By Frazer Holmes
CIP examines threats and possible attacks against the critical assets of a country. It takes an umbrella approach to look at what measures are taken, what measures are effective, and what possible counter attacks can be used in the successful deployment of protecting critical assets.
There is national, Territory and State based guidelines and frameworks for the protection of Critical Infrastructure (CI) geared to provide a framework for a national and consistent approach for the protection of CI assets. Although they primarily are designed to focus on the protection from terrorism, the guidelines recognise that treatment for CI assets will depend on the individual assessment and criticality of the asset, the security posture and profile for the asset or relevant sector. Of which terrorism is but one of many threats from which CI needs to be protected from. As such, the responsibility for the continuity of CI is shared by all Governments and by owners and operators alike.
Further to this, the Australian Government has developed the Trusted Information Sharing Network (TISN) for critical infrastructure resilience. This provides an environment where owners, operators and Government can work together to share information on security related issues affecting CI assets and the continuity of operations associated with all threats.
This strategy has a strong focus on developing partnerships, and illustrates the commitment of the Australian Government to working with owners and operators and State and Territory Governments to achieve complementary and mutually beneficial outcomes.
Why protect Critical Infrastructure?
What is being protected is not always the infrastructure itself but the services it provides. Therefore CIP involves a range of strategies with the objective of protecting not only the physical ‘infrastructure’, but all assets that are deemed ‘critical’ in the sense that we could not do without them. Or at the very least, the disruption to their services would make life difficult, or affect our national security. A number of these strategies include protective security, crime prevention, business continuity and risk management, and emergency management. An asset could be deemed critical when the services it provides are vital to a State or the nation as a whole.
The list of infrastructures and services that may be considered critical includes transportation, defence, industrial, telecommunications, banking and finance, agriculture, food, water, power, public health, Government services and emergency services.
Understanding where the real threat lies
An understanding where the major threats will come from is imperative when determining what needs to be protected and why. Some may argue that attacks on CI may appear to tie more closely with terrorism and war than with any other area.
While events such as the 9/11 attacks on the World Trade Centre and the Pentagon, and the attacks on the London Underground Railway system in the UK, all targeted aspects of what we term CI. However, it may be questioned that we are overplaying terrorism (perhaps out of hype or fear) and underplaying the danger of Mother Nature? Both of these areas call out for a CIP response. The question is which areas should we devote more time, effort and finance towards, man made threats such as terrorism, civil war, issue motivated groups and so forth, or natural threats such as earthquake, flooding, fires, cyclone, drought etc? The answer may not be as simple as one may assume, however, one thing is certain and that is all such incidents must be considered in order to provide a holistic and coordinated approach to CIP.
Emergency Management and Response
The importance of CIP transcends the traditional safety and security regimes, and therefore a shift in the traditional mindset to incorporate a balanced and coordinated approach to not only focus on the protection of the assets themselves, but how can we manage, respond to and recover from such incidents is needed. These actions and tasks refer to deliberate activities that are undertaken in advance of an incident to develop operational capabilities to facilitate an effective response.
Large scale CI threats will take their lead from the global context, however, it behoves us to do our bit and minimise the effect by being prepared as much as possible.
As a result, business continuity of critical infrastructure looks at not only how we deal with incidents, but also the effect any disruption or loss may have. BC provides identification and consensus on criticality of the asset and supply chains as a whole rather than focusing on just how we deal with the incident in isolation.
Challenges
There are many challenges associated with the protection of CI assets and can often include limited security awareness, lack of acceptance or understanding of security requirements. Or even where a person’s perspective may mistakenly adopt the line that security is not required at all. Within Australia, more than 90 percent of CI is owned privately, which is certainly a challenge when determining who will protect, pay and respond to incidents around CI.
Summary
Enhancing capability for prevention, recovery and response relating to incidents against CI is not an easy task. Apathy against CIP will need to change, as advances in technology and changes to internal governance requirements highlight that a dynamic approach is required. These factors only increase the argument that a coordinated approach, such as TISN, is imperative to have, if and when an incident occurs. So that owners, operators and Australia as a nation can prepare, prevent, respond and recover quickly and with as little impact or exposure as possible.
About the Author
Frazer Holmes is a leading SCEC Endorsed Security Consultant (Attorney General’s Department) and member of the International CPTED Association (ICA) and Risk Management Institute of Australasia (RMIA). Holmes has recently joined the team at Amlec House Security Consultants and can be contacted at: frazer.holmes@amlechouse.com
To subscribe to the Australian Security Magazine, click here.
