Different countries define “critical infrastructure” in different ways. The US Department of Homeland Security, for example, describes 16 critical infrastructure sectors – the essential services that fuel the nation’s economy, security and health. Since any downtime or destruction would have debilitating effects, critical infrastructure must be secure and able to rapidly recover from all risks.
While SOS Security has had the privilege and responsibility to protect many critical infrastructure sites, this blog addresses some of the challenges faced when these sites are located far from densely populated areas. This includes sites such as solar fields and data centers – infrastructure that is remote and deemed critical because they are, or directly support, critical infrastructure.
As you’ll see below, the four pillars of protection (people, procedures, physical security and technology) are the same for these sites as they are for other security tasks, but how we work with all of them in isolated locations is different.
- Critical infrastructure security is about both “who” and “what”
In critical infrastructure security, little things matter big time. A thimble-full of a contaminant is enough to poison an entire city’s water supply. An electronic device the size of a USB drive, in the wrong hands, is enough to lay a data center flat. One bad guy can do a lot of harm.
But whereas all security is about “who”, protecting against people with bad intentions, critical infrastructure security is also about “what” – protecting against the consequences of equipment and procedures that go wrong. The types and uses of security-related technology may vary significantly in critical infrastructure compared to other facilities. A forgotten equipment check can trigger a cascade of emergencies and shut down the facility.
For example, HVAC systems are critical to data center operations: excessive heat and humidity due to faulty sensors or other equipment can be just as debilitating as outside attacks. So, unless security’s attention to equipment-checking routines is faultlessly consistent, it’s not good enough.
Similarly, why and how we use magnetometers in data centers is rather different than how they are used in most other applications. We’re looking for tiny USB drives, not just guns. This requires different calibration and training routines.
- Remote locations are different – so be prepared to act differently when it comes to security
Critical infrastructure facilities are often located far from the beaten path – not in heavily populated areas.
There are many reasons for this. Solar and wind farm sites are selected for climatic conditions and cheap land. Major water reservoirs are located where they make sense for hydrological and geological reasons. Enterprise data centers, which are moving from cities to the country in large numbers, have their own exhaustive lists of location search criteria, including access to reasonably priced and sustainably sourced electricity that can scale as needed to support expansion; data centers range in size up to a million square feet (93k m3), another compelling reason to look for real estate far from major population centers.
The remoteness of many critical infrastructure facilities creates a range of specific challenges that we’ll address below.
- Recruitment of quality security staff at all levels is essential – but often difficult in remote locations
You need the best people for critical infrastructure security, but oftentimes there are no qualified security personnel resources available in remote locations – at all. No existing security companies, no experienced personnel, nada. You can’t just put an ad in the local paper and sit back to sort through applications.
Be prepared to import managers from outside of the area. You might even need to bring in some entry-level security officers initially. And be ready to invest heavily in training for security officers so that you develop your own deep bench of talent. As we’ll see below, the investment is not only necessary in the short term, but definitely worth it in the long term.
- Personnel training is key for security, and usually impossible to source in remote locations
In many cases, you’re going to have take people with absolutely no security experience, and do basically everything to get them ready to work. On your own.
This might include whatever training is necessary to get inexperienced people certified as security officers according to local, state or national standards. Once the basics are in place, you’ve just begun. Different types of critical infrastructure require specialized training in procedures and technology, and ongoing training is key to workforce quality and program success. Training needs to be adjusted accordingly and specifically.
Hiring local companies to implement training will not be an option in remote locations. Initially, you will have to bring in resources from outside and put them up locally during training. As programs mature, regular remote training piped in from outside becomes essential, as does the quality of such online methodologies and their management.
- If you can’t find it in a remote location, be prepared to bring it (or build it) yourself
Depending on the situation, security managers and officers may need to be brought into remote locations on rotating shifts, commuting from afar, then staying on the job for days at a time rather than driving home at the end of every shift. They will need accommodations.
In addition to personnel, security providers might well find that there are other essentials lacking in remote locations. We have started up programs in locations that bring new meaning to the term “greenfield”.
We have had to bring in or build temporary offices and arrange for housing for security personnel – both temporary and permanent. Depending on circumstances, security providers might need to bring in food and water, electrical generators, portable restrooms, comms and more. Managing the logistics of these supply lines becomes an important part of the overall security endeavor.
Similar conditions might apply in other security programs, of course, such as when we provide security in disaster relief situations. But for critical infrastructure security in remote locations, these “emergency” conditions are the norm, not the exception.
- Management’s role is different in critical infrastructure security – especially in remote locations
All security depends on the quality of the people who provide it. But critical infrastructure security places extremely high demands on the managers tasked with keeping programs on track. We’ve found that critical infrastructure security managers, especially those working in remote locations, face a unique set of challenges. To put it simply, critical infrastructure security requires rock-star managers.
To be successful, managers must be all-round players who bring together a unique mixture of experience, leadership and communication skills.
- Managers must be able to quickly understand the special security needs, procedures, physical security equipment and technology of the critical infrastructure facility in question.
- They must cooperate efficiently with local law enforcement and fire departments; they must ensure that first responders reach beyond their own organizational silos so they communicate not just with security, but sometimes even with each other.
- Managers must translate complex security protocols into actionable routines and standard operating procedures that can be simply managed. They must motivate remote teams who may not be accustomed to regular contact with their colleagues. And they must follow up relentlessly to ensure adherence to protocols.
Managing staff in a remote location also requires special routines and tools. Proactive and timely reporting is vital; real-time special incident, daily activity, and facility assessment reports are a necessity, not a luxury.
GPS tracking can also play a vital role in remote management. Security managers need to “see” exactly where officers are operating. Geo-fence capability allows managers to define boundaries and receive alerts in a variety of scenarios, including if the officer steps outside of the boundary.
- When you get critical infrastructure security in remote locations right, the results can be outstanding
We’ve pointed out many of the challenges of protecting critical infrastructure in remote locations, but let’s not forget that the fruits of our efforts to get things right can be outstanding.
When you have to build things from scratch and pay attention to every program detail, things turn out rather well. Customizing personnel training and hiring first-rate managers definitely has its advantages. Locally sourced staff are highly motivated and intensely loyal, too. Stringent focus on getting the details right, along with uncompromising control of performance, results in finely-tuned programs that live up to high standards.
Working with critical infrastructure is a great way for security practitioners to sharpen their skills. Transferring this experience to other security areas helps us all to up our game.