Assessing Risk in Critical National Infrastructure

Assessing risk in critical national infrastructure


18 Jan, 2024

Get in touch

    Input this code:captcha

    See our privacy policy.

    Assessing risk in critical national infrastructure


    18 Jan, 2024

    The Centre of Protection for National Infrastructure describes critical national infrastructure (CNI) as “facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends.  It also includes some functions, sites and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public.”

    There are thirteen sectors identified as part of CNI: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, Water.

    ATG Access provides third-party accredited products for perimeter protection and entrance security on CNI sites. Each CNI site is unique and has a set of identified risks and vulnerabilities. The aim of designing a physical security scheme is to remove residual risk for the protection and security of CNI and all of those operating within.


    Where to Start When a Residual Risk is Identified

    Designing a security scheme can seem incredibly daunting but, no matter what the threat, the three main addressing principles to consider are as follows:

    • To Deter – implement measures on-site to stop or displace an attack
    • To Detect – verify an attack and initiate an appropriate response
    • To Delay – prevent the attack from reaching the asset; this includes taking measures to minimise the consequences of an attack.

    The idea is that solutions and measures can be implemented to mitigate an attack. Then, where appropriate, response plans can be exercised involving all relevant stakeholders and on-site operational plans.

    A successful security scheme can be achieved as long as these three principles are kept at the epicentre of any mitigation strategy.

    When first starting the process, it is best to approach your local Counter Terror Security Advisor (CTSA). They can assist you in beginning the process and point you toward the relevant security professionals for your particular site.


    Understanding “Threat” and “Risk”

    The starting point for a security scheme must always be a threat and risk assessment to understand what you are dealing with. To do this, you need to understand “threat” and “risk”.

    The Intention and Capability of potential terrorists or criminals create a Threat to your asset. When isolated on their own, “Intention”, or “capability” are not a threat.

    For example:

    A police-authorised firearms user with guns in a public place has the capability to cause catastrophic loss of life. But they don’t have the intention to do so. Therefore, they are not a threat to the public.

    The Impact and Likelihood of the threat manifesting constitute a risk.

    The impact must be considered against people, property and reputation or a combination of them all, the likelihood is very subjective and additional intelligence and the current UK Threat Level (currently severe), will help to inform this part of the process.

    Once the risk in understood a vulnerability assessment will need to be carried out by physically surveying the site to establish what, if any, existing mitigation measures are in place to prevent the threat and risk from being realised. This covers everything from guard force, CCTV, physical security measures and cyber security.

    It’s important to remember that the vulnerability assessment is about the current situation and not any proposed solution. Once the existing exploitable vulnerabilities have been assessed, you are left with the residual risk to each of the identified threats. The residual risk is what you need to focus on and then match to a proportionate solution which mitigates, manages and minimises the possibility of a successful attack by terrorists or those with criminal intent.


    Understanding “Threat” and “Risk”

    As with everything with a cost, budget is a huge factor. Especially given the current economic environment. Security can be delivered to suit any size of budget. It is important that whatever the budget, it is utilised to deliver a wholly cohesive and effective physical security scheme – not to be used to ‘pick and choose’ elements of a scheme as this can lead to gaps and vulnerabilities.

    Most of all, it is vital that if a risk has been identified, this is not ignored due to budget constraints. This comes down to responsibility; manufacturers within the industry have a responsibility to clients to ensure that appropriate measures are suggested and that propositions are proportionate to the scenario presented.

    Investment in security is like investment in insurance, you do not need it till you need it. However, investing in security might pay dividends by a reduction in insurance premiums, against criminal acts or terrorism. Meanwhile, it is important that the perception of investment in security measures is changed and decisions are not made reluctantly but, instead, with a mind on the safety, security, and responsibility towards people and assets.

    It is imperative that the far-reaching consequences are understood should a security breach or attack happen. This should form the basis of investment.