The most terrifying thing about terrorism is its reliance on the element of surprise. Most people don’t see the attacks coming, or don’t recognise the indicators when they see them. When terrorists strike, law enforcement is disadvantaged, the victims shocked and by the time an effective response is mounted the perpetrators are often long gone.

Many security managers do not know that through careful antiterrorism planning they can increase their chances of effectively responding to a terrorist attack and in doing so, lessen the likelihood of an attack in the first place.

Antiterrorism and counterterrorism

Terrorism is an act of violence where the victim is not the intended target. When terrorists attacked the USS Cole in October of 2000, their victims were the crew of the warship, but the intended target was the US Government and its Middle East policies. It follows the same logic as a kidnap for ransom: the victim is the person stolen off the street and hidden away against their will, but the target is the relative or business with access to cash.

Antiterrorism serves the same end as counterterrorism, but the two are different. Counterterrorism comprises the actions of the military, law enforcement and diplomats who work to apprehend or neutralise specific terrorist groups or individuals. Antiterrorism is the use of passive measures to harden targets and render them unattractive to terrorists. Antiterrorism and counterterrorism work together by providing each other with information: counterterrorism forces tell antiterrorism planners of general and specific threats, and antiterrorism planners tell counterterrorism forces of unusual or suspicious activities in their areas that could indicate interest by a terrorist or terrorist group.

Elements of an antiterrorism plan

There are five elements to an antiterrorism plan. It starts with a Threat Vulnerability Assessment (TVA), which provides a realistic assessment of who the terrorists are, what weapons, explosives, or tools they use and what tactics and techniques they employ. We measure this information against the threat environment: do they exist? What are their capabilities? Do they have the capability and the intention to strike? Are they engaged in targeting right now? How competent are the counterterrorism forces at neutralising or defeating them? From this, we determine our threat level: Negligible, Low, Medium, High, or Critical. The next part of the TVA involves measuring vulnerability. We look in detail at the assets to be protected and we evaluate them against the range of threat types (potential attackers, weapons, tools, tactics and techniques) determined earlier. We then evaluate this information against the full range of threat levels. From this, we develop our Security Measures.

Effective security measures

The functions of effective security measures include access control, deterrence, intrusion detection, assessment, delay, response, or the collection and preservation of evidence. Planners must keep in mind that security measures cost time, money and convenience, so they should always seek to use the minimum appropriate to the threat and deploy or demobilise them as the threat of attack increases or decreases.

For example, the XYZ Processing Plant is designed to operate at a default threat level of Low. It is surrounded by a fence with CCTV cameras on the corners, perimeter lighting and a single guard at the gate. Plant security is told that the threat has been increased to Medium. They respond by positioning Jersey barriers beside the main approach to the plant, adding another guard, deploying a temporary and moveable CCTV camera and deploying a mobile patrol vehicle. If the threat level increases to High or Critical, then increasingly intrusive and expensive measures are applied. The measures are removed as the threat decreases back to Low.

Observation plan

Few successful terrorist attacks are ever launched without an extensive period of surveillance. The attackers need to know a lot of information about the target before they can attack: how is it protected? What is its routine? When do the guard shifts change? When are the periods of maximum and minimum activity at the entrance or exit points? How do visitors, couriers and delivery trucks get in? This dependence on information creates an opportunity for antiterrorism planners and is addressed in the Observation plan. The part of the process that is the most active is Observation. Guards, security staff and employees are trained to watch for the following signs of terrorist activity:

  • Surveillance of the facility, especially near entrances and exits
  • Elicitation of information that may be useful to an attacker from guards or employees
  • Testing the security at the facility (for example, a bogus 9-1-1 call placed near the facility to see how long it takes for law enforcement to respond)
  • Unusual people around the facility that normally don’t belong, especially if they appear to be communicating with each other through looks, voice, or hand signals
  • Deploying assets or getting into an attack position

Countersurveillance operation

The observation plan instructs people where to look, for what activity and to whom they should pass the information if something of interest is seen. Non-emergency information is passed back through security managers to counterterrorism forces. If, for example, there are indications that the facility is under surveillance, then counterterrorist forces will conduct a countersurveillance operation to determine the source of the surveillance and ultimately their intent. If a terrorist group is watching the facility, then a countersurveillance operation is the beginning of the end for them.

If it appears that an attack is imminent, then the observer would report straight to the local law enforcement emergency line, such as 9-1-1.

Random antiterrorism measures

How do we address a terrorist group that might be watching a facility without being detected? We randomly change the security measures used every day, complicating their attempts to figure out what the security plan is. These Random Antiterrorism Measures are particularly useful – they complicate terrorist attack planning and they sow doubt, as the terrorists may suspect that they’ve been discovered and that the changes are a response to it. For example, on Monday they might observe that there are two guards at the gate. On Tuesday, there are three. On Wednesday, they see two guards at the gate, but they are checking the identification of everyone who passes through. On Thursday the two guards have suspended ID checks, but instead are randomly checking the trunks and backseats of all vehicles going through the gate. On Friday there is a police cruiser parked near the gate for several hours. By then, the terrorists don’t know what to expect the next day and will likely determine that it is too hard a target and will move on.

Response planning

Response planning is something that most facilities do, but in addition to the usual fire and evacuation planning, they should include actions upon discovery of suspected or real surveillance and all the activities watched for in the Observation plan. Included in response planning should be all the potential scenarios identified in the TVA.

Preventing terrorist attacks is a process by which we convince the terrorists that they are unlikely to be successful and, by doing so, induce them to move on. Success in antiterrorism is not random at all, but is the result of careful analysis, planning and execution.

Author profile

Ross Johnson Infrastructure Protection Advisor, AWZ Ventures
