In a wide-ranging article about the UK’s Critical National Infrastructure (RUSI Monitor, May 2008), Sir David Omand reflected that ‘a collective ability to get on with life, despite the difficulties, is a huge national asset’. Going on to review how this was currently being addressed, he referred to the establishment of the Centre for the Protection of National Infrastructure (CPNI) in 2007. He said ‘We must now look to the new CPNI to work with the industries, services, agencies and departments concerned to … assess the risk and advise on protective security’.
More than two years on in the life of CPNI, and with protective security generally having a higher profile, it is worth taking stock of the progress that CPNI has made and the impact of CPNI’s advice delivery to businesses and organisations across the national infrastructure. Protection against terrorist attack (‘Protect’) is one of the four key elements of CONTEST, the UK Government’s counter-terrorism strategy. Infrastructure protection also features in the recently published first annual update of the National Security Strategy and its accompanying Cyber Security Strategy, which acknowledges the good work that has been done and paves the way for increased co-ordination of effort. At the same time there is understandably increasing interest in the robustness, integrity, regulation and future investment in the UK’s national infrastructure.
The Evolution of National Infrastructure
Protective security for the UK’s national infrastructure is not a new concept. It should be regarded more as an evolution, drawing on years of past experience and sustained application as well as learning from events such as the London bombings of 2005. The nine sectors that comprise the national infrastructure (communications, emergency services, energy, financial services, food, government, health, transport and water) are very different from each other. All have undergone major changes over recent years, including in relation to structure or ownership, and keeping pace with this change and its implications has been a priority for CPNI to ensure the best understanding of the sectors, the critical assets within them and their vulnerabilities.
The owners and operators of the key assets and networks in these sectors remain responsible for implementing protective security measures in their own organisations, but debate has been taking place for some time about where responsibility for the cost of such measures should reside, particularly for assets that form the critical part of the national infrastructure. There is also debate about the need for regulation in order to ensure measures are adequately implemented. These are ongoing questions for all who are involved in the shaping of future policy, driven by financial pressures, competing resources and the evolution of modern society.
In the meantime the delivery of protective security advice continues. CPNI is staffed by a wide range of sector and subject specialists and security professionals, including secondees from industry. This has resulted in advisers who know their subject areas well, who have been able to build up trusted relationships nationally and internationally, and who have developed a personal knowledge of the businesses and organisations within specific sectors. The challenges for CPNI have been to learn, adapt and anticipate, to ensure that protective security measures will be robust in the face of threats to national security interests.
Such threats continue to be real, coming from a multitude of sources, other countries or companies, for the purposes of terrorism and espionage. The UK remains a high priority espionage target, with a number of countries actively seeking unauthorised access to UK commercial business information in order to benefit their own programmes. Total protection is impossible and to suggest otherwise would serve no purpose. Protecting what matters most, through a sensible approach of prioritisation, is CPNI’s more realistic aim.
Research and Knowledge
Progress has been good. Close working with sectors and their sponsoring government departments has significantly increased our understanding of issues. A new criticality scale is in place, using common criteria based on the extent of likely impact of loss or disruption to essential services. This has helped to determine which assets in the national infrastructure are most critical. It has enabled a new critical national infrastructure catalogue to be drawn up, which represents a significant step forward when compared with the previous situation. Innovation and technology have resulted in the application of a mapping tool which provides visualisation of assets, their geographic locations and layout. All of these are key developments which are now providing a much-improved picture of vulnerabilities in the critical national infrastructure, leading to better targeting of efforts and greater ability to assess progress. They will also help in generating a better understanding of dependencies between assets and networks.
Knowledge plays a major role in ensuring that the advice provided to businesses and organisations in the national infrastructure is authoritative. CPNI’s continuing R&D programme, from participation in blue sky ‘ideas factories’ through to the application of cutting edge research into protection and detection measures, provides a fundamental feed into its advice delivery. Research includes screening and detection of explosives, weapons, chemical, biological and radiological materials. It also covers performance of physical containers and barriers when under impact, as well as the effects of blast and ballistics.
Testing has made a key contribution to the development of contemporary and cost effective countermeasures, for example against threats from penetrative vehicles, including those carrying improvised explosive devices. The crash-testing of large trucks, whilst providing spectacular film footage for the media earlier this year, is only one part of ongoing comprehensive test programmes which CPNI commissions under contract.
Computer network forensics, software vulnerability fixes and SCADA systems also form part of ongoing research, as well as the testing of mitigation measures such as access control. This has enabled early input into process and product development, resulting in better product resilience in the face of potential threats and the ability to inform long-term strategies for the application of protective security measures in the future.
New Challenges, New Initiatives
The need for personnel security measures has tended to be less obvious, which is why it may sometimes have been neglected. No business or organisation should consider itself immune from the ‘insider threat’. Risks are real and may come from staff as well as contractors, with legitimate access used as a cover to obtain information or exploit opportunities for unauthorised purposes. The majority of instances may be minor but the possibility remains of more serious attempts connected to terrorism or state espionage. Insider threat is not fantasy; it is a vulnerability that requires constant attention and appropriate counter-measures. Very close co-operation by HR, security and management at all levels is key to successful mitigation of the insider threat.
Organisations in the critical national infrastructure need to be aware of where personnel security measures can have impact and what resources are readily available for them to employ. CPNI’s recently published guides on personnel security, such as those relating to risk assessment and ongoing personnel security, are intended to enable organisations to embed personnel security good practice as an integral part of their organisational structures. Pre-employment screening, identity checks and document verification need to become routine activities that help to filter out risk before new staff are recruited. Similarly the risk of existing employees becoming disaffected or externally influenced by those who present threats to security can be reduced through the implementation of relevant ongoing personnel security measures and by having appropriate organisational and security cultures designed to minimise and identify behaviours of concern. Guidance on all of these is available on the CPNI website, with further information accessible on a restricted access extranet.
The UK’s Cyber Security Strategy states that ‘As an increasingly digital nation, we need to be realistic about the risks that arise from our use of cyber space, and proportionate in our response’. Information represents potentially valuable data and is a key target for commercial espionage. CPNI’s guides, advisories and alerts provide IT security managers in the critical national infrastructure with advice on defensive measures to protect their systems and networks against attack. Confidential information exchanges, facilitated by CPNI, in which businesses can learn from shared experiences and alert one another to new issues have also played an important role in the protection of information held within the national infrastructure.
Protective security is also being enhanced by the development and promotion of common standards. BSI British Standards on topics as diverse as mail screening and food defence are two more recent examples of CPNI initiatives, demonstrating how good practice can be distilled, explained and disseminated to reach much wider audiences than would normally be possible. This is particularly important for those sectors in the national infrastructure, for example food, where there are many thousands of businesses.
Another initiative led by CPNI, launched at the beginning of the year through the Institution of Civil Engineers, is the Register of Security Engineers and Specialists, a product of considerable co-operative work amongst many organisations and departments. Providing an assurance of technical competence, it represents a good example of the multiplier effect in support of protective security.
Threats to our national security are constantly evolving. The technologies we employ to help our daily lives function effectively are also changing at high speed. In response, protective security has to stay ahead of the game, be alert to change and correctly anticipate its challenges. Two years on in the life of CPNI the overriding conclusion is that protective security is for the long-haul, based on knowledge advancement and informed by intelligence; above all, it has to be sustained through commitment and partnerships.
NOTES Risk Assessment for Personnel Security: A Guide, 3rd Edition, CPNI, March 2009. Guides and standards referred to in this article can be accessed at www.cpni.gov.uk.