Industrial Security: New Threats Call for New Tactics
A growing list of threats to industry means today's plant managers must take added steps to safeguard their facilities, workers and proprietary information. Here are some considerations.
On the morning of February 5, 2001, William Baker traveled to Navistar's engine plant in Melrose, IL, as he had every workday for the preceding 39 years. But this day was different because Baker no longer held a job at the sprawling, 2 million-sq.-ft. facility. The former tool-room attendant, 66, had recently been fired for stealing, and was due to begin serving a prison sentence for his crime the next day. Out for revenge, Baker forced his way into his old workplace by holding a security guard at gunpoint. He then pulled an assault rifle from a golf bag he was carrying, and entered an engineering area. He opened fire and shot seven people - three fatally. Baker continued through the plant until he entered another office where he fatally shot one more person before taking his own life.
Could this happen at your facility? A better question might be: How would you prevent this from happening at your facility? Stories like this are not unique. According to government figures, this was one of 600 workplace homicides in 2001 - down from the 1,000 that took place in 1995, but still significant. Experts add that in the post 9/11 envi-ronment, the industrial workplace is also a likely target of terrorist-related violence, as well as electronic data theft, sabotage and other crimes. Building security has never been more important.
"In the industrial realm, security is becoming as important as safety and health," says Michael Regan, chairman of the electric utility subcommittees council with the American Society for Industrial Security (ASIS) International, an Alexandria, VA-based trade group. "And security means the protection of the company, its employees and assets."
That's a big job. And it can be expensive. Where traditional security elements like fencing, security guards and padlocks leave off, modern elements pick up. These can run the gamut from surveillance cameras and computer safeguards to biometric security systems that allow access based on hand or eye characteristics. And that's just the hardware side of it. There are also training costs and, in some cases, the cost of specially trained personnel. According to the Security Industry Association, an Alexandria, VA-based trade group, the market for security hardware and services tops $100 billion, and is growing. Other sources place the market value significantly higher.
But experts say that despite the costly advances of security technology, its effectiveness is based on well-planned strategy. "When it comes to security, there's an old saying," says Robert Moraco, certified protection professional (CPP) and chairman of ASIS Inter-national's oil and gas division. '"If you want to protect the sheep, you have to think like a wolf.' This means you first must look at your potential enemies and risks, devise a plan to thwart those enemies, then put countermeasures in place based on your level of risk."
Recognizing threatsTo know your risks, it's important to identify the security threats that exist for you. In broad terms, the areas of highest concern to industry are workplace violence, criminality, and terrorist threats.
Workplace violence. The most common threat, workplace violence includes cases of disgruntled employees causing harm to a facility, its assets or other employees, and domestic issues that carry over to the workplace. The term "going postal" has entered our language due to a rash of violent outbreaks at U.S. postal facilities. School killings also fall into the category, underscoring the fact that no workplace is immune to the problem. Industrial facilities become more susceptible to violence in times of economic downturns when layoffs increase.
"Most industrial facilities have a workforce that is a microcosm of the world in general," says Moraco. "This means they include different types of people, with various personalities, who may be under stress and duress both at home and in the workplace. Some may have anger and violence issues that can carry over into the workplace. This can be lethal if it's not properly identified and handled early on."
Criminality. Criminal issues include robbery, sabotage to buildings, equipment or files. Perpetrators are usually disgruntled workers, protesters or prank-sters. The growing area of data theft is particularly important as industries of all types rely more on the Internet for everything from resupply to design, operations and maintenance. Regan from ASIS calls data privacy "an enormous issue in terms of a company's ability to operate," largely because of the Internet's weaknesses. "The Internet has viruses, hackers looking for information, and the potential for electronic sabotage by disgruntled employees," says William Gerould, global manager for manufacturing industries with Sun Microsystems, a Santa Clara, CA-based provider of computer networking systems. "Security for manufacturing control systems is critical because of their level of vulnerability."
Terrorism. Since 9/11, industry has a heightened concern about terrorist attacks. According to Moraco, private industry owns 80% of what's deemed the nation's critical infrastructure. This includes power and water utilities, as well as gas-, oil- and chemical-production facilities. "These have the potential to be used as weapons of mass destruction," says Moraco. In particular, security at the nation's nuclear facilities was increased after 9/11, and the industry remains on a high state of alert. Accor-ding to the Nuclear Energy Institute, it has spent $370 million on additional security measures since the terrorist attacks. But any company using toxic chemicals could be a terrorist target.
Assessing risks"The first step in securing a facility is to understand what the risks are," says Dan Donovan, CEO of the Inocon Group, an Atlanta, GA-based provider of crisis-simulation and management training. "Look at these risks from an operations point of view and decide what prevention measures are needed from a planning perspective. Then decide what measures can be put in place from a physical perspective."
Mark DeVoti, CPP and chairman of the utilities security council for ASIS International agrees. "Look at what you make and how you make it," he says. "If you're making widgets in the middle of Idaho, you don't face the same risks as a chemical company near the Holland Tunnel. Assess your risks, consider each, then take actions to mitigate it based on the impact it might have if that scenario were to happen."
Depending on the size of your facility, a risk-assessment may be best conducted by calling in a pro. At BMW's 2.3 million-sq.-ft. assembly plant in Spartan-burg, SC, manager of safety, health and security Greg Jackman says the company brought in "a high-level team of former FBI agents" to perform a complete plant analysis. Though not part of the nation's critical infrastructure, the operation, says Jackman, "is a high-profile business, and we thought it would be prudent to look at it from top to bottom and add security where necessary." Security-team members had backgrounds in controlling terrorism, as well as implementing electronic and physical security. They studied the plant from the perspectives of operations, data integrity, and physical security. As a result, the company introduced contingency plans for various scenarios, improved the plant's physical security, and increased data-protection measures.
"When creating a proactive plan of action, there are two levels to review," says Donovan. "First is the tactile level of the organization. This includes plans for evacuations and emergency response. Second is the strategy. This covers the impact the plan will have on employees, the operation, the company and the community. Planning for breeches in security in this manner and communicating these plans to employees prepares people," he says. "It gives them direction on how to handle themselves during emergency situations."
While the plan you create depends on your operation and its risks, there are standard security essentials that every company should use as impediments to terrorism, workplace violence and criminal acts.
"First," says DeVoti, "make sure your gates are operating and closed in order to keep unwanted visitors off the property. And use ID badges so employees can identify each other." The second line of defense is the exterior of the building. "This should be protected with simple things like 'No Trespassing' signs and lighting," he says. "At the entrances, use a security guard, badge scanner or some access-control device to challenge or approve people who want access."
Inside the building, employees should know visitor guidelines and where non-employees are allowed. He adds that it's useful to create off-limits security zones inside facilities that only authorized employees can access. These include computer rooms, power centers, control rooms and clean rooms.
Planning for specific threatsTo meet specific threats, action plans and security measures are required to address the following:
Workplace violence. Experts say that denying facility access to a disgruntled worker should be the last line of defense against this problem. The first thing to do, they recommend, is form a workplace violence committee that includes representatives from security, human resources, legal, management and medical departments. Members should be trained to identify and handle potential workplace-violence issues, investigate them, and get outside help when necessary. The goal is to recognize and mitigate such problems before they have the chance to escalate.
Also, employees should be trained to recognize and report situations that could turn violent or get out of control. "Many workplace violence issues begin with general harassment," says Moraco. "Things like name-calling, obscene language or gestures, abusive remarks, intimidating activities, throwing of objects, physical harassment or leaving notes, photographs and drawings of violent images should never be tolerated," he says. "If these issues show themselves in the workplace, management has to take action to quickly stop them. Zero tolerance for such activities can thwart serious issues over time."
Data security. The critical job of protecting sensitive data should not be left to everyday security personnel, say experts. "Cyber security requires intimate knowledge of the types of computer systems and programs in use," says Moraco. "You need your IT professional who knows them well so they can research firewalls and protection systems and determine what will work." Types of possible cyber threats need to be identified by conducting an IT risk-assessment. Similar to a full-plant assessment, this looks at the facility's overall IT infrastructure, including networks and remote-access conditions.
With threats identified, a "trusted identity model" can be constructed, says Robert Atherton, worldwide manager for process control at Sun Microsystems. "This includes building methodologies, processes and ways to add, delete, modify and provide access to the appropriate people. It comes down to creating a centralized environment that provides control." These systems can be expensive to install, but with such a large and growing portion of manufacturing operations under electronic control, their value cannot be overestimated.
Terrorism. September 11th immediately made the manufacturing community aware of the need to guard against a direct facility attack. But exactly how sprawling manufacturing facilities can guard against a vehicle bomb, suicide bomber or airborne threat leaves many managers uncertain. After 9/11, one of the government's first tactics was to adopt the color-coded security levels now used by the Department of Homeland Security. Though the system has been criticized, some experts recommend it as a good way to introduce the threat-level concept in your plant.
"If I were managing a company today, I would have a security plan that reflects those levels of alert," says Inocon's Donovan. "Then my organization knows when we've gone from one level to another, and we can make our own risk analysis concerning the threats."
BMW follows a similar strategy. "Our contingency plan is based on the government's threat levels," says Jackman. "But we modified it so we can elevate our security levels based not just on the federal levels, but on state and local levels." He's unable to share the specifics of what occurs when plant security levels are elevated, but says, "We make adjustments to individual task functions. Inspections on incoming containers might go to 100%, for example, versus the normal 50%. Or we might look at which people can access the plant through specific doors. A number of things might change depending on the exact threat or cause of concern."
The cost of securityHigh-tech access-control systems, security personnel, even security appraisals can be expensive. But while the security-industry size is estimated in the multiple billions of dollars, individual company costs vary dramatically. ASIS' Moraco says it's nearly impossible to determine what any one industry spends or should spend on security. Risk levels vary and that information is often not divulged. "When it comes to deciding how much you should spend," he says, "you need to examine your risk factors and the cost of what a potential incident could mean to your operations, your infrastructure and your community."
At an Owens Corning facility in Newark, OH, for example, the company recently decided to install a high-tech system that would replace the screening capabilities of a recently retired receptionist. "The receptionist had let people into the building and signed in visitors," says Rodger Orr, the plant's information systems professional. "But when she retired, management decided not to replace her as part of a larger round of layoffs. We knew we needed to secure the building, but we also wanted a secure entry in case there were disgruntled-employee issues following the job cuts."
Orr searched for a system that would deny access to people who didn't belong, but admit contractors and other, authorized non-employees.
"More than 3,500 visitors a month come into our lobby," he says. "Many are vendors that take care of our consigned inventory. We needed a system that would allow them in without an escort who had to be called away from the job to open the doors." The company chose a biometric security system that allows privileged personnel to punch in a code number, scan their hand and enter the building. Six hand scanners were placed throughout the building; all work in conjunction with badge scanners used by hourly employees.
"With this system I can delete someone's code and scan if they no longer belong in the building, and I can put expiration dates on contractors' scans so they are only permitted into the building for as long as they actually work here," says Orr.
In addition to the hand scanner, Orr set up a motion-sensitive network camera to eliminate the problem of one employee scanning to gain entrance, then letting another person in on the same scan. Images taken by the camera are burned to a CD and stored. "That way we have proof of exactly who entered the building at any given time of day," he says. Price of this system, which includes a security-system PC: $16,700. The company will also soon add nine more high-end security cameras at $2,500 each for a total of $22,000, bringing the cost of this security upgrade to just under $40,000.
Other factors could drive the cost higher. But as security issues become better understood, security budgets should grow, theoretically leading to safer environments for workers and communities. Prompting that may be broad-based federal security standards, which currently do not exist outside of the nuclear industry. Experts stress that it's important, however, not to wait for a catastrophe to assess your risks. By creating and implementing a prevention plan now that addresses the areas described above, they say, your facility will have the best possible - and earliest - chance to avoid disaster.