Introduction
Good morning ladies and gentlemen. I must admit that I am rather in awe of my audience whilst making this address today. What can I say that may be of interest to such a large bunch of predominantly security professionals?
The tragic events of 9/11 in the United States, and the subsequent attacks in Bali, Madrid and Jakarta have certainly focussed the attention of the world on the issue of national security, and the threat posed by terrorism to our way of life. They have been a brutal wake-up call to us all, and a salutary reminder to those of us in business that security is an important business issue. However, business is also reminded of this by other major threats to business continuity such as the recent outbreak of SARS and the myriad viruses, worms and hackers that threaten our IT systems. In my address to you today, I would like to outline what I think business can, and should, do to address the issue of safeguarding Australia’s assets under our control. Collectively, those assets are vital to the Australian economy, and the economy needs business to continue to perform to enable further growth of the national GDP and provide Australians with an increased standard of living. However, it is no secret that terrorists want to strike as deeply as they can at the economies of nations like Australia – making it incumbent on us to protect our businesses for the good of our nation. But it is not just terrorist threats that can disrupt our businesses, and by extension the economy at large. Regardless of national terrorist threats, security over our businesses is just good business sense. We must remember that business can be threatened by apparently minor threats as well. For example, IT security is an absolute must in the days of prolific viruses and would-be hackers. Within Shell, we have a sophisticated firewall in place that, each year, stops viruses attacking thousands of individual computers. Any one of these viruses could do untold damage to our computer systems, and to our global business. During my address, I will use my own company, Shell, as a case study of the role business should play in combating security threats in Australia.
We have a four-tiered strategy:
· Minimise the threat to people and facilities;
· Minimise the vulnerability of people and facilities;
· Minimise the potential damage to people and facilities; and finally
· Maximise the speed at which we can recover from any breach of security.
As I said, there is much that business can and should do to protect people and assets. However, there are various actions which are necessary or desirable which only a Government can take. I will outline the crucial role the Government must play in any security strategy, and importantly, why and how business and Government must work together.
Definition of Risk
I thought it would be useful if I gave you an outline of how we in Shell approach the management of security at all our facilities around the globe, before outlining some of the particular measures we have taken here in Australia to guard against security risks.
All of our operations are governed by the Shell Global Security Standard. This Standard has three objectives:
· Creating a secure business environment;
· Minimising economic losses and business disruption; and
· Safeguarding Shell’s integrity and reputation.
The Standard governs the protection of personnel, property, information and reputation against security threats to Shell Companies worldwide. The Standard makes it clear that implementation of the security policy is the responsibility of line management, supported by a professional security organisation – whether in-house or, in some smaller operations, contracted out.
Our security policy uses the well-known definition of Risk as being equal to Threat plus Vulnerability plus Impact. First of all, our business units identify the threats to which they may be subject. These are defined broadly – from high-level violence at one end to low-level petty theft at the other. Threats may include terrorism, sabotage, criminal extortion, espionage, robbery, theft, fraud, criminal damage, drug abuse, civil disorder and “Direct Action” protest group activity. Threats do not have to have a physical element to them – the threat of a breach of your IT security can be just as damaging as a breach of the perimeter fence at a refinery. Once the threats have been identified, businesses must assess their vulnerability to those threats. That will include an assessment of the physical situation of our sites, or the accessibility of our information technology, and the possible methods of attack that could be used. Lastly, management determines the impact that any security breach would have on the country or on Shell global activities. Locations and facilities are categorised as:
· Locations fundamental to national and company interests;
· Locations critical to company interests;
· Locations of importance to company interests; and
· Other locations.
Once this prioritisation has taken place, security plans are put in place that are appropriate for the level of risk – that is, for the criticality of the location and the perceived level of threat and vulnerability. These plans should cover physical security and site security procedures. The requirements will also differ for different types of installations – for example, our policy specifies different levels and types of security measures for onshore and offshore installations, for helicopters servicing offshore platforms, for onshore marine depots and for pipelines. The security plans for each facility are tested against the ALARP principle – that is, they seek to reduce the risk of a breach of security to a level As Low As Reasonably Practicable. There must be a recognition that you cannot eliminate all risk to your facilities and people – but we have a duty to our employees and society at large to make sure that this risk is as low as reasonably practicable. Successful businesses are good risk managers. The key message is that security risks should be managed in the same way as other business risks. The challenge is for us to recognise all possible risks, identify ways of eliminating or minimising the risk and build those into our risk management systems, and then continue to run our businesses safely and effectively.
What Business Should Do: Minimise the Threat
You will recall that I referred to our four-tier approach to what business should do in managing security risks to their people and facilities. I like to use the analogy of your own house and how to reduce the risk of your being burgled. You cannot entirely eliminate the risk that your house will be burgled – the determined burglar will get into any house. All you can seek to do is make it as hard as possible for them to get in, in the hope that they will move on to a softer target or be dissuaded from the idea altogether. I will use this analogy to illustrate each element of our four-step approach.
First: minimise the threat. Unfortunately, burglars will always be out there. However, you can reduce the threat they pose to your house, and those of your neighbours, by creating an unwelcome climate for burglars. This would include reporting suspicious behaviour to the police, setting up and prominently advertising a local Neighbourhood Watch scheme and making sure that your house doesn’t look unlived-in. Ultimately, minimising the threat is all about information sharing, and making it look like you are attuned to the possibility of a burglary. The same theory should be applied to a business context. Business has an obligation to make life as difficult as possible for would-be intruders. It’s all about intelligence – making sure that your people and the authorities are as well informed as possible about potential threats, and that potential security threats have as little information about your business and facilities as possible. Limiting the intelligence to which would-be terrorists or attackers have access not only reduces the likelihood of an attack, but can also reduce the damage an attack can cause. This means strictly controlling access to your facilities, and your files, on a ‘need to know’ basis only. It means keeping plans and blueprints of your plant and equipment under lock and key. It means encouraging your staff to report suspicious behaviour, whether by a stranger or a colleague. It means having an open line of communication between your business and the police. To give you some specific examples from my own company: Shell has a strict Information Security Classification Standard which applies to all forms of information and data. The Standard requires all information to be classified as one of Unclassified, Restricted, Confidential or Most Confidential. Once information has been classified, the Standard requires our employees to protect the information with a level of security appropriate to its sensitivity.
In terms of physical security, we encourage employees, if they see an unfamiliar face in the office unaccompanied by a staff member, to stop and ask them who they are and who they are here to see. If the visitor does not give a satisfactory answer, security is to be called immediately. These are just two examples of what business can and should do to reduce the threat of a security breach.
What Business Should Do: Minimise the Vulnerability
The second element of what business should do is to minimise the vulnerability of its facilities and people to any attack. This is akin to installing strong door and window locks, and possibly a burglar alarm, at your own house. You have to assess where it is most likely a burglar could gain access to your property, and make sure that you strengthen your defences against that access. The same sorts of precautions can be taken in a business context. You must assess the likely access points for any security threat – whether that be physical or virtual access. It makes sense to keep gates and doors locked or to control access by means of something as simple as a key or as complex as an electronic security system with individual swipe cards.
In these days, when we are so reliant on computers, IT security is absolutely vital. From a virtual perspective, it means ensuring that company information held on computers is only accessible to authorised people. We are all familiar with the use of computer passwords. In Shell, we have taken this a step further by requiring our employees to present both a ‘smart card’ and the right PIN before they get access to the company data.
Any plan for minimising vulnerability must also include plans for what to do if the threat level increases. Just as home owners who live in known crime hotspots take extra precautions, so business should increase security in times of increased threat. You will no doubt all be familiar with the Australian Government’s four threat levels: Low, Medium, High and Extreme. Under the existing Australian anti-terrorist provisions, businesses are required to ensure that their site security arrangements are able to increase as the level of threat escalates. In any event, we think that this is just good business – as evidenced by the fact that Shell’s global security standard requires exactly the same thing. What does this mean in practice? Again, I will use the example of our Clyde Refinery. The Refinery, like all of our facilities, maintains site-specific security instructions and procedures, and staff are given security awareness training to assist site security. The Refinery has a variety of conventional physical protection measures, such as gates, fences, locks, road barriers and security lighting. These measures are backed up by electronic intruder detection and surveillance equipment such as electronic access control systems, surveillance cameras and movement detectors. Larger sites, like the Refinery, also maintain a 24-hour guard presence to control security and emergency response. As the perceived threat level rises, for example from Medium to High, we would continue to use all those same security measures, but some of them would intensify – much like a home owner might install additional door locks, or ensure that their burglar alarm is monitored 24 hours a day. For example, we would increase the number of guards and patrols around the site, increase security lighting, restrict access to the site for visitors and vehicles, increase the level of search of people, vehicles and cargo and restrict access to the critical areas of the site. 
Importantly, as the level of perceived threat changes, either up or down, we confirm our communications links with the local police and emergency response organisations. Should a security breach occur, we want to be 100% confident that we can call on aid from the relevant authorities as quickly as possible.
What Business Should Do: Minimise the Damage if Security is Penetrated
Unfortunately, as I said before, no home is burglar proof, and no business can be immune against all security threats. What we must do is ensure that any damage to our people and property is minimised as far as possible. This requires us to have a good evacuation plan in place to ensure that our people are kept safe in the event of a threat. This should be activated as soon as practicable. For example, our refineries have a system of minor and major alarms, which ring when any important part of the refinery does not work as it should. Whilst these alarms are there to warn us of operational failures as well, they are a critical early warning system in the event of a security breach. Our staff routinely practise emergency evacuation drills, so we can be confident that everyone knows where the safe evacuation place is in response to any alarm sounding.
In terms of protecting property, you will appreciate that our industry needs to have in place mechanisms that can enable us to isolate potentially very dangerous flammable gases and liquids very quickly. Again, these mechanisms will operate to protect us in the case of operational failure as well as a security breach. For example, at the Clyde Refinery, if a fire were to occur in a bulk fuel tank farm, whether from lightning strike or terrorist action, the fire fighting arrangements will contain the fire to the affected area, and prevent it from spreading to adjoining tanks while the fire-fighters deal with the fire in the original tank. Our refineries are designed so that individual parts of the facility can be shut down in isolation – so that the whole plant does not have to cease operation. However, of course, should complete cessation be required, that can be done. Similarly, oil tankers are designed to minimise the risk of fire and explosion, and to contain the damage should anything happen. In the upstream, our offshore oil and gas platforms have shut-off valves below seabed or ground level that are triggered in the event of anything untoward happening. Not only does this ensure the safety of people, it also avoids any potential oil spills.
From an IT perspective, a plan to minimise the damage is crucial – as anyone who has ever had their computer crash on them is only too aware! We run constant back-ups of our critical data, and encourage our people to do the same of any data that they need that sits on their hard drive. We also require different passwords to access different parts of the database – so that even if an intruder does gain access to some parts of the network, it is not all available to them. Again, this is just good business practice – but one that becomes crucial in the event of a security breach. Another good idea is to use offsite storage for the back-up tapes, just in case something happens to your office or facility.
What Business Should Do: Maximise the Speed of Recovery
The final step in our four-point plan is to maximise the speed of recovery after any security breach. At home, this is akin to keeping a record of your valuable possessions, for example, by making sure that you have a photo or other evidence of ownership. This all makes it much easier to replace any items that are stolen – it certainly makes the whole insurance claims process a whole lot easier.
In a business context, maximising the speed of recovery depends on having and executing a good recovery plan. In the early days, this means getting your people back to work as soon as it is safe to do so, and returning your plant and equipment to normal operations. Our Clyde Refinery has a well-established recovery plan, including an outline of what order facilities should be re-established in the event of partial or full shut-down. In the longer term, it means replacing any equipment damaged, destroyed or stolen, whether through insurance or otherwise.
I would like to make the point here that having a good recovery plan is just good business sense anyway – and it shouldn’t take the threat of a security breach to prompt us to prepare such a plan. We can’t rely on government help to get us back on our feet in the event of a crisis. In reality, very few of us would be in control of facilities on the national critical infrastructure list – facilities which, if they were to be out of operation for a time, would have a deep impact on the economy of the nation, and which therefore might attract the attention and assistance of the Government to get them back up and running as soon as possible. However, whilst our facilities might not be crucial on a national scale, they are crucial to the success of our business. Therefore, it is in our interests to ensure that the refinery gets back to normal as quickly as possible – hence the importance of a good recovery plan.
What Business Can’t Do but Government Must Do
I have given you many examples of what business can and should do to protect itself against the occurrence and consequences of a security breach. However, there is a sharp line between what business can do to protect itself against attack, and what it must rely on the Government to do. By and large, this comes down to a matter of jurisdiction, over space and liberty. For example, business cannot control access to the land around its facilities which it does not own or control. We cannot control who uses the sea and waterways around our facilities – such as the Harbour just in front of our Gore Bay terminal. And we can’t control access to the air space above our Refinery or our offshore oil and gas platforms. It has been reported that the US Government has said that they have given orders to the military forces to shoot down any plane that strays from its flight path.
Even in the event that a business saw a plane headed straight for its building, in the same way that occurred on September 11, there is no action that the business itself could take to prevent damage occurring. Similarly, we cannot arrest people for suspicious behaviour. These are all areas that are – properly – reserved for the relevant authorities. At Shell, we rely on the Government for the following:
· Early warning of likely activities against our facilities and people – with early warning, we can be prepared; without it, we may be vulnerable. This requires the Government to share their security intelligence with us, and for us to tell them about any information of which we become aware. Security intelligence is a bit like a jigsaw – you can never tell which piece will reveal the whole picture. The Government must be in charge of assembling the picture, but we can all contribute our piece. And once the picture is revealed, it is incumbent on the Government to tell us what it shows, and to advise action accordingly.
· Protection in the event of armed threat – businesses have little or no capability to deal with armed terrorist attacks or the like, and Government must step in to deal with those situations.
· Control over the approaches to our facilities – as I outlined above, business cannot control space outside its boundaries, from which the security threat is likely to approach. Government must assist, when necessary, in controlling these spaces, for example with roadside checkpoints and waterborne patrols capable of preventing the approach of high-speed vehicles during cargo transfer operations at the Gore Bay Terminal. One regular example of co-operation between Shell and the local police in relation to control over access happens every New Year’s Eve here in Sydney, when the Police Regional Commander responsible for Gore Bay Terminal closes the roads around the Terminal for fire safety reasons – this prevents sightseers from congregating on the headland near the terminal to watch the fireworks.
· Control of the situation once an attack has occurred – in the event that a security breach has occurred, the Government will need to take over to resolve the breach, particularly where armed forces are necessary to control the situation. The responsibility of business is to expedite the Government’s taking of control, and then to resume responsibility once the situation has been resolved.
Importance of Business and Government Working Together
It is imperative that business and Government work together to develop plans of action in the event of a security breach where the interfaces between Government and business are agreed and understood, and conduct regular crisis exercises to test that the plans work. Business needs to work together with the responsible Government department – which may vary according to jurisdictional boundaries and the type of threat – to develop realistic, practical security plans. Shell has relationships with the three levels of Government – Federal, State and local. For example:
At the Federal Level: The broad management of day to day issues that affect the energy industry are addressed by Canberra-based committees at which the oil and gas industry is represented by the two peak bodies; the Australian Institute of Petroleum and the Australian Petroleum Production and Exploration Association. In addition, direct dialogue is maintained between members of the Shell corporate staff with relevant Commonwealth Departments and intelligence agencies, like the Attorney-General’s Department, the Department of Transport and Regional Services and ASIO.
At the State Level: Under the Australian Constitution the primary responsibility for law and order rests with the States, including the initial response to terrorism. Consequently, within each State and Territory consultative committees have been formed to manage the State’s anti-terrorism arrangements. The senior Shell manager in each State will be involved at this level. In the case of New South Wales, for example, the Manager of the Shell Clyde Refinery represents the Company in dealing with the State Government and its agencies. Day to day liaison is conducted between key refinery staff members (e.g. the site security supervisor) and officers in various government departments.
At the Local Level: The first response by government to a terrorist incident is likely to be provided by the local police regional commander. He is responsible for notifying all critical infrastructure assets in his region of changes in the national security alert level as well as any specific local security issues. It is important, therefore, that our major sites maintain close working relations with this officer and his staff and seek their advice on security issues. In the case of Clyde Refinery, for example, local police visit the site regularly. They have conducted security surveys of the site to confirm that arrangements are appropriate, they have assisted in training in bomb search techniques, and participated in security training exercises. A similar level of police support has been given to Gore Bay Terminal.
A good overseas example of how business and Government co-operation has worked over many years is our offshore oil and gas platforms in the North Sea. The security of platforms in the North Sea has been under continuous scrutiny by both oil companies and the UK Government ever since they were built. The terrorist campaign against the UK by the IRA, plus other global terrorist campaigns, have been the main driver for this constant review.
Regular contact is maintained with the Police Offshore Oil Liaison group. Access to the physical space around the platforms – both sea and air – is tightly controlled, in conjunction with the relevant authorities. Cargo deliveries to the platforms are also carefully scrutinised before being allowed near the platforms. In terms of partnership with Governments, most of the standards applying to the North Sea platforms have been adopted following consultation with and guidance from the UK Security Service’s National Security Advice Centre. This Centre provides protective security advice to industries assessed as essential to the UK Critical National Infrastructure, such as the oil and gas industry. The security measures applying to the use of helicopters and stand-by vessels have been adopted across the North Sea oil and gas industry via the United Kingdom Offshore Operators Association in conjunction with the UK Government.
The last area of co-operation I want to emphasise is the importance of crisis exercises. Yesterday, Andrew Metcalfe and Major General Hindmarsh mentioned Exercise Mercury ’04. I can confirm how valuable this exercise was for the businesses involved. We all need to practise and learn, and then practise and learn again. Improvements can always be made. It is in the practice exercises that you learn where the interfaces between different agencies might break down. It goes without saying that it is far better to learn these things in a crisis exercise than when the real thing hits.
Conclusion
There is no doubt that businesses and employees, especially in the Western world, are constantly at risk from terrorist and other security threats. However, there is much that business can and should do to reduce this risk – much as we all do to protect our homes and loved ones from the threat of a burglary. We should all assess the risk to our operations, using the equation Risk = Threat plus Vulnerability plus Impact.
Think about ways in which you could minimise the threat of attack and your vulnerability to it. Remember to think about the ripple effects of a security incident – either in the case of your business being directly affected by the incident or through one of your suppliers, customers or owners of surrounding critical infrastructure being affected. Think about how to minimise the potential damage to your people and facilities if an attack did occur. And then have a good, speedy recovery plan. Make sure that you and your staff know what they can and must do in the event of an emergency – and what you must rely on the Government to do. Ensure you have agreed and understood the points of interaction between your business and the Government. Keep the lines of communication with Government at all levels open, and practise, practise, practise those emergency response procedures.
This will be nothing new to most of you – but it bears repeating. The worst thing that we as businesses can do in the face of the heightened security threat is to bury our heads in the sand, and rely on the Government to make it all go away. The Government cannot combat this threat on its own. There are practical things that companies can and should do to protect their operations against security threats, and those that do so successfully may even succeed in developing a competitive advantage over those that don’t. Thank you for your attention this morning. We have a couple of minutes for questions, which I would be happy to take. Thank you.