Not so long ago you could hop in the car, drive to the airport, go up to the counter and purchase a ticket, check your baggage and walk out the door to board the airplane all within an hour and without anyone even asking what was in your bag let alone in your shoes or your pockets.
Times have changed. Time was when industrial plants were justifiably proud of their technology and their place in the community. They displayed signs welcoming visitors and offered guided tours to show off their capability and tout the superiority of their products.
Indeed times have changed. Now private and corporate records have become targets for hackers and the right to telephone privacy a cause for action in the courts.
The genesis of this situation lies in part in the very entity that makes modern commercial communication possible: the desk-top computer.
With the aid of the “black box” on my desk I can accomplish in minutes tasks that previously would have taken hours and often days to complete. I can transfer funds, pay my bills, make a purchase, send work to the copy center, access my medical records or submit this article, all with a click of a mouse from my desk chair.
With the addition of a few “apps” I can, from 500 miles away, see who is ringing my doorbell or, from my table in the hotel coffee shop, I can access my e-mail. From a headquarters half a continent removed a CTC Dispatcher can set a switch and change a signal to govern the movements of trains on an entire rail system or a plant operator can control the entire process of a plant from a single control board.
All of this capability comes at a price and sometimes that price is a bit steep. If I can do all these things from my lap-top or cell phone, what is to stop someone else from doing the same thing? Short answer? “Nothing, really.”
All that is needed is a computer and an operator with sufficient “savvy” to understand how the system works and there are plenty of these around.
The damage perpetrated by “cyber hacking” is not limited to the compromising of sensitive data or the loss of valuable records; it can actually become physical.
Nearly all electronic communication devices are “time sensitive.” This means that they contain a timer which receives its signal from some satellite system in outer space. With a few rudimentary hand tools and a little “know how” a perpetrator can convert a cheap throw-away cell phone into a remote controlled detonator that can be actuated by the timer or by hand from hundreds (or even thousands) of miles away.
All that is necessary is that the perpetrator dial up the number of the altered cell. When it rings, the circuit is closed and whatever device or system the altered cell phone is connected to is activated. In the case of an explosive device the cell phone goes up in the explosion, leaving nothing behind that can be used to trace the perpetrator.
The advent of the twenty-first century has seen a dramatic increase in the number of incidents of civil unrest, violence, property damage, and human casualties.
Industry has had its share of deliberate acts of violence, such as the ammonium nitrate explosion at West, Texas (an event which is now being identified as deliberately initiated), as well as a number of airliner crashes and train wrecks worldwide.
The problem is real and we must take a hard look at just what we can do to protect our industrial assets: tangible, personal and intellectual.
One of the easiest ways to protect against incursions into confidential information is not to create it. No one can steal what does not exist. Restrict information so that only that which is actually essential to the task in hand is made available. We have a tendency to try to “cover all the bases.”
If the file gets hacked all the information is there. Example: when I took my wife into an “urgent care” facility to get some blood drawn for laboratory tests all they asked for, in addition to the doctor’s order, was my name, address, etc. and my insurance card number. They drew the blood sample.
When I took my wife to the hospital for a chest X-Ray they filled out paperwork for an hour and the system brought up her entire medical history. It took much longer to print out the records than it did to make the X-Ray.
Now comes the question: did the hospital really need all that information at that time for that test? What difference did it make that my wife had an appendectomy in the 1980s? It wasn’t that we objected to the staff having the information but did they really need it?
By opening the file, the record became vulnerable to compromise had anyone wanted it. Apparently someone does want the information because as soon as my wife got home from the hospital we were deluged with solicitations from insurance companies, some of which contained phrases such as “now that you are home from the hospital.”
The point here is that information in computer systems is usually not secure unless an encryption program is in place, and even then security is not 100 percent. The medical world provides an example but it is by no means the only venue where information can be inadvertently compromised simply by being accessed.
When company operating records such as payroll, accounts payable or purchasing are accessed, many (if not most) systems in current use will open a whole page of data when only one entry (name) is needed. But, we input Doe, John and the whole page opens up and indeed the whole file may be available simply by scrolling up or down.
It is absolutely amazing just how much information about a business can be obtained simply by looking at the account books. For instance: one can determine what materials are being purchased, thus an inkling of what products are being manufactured or what areas of research are under investigation.
What kind and how much of these materials are on site, when they are delivered and where they are stored is also accessible. All this from one computer in the shipping and receiving department. So, one way to protect such data is to have the computer reconfigured so as to provide only the entry actually requested.
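As an added illustration (not part of the original article), the following Python sketch contrasts a lookup that opens “the whole page” with one that returns only the entry actually requested. The table layout, sample records and the per-department field policy are all constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for a company payroll file.
SAMPLE_ROWS = [
    ("Doe, John", "Shipping", 52000, "111-22-3333", "Acct 0001"),
    ("Doe, Jane", "Research", 78000, "222-33-4444", "Acct 0002"),
    ("Roe, Richard", "Purchasing", 61000, "333-44-5555", "Acct 0003"),
]

# Hypothetical policy: the fields each department's terminal may see.
ALLOWED_FIELDS = {
    "shipping": ("name", "department"),
    "payroll": ("name", "department", "salary", "bank_account"),
}


def build_db():
    """Create an in-memory database holding the constructed records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE payroll (name TEXT, department TEXT, "
        "salary INTEGER, ssn TEXT, bank_account TEXT)"
    )
    db.executemany("INSERT INTO payroll VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_whole_page(db, name_prefix):
    """The behaviour described above: a loose match returning every column."""
    cur = db.execute(
        "SELECT * FROM payroll WHERE name LIKE ?", (name_prefix + "%",)
    )
    return cur.fetchall()


def lookup_minimal(db, role, exact_name):
    """Return only the one requested entry, limited to the role's fields."""
    fields = ALLOWED_FIELDS.get(role)
    if fields is None:
        raise PermissionError(f"no lookup policy for role {role!r}")
    # Column names come from the fixed allow-list above, never from user input.
    columns = ", ".join(fields)
    cur = db.execute(
        f"SELECT {columns} FROM payroll WHERE name = ? LIMIT 2", (exact_name,)
    )
    rows = cur.fetchall()
    if len(rows) != 1:
        return None  # missing or ambiguous: show nothing rather than a list
    return dict(zip(fields, rows[0]))


if __name__ == "__main__":
    db = build_db()
    print("Whole page:", lookup_whole_page(db, "Doe"))
    print("Minimal:   ", lookup_minimal(db, "shipping", "Doe, John"))
```

With the second lookup, the terminal in shipping and receiving sees a name and a department and nothing else, and a partial name returns no record at all.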
Another way to protect confidential or vital information is to compartmentalize computer systems. This means that the system serving the human resources department is completely separate from the one used by inventory control. Thus, if one system should be hacked, the others would remain secure.
Passwords are another vulnerable spot in computer systems. All too often a shrewd guess will allow a hacker access to a targeted computer or computer system. To be most effective, a password should not be associated with anything concerning the operator or the company such as birthdays, addresses or “mother’s maiden name.”
To accomplish this, there is on the market a small program that will generate strings of totally random letters and/or numbers that can be used as passwords. These should be changed frequently and on a random basis so that even if one was secured by a person with nefarious intent it would work for only a short time.
The number of personnel having possession of a password should be limited to those who really “need to know.” The legitimate authorized computer user needs to know the password and there should be a non-electronic copy of it somewhere, in the administration’s safe deposit box for example, so that the files can be opened in case of an emergency such as the regular user being unavailable or incapacitated.
Finally, know your personnel. Know who you are dealing with for your CT work. Use the same technician each time or, in the event that another one must be used, vet him/her with the company. Observe the tech at work, particularly a new or different one, in order to prevent him from adding an unauthorized device (such as a camera or microphone) to enable eavesdropping at a later date.
Employees using computers that contain sensitive data or control systems should be well vetted and checked out regularly. Avoid using a disgruntled employee. He or she may seize the opportunity to get even for wrongs, real or imagined.
Keep communication lines open. Be a good listener and have an occasional cup of coffee with employees just to gauge their general attitude. If there is a problem, address it. An ounce of prevention is worth a pound of cure, especially among employees who have access to sensitive data.
Instill in employees a sense of ownership in the company and thereby motivate them to be protective of it. After all, if something happens to the company their jobs and the family income go down with it. Encourage them to be vigilant and to report anything out of the ordinary: “If you see something, say something.”
Make employees aware of the various scams operating under the guise of protecting your network. It is now, unfortunately, fairly common to have a computer screen suddenly flash up a message purporting to come from Microsoft, Yahoo, Google or some other computer company saying that your computer is sending out a signal that it has been infected with some sort of virus and that it is transmitting data such as your credit card numbers etc. to a third party.
The message goes on to say that if you will call the number on your screen, their engineers will be happy to “walk you through the process” to fix the problem. THIS IS A SCAM, intended to capture your credit card number or other information! DO NOT RESPOND to these notices, but do report the incident to your CT department.
Now, at this point the reader might well wonder why this discussion of communication systems appears in a publication devoted to industrial fire protection, hazardous materials and emergency response. The answer is simple; planning.
Those who would do us harm are firm believers in the principle of P5 (Prior Planning Prevents Poor Performance). Industrial accidents occur spontaneously as a result of failure (mechanical, human or coincidental). But incursions happen as a result of planning and preparation. If we can interdict this “Prior Planning” we can prevent, or at least mitigate, the incursive incident and its consequences.
Unfortunately there is far too much evidence that things that should have been seen as a “red flag” were unnoticed or ignored thus allowing the incident to occur. The policy should be “if you see something say something.” A lot of false alarms can occur but the consequences of being wrong just one time can be monumental.
There are several reasons for an industrial incursion.
To put a facility out of action. This is an incident deliberately planned to do as much damage to a facility as possible. It might be a case of arson, or sabotage of equipment or damage to real property; anything to put the facility out of action.
It might be caused by an unscrupulous competitor, as the result of a labor dispute or a desire to make a statement by disrupting production.
To obtain something required for another nefarious undertaking. These incursions are usually stealthy in nature. This might be something like the theft of a few hundred pounds of ammonium nitrate from a fertilizer plant for use in bomb making. The shortage might be made up with sugar to mask the theft.
The theft of small quantities of agricultural anhydrous ammonia from field tanks for use in the manufacture of synthetic drugs is another commonly encountered incursion.
In these cases, the perpetrator will make every effort to cover his tracks; possibly so that he can return and obtain more materials. His goal is not to damage the facility he is penetrating but merely to obtain what he needs without arousing suspicion or notice.
To engender or spread terror. The term terror by definition means fear. The object of this type of incursion is to frighten or intimidate a person or group of persons (population) so that their course of action is manipulated. This is probably the most insidious form of terrorism because its victims are innocent bystanders.
Take the incident at West, Texas, for example. The plant was damaged to be sure but that could be made good. What could not be so easily repaired was the psychological damage to those who lived in fairly close proximity to the plant and who suffered the loss of their tangible property.
One of the problems with industrial installations is that they all too often initiate unwanted growth. A company builds a plant “way out in the country” so as not to disturb the residents with noise, odors, truck traffic etc. What happens?
Access is needed for the plant to operate; so, we build a paved road into it. We need electricity to operate along with water, gas and sewer service; so, we install those services.
Now comes a prospective home owner who might well be an employee of the company. He sees the nice rural setting with all the amenities and it is close to his workplace. He sees a perfect site for his dream home.
Repeat this a hundred times or so and our isolated factory site becomes downtown. In the event of an accident or incursion we have what the military calls “collateral damage” along with lawsuits by the dozens. Bhopal, India is, of course, the prime example of this.
Any facility can be a prime target for a terroristic incursion. We need to look at what we can do to thwart such an event.
Again, at the risk of sounding redundant, “if you see something, say something.” Condition your employees to notice anything out of the ordinary and report it immediately. Familiarity breeds contempt. Many of the safeguards that are built into our systems are too often ignored because they work so well.
For example, seals on rail cars and truck trailers are numbered but how many of us have actually checked to see if the number on the seal we break is the same as the one recorded as being put on the shipment at the point of origin?
If the numbers don’t match up then it is entirely possible that an unauthorized entry has been made, and the shipment should be removed to a remote area and then checked carefully. Yes, it takes time, but how much time will it take to correct the consequences if there is something amiss?
Know the people who make deliveries to your facilities. It doesn’t hurt to take a moment to exchange pleasantries. A number of years ago an alert officer at the Mexican border in south Texas initiated the break up of a large drug smuggling operation by simply noticing a departure from the usual routine of things.
In that case, trucks belonging to a local LPG dealer regularly made trips across the border to deliver propane. The truck and driver normally assigned to this operation became familiar to the border officer and they would exchange a few pleasantries as they completed the formalities of the border crossing.
One day a truck painted to match the rest of the fleet approached the crossing; everything seemed to be in order but the officer still had a feeling that something was not right. As the truck pulled away he realized that two things were not as they should be. The operator was not the regular driver and the truck, while bearing the same number as the one usually assigned to that route, was of a different make and model.
The officer picked up the phone and called the LPG dealer and learned that there was no run on that route and that the truck was sitting in the dealer’s yard. So the next call was to law enforcement who promptly intercepted the bogus truck and contacted the LPG division of the Texas Railroad Commission.
It turned out that the truck was indeed a fake and the tank was fitted with a four inch blind pipe that extended from the washout plug to the top of the tank and contained a shipment of drugs worth a considerable amount of money (at the time).
Additional work by law enforcement resulted in the eventual shut down of one of the largest drug smuggling operations in south Texas at that time. All because a border agent who was familiar with the traffic saw something and said (did) something.
Employees should be alert to the questions asked by visitors. How much is stored here? Is this that bad stuff that blows up? Any undue interest in alarm systems or security arrangements should also be noted and subsequently reported.
Areas such as warehouses that contain material that could be made to serve a nefarious purpose can and should be monitored by remote camera systems. If the public knows (or thinks) that a camera system is operational anyone bent on mischief may give it a second thought. If something does happen, the identity of the perpetrator or the evidence needed to defend against a lawsuit is right there on the videotape.
Condition employees to note problems with equipment. If a worker notices a small leak he should report it right away and not just kick some sand over it before going on his way. It shouldn’t be necessary to say this but it is surprising how many employees will walk right by a simulated leak and do nothing.
They might tell you that they didn’t notice it but if so, they need to be trained to look for such things.
A person intent upon obtaining something, material or data, would be most happy to simply slip into the facility, pick up whatever it is that he is after and leave without alerting anyone. On the other hand, if his objective is to do damage to the installation, then he will most likely have to bring something into the area.
This may be something as large as a bundle of explosives or as small as a dynamite cap. It may seem to be an innocuous article such as a cell phone or a lap top but remember that “looks can be deceiving.”
In order to carry out a nefarious act against a facility a perpetrator must get something inside the facility, either himself or some sort of package. Employees and staff members should be observant and report any suspicious objects to the appropriate authority.
There must be a training component in the facility security protocol. Just who is the “appropriate authority?” Is it plant security, the local police department, the county sheriff, or the military? This will vary with the facility but personnel need to know just who is the first responder and how that party should be contacted.
Suspicious packages (those that do not belong where they are located) may be examined visually but DO NOT touch them; call 911 or a bomb disposal agency as set forth in company procedures. Personal safety is the primary consideration at this point.
Look for unscheduled or unexpected deliveries or pickups. These have been used as a ruse to allow an operative to gain access to a targeted facility. “When in doubt, check it out.”
Threats, written, via telephone or internet should always be taken seriously. Upon receipt of a threatening letter, stop handling the document immediately. Simply allow it to drop onto a desk or table and cover it with another sheet of paper.
This is to preserve any latent fingerprints or other evidence that may be on the document and, in the event that the letter has been used to carry some deleterious substance, will help to limit the amount of exposure of the material and the size of the contaminated area.
In the event that a letter contains a substance, such as a powder or stain from a liquid, avoid breathing any dust or particulates and avoid any direct skin contact with the substance. Cautiously wash any skin area that might be contaminated with a disinfectant and report this to the responding personnel.
If a “bomb threat” is received via telephone the person answering the call should try to get the caller to repeat as much of the information as possible. Meanwhile get a second person on the line or (even better) record the call if possible.
At least document the information and try to record exactly what the caller said. Try to determine where the call originated. “Caller ID” will be a great help with this. Listen for background noise; the sound of a train or a busy highway may give a clue to the point of origin.
Also determine what the caller wants in return for not detonating the bomb. Keep the caller on the line and talking as long as possible. This is particularly true in the event that an attempt is being made to trace the call. While the bomber is on the line, another employee should notify the authorities and begin evacuation from the building if this is warranted.
Don’t take chances; it is better to evacuate when you don’t need to than to fail to evacuate when you should have.
As can be noted from the foregoing, “Time Was...” when plant security was mainly concerned with keeping outsiders away from dangerous and/or sensitive installations and preventing petty theft of company property. Now it has become a major factor in plant operations and employee safety.
All personnel connected with a company or a facility are impacted by the need to keep the installation free from intrusion and safe for employees. The accomplishment of this goal requires three things.
Commitment by each and every employee: taking “ownership” of the welfare of the installation and realizing that “the job that you are protecting is your own.”
Training. It is not enough to be committed and to be vigilant. Personnel must know what to do with the information they have and how to respond to an incident. Procedural protocols must be formalized and distributed to the plant personnel, and these people must be trained in the implementation of these protocols and in the circumstances under which this should be done.
Each and every employee must be trained to adequately respond to any type of incident involving plant security according to the protocols in place and updated each time there is a change in conditions or circumstances. If something happens we need to know how to handle the situation and we need to know now.
This is not the time to look it up in the manual. Who do we call? What is the phone number? How do we turn in the alarm? Where do we go in case of an evacuation? Is there a shutdown protocol that must be followed?
All these are important and all are subject to change, so update, and do it as soon as possible after the change is initiated. Don’t wait for the next quarterly safety meeting.
Again, “if you see something, say something.” We will never know just how many breaches of plant security have been thwarted by being noted by a vigilant employee.
While an exact value of the damage that has been prevented and the number of injuries that might have been sustained cannot, of course, be calculated, even one instance makes it worth the effort.
Security, like safety, is everybody’s job and commitment, vigilance, and training (the “Holy Trinity” of plant security) will make sure that jobs saved today will be available tomorrow.