S E C T I O N
Newsletter
About Newsletter
Editorial
IISSM News
Training Programme
Book Review
Book Reference
Responses
Article
Monthly Summary
Print Newsletter
HomeNewsletterArticle
Volume No. 6,   Issue No. 5,   October 2007

The Changing Face of Industrial Security

- Mr. R. Swaminathan, IPS (Retd.),
Former Special Secretary, DG (Security),
Government of India and President & DG, IISSM, Chennai.

The concept and practice of industrial security are as old as industry itself. It is essential that they keep pace with the technological and other developments in industry; and the changing patterns of vulnerabilities and threats. The original and basic objectives of industrial security were the prevention/detection of pilferage (mostly by dishonest workers) and sabotage (mostly by disgruntled workers). New developments and technologies in industry have created new vulnerabilities and it has become necessary for the managers and practitioners of industrial security to adapt to face such vulnerabilities and device/learn new techniques.

Economic liberalization and globalization have led to the growth of large and diversified industrial enterprises, many of them trans-national in character. Some of the very factors that contribute to the successful functioning of such Multi National Companies (MNCs) tend to become security vulnerabilities. Many MNCs include a multitude of economic and technological systems (that are like networks) for their efficient functioning. The more developed and complex the interconnected networks become, the more they have features that make their behaviour non-linear; i.e. a small shock to a critical node produces a disproportionately large disruption. MNCs also tend to disperse their manufacturing facilities in different countries, based on availability of raw materials, inexpensive real estate / power / labour etc. They try to reduce the cost of capital-intensive products by building larger production facilities. Placing expensive equipment and highly skilled people in a single location provides for easier access, more efficiency and synergies that lead to the creation of wealth. Manufacturing and storage facilities of many MNCs are likely to contain devices packed with energy, combustibles, and poisons; creating specialized vulnerabilities. The concentration of high-value and/or hazardous assets in relatively compact locations, in order to achieve economies of scale, creates extraordinary vulnerabilities that call for extraordinary efforts from those responsible for industrial security. Industrial security managers and practitioners are required to be able to advise their managements about possible steps to reduce the vulnerabilities related to complex technologies used by them. They have to learn about the possible dispersal of high-value assets, loosening the couplings in the corporate’s networks, building buffers into these networks, introducing "circuit breakers" that interrupt dangerous feedback, etc.

Though terrorism is itself not a new phenomenon, internationalized networking (often based on religious considerations) poses security threats to industrial units, based on causes that may lie far from the location of the industrial unit, e.g. real or imaginary grievances against the government and/or the prevailing disparate economic order. Sophisticated terrorists are may increasingly use non-weapon technologies for destructive ends. Technological advances in communications and information technology (IT) help them to give another meaning to the acronym WMD - Weapons of Mass Disruption, not necessarily of Mass Destruction. Security planners have to learn to pinpoint and protect the critical complex networks for producing and distributing energy, information, water, and food. Disruption of these would be most susceptible to the multiplier effect of technology-amplified emotional response. Systems handling energy and hazardous materials are easy targets for turning supposedly benign technology to destructive ends.

Specialist analysts around the world have warned that future terrorist acts may include more sophisticated forms of destruction and extortion, such as disabling or penetrating vital commercial computer systems. Sheikh Omar Bakri Muhammad, Syrian-born founder of the London-based group Jama'at Al-Muhajirun and the spokesman for Osama bin Laden's International Islamic Front for Jihad Against Jews and Crusaders, had claimed in an interview, that "I would not be surprised if tomorrow I hear of a big economic collapse because of somebody attacking the main technical systems in big companies."

"Cyber-terrorism" is often used as a blanket term covering the threat of viruses, hackers and miscellaneous security breaches, regardless of whether or not they actually originated from terrorists. Although it is theoretically possible for electronic intrusions to damage critical infrastructure, taking control of well protected systems from the outside is extremely difficult; and can be almost totally prevented through well-planned computerised and non-computerised fail-safe measures. Digital intrusions can also compromise intellectual property and sensitive research data, that can lead to long-term economic loss. They can place customer data at risk and erode confidence and trust in an enterprise and its affiliates. The number of organised hacking syndicates targeting financial and investment institutions around the world are growing at a disturbingly rapid rate. The financial industry's increasing dependence on the public telecommunications system, rapid adoption of wireless systems and outsourcing of operations to third parties pose growing security challenges. Cyber-security within an enterprise is not merely a technical problem, but should be handled as a management challenge. The scope of the risks is such that it can be effectively managed only by engaging senior corporate leadership. Preparedness plans should ensure that digital security is factored into the overall operations of the enterprise.

Business espionage, often referred to by the elegant euphemism of "competitive intelligence" probably started when the first competitor set up business. Though many companies already go to great lengths to obtain trade secrets and other business information about their competitors, it has been assessed that these efforts will intensify and be more aggressively pursued in the coming years. They may use any combination of legal, illegal, ethical, and unethical techniques. The ushering in of the digital and information age has brought about a sea change in the methods of business espionage. Many new and not-so-widely-recognised threats and points of vulnerability have been created. Some of the new threats may seem to belong to the realm of science fiction, but they are very real. What others get to know about a company can make or break the company's ability to compete effectively.

Many companies are gradually starting to recognize that fences and gates, locks and guards, cameras and alarm systems no longer provide adequate protection. Even a company that has strict standards of physical security can be devastated by attacks on its information resources. One of the basic premises of counterintelligence is that there is no such thing as coincidence. Counterintelligence programmes should be in place to recognise the indicators of business espionage operations that could adversely affect the company. It would be a grave mistake, however, to assume that the old rules of physical security no longer apply. Though all security requirements should become an integral part of every company's business strategy, managements would expect the industrial security division to be primarily responsible.

Risk is the result of vulnerabilities and threats. Vulnerability is a weakness in the system and threat is what someone can do to hurt you by exploiting vulnerability. As threats are most likely to originate from hostile elements, one may not be able to eliminate them. Total elimination of vulnerabilities may, however, require unacceptably drastic measures. The most practical countermeasure in most situations would therefore be to prioritize the vulnerabilities and to reduce the risk through them.

A listing of all the possible security threats would be enough to discourage anyone from wanting to become a manager or practitioner of industrial security. It is not realistic to expect any individual to be totally conversant with all kinds of vulnerabilities, threats and preventive measures. A successful industrial security practitioner or manager should be aware of the risks and be able to get necessary expert help to tackle them.

Go Top