James Kelly, chief executive of the British Security Industry Association, discusses the importance of protecting national infrastructure and the businesses supporting it
2017 has been a year marked by a shift in terrorist tactics, with tragic consequences for the UK. As seen in the consecutive Westminster Bridge attack, Manchester concert attack as well as London Bridge attack, terrorists have shifted towards strategies that are as crude as they are deadly; targeting the particularly vulnerable and making use of weapons which are difficult to control and track, such as knives and vehicles. What have we learnt from these terrible events? It is not enough to protect the nation from terrorism as we know it, we must continually anticipate new methods of attack designed for maximum disruptive impact.
From the National Grid and communications, to water supply and transport, the systems that underlie our everyday life are all vulnerable in some shape or form to attack. National infrastructure has seen considerable investment recently in the UK. Just recently, the government commenced the development of an £8 million data analytics facility for national infrastructure systems like energy and water. The Data and Analytics Facility for National Infrastructure (DAFNI) will build computational systems, hardware and software platforms for data analytics and database simulation and visitation systems. This information will be used to improve UK resilience to extreme events such as natural disasters and terrorist attacks by spotting vulnerabilities, improving performance and prioritising workloads.
DAFNI will provide a unique space for innovation and greater joint up approaches between the different national infrastructure industries and government - something which is becoming increasingly important amidst increased threat levels. However, DAFNI also highlights the responsibility that accompanies the possession of data that could be deadly in the wrong hands. Imagine a hacker gaining access to vulnerabilities across transport hubs or statistics on which power stations are the most critical within the UK. The consequences could be disastrous. As such, cyber security is equally important to physical security, especially when it comes to infrastructure where the majority of activities take place through electronic systems.
According to a recent article, cyber attackers are regularly trying to attack data networks connected to critical national infrastructure systems. A former senior British security official said it was an ‘article of faith’ that Russian government hackers were seeking to penetrate UK critical infrastructure. Such attacks are not unheard of. In December 2015, Ukraine’s power grid was brought down due to a third party’s illegal entry into computer systems that resulted in the disconnection of multiple substations.
Steve Holliday, former chief of the UK’s National Grid, recently reported that: “The UK stands out uniquely on cyber threats. Nowhere else is as worried as the UK about cyber threats: we are just off the scale on our energy system concerns on cyber.”
With cyber attacks clearly on the increase, what are a few key considerations for businesses supporting National Infrastructure when it comes to protecting themselves?
Cyber security – are you doing enough?
Defending against cyber attacks does not necessarily require complex strategies; simple steps such as regularly updating software and malware protection, ensuring that all firewalls are robust and up to date and restricting access to specific users, can all go a long way in keeping cyber threats at bay. It can be especially useful to configure specialised firewall rules in order to restrict access to the networks, with such firewalls being inaccessible from the internet in order to be less vulnerable to attack.
It can also be wise to enlist the help of a security consultant to help identify any potential weaknesses within a network and develop contingency plans in the event of a breach. A reputable security consultant with a wealth of experience and proven track record in cyber security can carry out penetration testing in order to ensure that the protection already in place is adequate enough to challenge ever-advancing cyber threats. The testing can also identify any weaknesses in the network and address them where necessary.
Do you have a risk register in place?
Perhaps one of the most important elements of an organisation’s contingency plan is the risk register. When planning for safety and creating incident management processes, it is essential that those responsible for crisis planning are able to identify the day-to-day risks they face and the strategies in place to counteract them. Businesses face a number of threats each day, including potential terror attacks, the threat of flooding, an outbreak of fire and the ever present danger of a cyber-attack, all of which have the ability to completely shut down a business. When addressing these various threats, it is important to look at how the organisation operates on a wider level in order to identify what aspects of the business are essential in its ability to continue to function in a crisis. For example, ensuring that employees can work securely offsite, if necessary, is crucial in ensuring business continuity. It is not enough just having plans in place in the case of emergency; it is also paramount that all employees are aware of existing contingency plans so that they may go about their roles as necessary. Such plans should also be efficient in their structure, making sure that incidents are dealt with in a timely manner so as not to compromise the business further.
Should you invest in further training?
As well as enlisting independent professional support from a consultant, it can also be worthwhile investing in specified training in order to ensure that members of staff are able to respond accordingly to potentially threatening situations. To be fully prepared for a crisis, employees, particularly those on a senior management level, can undertake specialist training courses on crisis management. Such training should be delivered by a reputable training provider whose comprehensive courses can help members of a business develop the essential skills and confidence to effectively deal with a crisis. The training available is extensive and can cover all aspects of incident management such as risk assessments, security surveying, continuity management and disaster recovery. Those that deliver the training should also be professionally qualified tutors with real world experience of the industry in order to provide an insightful, valuable course.
In order to ensure the training is truly fit for purpose, it is important to choose a trustworthy training provider. Members of the BSIA’s Training Providers Section are committed to working with fellow training providers, colleges, security companies, trade organisations and the government to drive standards, increase professionalism and ultimately improve the standard of training offered to the security industry. Keeping in line with these values, the section has also created its own ‘Code of Conduct’ in order to help safeguard the interests of consumers of services provided by BSIA members, as well as raising the bar of professionalism amongst its members. Adhering to the code provides tangible evidence of each member company’s commitment to proficiency and probity, helping them to keep abreast of current practice, regulation and applicable laws affecting training, in order to ultimately position themselves as the best in the industry.
The British Security Industry Association (BSIA) recently launched a new Cyber Security Information Portal to allow members access to the latest advice and guidance to help them and their customers reduce the risk they face from cyber attack. The dedicated page includes useful links, guidance and training information.
Ultimately, when implementing security strategies and preparing for the future in an uncertain world, one thing remains steadfast – the importance of quality. Whether it’s a security consultant, training provider or any other form of security, those responsible for procuring security products and services for their organisation should only be enlisting the help of a trusted, professional provider who meets with the necessary British and European standards.