By R.J. Hope, Burns & McDonnell
Look around the community or watch the news; utilities in the U.S. are facing a changing security environment. Over the last 20 years, Americans have “lost our innocence” watching violent events unfold in our neighborhoods and businesses. Events that at one time occurred distantly “over there” are now occurring in our hometowns and work places. These incidents have ushered in a new operational reality for corporate security. Some companies are already adjusting; others may not be ready.
One of the biggest changes to the security environment is how site vulnerabilities are evaluated and addressed. The days of walking around a location (such as an electrical substation, water pump station, or an office building) with a clipboard and a one-page check list have passed. While traditional adversaries remain (copper thieves, vandals, etc.), today’s dangerous adversaries are more complex. They change and adapt their means and methods faster and are more determined than their predecessors. To meet these challenges, security professionals must evolve to effectively address organizational weaknesses.
It is well known that a significant amount of data and analysis goes into a detailed and through security assessment, but one component worth extra discussion is the vulnerability evaluation. As utilities move to a more active and dynamic threat environment, one of the most effective ways to address vulnerabilities is to gain the bad guy’s perspective. In the past, checklist-type assessments have been focused on fences: height, cameras and lighting. All of these are good components to consider, but what exactly is being assessed and are those features still viable given the current adversary model? Many of these attributes were being evaluated for presence and serviceability, not how they address vulnerabilities to a specific adversary model. Determining the presence and serviceability of these assets is important but how these measures affect our adversary’s model is often overlooked.
Whether an adversary is planning to steal copper to sell to a scrapper or planning to shoot critical assets to disable a station he will go through a target selection process to evaluate different sites and the targets within. Corporate Security’s job is to affect the adversary by preventing the event from occurring in the first place. Much like the military draws up attack plans seeking out an advantage that can tip the scales in its favor, this type of adversary will do the same. The goal is to identify the attributes of a location that support the end goal and try to identify a site that offers a high probability of success. When conducting vulnerability assessments, the key to success for effective security planning is understanding your adversary and assessing your sites as he would during the target selection phase.
While not an exhaustive list, consider the following site vulnerabilities:
Ease of target identification – How easy is it for the adversary to identify the targets he may seek? Are high value commodities left unsecured in plain view? Are there clear lines of sight to easily identifiable critical assets?
Perception of security – What is the perception of security on the site? Is the site clean, well maintained and obviously cared for? Are there signs of disrepair or damage to security features or devices?
Ease of execution – How easy or hard is it to execute the attack at this site versus those in the area? Are their terrain features and/or site characteristics that negatively affect the attack method chosen?
Ease of ingress and egress – How will the adversary insert, ingress, egress, and extract from the area? Is there a high probability of casual detection or are there many avenues to avoid interaction?
The adversary will seek to limit and control these variables as best as possible to increase the probability of success. The job of Corporate Security is to affect those variables in a negative way thus deterring selection of your facility as a target. While the threats to your business and the means in which they will carry out an event will change, evaluating sites from the adversary’s perspective will increase the deterrence factor and likely produce Corporate Security’s definition of success: the non-event.