Cybersecurity threats to critical national infrastructure

Critical national infrastructure (CNI) is, by its very nature, fundamental to the running of any country. Without contributions from sectors such as communications, society would be severely impacted. It should, therefore, be no surprise that CNI is a perfect target for those who may wish to cause major disruption. 

Threats against CNI may be external or come from the inside and are constantly evolving. The principal threats against CNI include theft or damage to property, assets and materials, unauthorised entry (including terrorist, activist and urban exploration) and cyberattacks.

CNI, therefore, needs to be protected against threat and harm, using modern methods and the latest technology, to ensure that critical operations are not disrupted should an attack occur. Such arrangements need a holistic approach to protect the entire infrastructure, including both physical and cybersecurity, and ensuring that culture, awareness and behaviour (among staff, contractors and others) is driven from the top. 

Cybersecurity risk management 

Threats and risks faced by CNI need to be continually assessed and updated, and this is difficult because of ever-changing circumstances. 

Revisions of the UK threat levels relating to potential terrorist attacks also have an impact, with an expectation that security services have the ability to react to these changes instantly. This means having the resources to upscale security to the appropriate level, depending on the individual CNI environment. Having access to a pool of Suitably Qualified and Experienced Personnel (SQEP), plus a broad range of supporting services (such as canine, which can screen for explosives and firearms etc.), as well as being able to rapidly deploy surveillance technology (such as CCTV Towers), allows organisations such as G4S to effectively react to such demands and build an integrated security solution suitable to mitigate the threat.

Managing ingress and egress

CNI sites take a layered protection approach to security, with security checks kicking in before the perimeter for people, equipment and goods. However, this is frequently not as simple as securing one area, because many sites have multiple entry points, especially larger sites that may have connections via road, rail and ports. It is important that only authorised personnel are admitted to sites, and that they are adequately screened, without causing any unnecessary delays. 

Achieving the required cybersecurity standards

To achieve the required standards in CNI environments it is important to adopt intelligent security, using a risk-based approach, backed by specialist people and approved products. Personnel in design, installation and operations need to be suitably and highly qualified to carry out their roles. Many of these sites are visited by high-profile individuals, making them a target for terrorist activity and regularly selected by protesters. They are also a popular choice for urban exploration.

For these reasons G4S uses enhanced security officers (ESOs) on its high-risk sites, who can undertake a skilled and informed approach to appease any hostile situations. ESOs are highly experienced (often with ex-military backgrounds) in the de-escalation of hostile situations such as protests.

Likewise, only the highest standard of equipment and technology can be employed because external and insider threats are a real risk given the nature of the work undertaken at some locations. The Centre for the Protection of National Infrastructure (CPNI) is the government authority focused on providing advice and assistance to those who have responsibility for protecting these most crucial elements of the UK’s national infrastructure, and reducing their vulnerability to terrorism and other security threats. 

CPNI evaluates security products for use in CNI and Government, against specific CPNI security standards to assist organisations to identify the most appropriate physical security equipment. A product may be given a ‘Class’ level grading, meaning it has characteristics that will defend against surreptitious attacks, or a ‘Protection’ level, meaning it shows resistance to forced attacks. Occasionally, a product will be awarded both grades. The CPNI evaluations are set well above the standard expected of a ‘normal’ security product, even the ‘lowest’ grading is an indication of a very capable product.

Improving the security culture together

It is important to have a good security culture in organisations to mitigate against physical, cyber and internal threats. It also ensures that employees are more engaged with security issues and act in a more compliant way. It helps to raise awareness of security issues across all employees, not just security officers, which reduces the risks of security incidents and breaches. It also improves overall security without the additional need for large expenditure. The CPNI provides crucial guidance and support for those in CNI organisations. This includes marketing materials for use in awareness-raising campaigns and also tools to assess and benchmark security culture, such as a number of survey-based Security Culture Assessment Tools (SeCuRE).

One of the most important contributions to establishing a robust security culture is to invest in training and development, something that G4S knows is critical to do upfront in a contract, moving the agenda from having security, to having effective security. One of the issues with training, even more observed in CNI environments is the need to continuously train for events that might (hopefully) never happen. However, if an incident does happen, it is likely to take place at very short notice and personnel need to quickly apply their expert skills and training. 

Working together to achieve the best, while prioritising sustainability and ESG

The need to establish good relationships with clients, partners and stakeholders cannot be overstated. This should include a shared understanding of culture, processes, and information to work towards common goals. These partnerships also include those with the local police and other parties to understand risk and situational awareness for activities such as moving an abnormal load. A planning workshop may be carried out to consider every eventuality and ensure all stakeholders will deliver their part of the process.

CNI organisations in particular are vulnerable to both supply chain failures and non-delivery from partner organisations, with any delays having a knock-on effect on overall service delivery. G4S works very closely with its partners at all its CNI sites ensuring they support each other with any challenges faced to achieve a speedy resolution. Every single day of missed work can be extraordinarily costly – keeping security present, fully compliant and operational is a requirement for critical infrastructure. 

Corporate Social Responsibility (CSR) plays an increasingly important part in shaping how G4S delivers its services, ensuring a positive impact on society and taking account of environmental, economic and social issues. G4S believes in embedding good practices to support sustainability and add social value, encouraging other service providers and their suppliers to do the same. One positive environmental initiative undertaken recently was the planting of 100 elm trees designed to offset the CO2 emissions from the G4S vehicle fleet. 

For more information on the threats facing CNI and what makes good security, read the G4S online guide.