Heightened alert: Combatting the ‘hybrid security threat’ to critical energy and utilities

Hunter Seymour explores the growing threat to critical energy and utilities facilities, such as oil and gas networks in the Middle East, with real-world examples to highlight the issues. Hunter also identifies the need for a ‘hybrid’ security approach, outlining several strategies private security companies such as GardaWorld are currently taking to mitigate the threat.

At the very start of this year, NATO spelled out the “major and growing challenge” to critical energy security posed by a “hybrid threat” composed of cyber attacks, physical attacks, supply disruptions, drone strike sabotage, intimidation, and covert incursions by irregular armed extremists. In essence, actions that are “complex, destructive and coercive” with the potential to destabilise critical energy infrastructure and assets on which developed economies depend.

Such “hybrid warfare” falls into the category of “grey area” warfare, whose malign actions are just beneath the threshold of armed conflict. As a result the security industry, in its mitigation strategies to increase resilience, is developing countermeasures that respond to these threats with “hybrid solutions” for detection, deterrence and recovery from potentially devastating hybrid attacks.

Credit: GardaWorld

In a similar vein are the views announced this month by the USA National Intelligence Council whose “Global Trends” predictions similarly define such evolving rapid-response countermeasures as specialised deterrence strategies that “can more quickly achieve objectives with smaller footprints and asymmetric techniques.”

Convergence: a synergy of hybrid countermeasures

It is the convergence of these combinations of “hybrid countermeasures”, driven by diverse potential vulnerabilities emerging in the energy sector, which now demands the urgent attention of security specialists. Therefore, for Private Security Companies (PSCs) increasingly involved in the protection of oil and gas infrastructure, the “hybrid” concept is shaping a synergy of aligned security services to protect the integrity of pipeline infrastructure from physical threats at every critical point.

In this brief overview the intention is to outline the key approaches that challenge these evolving hazards by examining, segment-by-segment, the chain of integration as a threat-led holistic solution, including site intelligence gathering and loss prevention audits; robust physical field security measures; security technologies for long range and short range detection; unmanned aerial vehicle (UAVs) surveillance; electronic and surveillance security systems for perimeter protection; and protective services for personnel and transportation. This list is by no means exhaustive.

Intelligence gathering for worst-case scenarios

“Security by bespoke design” is the watchword of PSCs whose services aim for global reach because the demands are invariably more complex and interconnected than traditional practices of supply-chain management. Hence, the operational resilience of a security enhancement programme overseas is necessarily based on detailed local knowledge and informed diplomatic engagements, underpinned by a specialised understanding of threats arising on-the-ground in operational areas. In particular, the impact that “irregular” outside forces can have on the secure day-to-day running of a stakeholder’s enterprise.

Today, in shaping a targeted program of actions, security professionals must factor in such pressing considerations as cyber risks, terrorism, armed drone attacks, sabotage (improvised explosive devices), extortion, and opportunistic crime (e.g. illegal taps) and more. In short, operators must prepare contingency plans for the worst-case scenarios.

To support their risk assessment, they must identify mitigation options to reduce vulnerabilities to within defined loss criteria that ensure minimum disruption. Risk methodology for high-threat environments should also include logistical governance, in line with international best practice, and ensure compliance with the Security Plan, supported by supervision from inception to inspection and commissioning of systems.

A blend of physical guarding and deployed security technology

“We can state that international energy corporations’ reliance on private security companies (PSCs) has increased considerably over the past two decades,” affirms integrated-security experts GardaWorld, “with PSCs playing a central part in the protection of oil and gas infrastructure in the US and other developed countries for many years.”

As indicated in this overview, integrated security services in mobile, static and ad hoc solutions are now recognised as the specification of choice for those contractors in the energy industry challenged by mounting homegrown threats in their regions of operation.

1) Long range and short range pipeline protection: Security technologies for integrated detection and verification include such devices as ground radar tracking, thermal cameras, motion-sensitive cameras, conventional (optical and electro-optical) cameras, supported by configurations of video surveillance and recording.
An example of a current applied technology is the Westminster Group’s Acoustic Fibre Optic Pipeline Security System (AFOPSS), designed to protect gas, oil and other utility pipeline transmission networks and their remote facilities by providing distributed sensing for interpretative monitoring. Essentially, AFOPSS gives early warning of leaks, illegal taps, excavations and intruders that could pose potential critical threats.

2) Robust physical field security measures: Manned guarding, supported by mobile patrol units, comprise an important part of a successful pipeline security system. Not only does their visible presence serve as a deterrent but rapid response times of guards also ensure early warning for alert protection of facilities and assets against criminal acts and hostile incursions. As GardaWorld comments, this increased prominence of PSCs “contrasts with Government security forces generally being responsible in the developing world. Whilst Government Security forces will always play an important role in a holistic security programme, PSCs tend to be favoured for specific and specialised roles, particularly in complex or high-threat environments.”

3) Ground-and-Aerial surveillance: The diverse spread of the oil and gas pipeline infrastructure makes real-time monitoring of the entire network, often traversing vast remote terrain, a demanding and costly operation. For example, Nigeria lost more than $11 billion to crude-oil theft and pipeline vandalisation over the four-year period, 2007 to 2011.

In such scenarios, the deployment of Unmanned Air Vehicles (UAVs) to provide real-time visual monitoring of pipeline sections – whenever a pressure drop, say, or any significant third-party activity is detected – enables timely countermeasures to contain the situation.

Similarly, a technical solution for protecting energy sector assets on large surface areas, scalable to various locations, is the implementation of an economical and easy to install network of efficient Tactical Unattended Ground Sensors (T-UGS). These are discreet ground-based sensors that collect intelligence through seismic, acoustic, radiological nuclear and electro-optic means. To keep intruders under surveillance, these sensors can be concealed below the surface without the need to be supervised and incorporate their own communication protocols, supported by georeferenced alarms to detect each target.

4) Perimeter protection:  Critical static targets within the pipeline infrastructure, such as production plants, pumping stations, holding tanks, terminals or locations where pipelines converge, are sites with particular vulnerabilities requiring a more focused security design.

The design of buildings to combat explosive and ballistic threats is only one element of a security programme. Access control systems (including biometric identification), security lighting, security of locks, windows, doors, fences, walls and gates are all subject to risk assessment on a case-by-case basis.

The complex variations of technologies required for an integrated security plan may be appreciated from the following example. For substations of oil pipelines in Kazakhstan, the European Commission initiated the development of software modules to merge fully electronic security systems (conventional CCTV, microwave and volumetric perimeters) for the interior protection and perimeters with emerging security technologies (Radar, T-UGS) for early warning detection.

Holding tanks and terminals, as threats identified here remind us, are conspicuous targets for the hostile actions that characterise the ‘hybrid warfare’ that PSCs currently confront in their safeguarding of pipeline integrity.

Coltraco Ultrasonics comments: “Pipeline integrity is fundamental to global energy security and the pipeline network is itself a strategic issue. The monitoring and recording of the contents that flow through them and the contents in the tanks that contain their output is essential to their security. Coltraco Ultrasonics is a global leader in the design and manufacture of equipment to monitor the flow through pipes and the contents of their holding tanks. They have just designed one of the world’s first capabilities to calculate the pressure from the flow, a vital component of pipeline movement, and thus create an integrated capability of flow, pressure and contents.”

5) Protective services for personnel and transportation: With the rising threat of vehicle-borne attacks due to terrorism and hostile incursions, a critical component of any Security Design Plan for pipeline infrastructure is the development of HVM (Hostile Vehicle Mitigation) measures, including vehicle security barriers (VSBs), vehicle blockers and security installations for checkpoint search areas. HVM solutions are becoming an increasingly important part of any physical security strategy, particularly countering incidents where the risks of VBIEDs (Vehicle Borne Improvised Explosive Devices) or a VAW (Vehicle As a Weapon) have been identified.

One of the main requirements of HVM systems is the capability to prevent unauthorised vehicles from getting close to, or entering a site. In the event of a hostile vehicle attack, fixed bollards, rising blockers, crash rated fencing, and anti-vehicle defences such as speed gates are designed to provide protection, with HVM specifications based on security assessments for the deployment of proportionate risk-based measures. For example, Bi-folding speed gates can close within a few seconds to resist impact, with low penetration from attack; an assault by a 7.5 tonne class 3 truck accelerating to up to 50mph can be stopped in its tracks.

“Setting tripwires”… a case history

For a clearer picture of the work of a Private Security Company providing integrated security design planning in the field of energy infrastructure, GardaWorld outlines its range of services and explains the challenging realities of protecting a sector often operating in high-threat environments.

“Large-scale oil and gas pipeline projects are a strategic component of many countries’ future crude distribution strategies; being seen as a cost effective, fast and less risky way of getting product to market. Bypassing shipping choke points and removing overland tankers from the supply chain makes a pipeline seem like a panacea. They do carry their own challenges and risks, as seen in October 2020 when exports from Iraq’s semi-autonomous Kurdish region were suspended for a week due to an attack on the Turkish section of their export pipeline and in 2019 Saudi Arabia temporarily halted its main cross-country oil pipeline after an armed drone attack by Yemeni rebels.

“Cost is central to any solution design and with crude at less than $60 per barrel, it is essential that operating costs are managed closely. Experienced PSCs will work closely with, and hire from the local communities within which the work will be executed. Manpower will always be a key aspect of an integrated security programme; however, security technology is increasingly playing a key role. Whilst costly at the front end, security technology can be used to both improve a security programme, and also reduce operating costs. Such security technology might include ground radar systems to cover and provide early approach warning across large expanses of dead ground, UAVs to patrol pipeline routes or perimeters, long-range cameras or ground detection systems to cover key areas of concern, high-spec 360 cameras with visual tripwires covering critical infrastructure internal and external areas, right down to basic CCTV and access control systems to secure perimeters and property.

“GardaWorld uses an intelligence-led approach; mapping the threats along pipeline routes to design a bespoke solution at each critical point of infrastructure in order that those threats can be mitigated. Combining our 17+ years of experience of designing and delivering security programmes in support of large-scale linear projects in complex environments, we can leverage our understanding of the human terrain to understand more than just the traditional physical risks. We can therefore deliver a much more targeted risk management strategy to meet the needs of our clients, and the communities in which they operate. 

“The list of technology commercially available to augment a security programme is endless, so it is vital that clients and PSCs work closely during the security concept design stage in order to configure a viable, cost-effective, holistic security solution which has the right balance of manned guarding provision and deployed security technology.”

A cautionary note: integrated security

It should be noted, of course, that exposing operational technology to greater interconnectivity to serve integrated security planning holds the possibility for creating innumerable attack entry-points, particularly if internet dependence ignores the good housekeeping of “air-gaps” to defeat extraterritorial hacktivists, cybercriminals and state-sponsored cyber attackers. So, theoretically, an IoT hyperconnected world could actually multiply potential risks.

The UK’s National Cyber Security Centre warns of the penalties from failure to air-gap high-security resources from the rest of their IT assets, and prompts questions for security professionals: “Are they using the same internet-facing account to administer the system as they use for normal internet-facing business?” If they answer “Yes”, their system is compromised and in jeopardy.

The infrastructure discussed here is only as secure as the security of the users who operate its networks.

Read more articles on the threat to Critical National Infrastructure:

• Watch: Protecting Critical National Infrastructure webinar 
• Mounting cyber threat to critical infrastructure ramps up UK countermeasures
• How to protect our critical infrastructure from cyber attacks

EBOOK: Lessons from IFSEC 2023 – Big Tech, Martyn’s Law and Drone Threats

Read IFSEC Insider’s exclusive IFSEC eBook and explore the key takeaways from the 2023 show!

Navigate the impact of Big Tech on access control, gain insights from Omdia’s analysts on video surveillance trends, and explore sessions covering topics like futureproofing CCTV networks, addressing the rising drone threat, and the crucial role of user proficiency in security technology.

There's also an exclusive interview with Figen Murray, the driver behind Martyn's Law legislation.

 

Get your copy today!