appease any hostile situations. ESOs are highly experienced (often with ex-military backgrounds) in the de-escalation of hostile situations such as protests.
Likewise, only the highest standard of equipment and technology can be employed because external and insider threats are a real risk given the nature of the work undertaken at some locations. The Centre for the Protection of National Infrastructure (CPNI) is the government authority focused on providing advice and assistance to those who have responsibility for protecting these most crucial elements of the UK’s national infrastructure and to reduce their vulnerability to terrorism and other security threats.
CPNI evaluates security products for use in CNI and government, against specific CPNI security standards to assist organisations to identify the most appropriate physical security equipment. A product may be given a ‘Class’ level grading, meaning it has characteristics that will defend against surreptitious attacks, or a ‘Protection’ level, meaning it shows resistance to forced attacks. Occasionally, a product will be awarded both grades. The CPNI evaluations are set well above the standard expected of a ‘normal’ security product, even the ‘lowest’ grading is an indication of a very capable product.
Improving the security culture together
It is important to have a good security culture in organisations to mitigate against physical, cyber and internal threats. It also ensures that employees are more engaged with security issues and act in a more compliant way. It helps to raise awareness of security issues across all employees, not just security officers, which reduces the risks of security incidents and breaches.
It also improves overall security without the additional need for large expenditure. The CPNI provides crucial guidance and support for those in CNI organisations. This includes marketing materials for use in awareness-raising campaigns and also tools to assess and benchmark security culture, such as a number of survey-based Security Culture Assessment Tools (SeCuRE).
Training
One of the most important contributions to establishing a robust security culture is to invest in training and development, moving the agenda from having security, to having effective security. One of the issues with training, often even more observed in CNI environments, is the need to continuously train for events that might (hopefully) never happen. However, if an incident does happen, it is likely to take place at very short notice and personnel need to quickly apply their expert skills and training.
Working together to achieve the best in a responsible way
The need to establish good relationships with client organisations, partners and stakeholders cannot be overstated. This should include a shared understanding of culture, processes and information to work towards common goals. These partnerships also include those with the local police and other parties to understand risk and situational awareness for activities such as moving an abnormal load. A planning workshop may be carried out to consider every eventuality and ensure all stakeholders will deliver their part of the process.
CNI organisations in particular are vulnerable to both supply chain failures and non-delivery from partner organisations, with any delays having a knock-on effect on overall service delivery. Every single day of missed work can be extraordinarily costly – keeping security present, fully compliant and operational is a requirement for critical infrastructure.
Corporate Social Responsibility (CSR) plays an increasingly important part today in shaping delivery of services, ensuring a positive impact on society and taking account of environmental, social and governance (ESG) criteria. This includes embedding good practices to support sustainability and add social value, encouraging other service providers and their suppliers to do the same.
Noah Price is International Director of the G4S Academy which is responsible for sharing specialist threat and security knowledge. It provides regular, free security bulletins on potential threats, which can be a useful part of security planning. London-based global security company G4S is now part of Allied Universal (since 2021).
For more information on the threats facing CNI and what makes good security: www.g4s.com/en-gb/what-we-do/security-solutions/securing-critical-national-infrastructure