Countering threats

Posted: 6 December 2006 | Udi Bechor, Managing Director of I-SEC Homeland Security B.V.

Udi Bechor, Managing Director of I-SEC Homeland Security B.V., a provider of security solutions to public transportation and mass transit operators, shares his vision of upgrading the level of security by conducting organisation-wide risk assessments and designing comprehensive security concepts and cost-effective systems on their basis, with an emphasis placed on deterrence and prevention.

Background

In recent years, the threats faced by public transportation and mass transit systems have sharply increased. Following the terror attacks of 9/11, newly issued regulatory requirements and additional aviation security measures have made attacks on aircraft much more difficult to perpetrate. In their search for new targets, terrorists have identified public transportation as an attractive choice, for the following main reasons:

  • Attacks on public transportation systems hold the promise of:
    • Being high profile
    • Inflicting a large number of casualties
    • Causing extensive damage
    • Disrupting the public’s daily life
    • Instilling panic
    • Gaining widespread media coverage.
  • Public transportation systems are a soft target, which can be attacked with relative ease.

Terror attacks resulting in hundreds of fatalities and thousands of injured passengers, such as those perpetrated against the Moscow subway in February 2004, the Madrid commuter train bombings the following month, the London public transport system in July 2005, the Mumbai train bombing one year later, and finally – the attempted bombing of two German trains in the same month, which did not succeed only due to technical failure – have proven that the terrorists’ analysis of the vulnerability of public transportation was precise.

These new, continuously increasing terror threats join existing security concerns that the public transportation industry has been trying to deal with for many years: vandalism and criminal activity directed against mass transit workers and passengers, facilities, vehicles and infrastructure. Several such attacks have been carried out in Europe in recent months, resulting in the death and injury of both public transportation personnel and passengers, and are a cause of concern to mass transit operators and the travelling public alike.

I-SEC Homeland Security’s security concept places major emphasis on preventing hostile incidents (whether criminal acts, vandalism or terror attacks) and deterring potential adversaries. In the event that a security incident does occur, the company’s concept calls for an effective initial response by the organisation itself until the arrival of the emergency forces. Measures directed at achieving the above goals – deterrence, prevention and appropriate initial response – are much more cost beneficial than only dealing with the consequences of an incident that has unfolded and focusing on recovery, for several reasons:

  • The direct implementation costs are usually much lower than the recovery costs from even relatively small-scale attacks
  • Heavy indirect costs resulting from disruption or complete stoppage of operations are avoided
  • Passengers’ confidence in the safety of the public transportation system is not only maintained, but often enhanced
  • Mass transit workers are ensured a safer working environment
  • And most importantly: lives are saved.

Attempting to deal with the surge of violence, transportation organisations often rely on the installation of security means; however, as these are usually fitted independently and not as components of a comprehensive, integrated security system, they cannot serve as a truly effective deterrence and prevention tool; and their contribution to an effective initial response is marginal at best. Such means usually include technological systems that are far more useful for post-incident investigation purposes than for prevention. Furthermore, there is a basic lack of understanding regarding which technological systems hold the potential of significantly contributing to security enhancement, and which are for the most part ineffectual in public transportation systems. Technological systems alone, and not as part of a broader design, do not only instil a false sense of confidence that security has indeed been substantially enhanced, but in many cases prove to be costly partial measures.

The public transportation industry presently finds itself in the same predicament as the aviation industry in the past, when terrorists started targeting airlines. No comprehensive security concepts for public transportation systems have been developed yet; therefore the private and public organisations that operate mass transit systems lack guidance on how to effectively deal with the new threats.

Terror threats, unfortunately, not only exist, but are continuously increasing, as past ‘successes’ only fuel the terrorists’ ambitions and encourage them. It is imperative that this issue be addressed in an in-depth manner, and with great urgency. Action is required by both mass transit operators and regulators, to whom the industry is turning for guidelines and assistance. The question is – where to begin? How do we develop security solutions that focus resources on preventive measures, reducing the probability of occurrence of security incidents, and mitigating their effects if they do take place, instead of only dealing with their aftermath?

Based on I-SEC Homeland Security’s expertise and past experience, and that of its Director of Public Transportation Security, Mr. Chanan Graf, who formerly served as the Chief Security Officer of Israel Railways for a period of ten years, a public transportation organisation’s level of preparedness can be elevated, and the criminal, vandalism and terror risks it faces reduced, by properly exploiting its existing means and measures and upgrading them as necessary:

  • Know-how:
    • Security awareness training for security staff and frontline employees, to improve the organisation’s detection capabilities; training for security manpower at all levels and positions; and periodic refresher training
    • Exercises and drills
    • Development of customised procedures for routine conditions and a wide range of emergency scenarios.
  • Assimilation of systems based on innovative security technologies developed to enhance prevention (anti intrusion, video content analysis, etc.), and their integration into one all-inclusive organisational security system, managed from a command and control room.

All the above must be based on a comprehensive security concept in order to provide optimal results.

In order to develop a cost-effective security concept, the threats must be studied in detail, and the potential adversaries and their preferred modi operandi carefully analysed. Subsequently, when developing a comprehensive security solution, the particular characteristics of each specific organisation must be examined, including its sites, facilities and infrastructure – and then assessed in relation to the potential threats. Only by identifying the specific risks and grading them from high to low, can a truly cost-effective security solution be developed – one that meets each organisation’s specific needs and ensures the best value for resources invested. This essential component in the development of a cost-effective security solution is called a risk assessment.

What is a risk assessment?

A risk assessment is a qualitative and/or quantitative determination of the likelihood of a hostile incident occurring (whether originating in criminal activity, vandalism or terrorism), its probability of success – taking into account the target organisation’s vulnerabilities and existing security means and measures, and the potential impact of its consequences. Its product is a detailed report recommending steps to be taken in the short, medium and long term in order to minimise risks and manage them on the basis of a comprehensive work plan and risk management policy. The quantification of the casualty and damage potential carried out within the framework of the risk assessment serves as valuable input for decision makers, who are called upon to determine how to wisely invest their organisation’s resources in order to maximise benefits. The report also details alternative solutions, each presented with its own contribution to the mitigation of casualties, physical damage and disruption of services.

The risk assessment process

The risk assessment is a highly structured process comprising a number of essential phases, which produces a ranking of the relevant potential risks the client is vulnerable to, including cases where two or more risks interact.

Step 1: Site survey of critical assets and sites

A site survey is carried out for the purpose of collecting detailed information concerning each organisation’s particular assets: sites, facilities, infrastructure and operational characteristics. This is done through observation of operational activity, interviews with various members of management and operational staff, etc.

Step 2: Threat evaluation

The collection and analysis of information concerning the types of threats the public transportation organisation may face, relevant hostile elements’ methods of operation, preferred types of attacks, weapons used, etc. Information on past incidents in the client’s country, threats and/or attacks made against comparable organisations, developing and anticipated trends and more is also collected. The relevant threats then form a basis for the selection of potential attack scenarios, which are examined in detail later on in relation to the organisation’s physical and operational characteristics.

Step 3: Vulnerability assessment

The purpose of the vulnerability assessment is to identify the extent to which each asset’s inherent state, condition or deficiency may be exploited to inflict casualties and damage, in relation to countermeasures that have been or may be deployed. Simply put, it is an evaluation of the adversary’s chances of carrying out an attack based on identified vulnerabilities in systems, procedures, exercises, routine operations, personnel and interfaces.

Step 4: Evaluation of the potential consequences of attacks at specific sites and facilities

The operational, functional and financial consequences associated with the loss of functionality of each particular asset are assessed. The criticality of the asset vis-à-vis the entire system plays a major role in this determination.

Step 5: Risk quantification

This stage of the risk assessment involves a quantitative determination of the likelihood of a hostile incident occurring and of its probability of success, and the severity or impact of its consequences on the organisation’s direct assets, public and private assets, operations and indirect effects on the community at large. Security consultants have developed formulas and highly structured models for calculating risk quantification, taking into account all influencing factors.

Figure 1 was taken from a risk assessment performed by I-SEC Homeland Security B.V. for a major European mass transit company operating metro trains, trams and buses. It presents the quantification of the potential damage caused to various assets in each of a variety of attack scenarios, based on the outcome of Step 2. These include casualties with various levels of injury; assets (the mass transit operator’s, private and public assets); and disruption of transportation services (taking into account recovery time).

Step 6: Examination of risk reduction measures and their feasibility

The subsequent step in the risk assessment process is the examination of the effect of various risk reduction measures and the feasibility of their implementation at each of the organisation’s sites.

Figure 2 was also taken from a risk assessment performed by I-SEC Homeland Security B.V. for a major European mass transit company operating metro trains, trams and buses. It demonstrates the effect of the implementation of ‘packages’ of security means and measures at varying degrees of sophistication (indicated as levels 0 to 3), on the consequences of a variety of attack scenarios (suicide bomber, car bomb, IED, etc.). As evidenced by the diagram, the effect of these means and measures on the level of security is extremely significant. The implementation of even the basic package, comprising training for security staff and frontline employees; random checks of vehicles and people; increasing the security awareness of the travelling public; and the assimilation of customised security procedures for routine conditions and emergencies – drastically reduces both the probability of attack and its potential consequences.

Step 7: Cost-benefit analysis

The purpose of the cost-benefit analysis is to enable the construction of an organisational action plan, taking into account budgetary and other constraints, and determine where and in which time frames various countermeasures will be implemented to achieve maximal effectiveness.

Step 8: Development of an Organisational Action Plan

Preparation of an organisational risk management action plan for the short, medium and long term, through which the organisation may define objectives and goals and determine a road map for the assimilation of an operational concept, security plan, procedures, manpower, technological means, supervision and control. The quantification of the potential consequences of each type of attack at each site on the one hand; and the contribution of relatively limited or broader ‘security packages’ on the level of security – on the other hand, allows the organisation’s management to become actively involved in the decision making process determining which means and measures to implement.

The importance of risk assessment

The exceptional importance of risk assessment is that it comprises an essential operative tool. It enables security experts to design a solution tailored to meet the client’s specific security needs, and invest resources in the most cost-effective manner, addressing the most severe and probable threats as a first priority, and devoting lesser means to risks that are ranked lower on the scale. Implementing individual measures in a haphazard and non-integrated manner, as is often done today by many organisations attempting to protect themselves and gain the confidence of the public they serve, does not result in any significant improvement in the level of security, and therefore, to a large extent, is a misuse of precious resources.

Maximising the benefits of the risk assessment

Based on I-SEC Homeland Security’s experience, an organisation may maximise the benefits of the risk assessment process by following the basic principles presented below:

  • By selecting a security consultancy expert that is capable of both conducting the risk analysis and assisting in the implementation of its recommendations, and of continuing to provide long-term professional support if required, the organisation may benefit to the fullest from the risk assessment
  • The chosen security expert must also be knowledgeable and experienced in performing risk assessments in public transportation and mass transit systems and developing appropriate solutions, as these systems are singular in nature: they are open, dynamic systems, which must be accessible to a large volume of passengers per day; with distinctive assets – stations, vehicles, operational systems, infrastructure, etc. Additionally, the continued operation of the public transportation system must be maintained and profitability preserved despite the implementation of additional security means and measures, with minimal inconvenience to passengers
  • The expert should have broad hands-on operational experience and be familiar with the relevant threats
  • Finally, the risk assessment must attain these goals taking into account economic and organisational considerations. Efforts must be made to utilise existing means and measures (technological systems, personnel, etc.), upgrade and integrate them into the overall, customised security system designed for each organisation.

To summarise, the public transportation industry is currently facing threats of an unprecedented magnitude. Up till now, it has handled these threats post factum, instead of taking a preventive approach and placing emphasis on minimising the consequences of attacks through an effective initial response of the organisation. Other sectors, such as the civil aviation industry, have been in a similar position in the past and have undergone the same process. Certain countries, bodies, consulting firms and security experts have accumulated know-how and operational experience in dealing with transportation security issues. By benefiting from their expertise, public transportation organisations may enhance their level of security as quickly and cost-effectively as possible. Terror attacks and other types of hostile activity cannot be entirely prevented; however, their probability of occurrence, their chances of success and their consequences for the organisation can be mitigated. The importance of deterrence and prevention measures and an effective initial response, based on a security concept that has been developed on the basis of a comprehensive risk assessment, cannot be overestimated.

[Figure 1]

[Figure 2]
