Written by: James Hart
Infrastructure is one of the great blessings of the modern age. Flip a switch, turn on a faucet, launch a browser window, and you can generally assume the giant invisible systems connecting and powering society will work as expected.
The same goes for transportation infrastructure. Running into delays on the interstate? Or maybe your flight is running behind schedule. Give it an hour or two, and many slowdowns will resolve themselves.
But what happens when the return to normal takes days, weeks, or months? The last few years have delivered example after example of just how dependent civilization is on infrastructure — and just how easy it is to disrupt. Business leaders must take those reminders seriously.
“It’s got to be part of their contingency planning,” said Brent C. Brown, Chairman and CEO of Chesley Brown Companies, the national security management and consulting firm. “What if things go down? What if basic communications go down — you know, because nowadays companies are not all sitting in the same corporate headquarters.”
As a security consultant, Brown has often been asked to imagine the worst so that teams could better secure infrastructure. He was part of security planning for the Atlanta Olympics in 1996 and the Salt Lake City Winter Olympics in 2002.
Even a minor outage can cost millions of dollars. Researchers have developed a model for calculating the economic impact of infrastructure outages, and they found that a mild case — a highway system being shut down for a few hours — could cost more than $8 million. A disruption of one or two days from a hurricane evacuation translated to a loss of $256 million or more.
Securing infrastructure is a herculean task. There are just so many ways that a large, complex system can fail or fall to outside attacks.
Fortunately, there are best practices that companies like yours can use to better protect water, power, communication, and other systems from disruption. Or — if you can’t directly affect infrastructure security — you can use these strategies to limit your organization’s risk in case of a catastrophic failure.
Increase Your Awareness of Potential Threats
“I would say that you need to educate yourself as best you can on every possible aspect of any open-source intelligence that’s provided to you,” Brown said.
That intelligence can come in many forms. It could be public alerts from the Department of Homeland Security or the FBI, warning the public about potential threats and calling for greater infrastructure security.
News sources dedicated to specific industries could provide an early warning about problems involving supply chains and materials sourcing.
Your best source for intelligence might be your security contractor. Many of these firms receive alerts from sources like the FBI, DHS, Interpol, and OSAC (the State Department’s Overseas Security Advisory Council) multiple times each day. They will also have knowledge of common concerns for your region and industry, so you can start thinking about how to respond if an emergency happens.
A comprehensive security provider should also be able to offer real-time threat monitoring and alerts, ensuring you are always informed about potential risks. By receiving timely updates on potential threats, you can stay ahead of risks and be better prepared to respond in case of an emergency.
Ask “What If?” and “What Would We Do Next?”
Staying current on known threats is a good idea, but companies also should devote time to brainstorming about other problems — the ones that nobody has pointed out yet — so they can work through how they would or should respond.
If its supply chain is compromised, for example, could the company find other ways to keep producing and delivering its goods? Who would be responsible for each part of a recovery plan?
Or what if cybercriminals attack the leading payment processor for your industry? Does your organization have enough cash on hand to pay critical expenses? Would you have the ability to secure working capital some other way?
Emergencies aren’t always caused by a human being. Sometimes it can just be bad luck. What if your food processing plant needs high volumes of water to run, but your region has been struck by a once-in-a-century drought? How would your facility carry on?
These structured conversations — also called tabletop exercises — are good for thinking about complicated problems in a low-stress environment, so personnel can ask questions and brainstorm better strategies. Internal staff can lead these exercises, but you might find value in bringing in an outside expert to help generate fresh perspectives.
“Try to conduct tabletop exercises at least once a year. Quarterly might be better, though many teams don’t have the bandwidth and too-frequent drills also raise the risk of becoming background noise,” Brown said. You don’t want your team to zone out when planning emergency responses.
The ideas generated should be used to write contingency plans that can be quickly consulted during an emergency.
They may lead you to change policies or invest in new resources, like backup generators if your facility doesn’t already have them. (The smart facilities also make a point of running those generators every few weeks to ensure they’re working correctly.)
Document Your Contingency Plans, and Make Sure They’re Widely Available in Print
When an emergency occurs, you don’t want to waste time trying to remember the plan for that particular situation. Instead, have everything written and printed out in advance. Ideally, you’ll want multiple copies in all your locations, safe and secure in three-ring binders.
Don’t listen to the executive who says the plan “lives in my head.” In a disaster, that person might become unavailable temporarily or permanently. Require them to write out their part of the plan.
And while many companies store the bulk of their documentation in the cloud, contingency plans are one exception that absolutely must have physical copies in case of power or Internet outages — or something more sinister like a ransomware attack.
One other thing: Ideally, contingency plans should be “living documents” that are constantly updated to reflect changes in the world. At the very least, your company should be revising its written plans after every tabletop exercise to take advantage of any innovative ideas or prepare for newly discovered problems.
Case in point: Brown was part of the security planning for the Salt Lake City Winter Olympics in 2002. Months and months of work were put into plans that, because of 9/11, had to be completely redone to reflect the new security landscape.
Harden Your Physical Security
That is, you need to make it harder for bad actors to get inside your properties.
“Start at the most outward level of your physical facility,” Brown said. “Investing in more and better security cameras can increase your ability to spot potential intruders. So can security checkpoints.”
Adding barricades can prevent bad actors from simply barreling onto the property. Even better, barricades don’t necessarily need to look like barricades. A cement flower bed will do the same job and make the property look better.
Any security measures must fit the property and its overall use, Brown cautioned. Concertina wire might be fine around an isolated power plant. It’s not going to work for an elementary school.
Once you’ve hardened the exterior, “then your next level of access is most likely going to be some type of access control, badging system or proximity system,” Brown said.
This type of system — in addition to keeping uninvited parties out — is also useful for keeping track of everyone in the building and studying traffic trends for the property.
You might use another level of access control for sensitive areas inside the property, too — for example, the executive area or the control room for a facility.
It can also be smart to have sufficient camera coverage inside the facility. If there’s ever a fire alarm, most security features will go offline so firefighters can quickly get into the building. Cameras, however, should keep working, allowing you to see if anyone tries to use the incident to sneak into the property.
Seek Input on Infrastructure Security from Your Entire Team
Your most useful insights could come from team members who serve as boots on the ground. They see your operations up close every day they come to work, so they notice where defenses are weak and where a potential bad actor could take advantage.
“I used to say some of the best insights came from the security officer that was on the midnight shift, sitting in the lobby all night long,” Brown said. “And what I found as a consultant is that everybody ignored that person and their valuable perspective.”
The Bottom Line on Securing Infrastructure
You probably won’t be able to prepare for every single catastrophe that could disrupt the infrastructure that your company relies on. But with hard work and planning, you can greatly reduce the risk that your organization faces.
Make sure you understand the current threats facing your industry by consulting open-source intelligence. Your team should also spend time identifying potential problems that aren’t on anyone’s radar, and tabletop exercises are a terrific way to do so.
Thinking through those problems will give you the knowledge you need to write a solid contingency plan, one that can be put to work at once when a major outage occurs so the return to normal happens as fast as possible.
Don’t leave your infrastructure security to chance. With Chesley Brown’s expertise in security management and consulting, you can confidently protect your business from disruptions and threats. Our comprehensive risk assessments, tailored contingency plans, and top-tier security solutions ensure that your organization is always prepared. Contact Chesley Brown today to secure your infrastructure and safeguard your company’s future.