Critical infrastructure is a term that is widely used to describe assets that are of critical importance to the functioning of today’s society and economy. The US Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience identifies 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defence industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
Critical infrastructure protection is the practice of securing the functioning of critical infrastructure internal and external non-state actors from acts of terrorism and crime. However, critical infrastructures are now increasingly affected by natural disasters, so disaster management is also widely a part of the practice of critical infrastructure protection.
The threat perception As the backbone for the proper functioning of society, critical infrastructure has always been an attractive target for attackers – both state and non-state actors. It is evident throughout history that warring factions attacked each other’s critical assets such as water resources or food sources as a means of weakening the enemy, which evolved into strategic bombardment of the enemy’s critical infrastructure during the Second World War.
Critical infrastructures continue to be attractive targets for terrorists and dissident groups, primarily due to the attention that attacks on such targets bring to their cause and the widespread indirect economic damage that spreads beyond just the infrastructure itself. Among all the sectors, energy has the most vulnerability – as most recent attacks have demonstrated – because energy has a significant impact on several other segments of critical infrastructure within an economy.
Although a wide majority of attacks on energy infrastructure have happened in the Middle East and North Africa recently, the global nature of the energy industry – and the impact it has on global economies – demands that serious consideration is given to securing critical infrastructure. From pipelines in the US to refineries in China, energy and critical infrastructure around the world face varying threat levels that range from information theft to a terrorist attack. The economic impact and financial damage of such attacks are significant. Being situated in remote locations should be a reason to invest in securing these infrastructures rather than an excuse for not having adequate security.
There have been numerous attacks on oil and gas infrastructure in the Middle East since 1968. In 1975, the Arab Revolution terrorist group seized more than 70 hostages from the OPEC headquarters in Vienna, demanding more than $50 million to release them.
Since 9/11, pipelines, tankers,refineries and oil terminals have been attacked frequently across Iraq. Oil tankers have been a target for terrorists even in Sri Lanka and Israel.
One of the biggest but failed sabotages was that of Ras-Tanura in Saudi Arabia in 2002, which if successful, could have impacted more than 10 per cent of the world’s oil supply. Last year’s incident in Amenas has left companies thinking about the risk of doing business in the highly volatile regions of the world while dealing with the everyday risks and security threats that their infrastructure faces.
Terrorist groups such as Al-Qaeda have been targeting the Western-run oil industries for some time. In 2004, Al-Qaeda attacked infrastructure in the Middle East and the Persian Gulf. The danger is that Al-Qaeda has demonstrated the capacity to adapt its terrorist strategies. This is clear with its call for cyber jihadists.
In 2011, the FBI intercepted an online video featuring an Al-Qaeda operative calling for “electronic jihad” against the US.
Similar significant threats are prevalent across other critical infrastructures as well, including airports, rail stations and government buildings, which are frequently targeted by terrorists and hackers alike.
The remedy Dealing with a spectrum of physical and cyber threats requires failproof levels of security and deterrence. There is a growing preference for total solutions with flexible integration of individual security systems such as access control, video surveillance and intrusion-detection on one platform. Heavy investments in cyber security are also projected due to various attacks on energy facilities in the past five years. Some of the common vulnerabilities include:
- Porous borders allowing terrorists from neighbouring unstable countries to get through undetected to carry out such attacks on critical infrastructure;
- Lack of a layered security approach and perimeters to prevent unauthorised access to critical facilities;
- Lack of technology to provide early warning and detection of threats – both cyber and physical;
- Lack of tools to provide a co-ordinated response to cyber-physical threats;
- Lack of dedicated security forces to protect critical infrastructure in volatile regions of the world. There is much that needs to be done to change the way security is perceived and practised by critical infrastructure owners and operators around the world.
With more than 80 per cent of critical infrastructure owned and operated by the private sector in Western countries, security is not just the responsibility of governments. Both the public and private sectors should work closely to adopt a more proactive approach to securing critical infrastructure, including:
- Conducting periodic risk assessments to measure the level of risk and threat exposure to business operations;
- Addressing porous border issues to prevent terrorist movements across borders – especially in volatile regions;
- Expanding and securing the perimeters of critical sites to allow a multi-layered early detection, warning, deterrence and delay based solution to identify and deal with threats and adopting the use of advanced technology (sensors – manned and unmanned, etc) for early detection of threats, securing pipelines, etc;
- Companies also need to address the security gaps that evolve due to convergence of cyber physical threats – by adopting advanced cyber physical unified threat management solutions;
- Creating a dedicated critical infrastructure security force to deter and counter such attacks against critical infrastructure in volatile regions and countries.
There is a significant need for changing the way security of critical infrastructure is looked at. Building resilience to threats and risks is mandatory and critical infrastructures of the future need to be secure by design.