Advertisers
Click here to advertise your jobs
to thousands of job seekers
monthly.
|
|
|
Analysis Careers Ebusiness Education Government ICT Management Legal Issues Security Society Technology Trends Search for Jobs Build a Resume Media Releases Contact Us Privacy Policy Email the Editor IDG registered user login Subscribe to IDG Publications    |
Critical infrastructure protection and the terrorist threat12/10/2004 12:39:54
For decades Australia has, through a mix of isolation and good fortune, been able to avoid the destruction that terrorism can inflict on society. Now, however, with the threat very much a reality, what message must we send to the masters of the bomb and bullet? From critical infrastructure operators the message must be clear, and convey a statement to terrorists that the business sector is determined and prepared to counter their efforts. With the introduction across all states and territories of new legislation to protect against terrorism, there is now a specific compliance requirement that must be met, demanding operators provide measures to both minimise the likelihood of a terrorist incident, and mitigate the resultant damage should such an event occur. Under the terms of the National Counter Terrorism Agreement, Victoria alone has identified and developed a database of more than 600 items of critical infrastructure. The operators of these assets, having been declared Essential Service Providers, are then deemed to require the development of a risk management plan, the main objectives of which are: to prevent terrorist acts in relation to the declared essential service, to mitigate the effects of a terrorist act, to recover the service from a terrorist act, and to ensure continuity of the service at all times. What are the ramifications for those responsible for security within such facilities? With high-profile or trophy buildings often presenting more probable targets, both physical and cyber security has an increased duty of care to address potential security lapses and weaknesses. Managers must examine and consider the nature and the likelihood of a terrorist incident either in their facility, or close by, and take steps to defend against the risks and consequences of such attack. Failure to discharge this duty will leave the company exposed to legal liability, but equally as damning for the business will be the anatomy of blame that follows. This is the resultant expectation that the company should have foreseen the risk, and prepared itself to deal with it. If management wasn't prepared and thus couldn't respond effectively, or effected decisions that worsened the outcome, corporate governance culpability could readily arise. Another emerging legal theory, "negligent failure to plan', can find employers negligent if they do not take reasonable steps to eliminate or diminish known or reasonably foreseeable risks that could cause harm. Following recent terrorist spectaculars, the range of known hazards is widely perceived to have broadened. In fact, all kinds of incidents that could affect an organisation should be considered, and the organisation itself needs to be able to anticipate elevated degrees of danger in order to step up their level of preparedness through suitable response planning. With increasing private sector ownership and management of utilities and essential services, governments are developing a coordinated approach to the protection of critical infrastructure. A policy of nurturing risk management and cooperative planning within the private sector, which integrates disaster recovery planning and business continuity planning, is their preferred methodology. The thrust of this campaign is to place the onus with the private operator and adapt an overseeing role for the assigned government agency to ensure appropriate best practice is met, and benchmark security standards reached. In these circumstances, critical infrastructure security managers need to merge the organisational and functional elements for both IT security and physical security to establish an effective systems security program to provide functional asset protection. However these two areas are often at different poles within the business process. Knowledge gaps often exist that allow inherent weaknesses to flourish within the company. Organisational size often dictates that both of these elements are represented as a "clip on" function to other departments such as HR or OH & S. It is important therefore that organisations establish and appoint one person with the ability to speak for both areas. Lines of communication need to be established directly to the upper echelon of corporate management and the support of senior executives secured. Without this level of support, security culture improvements would flounder. To effectively create the one-stop security solution, both the physical security and IT security elements must already be established with suitable objectives, key personnel roles, responsibilities and duties defined. Both areas share similar characteristics and vulnerabilities, however technical skill sets of personnel vary between them. Recent trends suggest that both the core elements of IT security and physical security are converging, but still have a way to travel before key personnel have the individual capacity to cover the knowledge required for both areas. How much physical, IT and risk management experience are needed in the mix has not yet been defined, but as broad a skill set as possible is desirable. Security is about educating the business leaders of the threats the organisation faces, the likely negative consequences and costs of those threats, and the necessary control measures that need to be implemented as effective safeguards. To raise the security culture of the organisation it is important to develop an omnipresent security program that promotes effective security as an essential business reality, which avoids a weaker security stance based on the dangerously outdated notion that it "won't happen to us", improves lines of communication directly through to executive level, and in turn coordinates an approach to integrate physical security, information protection, and risk management. With these elements in place, the real work can then begin. Both the physical and IT security aspects of the business must converge, recognise each other and put aside territorial issues for the greater good of the organisation. Each must be aware of the other's threats and vulnerabilities and their interdependencies. The first stage in the process is to utilise a sound risk analysis process as a tool, tempered by the parameters set by the scope of task to form the foundation of a systems security program. The first blocks are laid by identifying the assets to be protected, the real threats to those assets, probability of those threats eventuating, and understanding the subsequent impact or consequences to the business. A structured approach through threat identification and determination of the likelihood of occurrence help determine the true 'expected cost' from any given occurrence. This in turn allows management to arrive at a rational business oriented decision. To take a proactive stance, or outline the process of a reactive stance - or combination of both - to control, mitigate or even accept the risk. Effective business solutions can then be based on sound principals of cost benefit analysis, allowing for and considering the real 'cost' of the human factor alongside the purely empirical aspects of the organisation. Ultimately, examination of company antecedents for the current security profile may reveal areas of security that need reinforcement and assistance in development of the determined counter assurances, and to allow effectual change of the security culture across the organisation's business functions. The vulnerability assessment is perhaps the most important step in the security planning process. In the current context of mitigating against terrorist attacks, care must be taken to ensure that the assessment is correctly focused on identifying how a potential attacker could take advantage of any given opportunity. The subsequent security planning and its effectiveness for providing a protective solution are directly related to how effectively the vulnerability assessment was performed in the first instance. The first analysis is often the most costly in dollar terms, due to a lack of groundwork or security presence in the company, but subsequent assessments can be based on the knowledge gained of the business environment and processes that have been recorded in this first instance. Then, in order to remain truly effective, the analysis must be a recurring process that keeps abreast of new threats and risks - and methodologies to combat them - as they arrive. The need to provide for the changing risk environment is probably best illustrated by the process of terrorists deploying improved weapons and methodology to attack assets, and security planners upgrading the protective measures to resist those weapons, not in dissimilar fashion to a conventional arms race. Previous terrorist campaigns, such as that waged by the Provisional Irish Republican Army (PIRA) in Northern Ireland, reveal a process whereby the PIRA attempted to gain control by increasing the size and capacity of their arsenal. Early in their campaign small hand-delivered bombs, small arms and other small hand-held type devices were the order of the day. These were followed by small car bombs (typically 150kg). These resulted in structural damage and casualties that in turn led to the introduction of wire mesh fences and stand-off barriers to keep vehicles at a distance. To overcome these barriers, terrorists moved to stand-off attacks using rifles, grenades and RPG7 rockets. This in turn forced security planners to introduce bullet resistant glazing and wall hardening to protect personnel. Sangars (bulwarks) to guard the perimeter were added and walls made high to reduce the size of explosive devices that could be thrown over. Vehicular access was withdrawn from affected facilities, but this led to booby traps on cars being parked in adjacent offset car parks. Bombs became larger and blast walls were constructed and larger stand-offs provided. The PIRA responded with the Mark 10 Improvised mortars in 1981. Weighing 60kg, they contained 20kg of homemade explosives (HME) and were capable of demolishing a large building. Proxy bomb attacks were used in delivery vans. Next came spigot bombs, which were made from an oil drum filled with 300kg of HME. The Mk15 Mortars appeared in 1992. They weighed 118kg and contained 80kg of HME. Improvised terrorist weapons are difficult to mathematically model and thus make designing protective measures that much more difficult. This can be said for both the physical and information security arenas. As in Northern Ireland where they applied a systematic approach, using a vulnerability analysis as the first step, they were able to eventually harden facilities to such an extent that no further loss of life has occurred in a hardened building since their introduction. Good security planning based on a systematic risk analysis, rigorously practised, regularly reviewed and audited, can provide the solution to security vulnerabilities - even as serious as those faced by the security industry in Northern Ireland. Allen Fleckner is director of security and risk, Emergency Management Experts, Melbourne.
[ Printer Friendly Version ] [ Other stories about Echelon, Empirical, ACT ] |
