Computer surveillance

March 4, 2016 ICISSM Leave a comment

Computer surveillance is the act of surveillance of people’s computer activities without their knowledge, by accessing the computer itself. Computers make excellent surveillance tools because they can do things without their owners’ knowledge or consent. Most computers have connections to networks, which can be exploited (through security cracking) to gain access to any confidential data that may be stored on the computer. Additionally, if someone is able to install certain types of software on a system, they can turn it into a surveillance device.

Surveillance techniques

Packet sniffing is the monitoring of data traffic into and out of a computer or network. A packet sniffer is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications. In some networks, data transmissions are sent only to the machine they are intended for, while in others, transmissions are broadcast to all machines connected, but processed only by the target computer. In the latter cases, it is possible to packet-sniff a computer by simply using another computer on the same network, without needing to place any software or equipment on the surveiled machine.

A surveillance program installed on a computer can search the contents of the hard drive for suspicious data, can monitor computer use, collect passwords, and even report back to its operator through the Internet connection. The most common, surely, are commercial spyware designed to collect marketing data. But, such programs are not limited merely to data collection; they can also use more malicious tactics, such as removing or modifying the data. These last are often called viruses, logic bombs, and, generally, malware.

Physical (hardware) surveillance devices (“bugs”) are also possible. A relatively simple bug is a keystroke logger implanted in the keyboard, perhaps broadcasting the key stroke sequence for pickup elsewhere. More sophisticated and more easily detected devices with access to more information can also, in theory, be inserted into, or onto, the computer itself. The disadvantage of hardware devices is that placement and retrieval requires physical entry into the place where the computer is stored, and thus almost entirely restricted (legally) to law enforcement agencies equipped with search warrants, except in situations in which such warrants are not required or may be kept secret.

It is possible to surveillance a computer from a distance, with only commercially available equipment, by receiving the radiation emitted by the CRT monitor. Even the high frequency noise emitted by a CPU includes information about the instructions being executed. More directly, researchers have also found that, for most computer keyboards, each key emits a slightly different noise when pressed. The differences are individually identifiable under some conditions, and so it’s possible to log key strokes without actually requiring logging software to run on the associated computer. Another method of surveillance of a computer use (key strokes, display images, etc) is video cameras, which are becoming small enough to be easily hidden from casual inspection in which case the surveillance can be surreptitious.

Installing surveillance software

The simplest way to place surveillance software on a computer is to gain entry to the place where the computer is stored and install it from a compact disc, floppy disk, or thumb drive. This method shares a disadvantage with hardware devices in that it requires physical access to the computer. A more difficult method is to package the software as a computer virus or Trojan horse. This tactic has the advantage of potentially subjecting multiple computers to surveillance. However, if the virus is allowed to proliferate, it will become a target of antivirus programs, which will allow the software’s removal from affected computers. Another method is to use security cracking to gain access to the computer over a network. An attacker can then install surveillance software remotely. Servers and computers with permanent broadband connections are most vulnerable to this type of attack.

Protection against surveillance

A firewall controls network access to a computer, offering some protection against crackers if properly configured. Unless it controls outbound communication as well, this offers only very limited protection against surveillance even when otherwise properly configured and operating. A highly attractive surveillance target may face highly skilled attempts at physical entry to install software or hardware. Thus, to be truly protected, such targets should be protected by measures such as reinforcing doors, windows and other potential entry points. Password protection can also be effective, particularly if provided by the BIOS during booting. Protection against remote surveillance of radiation emissions is more difficult. Some software has been designed to alter fonts to minimize radiation. The only certain measure at other than exorbitant cost is the purchase of a specially shielded monitor. In the extreme, use of Faraday cage techniques to prevent escape of electromagnetic radiation from equipment out of a physical volume is possible, though expensive.

Cables can be a serious security problem. They carry signals (e.g. printing and display devices, modems, etc) from a computer to other devices and from other devices (e.g. keyboards, mice, scanners, modems, etc) to a computer. They also carry signals between computers. Some cables can be remotely tapped without physical contact; some can be tapped with physical access to the cable, and so on. That cables are often installed in such a manner as to be invisible throughout much of their run (e.g. in plenum spaces, within walls, between floors, etc), they are more vulnerable to physical tapping than is commonly appreciated.

Wireless connections between computers, between computer components (e.g. keyboards, mice, printers, modems …) are an even larger security problem. Many wireless installations are improperly configured at installation and remain unchanged for long periods. This has inspired such things a war driving and Internet lists of insecure wireless access locations. Still worse in some sense, some wireless security protocols are fundamentally flawed, and so are insecure, even when ‘properly’ configured. As new wireless standards are developed with greater range and higher speeds, the requirement for more secure protocols and proper configuration of them will increase.

Other side channel attacks are possible and must be dealt with individually. For instance, power monitoring can provide information about computer use and power monitoring of the CPU itself can provide a good bit more. Filtering and conditioning of power lines can help as can physical isolation of hardware preventing installation of power monitoring devices for the CPU, disk drives, etc.

Challenges in Security Training after the PSAR Act

March 4, 2016 ICISSM Leave a comment

The Private Security Agencies (Regulation) Act, 2005

By: Capt S B Tyagi, FISM, CSC

Scene before passing of PSAR:

The field of security is still in the early stages of growth and evolution in India. Many changes have occurred over the past several years and surely that many more are in store in the years ahead. Even the term used to label the field, let alone, the definitions have undergone changes. Are the security professionals involved with security, safety, and loss prevention or risk management? The correct answer is “all the above”! As the field becomes more professional, the duties of the security practitioner become more complex and encompass a far wider range of responsibilities. No longer is security saddled with a night watchman’s image!

Now when Indian industries are ready for globalization, Indian markets opening up to multinational companies, and, when India is poised for the new millennium eager to become a superpower, there is a dire need to have the standardization in the subject of industrial security management so that industrialists and investors feel safe while opening up new ventures in India.

“The private security business employs more people than the police forces of all States combined and pays to the exchequer Rs. 10,000 crore by way of service tax, provident fund and contribution to the Employees’ State Insurance Corporation.” – The Hindu: 04.12.2006

It is not that there were no training needs for security professionals before PSAR. There were security agencies, there were contract security personnel and then there were proprietary security in many PSUs. Then there were DGR sponsored security agencies providing ex-servicemen. They all needed training!

Contrary to the common concept in India that the ex-armed force / police officers make good security executive, I realized first-hand that it is not so! In fact these ex-officers do not have essential qualifications, experience and the attitude to be successful security executives. The experience, qualifications and the training these officers get are not desirable in the field of industrial security management. Therefore these security personnel need to unlearn more then the learning to come out of fixed mindset working only in confined and constrained environment and straight-jacketed hierarchical structure, their training needs are found to be very peculiar in which they had to mostly unlearn what was leaned in armed forces so that they freshly approach the subject of industrial security which is different to national security!

As proven by the IT sector, every sector creates it niche and also creates it own trained professionals! The NIIT certification course is not the one given by any university, nor was initially approved by the Government. Same is the case with ‘Aptech”. Their quality of contents and training got the approval of the industry players and soon these certificate courses became eligibility criterion for employment in IT sector. Similarly the ‘Industrial Security Sector’ also created it demand of true security professionals and there supply of trained manpower became scarce. Few training institute got their act together and raised their training standards. All this was before passing of PSAR. There was still no bench-marking, there was no minimum syllabus nor were there any minimum training hours fixed. Mostly this was due to no regulatory authority and sector’s own internal co-ordination and self regulation failed to materialize.

What PSAR says about Training:

Conditions for commencement of operation and engagement of supervisors-

(2) Every private security agency shall ensure imparting of such training and skills to its private security guards and supervisors as may be prescribed: Provided that the person carrying on the business of private security agency, before the commencement of this Act, shall ensure the required training to its security guards and supervisors within a period of one year from the date of such commencement.

Eligibility to be a private security guard-

(1) (d) Has completed the prescribed security training successfully;

(e) Fulfils such physical standards as may be prescribed; and

(f) Satisfies such other conditions as may be prescribed.

Conditions of license-

(1) The State Government may frame rules to prescribe the conditions on which license shall be granted under this Act and such conditions shall include requirements as to the training which the licensee is to undergo, details of the person or persons forming the agency, obligation as to the information to be provided from time to time to the Controlling Authority regarding any change in their address, change of management and also about any criminal charge made against them in the course of their performance of duties of the private security agency or as the case may be, a private security guard employed or engaged by them.

(2) The State Government may make provision in the rules to verify about imparting of required training by the private security agency under sub-section (2) of Section 9 and to review continuation or otherwise of license of such private security agency which may not have adhered to the condition of ensuring the required training.

Cancellation and suspension of license-

(1) The Controlling Authority may cancel any license on any one or more of the following grounds, namely:-

(c) That the license holder has violated the provisions of this Act or the rules made there under or any of the conditions of the license;

Register to be maintained by a private security agency-

(1) Every private security agency shall maintain a register containing—

(d) Such other particulars as may be prescribed.

Framing of model rules for adoption by States- The Central Government may frame model rules in respect of all or any of the matters with respect to which the State Government may make rules under this Act.

What are the challenges for security training?

Training institutes of repute: accreditation by central / state governments
Training infrastructure: bench-marking
Training syllabus: elaborate training hour / subject basis
Training faculties: ranking system
Reading & reference material: Indian publication
Finances involved in separate training activities by Individual security agencies

Training institutes of repute: accreditation by central / state governments

“It is estimated that in the next five years, requirement of private security will increase to one crore security personnel which works out to be nine times the present strength of our Army. The private security industry today is operating in the most haphazard manner totally unregulated and suitable to meet the challenges. The manner in which most of the private security agencies function has become a matter of great concern. Many of these agencies conduct their operations without due care for verifying the antecedents of the personnel employed as private security guards and supervisors,” pointed out Major General Satbir Singh,

“The private security personnel are required to be highly skilled, capable of understanding and using the modem security equipments.” says Singh. – Gurgaon Plus – Digital 8.3.2006

There are many training institute which have mushroomed all over the country post PSAR. Some of them have capitalized the opportunity purely on commercial considerations since training has been given major emphasis in the Act. They will need more seasoning time to earn good repute. One notorious training institute in Deolali in fact issues only the certificate without actually imparting any training.

Training infrastructure: benchmarking

The Directorate General of Resettlement, Ministry of Defense, one government organization which has been conducting security training for ex-armed force officers wishing to start their career in industrial security has failed miserably in it’s attempts. These courses are conducted by sundry Training Institutes (?) with grandiose proclamation of being “International” when they do not have even one room office and classes are being held in evening hours in some local schools! Few other training institutes also conduct training in half-hearted manner.

All the training institutes need to have required training infrastructure including the training aids. It has to be kept in mind that the trainees can not be taught in ‘class room style’. All of them would be mature age, sufficient exposure to the industrial world and will also have some experience in industrial security. Understandably they may not be the brightest of the students as other-wise they would have had better career options but still they can be treated as fresh college students. For this purpose the training infrastructure must be appropriate most preferably multi-media based. Flip charts, overhead projectors etc. are no more suitable. Class rooms also must be suitable for circulation of the instructors and effortless interaction with the participants. They must also have wi-fy networking and suitable for LCD projection with good audio system.

Training syllabus: training hours / subjects-wise

There is hardly any standardization of the contents to be taught to the prospective security personnel in India. The Model Rule did a poor job in framing the training standards. The training syllabus drafted so far by certain states appears to be without practical approach and application of industrial experience. More then by the security professionals these appear to have been drafted by the police officers with foggy idea about security duties being synonymous to policing duties. This may not be the case and at least security professionals know it! In fact in one of the article recently published in ‘Security Today’, one of the retired IG has questioned the justification of keeping the subject of “Crowd Psychology and Techniques of crowd control” in the training syllabus of the security guards. Since it will take some time for ‘dust to settle down’, different training institutes will continue to have their own training syllabus.

The Directorate General of Resettlement, Ministry of Defense, one government organization which could have taken some initiative at-least for the security agencies run by ex-armed force personnel has woefully disappointed in this aspect. It could have but done nothing so far regarding finalizing the security training syllabus for ex-servicemen security guards under their sponsored security agencies.

The DGR made half-hearted attempts to specify the training aspects in their ‘Security Agency Guidelines’. Half hearted in the sense that though there was mention of specific training need in different sectors such as oil sector, mining sector etc, there was no syllabus or training hours specified! Further, there were few courses being run by DGR only to train the officers with the emphasis on how to run a security agency rather then becoming security professionals. The concerned portion from their web-site is reproduced –

TRAINING OF GUARDS, SUPERVISORS AND ASSISTANT/SECURITY OFFICERS

All security agencies have to ensure adequate training to the employees either on their own or through any other training institution. DGR has empanelled institutes for training of Personnel below Officer Rank (PBOR). It is mandatory for all ESM to undergo a prescribed security and fire fighting orientation course. The Armed guards will be specially trained for the following:-

Trained in handling of arms and ammunition.
Specifically be instructed to shoot to restrain/injure fugitive or suspect with a view to enable civil police to take further action in the matter.

The security agencies are required to submit following information six monthly: –

Details of guards, supervisors, assistant security officers as per format laid down in Appendix ‘N’.

Details of training imparted with particulars of institute, date of training and nominal roll of personal training.

Training faculties: ranking system

As much there is dearth of reputed training institutes, there is lack of qualified trainers as well. It is misconception that those who had put on police or armed forces uniform in first career will automatically be suitable for career in industrial security. Similarly it is also wrong to assume that these persons will be god trainer too! Far from truth, these persons in fact are most unsuitable as trainer as they carry the knowledge, experience and understanding of different profession all to-gather! Simply, they travel with heavy baggage. Training needs different attitude and aptitude which not all security professionals possess. The world champions do not become good coaches as good coaches may not be champions ever!

The trainers need to have their annual ratings certified by the industry association in which International Council For Security & Safety Management can take lead. It already has impressive list of trainers and their training skills can be evaluated based on the parameter based honest and confidential feedback from the participants. The trainers need to read and write frequently and attend seminars such as the ones organized by ICISSM or other security associations. Star rating introduced for the trainers thus will improve their training skill and knowledge. Such systems once introduced will gather wider acceptability and respectability for the trainers too and if not others they them selves must collect Training Impact Feedback.

Reading & reference material: Indian publications

While setting up the security department in my organization, and while planning the security arrangements at various project sites, I realized that there is not even a single book printed in India by the Indian author for Indian industrial conditions. Several books by foreign authors are available in the library and in the market. These authors had experience of different industries, operating in different conditions and their Indian relevance is nil.

It is not that Indian security professionals are less educated or intelligent. It is also not that Indian security professionals can not read or write. Still indeed, there are hardly any publication in India which could help guide the professionals and the amateurs alike on the subject of security management. There are few odd elementary books published in recent past by the retired police officers without any experience of industrial security.

There is immediate need to have a reference book with various aspects of security management discussed in detail. There is also need to have “Hand Book for Security Professionals” and “Model Security Manual” based on which specific security needs can be addressed. In this direction IISSM once again can take lead. I am sure these efforts will not only put IISSM as undisputed leader of the Protection Industry, it will generate revenue too sine there is market ready for these publications.

Conclusion

Above mentioned are the proximate challenges of the security training post PSRA and needs of training institutes, training manuals and trainers must be immediately addressed by the industry itself.

Need is within, and, within is the response!

HSE & Security as Composite Function

March 2, 2016 ICISSM Leave a comment

captsbtyagi_1427178618_69

Capt SB Tyagi

Security is part of productivity and profitability

Organizations do not exist just to be secure or safe. They exist to produce or provide goods or services. Customers care about the goods or service—that is why they engage with the organization in the first place (Even where security actually is the goal of an organization it is provided as a complement to another product or activity—protection of property, transportation, etc.). This means that an understanding of the fundamental conditions for security and safety begins with an understanding of the balance between production and protection. Humans normally strive for an acceptable (rather than ideal) level of performance in relation to their goals and resources and to not process all available data is a part of this resource-saving strategy. Consequently, action is guided by an intuitive and implicit trade-off between cost and efficiency or between thoroughness and efficiency.

Security now cannot be seen as ‘cost center’ needing budgets for non-productive systems and plans. Security must not be seen as burden which is evil yet essential! There are issues such as insurance, legal compliances, pressure from stakeholders etc. that meager budget is allocated to security department. Mostly security professionals are to be blamed for this misconception.

It is good security that guarantees secured, hassle-free congenial work atmosphere where all production, operation and maintenance or marketing activities are conducted smoothly without fear or danger. No one can work; forget the best performance, if there are chances of attack by miscreants, theft of costly inventory or law-and –order problems inside the premises or at work-floor areas. loss-prevention, fire prevention & fire-fighting, safety and the safe work environment is related field with the security and that all these put together effect productivity and profitability of the organization.

Good security means good production, which in turn means higher profit!

Synergies between Safety and Security

The synergy between safety and security is very strong even when it is not deliberately pursued. The overall protection of a facility can be very effective when the design features of safety and security measures takes into account the synergy between safety and security. Further mitigation measures can be conducted on-site and/or off-site. These measures are synergetic, however, in case of a security incident, additional measures, focused on prevention of further malicious acts by adversaries, may be required.

For many critical facilities, such as nuclear power plants and large defence and research facilities, the protection of the facility against sabotage will also provide protection against theft of the associated critical materials. Theft of such materials may result in ‘unacceptable consequences outside the facility.

Safety-Security Interface Challenges

Different Paradigm: One of the main differences between safety and security is the type of assessment. Safety assesses natural and unintentional man-induced Hazard to determine how the design, procedures or mitigation measures should be made or implemented in order to maintain safe operation of the facility. On the other hand, Security assesses a ‘Threat’ in order to determine what physical protection is needed or what counter-measures or response should be in place. Hazard assessment is basically a technical issue and requires professional expertise. Threat assessment requires different set of specialized knowledge such as intelligence, investigation skills and expertise.

Another important difference between the two paradigms is use of probabilistic tools in safety in modelling equipment failures and human errors and in the risk informed decision making. Security specialists prefer to use deterministic approach in developing a threat scenarios and counter measures. However, the use of probabilistic approach in security for the assessment of threats is possible but not a common practice in the security community.

Transparency versus Confidentiality: Safety requires high degree of transparency. The most important pillar of implementing safety culture and keeping safe operation of facilities is sharing experience, information and engineering solutions between stakeholders. The public needs assurances that facilities are well protected therefore the transparency is required in sharing and making public some security information. In the other hand, a large part of the security information may be used by adversaries to circumvent security systems and security measures; therefore, this part of security information must be protected and shared only on the need to know basis.

The silos mentality: The silos mentality represents a real challenge for safety and security interfaces. Two factors may be considered as the basis of the silos mentality. The first one is due to the fact that the Management have the full responsibility of safety while security is a shared responsibility where threat assessment and protection against sabotage involves state organizations and in some cases, the security is largely under state responsibility. The second factor is due to the fact that traditionally, safety security specialists have worked in isolation. The challenge represented by these two factors could be resolved by having the same regulatory authority responsible of regulating safety and security. This is consistent with the concept of 3S (Safety, Security and Safeguards) that some countries implement with success.

Security and Safety Complement each other

Security and safety share fundamentally important features as operational activities with the goal to protect people, property, and the smooth economical functioning of organizations and society. In safety-critical industries, safety is seen as the positive outcome of management of problems and trade-offs that are rooted in systems’ complexity, goal interaction, and resource limitations. This perspective has led safety research to shift focus and go beyond individual acts and move to systematic aspects of human, technological, and organizational performance. It involves dealing with problems connected to regulations and standardized procedures, technology and automation, and efforts to understand the impact of communication, group dynamics, leadership, and culture on safety.

In spite of distinct differences in the nature of threats (intentional / unintentional), there are many areas (use of standardized procedures, human factors training, and modelling for increased understanding of adverse events) where knowledge and experiences from safety operations can fruitfully spill over to security. To establish cooperation between these two fields, for example on regulatory and procedural development, training and simulation, as well as operational evaluation, would be to produce synergies not yet known today.

Following approach is suggested –

In-depth Analysis of Security & Safety Functions

Security and safety are concepts that share important features; they both involve the risk of occurrence of events with consequences that may range from trivial to disastrous. Yet as concepts they are also different, with security relating to intentional acts by individuals and safety relating to events caused by unintended consequences of a combination of a host of factors. In safety-critical industries, such as aviation, petroleum, chemical and nuclear industry safety is seen as the positive outcome of management of problems and trade-offs that are rooted in systems’ complexity, goal interaction, and resource limitations. This perspective has led safety research to shift focus and go beyond individual acts (such as “human error”) and move to systematic aspects of human, technological, and organizational performance. It involves dealing with problems connected to regulations and standardized procedures, technology and automation, and efforts to understand the impact of communication, group dynamics, leadership, and culture on safety.

The advancement of security issues in a complex modern society should be able to benefit from the knowledge gained through safety industry operations in the field of Human Factors. This knowledge has the potential to make security more safe (for those who design and implement security measures as well as for those who are subjected to them) and effective (in terms of time and resources spent on security measures).

Role of Security in Contingency Planning

The dictionary definition of contingency plan is:

Plans or measures made to handle a particular situation, should it arise.

From this it is possible to infer that every conceivable situation should have a contingency plan. This is not a practical inference and contingency plans, whilst tailored to specific situations, must have some element of flexibility and scope for generalization. The basic framework for a contingency plan should contain provision for –

Containing the emergency
Protection of lives and property
Re-establishing normal operations as soon as possible
Limiting the “after effects” of the emergency
Meeting legal requirements

Since any contingency plan involves coordinated activities from various quarters, the contingency plan should provide for the involvement of:

The Security Team
The workforce
Safety and Environmental Specialists
Emergency Services
Other companies within the area or within the industry
Local Authorities
The Public

Security Department plays very important functions in any contingency planning. When an emergency arises there is a need to evacuate personnel. Depending on the premises and the – situation this can be a simple or a complex operation. In case of evacuation, the coordination of Security and Safety is very necessary as one executes the evacuation plan as per the requirement of other! It is Safety Department which will decide the nature and location of evacuation but it is Security Department which will execute the evacuation exercise with effective traffic management, head counting and verifying that evacuees are moved to safe locations in shortest time. In general the situations are:

Evacuation of persons from their place of work. This is straightforward but should be well drilled.
Evacuation of staff and customers from a retail store or similar premises. Provided the staff is well trained there should be little trouble but provision must be made for the customers who may be elderly, sick, disabled, prone to panic, very young etc. Since fire- fighting team will be busy and Safety Officials will be supervising the entire evacuation drill, it becomes duty of security in-charge to oversee and execute the evacuation drill.
Evacuation from Institutions. Staff in these situations is trained to deal with the type of inmate involved and generally the contingency plan will reflect this. Security team will have role such as area cordoning, area search and traffic management.
Evacuation from places which are open to the public. There are difficulties to categories but would include places of worship, museums, public open spaces such as bus stands and railway stations, beaches etc. Generally members of the public would exceed the numbers of staff present if, indeed, there were any staff present at all. In such places successful evacuation depends on good communication. Panic can easily occur and the casualty level from an ill-conceived evacuation can potentially exceed the casualty rate of the incident itself. Head of Security does the effective liaison and coordination with public authorities.

Involvement of Security in Evacuation

There are two broad causes of evacuation.

Fire or similar tangible incident – exclusively handled by Fire and Safety Team
Bomb threat or other intangible incident – handled by Security Team initially, will have potential where Fire & Safety Team steps in eventually

Each has certain characteristics that are not compatible and one plan cannot be used for both. The contingency plan will cater for both types of evacuation as well as a partial evacuation. Re- entry following evacuation of a building should also be part of the contingency plan.

Here also Security Team has very important role to play and that is of access control which ensures that only those are permitted in which have reasons to be inside as resuming the operation is most critical phase of business resumption. An evacuation is ordered when there is an immediate danger. Sometimes this danger is not readily apparent to the evacuees and therefore degrees of danger must be established.

Defined Role of Security during Fire evacuation

One requirement of the sound safety drill is that no person should have to move towards a fire in order to evacuate. To this end, escape routes must be planned and routed, directly to the open air. In a fire evacuation the Security Staff will have additional duties. Because of the evacuation additional exits will be used. These exits are often left open after evacuation and, depending on the nature of the business, may attract the opportunist thief. Part of the contingency plan should involve the perimeter security of the building or plant that may have been breached. One member of the Security staff should be nominated as Fire Brigade Escort. This duty is particularly important in a large industrial complex. The officer detailed should have the following information available:

Where the fire is situated.
Details of best route to the fire.
Details of any special hazards e.g. unprotected trenches or manholes etc., scaffolding, broken clown vehicles, construction work.
Location of water supplies, risers, inlets etc.
He should also be in possession of any keys needed to access the area.
Details of any persons not accounted for.

Relation to Regulation, Standardization, and Procedures

Economic theories of human behavior provide us with some understanding of its potential problems with regards to security and safety. A seemingly reasonable response would then be to try to control human behavior. This means using laws, regulations, standardized procedures, manuals, guidelines, and other similar means to increase the reliability of human behavior and limit the risk it may induce in systems. Industry has a long tradition of negotiating regulatory frameworks that can ensure a high minimum level of safety. Manufacturing and maintenance, medical and other requirements for employees, selection and training as well as practically all operational aspects are guided by extensive regulation and enforced by nodal authorities. The regulations stipulate that all operators also should have standard operational procedures (SOPs) for all aspects of operation. These standard operating procedures must be regarded by all employees as the main source of safety and security operations. The approach of merging the function of HSE&S will have following cyclic activities –

Summary

Even British Safety Council advocates the comprehensive role and responsibilities clubbed as HSE & S. Their approach is that even when there are legal compliance issues and pre-qualifications of Safety Officers and Fire Officers are mandatory, the leadership of the composite function can be from either mainstream function that is from either security, safety or fire-fighting which all are with minimum qualifications and subsequent hands-on experience and professional practice. The subject of Environment is heavy on study of the subject, formulation of policies and co-ordination and auditing and can be given as additional responsibility to professional from aforementioned stream.

Extensive experience in the chemical industry with on-site emergency planning has provided the need and value of rehearsal of emergency procedures. The organization responsible for developing off-site plan should also test its arrangements in conjunction with on-site exercise. Table – top rehearsals have proved successful in such cases although often requiring sufficient elements of reality in the exercise. Practice Drill (Please don’t call it Mock Drill!) must be conducted with all the sincerity and importance.

The Government of India had recently moved in the direction of merging the HSS&E functions when it rolled-out its Safety and Security Rating System. It had included 19 Key Performance Indicators for security and safety in chemical plants and applicable to petrochemical, and petroleum industries also. These KPIs are to be used as an assessment tool for rating the Chemical organizations in respect of the practices followed by them. The document envisages a star rating system to grade the chemical plants according to their performance. The government’s thrust in this direction indicates that serious thoughts are given in accepting security and safety as composite functions and inclusion of health and environment will be a logical conclusion. Every member of the Industry needs to be ready to respond to the demands of the safe practices and should be equally ready to face the contingencies.

Goethe has once said, “Let everyone sweep its doorsteps and world will be a cleaner place.”

“How to Maximize Security with Existing Infrastructure”

March 2, 2016 ICISSM Leave a comment

Capt SB Tyagi

The environment, in which the Security operates, has changed beyond Untitled recognition. The ease of travel, more open borders and digital technologies have globalized criminality, making it far harder to contain and prosecute. Terrorism, of course, is notoriously borderless. But globalization has also massively expanded opportunities for organized crime. And technology, by spawning new kinds of crime while facilitating the traditional variety, is helping lawbreakers become ever bolder and more difficult to track down.

The shelf-life of security technology and the functional life of security systems have been severely challenged by fast paced innovations and newer technology. Today’s technology is on the verge of obsolescence and yesterday’s technology is obsolete already! The investment on security systems and measures are directly linked to ROI and the operational life of the security systems.

One of the biggest challenges enterprise and public sector organizations face is in leveraging existing infrastructure like video surveillance to deliver more value, better situational awareness, and faster threat recognition and response. We need to gain a better understanding of today’s challenges and best practices in video surveillance and physical security, and how they can maximize existing security assets while minimizing risk.

We need to learn how the combination of PSIM, behaviour recognition technology and video surveillance can improve existing security infrastructure as well as gain insight on how data can be analysed for dramatic improvements in situational awareness, response and resolution.

To maximise the security with existing infrastructure, following are the essential ingredients –

Thinking out-of-the-box!
Innovation and application
Know your inventory
Know your technology
PSIM
Predict and improve through analytics
Data storage – cloud computing
Trust the team
Optimize ways of working
Enhance collaboration
Proactively manage changes

Physical security information management (PSIM) is a category of software that provides a platform and applications created by middleware developers, designed to integrate multiple unconnected security applications and devices and control them through one comprehensive user interface. It collects and correlates events from existing disparate security devices and information systems (video, access control, sensors, analytics, networks, building systems, etc.) to empower personnel to identify and proactively resolve situations. PSIM integration enables numerous organisational benefits, including increased control, improved situation awareness and management reporting. Ultimately, these solutions allow organisations to reduce costs through improved efficiency and to improve security through increased intelligence.

A complete PSIM software system has six key capabilities:

Collection: Device management independent software collects data from any number of disparate security devices or systems.
Analysis: The system analyses and correlates the data, events, and alarms, to identify the real situations and their priority.
Verification: PSIM software presents the relevant situation information in a quick and easily-digestible format for an operator to verify the situation.
Resolution: The system provides Standard Operating Procedures (SOPs), step-by-step instructions based on best practices and an organization’s policies, and tools to resolve the situation.
Reporting: The PSIM software tracks all the information and steps for compliance reporting, training and potentially, in-depth investigative analysis.
Audit trail: The PSIM also monitors how each operator interacts with the system, tracks any manual changes to security systems and calculates reaction times for each event.

A key differential between PSIM based integration and other forms of physical security system integration is the ability for a PSIM platform to connect systems at a data level, contrasting other forms of integration which interface a limited number of products. PSIM allows use of open technologies which are compatible with a large number of manufacturers. These PSIM products offer more opportunities for expansion and can reduce implementation costs through greater use of existing equipment. PSIM solutions in general are deployed to centralize information to single or multiple control hubs. These are referred to as control rooms or command and control centres. Security systems typically integrated into a PSIM solution include;

Access control systems
CCTV
Fire detection
Video wall
Intrusion detection system
Perimeter Intrusion detection system
Radar based detection
GIS mapping systems
Intercom
Automated barriers & bollards
Building management systems
Lighting control system
Power Monitoring System

Behavioral Recognition Systems: It is Behavioural Analytics technology that analyses video content by imitating learning and memory processes of the human brain. This fully automated scalable surveillance technology is different from all Video Analytics systems since it is able to autonomously detect abnormal behaviour in real time, without the need of human intervention. The computer software utilizes the behavioural Analytics technology, which monitors a scene through each camera separately and learns on behaviour. This system combines computer vision with cognitive machine learning processes, and it develops patterns for different classes of objects. These patterns later become rules for the system that autonomously detaches normal situations from those that can be possible threats.

Functionality

Reason-based system: Unlike the traditional, rule-based system, Behavioral Analytics is the reason-based system that enables a machine to learn what is abnormal, without human pre-programing. By decreasing the number of alerts, it helps security officers to perceive more threats in real time.
The Entire Field of View Analysis: BRS analyses the total field of view through each video camera in closed-circuit television system, despite certain difficulties, types of equipment or specific conditions on a scene.
Continuous Learning and Modifying: Unlike the traditional video surveillance rules-based technology, BRS permanently learns and registers when some changes occur, so any on-going programing is not necessary.
Open Standards: It is the “open standards” system which enables it to cooperate easily with different infrastructures, both the existing ones and the new ones. This video surveillance technology has been deployed globally across critical infrastructure facilities, intelligence agency applications, urban areas, seaports, financial institutions and others.
Easy Installation: BRS needs maximum of a few days for the complete hardware and software installation, regardless of the number of cameras that need to be connected into the system and without any changes on the client’s site.

Moving your Infrastructure to the Cloud:

In all probability, the CCTV system needs largest storage space. The need increases with advent of HD cameras. A typical CCTV System with 140 cameras of fixed focal and 10 DH cameras, the storage needed for 30 days recording with reduced frame rate is 20 TB approximately. With the number of HD cameras and the types of video analytics increase, the storage space goes for quantum leap! In such scenario the cloud computing is better alternative.

With Cloud Computing becoming more widely utilized, it is important for organizations to understand ways to maximize benefits and minimize risks of a move to the cloud. Buyers need to appreciate that assessing individual providers is critical to the success of Cloud Computing programs.

How to Finish IS in India even before it enters?

March 2, 2016 ICISSM Leave a comment

As the Shia-Sunni mutual bombings and state-led events in Pakistan, Syria, Sudan, Yemen and several other countries have exposed, the poison once aimed at the so-called “non-believers” is threatening to become a pandemic affecting Islamic nations themselves, in addition to ballooning into a global threat. Coptic Christians, Yazidis, Kurds and Shias have been facing the brunt of IS. Countries like Iraq, Iran, Yemen, Jordan, Kurdistan, Turkey and Kuwait face proximate threats from IS. The countries under threats of attack by IS are US, UK, France, Australia, Canada, Egypt, Russia and India.

India faced with rising Muslim population projected to gain majority status in 2050, is declared battle ground for Muslim jihadis claiming the ‘Gazba-e-Hind’ – the last Muslim crusade before world dominance will be fought in India. India is also the largest country with highest population of Kafirs (non-believers) who need to be defeated to bring ‘Khurasan’ to reality. The term ‘Khurasan’ refers to a region that encompasses large areas of Afghanistan, Pakistan, Uzbekistan, Tajikistan, and Iran. Jihadists consider the Khurasan to be the area where they will inflict the first defeat against their enemies in the Muslim version of Armageddon. The final battle is to take place in the Levant – Israel, Syria, and Lebanon.”

Till date ISIS:

has a territory bigger than Great Britain;
have about 8-10 million people with them;
has launched over 3000 attacks so far.
Abu Bakr Nazi’s book on “Management of Savagery” (2004) offers the role model for the ISIS.

Footprints of IS are seen and footsteps heard in our neighbourhood. Entire countries security forces and agencies involved in maintaining law and order were disturbed last year when few youth from Maharashtra were reported to have been in Syria and involved in IS activities. It was matter of big concern last year when few Indian young men joined IS in faraway shores. Now what is more worrisome is about attempted entry of IS.

Bangladesh has seen footprints of IS and even when its government disagrees, it is clear to the world that not only its elements are present in Bangladeshi soil, they have striking capabilities too. The Islamic State group now claims to have appointed a leader in Bangladesh as its fighters continue to threaten attacks across the globe. The claim comes in the latest release of Dabiq, an online magazine published by the militant group’s propaganda wing. Militants also claimed responsibility for downing a Russian airliner over Egypt’s Sinai Peninsula on Oct. 31. Both attacks, for which ISIS claimed responsibility, were seen to signal that the group based in Syria and Iraq is planning attacks around the globe even as it has lost territory in the Middle East in recent months.(1)

Pakistan is breeding ground of generic muslim terrorists and all the indications are that IS is very much active in Pak with strategic partnership of local jihadi groups. In September 2014, Faridullah Khan, a DW correspondent in the Pakistani city of Peshawar, confirmed the IS was looking to gain influence in the nuclear-armed Islamic country. IS has made an appeal to the local population to support its “struggle for the establishment of an Islamic caliphate.” A former Pakistani Taliban spokesman Shahidullah Shahid can be viewed announcing pledges of allegiance to IS on behalf of leaders of various extremist groups in Afghanistan and Pakistan. (2)

Islamic State’s Sri Lankan outreach is well documented. In recent months, there has been growing evidence of actual and attempted outreach by the Islamic State into Sri Lanka, presently struggling to recover from a three-decade long conflict between its Sinhalese and Tamil ethnic groups. One of the most significant developments was the news of two Sri Lankan nationals fighting with the Islamic State in Syria and Iraq. One such report, in July 2015, indicated that a Sri Lankan national Mohamed Muhsin Sharfaz Nilam (a.k.a. “Abu Shurayh al-Silani”), was killed while fighting in Raqqa, Syria. Many fast shifting situations in Sri Lanka provide an opportunity for Islamic State, which has been attempting to spread its influence beyond its base in Iraq and Syria. (3)

In Myanmar, experts have warned that Islamic State may now be recruiting fighters and families from the persecuted community of Rohingya Muslims fleeing Myanmar, as the terror group looks to expand into wider Asia. Myanmar has tightened security in its border areas following reports that several members of the Islamic State have travelled through neighbouring Thailand. (4)

What Experts Suggest on Eradicating IS in India

KPS Gill:

The overall security architecture will have to be urgently strengthened.
Approach at psychological or philosophical levels will not do.
Presence of positive forces needed in social media.

Arif Mohammad Khan:

Was hopeful that ISIS movement would not last.
Arab World will have to be firmly told that violence cannot be supported by lies and that to curb the ISIS was beyond our capability.
ISIS was only the symptom. The disease will have to be treated.
Ideology of IS needs to be challenged.
It is time for revolution in Islam.
Muslims must remove bad interpretation of Islam.
Interpretation of Jihad in Islam must change.

Prakash Singh:

The ISIS ideology will have to be challenged – the central dictum.
Remove Islam from time warp.
Grand Imam believed the ISIS was making wrong interpretation of Islam.
It would be good to influence the Urdu Press against the ISIS.
Need to encourage moderate Muslims, who are living in a state of denial.
Educating the Muslims – reforming the Madrassa education is long overdue.
To try de-radicalisation programme on the Austrian model.
To strengthen the security architecture, followed up by adequate legal framework.
Revamping of security architecture needed to face IS threats.
Modernization and strengthening police force.

P C Haldar:

The de-radicalisation programme will have to be very carefully chalked out. Otherwise, it may boomerang. That is, counter-de-radicalisation will also have to be planned.
While strengthening the security architecture, the issue of police-public ratio will have to be duly taken care. That is, there has to be some kind of perspective planning.
ISIS have already raised enormous amount of money.
Need to use social media which the ISIS has been very fruitfully doing.
Encourage moderate Muslims.

More Suggestions:

Suitable course lessons for schools.
Need for adopting the Uniform Civic Code.
Moderate Muslims are not ready to come forward. They have to be brought on Board.
Need to check/control free flow of finance to the ISIS jihadis.
Input from the organisers:
- A 32-page Urdu document recovered in a Pak village reconfirmed that the ISIS wanted to trigger off a movement from the Indian soil aiming at the end of the world.
- The primary objective of the Seminar was not to fight violence with violence but to fight off the ISIS both at the psychological and philosophical level.
- There was now a great need for getting educated Muslim ladies in this movement to counter the ISIS. That it would be a long term affair.
- For tackling the problem, it would be a good strategy to work in small areas first and then expand.
- More Seminars will need to be organised at different places at reasonable intervals.

How to eliminate Islamic State?

March 2, 2016 ICISSM Leave a comment

It was jokingly said that whereas all the countries have armies, it is Pakistani Army which has got the country. Soon same expression underwent change and in reference to Nepal it was said that, ‘all terrorists aspire to rule a Nation whereas now ruling is to nationalize the terrorists in Nepal! The Maoists were not even comfortable in changing role they were to play from terrorists to ruling outfit that something dramatic has happened in Syria and Iraq!

ISIS Map The Islamic State of Iraq and Syria (ISIS) declared the areas it occupies in Iraq and Syria as a new Islamic state, removing Iraq and the Levant from its name. ISIS declared its territories a new Islamic state with ‘restoration of caliphate’ in Middle East. It is now known as Islamic State of Khorasan. The Militants named Abu Bakr al-Baghdadi as Caliph in a move representing ‘new era of international jihad’. The announcement will see ISIS now simply refer to itself as ‘The Islamic State’.

In recent fast paced advances, IS has captured large areas of western and northern Iraq and for two years has held parts of Syria, imposing a harsh interpretation of Islamic law and in many cases, killing large numbers of opposition Shia Muslims.

The Israeli Prime Minister, Binyamin Netanyahu, has voiced support for Kurdish statehood, taking a position that appears to clash with the US preference to keep sectarian war-torn Iraq united. Netanyahu has called for the establishment of an independent Kurdistan as part of a broader alliance with moderate forces across the region, adding that Israel would have to maintain a long-term military presence in the West Bank even after any future peace agreement with the Palestinians. This posturing will lead to more deaths and destruction.

We have much more mayhem and madness to witness before order is restored in the region!

Islamic Concept of Nationhood

Attempt is to highlight and analyse the fast expansion of IS and the real explanation lies at the heart of Islam, which combined spiritual and temporal power in one hand. One can only preface any attempt further by saying that, ‘It’s Not The “Occupation” – It’s Islam’, while forcefully exposing certain aspects of Islam, not seen generally. All need to understand the malaise of violence that is clearly embedded in Islam as a religion.

But all the empty words about the “Occupation” and the “Cycle of Violence,” the invocation of a peaceful solution that is always about to arrive, but never does, and the maps that cede more territory to terrorists are addressing a problem that doesn’t exist.

It’s not about physical territory. It’s about spiritual territory. It’s not about nationalism. It’s about Islamism.

This point is the corner stone of activities of ‘Hamas’, the terror group that is not a Palestinian nationalist organization, though it occasionally plays the part. Its charter begins with Allah and ends with Allah. Article Five of its charter states that the group extends to “wherever on earth there are Muslims, who adopt Islam as their way of life.” Its goal is to create an Islamic state. Everything else is secondary.

How much India is affected?

According to a saying attributed to Prophet Muhammad, the “End of Time” battles would start after victory in the East, which then meant Khurasan. Geographically, Khurasan included part of modern Iran, Central Asia, Afghanistan and parts of Pakistan. To these, ISIS has included not only Iraq, parts of Syria as well as Gujarat in India.

Solutions to IS Menace

There are two ways of looking at the worldwide plague of Muslim terrorism. One is to treat every Islamic conflict with Christians, Jews, Buddhists, Hindus and a dozen other religions as being due to some local political grievance of recent vintage. The other is to understand them as local expressions of a historical religious war and the continuation of the wave of conquests that made Islam into a worldwide religion.

There is no political solution to a supremacist conflict. Solutions begin with truth. The truth is that Islamic violence is not recent or exceptional. The murder of Jews by Muslims, whether in Israel or Belgium, is not any different than the Muslim butchery of Christians. Hindus, Buddhists and even minority Muslim splinter faiths. These conflicts cannot be resolved through appeasement. They can only be addressed through resistance.

There can be no peace until Muslims understand that the Mohammedan conquests were a genocidal atrocity that destroyed entire peoples and cultures. Only then can they honestly condemn IS for trying to repeat those atrocities. And only then will they be able to live in peace with the rest of the world.

The world cannot do anything about this, and especially by demonizing Islam – as the West sometimes tend to do. This is an issue internal to Islam and will be addressed only when enough Muslims begin to see the dangers to themselves and their faith from this”, and the current one, appears striking. The current report states, “It is the conquerors who must come to terms with the horrors that they have inflicted through a campaign of colonialism and ethnic cleansing and seek the forgiveness of their victims”.

One section of experts on the subject advocates that these conflicts cannot be resolved through appeasement and can be addressed only through resistance. Therefore, we are faced with what action, if at all, lies with us. We do not see, notwithstanding a very limited few among them exposing the faultiness of Islam, realistic possibility of any significant percentage among those enlightened section in that community, prevailing upon their brethren to think out of the boundary laid-down by their Prophet.

The big powers, which had formally called off the “war on terror” and started addressing the Islamic insurgents as only extremists, have not yet appeared in the scene effectively – specially USA – may be because of the lessons learnt in Afghanistan or Iraq. Some are also busy in managing their home turf, having an ostrich-eye view all these years.

But, the situation unfolding here now, with The Islamic State having called upon all Muslims to join them, is too close to we in India, with Gujarat being specifically included in their scheme, to ignore its full significance and ramifications We do hope security strategists, both in the government and outside, are breaking their heads over this.

Following needs serious consideration and quick implementation –

Presence of positive forces needed in social media. Need to use social media which the ISIS has been very fruitfully doing.
Arab World will have to be firmly told that violence cannot be supported by lies and that to curb the ISIS was beyond our capability.
Ideology of IS needs to be challenged and it is time for revolution in Islam.
Muslims must remove bad interpretation of Islam and interpretation of Jihad in Islam must change. For this remove Islam from time warp.
It would be good to influence the Urdu Press against the ISIS.
Need to encourage moderate Muslims, who are living in a state of denial.
Educating the Muslims – reforming the Madrassa education is long overdue.
To try de-radicalisation programme on the Austrian model.
To strengthen the security architecture, followed up by adequate legal framework. Also revamping of security architecture is needed to face IS threats.
Modernization and strengthening police force.
The de-radicalisation programme will have to be very carefully chalked out. Otherwise, it may boomerang. That is, counter-de-radicalisation will also have to be planned.
- Need to check/control free flow of finance to the ISIS jihadis.
- There was now a great need for getting educated Muslim ladies in this movement to counter the ISIS. That it would be a long term affair.
- For tackling the problem, it would be a good strategy to work in small areas first and then expand.

Perhaps, there is need for another prophet to emerge! Or, will the “true believers” continue to prove their nuisance for a longer period of time? Whatever be their ability, they cannot ultimately prevail. We Believe In That!

The seriousness of the situation has to be taken to the members of the public, not only in the cities but to the rural areas as well. Sad to say but it is true more patriots are found in villages than among educated elites and so-called intellectuals. In any case and on the whole, public opinion has to be built up to remain on the look-out for already identified/banned or not, outfits, spies and fifth columnists in all walks of life as also the “sleeper cells” suddenly becoming active. Coming times, friends, will be trying. We should not be found wanting in our response. We have been warned!

DSC_06678 Edited — Capt SB Tyagi, COAS’CC

Capt. SB Tyagi holds Masters’ degrees in Philosophy, Sociology, Defence Studies & Political Science beside B.Sc. and LLB. He also holds master’s degree in Business Administration and post graduate diplomas in Business Administration, Personnel Management & Industrial Relations and Safety & Security Management. He had short but outstanding tenure in Indian Army where he was awarded Commendations by Chief of The Army Staff twice for devotion to duty and exemplary performance.

He has thirty three years’ experience (including Army) in the field of industrial security management. He has been regular faculty in Management Institutes. Various articles are published in related magazines and internet sites. He also has made presentations in more than 27 international seminars on the subjects of homeland security and industrial security.

He is astute security consultant with in-depth knowledge of best practices and the technologies suitable to specific needs. His cost-effective security solutions are found to be pragmatic and helpful in loss prevention. His ‘out-of-the-box’ approaches have been path-breaking in modeling new concepts in security management. He has co-authored best-selling book – “Industrial Security: Management & Strategies”. Both as ‘thought leader’ and outstanding professional, Capt Tyagi is well recognized world over for his achievements.

He is Co-founder and Chief Councilor of International Council For Security & Safety Management.

The Global Threat of Terrorism Targeting Oil and Gas Industries

March 2, 2016 ICISSM Leave a comment

‘Energy security is among the most serious security and economic challenges, both today and in the future. As the economies of the World grow and societies develop, so does the importance of energy. And so does the importance of the infrastructures that produce and supply this energy’. This brings Oil & Gas Sector under sharp focus!

Terrorist organizations have always been interested in targeting oil and gas facilities. Striking pipelines, tankers, refineries and oil fields accomplishes two desired goals: undermining the internal stability of the regimes they are fighting, and economically weakening foreign powers with vested interests in their region. In the past decade alone, there have been scores of attacks against oil targets primarily in the Middle East, Africa and Latin America. These attacks have never received much attention and have been treated as part of the ‘industry’s risk.’

As long ago as 2004 an Al Qaeda manifesto set out “laws” of targeting petroleum-related interests, pertaining to the “economic Jihad” with one of the primary targets being pipelines and supporting facilities and especially industry personnel “the easiest targets to attack and offer the greatest reward”. The threats from terrorism to energy critical infrastructure exist for all to see, if they are willing to see that is, and that these so-call wicked risks are not going to diminish any time soon.

Today, a growing number of interconnected and diverse threats, mainly physical and cyber threats are challenging critical infrastructures. In that regard, terrorist threat is not a new phenomenon and critical infrastructures have long been attractive targets for terrorist groups and malicious acts. Especially, as being one of the most vulnerable sectors, Critical Energy Infrastructures have been subjected to increasing terrorist threat which is correlated with the growing political and economic instability in oil and gas producing regions. Furthermore, despite its enormous economic and political consequences, unlike other types of terrorism, energy terrorism could not attract a significant level of attention.

According to the University of Maryland’s Global Terrorism Database, terrorist threats targeting oil and gas sectors have risen sharply. More precisely, during the mid-1990’s, attacks on oil and installations reflected less than 2.5 of all attacks whereas in 2013, 600 out of 2600 total terror attacks targeted oil and gas sectors.(1) In fact, a wide majority of attacks concentrates in the Middle East and North Africa. However, from U.S to China, energy infrastructures are facing a varying level of threat (from theft to sabotage) which means that energy facilities worldwide have common vulnerabilities including inadequate controls at the borders; lack of a holistic security approach; lack of technology and lack of dedicated security forces etc. (2)

Examining this trend more closely it can be seen that in 2003 roughly 25% of terrorist attacks were aimed at the energy sector, having jumped to 30% and 35% between 2003 and 2007 –the long-term trend revealing more attacks aimed at energy infrastructure (EI) occurring annually–. With oil accounting for nearly ‘40% of the world’s energy and 96% of its transportation’, the protection of energy infrastructure has thus become a top priority for most industrialised nations. (3)

The Threats over the Sea:

There is growing evidence that terrorists find the un-policed sea to be their preferred domain of operation. Today, over 60% of the world’s oil is shipped on 3,500 tankers through a small number of ‘chokepoints’ – straits and channels narrow enough to be blocked, and vulnerable to piracy and terrorism. The most important chokepoints are the Strait of Hormuz, through which 13 million barrels of oil are moved daily, Bab el-Mandab, which connects the Red Sea to the Gulf of Aden and the Arabian Sea, and the Strait of Malacca, between Indonesia and Malaysia. Thirty percent of the world’s trade and 80% of Japan’s crude oil passes through the latter, including half of all sea shipments of oil bound for East Asia and two-thirds of global liquefied natural gas shipments. (4)

Pipeline sabotage is terrorist’s favorite

Until recently, the pipeline industry has been preoccupied primarily with environmental, safety and maintenance issues. Beyond occasional cases of vandalism, the human factor was hardly perceived as a threat to the world’s vast web of oil and gas pipelines, which, all told, carry roughly half of the world’s oil and most of its natural gas.

Weapon of Choice

Pipelines, through which about 40% of world’s oil flows, are another Achilles heel! They run over thousands of miles and across some of the most volatile areas in the world. Pipelines are also very easily sabotaged. A simple explosive device can put a critical section of pipeline out of operation for weeks. This is why pipeline sabotage has become the weapon of choice of the insurgents in Iraq. An attack on major oil installation, a chokepoint or a pipeline hub would be detrimental to any country’s economy and likely to affect every aspect of lives of its citizens.

Petrochemical complexes and Oil installations on the hand are highly critical, highly vulnerable and sabotage and terrorist attack is highly provable. This makes them also very attractive target with high “Terror Quotient” as damages here are likely to the lives and economy! The new breed of terrorists inspired or encouraged by ISIS will have knowledge of oil and gas installations operation and maintenance details and also would understand the vulnerabilities. Thus with more informed new breed of terrorists, world will see the renewed threats to this sector.

Threat Mitigation Philosophy

The only effective counter is through a
• Joint approach, incorporating whole-of-government and the energy operating companies.
• An approach that is at once –

o pro-active and robust (has authority and acts),
o builds resilience and recovery into its plans,
o is coordinated,
o cooperates in that both parties come out of their respective siloes and cultivate a Need-to-Share mind-set to information and intelligence rather than the traditional Need-to-Know model; and
o allocates the necessary funding, training and resources (dedicated specialist response force) to be effective at deterring, detecting,

Security Solutions

The existing passive model of risk management, normally utilised by the industry to mitigate safety, criminal, or environmental risks through weighing probability and impact is of little use in predicting wicked risks, whose probability cannot be assessed (not quantifiable or insufficient statistical data) and whose impact can be catastrophic and far reaching both economically and socially. Typically, these risks have the characteristics of being unexpected and did not feature on risk assessments and planning; they were different than anticipated; were unpredictable in location, scope and impact; and can overwhelm the capacity to respond and deal with it immediately. The only effective counter is through a joint approach, incorporating whole-of-government and the energy operating companies.

With the threat of terrorism looming, pipeline operators in the industrialized world have taken action to prevent terrorism from harming energy infrastructure with steps that include:

Increasing system redundancy,
Deploying state-of-the-art surveillance equipment,
Deploying aerial and ground patrols, and
Fortifying pipeline systems against cyber-security breaches

‘Lessons learned from accidents and safety incidents have been regrettable but they are critical contributions to instil safety in the DNA and operating culture of any prudent oil and gas operator.’ In other words, it could be said that in order to implement and exercise best security practices for the energy industry, lessons learned from previous incidents should be well understood.

Numbers of best practices could be recommended for the Oil & Gas Sector –

‘Security’ should be considered and studied as an independent and distinct discipline from ‘Safety’ and it should be defined with clear objectives.
Establishing proper mechanisms for ‘Intelligence’ and ‘Information Sharing’ is critical for assessing terrorism risks for a critical infrastructure. For instance, in order to eliminate insider threat and reach deeper information about their employees, companies could cooperate with state agencies in information sharing.
A holistic and integrated security approach seems as a must in implementing corporate security policies.

Developing alternative ‘threat scenarios’ with various inputs and outputs is an essential part for a company’s security plans. In other words, security departments should be capable to answer ‘what if’ questions regarding the changing conjuncture and threat and risk levels.

Conclusion

Terrorist attacks carried out by radical Islamist groups within the EU’s borders are a concern and measures to prevent future catastrophic attacks must continue. However, as North Africa becomes a more significant supplier of energy to Western Europe, threats to the energy infrastructure in the region must also be considered.
Attacks or threats against energy infrastructures can lead to uncertainty amongst market players and overall insecurity, thereby raising global energy costs and placing additional budgetary pressures on states and consumers. To counter this trend and the inflexibility of the current energy environment, states need to adopt a multifaceted approach.

1) Energy Policy Information Center, ‘The Growing Connection between Oil and Terror’, 04.09.2014
2) 2)Balaji Srimoolanathan, ‘Adopting a Holistic Approach to Protecting Critical Infrastructure’, 18.06.2014
3) G. Luft (2005), ‘Pipeline Sabotage is Terrorist’s Weapon of Choice’, Institute for Analysis of Global Security (IAGS) Energy Security, 25/III/2005, http://www.iags.org/n0328051.htm
4) Terror’s next target, By Gal Luft and Anne Korin, The Journal of International Security Affairs, December 2003.