Securing Infrastructure: How to Prepare for Disruptions to Critical Services and Systems in Your Business

Written by: James Hart

Infrastructure is one of the great blessings of the modern age. Flip a switch, turn on a faucet, launch a browser window, and you can generally assume the giant invisible systems connecting and powering society will work as expected.

The same goes for transportation infrastructure. Running into delays on the interstate? Or maybe your flight is running behind schedule. Give it an hour or two, and many slowdowns will resolve themselves.

But what happens when the return to normal takes days, weeks, or months? The last few years have delivered example after example of just how dependent civilization is on infrastructure — and just how easy it is to disrupt. Business leaders must take those reminders seriously.

“It’s got to be part of their contingency planning,” said Brent C. Brown, Chairman and CEO of Chesley Brown Companies, the national security management and consulting firm. “What if things go down? What if basic communications go down — you know, because nowadays companies are not all sitting in the same corporate headquarters.”

As a security consultant, Brown has often been asked to imagine the worst so that teams could better secure infrastructure. He was part of security planning for the Atlanta Olympics in 1996 and the Salt Lake City Winter Olympics in 2002.

Even a minor outage can cost millions of dollars. Researchers have developed a model for calculating the economic impact of infrastructure outages, and they found that a mild case — a highway system being shut down for a few hours — could cost more than $8 million. A disruption of one or two days from a hurricane evacuation translated to a loss of $256 million or more.

Securing infrastructure is a herculean task. There are just so many ways that a large, complex system can fail or fall to outside attacks.

Fortunately, there are best practices that companies like yours can use to better protect water, power, communication, and other systems from disruption. Or — if you can’t directly affect infrastructure security — you can use these strategies to limit your organization’s risk in case of a catastrophic failure.

Increase Your Awareness of Potential Threats

“I would say that you need to educate yourself as best you can on every possible aspect of any open-source intelligence that’s provided to you,” Brown said.

That intelligence can come in many forms. It could be public alerts from the Department of Homeland Security or the FBI, warning the public about potential threats and calling for greater infrastructure security.

News sources dedicated to specific industries could provide an early warning about problems involving supply chains and materials sourcing.

Your best source for intelligence might be your security contractor. Many of these firms receive alerts from sources like the FBI, DHS, Interpol, and OSAC (the State Department’s Overseas Security Advisory Council) multiple times each day. They will also have knowledge of common concerns for your region and industry, so you can start thinking about how to respond if an emergency happens.

A comprehensive security provider should also be able to offer real-time threat monitoring and alerts, ensuring you are always informed about potential risks. By receiving timely updates on potential threats, you can stay ahead of risks and be better prepared to respond in case of an emergency.

Ask “What If?” and “What Would We Do Next?”

Staying current on known threats is a good idea, but companies also should devote time to brainstorming about other problems — the ones that nobody has pointed out yet — so they can work through how they would or should respond.

If its supply chain is compromised, for example, could the company find other ways to keep producing and delivering its goods? Who would be responsible for each part of a recovery plan?

Or what if cybercriminals attack the leading payment processor for your industry? Does your organization have enough cash on hand to pay critical expenses? Would you have the ability to secure working capital some other way?

Emergencies aren’t always caused by a human being. Sometimes it can just be bad luck. What if your food processing plant needs high volumes of water to run, but your region has been struck by a once-in-a-century drought? How would your facility carry on?

These structured conversations — also called tabletop exercises — are good for thinking about complicated problems in a low-stress environment, so personnel can ask questions and brainstorm better strategies. Internal staff can lead these exercises, but you might find value in bringing in an outside expert to help generate fresh perspectives.

“Try to conduct tabletop exercises at least once a year. Quarterly might be better, though many teams don’t have the bandwidth and too-frequent drills also raise the risk of becoming background noise,” Brown said. You don’t want your team to zone out when planning emergency responses.

The ideas generated should be used to write contingency plans that can be quickly consulted during an emergency.

They may lead you to change policies or invest in new resources, like backup generators if your facility doesn’t already have them. (The smart facilities also make a point of running those generators every few weeks to ensure they’re working correctly.)

Document Your Contingency Plans, and Make Sure It’s Widely Available in Print

When an emergency occurs, you don’t want to waste time trying to remember the plan for that particular situation. Instead, have everything written and printed out in advance. Ideally, you’ll want multiple copies in all your locations, safe and secure in three-ring binders.

Don’t listen to the executive who says the plan “lives in my head.” In a disaster, that person might become unavailable temporarily or permanently. Require them to write out their part of the plan.

And while many companies store the bulk of their documentation in the cloud, contingency plans are one exception that absolutely must have physical copies in case of power or Internet outages — or something more sinister like a ransomware attack.

One other thing: Ideally, contingency plans should be “living documents” that are constantly updated to reflect changes in the world. At the very least, your company should be revising its written plans after every tabletop exercise to take advantage of any innovative ideas or prepare for newly discovered problems.

Case in point: Brown was part of the security planning for the Salt Lake City Winter Olympics in 2002. Months and months of work were put into plans that, because of 9/11, had to be completely redone to reflect the new security landscape.

Harden Your Physical Security

That is, you need to make it harder for bad actors to get inside your properties.

“Start at the most outward level of your physical facility,” Brown said. “Investing in more and better security cameras can increase your ability to spot potential intruders. So can security checkpoints.”

Adding barricades can prevent bad actors from simply barreling onto the property. Even better, barricades don’t necessarily need to look like barricades. A cement flower bed will do the same job and make the property look better.

Any security measures must fit the property and its overall use, Brown cautioned. Concertina wire might be fine around an isolated power plant. It’s not going to work for an elementary school.

Once you’ve hardened the exterior, “then your next level of access is most likely going to be some type of access control, badging system or proximity system,” Brown said.

This type of system — in addition to keeping uninvited parties out — is also useful for keeping track of everyone in the building and studying traffic trends for the property.

You might use another level of access control for sensitive areas inside the property, too — for example, the executive area or the control room for a facility.

It can also be smart to have sufficient camera coverage inside the facility, too. If there’s ever a fire alarm, most security features will go offline so firefighters can quickly get into the building. Cameras, however, should keep working, allowing you to see if anyone tries to use the incident to sneak into the property.

Seek Input on Infrastructure Security from Your Entire Team

Your most useful insights could come from team members who serve as boots on the ground. They see your operations up close every day they come to work, so they notice where defenses are weak and where a potential bad actor could take advantage.

“I used to say some of the best insights came from the security officer that was on the midnight shift, sitting in the lobby all night long,” Brown said. “And what I found as a consultant is that everybody ignored that person and their valuable perspective.”

The Bottom Line on Securing Infrastructure

You probably won’t be able to prepare for every single catastrophe that could disrupt the infrastructure that your company relies on. But with hard work and planning, you can greatly reduce the risk that your organization faces.

Make sure you understand the current threats facing your industry by consulting open-source intelligence. Your team should also spend time identifying potential problems that aren’t on anyone’s radar, and tabletop exercises are a terrific way to do so.

Thinking through those problems will give you the knowledge you need to write a solid contingency plan, one that can be put to work at once when a major outage occurs so the return to normal happens as fast as possible.

Don’t leave your infrastructure security to chance. With Chesley Brown’s ability in security management and consulting, you can confidently protect your business from disruptions and threats. Our comprehensive risk assessments, tailored contingency plans, and top-tier security solutions ensure that your organization is always prepared. Contact Chesley Brown today to secure your infrastructure and safeguard your company’s future.

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

Picture of the Empire State Building in the foreground on September 11th with the buring World Trade Towers in the background

How the Events of September 11th Have Impacted National Security

By Chesley Brown | September 2, 2021

How Has National Security Evolved Since September 11th, 2001? Written by: Dell Spry As I sit and write this paper, Afghanistan is collapsing.  It is not my intention to point the finger at anyone and…

Read More
The Colonial Pipeline Attack revealed how underprepared our nation's critical infrastructure is to outside threats.

A Nation Under Attack: The Colonial Pipeline Attack

By Chesley Brown | May 20, 2021

Written by: Dell Spry Introduction: Before the Colonial Pipeline Attack In earlier centuries wars were fought between nation states to acquire water and fertile land. Then came the quest for natural resources; gold, silver, oil.…

Read More
security risk firm at a A office tower

Reasons to Hire an Outside Security Risk Firm

By Chesley Brown | February 2, 2021

The security services industry is one of the fastest growing industries in America today. With so many disruptive technologies, emerging threats, and the growing frequency of natural disasters, its easy to understand why — It…

Read More
preventing economic espionage, trade secret theft and intellectual property theft

The Ultimate Guide for Small Businesses to Combat Economic Espionage

By Chesley Brown | January 26, 2021

For decades, the US has been a victim of economic espionage — a foe that is now costing American companies billions of dollars in lost revenue. From hacking government websites to infiltrating research institutions with…

Read More
Protestors storming the captiol in an act of civil unrest, insurection

Preventing Civil Unrest

By Chesley Brown | January 19, 2021

We’ve all recoiled in disbelief and horror as we watched scenes of violence stream across our TVs. The violent insurrection we saw in the U.S. capitol was unprecedented. That is to say nothing of the …

Read More
The 7 Step Guide for Building Business Continuity Plans that Work