While few people would deny the need to secure people, assets and operations in any enterprise, there is a tendency for many to think that a security implementation is a once-off job that renders your system secure. This is, of course, a fallacy.
Any security implementation, whether it is made up of physical measures, logical security or combination of both, will have vulnerabilities. The trick in designing and running a security operation is therefore to find a balance between security, vulnerabilities and the need for legitimate access to the various aspects of the operations.
The cabling infrastructure of the Gautrain project is a good example of this. Cable theft is a constant problem for every company that relies on communications, whether via Telkom lines or its own network. Electricity is also supplied via cables, which puts this necessary resource at risk too.
The Gautrain relies on electricity, signalling and digital communications to function. The Gautrain’s Operator’s headquarters is the main power distribution centre, managing the flow of some 80 kW. There are four additional substations managing the electricity to other areas within the rail network. The power supply must serve the 10 stations along the 80 km system as well as provide energy for the train sets to run as per the schedule, creating an effective, efficient and reliable system.
The second critical infrastructure is the signalling cable. This is the most critical asset providing the governance of safety for the system and passengers, allowing the Gautrain to run at speeds of 160 km per hour. If this asset is damaged, the trains are not permitted to go faster than 30 km per hour, making the Gautrain a very slow crawling system, much slower than the traffic on the very congested Ben Schoeman highway. Naturally, communications is a critical part of the Gautrain to provide radio communication for the train drivers, conductors, security, station personnel and maintenance personnel as well data between the stations. Where the physical communication is of utmost importance for the operations of the system, data is the platinum of the system. This supplies business intelligence, passenger flow statistics, parking facilities utilisation etc., to be used for the operational deployment of resources. This is all supplied through kilometres of various strands of copper, signalling, earth and fibre optic cables linking the whole system together and allowing for effective performance and management.
It is therefore logical that protecting this communications network would be a high priority. However, if the solution was to build high walls with regular guard posts and to seal the cabling into the conduits with concrete, for example, the cost of securing the 65 km perimeter – on both sides – would be prohibitive and any maintenance required would be extremely difficult.
As it is, the perimeter security solution was limited by budget constraints and, more importantly, the need to allow maintenance technicians and security personnel to gain access to all areas of the system. The result Snyman and his team came up with was a layered approach to security.
The perimeter is protected on both sides by two palisade fences with barbed wire in some areas, which has the benefit of keeping the site visible at all times and limiting hiding spaces. There are also 108 gates for authorised access. The cabling conduit is accessible via numerous steel plates located next to the tracks, secured by two bolts that require a specific key to unlock – this prevents the plates from being lifted with a crowbar. The cables are buried underground in cable ducts to prevent easy access.
Snyman admits that this is not the most secure option that could have been chosen, but was the best solution given the prerequisites and the available budget. The need for security was balanced with the need for access. (It’s worth noting that multiple parties, from the Gauteng legislature and national government, the police and the National Security Agency were involved in approving the security for the whole project.)
Despite this, Snyman says there are still vulnerabilities in this area due to the human effect. As an example, technicians want quick access and there are times when bolts are not secured after maintenance is done, or only one bolt is secured as the workers hurry to the next job. Training and quality control of work done will assist in preventing this type of vulnerability, but it is something the Gautrain operator has to deal with as it is has to allow maintenance and repair access.
As noted, many people were involved in the approval of the security measures for the Gautrain project. Snyman believes that one person or company cannot have all the answers to a complete security solution and the project managers therefore need to make use of experts in various fields if they want the best solution.
The final solution will be made up of the input of various experts, who will (hopefully) have ensured a skills transfer process to ensure that the operators onsite would be able to maintain the security solution independently into the future. The training of employees in the various aspects of security is also crucial, from the guards through to management.
At its most basic level, this will ensure that all staff are aware of what is happening and what should be happening, as well as what the correct reaction is to various events. Engaging with partners who try to keep their expertise to themselves or will not provide explanations of the ‘why and how’ is a dangerous practice.
In addition, since there will be staff turnover at all levels of the project, documenting these processes from day one is also a crucial aspect of a security operation. These historical legacy records are the lessons learned from the past to be used for any future project. This results in a standards and compliance checklist from challenges, solutions and best practices, which Snyman kept meticulously during his tenure.
In some areas of business, a new manager may be appointed and he/she will immediately try to develop a team that functions the way they want them to. This may or may not be a good idea, depending on the business and the environment. In the security world, however, a 'new broom sweeps clean' approach can cause serious problems. Of course, if the security operation was failing this would require significant changes, but if it was working well, change for the sake of change is a recipe for disaster.
Snyman therefore considers documenting the security processes in detail a critical process. The documentation should be done in a way that any new person coming onboard will be able to understand what was done and why, what the risk tolerance of the company is in various situations, and the company’s best practices in its security operations.
Detailed documentation will also allow for measured improvements and expansion of the security operation that builds on the existing solution. And as the solution expands to cater for new situations and risks, as well as resolving some previous vulnerabilities, the documentation should be updated and extended to detail the expansion. It is also advisable to ensure that the older documentation is available in order to provide a full history of the system for future reference.
Documenting the processes also provides a foundation to effectively measuring and auditing the operation, ensuring the goals and requirements of the company are met. Audits, whether it is ISO 9001:2008 or annual internal audits, should be Risk Based Audits (RBA) and the premise of departure must always be the latest comprehensive risk management plan for the specific environment.
A full security solution for a project the size of the Gautrain operation is a complex project that requires input from internal and external stakeholders, companies, people and experts. It is a lesson in risk assessments and identifying the most important risks to deal with and finding a balance between total security and workable security that permits the operation to function to its maximum capacity over the long term. It requires ongoing skills development and regular reassessments to ensure the security operation maintains the levels of performance required and improves over time.
Nico Snyman is the managing director of Crest Advisory Africa, specialising in risk management, corporate governance and advanced technologies. For more information, contact email@example.com, +27 (0)11 534 8454 (office) or on his mobile +27 (0)76 403 4307.
© Technews Publishing (Pty) Ltd | All Rights Reserved