CNI: Looking at the bigger picture

The British Security Industry Association’s director of technical services Alex Carmichael, explains

There is a growing awareness across Europe of the need to ramp up protection of our critical national infrastructure sites and associated resilience planning against the threat of terrorism, criminal activity – like metal theft – and environmental threats, not just on a state-by-state basis but also, crucially, at a wider – big picture – trans-national level. In today’s ‘global village’ there are a wide array of critical infrastructure elements, so-called ‘choke points’, whose footprints stretch well beyond the neat confines of a single country’s border, whether we are talking about telecoms, energy plants, banking, water or transport hubs/connections. To put this into perspective, you could very well have a power station in France which also supplies Belgium or, in the case of the UK, gas pipelines coming in from as far afield as Norway. So although the gas pipeline could, conceivably, be defined as being part of the UK’s critical national infrastructure it is not fully under our jurisdiction.

Crossing Borders
This reality on the ground means that there is a pressing case for stronger international cooperation and the sharing of best practice. A concrete illustration of this imperative is the European Council Directive 2008/114/EC, which relates to the identification and designation of European Critical Infrastructure (ECI), and is currently going through a wide ranging revision process. While Europe now recognises that there is a great deal of interdependency between countries in terms of critical national infrastructure, ultimately, how this is looked after still relies very much on the right things happening at the national level.
As a starting point a country’s government has to identify and make arrangements to protect infrastructure within its borders. In the UK we have the CPNI (Centre for the Protection of National Infrastructure), established in 2007, to take the lead on this. Other countries also have equivalent bodies, although the format may, necessarily, differ from territory to territory to reflect local conditions.

Risk Management
Looking more closely at what happens when a site or infrastructure is singled out as ‘critical’, it is for each country to decide what to do about it, although the same basic principles will apply whether we are taking about Spain, Germany, Serbia or even the UK. Typically, most critical infrastructure is now privately owned or privately operated so public and private co-operation and co‑ordination is definitely the way forward here.

In practice, the relevant body like the UK’s CPNI will provide confidential advice to a site’s owner on what needs to be done.

It is then up to the operator to buy in the appropriate security package. This security package should have, at its foundation, a risk‑based analysis of the threats that the site is likely to face, any specific vulnerabilities that require extra attention and, crucially, the potential impacts. By fully appreciating the risks it is then possible to make informed decisions to identify, select and prioritise, the appropriate counter measures for a graduated response. You may have something like a nuclear power station so there will, necessarily, be strict rules as a minimum, with layers of protection built on top of that to reflect the current threat level which can of course change significantly over time.
As mentioned, it is the remit of each country to determine its own critical national infrastructure and the information about this is necessarily confidential and should remain confidential. Only the government concerned and the owners/operators of such sites really need to know that they have been designated as such. The stark reality is that broadcasting these details more widely would only serve to bring these sites to the attention of terrorist elements who may view them as an attractive target.

Specifying Security
When discussing critical national infrastructure protection I would suggest that a good starting point is to step back and think about it as being built on three interrelated pillars. A weakness in any one of these pillars will, potentially, bring the others tumbling down. These are, in turn, prevention, preparedness and response/recovery (resilience). Protecting the electricity grid and power stations and other critical elements is of course no easy task, in light of the geographically extensive nature of this infrastructure. Given this it is perhaps not surprising that we are seeing a diverse array of ever more sophisticated security techniques being employed in the field. The most visible are physical asset protection measures like ditches, perimeter fencing, bollards and lighting.
On the electronic security front, techniques like video analytics, high definition CCTV, rapidly deployable CCTV towers – which can be moved to key hotspots for added security, thermal imaging, fence-line sensors and biometrics-based access control, are all coming to the fore. Given the imperative to keep the lights on, now more than ever, security solutions in this area need to actively detect and deter attacks. Cyber security is also high on the agenda thanks to the rise in virtual targeting of national critical infrastructure by state and individual operators. In addition, throughout Europe, there is a strong recognition that private security services have a pivotal role to play in detecting and preventing attacks through the use of manned guarding and mobile patrols. This is alongside public security services like the military and the police.

Trusted Partners
Considering the specific role of private security services here, it is important that where manned guarding is undertaken for critical national infrastructure this is placed, firmly, within the context of a public-private partnership, based around high levels of quality and service. Experience suggests that the optimum solution is one where the private security service provider is working as a ‘trusted partner’ with the public authority and, crucially, the critical infrastructure site owner.
The Spanish National Police have a good term – ’do ut des’ – which I like to quote when I am presenting on this topic, encapsulating as it does the need for respect between public and private. For the Spanish it is all about having the right level of trust, a culture of cooperation and working within the right legal framework.  
Of course a wider question in the context of critical infrastructure is how effective are public and private security partnerships? Well in response I would point to an example of best practice here in London in the form of Project Griffin.

Griffin was initiated back in 2004 to assist in the security of the financial district which is so vital to the UK’s national interest. A key part of Project Griffin was setting-up a training package for the private security industry and the right communications systems so they could support the police.
Implementing regular communications between the police and private security officers ensured that intelligence and incident reports could be communicated in a timely manner, whether by conference calls, SMS messages or email. Private security officers also underwent Griffin training for deployment in emergencies to support the police, for example, to help establish cordons. Elsewhere, on mainland Europe, there have been a series of extremely successful security partnership programmes in Germany where the police have asked private security companies, operating mobile patrols around critical infrastructure, to pass on information related to suspect persons and vehicles or unlawful activities. In the case of Düsseldorf alone this has resulted in over 500 reports.  

Driving Best Practice
Returning to the subject of trust, it is essential, wherever you are in Europe, that individuals are security cleared/screened and trained to the right level.
The private security service provider also needs appropriate security clearance, transparent corporate governance and should work to high standards. While there is not, as yet, a generic guarding standard for critical infrastructure, the good news is that there are a range of existing sector-specific guarding standards which have a role to play. These include: EN 6502:2007 – security service providers – terminology; EN 16082:2011 – airport and aviation security services; PD ISO/PAS 28007:2012 – ships and maritime guideline for armed security personnel, and ISO 9001 – quality management systems.
Moving forward, the European security sector recognises the pressing requirement to produce a framework that can help governments and critical infrastructure owners, across the continent, to ensure that they have the right quality of guards to provide the right level of protection. For its part the BSIA (British Security Industry Association) is a member of the Confederation of European Security Services (CoESS) – the umbrella organisation for 26 national private security employers’ associations – whose Critical Infrastructure Committee I chair.
At CoESS we have developed an essential check-list that can help infrastructure owners and operators to ascertain whether a private guarding company has the potential to be a trusted partner in this mission-critical area. The aspects highlighted by the check-list range from personnel security vetting to whether the guarding company is able to carry out a site risk and threat assessment, has the resources to fulfil their contract and has put in place escalation plans and resilience measures.  At a broader level through CoESS we are heavily involved in lobbying the European Commission on the whole gamut of critical infrastructure issues as well as commenting on the proposed revisions to the European Critical Infrastructure Directive and providing on-going, best practice, advice to public authorities Europe-wide.  
Added to this, when there is a human element involved in security, it is imperative that personnel are fully motivated and understand what they are actually there to do. This becomes even more of an issue where critical infrastructure is concerned given the implications if anything is allowed to undermine the heightened security.
Consequently, at the BSIA, we were pleased to welcome the publication, last June, of updated guidance on guard force motivation by the UK’s Centre for the Protection of National Infrastructure (CPNI). This is an initiative that we have been actively supporting since the first edition was  produced back in 2011.    

Interconnected Infrastructure
So, to conclude, on the subject of critical national infrastructure there is little doubt that in today’s interconnected world, if things go wrong, there are serious ramifications not just for individual countries where an incident takes place but, potentially, a domino effect leading to Europe-wide disruption.

This means that, in future, we are likely to witness an even greater drive for public and private cooperation, and best practice, to build in resilience to ensure the wheels are turning where strategically important  European Critical Infrastructure (ECI) is concerned.

Further information

Please register to comment on this article