Dan Solomon writes of priorities for critical infrastructure security policy. From the April 2011 print issue of Professional Security magazine.
A new analysis by Hawk ISM has shown that there is a clear and substantial deficit in investment for the protection of critical national infrastructure. Investment in physical security is slower than expected and to a degree has fallen victim of the current economic climate, while cyber-security investment is a clear priority both within the public sector, and the private sector. To take a macro-view of the Europe and its security, the analysis reveals more about the very complex pattern of factors that need to be addressed to create a more secure environment for European critical infrastructure through greater investment. One conclusion is that the private sector is not investing enough to secure the national assets that they have the privileged to operate, and greater directive management from government should be considered. However in countries where critical infrastructure is still under public ownership there is also a lack of investment, but this may be for different reasons, and points towards some consistent factors that are restraining investment among European member states. So while the problem of targeting investment at the appropriate security measures varies by country, it is a European problem and requires a co-ordinated European solution.
While investment in energy transport and storage is considered critical to national energy strategies, the increasing interconnectivity of infrastructure across Europe and beyond, is exerting pressure on requirements for infrastructure security as much as political pressure on energy sourcing strategy. The most serious threats to critical infrastructure are trans-border and affect ‘clusters’ of member states, and the major threats that Europe will face from 2011, expose the weakness of European mechanisms and structures to deal with them. The threats are evolving faster than the steps to mitigate them, or the development of relevant scenarios to support vulnerability assessments for critical infrastructure and national networks. It is therefore unsurprising that investment in security lags the real requirements. The constant challenge remains to balance investment in security of the assets in proportion to the investment in the infrastructure itself, but the report shows that this balance is markedly absent. The goal of harmonising security and investment strategies among many distinct but interdependent sectors with varying degrees of public and private stake-holder presents the most significant challenge.
While the expansion of capacity is more naturally harmonised through demand forecasting, there are fewer incentives for developing security investment plans in tandem, and this creates sector-specific vulnerabilities where one sector can ultimately represent a liability to another. The debate around European energy sourcing and supply strategy may be a leading conduit for aligning European objectives, and among member states this needs to be mirrored in security and protection strategies for critical infrastructure where the challenges and investment requirements are more immediate. It is doubtful whether effective national co-ordination can be achieved without greater public sector guidance and co-ordination, working with owners, operators, and firms offering security solutions. In the current financial climate, investment stimulus may be required to achieve a pace of evolution that is required to mitigate the rapidly evolving threats. At national level, the operators already need to work with many stake-holders to co-ordinate objectives, and capacities as well as business continuity and contingency planning, and may struggle to expand this collaboration, or are reluctant to engage more time and resources in planning and consultation. The strategic imperative for governments is to task the operators with ensuring greater organisational security as an integral part of national security priorities, and try to facilitate this. In Europe where there are trans-border infrastructure development projects and more complex interdependencies, it may also be more effective to engage in defining responsibilities and co-ordinating interagency preparations through government channels.
Governments have preferred to avoid legislation as a route to ensuring infrastructure resilience, even though it has proven effective for health and safety objectives, and compliance is seen to be an effective driver of investment in other sectors like port security. It is also far more potent in effecting rapid change than dialogue or consultation across many interdependent industries, not least because of different approaches among government departments to investment, dialogue, and security. Legislation could therefore create a homogeneous requirement and standards for effectively tasking the private operators.
In the absence of distinct legislation, governments need to ensure that infrastructure owners are held accountable for their decisions on security investments, and for risk management of the critical infrastructure that they operate. While experience is seen as the best teacher, governments can ill afford to await a catastrophic event of terrorism or sabotage before creating a framework of ownership and responsibility that will yield the necessary results of capacity growth and security. The recent rise in profile of cyber-risk and the rush of investment to mitigate cyber-risk at the expense of physical security investment, has demonstrated that investment does respond to immediate needs, but there is the potential for inappropriate balance in trade-offs within security investment. Some oversight could ensure that cyber and physical security investment remain appropriate to the dynamic risk environment that differs within each sector.
However this needs to be accompanied by a recognition among the operators themselves that they cannot embrace more holistic risk mitigation practices if they do not find ways to collaborate with other operators, and will not achieve high levels of resilience that will assure consumers, regulators, or investors that they aspire to high standards of security preparedness and awareness. While operators publicly recognise the importance of security, in practices their investment in security and awareness of more advanced capabilities demonstrates that their focus is lagging, and there is a continued reluctance to invest preventatively in countermeasures to converged risk, and many fail to implement all the recommended basic and intermediary security measures. To combat this, regulators need a common approach for evaluating current standards for security attainment, including the assessment of Security Measure Adoption Rates (SMARs), which could usefully be set more specifically at European level. To create greater security requires strategy, awareness, organisation, resources, and investment which all provide their own challenges on a national level, but not the solutions to cross-border issues. When security is approached on a European level (which it must), it is instinctive to assume that the barriers or distortions are multiplied. However, the opportunity exists to leverage the advantages of European organisation to deal with security matters. While some see this as a necessity, others are quick to point out that the ambition is fraught with barriers and complexities. Security is both a European and a global problem, and requires a large-scale solution to civil defence, infrastructure protection, energy security, and cyber attack. The greatest challenge is to act quickly to establish consensus, boost investment as security risk increases, and inject a sense of urgency that needs to effect change within three years.
About the author: Dan Solomon is Senior Partner, Consulting and Risk, at Hawk ISM. Visit –
