ISJ Exclusive: Protecting critical infrastructure and high risk facilities




Is security at your site, facility or infrastructure “hardened or penetrable?” This question is one that many seek to understand and spend millions of dollars on trying to answer through internal and external sources. When it comes to critical infrastructure and high risk facilities, it is important to know exactly where we stand concerning any exposure or opportunity areas. 

We know that the threat exists and is knowledgeable, capable and active. It is also known that in the last 20-plus years, security organisations, personnel and corporations have mitigated the threat through the implementation of various physical, electronic and procedural security enhancements. The real question is, has it produced the intended results and is it effective against the threat of today?

In order to answer this, you must create a reliable, repeatable system that allows you to adequately assess and quantifiably measure your overall security architecture including physical, electronic and procedural security related to a specific threat or a range of identified threats.

In this article, we will lay out seven steps that are needed in order to create a self-assessment program that will deliver results with a high degree of assurance. Due to limitations in space and time, these steps will be simplified. However, they work when applied and, in fact, this system in its detail has been designed, developed and executed by governments and entities as a dedicated or partial program to test critical infrastructure and high value assets across the globe.

Seven steps

Step one – conduct a thorough threat analysis and assessment and create a design basis threat. The design basis threat is crucial and may vary by type of asset being protected, geographical location and other factors; creating it is a necessary first step. Some relevant examples of threat parameters to be considered are: terrorist element (domestic/international), activists, pressure groups, competitors, criminals. This step should be conducted in conjunction with real world intelligence and systematically reviewed and updated.

Step two – provide your design basis threat characteristics and attributes. Whether your threat is comprised of a terrorist element or a criminal element, you must define and apply specifications in the form of characteristics and attributes such as training, aptitude, access, intelligence capabilities.

A very oversimplified example of a design basis threat with minimal attributes may be: Three person terrorist element, highly trained in military small unit tactics and operational planning, circumvention, surgical and mechanical breaching expertise, readily available civilian handheld equipment, military grade explosives, weapons system up to and including 7.62mm, ammunition full metal jacket, precision optics, thermal, night vision, communications and communication jamming capabilities, up to a total combined weight of 40 pounds and carried on person.

Step three – document and validate both your adversary capabilities and your friendly force capabilities. For example, if you have an armed response force, there are likely marksmanship qualification requirements. These requirements represent some level of aptitude, and extrapolating from them should provide you with accuracy/probability at certain distances on stationary and/or moving targets. This data should then be utilised to assess engagement outcomes from different response locations to various adversary delay barriers.

Additionally, the level of protection that the response force receives from defensive positions (DP) they respond to should be annotated and understood. For example, if a DP protects up to 7.62mm rifle then adversary capabilities and effect must be understood. Additionally, documentation and validation needs to be done for all adversary capabilities and actions, such as time delay calculation for circumvention versus mechanical versus explosive breaching on varying delay barriers in and around target locations and likely avenues of approach.

Step four – train all applicable elements that are a part of your internal assessment program. All personnel must be intimately familiar with all site data as it relates to the documentation and validation process referenced in step three. All entities should know what the intended actions are at specific locations and the probability of those actions. A specific and continuous safety program must be integrated and trained for all elements. This will equate to a safe and successfully executed exercise. There are customarily six separate groups that need both standard and specific training: 1) adversary force; 2) response force; 3) controller force; 4) leadership; 5) local law enforcement and military response agencies; 6) site personnel.

Within step four, a program in itself is possible, depending on the detail and depth your program takes on, specifically as it relates to the adversary element. In some cases, creating a dedicated adversary element can create career pathing, elevate morale, provide better tests, enhance the current response force and provide a continuous improvement system.

Step five – scenario development: Create multiple scenarios that provide adequate testing of a facility’s total security strategy architecture (physical, electronic, procedural), both denial and defense in depth. Ensure that these scenarios utilise a strong sampling of adversary attributes/characteristics as previously defined and test the facility from different avenues of approach with variable courses of actions as deemed applicable to provide a quantifiable test of the overall security strategy. This should be done by multiple individuals.

If your adversary element has received mission planning training, then key leadership/management personnel should provide them the target set to go after, general breach location and attributes/characteristics to employ and allow them to create the mission. Having a third party review is also a good practice on occasion.

Step six – establish exercise methodology and control parameters. The following are just a few: security strategy and target reviews; force-on-force; limited scope testing; tabletop; electronic/modeling; hybrid. A combination of exercise methods can be utilised in conjunction, as well as varying frequency levels. A very beneficial and simple first step is to utilise the tabletop method as you slowly progress to a full force-on-force test. This method, in its simplest form, is just laying a one-dimensional schematic on a table, ensuring that all delay barriers, buildings, target sets, response locations and positions are annotated. Once set up and armed with the data from all previous steps, you place pieces on the schematic that represent both the friendly response force and the adversary element. Then, move those pieces at specified durations in line with expected actions derived from the mission that was created by your adversary force and your documentation and validation expectations.

For example, you may simplify your adversary mission by breaking it into controllable events. If so, you would start with “Event 1”, which may equal an adversary raising an alarm on the zone 22 microwave system, central alarm observing an explosion, followed by three armed individuals with backpacks running at a high rate of speed through a hole in the chain link fence located at zone 22. Next, you now know, based off your site data and existing schematic, that it will take the adversaries approximately 25 seconds until they reach a second fence and/or gate based on their route of travel.

Like chess, you move your adversary pieces to that location. You then move all friendly forces 25 seconds forward in their response actions based on their current location when drills started (this is a tabletop, however using the on-duty response personnel’s current locations when starting your tabletop is a good strategy to provide realism concerning location and time lines). You then continue this back-and-forth movement for specified durations until target set is achieved or the adversary is neutralised.
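The back-and-forth movement described above can be recorded as a simple timeline. The following is an added illustration, not part of the original article or any program it describes: only the 25-second first event comes from the text, while the remaining durations, the position names (DP-A, DP-B) and the responder travel times are constructed sample values, and the model only checks whether a responder is in position in time, not the engagement outcome.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    name: str                  # controllable adversary event on the schematic
    duration_s: int            # validated adversary time for this event (step three data)
    covered_by: Optional[str]  # defensive position able to engage during this event

@dataclass
class Responder:
    name: str
    position: str   # defensive position this responder moves to
    travel_s: int   # time from on-duty location to that position

def run_tabletop(events, responders):
    """Advance both sides event by event; return (outcome, clock_s, log)."""
    clock, log = 0, []
    for ev in events:
        start, clock = clock, clock + ev.duration_s
        # Move every friendly piece forward by the same duration, then see
        # who is already in the covering position before the event ends.
        in_place = [r.name for r in responders
                    if r.position == ev.covered_by and r.travel_s < clock]
        log.append((ev.name, start, clock, in_place))
        if in_place:
            return "interrupted", clock, log
    return "target set achieved", clock, log

# Constructed sample data; only the 25 s figure is taken from the article.
EVENTS = [
    Event("Event 1: zone 22 fence to second fence", 25, None),
    Event("Event 2: breach second fence", 40, "DP-A"),
    Event("Event 3: cross yard to target building", 30, "DP-B"),
    Event("Event 4: breach target door", 45, "DP-B"),
]
RESPONDERS = [
    Responder("R1", "DP-A", 80),
    Responder("R2", "DP-B", 90),
]

if __name__ == "__main__":
    outcome, clock, log = run_tabletop(EVENTS, RESPONDERS)
    for name, start, end, in_place in log:
        print(f"{start:>3}-{end:<3}s  {name}  in position: {in_place or 'none'}")
    print(outcome, "at", clock, "s")
```

Re-running the same events with the on-duty locations from a different shift shows how much margin the response timeline has before the target set is reached.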

Step seven – conduct exercise and after-action review. Whether you’ve opted to run a full-blown exercise or decided on a more simplified phased approach, you are about to receive invaluable data on whether you are “hardened or penetrable”. You are also about to receive invaluable data on the self-assessment system you just created and within every step or module we discussed. This data is always going to be present every time you conduct an exercise, no matter to what degree; this allows you to achieve a continuous quality improvement program within your organisation that will continue to evolve as you do and as more data is put within it.

Lastly, you are left with opportunity areas that can be categorised into three buckets: Electronic, physical and procedural. You will then likely have the ability to remedy these areas – that remedy will be in the form of, generally, two categories: Recurring cost or capital expenditure. It is my belief that as security professionals, our job is to be proactive in ensuring appropriate security posture while attempting to mitigate negative impact on our parent company’s core profitability. Thus, everything you address should be looked at through a final lens of “effective – efficiently”.


By Eric F. Wilson, CEO, Global Security Solutions, LLC, USA

This article was originally published in the December 2022 Influencers Edition of International Security Journal.
