ISMI Facility Counterterrorism PDF

Unit 10 – Facility Counterterrorism Introduction Overview Terrorism is a specific form of extreme violence, or the threat of violence, carried out for ideological objectives with the aim of instilling fear, outrage, shock, anger, distress and demoralisation into a target population. Terrorists are organised, deliberate and systematic, and seek publicity by exploiting the instant, far reaching characteristics of global news networks. Most often terrorism is a form of asymmetric warfare in which a group, or an individual, wages war against an established entity, such as a state or political system with the aim of coercing that entity to change its position. The nature of terrorism is such that the intended audience of the terrorist violence is not always the physical victims. Terrorists kill civilians usually in order to convey a message to a government. Terrorism is also a very effective means of motivating and recruiting supporters. A particular characteristic of terrorism is that the attacker can choose the method of attack, target, placement, concealment and activation means and timing of the attack. This was exemplified when the IRA tried to assassinate former UK Prime Minister Margaret Thatcher in 1984. The group declared afterwards: “We only have to be lucky once – you will have to be lucky always”. CPNI, the UK Centre for the Protection of National Infrastructure notes that terrorism is not just expressed as violent attacks on people and property. Disrupted communications systems, damaged assets and tarnished reputations can cause immediate and/or long-term harm to a business and so are equally desirable from the terrorist point of view (CPNI, 2010). This is especially the case with critical national infrastructure. Support for Terrorism Many groups and campaigns enjoy wide support for their use of violence to achieve their ideological objectives. This may take the form of material support – for example, governments have often been accused of state-sponsoring of terrorism – and political support; many campaigns of violence have in parallel a political campaign, led by the group’s “political wing”. It is important for organisations to have policies in place that forbid political activism of any kind in the workplace. Among populations as a whole, there may be widespread support for specific acts of violence. For example, according to the Pew Research Centre (Pew, 2013) support for suicide bombings is a fraction of what it was in many countries ten years ago. Nevertheless, in one non-conflict country surveyed by Pew, projections would indicate that over 10 million inhabitants (1 in 7 persons) would agree with the statement that suicide bombing is often/sometimes justified. 12 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Ideologies Europol (2013) divides terrorist actions according to adversary ideology. To this end, it presents the following adversaries categories: Religiously-inspired terrorism. Ethno-nationalist and separatist terrorism. Left-wing and anarchist terrorism. Right-wing terrorism. Single-issue terrorism. Some organisations are more prone to one source of terrorism than another. For example, pharmaceutical companies may be exposed to actions by single-issue activists, which may occasionally manifest themselves as terrorism. Individual classifications may be drawn to specific kinds of terrorist act, and will have different levels of resourcing, targeting, objectives and violence threshold, so it is important for an organisation to carry out a threat assessment and to understand the nature, capabilities and intentions of any potential adversaries. The Approach Taken in This Unit The unit will draw a distinction between state-level responsibilities in countering terrorism and the responsibilities of the private sector, focussing on the latter. Private sector responsibilities are primarily: Deploying counter-terrorism protective security measures to protect people, operations and property. Creating operational resilience to an attack. Creating physical resilience to an attack. Creating the ability to manage the aftermath of an attack. The module will focus more on good practice and less on case study, and it will avoid studying in any great detail the various groups that engage in terrorism. Terrorism is an emotive term and what is and isn’t terrorism is influenced by the perspectives and situations of the parties involved. The module will make no attempt to differentiate between terrorists, insurgents, militants, extremists, guerrillas or freedom fighters, but will focus on how corporations can defend themselves again the kinds of actions that these adversaries may employ. Who and who is not a terrorist can be a contentious issue, and is best determined by law. The aim of security professionals must be to protect against a range of attacks, irrespective of who carried them out and why. 13 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism The Threat Assessment Overview Terrorism owes its recent history and development to the many liberation struggles of the 20 th century. Some of these are still ongoing, but to a large extent the 20th century terrorism threat has morphed into an international threat, in which like-minded radicalised extremists have become motivated to unleash violence against nation states they regard as legitimate targets. This 21st century threat is referred to by the UK Government as international terrorism – which it uses as a euphemism for Al Qaeda, its affiliates and those inspired by its ideology. The FBI, for its part, has a slightly different definition of international terrorism, which specifies that the acts “occur primarily outside the territorial jurisdiction of the US, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum”. Often, the fear of terrorism dramatically outweighs the real risk of becoming a victim – one of the fundamental aims of terrorism is to instil fear that is disproportionate to the risk; “kill one, scare ten thousand” suggests ancient Chinese military strategist Sun Tsu. For example, security managers when asked to rate the likelihood of a terrorist attack against an office building in central London on a five-point scale will often indicate a value of around three. The true value is much closer to one or two as there are hundreds of thousands of buildings in London. For most entities, terrorism is a low likelihood, high impact event. Predicting threat is based on an assessment of historical information, intelligence, adversary assessments and It is easy to get carried away with the dramatics of terrorism. In the EU in projections. With terrorism in particular, relying on 2012, for example, there were just 17 historical data can lead to an incorrect threat assessment. deaths as a result of terrorism, For example, across Europe in 2012 just 17 fatalities could according to Europol. be attributed to terrorism (Europol, 2013). By comparison, there is an annual Nevertheless, CPNI warns that the UK faces a substantialaverage of 180 worker deaths in the UK threat from “international terrorism” and its statedfrom various causes, according to the ambitions to mount high impact attacks that UK HSE. combine mass casualties with substantial disruption to key services such as energy, transport and communications. Furthermore, arrests in the UK on terrorism charges during 2012-13 were up 21% on the previous reporting period (BBC News, 2013). This is a threat that is different in scale and intent to any that the UK has faced before. Globally, terrorism kills 10,000 people annually (UK Government, 2011). The UK Government (2011) judges that four factors will continue to enable terrorist groups to grow and to survive: Conflict and instability. 14 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Aspects of modern technology. A pervasive ideology. Radicalisation. The UK perspective can be found at https://www.mi5.gov.uk/home/about-us/what-we-do/the- threats/terrorism.html. The UK Government’s response to the threat of international terrorism is outlined at https://www.gov.uk/government/policies/protecting-the-uk-against-terrorism. Even with good open source information it is often difficult wading through the mass of contradictory reports to reach a satisfactory conclusion on the level of terrorist threat to your organisation, and you may be able to get more specific information through direct liaison with government agencies or from one of the many commercial research and intelligence companies that specialise in threat assessment development. Threat Levels Many governments communicate their assessment of the terrorist threat level to the public (and the commercial sector) by means of published threat levels. Examples of national systems and associated threat levels are presented below. Australia (National Counter-Terrorism Alert Level) Low – terrorist attack is not expected. Medium – terrorist attack could occur. High – terrorist attack is likely. Extreme – terrorist attack is imminent or has occurred. France (Plan Vigipirate) Yellow – Threat imprecise. Orange – Threat plausible. Red – Threat highly probable. Scarlet – Threat certain. UK (Joint Terrorism Advisory Centre Terrorism Threat Level) Low – an attack is unlikely. Moderate – an attack is possible but not likely. Substantial – an attack is a strong possibility. Severe – an attack is highly likely. Critical – an attack is expected imminently. 15 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism US (Homeland Security Advisory System) Low – Low risk of terrorist attacks. Guarded – General risk of terrorist attacks. Elevated – Significant risk of terrorist attacks. High – High risk of terrorist attacks. Severe – Severe risk of terrorist attacks. Specific sectors, also, may have independent threat level systems. The maritime sector, for example, working to the ISPS (International Shipping and Port Facility Security) Code provides for different threat levels for different circumstances: Security Level 1 – Normal. Security Level 2 – Heightened. Security Level 3 – Exceptional. The Adversaries The UK, specifically, identifies Al Qaeda, its affiliates, and terrorists acting on their own – so called lone-wolves – as the primary threat source. It also identifies an ongoing and serious threat from Northern Ireland-related terrorism (UK Government, 2011). With specific regard to Al Qaeda (AQ), the UK Government notes that AQ itself is responsible for only a small fraction of terrorist attacks. Other groups, independent of AQ but broadly sympathetic to its aims, continue to emerge and to conduct attacks around the world. Adversaries will be different for each locale around the globe, and often different business sectors. Different kinds of enterprises may also attract specific kinds of attack. For example, in recent years we have seen marauder-style attacks (barricade and hostage taking) target hotels, shopping malls, places of entertainment and remote oil and gas facilities. Historically, this kind of attack has also been employed at sporting events, transportation (aviation, rail and maritime) and high-profile conferences. Terrorist adversaries should not be considered as persons who conceal themselves by day and emerge only to carry out an attack. They often blend in with the community at large, have regular jobs and family lives. They could conceivably be amongst your workforce orTIP contractors. They could even harbour pernicious intent against your enterprise and be working as insiders. Ensure you have good personnel screening MI5 (2005) warns that the infiltration of critical national infrastructure is aprocedures in place. The desirable goal for terrorist groups. Many critical national infrastructurepremeditated infiltration of critical national organisations are already familiar with the continuing threat from insiders infrastructure organisations pursuing the aims of single issue groups such as animal rights extremists,is a desirable goal for and there is also a potential threat from insiders who are either members ofterrorist groups. terrorist groups, or who have contacts in such organisations through relatives or associates. 16 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Bomb Attacks Overview Generally, bombings account for the majority of terrorist attacks, although there are changing trends. For example in 2012 in the EU, according to Europol (2013), terrorists made use of firearms and incendiary devices with greater frequency than improvised explosive devices (IEDs). The drop in use of IEDs may be the result of law enforcement activities to impede terrorists' access to explosives. Nevertheless, explosives and chemical precursors for the production of home-made explosives (HMEs), and suspects in possession of them, are regularly identified during the course of police counter-terrorism operations in Europe. FEMA (2006) notes that the explosive threat is particularly insidious, because all of the ingredients required to assemble an improvised explosive device are readily available at a variety of farm and hardware stores. Furthermore, instruction manuals for the production of HMEs and IEDs were found during Europol investigations in 2012. Common Forms of Bomb Attacks Bomb (IED) attacks may take various forms: The simplest is usually a hand-delivered IED, whereby a device is left in a target location, perhaps disguised in the form of a bag. There is little risk to the bomber as these devices are usually initiated by timer or victim-activated motion switch. The favourite of bombers is the vehicle-borne IED (VBIED) as these have the capability to cause significant causalities and a large radius of devastation. They are usually activated by timing device, unless driven at the target in a suicide attack (below). Postal IEDs are also regularly encountered. They are usually intended for the specific assassination of targeted individuals and have the advantage of not requiring large amounts of explosive as long as the device can reach the intended target. They are usually initiated by the victim when opening. In some environments, suicide attacks are a major concern. These usually take the form of person-borne IEDs (PBIEDs) or moving, penetrative VBIEDs. Both can be used to devastating effect and dramatically increase the terror value of an attack as they give the impression of being unstoppable. In environments where military munitions are readily available, rockets, grenades, guided projectiles and mortars are used. Some of these can be improvised. Where a specific person may be the target of terrorists, IEDs have been placed on vehicles (usually under) for assassination. Such devices are usually activated by motion when the target interferes with the vehicle. Vehicles may also be used as roadside IEDs, designed to destroy specific passing vehicles. There are various means of initiation, including remote control and victim activated systems. 17 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Suicide bomb attacks, in particular, have become attractive to terrorists, and give greater visibility to their campaigns. The recent history of suicide attacks can be traced back to the Lebanese Civil War of the 1980s, and the concept was extensively honed by the Tamil Tigers of the LTTE. It is in recent years, however, that suicide attacks have seen their greatest growth. According to Karzai (2007), of 700 recorded suicide bomb attacks in history, over 70% have taken place since 2001. The Attraction of Bomb Attacks Terrorists are drawn to bomb attacks in general for the following reasons: The imprecision over who is killed, injured and who survives. This adds to the terror element. High publicity value, creating disproportionate public attention. The relatively larger amount of physical damage than from an armed assault. Devastation, which remains for many weeks, and sometimes months, after the attack. Ability to inflict serious damage or casualties without physically entering a facility. Ability for the attacker to be in a different place when the device detonates. The operational disruption caused by bombs and their effects. The appeal of martyrdom and ultimate self-sacrifice. A key downside is that national agencies have become adept at forensic analysis and with the aid of intelligence analysis can often attribute bombs to a specific source with some degree of accuracy, and if the device fails to detonate there is likely to be considerable forensic evidence that can be exploited, especially through cross-border cooperation. Factors Influencing the Effects of Explosions The destructive power of explosives depends on many factors, including: The charge weight. The quality of the explosives. If low explosives, the type of containment. The chemical composition of the explosives. Obstacles between the device and the target. The extent to which the blast wave is reflected. Whether the explosives are high or low explosives. The orientation of the target in relation to the device. The proximity of the device (stand-off) in relation to the target. The proximity of other materials, especially load-bearing materials. Whether the explosive charge is modified, eg. shaped, in any way. If low explosives, the extent to which the device is enhanced with shrapnel. Thus, it is very difficult to predict with accuracy the effect of an IED on a given target. 18 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Explosions and the Human Body The characteristics of an IED that cause injuries include: The pressures, blast wave and shock front associated with the explosion are often too great for the human body to survive, but note that the pressures quickly dissipate with distance, according to the cube root scale. Additionally, people will be blown off their feet causing further injury. The heat caused by the change of chemical state in the explosive can reach 4000oC, inflicting fatal burns. There will be primary fragmentation from the components of the device (in a VBIED the car can be considered as a casing component) and secondary fragmentation (debris, glazing etc.) from surrounding structures. Building collapse. This may be responsible for the greater number of fatalities if a moving VBIED is driven into a building before detonation. Anticipated injuries you should consider in your emergency planning include: Fatal organ injury from the explosive pressures. Humans in close proximity to the detonation of a large high explosive charge are unlikely to be able to survive. Gas filled organs will compress and implode under the blast pressures, generating a high mortality rate. In addition, organ tissue will rip apart. Traumatic amputation, either from the proximity of the victim to the explosive or from primary fragmentation. Penetration injuries resulting from primary fragmentation. Burns. Crushing or other injury from the effects of building collapse and secondary fragmentation (eg. glass). Toxic gasses and dust, which if not fatal, may cause chronic health problems. Energy translation injuries when the body picks up the energy of the blast and is thrown into the air and falls. Concussion. Long-term psychological damage. The US Department of Homeland Security sums up the above as: Overpressure damage to the lungs, ears, abdomen, and other pressure-sensitive organs. Blast lung injury, a condition caused by the extreme pressure of an explosion, is the leading cause of illness and death for initial survivors of an explosion. Fragmentation injuries caused by projectiles thrown by the blast – material from the bomb, shrapnel, or flying debris that penetrates the body and causes damage. 19 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Impact injuries caused when the blast throws a victim into another object, ie. fractures, amputation, and trauma to the head and neck. Thermal injuries caused by burns to the skin, mouth, sinus, and lungs. Other injuries including exposure to toxic substances, crush injuries, and aggravation of pre-existing conditions (asthma, congenital heart disease, etc.). ASIS (2011), drawing on US Army Corps of Engineers and Canadian studies, presents the following table to illustrate pressure-related risks to personnel in the vicinity of a high explosives detonation: Explosive Weight Lung Damage Likely Fatal 5kg 4m 1.75m 10kg 5m 2.2m 25kg 7m 3m Citing Morrison and Williams (2004), ASIS (2011) presents the following projections for probability of death resulting from exposure to the blast pressures associated with a VBIED comprising 200kg of ammonium nitrate/fuel oil. Distance 5m 10m 20m 50m 100m 500m Probability 100% 100% 49% 8% 0.5% 0.03% of Death This has important implications for emergency evacuation and assembly. If you have a workforce of 500 staff and you evacuate only to 100m in the event of a VBIED, your decision may be directly responsible for an average of two or more fatalities. Management must be prepared for the need to deliver immediate first aid for the treatment of multiple trauma. However, if there is any suspicion that chemical, biological or radiological agents have been used, interventions should be left to professional responders. The extent and severity of injuries will be greater if the explosion occurs inside a structure, where the blast energy dissipates slowly and is reflected and re-reflected off walls. When an explosion occurs inside a confined space – and in the absence of walls collapsing in order to vent the blast – blast pressures can build up to many times that of an unconfined explosion in milliseconds. 20 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism The Blast Wave Mays and Smith (1995) observe that as a consequence of a high explosive detonation, there is a violent expansion of gas, forcing the surrounding air out of the volume it occupies. As a consequence a layer of compressed air – the blast wave – forms in front of this gas containing most of the energy released by the explosion. Eventually, with time and distance its pressure reduces to a little below atmospheric pressure due to overexpansion. This leads to a short negative phase, in which the blast wave changes direction. The blast wave carries with it primary fragmentation from its casing (eg. a vehicle) and creates secondary fragmentation from that with which it comes into contact (eg. building façade and windows). When a large blast wave (such as from a VBIED) reaches a structure it will likely engulf the structure, creating pressure on all sides. The side perpendicular to the explosion will suffer greatest damage and may collapse, or at least fragment. Blast pressures are such that they will enter the structure and funnel along corridors, into stairwells etc., causing further fragmentation, damage and injury. The impact on the structural integrity of the building can be devastating, as the diagram (above) courtesy of the US Navy, illustrates. At very least, glazing will fail, with some glass projected into the building and other glass falling outside. It is difficult to predict the behaviour of glazing with any accuracy. There may also be ground shock, causing a brisance effect through the ground and shattering essential services. When large amounts of explosives are used business premises can be extensively and sometimes invisibly damaged. For example, computer systems can be contaminated with minute fragments of glass and building fragments, and the explosive blast wave and shock front can cause unseen damage to cabling, conduits, pipes, water supply, fire-suppression infrastructure, power supply, communications etc. The explosive by-products may also weaken the building fabric. 21 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Blast Wave and Distance Blast energy at a given stand-off (distance) is inversely proportional to the cube of the distance from the device; thus, each additional increment of stand-off provides progressively more protection (FEMA, 2011). In practice, what this means is that every additional metre of stand-off distance between the weapon and the target generates exponentially more protection against the effects of the blast pressures. For precise calculations you should refer to FEMA 427 (2011) but the following may give you a very rough indication of the effects of the detonation of 200kg TNT equivalent (explosive force is measured in TNT equivalent) as its pressure decreases with distance. Although the assumption is not strictly accurate, we will take the blast pressures at 1m as our 100% starting point. Stand-Off % of original % probability of death Typical Effects blast energy from blast pressures 1m 100% 100% Building destruction unless very specifically blast-hardened. 5m 11% 100% The failure point of typical high- performance concrete. 10m 1.15% 100% Fatal blast pressures. Heavily built concrete buildings are severely damaged or collapse. 20m 0.035% 49% Threshold for lung collapse. Building collapse and fatalities. 30m 0.015% (value not known) Blast resistant windows fail. Building collapse and fatalities. 50m 0.005% 8% Eardrum rupture threshold. Building collapse and fatalities. 100m 0.002% 0.5% Extensive glazing failure and some building collapse. Obviously, when estimating potential blast loads on buildings, the above table is an over-simplification of the physics, and you should consult structural engineers with knowledge of blast loadings. 22 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Protection Basics Developing protection against bomb attacks requires the application, first and foremost, of the following two principles: a. Create the maximum possible distance between the weapon and the target. b. Upon completion of point a., harden the target against residual blast. The significance of the first point was illustrated on the previous page. ASIS (2011) adds the following principles: Preventing bombs from entering the site through strong access control. The ability for early detection of bomb incidents. The development of appropriate response measures. Careful design of facilities. In relation to the last point, the best principles of CPTED are especially relevant. Fundamentally, defence against explosive threats requires assiduous application of the 4D’s: deter, detect, delay and disrupt. Additionally, Mays and Smith (1995) advise giving consideration to: Disguise – the important parts of a facility so that the energy of an attack, if successful, is wasted on the wrong area and the attack fails to make the impact the terrorist seeks. Disperse – a potential target, so that an attack could never cover a large enough area to cause significant destruction, and thereby impact. There are diverging views on disperse as a risk mitigation strategy. Within a simple campus context dispersal of critical buildings, people and operations across a site reduces the risk that a single attack on any one part will impact on the other parts. However, FEMA (2011) notes that this may reduce the effectiveness of surveillance, increase the complexity of security systems and emergency response, and create a less defensible space. Conversely, grouping high-risk activities, concentrations of personnel and critical functions into a cluster group can help maximise stand-off from the perimeter and create more effective defensible space. This may also reduce the number of access and surveillance points and minimise the size of the perimeter needed to protect the facilities (FEMA, 2011). 23 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Marauding Terrorist Firearms Attacks Overview Terrorists seeking to bring maximum publicity to their cause by creating a prolonged event may carry out a marauding terrorist firearms attack (MTFA) – an armed assault on a facility, killing and taking hostages. The emphasis is often less on killing the maximum number of people but on garnering global media and getting the maximum number of people around the world watching – perhaps for days. A catalyst for global media attention is the extent to which foreigners are caught up in the event. For example, the gas plant at Amenas in Algeria, which was occupied for four days in 2013 in an MTFA assault, employed over 130 foreign nationals (Statoil, 2013). The prolonged nature of MTFA attacks is also effective propaganda in inspiring terrorist constituencies and attracting recruits. Given that terrorists seek to maximise the psychological impacts of attacks, you can expect the MTFA tactic to continue to be attractive to terrorists with the appropriate resources. There is no shortage of suitable targets. Barricade and hostage-taking attacks have been common throughout recent history, dating back to the 1970s. What has changed significantly in most recent years is: The desire for martyrdom as an inherent element of the attackers’ motivation. The trend towards simultaneous, or near-simultaneous, attacks at different, or related, locations. Targets Attackers will be drawn to targets with a high human density, as these allow terrorists to be economical and efficient by maximising the number of casualties with a limited amount of ammunition. Typical soft targets are tourist infrastructure and hotels, railways and aviation, shopping malls, theatres, places of entertainment, carnivals, sporting events, major public events etc. Here, terrorists can enter without detection or the need to take on a disguise. Attacks on soft targets are not limited to the obvious; in Russia, terrorists have carried out such attacks TIP against a school and a hospital. A hospital was also a target in the Be aware that having Mumbai attacks of 2008. And in the 1970s there were successfulcertain foreign nationals MTFA attacks against a cruise liner in the Mediterranean Sea andat your facility could against an OPEC meeting in Vienna. Attacks against regular citizensincrease exposure to an achieve the greatest publicity, especially if children and foreignMTFA attack due to their nationals are taken hostage. publicity value. Attackers will also be drawn to critical national infrastructure (CNI), especially if it represents foreign interests, which will also 24 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism generate significant publicity. Here, the attack may begin by storming the main gate by force or gaining access by stealth, such as by using a worker transport or a fake military vehicle. CNI should not necessarily be considered as a hard target, especially from the perspective of the attacker. A Statoil report into the Amenas gas plant attack in Algeria concluded that despite the site having layered security with inner and outer perimeters, such security measures are not constructed to withstand or delay an attack of the scale experienced at Amenas. You should also consider the possibility of MTFA attacks on housing compounds, residential blocks and foreign worker transportation, perhaps individually or near-simultaneous with other attacks. Attacks on guarded housing compounds were seen on a number of occasions in Saudi Arabia during the early 2000s. Attacks are likely to become more audacious now that martyrdom has become a motivation in itself. Warnings and Indicators MTFA events usually occur with no actionable warning. There may be vague intelligence reports indicating an element of planning for an attack of some nature, but these are not usually shared by state intelligence with potential targets unless there is some indication of the specific target. The nature of terrorism targets in general is that the attackers have a vast range from which to select. However, you and your staff should be alert to any indications of hostile reconnaissance (addressed briefly on Page 26 and in more detail beginning Page 49) or the discovery of any unusual stockpiles. Furthermore, with the trend towards simultaneous or near-simultaneous attacks, if you are aware of an MTFA attack in your vicinity, you should evaluate whether you may also become a potential target and consider raising your security alert and operating level. The extent to which you employ certain constituencies of foreign workers may be a factor in this decision. Statoil (2013) cautions that companies cannot expect clear tactical warnings, with specific information about where, when and how a particular adversary may attack. They should consider and think through the implications of scenarios where security layers break down. Event Duration Considerations The International Association of Chiefs of Police (2011) warns that the event could become prolonged – adding to the news value – when foreign nationals are taken hostage as this adds to the complexity and the delicacy of the situation by involving diplomats and other foreign services. A further factor which will likely extend the event is if law enforcement officials are able to establish contact with the attackers. If this happens, the event will likely enter a negotiations phase. Thus, your contingency plans should envisage not just hours but potentially days of operational disruption. The duration of the event may also be influenced by the skill – and the policy – of the responding security forces. In some cases the policy is no negotiation and immediate intervention by locally- 25 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism available responders. A more considered response may require the mobilisation of special forces. If you consider your facility to be at risk, you should proactively raise with your liaison contacts in law enforcement the question of response and intervention. Better still, conduct a joint drill. Equipment and Tactics Access to weapons is a significant factor determining A corollary benefit to the terrorists of the whether MTFA attacks are feasible. Where light nonstop news media coverage is the use weaponry is easily available, terrorists are aware that of the media as intelligence sources. In the this can cause more casualties and create greater 2008 Mumbai attacks, the terrorists inside impact (perhaps through periodic executions) in of the Chabad house were receiving specific target locations than difficult-to-manufacture information from their handlers in real explosives. time as they watched television coverage of Indian commandos rappelling onto the roof, allowing them to prepare for the The attackers will likely not only be equipped with counterassault. firearms, but will have communications, possibly to associates engaged in near simultaneous attacks Source: International Association of Chiefs elsewhere, and also explosives. It is conceivable that they of Police will wire up hostages to explosives. In the 2008 Mumbai event the attackers left IEDs in taxis as they disembarked, causing diversions and creating the impression of a much wider-scale attack. During scenario planning exercises, it will be difficult to predict the tactics of the assailants with any degree of accuracy. Much will depend on the actions of the security forces. The size of the attacking teams need not be large, especially if the target is soft. A team of two to four persons may not be sufficient to overcome the defences of a hard target, but is sufficient to maintain a situation at a soft target lasting for many days. Furthermore, the attackers will try to create the impression that there are more attackers than there actually are. This perception is often fuelled by eye-witness and media accounts. The assailants may try to cause further confusion and misinformation by exaggerating the number of hostages that they are holding. Mobile phones make it very easy for them to communicate with outside news agencies to spread disinformation. They may also utilise the mobile phones of captured or dead victims of the attack to make demands to their relatives. One of the tactics often employed by those carrying out MTFA attacks is fire setting. This is especially the case once any security force action begins. Generally, fire and rescue and emergency medical services are not trained, and usually not willing, to enter premises while they are unsecured by security forces. This will often lead to further fatalities amongst those being held hostage or seeking refuge from the attackers. The assailants will likely assemble the hostages into a single location, or perhaps two locations, where they can be used as a human shield. They may separate hostages on the basis of nationality or religion. It is possible that explosives will be wired up to deter hostages from trying to escape or use them as 26 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism shields against gunfire. In any scenario planning, it may be possible to predict which area may be used, and proactively equip it with covert CCTV for use only in an emergency. Reconnaissance It is likely that there will be pre-attack reconnaissance of targets to establish patterns of operation, potential defensive positions and inherent weaknesses. Detailed information on site plans and site operations will be sought and may be available via the Internet. There is significantly more of this kind of material available through the Internet than can be found by a simple Google “top-level” search. On-the-ground reconnaissance may also provide an opportunity to pre-position stockpiles of supplies. This could also be facilitated by an insider. As part of the reconnaissance, terrorists may seek to gain information about the presence of foreigners. For more information on hostile reconnaissance, please refer to the section beginning on Page 49. Crisis and Emergency Management It follows from the preceding that a very capable crisis and emergency management structure is necessary to manage such incidents. Structures will be more effective if they proactively engage and exercise with state responder services. However, in any surprise MTFA attack it is conceivable that members of the emergency management team may be caught up as victims of the assault, so plans need to consider this possibility. Crisis and emergency management in relation to terrorism in general is discussed in detail beginning on Page 42. Immediate Response - Personnel There are several schools of thought on how personnel should respond to an MTFA attack, and you must determine which is best for you, according to your circumstances. In this regard, you should liaise with the police as they are the subject matter experts in this area. A basic rule – and one which often runs against inquisitive human nature – is never to go to a window if gunfire is heard outside. Thereafter, whether personnel should take refuge by lying in situ on the floor, by fleeing to an internal safe refuge area or evacuate the building by any available exit (360 degree evacuation) is a difficult call. Each option carries with it inherent risks. A large group of assailants will likely be able to shoot those fleeing a building, but a safe internal haven may be no less safe as attackers often carry with them explosives. In the initial stages of an attack, it will be difficult to determine the number of assailants, and recent MTFA events have shown that this number is often from one to ten attackers. Obviously, the smaller the number of attackers, the more likely it will be that fleeing from a building will be successful. It is also difficult how to advise personnel if they are outside when the incident begins. Obviously, if they are inside a compound it is likely that the main gate will be impacted by the assault, so they should find some place for concealment and protection. To an extent, there will be further good practice in this area presented in Module 12, as part of the Active Shooter section. 27 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism General Observations on Mitigation Statoil (2013) notes that the layered approach to security at the Amenas gas plant and the presence of military forces underline that this kind of attack is very difficult to thwart. The Amenas attack was particularly problematic as it involved near-simultaneous assaults with changing scenarios. There are cases of blunt attacks on main gates being effectively thwarted by armed forces, however. In these cases a “sally port”, with a neutralisation zone (discussed in M8 Access Management, Page 60) is particularly useful. Nevertheless, your security scenario planning should take into account the likelihood that your perimeter security will fail in the face of an armed assault. Consider the points raised in Module 6 – Perimeter Security, in relation to this kind of attack. Some additional points include: 1. There must be good liaison with government security forces. Where possible, this should extend to joint drills. 2. There must be a means of immediately notifying government response services of an MTFA assault. These are usually the only forces with the capability to suppress such an attack. This means must take into account the possibility that communications services may be sabotaged. 3. Consider the establishment (if necessary through the police) of a rapid armed response unit if you have facilities that are widely dispersed. 4. Be sure that individual responsibilities under the security plan are understood. This is especially complicated if you are using a combination of protective forces (eg. police, contract security, in-house security manager etc.), where there may not always be a high level of mutual respect, trust and collaboration. During an MTFA attack the success of your coordination will be tested to the extreme. 5. Ensure that you get the balance right between the “need to know” of security and active employee contribution to the security plan. It is important that employees don’t feel disengaged with security. This is achieved more through negotiation and liaison and less with notices, posters and strap lines in emails. 6. Notwithstanding the above, consider the risk of the insider threat passing details to outsiders. At its most obvious, you may consider security arrangements to be sought-after information, but in some MTFA events, assailants have demonstrated a level of knowledge of foreign on-site workers that could only have come from an inside source. 7. Ensure that existing security arrangements are efficient and working. This not only means obvious physical security defences such as good access control, but consider other factors such as whether you bus workers into your site – do you provide transport to work and are there persons-on-board checking procedures in place? 8. There must be a means of immediately cascading information of the attack to other parties, as an attack on a facility may be one in a number of near-simultaneous attacks, perhaps on other facilities, or perhaps on targets relating to the main attack site, for example associated 28 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism housing compounds. This should be done by immediately notifying corporate HQ of the incident and by invoking any local communications plans that may exist. 9. There should be a warning siren to alert personnel to a terrorist attack. This shouldn’t be the same as a fire alarm as that may send personnel out into the path of the attackers. A PA system is often a preferred option, but you should consider whether, under such circumstances, there will be time for anybody to operate a PA system – perhaps not. There should be several points from where the warning siren can be activated. 10. There is often a designated muster point in the event of a terrorist attack. In planning your alert system for a MTFA, you should ensure that personnel are not drilled to go to that point in the event of the alarm being raised. For example, if a continuous siren is used for an emergency requiring immediate muster, a siren with a rising and lowering note could be used for scenarios such as MTFA and any other incident which requires personnel to shelter in place. But note the previous point about whether an immediate 360 degree evacuation is better if it can be quickly established that the number of assailants is small. 11. Consideration should be given to establishing hardened internal safe refuge areas. However, such areas are usually signposted, and the assailants may use explosives to break in. 12. If military forces are employed as a protective force, they should not have a practice firing range in the vicinity of the site. This can desensitise personnel to the sound of gunfire and may lead to delays in reacting to an attack. 13. It is unlikely that you will be able to resolve this kind of event at local level, so resolution should not be a feature of your mitigation planning. This is a state-level responsibility. Furthermore, the terrorists may make demands that go beyond the occupied facility. 14. It is likely that some of those caught up in the incident will be in possession of mobile phones. They should be aware of the need to switch these to silent at the onset of an attack, in case a ringing tone gives away their presence if concealed. Your planning should also take into account the possibility of a hiding employee communicating directly with the outside world. 15. Consideration to the use of under-vehicle search mirrors and K9 to detect hidden firearms. Further Study For a very detailed account on how such a scenario may unfold, please email [email protected] for a copy of the Statoil report on the Amenas attack. The report addresses issues such as incident management, next-of-kin support, and communications and media handling. 29 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Chemical, Biological and Radiological (CBR) Terrorism Overview CBR terrorism has long been a concern, although perhaps not as great today as it was 10 years ago, when western governments expended significant resources training and equipping emergency responders and hospitals with a CBR emergency capability and personal protective equipment. However, as recently as 2010 the UK National Risk Register assessed the risk of terrorist use of non- conventional attacks as medium probability; higher, for example, than the assessed probability of a major industrial accident in the UK. CBR threats are each distinctly different in the way that they might be executed, in their effects and in the countermeasures. It is perhaps unfortunate, therefore, that they are so readily and conveniently packaged together as if they were a single category of threat. The CBR advice that follows is generic. More detailed, specific information can be found in a range of specialist publications that are indexed throughout this section: Chemical Agents Chemical agents may be in the form of irritants, acids, poisons etc. They may, or may not, have an associated odour. They may be used in stand-alone form or combined with explosives to increase their impact (such as in warfare). There are many different kinds of chemicals that can be used to cause casualties. These include choking agents, blood agents, nerve agents, blister agents, irritants and incapacitants, and poisons. The Australian Federal Police (2009) note that the more deadly chemical agents typically associated with military warfare are difficult to acquire. Therefore, terrorists will more likely be drawn to toxic industrial chemicals such as chlorine or sulphuric acid. However, events such as the Syrian civil war throw into sharp relief how easy it might be for AQ-associated groups to acquire chemical weapons. 30 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism In stand-alone form chemicals may be used for small-scale assassinations or to contaminate a large area. There is a risk that when a container is opened a harmful gas may be released. Enclosed spaces are perhaps the most vulnerable, especially buildings with high occupancy density and which have accessible HVAC intakes. In this regard the CDC publication Guidance for Protecting Building Environments from Airborne Chemical, Biological or Radiological Attacks is recommended reading: http://www.cdc.gov/niosh/docs/2002-139/pdfs/2002-139.pdf With most chemical agents symptoms of exposure usually appear very quickly, but poisons can be slow to manifest into symptoms. Possible indicators of a chemical attack include: Unusual smells, not necessarily irritating initially (eg. fresh mown grass, fruity, flowery, garlic, bitter almonds). A number of people experiencing sudden skin irritation, burning eyes, blurred vision, disorientation, difficulty in breathing, fainting, coughing, vomiting, headaches or convulsions. Not all of these symptoms will be present. Oily droplets on exposed surfaces. Low moving mist or clouds. Chemical agents are usually invisible to mail screening devices, such as X-ray and there are no readily-affordable devices that can detect a wide range of chemical threats in real time. Immediate response to exposure to a chemical attack could include: If downwind of the release, get upwind. If the release has been inside a building or into the HVAC system, get outside. The higher the ground the better. Chemical agents are often heavier than air, and seeking refuge in a basement could increase fatalities. To decontaminate use natural soap and water and remove all clothing, working from the head downwards under a shower. However, there may be occasions where water may react with the specific chemical used. Never use bleach or detergents. Affected individuals should be assisted in their immediate decontamination and under no circumstances should their hands touch their face. Biological Agents Biological agents are generally bacteria, viruses and toxins. Examples of fatal bacterial agents include anthrax and plague. Examples of fatal viral agents include smallpox and Ebola. Toxins include botulinum and ricin. The threat from biological agents generally comes in two forms: a. Person-to-person spreading of an infectious disease. b. A biological contaminant which affects persons exposed directly to the agent or the contaminated object (eg. food, water, mail etc). Anthrax bacteria is one example; ricin poison is another. 31 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism A biological attack could take the form of mail contamination, food or water poisoning or the spread of infectious diseases. Infection is usually by: Inhalation of aerosolised particles. Ingestion of contaminated food and drink. Broken skin. Injection. Touching the face. Biological agents could be delivered by contaminated objects or as spores, perhaps in the form of a powder. Anthrax is, of course the most notorious. Some agents, such as anthrax, require a person to come into contact with the spores. Others infect by person-to-person contact. With most biological agents, the symptoms usually take hours or days to develop, meaning that once the diagnosis has been made, many people may be infected. There may be no immediate indication of the release of a biological agent as they are usually colourless and odourless, and are invisible to mail screening devices, such as X-ray. There are no readily-affordable devices that can detect biological agents; this task is always left to specialist laboratories. Immediate reaction to a perceived biological incident should include isolating the victims and turning off the air circulation systems. In the case of suspected anthrax there are potentially more immediate actions than can be done for the victim and this is discussed later on Page 83. Some useful summary actions can be found in the Australian Federal Police publication “Australia – Bombs Defusing the Threat”, available via the ISMI Extranet. Radiological Agents Radiological agents can be delivered in two main ways: a. As a contaminant, perhaps in food, water or by itself. In this form is it usually powder or granular, and has no odour. b. Combined with explosives to produce a radiological dispersal device (RDD) – a so-called “dirty bomb”. The impact will be greater than from the use of explosive material alone because of the contamination of people and buildings that occurs from the spread of the radioactive material. Like biological agents, the symptoms of exposure to radiological agents usually take hours or days to develop. Exposure to radiological agents, if not fatal in the short term, may result in a significantly increased risk of later contracting cancer. Radiological agents are usually invisible to mail screening equipment, such as X-ray but there are inexpensive devices that can detect the presence of radioactivity in real time. Immediate reactions to a suspected dirty bomb explosion include immediate evacuation or if not possible sheltering in a room and trying to seal with anything available (eg. tape). In such explosive 32 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism threat scenarios most of the harmful radiation will be ingestible airborne particles rather that penetrative gamma radiation. Pre-planning measures to limit the spread of contamination can be found in Chapter 3 of the UK Government publication “Precautions to Minimise Effects of a Chemical, Biological, Radiological or Nuclear Event on Buildings and Infrastructure”, available from ISMI. This advice applies equally to biological agents such as anthrax, and chemical agents. Recovery The UK Cabinet Office (2010) cautions that contamination makes recovery from a CBR attack significantly more challenging than recovery from other terrorist actions. The clean-up process may be protracted as well as unfamiliar and untested. Further Study For a detailed treatise on the principles of building design for risk reduction related to chemical, biological, and radiological threats it is recommended that you download the publication “Incremental Protection for Existing Commercial Buildings from Terrorist Attack” in the Online Library. If you are unable to download, please contact ISMI for a copy. For a UK perspective on the same, it is recommended that you consult the UK Government publication “Precautions to Minimise Effects of a Chemical, Biological, Radiological or Nuclear Event on Buildings and Infrastructure”, which is available via the ISMI Extranet. For a detailed description of CBRN weapons, The Chatham House report “Assessing the Threat of Terrorist use of Chemical, Biological, Radiological and Nuclear Weapons in the United Kingdom” is recommended reading, available via the ISMI Extranet. 33 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Types of Target Business as Targets Terrorist attacks can be against both hard (police, military, government) and soft (businesses, the public) targets. In insurgency hotspots such as Iraq and Afghanistan, there is roughly a 50/50 split between attacks on hard targets and attacks on soft targets. Generally, however, terrorists prefer soft targets. Also, there have been cases where terrorists have set out to attack hard targets only to find them too difficult to access, and have as a result diverted to a soft target. The attraction to soft targets has less to do with the lower level of protection and the lower risk of being thwarted, and more about conveying the message of outrage and terror. Adversaries know that the greatest impact can be achieved – and the loudest message delivered – by directly attacking people, especially crowded, heavily populated targets and creating the impression that security forces are inept at protecting the public. The range of targets is almost limited only to the imagination and audacity of the attackers, but the following have proven to be targets attractive to many groups: Critical national infrastructure Central business districts Economic and industrial base Critical nodes (bridges and major Power generation, distribution and supply road intersections) Aviation infrastructure Iconic targets Public transport (rail and buses) Places of religious assembly Ports and maritime assets Telecommunications infrastructure Tourism infrastructure Oil, gas and chemical infrastructure Hotels and conference centres The public water supply Places of entertainment and Research companies and public assembly critical contractors Political events and polling stations Annual general meetings Sporting events VIPs (home, travel, public appearance Conferences, exhibitions and trade shows etc.) National symbols overseas (including Groups of workers associated with embassies and company offices) a particular enterprise Shopping centres Commercial enterprises are attractive for two reasons: a. They are relatively soft targets. b. They represent the economic well-being of a target country. They may also be seen as symbolic. Sometimes being the victim of an indirect attack can be more devastating than a direct attack. For example, if your organisation finds itself within one hundred metres of a large vehicle-borne improvised explosive device (VBIED) it will likely suffer more extensive damage – and casualties – than if it were the direct target of a postal IED. It is important that contingency planning recognise this, 34 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism especially if you are located in a central business district, or close to an iconic, attractive-to-terrorists target. CPNI (2010) advises organisations to be prepared for both direct attacks and indirect attacks. Some businesses will be more at risk than others because of the services they provide, their relatively high profile or the number of people they accommodate. The impacts of any attack are rarely confined to the target, and other businesses and communities can find themselves within the range of devastation of an attack, especially if an IED is used. In determining if your organisation might be the victim of a direct attack you should: Carry out a threat assessment, focusing not only on the threat assessment questions on Page 15 of Module 1, but also on trying to establish adversary information such as: - Targeting strategies. - Adversary equipment, tools and vehicles. - Mode of operation and tactics preference. - Sophistication, competence and technical ability. - Recent incidents that could give rise to copy-cat attacks. - Numbers of attackers and any indications of inside assistance. Carry out a security vulnerability analysis (SVA). This is explained in outline on Page 18 of Module 7. The SVA should take into account not only vulnerabilities in the physical security systems but also inherent operational vulnerabilities. Many targets have inherent intrinsic vulnerabilities. Critical national infrastructure elements, for example, have limited contingency as much is in the private sector where the economic imperative is paramount and may suffer from cascading of effects by virtue of their interconnectivity. Assess the attractiveness of the organisation to a terrorist adversary. For example, is the organisation attractive because it is part of the nation’s critical national infrastructure, because it identifies with a target nationality, because the nature of its operations means an attack will communicate distress or outrage, because the organisation is engaged in a contentious activity, etc.? CPNI (2010) notes that businesses should be constantly asking what it is about their operations or circumstances that could put their staff or key assets directly in harm’s way. Assess the deterrent posture of your security. This goes further than the SVA. What visible picture does your security convey to any adversary carrying out reconnaissance and considering your organisation as a target? Do you have the capability to identify hostile reconnaissance? Indirect attack considerations, according to CPNI (2010) should consider issues such as whether: You are located near an iconic, high-risk building? Staff would be able to travel if the local transportation network was severely disrupted? 35 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Critical National Infrastructure Critical national infrastructure (CNI) refers to installations, assets, services, systems and networks – physical and virtual – that are critical to the economic, political and social life of a nation and which, if degraded, disabled, denied, rendered unavailable or destroyed – in whole or in part – would adversely impact on the social or economic well-being of the target nation or affect that nation’s ability to ensure national security. Due to CNI criticality and its capacity – if attacked – to create a cascading impact, CNI is an attractive target to terrorists. CNI often takes the form of a network, so it is also highly vulnerable. CNI elements constitute the foundation for a modern, industrialised society and examples include (but are not limited to): Banking and finance Dams Shipping Communications Certain agricultural Chemical manufacturing services Emergency services Government facilities Energy Energy generation The emergency services and distribution Food supply chain Nuclear reactors, The oil and gas sector materials and waste Transportation systems Public health The defence Drinking water and and healthcare industrial base water treatment systems Information technology and telecommunications CNI is vulnerable not only to physical attack but also to cyber-terrorism. The backbone of much CNI is industrial control systems and supervisory control and data acquisition systems (SCADA) – computer-controlled process management systems, which, if successfully attacked, could cause a miss-operation and potentially a public emergency. CNI SCADA is already under attack from various non-terrorist malicious sources. According to McAfee (2011) nearly two-thirds of critical infrastructure companies report regularly finding malware designed to sabotage their systems, and in 2011 Symantec released details of a newly- discovered pathogen it called “Duqu”, an intelligence-gathering Trojan designed to harvest information about SCADA vulnerabilities for subsequent analysis and exploitation. Duqu code can be introduced by opening email attachments, sharing flash drives or accepting flash drives from vendors etc., and is sufficiently stealthy to hide below the radar of regular anti-virus programs. A good report that encapsulates the current state of cyber-attack preparedness within CNI can be found at: http://www.chathamhouse.org/publications/papers/view/178171 or downloaded from the Members Area of the ISMI website. 36 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Government Level Protection Responsibilities General The public looks towards the government to take the lead in combatting terrorism. There is no doubt that this is where the key responsibility lies, but since a terrorist attack could conceivably happen anywhere it would be unreasonable to expect government to provide protection for every business target. Typically, government activities involve the following: Stopping terrorist attacks and protecting the public, but at the same time balancing the needs of civil liberties and human rights. Gathering intelligence and evidence against terrorists and defeating them militarily or prosecuting them through the criminal courts. Disrupting groups by denying them resources (financial and materiel). Closing down the sources of finance for terrorism. Tackling the sources of radicalisation, diverting people from becoming terrorists and fostering community inclusion. Offering a political alternative to violence. Putting pressure on other governments which are perceived as helping terrorists or not doing enough to disrupt terrorism and its sources. Taking action against countries that sponsor terrorism. Penetrating groups and cultivating sources. Sharing threat and risk assessments with the target community. Making available good practice in counter-terrorism protective security and advising the private sector (businesses) on how to protect against specific terrorist threats. Creating resilience to be better able to absorb attacks. Liaising with other countries and multilateral organisations to tackle the threats at their source – for example, most of the threats to the UK have very significant overseas connections. Protecting national infrastructure and high-value symbolic targets and VIPs. Emergency response and civil contingencies planning to deal with mass casualty attacks, including CBR and marauding terrorist firearms attacks. Protecting border security. Providing rapid response to terrorist incidents, both those that have occurred (eg. explosions), and those that may be ongoing (eg. barricade and hostage taking). Public reassurance and confidence building and ensuring it is the government’s propaganda that is listened to and not that of the terrorists. 37 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism CONTEST When looking at your national response to terrorism, you may wish to draw parallels with the UK’s CONTEST programme, which is organised around four workstreams, comprising the following key objectives: Pursue To stop terrorist attacks in the UK and against UK interests overseas. This means detecting and investigating threats at the earliest possible stage, disrupting terrorist activity before it can endanger the public and, wherever possible, prosecuting those responsible. Prevent To stop people becoming terrorists or supporting terrorism. Addressing the root causes of radicalisation, fostering common ground and shared values, encouraging participation and the empowerment of all communities. Protect To strengthen protection against a terrorist attack in the UK and against overseas interests, and reducing vulnerabilities. The priorities are informed by an annual National Risk Assessment, a version of which is published and available to the public. Prepare Resilience building in order to mitigate the impact of a terrorist attack. This includes work to bring a terrorist attack to an end and to increase resilience for quick recovery from the aftermath of an attack. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file /716907/140618_CCS207_CCS0218929798-1_CONTEST_3.0_WEB.pdf 38 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Corporate Level Protection Responsibilities Overview From the preceding, it might appear that the responsibility for defeating terrorism lies exclusively with the state, but the state and its organs can’t protect the multitude of potential soft targets available – and attractive – to terrorists. Thus, if you are in an area or sector that is regarded at elevated risk from terrorism, you should act by taking certain actions and putting in place counter-terrorism protective security measures. Whenever the spectre of terrorism is raised, there is a tendency to rush towards the installation of specialist defences and the procurement of special equipment. While there is no doubt that this is necessary in some circumstances, this must be built on a strong foundation to be effective. The UK National Counter Terrorism Security Office, NaCTSO, (2007) cautions that without a thorough analysis of the risk, you might invest in specialist equipment which is ineffective, unnecessary and expensive. The key to ensuring effective counter-terrorism protective security (CTPS) is to ensure that standard security measures are optimised to the extent possible. Specific Counter-Terrorism Protective Security (CTPS) Actions The following are some CTPS considerations: Ensuring that CTPS measures are “built in” at the design stage, and not “bolted on” afterwards. Ensuring standard baseline security measures are in place and physical security is optimised. In this regard access control and surveillance are particularly important. Do you have a baseline level of security and is it audited regularly? If you face a threat from terrorism, you should have a baseline level of: good physical security (detection, delays, response measures to disrupt etc.); surveillance; personnel security; security procedures; security focal points; notices; access management (access points to a minimum); clear differentiation between public and private areas; security operating levels; key and parking control, information security, etc. Do you have protection in depth? Do you have early detection? Many of these concepts were set out in Module 3 and have since been reinforced in the modules that followed. Ensuring good operational security – this means that information relating to your day-to-day activities should be protected. In isolation information may have little value. But for a terrorist adversary each piece of information is a piece of a jig-saw puzzle. When recruiting staff or contractors, check identities and follow up references. Ensuring that important human assets are protected accordingly. Pay attention to what information is posted where about key staff and their activities and movements. Ensuring that you have intelligence about the local terrorist threat. You may be able to get some information from your local security services, and there are excellent analysis and intelligence companies that produce high-quality intelligence assessment. ISMI may be able to advise you on which companies to consider. With good intelligence you will be able to 39 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism develop a threat assessment, and with a good threat assessment you will be able to carry out a credible risk analysis. Ensuring that you have operational resilience and good business continuity contingency to cope with the impact of a terrorist attack. A VBIED, for example, has a very large radius of destruction. When a truck bomb exploded in Manchester in 1996 it was estimated that over 600 businesses were affected by the event; many of these did not resume trading. It is unlikely that you will be the direct victim of a terrorist attack; terrorist attacks are generally viewed as low likelihood events, but when they occur their impact is likely to be high. Resilience building is addressed beginning on Page 42. Plans should be rehearsed and exercised. Ensuring that you have good physical resilience. A basic principle in VBIED defence is to keep unsearched vehicles as far away from buildings as possible, and harden the facility against the projected residual blast pressures. Ensuring that staff are aware and trained. Security awareness should be part of organisational culture. All too often it is not, and there is a “them” and “us” attitude. Staff are not only your eyes and ears, but may also be the first responders if a device detonates without warning. You should ensure that your regular staff are aware and sensitised to the threat of terrorism. This is more than just looking out for suspicious objects, and extends to suspicious behaviour and unusual enquiries. Security staff should be aware of the indicators of hostile reconnaissance (see Page 49), should be trained in searching and IED recognition, and should know how to respond to an incident. Awareness training should extend to other contractors. NaCTSO (2007) specifically draws attention to concessionaires, cleaning and maintenance staff, the vigilance of whom is essential to ensuring good security. Ensuring that you have a system of security operating and alert states, or that you at least promulgate the national level alert states, where such information is made public. Ensuring that you have an emergency plan capable of addressing credible terrorism scenarios. This should extend to what to do in the event of a no-warning explosion. Ensuring that exterior and interior design, layout, partitions, staff desk orientation (addressed later) etc., minimise, rather than maximise, the risk of injury to staff. Risk and Vulnerability Analysis Specifically You should sit down with your risk analysis forum and determine the conceivable terrorism scenarios that you might become a victim of. You will need to be grounded; there is a tendency to overstate the likelihood of a terrorist attack, and this is unhelpful. Your analysis will be better if you have access to threat assessment information. Don’t consider terrorism as a single threat, but analyse different scenarios such as person-borne suicide attack, postal device etc. It is unlikely that you will face the complete spectrum of different attacks so your analysis needs to be rational. Take into account the possibility also of an indirect attack – you could be in the blast wave envelope of a vehicle-borne IED attack on a nearby facility. For example, is your facility near an at-risk foreign embassy or important government building? Is there an iconic target nearby? Are you housed in an iconic target? One of the factors that influence the terrorism risk analysis process is target attractiveness. 40 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism You should examine your facility (and operations) from the viewpoint of the adversary. Look from the outside in. What operational, security or vulnerability intelligence could an outsider glean from carrying out hostile reconnaissance of your facility? What is posted about your facility on the Internet? How cautious are your staff when taking telephone enquiries? How accessible is your facility to outsiders? One of the factors that influences the terrorism risk analysis process is target accessibility. Have you considered the insider threat? How thoroughly do you conduct background checks and would your background check reveal a terrorism connection or sympathy for a radical cause? What do you know about your contractors, including security contractors? Consider carrying out exercises to test alertness, detection capability and penetration vulnerability. Good Housekeeping Good housekeeping reduces opportunities for bombers to place devices where they might remain unobserved and helps reduce false alarms. If an area is cluttered or untidy, unattended items that would otherwise appear suspicious will be less easy to notice. ASISTIP (2013) recognises that the likelihood of staff detecting unattended items increases if they are trained, aware and willing to identify andIf you allow public report such items. access, consider reducing the number of CPNI (2010) recommends consideration to removing litter bins duringbins and increasing the periods of heightened threat or using clear plastic bags as a temporarynumber of daytime alternative. Special bins that direct blast away from people are alsocleaners. available. NaCTSO (2007) recommends the use of compactors to reduce the volume of stored trash. Particular attention should be given to areas accessible to the public, exits and entrances, corridors, stairs, halls and vestibules, reception areas, elevators, washrooms and any areas such as restaurants and coffee machines where staff congregate. Reception areas, in particular, should remain uncluttered. Clear lines of visibility, strong illumination, absence of bins, legged seats rather than armchairs (that can conceal devices), all make reception areas less attractive to bombers. Good housekeeping includes the locking of areas when not in use and effective control over keys, ensuring that everything has a place, and that items are returned to their respective places after use. In this regard the Australian Federal Police (2009) recommends locking surplus office accommodation and cupboards, where devices could be concealed. NaCTSO (2007) recommends the use of tamperproof seals on maintenance hatches. Housekeeping and Design There is a close relationship between good housekeeping and basic building design. Buildings that have recessed doorways, horizontal window sills, shrubbery below windows etc. increase the availability of places where an IED can be planted. This should be a particular concern with security gatehouses which have walls (or windows/doorway) that border public areas. Tree canopies should be kept well above the ground and bushes should be selected and trimmed in a 41 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism way that they cannot conceal an explosive device. The external design should facilitate the ability to exercise the best principles of CPTED, as set out in Module 2. Consultation As a security manager you should ensure that you liaise regularly. You can network with other security managers locally, with security managers in the same sector, or through associations such as ASIS, which may organise local seminars and invite specialist guest speakers. You may be fortunate to have direct access to specialist government agencies. In the UK, for example, CPNI regularly engages specific sectors and facilities to provide counter-terrorism protective security advice. Additionally, in the UK most regional police forces have counter-terrorism security advisors who can provide advice. When planning new facilities, you must also engage with architects and designers. NaCTSO (2007) states that you, as security managers, should be consulted in such matters, but it is more likely that you will have to take the initiative and ensure that issues such as locking, protective glazing, parking, building hardening and physical barriers that provide stand-off are taken into account. You may encounter a high level of awareness among architects and designers and there are design engineers who specialise in this field. The Royal Institute for British Architects (RIBA) produces guidance on designing for counter-terrorism protective security – available through the ISMI Extranet. Significantly more thorough, however, is the US Federal Emergency Management Agency (FEMA) risk management series of counter-terrorism protective security reference manuals, which can be downloaded from https://www.dhs.gov/xlibrary/assets/st/st-bips-06.pdf and https://www.fema.gov/pdf/plan/prevent/rms/453/fema453.pdf. The publications are intended for the building sciences community of architects and engineers, but as a security manager you will find their content invaluable. Study and Keep up to Date There is probably more published good practice on counter-terrorism protective security than on any other security subject (excluding IT security). It would be impossible for you to read and remember all of the guidance, but you should be aware of its existence. Much can be downloaded from the ISMI Extranet. 42 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Protection Principles – Resilience Resilience Building ASIS (2009) defines resilience as “the adaptive capacity of an organisation in a complex and changing environment”. Resilience capacity building is critical to organisations which are identified through the threat assessment process that they may be the direct or indirect targets of a terrorist attack. For most organisations, the risk of a direct terrorist attack is relatively low when compared to other kinds of adversary action. Nevertheless, the indirect nature of terrorist attack impact means that organisations should be prepared for worst-case scenarios, and should develop resilience plans to respond to disruption. CPNI (2012) reinforces this message: even if the likelihood of being directly targeted by terrorists is remote, the repercussions of an attack elsewhere can spread right across the economy. Could a business still function if, for example, key suppliers or clients were directly affected, if telephone networks went down or if power supplies were cut? What if deliveries could not be made or payments completed? These issues should be addressed in crisis management and business continuity management planning. Mitigation You will recall from Module 1 (Security Risk Analysis) that the three components of risk are likelihood, impact and vulnerability. In security management we generally focus on reducing likelihood of adversary action by increasing protection, and by reducing the chances of success of adversary action by reducing vulnerabilities. Emergency planning approaches risk from a slightly different perspective. Recognising that some sources of emergencies can’t be mitigated – at least from the perspective of likelihood – the emphasis in emergency planning is on creating resilience and reducing the impact that the threat has on the organisation. For example, the US Federal Emergency Management Agency’s (FEMA) approach is based on the following: Mitigation Mitigation actions involve lasting, often permanent, reduction of exposure to, probability of, or potential loss from adverse events. Can also involve educating businesses on simple measures they can take to reduce loss and injury. Preparedness Actions taken before an event to plan, organize, equip, train, and exercise in order to deal with emergencies that cannot be avoided or entirely mitigated. Response Implementation of the emergency plan to deal with short-term effects of the event. Incident identification, emergency notification, activation and deployment of emergency teams, and evacuation of personnel. Recovery Near-term and long-term actions taken to return the organisation to a pre-emergency level of operation or, in some cases, to a new level of operation. 43 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Contingency Planning A range of plans will be necessary to deal with the aftermath of a terrorist attack, whether the organisation is directly or indirectly targeted: Emergency Plan – Provides direction on how to deal with a terrorism emergency, ranging from the receipt of a telephone bomb threat to how to deal with the aftermath of a direct attack. The Emergency Plan focusses inwards, identifying tasks, resources and personnel responsible for managing the direct effects of an attack. Good practice for incident response can be found in Protecting against Terrorism (CPNI, 2010) beginning on Page 29. Crisis Management Plan – Establishes a formal structure responsible for steering an organisation through the more strategic implications of an attack. Much of the focus is outwards, towards stakeholder liaison, establishing of contingency facilities, HR issues, ensuring the organisation maintains the confidence of its customers, maintaining its financial well-being, communications etc. Good practice in crisis communications can be found in “Protecting against Terrorism” (CPNI, 2010) beginning on Page 31. Business Continuity Plan – Closely related to the Crisis Management Plan, with primary focus on maintaining business continuity in the event of an attack. Will dovetail into the IT Department’s disaster recovery planning and will establish issues such as recovery time objectives for various aspects of the business operation, off-site recovery contingency capacity. Operates at both the strategic level and at departmental recovery level, with individual responsibilities under the plan cascaded down the organisation. Good practice for business continuity planning can be found in Protecting against Terrorism (CPNI, 2010) beginning on Page 27. The security manager is well placed to be the custodian of such plans and to take on responsibility for the coordination of resilience capacity building. The Terrorism Incident Management Plan Two schools of thought exist in regard to the emergency plan. One is that organisations should develop generic emergency plans and populate them with incident-specific annexes. The other is that separate emergency plans should be developed for specific emergencies, the nature of which is so substantially different to standard emergencies that it requires a separate plan. There is a strong argument for developing separate plans for dealing with terrorist incidents, which can range from telephone bomb threats, through bombings (direct and indirect) to assailants attacking the site and taking hostages. If you decide to go down the path of a Terrorism Incident Management Plan, you should consider the amount of detail you require. Longer plans tend not to be remembered, or even read, but the plan needs to be sufficiently comprehensive so as to be of value. The following are some of the topics that you should consider for inclusion (not in order): 44 | P a g e © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923) Unit 10 – Facility Counterterrorism Roles and responsibilities Contact procedures for professional emergency responders Local contact lists and call-out procedures Security alert and operating levels On-site emergency notification procedures Command, control and communication Telephone bomb threat procedures Evacuation (or shelter in place) and assembly procedures Cordon and control procedures Site plans Detecting hostile reconnaissance and response actions to suspected hostile reconnaissance Search procedures (including floo

ISMI Facility Counterterrorism PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue