By Stephen Fidler
Financial Times, Defence and Security Editor July 7 2008
The risks posed by employees linked to terrorist groups have been inadequately addressed by companies managing Britain's infrastructure, according to government officials.
The risk of disruption to elements of Britain's critical national infrastructure remains an important official concern two years after the attacks on London's transport network that killed 52 commuters. Ministers have just endorsed a new way of assessing the infrastructure assets that are most important to the economy, following criticism last year that the existing approach to risk assessment was unsatisfactory.
The government has identified nine industry sectors, including telecommunications, energy and finance, as critical to the national infrastructure.
Government advisers to the private sector say many companies in these key industries have moved further to address physical and other security requirements than they have to deal with risks of sabotage from insiders. Only the transport system has so far been targeted by terrorists, and officials say it is possible that it is the complexity of other infrastructure industries that has protected them from attack. This would increase the value to a terrorist group of having members inside key organisations, officials say.
The Centre for the Protection of National Infrastructure, formed last year from the merger of two organisations and run as part of the domestic security service MI5, is advising companies to focus attention on the parts of their organisations where the risks for disruption are concentrated.
Officials stress that this effort is not about "profiling" people who may be viewed as higher risk, but about identifying the jobs or tasks where most vulnerability exists. "It's essential to make this job-focused, not people-focused," says one official.
Financial businesses, long worried about the risk of employees committing fraud, are ahead of other infrastructure companies in addressing this threat.
The new method of risk assessment follows criticism last year of the old method from Admiral Lord West, who was last year appointed parliamentary undersecretary of state for security and counter-terrorism. He told a conference last week that the new approach to terrorism risk assessment had been agreed.
The new assessment rates on a scale of one to five - with category five the most important - the impact of the loss of an asset on life, on the economy and on essential services. Companies are advised to deal with vulnerabilities if their assets fall into category three or above.
The old method concentrated on physical locations, called economic key points. The new one makes clear that physical sites, such as bank branches, or institutions are often less important than systems, such as financial computer networks.
The assessment will, among other things, determine how much time and energy are devoted by the CPNI to helping reduce a business's security vulnerabilities.
Officials said that they would not advertise the result of the new assessment, which is in any case a work in progress, because it amounted to a terrorist target list.
In many cases, the changed approach will not alter priorities. For example, the vulnerability of major energy distribution hubs was exposed by the 2000 fuel strike and their security remains a predominant government concern.
But in other instances the new way of assessing risk could lead to security being handled in a different way. Officials, however, say they do not want it to undermine what they describe as important work already done in these sectors. In advising companies, the CPNI is, says one official, "impact-driven, vulnerability-focused and threat--informed".
This means that work is concentrated on where sabotage would cause the highest impact and concentrates where in those companies the main vulnerabilities lie.
They have concluded that disruption to the food and health sectors - two of the nine defined as part of the critical national infrastructure - may be less damaging than previously believed, because the networks of both are highly diffuse.
Information about how the terrorist threat is evolving from intelligence agencies and elsewhere is also used, but the aim is to avoid a short-term focus on one sector and then another - say from water to energy - based on what the latest "chatter" from terrorist suspects is revealing.
Beverli Rhodes, a security consultant who is also a founder of a 7/7 victims group, said she hoped the risk assessment increased the value attached to a human life compared with economic assets.
But officials say the assessment does not assign an equivalence between the loss of life and economic destruction. Last week, Lord West said the new risk assessment also covered crowded places such as football stadiums, responsibility for which rests with the Office of Security and Counterterrorism, part of the Home Office, headed by a counterterrorism specialist, Charles Farr.
Return to News