Adrian Prior discusses the benefits that the energy sector can gain from an effective security management system
Security failures within critical national infrastructure (CNI), including energy network systems, are unfortunately nothing new.
But if operators are looking for the next ‘black box’ technical solution, whilst ignoring the importance of an effective security management system (SeMS), they are risking asset damage, financial loss, operational disruption and significant reputational damage to their business.
The concept of a SeMS is born from the same need as that for safety and other related management systems. Security professionals want to ensure their business units are effectively integrated with the enterprise management system, talking the same language and aligned to the same objectives. As a result, some business sectors are now applying a SeMS model to reap the potential benefits of this wider management concept. We can learn from them.
Recent malicious acts against European business include a sophisticated cyber-attack in Ukraine, where adversaries targeted industrial control systems, causing loss of power to a population the size of Swansea; and the suspected physical sabotage of a nuclear power plant safety system, resulting in the temporary closure of half of Belgium’s nuclear capacity.
Given the volume, complexity, and range of threats, and their vectors, managing security risk has perhaps never been more challenging. Cybersecurity incidents cost UK firms alone an estimated £34.1 billion ($42.5 billion) in the past year, according to a recent survey by an internet service provider. Figures published by the Institute of Economics and Peace calculated the cost of global terrorism at over $52 billion in 2014, the largest figure ever. The stakes are high and security managers understandably tend to look for a technical solution, the next ‘black box’ to solve their problems, whilst neglecting the capability offered by an efficient SeMS.
Integrating security activities
The SeMS model draws on the existing well-defined management system frameworks for safety, IT security, quality, risk, environment and the supply chain, where there are international standards to guide us. To date, there is no agreed standard which describes a similar framework for security management in the round. However, both the oil and gas and aviation sectors, through the International Association of Oil and Gas Producers (IOGP) and the International Air Transport Association (IATA), are proponents of a bespoke SeMS approach.
The associations seem to concur on the general approach to SeMS, which could be defined as a framework for integrating security activities into the organization’s management system and ensuring the security business unit can operate most effectively. This framework is underpinned by a healthy security culture and aims to deliver continuous improvement.
There is some divergence between IOGP and IATA on the key features of a SeMS, and the UK Civil Aviation Authority (CAA) has further refined the IATA core elements. There is clear consensus on the importance of risk management, the execution and control of activities including incident response, and the relationship with top management.
An isomorphic approach to this issue would suggest that other key features include: alignment of security objectives with the enterprise strategic plan, to ensure synergy; and growing and nurturing a healthy security culture. There is a wealth of openly available advice in this area, including from the website of the Centre for the Protection of National Infrastructure.
A systems approach
Most businesses would probably consider that they already have a SeMS in place, which may contain some, or all, of the elements described above. Key, however, is the efficiency with which the parts operate together.
To gauge this, a systems approach is useful. Management of complex structures requires a systems perspective, where multi-faceted problems are viewed in total and effectiveness of the system is measured by output. The performance of the complete system depends primarily on how the subsystems interact with each other, and how well they are integrated together into the global scheme.
A well-designed system might be:
• Strong in performance and cost-effective;
• Reliable, maintainable and upgradeable;
• Flexible and adaptable; and
• Verifiable and predictable.
Research suggests that much corporate security management is purely responsive to day-to-day issues. It is useful to view this focus in terms of two related continua: the levels of management activity from operational to strategic, and the nature of the activity, from reactive to proactive.
The traditional hunting ground for security management is at the operational level and is generally reactive in nature; at the strategic level greater emphasis could be placed on proactive management, as shown in Figure 1.
Application of a SeMS model offers a range of tangible and intangible benefits to the business. A selection of these, drawn from extensive security management experience in private and public sectors, is shown in Figure 2. These benefits are clearly wide-ranging, but the overriding positive output is greater efficiency through the sharing of resources, risk reduction and the delivery of ongoing improvement.
A mature SeMS delivering benefits is likely to reveal a number of defining characteristics. A critical evaluation of these characteristics should help security professionals and top management determine the maturity level of their SeMS. Examples might include:
• There is a risk-informed approach to security decision-making, based on an endorsed risk management methodology, which provides a clear picture of the untreated, treated and residual risks, clearly related to the risk appetite. This informs the enterprise risk management process;
• Governance arrangements are both outward and inward facing, demonstrating, in particular, effective interfaces with other key parts of the business;
• A desire to achieve continuous improvement is supported by a process which is fed by a lessons-learned process, horizon scanning, internal assurance, external audits, reports and inspections;
• The attitude to security throughout the workforce is on a par with safety;
• A set of well-defined metrics is used to feed the continuous improvement process, and a security dashboard tool is available to monitor the current health of the security system;
• There is a formalized training programme in place to support the application of SeMS.
Lessons from experience
Working within Frazer-Nash Consultancy, which has a broad CNI and industrial client market, provides us with a unique opportunity to identify some generic lessons relating to SeMS – what works well and what does not. Some useful learning from experience is as follows:
• The SeMS concept helps security managers to establish a vision of where the change process is heading. Often, change is made incrementally in response to the latest brush fire, without a clear idea of how that piece fits and contributes to the overall system. SeMS offers a platform for proactive management;
• Businesses which have been successful in adopting the SeMS model, and in raising the profile of security within the organization, have taken opportunities to integrate security with safety, be it within governance arrangements, risk management or other related activities. There is clear synergy between security and safety, where the former can benefit from the latter; indeed, one can argue that they cannot be dealt with in isolation. An example is the adoption of Goal Structuring Notation (GSN) methodology for the development of a security case, in the same way that many safety cases are constructed;
• When security properly engages with the business and understands its strategic plans and intent, the security output can be optimized to better support those objectives, leading to efficiencies through shared resources. Key to achieving this is a health check on governance arrangements and interdepartmental liaison activity, to ensure the key interface points with other parts of the business are covered at the right level and at an appropriate frequency;
• A useful aid to help establish the start point and inform a SeMS change management programme is a SeMS maturity tool. This can be a quantitative metrics-based method, or a more qualitative approach such as that taken by the Civil Aviation Authority, and it informs the support to be provided to individual entities;
• Decentralized security management offers considerable advantages and signals a healthy security culture, where all business units recognize that they have a role in delivering both a safe and a secure environment in which the business can flourish. This is characterized by Suitably Qualified and Experienced (SQEP) security managers embedded within all key business units, and the devolving of security budgets to operating units. In this way the units are given the means to take on greater security responsibility, and the flexibility to ensure they support business goals.
There are a number of emerging and dominant themes related to the design and implementation of SeMS. The most important resource is often considered to be people, and a proportional investment is necessary to ensure staff are developed to an adequate SQEP standard in order to support the security functions. This is related to a more general issue around the ‘professionalization’ of security which underpins progress in this area.
We see an aspiration to ensure that the domains of security and safety are better integrated at all levels. For example, safety cases should consider security, and vulnerability assessments should consider the safety case.
Indeed, organizations are increasingly realizing benefits through the merging of security functions with related disciplines, such as emergency management, crisis management and business continuity. This raises the issue of how SeMS should be adapted to cater for this wider remit.
While there is an understandable reluctance to share best practice on security failures because of concerns about reputation and exposing vulnerabilities, this is where we learn our most important lessons. There are some innovative approaches in this area, including sector-specific information sharing events, hosted and run by the operators themselves, without regulatory involvement. Best practice is perhaps an easier area in which to share experience for the benefit of all, and online communities of interest are a way forward in this area.
An appetite to implement the SeMS model, and realize its benefits, reflects a growing professionalization within corporate security management and a desire to learn lessons from related disciplines, in particular safety. A rigorous systems engineering approach to the problem can help refine and continually improve that system, delivering meaningful efficiencies and reducing risk.
Perhaps we should pause before reaching for a technical catalogue to select the next ‘black box’ which promises to remove our security concerns, and see what extra value can be generated from the management system itself. The cost of this approach is likely to be less and the benefits greater.
Adrian Prior is a security and resilience professional at Frazer-Nash Consultancy. He has specialist expertise in site security planning within critical national infrastructure, counter-terrorism emergency response, formulating design basis threat, and multi-disciplinary vulnerability assessment.