Neal Skelton, Head of Professional Services, ITS United Kingdom gives an overview of the work of the ITS (UK) Security and Resilience Interest Group.
Since the cessation of armed conflict with Irish Republican organisations and the suicide-bombings by fundamentalist Islamist terrorists the United Kingdom has enjoyed an extended lull in overt terrorist activities leading to an understandable assumption by the population that much of the motivation for terrorist attacks had either been dissipated or was being disrupted through sophisticated counter-terrorist intelligence and /or operations. Measures to address risk, resilience and security appeared to be regarded as unnecessary and past-experience shows that these are the very issues that are ‘the first to go’ under any austerity measure programme. The substantial security operation covering the London Games 2012 was deemed, by certain groups, as unnecessary as no incidents of note had occurred – implying that these elements had been a wasted investment. However consider the implications from a lack of risk and resilience planning if a terrorist incident had occurred. ITS (UK)’s Security and Resilience Interest Group (SRIG) is acutely aware of the dangers associated with complacency regarding safety and security and the emergence of new threats. With this in mind the SRIG revised its remit in 2014 and was re-launched to align itself with contemporaneous national and global events.
Even more recently the plethora of media reports and other evidence on a series of unprecedented global events shows that the world is now at a higher state of tension than it has been since the end of the Cold War. New and unexpected threats and challenges keep emerging and the recent attacks in European cities only accentuate the actual and perceived threats to personal, institutional and commercial safety and / or security. All of this gives confirmation that it was absolutely correct for the SRIG to have revised its remit.
The advent of ‘perpetual connectivity’ and the demand for 24/7 seamless connectivity has increased; this is often at the forefront of business and/or individuals’ communication plans and often the precursor for how commercial models and personal demands are structured.
The need to satisfy these demands often dictates how sophisticated business-models are created – especially as customers are ‘on the move’ between home, the work place and leisure locations and expect to be able to communicate seamlessly without interruption. This urge to satisfy the customer can come at a price if the necessary ‘checks and balances’ on the associated security measures are not addressed or are accorded a lower priority than they should be. Such a failure in the security infrastructure will introduce vulnerabilities into any system if due rigour is not given – and there are too many ill-minded people ‘out there’ who are keen to exploit those weaknesses.
Criminals, terrorist groups and malicious businesses and / or individuals pose an ongoing threat and are always ‘on the lookout’ for opportunities to expose and attack gaps in any infrastructure – albeit physical or electronic – therefore any response needs to be proportionate, perpetually vigilant but hidden ‘behind the scenes’. Physical systems are easier to safeguard against exploitation as they can be seen and addressed. This is not the case with electronic security and cyber-security becoming increasingly important in the fight against organised crime and disaffected individuals.
Transport systems have always been the preferred area of penetration for terrorist groups as they represent the ‘soft underbelly’ targets. Malicious attacks and disruption to the routine operational aspects of transportation – either as physical or cyber attacks – allow the perpetrators to erroneously believe that the associated propaganda reinforces their cause and, notwithstanding the personal tragedies associated with such atrocities, the substantial disruption to operations, loss of revenue and negative affects on ‘brand reputation’ will have the desired long-lasting implications. Sophisticated cyber threats transcend borders with ease therefore critical security measures need to be in place to intervene in a discrete and unobtrusive manner. Cyber security measures are essential to match and counteract increasingly sophisticated threats; too many restrictions and the threats will have been proved successful – too little protection will encourage complacency and a ‘laissez-faire’ approach to preventing any inherent vulnerabilities.
Commercial advantages gleaned from cyber-hacking can have significant safety, security, operational and efficiency impacts whilst malicious activities are extremely frustrating especially as they have no defined purpose other than to disrupt. It is essential therefore that resilience and due diligence are incorporated and fully integrated into systems architecture and not as a ‘bolt-on’ option. The failure to include this vital aspect of any systems infrastructure can have far-reaching and long-term consequences.
A comprehensive array of technical telematics support is now available to vehicles whilst in motion – much of it in ‘real-time’. This currently includes Bluetooth, GSM, GPS technologies however the spectre of being able to access the Internet whilst driving looms in the future. One only has to assess the illegal use of mobile phones and text messaging to consider the impact that that would have. However if the business models and personal demands insist on their introduction then there is a chance that this will become a reality. Vehicles wirelessly ‘connected’ to an infrastructure are a reality, as are ‘autonomous vehicles’ and ‘platooning’, and although mass deployment is a number of years away there is an impetus to integrate them onto the road network as ‘just another vehicle’ – which they evidently are not!
Each of these technologies potentially exposes vulnerabilities that were considered unnecessary hitherto when road vehicles were an independent entity. No longer is this the case as they increasingly have external ‘wireless’ connections. These arguments can be applied equally to other transport modes – except that the only requirement to be in charge of a car on the highway is a rudimentary test of driving skills competence; all other modes necessitate graduated levels of competence to be demonstrated and regularly refreshed.
There is considerable research into the development of autonomous vehicles however the main focus of cyber-attacks relates solely to road safety. This is a crucially important aspect as it should be emphasised that safety resilience should not be confused with security risk resilience. They are not the same thing therefore strenuous efforts need to be devoted to ensuring that both issues are not mixed up and that they are both incorporated.
In recent months the SRIG made a contribution to the revised CCTV Code of Practice by commenting that the use of CCTV in criminal and civil roles should be incorporated. The Information Commissioner’s Office issued its first Code of Practice under the Data Protection Act 1998 (DPA) which covered the use of CCTV. There is value in including extracts from the revised CCTV Code’s Foreword.
‘The Code was developed to explain the legal requirements operators of surveillance cameras were required to meet under the Act and promote best practice. The Code also addressed the inconsistent standards adopted across different sectors at that time and the growing public concern caused by the increasing use of CCTV and other types of surveillance cameras. A lot has changed since this time and, while the original code was updated in 2008, further legal, practical and technological developments mean that updated guidance is required’. CCTV have progressed from being a camera on top of a pole in our local town centre where the images were recorded on to video tapes, to much more sophisticated operations using digital and increasingly portable technology. The use of Automatic Number Plate Recognition (ANPR) is now commonplace and body worn cameras are being routinely used by organisations, such as the police. Surveillance cameras are no longer a passive technology that only records and retains images, but is now a proactive one that can be used to identify people of interest and keep detailed records of people’s activities, such as with ANPR cameras. The use of surveillance cameras in this way has aroused public concern due to the technology no longer being used solely to keep people and their property safe, but increasingly being used to collect evidence to inform other decisions, such as the eligibility of a child to attend a school in a particular area.
The unwarranted use of CCTV and other forms of surveillance cameras has led to a strengthening of the regulatory landscape through the passing of the Protection of Freedoms Act which has seen the introduction of a new surveillance camera code issued by the Secretary of State (since June 2013) and the appointment of a Surveillance Camera Commissioner to promote the code and review its operation and impact. The Information Commissioner’s Office has contributed to this tougher regulatory landscape by taking enforcement action to restrict the unwarranted and excessive use of increasingly powerful and affordable surveillance technologies. While the title of this Code has changed to highlight its focus on the data protection implications of using CCTV and other forms of surveillance cameras, its objectives remain the same. The Information Commissioner’s Office has developed the CCTV Code of Practice to help those who use surveillance cameras to collect personal data to stay within the law’.
The SRIG remains alert to existing and emerging challenges to threats to individuals and organisations and this article is intended to serve as a reminder of the scale of the problem. It also shows how the SRIG is contributing to exploring the dynamic balance of protection which lies somewhere in the indistinct zone of the relationship between safety and security measures and the intrusion into personal and organisational freedom and unfettered access to physical or data infrastructure.
Neal Skelton
ITS (UK) – Head of Professional Services
