10 Apr 2017

Protecting against low-tech assaults on our critical infrastructure

Post-US election allegations of Russian hacking have focused attention on cyber security, but such cyber scenarios should not blind us to the possibility of low-tech assaults on our critical national infrastructure. Defence writer Mark Lane examines the nature of such threats to our water supply and how we might guard against them.

In November 2015, Paris was on high alert over a potential chemical attack on its water supply.

This followed threats from ISIS and the theft of 12 protective suits, used to guard against chemical products and viruses such as Ebola, from a hospital complex, along with more than 30 pairs of protective boots. The threat level was so severe that the French army was posted to various key facilities around Paris and regular water tests were undertaken.

The global terrorist threat has not diminished since then and the UK Government, utility companies, rail companies and other guardians of our critical national infrastructure (CNI) are all alert to the importance of keeping that infrastructure secure.

The UK’s Strategy for Countering Chemical, Biological, Radiological and Nuclear (CBRN) Terrorism highlights the fact that the Centre for the Protection of National Infrastructure (CPNI) has advised public sector organisations, particularly those which own parts of the critical national infrastructure, on specific design improvements to protect them from the effects of CBRN agents.

Water companies have taken measures, in line with CPNI advice, to safeguard our water supplies from chemical and physical attack.

Cyber attacks can also present a threat to the water supply. Our critical infrastructure facilities rely upon electrical, mechanical, hydraulic and other types of equipment, and this equipment is controlled and monitored by computer systems. So the possibility of cyber crime targeting that side of operations is still a major consideration and it is one that tends to dominate the headlines at the moment.

However, the water infrastructure is so extensive and key parts of it are remote, increasing the potential for a low-tech attack which could have catastrophic consequences for major centres of population.

This is reflected in the importance placed on ‘resilience’ in the Water Act 2014, which was introduced to encourage reform in the water industry, in terms of both innovation and the resilience of water supplies.

In addition to the primary duties outlined for water providers in England and Wales, the Act stresses the need for long-term resilience of water and wastewater systems and service provision when faced with increasing external stresses. The latest Government advice on the matter is included in a Cabinet Office paper Keeping the Country Running. This guidance defines resilience as “the ability of assets, networks and systems to anticipate, absorb, adapt to and/or rapidly recover from a disruptive event”.

Two of the key pieces of advice covered in Keeping the Country Running are resistance (proofing a system so that it is resistant to known risks) and reliability (a system that operates effectively, irrespective of whether or not risks materialise). Achieving both of these things to avoid disruption to vital water services relies heavily on physical security.

The Centre for the Protection of National Infrastructure, which protects national infrastructure by providing protective security advice, describes physical security as “measures [that] aim to either prevent a direct assault on premises or reduce the potential damage and injuries should an incident occur”.

While high profile cyber attacks have drawn focus to cyber security, we should be aware of low-tech assaults on our critical national infrastructure.

Sue Patton

Sue Paton, Sales and Commercial Director at Morgan Marine in Carmarthenshire, which operates in the rail, power generation, renewables and water and construction sectors, says: “Clearly the safety of our water supply is fundamental. If a terror group was able to tamper with water supplies by introducing a chemical contaminant, that could potentially pose a grave danger to public safety.

“You only have to look at how disruptive an incidence of cryptosporidium in the water supply can be, or how water supplies around the country have been affected by the recent flooding, to see how deeply communities can be affected and how lives can be disrupted by the loss of water. 

“Of course, water companies are quick to act during such incidences of disruption and they have very robust public protection and risk management procedures in place to contain any such threats and to deal with them swiftly. Safeguarding their critical equipment and limiting access to it in order to protect the water supply which is served by that equipment is paramount.

“And there is a regular exchange of information about threat levels and threat mitigation between the Centre for the Protection of National Infrastructure and companies and organisations that look after critical national infrastructure.”

Among the measures CPNI considers to be priorities are CCTV, access control, perimeter protection, hostile vehicle mitigation (HVM) and explosives and ballistics protection. All of which are very important to protect key sites in our national infrastructure such as water treatment plants.

While high profile cyber attacks have drawn focus to cyber security, we should be aware of low-tech assaults on our critical national infrastructure.

Serious damage can be done at the more remote, smaller points – utility kiosks. These kiosks are usually at key points in the water network, including sites with equipment for the chlorination and treatment of the water supply and bore-hole sites, and they are often in remote locations away from populated areas.

The nature of these locations often rules out effective perimeter or access control measures that would isolate these vulnerable areas. This means that the kiosks themselves must be able to withstand any attempt to do harm.

Nick Cowley is the country manager of kiosk and meter box specialist MCL Utility, part of MCL Group Industries, a manufacturer and supplier of engineered composite products for the utility, construction and infrastructure markets.

He says: “A combination of technology, physical security and the deployment of trained personnel is often the most effective method of security integration, creating several layers of defence to protect the most sensitive parts of the network.

“When it comes to utility kiosks, site accessibility must also be a consideration. Characterised by their often remote locations, maintenance visits can be irregular and conducted by different staff; therefore a balance needs to be found between security and accessibility. Solutions which can offer temporary access to mobile employees while balancing the need for high security, the ability to withstand attack and cope with potentially corrosive weather conditions would be beneficial to these sites.

“This is why kiosk manufacturers, like MCL Utility, have to closely examine the materials and techniques they use when designing utility kiosks. We have invested time in researching and developing kiosks that can stand up to tampering. As a result, we can provide glass reinforced plastic (GRP) kiosks which can withstand the elements and possible attack.”

While high profile cyber attacks have drawn focus to cyber security, we should be aware of low-tech assaults on our critical national infrastructure.

Nick Cowley

Morgan Marine’s Paton also emphasises the need for robust products in the water infrastructure.

She notes: “Security products by their nature are always being refined and upgraded in order to meet the changing demands of the marketplace, often in the light of increased threats or the perception of increased threats.”

All of the utility companies across the UK house some of their critical infrastructure in kiosks and housings, which are typically fabricated from GRP, brick or steel. Securing doors, windows and ventilation apertures on those kiosks is a priority, with the ‘gold standard’ security rating being the Loss Prevention Certification Board (LPCB).

Paton adds: We can reduce our vulnerability to CBRN terrorism by ensuring that our infrastructure is resilient to an attack using CBRN materials and ensuring that, wherever possible, we ‘design out’ weakness. The public also have an important part to play by being alert to and reporting suspicious behaviour and creating a hostile environment for terrorist operations.

“We are living in times of heightened security – and security is no longer an issue that is on the minds of governments and security specialists alone, it is something that is very much on the mind of the man and woman in the street in a way that is, perhaps, unprecedented in this country.’’



If you would like to join our community and read more articles like this then please click here

The post Protecting against low-tech assaults on our critical infrastructure appeared first on Defence Online.