Securing Infrastructure: How to Prepare for Disruptions to Critical Services and Systems in Your Business

Written by: James Hart

Infrastructure is one of the great blessings of the modern age. Flip a switch, turn on a faucet, launch a browser window, and you can generally assume the giant invisible systems connecting and powering society will work as expected.

The same goes for transportation infrastructure. Running into delays on the interstate? Or maybe your flight is running behind schedule. Give it an hour or two, and many slowdowns will resolve themselves.

But what happens when the return to normal takes days, weeks, or months? The last few years have delivered example after example of just how dependent civilization is on infrastructure — and just how easy it is to disrupt. Business leaders must take those reminders seriously.

“It’s got to be part of their contingency planning,” said Brent C. Brown, Chairman and CEO of Chesley Brown Companies, the national security management and consulting firm. “What if things go down? What if basic communications go down — you know, because nowadays companies are not all sitting in the same corporate headquarters.”

As a security consultant, Brown has often been asked to imagine the worst so that teams could better secure infrastructure. He was part of security planning for the Atlanta Olympics in 1996 and the Salt Lake City Winter Olympics in 2002.

Even a minor outage can cost millions of dollars. Researchers have developed a model for calculating the economic impact of infrastructure outages, and they found that a mild case — a highway system being shut down for a few hours — could cost more than $8 million. A disruption of one or two days from a hurricane evacuation translated to a loss of $256 million or more.

Securing infrastructure is a herculean task. There are just so many ways that a large, complex system can fail or fall to outside attacks.

Fortunately, there are best practices that companies like yours can use to better protect water, power, communication, and other systems from disruption. Or — if you can’t directly affect infrastructure security — you can use these strategies to limit your organization’s risk in case of a catastrophic failure.

Increase Your Awareness of Potential Threats

“I would say that you need to educate yourself as best you can on every possible aspect of any open-source intelligence that’s provided to you,” Brown said.

That intelligence can come in many forms. It could be public alerts from the Department of Homeland Security or the FBI, warning the public about potential threats and calling for greater infrastructure security.

News sources dedicated to specific industries could provide an early warning about problems involving supply chains and materials sourcing.

Your best source for intelligence might be your security contractor. Many of these firms receive alerts from sources like the FBI, DHS, Interpol, and OSAC (the State Department’s Overseas Security Advisory Council) multiple times each day. They will also have knowledge of common concerns for your region and industry, so you can start thinking about how to respond if an emergency happens.

A comprehensive security provider should also be able to offer real-time threat monitoring and alerts, ensuring you are always informed about potential risks. By receiving timely updates on potential threats, you can stay ahead of risks and be better prepared to respond in case of an emergency.

Ask “What If?” and “What Would We Do Next?”

Staying current on known threats is a good idea, but companies also should devote time to brainstorming about other problems — the ones that nobody has pointed out yet — so they can work through how they would or should respond.

If its supply chain is compromised, for example, could the company find other ways to keep producing and delivering its goods? Who would be responsible for each part of a recovery plan?

Or what if cybercriminals attack the leading payment processor for your industry? Does your organization have enough cash on hand to pay critical expenses? Would you have the ability to secure working capital some other way?

Emergencies aren’t always caused by a human being. Sometimes it can just be bad luck. What if your food processing plant needs high volumes of water to run, but your region has been struck by a once-in-a-century drought? How would your facility carry on?

These structured conversations — also called tabletop exercises — are good for thinking about complicated problems in a low-stress environment, so personnel can ask questions and brainstorm better strategies. Internal staff can lead these exercises, but you might find value in bringing in an outside expert to help generate fresh perspectives.

“Try to conduct tabletop exercises at least once a year. Quarterly might be better, though many teams don’t have the bandwidth and too-frequent drills also raise the risk of becoming background noise,” Brown said. You don’t want your team to zone out when planning emergency responses.

The ideas generated should be used to write contingency plans that can be quickly consulted during an emergency.

They may lead you to change policies or invest in new resources, like backup generators if your facility doesn’t already have them. (The smart facilities also make a point of running those generators every few weeks to ensure they’re working correctly.)

Document Your Contingency Plans, and Make Sure It’s Widely Available in Print

When an emergency occurs, you don’t want to waste time trying to remember the plan for that particular situation. Instead, have everything written and printed out in advance. Ideally, you’ll want multiple copies in all your locations, safe and secure in three-ring binders.

Don’t listen to the executive who says the plan “lives in my head.” In a disaster, that person might become unavailable temporarily or permanently. Require them to write out their part of the plan.

And while many companies store the bulk of their documentation in the cloud, contingency plans are one exception that absolutely must have physical copies in case of power or Internet outages — or something more sinister like a ransomware attack.

One other thing: Ideally, contingency plans should be “living documents” that are constantly updated to reflect changes in the world. At the very least, your company should be revising its written plans after every tabletop exercise to take advantage of any innovative ideas or prepare for newly discovered problems.

Case in point: Brown was part of the security planning for the Salt Lake City Winter Olympics in 2002. Months and months of work were put into plans that, because of 9/11, had to be completely redone to reflect the new security landscape.

Harden Your Physical Security

That is, you need to make it harder for bad actors to get inside your properties.

“Start at the most outward level of your physical facility,” Brown said. “Investing in more and better security cameras can increase your ability to spot potential intruders. So can security checkpoints.”

Adding barricades can prevent bad actors from simply barreling onto the property. Even better, barricades don’t necessarily need to look like barricades. A cement flower bed will do the same job and make the property look better.

Any security measures must fit the property and its overall use, Brown cautioned. Concertina wire might be fine around an isolated power plant. It’s not going to work for an elementary school.

Once you’ve hardened the exterior, “then your next level of access is most likely going to be some type of access control, badging system or proximity system,” Brown said.

This type of system — in addition to keeping uninvited parties out — is also useful for keeping track of everyone in the building and studying traffic trends for the property.

You might use another level of access control for sensitive areas inside the property, too — for example, the executive area or the control room for a facility.

It can also be smart to have sufficient camera coverage inside the facility, too. If there’s ever a fire alarm, most security features will go offline so firefighters can quickly get into the building. Cameras, however, should keep working, allowing you to see if anyone tries to use the incident to sneak into the property.

Seek Input on Infrastructure Security from Your Entire Team

Your most useful insights could come from team members who serve as boots on the ground. They see your operations up close every day they come to work, so they notice where defenses are weak and where a potential bad actor could take advantage.

“I used to say some of the best insights came from the security officer that was on the midnight shift, sitting in the lobby all night long,” Brown said. “And what I found as a consultant is that everybody ignored that person and their valuable perspective.”

The Bottom Line on Securing Infrastructure

You probably won’t be able to prepare for every single catastrophe that could disrupt the infrastructure that your company relies on. But with hard work and planning, you can greatly reduce the risk that your organization faces.

Make sure you understand the current threats facing your industry by consulting open-source intelligence. Your team should also spend time identifying potential problems that aren’t on anyone’s radar, and tabletop exercises are a terrific way to do so.

Thinking through those problems will give you the knowledge you need to write a solid contingency plan, one that can be put to work at once when a major outage occurs so the return to normal happens as fast as possible.

Don’t leave your infrastructure security to chance. With Chesley Brown’s ability in security management and consulting, you can confidently protect your business from disruptions and threats. Our comprehensive risk assessments, tailored contingency plans, and top-tier security solutions ensure that your organization is always prepared. Contact Chesley Brown today to secure your infrastructure and safeguard your company’s future.