1. Journal of the Institute of Civil Protection and Emergency Management
Autumn
2014
Marauding Terrorist Firearms Attack
Medical cover at airshows
Cyber attacks
Pet evacuation
Beyond the fire risk assessment
PROPORTIONATE
ARRANGEMENTS
2. ICPEM // Alert // Autumn 2014
Contents
Membership Matters
Thoughts from the Chair
Editorial
European News
Branch News: Scotland
Branch News: North West
Announcement: Emergency Services Show
Special Interest Group
Updates: Joint Emergency Services Interoperability Programme
Updates: The Social Action, Responsibility and Heroism Bill
Incident Reports: Westgate terrorist attack
Feature: The Role of the Counter Terrorism Security Coordinator
Feature: Crisis Management in Cases of Multifaceted Cyber Attacks
Role profile: Raynet
Feature: Medical support at air displays in the United Kingdom
Feature: Can I bring Rover?
Feature: Beyond the Fire Risk Assessment
ICPEM membership details
Contacts
Membership matters I
Subscriptions are the life-blood of the
institute and they can be paid by:
Standing Order
Direct Debit
Cheque
Bank transfer
The institute also benefits from Gift Aid when
you sign up for it, and all the relevant forms
are available for download from the website.
Whatever arrangements you have made for
your subscriptions, can you please ensure
that they are in place, active and have valid
details. Some subscriptions from the start of
the year remain outstanding, so could you
please check? If you have any queries about
arrangements for payment, please contact
the Treasurer (see contact details on the back
page of the journal).
Membership matters II
The Registrar makes a special plea for
members to keep their contact details
and preferences up to date. We make
every effort to keep records accurate, to
ensure that members receive all relevant
communications.
Email and the website will be the main means
of getting information to members, so it is
vital that email addresses are spot on.
You can download an update form from the
website under the membership tab.
Membership matters III
Membership fees remain at the 2013 rate for
2014. Membership fees are due on 1 January
of each year. So, once again, please check
that you have paid the required amount.
Events
If you are holding an event that other
members of the institute might be able to
assist with or attend, such as exercises and
seminars, please let the Managing Editor of
Alert and the Webmaster know and they can
be advised. The ‘public’ view of the website
includes a calendar of events across the
spectrum of interests, so we would like to
have information on anything that you think
might be relevant.
What else do you do?
Members come from many different and
interesting backgrounds and take part in
many interesting activities. We would like to
reflect these activities and achievements in
Alert in order to show the ‘human’ side of
its membership. So, if you have something
unusual or interesting that you get up to, let
the managing editor know, with some photos
if you have them and we will publish them in
forthcoming editions.
MEMBERSHIP MATTERS
Malcolm Parker, membership@icpem.net
NEW MEMBERS
For a comprehensive update of new
members please visit the website
at www.icpem.net
Front Cover Photograph: “Crowd fleeing sounds of gunfire near Westgate” by Anne Knight - Direct personal communication between copyright holder and uploader. Licensed under Creative Commons Attribution-Share Alike 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Crowd_fleeing_sounds_of_gunfire_near_Westgate.jpg#mediaviewer/File:Crowd_fleeing_sounds_of_gunfire_near_Westgate.jpg
This is my first view from the Chair having
been elected this spring. Aviation disasters
and conflict seem to have been the most
notable events of the last 6 months with the
baffling disappearance of Malaysia Airlines
MH370 on 8 March and the now assumed
tragic loss of 239 lives on board, followed by
the shooting down of MH 17 on 17 July with
the loss of all 298 passengers and crew. The
continuing violence in Syria, Afghanistan,
Iraq, Gaza and Israel confirms we are not a
world at peace and now the Ebola outbreak
which was first identified in Guinea in March
and has since spread to Liberia, Sierra Leone
and Nigeria in Africa reminds us just how
vulnerable we are in this ‘modern’ world.
Natural disasters have not let up either
this year: mudslides in Argentina, floods
in Bolivia, an earthquake triggering fires
in South Africa, flooding and landslides in
Burundi, floods in the Sudan, an earthquake
in Iran, the Pune landslide and Odisha floods in
India, landslides and flooding in Nepal, an
earthquake in China, a typhoon in Korea
and a landslide and a volcanic eruption in
Indonesia have all killed hundreds of people.
The ICPEM, with its many partners including
the Emergency Planning Society (EPS) and
The Security Institute, has a role to play
both nationally and internationally in helping
our government and in turn third world
governments to ensure they have prepared
for disaster along with the training to
respond to the many natural and man-made
disasters that beset us each and every year,
with what seems like a quickening pace. We
need to enlist the help of all our colleagues
and professionals in the field and speak with
one voice from city, county, country and
government levels. The ICPEM and the EPS
would like to help lead that charge and are
exploring the bringing together of our two
organisations to have a stronger more unified
voice to assist our communities and the
world in the field of Resilience.
I would also like to thank all the new
volunteers who have stepped into the breach
to assist in running your institute and would
urge all of you to get involved at a local,
national or international level to contribute
to the discussion, research, training or
delivery of resilience for the good of
your communities.
Thoughts from the Chair
FIRST VIEW
By Les Chapman BEng MBA CMarTech FICPEM FIMarEST AFNI
“Boeing 777-200ER Malaysia AL (MAS) 9M-MRO - MSN 28420 404 (9272090094)” by Laurent ERRERA from L’Union, France - Boeing 777-200ER Malaysia AL (MAS) 9M-MRO - MSN 28420/404. Uploaded by russavia. Licensed under Creative Commons Attribution-Share Alike 2.0 via Wikimedia Commons
“Map of search for MH370” by Soerfm - Own work. Licensed under Creative Commons Attribution-Share Alike 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Map_of_search_for_MH370.png#mediaviewer/File:Map_of_search_for_MH370.png
Editorial
It gives me great pleasure to introduce the
Autumn 2014 edition of Alert which,
thanks to the members and interested
parties, includes a diverse range of articles.
Since the Spring edition of Alert, it is hard to
believe how the national state of affairs has
changed so dramatically both in terms of conflicts
and natural disasters. I would like to focus briefly
on the Ebola situation.
The Ebola outbreak was first reported in West
Africa during March this year and has rapidly
become the deadliest occurrence of the disease
since its discovery in 1976. The World Health
Organisation (WHO) has declared an International
Public Health Emergency. Many people have died,
with Sierra Leone, Guinea and Liberia reported to
be the worst-affected. The 2014 outbreak dwarfs
previous epidemics, with WHO figures indicating
that as of 11 August there were 1,975 probable,
suspected and confirmed cases, and there had
been 1,069 deaths.
Ebola is named after a river in the northern part of
the Democratic Republic of Congo. Statistically, it
is a relatively trivial disease, killing a few thousand
people since its discovery in 1976. In contrast,
malaria and tuberculosis each kill several million
people each year. Measles killed 122,000 in 2012.
Yet, Ebola has captured the public imagination.
It is not known which animal harbours the virus
although bats have long been suspected, and this
makes prevention and control difficult. The clinical
manifestation is dramatic, with rapid progression
from infection to cell death and symptoms that
can include bleeding, vomiting and diarrhoea. The
fatality rate is high, ranging from 50% to 90%.
As the medical professionals and scientists race to address the problem, an ethical dilemma has erupted. It is a well-known fact that the Ebola virus has no treatment and no vaccine available on the market today. But there are several pharmaceutical companies working to develop a treatment. The United States government tested the new drug ‘ZMapp’ on two Americans infected with the virus. There was a public protest about why the drugs were given to the Americans and not made available to the general public. This raised several ethical issues in relation to who should first receive the limited supplies of a potentially life-saving drug and whether it is appropriate to distribute an untested treatment. The World Health Organisation has to balance the need to contain the spread of a rapidly spreading deadly disease with the legal and moral aspects of distributing limited supplies of untested, but potentially life-saving, treatments.
The ReliefWeb is an excellent
website where all natural disasters
are listed with a brief explanation of
the event and the current status.
Visit: www.reliefweb.int
Dave.dowling@icpem.net
ALERT EDITORIAL
By Dave Dowling MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH
EDITORIAL BOARD
Tony Moore (Chair) MPhil FICPEM
Dave Dowling (Secretary) MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH
Professor David Alexander PhD Prof FRGS FRSA FGS FICPEM
Professor Frank Gregory, Hon FICPEM
Professor Gary Silver MSc GCE LLS (QTLS) FICPEM FEPS
Professor Ian Davis, PhD Hon FICPEM FPWRDU
Dr Karen Reddin PhD FICPEM
Kevin Arbuthnot QFSM MPhil DMS FICPEM FIFireE
Mike Broadbent MSc BSc CEng CSci CEnv FICPEM FHEA FICE MCMI
Dr Sarita Robinson PhD MSc FICPEM
This image is a work of the Centers for Disease Control and Prevention, part
of the United States Department of Health and Human Services, taken or
made as part of an employee’s official duties. As a work of the U.S. federal
government, the image is in the public domain.
European News
By Lina Kolesnikova MSc FICPEM
TERRORIST ATTACK IN BELGIUM
On 24 May, a gunman shot dead two women and a man - they were an Israeli couple in their 50s, and a French female volunteer - at the Jewish Museum in Brussels. A fourth man, a Belgian employee at the museum, who was seriously wounded, died in hospital on 6 June.
The attacker had arrived by car, got out, fired on people at the museum entrance, and returned to the vehicle that then sped away. The attack was recorded by the museum’s CCTV system and the police were able to circulate it, through media companies, to a wide public audience in an effort to identify the gunman.
One week later, the suspect, 29-year-old Mehdi Nemmouche, originally from Roubaix on the Franco-Belgian border, was arrested at the Saint-Charles train station in Marseille, France, having arrived there by an overnight coach from Brussels. A Kalashnikov automatic rifle with Islamist markings, a revolver and ammunition similar to those used in the shootings were found in his luggage during a routine drugs check by customs officers. With the weapons, there was a white sheet emblazoned with the name of the Islamic State of Iraq and the Levant, a jihadist group fighting in Syria and Iraq. French authorities also found press cuttings on the museum attack and a film for a miniature camera holding a record in which he appears to admit the attack. The Belgian federal prosecutor, Frédéric Van Leeuw, said that it appeared that the suspect had tried to film the killings but his camera had failed.
Mehdi Nemmouche is a convicted criminal with a troubled childhood who became a Syrian jihadist soon after he left prison in France in January 2013. He returned to Europe two months prior to the attack and it is believed that he spent some time in Britain. President Hollande later pointed out that the suspect re-entered Europe through Germany and then moved on to Belgium. However, in France he was under close surveillance. This suggests that despite declared concerns about militants of European origin returning to Europe after having fought in Syria, there is little control over the movements of such people and Europe-wide cooperation in following ex-Syrian fighters is inadequate. It would appear that such people can be under surveillance in one EU country but they can easily move to another EU country without vital information being passed to the second country.
There are still many questions about the Brussels attack, but the main ones are:
• Did the terrorist act alone?
• Did he get orders from any terrorist group or was the attack carried out on his own initiative?
If his involvement in the Brussels attack is proven, Mehdi Nemmouche will be the first European jihadist volunteer in Syria to have committed an act of terrorism upon his return to Europe. That leads to a third question. Was this an isolated incident or is it the first of a number of attacks, turning European fears into reality?
MOSCOW UNDERGROUND DISASTER
On 15 July at 08:39 a.m. (Moscow time) several carriages at the front of a packed underground train, travelling from the north-west of Moscow to the city centre, derailed between Park Pobedy and Slavyansky Bulvar on the Arbatsko-Pokrovskaya dark blue line of the Moscow Metro.
As a result 23 people died and more than 160 were seriously wounded, some of whom were still in a critical condition at the time of going to press. Most of the dead and seriously injured were in the front of the train because, as a result of the derailment, the carriages concertinaed together as those from the rear hit those in front. Among the dead was a citizen of China and one from Tajikistan; the injured included residents from 12 Russian regions and five countries – Ukraine, Moldova, Tajikistan, Uzbekistan and Kyrgyzstan.
Park Pobedy (Victory station), where the disaster happened, is the deepest metro station in Moscow, 84m underground, which made the rescue operation particularly difficult. More than 1,100 people were evacuated. Some of those hurt were carried out of the tunnel on stretchers, with the most serious cases airlifted to hospital.
The cause of what was one of the worst incidents on the Moscow Metro is reported to have been a power surge. But the real cause would appear to be inadequate maintenance work carried out in May, when a switch mechanism was repaired by a track supervisor and his assistant with ordinary 3-mm wire, which snapped at a crucial moment. Three people were subsequently detained on charges of negligence, and a thorough investigation is underway. Meanwhile the Chief Executive of Moscow Underground has been fired.
The Moscow metro, one of the world’s busiest, is a vital transport artery for the city, transporting more than nine million people on weekdays because of heavy traffic on the streets. It covers 325.4 kilometres of route, and includes more than 194 stations. Moscow is a leader among world capitals for traffic jams, therefore the metro is nowadays the only way to travel in the busy city. Critics accuse the authorities of spending too much on extending the metro system, and not enough on maintenance of infrastructure. A high level of corruption, mismanagement, cost-cutting practices and a system of sub-contracts are the main factors behind the low safety level of the Russian transport system.
CRASH OF MALAYSIAN FLIGHT
Malaysia Airlines Flight MH 17 was shot down on 17 July 2014 during the ongoing military conflict in Ukraine whilst on a scheduled international flight from Amsterdam to Kuala Lumpur. The wreckage came down in eastern Ukraine close to the border with Russia. All 283 passengers, including 80 children, and 15 crew members were killed. At the time of going to press, it is believed that the aircraft was shot down by a Soviet-designed Buk surface-to-air missile fired from within territory belonging to Ukraine but controlled by pro-Russian separatists.
A view of collapsed Maxima supermarket in Riga, Latvia, Saturday, Nov. 23, 2013
On 21 October 2013, a female suicide bomber set off an explosive device on a bus, killing 7 and injuring 36 people; on 29 December a male suicide bomber set off an explosive device in a train station, killing 18 and injuring about 50 people; and on 30 December a male suicide bomber set off an explosive device on a trolleybus, killing 16 and injuring 41 people. At the time of going to press, there are many unanswered questions. For instance, who (which group) is responsible for these terrorist attacks? Who, precisely, are the perpetrators of these attacks? To date, no one has claimed responsibility and only the female suicide bomber who was involved in the 21 October incident has been identified. Are these attacks related to a threat made in July 2013 by Doku Umarov, the leader of a Chechen separatist group known as the Caucasus Emirate, to disrupt the Sochi Winter Olympics? Umarov is already Russia’s most wanted man, having been involved in a number of terrorist attacks in Russia, including one outside the Chechen Interior Ministry in 2009; the bombing of the high-speed Nevsky Express train, in which 28 people were killed, also in 2009; the bombings of the Moscow subway that killed 40 people in 2010; and the bombing of Domodedovo Airport in Moscow in 2011, that killed 36 people. When the answers to these questions become clearer, I will write further on these terrorist attacks.
Author Profile
Lina Kolesnikova is an independent expert in risk,
crisis and disaster management based in Brussels.
She is currently the Institute’s representative to
the European Union.
Branch News
Northwest Branch
Dave Dowling MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH
An event planning meeting with Executive members of the North West (NW) Branch of the Emergency Planning Society took place during August with the aim of developing a joint activity. The original plans for an event at the Warrington Peace Centre, with a theme of psychological support for the victims and the responders, will be postponed until next year. The current plan is to arrange a joint visit to a nuclear power station during November followed by a branch meeting. More information will be provided in due course via the local network.
The Emergency Planning Society annual conference is planned to coincide with the Emergency Services Show on the 24th and 25th September. The theme will be ‘resilience’ with speakers invited to talk about the Fukushima nuclear power plant incident.
Anyone interested in joining the North West Branch should contact Dave Dowling on dave.dowling@icpem.net
Scotland Branch
David Dalziel QFSM MA FICPEM FInstLM
On the Right Tracks: A Resilient Transport Perspective on the 2014 Commonwealth Games
The 2014 Commonwealth Games in Glasgow
required a huge multi-agency commitment to
ensure the safety of athletes, games visitors
and local communities together with the tens
of thousands of people visiting Glasgow. A
resilient, safe and integrated transport system
across Scotland was an essential feature of
those arrangements.
Global coverage of the event throughout the
duration of the games brought significant
pressure on every agency to ensure that
they were at the highest state of readiness
with robust planning, sound contingency
arrangements and highly effective response
capability well embedded.
One shining example of that was the
partnership between Network Rail in
Scotland, ScotRail (the train operating company that
operates 95% of all services in Scotland)
and British Transport Police (BTP).
ScotRail anticipated delivering over one
million passenger journeys over the 11 days
of the games and trained over 3000 of
their staff to enhance passenger experience
over that period.
Network Rail has responsibility for all rail
infrastructure across the UK and directly
manages the main railway station in Glasgow.
They carried out a huge amount of work in
preparation for the games including advancing
upgrade and routine replacement engineering
projects to provide the highest possible level
of safety as well as minimising potential delays
due to faults and freeing up key staff in case
of any incidents.
Network Rail made special arrangements
for the rapid deployment of resources and
specialist staff including joint staffing of
rapid response 4 x 4 vehicles with British
Transport Police. This contingency was further
enhanced by the deployment of two of
Network Rail’s Eurocopter AS355 helicopters
which were also dual crewed by police
officers from BTP.
As part of the command and control
arrangements both Network Rail and ScotRail
route control centres (co-located in Buchanan
House in Glasgow) underwent additional staff
training on contingency arrangements for the
games linking to the Transport Coordination
Centre in the East end of Glasgow close
to Celtic Park.
Adopting areas of best practice from the
2012 Olympics and adapting them to suit
local circumstances all three organisations
established very comprehensive training,
staff awareness and robust contingency
arrangements to help deliver a safe and
successful 2014 Commonwealth Games.
David Dalziel on Scotland@icpem.net
Regional zones of the ICPEM within the UK and Ireland
Announcement
Introduction
From emerging technology to the latest
training and techniques, the upcoming
Emergency Services Show has it all
covered. Aimed at all personnel involved
in emergency response, planning and
recovery, the free-to-attend event taking
place at the NEC in Birmingham on 24
and 25 September features an indoor and
outdoor exhibition of over 400 stands,
free seminars and workshops.
Free Seminars and Workshops
Two free seminar programmes will run
at this year’s event for the first time.
The Interoperability Seminars, developed
in partnership with the Joint Emergency
Services Interoperability Programme
(JESIP), will include case studies on
successful multi-agency working presented
by responders from Lincolnshire Emergency
Services and Dorset Emergency Services.
National Occupational Standards,
winter flooding and the future role of
Local Resilience Forums are also on the
agenda and representatives from JESIP,
the College of Policing, CFOA National
Resilience, the National Ambulance
Resilience Unit (NARU), Skills for Justice,
Cabinet Office and the Environment
Agency will all be speaking. Meanwhile
the Innovation Seminars will cover the
latest developments in PPE, Body Worn
Video (BWV), ambulance design, social
media and mobile communications. The full
seminar programmes will be published on
www.emergencyuk.com
Meanwhile the College of Paramedics will
be returning with its popular Continual
Professional Development (CPD) sessions,
comprising a mix of free 30-minute
lectures and workshops.
INNOVATION AND INTEROPERABILITY AT THE EMERGENCY SERVICES SHOW 2014
UK SAR Zone
The UK SAR Zone will
bring together Mountain Rescue
England & Wales, Association of Lowland
Search & Rescue, British Cave Rescue
Council, RNLI, Maritime and Coastguard
Agency and RAF Mountain Rescue to
promote the search and rescue capabilities
of the UK’s emergency responders.
ICPEM to Network in Emergency
Response Zone
The promotion of multi-agency working
between the key emergency responders
and their partner agencies is at the heart of
the show, with a dedicated networking
area – the Emergency Response Zone
sponsored by Draeger UK – featuring
over 80 support responders, voluntary
sector partners and NGOs including the
Institute of Civil Protection and Emergency
Management (ICPEM). Stands of interest
include CFOA National Resilience,
NARU, Public Health England, Training 4
Resilience, JESIP, Home Office ESMCP,
British Association of Public Safety
Communications
Officials and AA
Special Operations.
Running alongside The Emergency Services
Show in private rooms located in the
atrium will be a number of key meetings
held by industry bodies. These include
the Emergency Planning Society’s annual
conference on 25 September.
Getting there:
• Physically linked to Birmingham
International Airport and Birmingham
International Station
• Discounted travel for visitors using
Virgin Trains (see www.emergencyuk.
com for details of how to apply)
• Direct Access to UK motorway network
• No parking costs
• Coaches will run from Birmingham
International Station to the exhibition
halls.
Emergency Services Show
To register and to view the
latest seminar programmes visit
www.emergencyuk.com
ASSURING THE RESILIENCE OF THE NHS IN ENGLAND
David Dalziel QFSM MA FICPEM FInstLM
The NHS is one of the most high profile organisations in the UK and of huge public, media and political importance. It has one of the largest budgets and is amongst the biggest employers in the UK. Ensuring that all parts of the system (often referred to as the ‘health economy’) are able to respond to major incidents and emergencies, continue to deliver optimum care during disruptive challenges, have effective business continuity arrangements in place and are able to return quickly to normal is vital to communities across the UK. As NASA said on the Apollo space missions, ‘failure is not an option’.
The NHS needs to be able to plan for and respond to a wide range of emergencies and incidents that could affect health or patient safety. This could be anything from severe weather to an infectious disease outbreak or a major transport accident. Under the Civil Contingencies Act 2004, NHS organisations and providers of NHS funded care must show that they can effectively respond to emergencies and business continuity incidents while maintaining services to patients. This work is referred to in the health service as emergency preparedness, resilience and response (EPRR).
In April 2013 the NHS in England underwent massive reform creating, amongst other bodies, Public Health England, NHS England, various Trusts and the formation of Clinical Commissioning Groups (CCGs) who, by definition, are responsible for significant parts of the NHS budget and commissioning care.
The Health and Social Care Act 2012 provides the statutory basis for these structures. The Civil Contingencies Act 2004 specifies the respective duties of ‘health’ responders and these are:
Category 1 responders
• Department of Health on behalf of Secretary of State for Health
• Public Health England
• NHS England
• Local authorities (Directors of Public Health)
• Acute service providers
• Ambulance service providers
Category 2 responders
• Clinical Commissioning Groups (CCGs)
• NHS Property Services.
Primary care (including out of hours providers), community providers, mental health, specialist providers and other NHS organisations (for example NHS Blood, Transplant and NHS Supply Chain, 111) are not listed in the Civil Contingencies Act 2004; however, the Department of Health and NHS England guidance expects them to plan for and respond to emergency and business continuity incidents in the same way as Category 1 responders in a manner which is relevant, necessary and proportionate to the scale and services provided.
These obligations are contained within the
contracts issued by clinical commissioning
groups although, thus far, there has been
a ‘light touch’ approach to assuring the
extent of resilience beyond the Category 1
responders within the NHS.
In fulfilling its responsibilities on behalf of the Secretary of State, the Department of Health represents the health sector in the development of UK government civil resilience and counter terrorism policy, with scientific and technical advice from Public Health England and liaising with international organisations such as the EU and the World Health Organisation.
Blue Light Special Interest Group
A National Health Service Air Ambulance at a Motocross event in Elgin, Moray, Scotland to uplift a patient after a motorcycle crash on 16 March 2014.
The Department also provides assurance
to the Cabinet Office of health system
preparedness for and contribution to the
UK government’s response to domestic
and international emergencies, in line with
the National Risk Assessment and as one
of nine Critical National Infrastructure
sectors ensuring the co-ordination of the
whole system response to high-end risks
impacting on public health, the NHS and the
wider healthcare system, supporting the UK
central government response to emergencies
including ministerial support and briefing
and ensuring effective arrangements for
health emergency preparedness, resilience
and response from April 2013.
The national level arrangements are
underpinned by local assurance processes
conducted since 2013 by NHS England. All
Category 1 and 2 responders are obliged to
complete a comprehensive self-assessment
of their preparedness, resilience (including
business continuity) and response capability
against a set of minimum core standards [1].
This year is the first time Category 2
responders will have to complete the process
on a mandatory basis although many
participated voluntarily in 2013. Primary
care providers are being encouraged to take
part in 2014 in preparation for mandatory
inclusion in 2015 and a number of GP
practices are collaborating in groups to self-
assess their status against the core standards.
The 2014 Core Standards and guidance
were published on July 1st 2014 and the
self-assessment process is being conducted
over August and September with NHS
England carrying out thematic assurance
checks, liaison with providers and Clinical
Commissioning Groups during October
followed by governing bodies signing
off their self-assessments and producing
any subsequent action plans in time
to be presented to the respective Local
Health Resilience Partnerships (LHRPs)
around November.
LHRPs were established in April 2013 to deliver national EPRR strategy in the context of local risks. They bring together health sector organisations involved in emergency preparedness and response at the Local Resilience Forum (LRF) level and are a forum for co-ordination, joint working, planning and response by all relevant health bodies. LHRPs in effect formalise arrangements that already existed in many local health economies to co-ordinate health sector input to the LRFs and emergency response.
Whilst LHRP boundaries are not always coterminous with LRFs, they do ensure effective planning, testing and response for emergencies and enable all health partners to input to the LRF, in turn providing the multi-agency LRFs with a clear, robust view of the health economy and the best way to support LRFs to plan for and respond to health threats.
The arrangements for EPRR in the NHS are set out in the Department of Health document ‘Arrangements for Health Emergency Preparedness, Resilience and Response from April 2013’ published in April 2012 [2] and were the subject of a Webinar from the Emergency Planning College in March 2013 [3].
References
1. www.england.nhs.uk/wp-content/uploads/2014/07/eprr-core-standards-0714.pdf
www.england.nhs.uk/ourwork/eprr/gf/#core
2. www.gov.uk/government/uploads/system/uploads/attachment_data/file/215083/dh_133597.pdf
3. www.epcollege.com/EPC/media/MediaLibrary/Webinars/EPRR-webinar.pdf
Ambulance responder in London on NOVEMBER 23, 2013. Ambulance emergency van at street in London
About the author
David Dalziel was the Chief Fire Officer of
Grampian Fire and Rescue Service for eight
years and was vice chair of Grampian SCG. He
was Secretary of CFOA Scotland for six years
and chair of the Association from 2012 to 2013.
David is also the ICPEM regional representative
for Scotland and is an Associate Lecturer at the
Cabinet Office Emergency Planning College. David
can be contacted on Scotland@icpem.net
Updates
JESIP
By David Dalziel, QSFM MA FICPEM FInstLM, Chair ICPEM
All of those involved in the police,
ambulance and fire service sectors
of the blue light community will be
well aware of the JESIP and its continued
expansion into further areas including, most
recently, Jersey and Guernsey although it has
not yet been adopted in Scotland.
Further development of the programme has
been signed off at Ministerial level and a
legacy structure around doctrine, training,
testing and exercising and joint organisational
learning will be rolled out through a series
of roadshows over the coming months.
JESIP will be at the Emergency Services
show in Birmingham on the 24th and 25th
of September with their ‘Interoperability
Theatre’ featuring a number of presentations
on the programme.
The joint organisational learning strand of
the legacy is of particular importance as
the process will identify what needs to be
learned, act on those lessons, share what
needs to be learnt and check that change has
actually happened.
As the training of operational and tactical
incident commanders continues, the figures
(as at July 1st 2014) show that 65% of
those registered for the training have now
completed it, with Wales and colleagues
in British Transport Police at 100%, so
well done to them.
Increasingly the joint decision making model
and the ‘METHANE’ mnemonic to structure
major incident reporting are being adopted
across other responders and are becoming well
embedded in the routine business of Local
Resilience Forums (LRF’s). There are a number
of good examples of LRF’s inviting other
Category 1 and 2 responders to view JESIP
training and that has been well received by
partners in terms of raising awareness and
improving multi-agency integration.
JESIP does not redefine multi-agency
interoperability but its doctrine is designed to
complement the Cabinet Office ‘Emergency
Response and Recovery’ guidance focusing
specifically on the interoperability of the
three emergency services in the early stages of
response to a major emergency.
For more information on JESIP and access to
downloadable training and guidance material
please visit their website on:
http://www.jesip.org.uk
Commanders’ Aide Memoire
Multi Agency Communications
Enable information sharing and joint decision making between
Blue Light Commanders by:
Option 1: Face to Face Communication
(Consider setting up Multi Agency Talk Group)
Option 2: Airwave Service - Resilient, Secure, Recordable.
• Contact your Control Room to request an Incident Command Multi
Agency Talk Group (specify which Services are required)
• Your Control Room will allocate you a Talk Group
• Switch a handset to the allocated Talk Group
• If you wish to monitor another Talk Group a second
handset will be required
• Carry out a test call to other Agencies to confirm set up
• Before you leave the Multi Agency Talk Group you must inform
members of the Talk Group and your Control Room
Do’s and Don’ts when using a Multi Agency Talk Group
• Do use clear and unambiguous speech
• Check understanding
• Do not use acronyms
• Use clear common understandable roles e.g. Police
Incident Commander
• Multi Agency Talk Groups are not for individual service working
but for incident commanders communication across the services.
Achieving Joint Understanding of Risk
• Identification of hazards – individual agencies should
identify hazards and then share appropriate information
cross-agency with first responders and control rooms.
Use METHANE to ensure a common approach.
• Dynamic Risk Assessment – undertaken by individual
agencies, reflecting tasks / objectives to be achieved, hazards
identified and likelihood of harm from those hazards.
• Identification of tasks – each individual agency should
identify and consider the specific tasks to be achieved
according to its own role and responsibilities.
• Apply control measures – each agency should consider
and apply appropriate control measures to ensure any risk
is as low as reasonably practicable.
• Multi-agency response plan – consider hazards identified
and service risk assessments within the context of the
agreed priorities for the incident. Develop an integrated
multi-agency operational response plan.
• Recording of decisions – record the outcomes of the joint
assessment of risk, the identified priorities and the agreed
multi-agency response plan.
Updates
THE SOCIAL ACTION,
RESPONSIBILITY AND HEROISM BILL
– EMERGENCY RESPONDERS TAKE NOTE
By Roger Gomm QPM, FICPEM
The Social Action, Responsibility and
Heroism Bill was introduced in the
House of Commons on 12 June
2014 and is expected to receive Royal
Assent by early 2015.
This piece of legislation is aimed at
encouraging people to ‘volunteer’ to support
activities in the community. “Helping out: a
national survey of volunteering and charitable
giving” in 2006/2007 found that this was
one of the significant reasons cited by
47% of respondents to the survey who did
not currently volunteer. This supports the
Government’s broader aims of encouraging
and enabling people to volunteer and to play a
more active role in civil society.
However, the legislation may also have
an impact on ‘emergency response’ by
encouraging ‘first responders’ to help others or
intervene in an emergency without the fear
of risk and/or liability.
The legislation is intended to reassure people,
including employers, that if they demonstrate
a generally responsible approach towards the
safety of others during a particular activity,
the courts will take this into account in the
event they are sued for negligence or for
certain breaches of statutory duty, the obvious
one being the Health and Safety Act. It will
provide reassurance that if something goes
wrong when people are acting for the benefit
of society or intervening to help someone
in an emergency, the courts will take into
account the context of their actions in the
event they are sued.
The Bill would not change the overarching
legal framework, but it would direct the
courts to consider particular factors when
considering whether the defendant took
reasonable care. In any negligence/breach
of statutory duty claim that is brought where the
court is determining the steps a defendant
should have taken to meet the applicable
standard of care, it will be required to have
regard to whether:
• the alleged negligence/breach of duty
occurred when the defendant was
acting for the benefit of society or any
of its members (clause 2)
• in carrying out the activity in the
course of which the negligence/
breach of statutory duty occurred, the
defendant had demonstrated a generally
responsible approach towards protecting
the safety or other interests of others
(clause 3); and
• the alleged negligence/breach of duty
occurred when the defendant was
acting heroically by intervening in an
emergency to assist an individual in
danger and without regard to his own
safety or other interests (clause 4).
I would suggest that emergency responders
pay attention to the progress of this legislation
over the next six months.
By Official Navy Page from United States of America U.S. Navy Chief Joshua Treadwell/U.S. Navy [Public domain], via
Wikimedia Commons
Incident Report
THE WESTGATE TERRORIST ATTACK:
WAS LAPSE SECURITY A CONTRIBUTING FACTOR?
By Adrian Meja MSc FICPEM ABCI ACIArb MEPS(UK)
The Westgate shopping mall is a
prestigious shopping centre in the
‘Westlands’ situated some 8 kilometers
west of the Nairobi city centre. The complex
is owned by Israeli nationals and is known to
be frequented by affluent members of the
Kenyan society along with United Nations
staff. The building was insured by Lloyd’s
of London for approximately 6.6 billion
Kenya shillings.
Situation
Saturday 21st September 2013
At approximately 12:30 hours, al-Shabaab
terrorists entered the Westgate Mall in
Nairobi, Kenya and shot dead defenseless
women, children and men in the name of
jihad. A Mitsubishi car, registration KAS 575X,
used the Peponi road entrance to access the
Westgate building where no barriers were
available to prevent unauthorised vehicle
access. The four occupants of the car entered
the building and started shooting at the
shoppers. Initially people thought it was a
bank robbery only to realise that it wasn’t
when some terrorists went beyond the first
floor to the top floors and continued to kill
and maim shoppers. The car is known to
have been purchased on 6th September 2013
which indicates that plans began well over a
month before the attack.
12.40 hours - terrorists had control of the
entire four-storey building from the
basement to the roof top. Kofi Awoonor, a
renowned author from West Africa, was killed
in the basement by terrorists.
13.10 hours - a team of flying squad police
arrived but did not act immediately, during
which time approximately 30 civilian gun
owners, caught in the attack, began engaging
the terrorists.
13.15 hours - two gunmen were seen
on the ground floor attacking staff and
visitors in the mall.
13.25 hours – no control of the situation by
the authorities or security forces.
14.30 hours - two attackers were seen
changing clothes and left the mall amongst
rescued shoppers. One shopper pointed
out the terrorist but the security forces did
not take notice.
16.00 hours - The General Service Unit (GSU),
a paramilitary security force, arrived and
within a few minutes, the situation was being
managed to neutralise the terrorists.
17.30 hours – The Kenya Defence Force (KDF)
arrive at the scene and engage the terrorists
with the GSU. During the defensive action,
the lead GSU officer is alleged to have been
killed by the KDF soldiers. This forced the
withdrawal of GSU from the response teams.
There was a lull of two hours as night fell
and eventually David Kimaiyo, the Inspector
General of police, was given the mandate to
take command and control the incident.
The terrorists did not encounter a counter
attack from the security forces during the
night. They were
also able to view what was going on outside
the mall as the media relayed the response
preparations live over the TV channels.
22nd September 2013
07.00 hours - under the command of the IG,
the police and the KDF attempted to retake
control of the ground floor but were repulsed
by the terrorists - one KDF soldier was killed
and one wounded.
09.00 hours - crowds of well-wishers and
curious onlookers who brought food for the
victims and responders.
14.00 hours - Kenya Police, KDF and Interior
Ministry Secretary, Ole Lenku, announced the
death of 59 innocent people and terrorists
estimated at between 10 and 15.
“Smoke above Westgate mall” by Anne Knight - Direct personal communication between copyright holder and uploader.
Licensed under Creative Commons Attribution-Share Alike 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Smoke_above_Westgate_mall.jpg#mediaviewer/File:Smoke_above_Westgate_mall.jpg
15.00 hours - friends and relatives of missing
and rescued people were assembled at the
Oswal Centre, 200 meters from the mall
where medical assistance, food and supplies
were available at the centre for coordination
and information.
16.30 hours – the Israeli military join forces
with the KDF and enter the mall.
23.30 hours - an announcement was made
that the siege was over and that most or all
hostages were out of the mall.
23rd September 2013
KDF Chief, Julius Karangi, took over
command and control from the IG of police.
A large blast was heard after the siege had
been declared over.
13.25 hours - four more blasts were heard
followed by huge columns of smoke.
19.40 hours – the siege re-confirmed to be
over by the KDF Chief.
24th September 2013
20.00 hours - gunfire heard from
the shopping mall.
22.00 hours - the president declares the
operations ‘over’ and states that the
confrontation with the terrorists at the
Westgate mall resulted in 240 casualties with
61 civilians and 6 security officers killed.
The cost of the damage to property was
estimated to be over Kshs. 6 billion.
Investigation
The planning for the attack was traced back
to Evermay and Solar lodges in Eastleigh
about 20 kilometers east of Nairobi City in
an area occupied mainly by Somalis from
Kenya and Somalia. Some of these people
were traced to have travelled from Sudan,
Somalia and used Kenyan refugee camps to
disguise their presence.
The attack on the Westgate mall had
similarities with the Kikambala hotel
attack, the Nairobi USA embassy attack,
and the failed attack on the Arkia airline in
Mombasa. The target appears to be consistent
with attacks on United States, Israeli and
British government establishments. The
terrorist groups al-Qaeda and al-Shabaab
are well known for targeting western
interests. Kenya has become a victim of such
attacks due to the links with the western
countries and Europe.
It appears there was no specific intelligence
that the Westgate mall was a target for
an attack. However, the local military had
been advised to avoid the complex as it was
considered a likely target for an attack.
The al-Shabaab terrorist group claimed
responsibility for the attack in the name
of Islam even though the terrorists were
not Muslims. No religion or belief supports
any form of violence. Many terrorist
groups regularly claim to be acting in the
name of ‘Islam’ to escape punishment or
to appear as if they are supported by the
Muslim community.
The first person to take charge of the
response team was a police officer of
the rank of Inspector and his action was
commendable in the absence of any other
senior officer or specific body that deals
with terrorism. The General Service Unit
came in as a specialised force and then
the defence forces came in to combine
capabilities. Command and coordination
lapsed somewhere during the response when
friendly fire killed a senior GSU officer. By
morning of the following day, the attackers
had been neutralized by the GSU.
The terrorists may have escaped at one point
or another because the estimated number of
those involved and those killed or arrested
does not tally. One survivor walked out and
saw a terrorist who had changed clothing
and pointed this out to the security agents,
but no attention was given and the terrorist
slipped out. The fact that all rescued people
were not confined until scrutinised adds
credence to the reasoning that security was
lax. Cross-organisational isomorphism
can be achieved if these teams appreciate
each other’s roles, train together and
exercise together, since they all provide
state security, though at different levels, as
identified by Toft and Reynolds (2005) in
their publication “Learning from Disasters: a
management approach.”
As the rescue efforts continued by the
police, defence forces and General Service
Unit, one would expect a smooth recovery.
However, it was shocking to discover the
level of looting that took place and it is not
clear who was responsible. Shops and banks
were broken into where jewellery, cash and
other valuables were stolen. The chair of the
Parliamentary investigation, Mr. Kamama,
and the Army Commander defended the actions
of the security officers by suggesting that
there was no looting until CCTV evidence
presented conflicting evidence. The Army
Commander then suggested that the soldiers
had been allowed to take water from a
supermarket. This was meant to cover up the
poor performance of the soldiers.
The KDF soldiers also caused collateral
damage to the building by setting fire to the
supermarket and used grenades to destroy
the evidence that would connect them to the
crimes of looting. Subsequently a few soldiers
were prosecuted to try and salvage the image
of the security forces.
The search and rescue came to an end
when more than 50 people were claimed to
be “unaccounted for” by the Minister for
Interior. This was maintained even as a foul
smell continued to come out of rubble that
was part of the collapsed structure. This
statement was inappropriate as work was still
ongoing to recover bodies trapped under the
rubble. The Minister could not have known
how many people were unaccounted for as
there is no method of recording people who
enter a shopping complex.
The media played their role in highlighting
what was going on at the incident scene
but exposed the preparations of the security
forces when they televised the rescue mission
thus giving away information that would
help the terrorists – this is probably
one reason why the terrorists were able
to escape. This was not the type of event
that the media needed to relay live to the
public. Courses are available that inform
the media on how to categorise disasters
and the methods of reporting that can be
adopted without compromising security. The
author attended such an event delivered
by the Institute of Civil Protection and
Emergency Management which proved to be
very informative.
In an article published in the Autumn 2005
edition of the Alert journal (page 11) it was
explained that terrorists prefer vehicles with
a capacity up to five tons in weight to carry
large explosive devices. Vehicles may also
be required that carry up to five occupants
with equipment or weapons. To avoid easy
detection, the terrorists are not in a hurry
to register vehicles that are bought in their
names. Experience suggests the need for a
very efficient vehicle registration system
that communicates details of new owners,
including photographs, to the security
agencies within the shortest possible time.
One of the vehicles in this case was bought
more than two weeks before the incident and
an efficient system of communication may
have revealed the buyer’s identity and alerted
relevant authorities in Kenya.
During the incident, terrorists were able to
enter the vehicle entrances unchallenged
and drive close up to the outside of the
building as there were no physical barriers
preventing unauthorised access. A car with
secondary devices was discovered much
later parked near the Westgate entrance.
Entrances to buildings that are next to a road
are vulnerable to forced entry by terrorists
and certain physical preventive measures
must be installed to deter attacks e.g. width
and height restrictions. Security checks for
people bringing vehicles into a building
should be in a dedicated area well before
the controlled access point. Vehicles should
not be allowed to park within 25 metres of
a vulnerable building. Some embassies have
taken such precautions that have deterred
any forcible entry into the premises. In fact
terrorists don’t go near such installations
for fear of being identified. The Centre for
the Protection of National Infrastructure
(CPNI) in the UK has published a free leaflet
on Vehicle Security Barriers (VSB) within
the streetscape.
A conspiracy theory has linked the authorities
to a complacent attitude, but can’t be
verified. However, it is worth noting that the
police officer that first took command and
control of the incident was later transferred
out of Nairobi to a hardship area which
may be interpreted as an odd outcome for
such an individual.
An enquiry appears to identify the same
observations made by the author of this
article. The objective findings can help
the Kenyan government, international
communities and any other organisations
facing the threat of terrorism, to adopt
preventive measures to mitigate the
occurrence and impact of terrorist
attacks. The report from the enquiry has
been found wanting and dismissed by a
parliamentary committee.
Managing Risk
Disasters and crises are a consequence of
mismanaged risks. Since risks are identifiable
and treatable, disasters and crises can, in
many cases, be predicted and the potential
causes can be mitigated by an effective
response. Preparedness is the key to ensure
an efficient response.
Security risks are dominated
by the threat of a deliberate attack. The
security community has to contend with
perpetrators who are willing to sacrifice their
own lives to cause mass casualties. This type
of incident requires a new way of thinking
with regard to planning to prevent such
events and develop effective interventions.
Good intelligence is the most effective
means of preventing such an attack. Some
countries are more sophisticated than others
and have prevented many terrorist attacks.
Shared information with other countries
and between security organisations is
essential. However, whilst warnings may be
issued, unfortunately not all countries or
organisations respond or react.
In the case of the Westgate mall attack, it
has been suggested that security agencies
had some warning at one time or another
but were unable to prevent the incident.
A Senator from Nairobi claimed he was
informed of the potential for an attack
and alerted the security agencies. Also, a
Presidential candidate alleged that in March
2013, he received information through his
networks that an attack was planned and
informed the security agencies, but nothing
was done. The National Intelligence Service
(NIS) claimed to have relayed information
on the threat to the relevant body. Toft and
Reynolds (2005) explain in their publication
“Learning from Disasters: a management
approach” that one of the problems
associated with learning from disasters is the
danger of ignoring advice.
Onlookers near Westgate shopping mall. By Anne Knight
[CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons.
The terrorists involved in planning the
attack were identified to be people from
outside Kenya and some had fake Kenyan
identification documents. This suggests
that the security risk started at the border
control points. It is possible that either the
immigration officials were compromised,
or native Kenyans helped foreigners to
obtain legal papers.
It is suggested that ‘Chance favours the
prepared, the unprepared have no Chance’.
The terrorists were better prepared than the
security forces. When does search and rescue
stop? One needs to read the Alert Journal,
Autumn 2004, pp. 8-9, to appreciate the
answer to this question.
Lessons learned
1. The human vulnerability caused by
compromised immigration officers or
people under duress to help relatives
or friends with criminal motives
presents a significant risk factor in
disaster management.
2. Security forces that are not
working as a team and don’t train
together or exercise together can
expose the country or responding
organisation to threats.
3. Weak security arrangements will attract
terrorists looking for a ‘soft’ target.
Experience has identified that terrorist
organisations plan the attack and will
carry out reconnaissance missions and
dry runs of the attack to confirm a plan
can be achieved. Cross-organisational
isomorphism can be adopted to draw
true lessons, as explained by
Toft and Reynolds (2005) in their
publication “Learning from Disasters: a
management approach.”
4. Media inadvertently informs the
public on issues that would normally
go unnoticed. Care must be taken
to identify which stories can be
relayed overtly to the public without
affecting security.
5. A degree of initiative, boldness and
creative thinking exists amongst
individuals, non-government
organisations (NGOs) and communities
which should be encouraged as it can
assist with managing various aspects
of an incident. During the disaster, the
Oswal community, situated within the
Westlands, established a centre for
receiving casualties, feeding responders
and providing other effective facilities.
6. Looting and collateral damage occurred
during the incident, especially during
the latter phase of the response. This
should be discouraged by disciplined
forces when they arrive on the scene
not least because a crime scene should
be maintained. This topic was covered
by Phillip Buckle, of Coventry University,
in the September 2004 edition of the
Alert Journal in an article entitled
“Responding to Terrorism.”
7. Responders should always search an
incident site and pre-planned assembly
or rendezvous points for secondary
devices that have the potential to cause
more casualties or damage.
8. The response needs to separate rescue
from recovery and explain to the
public the difference where casualties
are concerned. Relatives and friends
of missing persons must be informed
of what action is being taken and
what to expect. Support should be
provided for the next-of-kin and
those affected by the incident and this
includes counselling.
9. Finally, the need to identify and contain
everyone involved in the incident
and check their identity is a critical
element of the response by the security
forces. The Special Air Service applied
such a system during the Iranian
siege in London in 1980 where one
of the terrorists posing as a hostage
was discovered.
MARAUDING TERRORIST
FIREARMS ATTACK (MTFA)
A similar incident occurred in Mumbai
during 2008 and introduced the concept of a
Marauding Terrorist Firearms Attack (MTFA).
Previously, the focus had been on vehicle
borne and person borne explosive devices.
The prospect of facing multiple offenders
with no expectation of survival, with military
training and armed with fully automatic
weaponry has dictated a sea change in the
UK police firearms response. CONTEST is the
UK’s strategy for countering terrorism and
consists of four elements - Pursue: to stop
terrorist attacks; Prevent: to stop people
becoming terrorists or supporting terrorism;
Protect: to strengthen protection against a
terrorist attack; and Prepare: to mitigate the
impact of a terrorist attack.
About the author
Adrian Meja is Head of the
Disaster Resilience Centre
(East Africa) Trust. Adrian
has qualified and trained in
the field of Risk, Crisis and
Disaster management as
well as Business Continuity
Management.
Email: Meja.adrian@gmail.com
Websites: www.drc-preparedness.com
www.safetyfirstkenya.com
Counter Terrorism
THE ROLE OF THE COUNTER
TERRORISM SECURITY COORDINATOR
IN POLICING MAJOR EVENTS
By Jonathan Schulten FSyI
Origins of the Role:
The role of a Counter Terrorism Security
Coordinator (‘CT SecCo’) was originally
developed by the Metropolitan Police Service
(MPS) nearly twenty years ago. The need
for a coordinating role resulted from the
recognition that various specialist officers
were deployed to major events, such as the
annual Trooping the Colour ceremony, but no
one had the responsibility for devising and
maintaining oversight of a holistic security
plan. As the Gold – Silver – Bronze model for
event command teams matured, a gap in the
arrangements was identified for someone
with wide-ranging and in-depth knowledge
of protective security assets to complement
the work of other command team members,
such as planning, communications and public
order specialists. In appointing a SecCo to the
team, a Gold commander has the reassurance
that they have, in effect, a tactical advisor
with a specific remit to maintain oversight
of how different protective security assets
can interact and satisfy elements of a
well-structured, proportionate and appropriate
security plan in order to mitigate risk. It
will be of interest to members of ICPEM
that the initial sponsor and early champion
of the SecCo role was none other than
Sir David Veness, when he was Assistant
Commissioner with the protective security
portfolio in the MPS.
“Trooping the Colour form march past” by Ibagli - Own work. Licensed under Public domain via Wikimedia Commons
- http://commons.wikimedia.org/wiki/File:Trooping_the_Colour_form_march_past.JPG#mediaviewer/File:Trooping_the_Colour_form_march_past.JPG
The SecCo is, in effect, the glue that binds
separate highly skilled protective security
disciplines together, and ensures they all work
cohesively and in pursuance of a thorough
and carefully considered security plan. Each
of these disciplines deploys very well trained
and experienced officers. Typically, a major
event might see defensive search activity
utilised in order to secure and/or sterilise an
area or building. Where protected persons
are attending, their personal protection
teams will need to operate in an environment
where they are cognisant of the potential
threat to the safety of their principals, and
who is doing what in order to reduce it.
There might be justification for overt, and
possibly covert, armed deployments. Gold
will need to know how such specialists
link in with the deployment of uniformed
officers monitoring crowds, which in turn
will inform the resourcing decisions they will
make. Working and liaising with external
partners is also a key aspect of the SecCo’s
remit. Understanding the intentions of the
event organisers, and satisfying oneself
they have a realistic understanding of what
they are responsible for, is key. Likewise,
event management companies, especially
where they are subcontracting out roles
such as stewarding. A prestigious event
and the perceived kudos it can bring to
a venue will sometimes be a cause of
distraction from realistic expectation, I have
found. It is therefore vital that the SecCo also
develops an effective working relationship
with venue management and maintains a
constructive dialogue leading up to and
throughout an event.
Asking the right questions:
I have learned it pays dividends to ask
external partners to notionally sign up to
a ‘no surprises’ clause, continually raising
questions to remind them of what I would
want to know that might impact on the risk
profile, and accordingly my security plan. I
learned the wisdom of doing so following
one event in particular. It was to take place
on a stage in a public open space and
speeches were to be made. The lead organiser,
by way of a casual remark as we were leaving
the final planning meeting, told me how
delighted she was that the Prime Minister
would now be attending. This was just a
few days prior and painted a very different
picture of risk, to the point of changing the
event profile significantly from my point of
view. This PM was at that time subject to
volatile protest when attending such public
facing engagements. I had asked a number
of times if the guest list had altered, but
on expressing my concern that I had not been
given this information, I was told ‘But he is
on our list of speakers and you didn’t ask me
if that had changed’. So, lesson learnt, off I
went to create a much more robust security
plan, recommending search regimes and
other assets be utilised, where they had not
previously been deemed proportionate. Who
has been invited to the event, or is it a case
of general public access, such as in an open
field site? Where it is invitation only, how and
when have the invitations been despatched?
What, if any, requirements have been made
to ensure the intended recipient is the person
presenting themselves for admission on the
day? Which contractors have been engaged
to support the event logistically and what
do we know about their staff? Is there a
likelihood of casual labour being utilised at
short notice, once the event is in the public
domain for example? These are all typical
questions, the answers to which the SecCo
will want to be satisfied in order to develop
a security plan that identifies residual risk
which Gold is likely to accept.
Selection and Training:
From its origin in the MPS, the SecCo role
has been approved by the Association of
Chief Police Officers (ACPO) and is now a
recommended specialist skill area for each
United Kingdom (UK) police force. Given
the nature and level of negotiating and
influencing often required, senior officers of
at least inspector rank, and commonly chief
inspectors or above, are sought as volunteers
to undertake the role on top of their day
job. The MPS course has developed into a
product delivered nationally through the
College of Policing at Bramshill. I had the
privilege of undertaking the various roles of
course director, professional lead and lead
assessor from 2009-2013. The national course
is now of two weeks’ duration. Delegates
must pass a written examination, and
progress satisfactorily through exercises in
practical application. The course culminates
in delegates presenting an assessed security
plan. Upon passing all elements, they are
classed as ‘occupationally competent’. Within
the following twelve months each SecCo
must shadow more experienced colleagues in
their own force and comply with minimum
standards in terms of both deployment and
Continuing Professional Development (CPD)
activity. Upon doing so, new SecCos are
then considered to have completed their
initial professionalization and are classed as
‘operationally competent’.
National Governance:
Early in 2012 governance of the SecCo
profession was put on a more formal
footing through the establishment of a
National CT SecCo Board, sponsored by the
MPS Commander for Protective Security as
ACPO national lead. As a founder member
of the national board I was pleased to be
involved in the growth of a recognised
and formally approved structure. This
provided a framework for governance of
the continuing evolution of the role. For the
first time a nationally applied role definition
was established:
‘The CT SecCo role is to develop a security
plan with a view to minimising, managing
and mitigating risk in respect of a
policed event or operation in support of
Gold’s strategy’.
This helped to provide clarity on varying
perceptions of the role, bearing in mind the
operational independence of each UK police
force. Such perceptions had, over time, also
led to differing interpretations on when it
was appropriate for a Gold commander to
utilise the services of a SecCo and recruit one
onto the event command team. In seeking
to address this, the board established the
following parameters:
‘A CT SecCo must be considered in respect of
the following –
• public military events
• high profile ceremonial and civic events
• events involving protected persons
• royal visits
• crowded place events, including high
profile sporting events, and
• any other occasion where the
Gold commander believes that the
appointment of a CT SecCo will support
the delivery of a safe and secure event.’
How SecCo Works:
SecCo’s place in the command chain is
somewhat difficult to define as an absolute.
It will to some extent depend on the scale,
type and nature of the event. Although
appointed by Gold, the reality of the role in
major events is that SecCo will usually work
to, and closely with, Silver as the tactical
lead. He is a key member of Silver’s tactical
planning group in the developmental stages
leading up to an event. During the event,
SecCo will proactively monitor intelligence
and information, in order to continually
reappraise threat and risk. He will also
continually assess the effective deployment
of all protective security assets. Where
necessary he will adjust elements of the
approved security plan in consultation with
Silver, subject to Gold’s approval. Applying
security oversight in this way means it is not
a case of ‘we had a plan and we stuck to
it’. Rather, ‘we had a plan and it was good.
We constantly questioned its effectiveness
and made adjustments in the light of
what we found’.
Working with police colleagues, the SecCo
will convene a security tasking meeting.
This gives him the opportunity to gauge
the preferred approach and scope of all
other protective security specialists and
practitioners. He will discuss this with them
in the light of the strategy for the event
that Gold has set, together with all relevant
information and intelligence at that time.
SecCo will task colleagues to submit their
respective plans in order for him to produce
an informed report to Gold. This will detail
the proposed security plan for the event
through a series of specific recommendations.
It is then for Gold to accept SecCo’s report
as one which is proportionate and effective
in reducing risk, or otherwise to discuss and
require adjustments.
The Risk Matrix:
Essentially, the SecCo is seeking to
do three things:
• to target harden
• to reduce vulnerability, and thereby
• to lessen risk
The cornerstone that underpins SecCo’s
considerations is a risk matrix. Within this,
threat is determined by a potential attacker’s
hostile intent together with their capability
to carry out such intent. These two elements,
however, are effectively beyond the direct
sphere of influence of the SecCo.
Where SecCo can have a direct effect
through his security plan is in lessening
predictability and applying control measures
to the event. The more predictable an event
is, the easier it will be for those intent on
disruption or attack to plan how they will
go about doing so. It follows, therefore,
that SecCo will take into account the
predictability of an event when considering
appropriate and proportionate control
measures to be applied in respect of
it. These two elements will influence
vulnerability. The residual risk will result
from a combination of the threat with the
vulnerability pertinent to the event.
Influencing predictability is easier in some
circumstances than in others. Depending
on the venue, it might be relatively
straightforward to introduce subtle changes
to public access points, to raise random
search on entry to total search, or even to
utilise a different entry or exit point for a
protected principal. It will be a very different
matter with an iconic ceremonial event.
Matters of protocol will be significant with
such events, making more challenging any
quick win in terms of lessening predictability.
Where that is the case, SecCo will take this
into account in developing the security
plan and will recommend assets in order
to reduce the residual risk around a highly
predictable event.
In making recommendations to Gold, SecCo
will seek to mitigate against unacceptable
risk (the ‘Clapham omnibus’ test), whilst
providing a proportionate response
taking account of the current threat and
intelligence picture. Control measures will
need to be both achievable and acceptable,
not only to Gold but to all key stakeholders.
With a significant proportion of major events
organised by or involving publicly funded
bodies (local authorities, the military, the
royal household, etc.), it comes as no surprise
that one of the primary influencing factors
of acceptability in recent times is cost.
Dealing with Raised Threats:
An important element of the security plan is
to take account of a changing threat picture
and its effect on the risk profile of the event.
Whilst we can all think on our feet to some
extent, the SecCo’s role in accounting for a
range of unspecified occurrences will reduce
the need to do so in the lead up to and
during an event.
Two events where this was
required of me come to
mind. In 2011 I was SecCo
for part of the state visit
to the UK of His Holiness
Pope Benedict XVI. I had
developed the security plan
for his first engagements
within London, which were
three separate events within
a university college campus.
These were a service within
the college chapel, then an
appearance on stage joining several hundred
school children. This lasted about an hour
and was on an open field site. Finally, His
Holiness attended an inter faith discussion
for religious and community leaders and
other invited guests in a stately ball room.
Each of the three events required a different
blend of protective assets. The campus was
a porous site in terms of the potential for
unauthorised access. This presented certain
challenges, especially with regard to the
event on the sports field, where the Pope
would be visible and static for a prolonged
period. Nevertheless, Gold approved my
plan for all three. I ensured the venue was
secured in accordance with the plan the
night before arrival, and off I went home as
I was getting up very early the next morning
to oversee the security operation on site.
Two hours before my alarm went off I got
a phone call. (What follows is in the public
domain and has been covered by the national
media). I was informed that acting on
intelligence a number of people believed to
be in the advanced stages of attack planning
against the Pope had just been arrested.
However, not all those sought had been
located. I therefore had to assume the real
possibility of an imminent threat to the life
of His Holiness at my venue. Whilst it is not
appropriate to go into the specifics of what
was put in place, I was able to adjust the plan
so as to provide a greater level of reassurance
in the light of the intelligence received. Such
a dynamic challenge led me to reflect on
what is achievable within such a tight time
frame, and to identify which measures would
be likely to require a longer lead in time.
This learning was subsequently fed into the
national training course.
The second example of responding
dynamically to a raised threat has also been
in the public domain and national media.
The two largest ‘crowded place’ events in
the UK are the Notting Hill Carnival and the
Central London New Year’s Eve celebrations.
I was SecCo for the latter for three years
and privileged to work to Commander
Bob Broadhurst (retired) FICPEM as Gold
and Superintendent Roger Gomm (retired)
FICPEM as Silver. Intelligence, whilst not
event-specific, led to concern developing
about a possible marauding attack that could
target our event. Again, for obvious reasons,
I cannot go into specifics as to our response.
Suffice it to say that specialist assets
deployed were significantly increased, both in
number and type. Alongside this, new tactics
were devised that would enable any such
threat to be confronted more effectively than
had previously been considered necessary
for this event. Accordingly, there are now
available to command teams of such large
scale crowded place events deployment
options that would not have existed had
we not had to respond to such a dynamic
threat. Following the logic of the
risk matrix outlined above, this
means risk has been lessened
as a result.
Author Profile
Jonathan retired last year from the
Metropolitan Police Service as a senior
officer in Specialist Operations, serving
in the Counter Terrorism (CT) Protective
Security Command. He is one of the
most experienced police CT Security
Coordinators in the country and has
presented internationally on protective
security and risk reduction in major events.
He was a speaker at CT Expo Crowded Places
conference 2013 and has delivered protective
security and major events command training to
police and governmental organisations in Europe,
Central America and the United Arab Emirates.
He has provided risk mitigation strategies for a
broad range of high profile events, including the
royal wedding of Prince William, the state visits of
President Obama and His Holiness Pope Benedict,
the annual Trooping the Colour ceremonies and
London New Year’s Eve celebrations. He was the
national lead security coordinator for the Olympic
and Paralympic Torch Relays, involving not only
the route, but the safety of numerous protected
persons and crowded places every night over the
seventy days of the event. He led the National
Protective Security Advice Cell during the London
2012 games, giving support and advice through
the National Olympic Coordinator to LOCOG and
government.
Having recently transferred his skills into the
corporate sector, Jonathan currently heads
security and business continuity for a leading
property management company based in the City
of London. He develops and oversees the delivery
of security strategy across a wide portfolio of high
end commercial properties. Jonathan is a fellow of
the Security Institute.
London 2012 Olympic Games, Stratford Gate, Olympic Park
Cyber Attacks
CRISIS MANAGEMENT
IN CASES OF MULTIFACETED CYBER ATTACKS
By Dan Solomon, Director of Cyber Security Services, Optimal Risk Management
Multifaceted Attacks
Response to sophisticated cyber attacks, and
defence against persistent and prolonged
threats is complex. These attacks may be
planned as a campaign of ‘intrusions’ across
multiple vectors, using different methods,
and over many weeks or months. Invariably
the more advanced threats may have
ambitious objectives such as sabotage or
espionage, and are likely to be perpetrated
by well-funded adversaries with access to
advanced methods of digital and physical
penetration. Such converged attacks have
the capability to escalate and progressively
challenge, and even exploit an organisation’s
responses, methods, disparate teams, and
decision-takers.
Given that targeted attacks will rarely
fit a scenario that has been anticipated,
organisations will always need to maintain
‘agility’ in their response capabilities, and be
prepared to respond to and pre-empt a plethora
of plausible attack manifestations. This in
itself has a considerable deterrent factor,
as attackers will be forced to invest time
and funding in increasingly sophisticated
methods to effect a breach and all but the
most determined may prefer to seek ‘softer’
targets. Hence those organisations that are
unprepared are invariably targeted because
they present a more attractive risk-reward
proposition, which requires less attacker time
and investment.
Ultimately, an organisation’s response will
depend on a broad range of factors and how
those factors evolve over the duration of a
cyber crisis. More specifically, the response
will be a ‘converged’ one incorporating
systems, procedures, and decision-taking by
managers. Many of the root causes of current
security weaknesses have been established
by poor management decisions taken over
the past 5-6 years and during a cyber crisis, it
is commonly evident that poor management
decision-making has the potential to further
compound those established vulnerabilities.
In common with non-cyber crises the
response options chosen by managers are
based on judgments and therefore subject to
what is discovered, further guided by what
is understood, driven by what is known, and
what is familiar. The main differentiator of
cyber crises perpetrated by an ‘advanced
attacker’ is the greater complexity inherent
to the crisis, and therefore the greater
chance of failure.
Like any crisis, this is a test of how effectively
the organisation recognises early warning
signals, how it responds to sudden-impact
events, and how it evaluates risk, which
all expose the influence of internalities
or heuristics; weaknesses of management
processes; and flaws in security and crisis
planning. This is compounded by the
more common failings evident in cyber
crises, which are poor risk awareness,
ineffective anticipation, the inability to deal
with uncertainty, and poor preparation.
Progressing through various stages [see
figure 1] from first response through to
situational awareness and analysis, onto
managing the complexity and consequences,
will challenge all the organisation’s crisis
management processes.
To quote the Concise Oxford English
Dictionary a crisis is ‘a time of intense
difficulty or danger’. In the eyes of
organisations, nothing is a crisis until
there is recognition of the full extent of
consequences. Most companies will be
reluctant to classify an incident as a crisis
until they realise how intense the difficulty,
or the extent of the danger. There may be
incidents that are dealt with effectively
and early, and as such they never reach the
point of ‘intensity’ or represent real danger.
However, the minute that the organisation
reaches the realisation that there is danger
or intense difficulty, it is then that a crisis
is upon them. One of the many failings of companies
is the inability to recognise consequences
early, and they may be in the full throes of
a crisis without treating it as such, because
of the lack of awareness or analysis of
likely consequences.
Incident Response
Irrespective of what triggers the first
realisation that an organisation may be
the victim of an attack, and without a
clear perception of whether this is an
ongoing event or not, teams are deployed
with the initial objectives of detection
[what has been detected & identified] and
analysis [type of malware, correlated with
relevant threat intelligence]. Early analysis
is an imperative, to establish the status of
system integrity, and identify any loss of
command and control.
The first steps are therefore to mobilise
the appropriate response, and wait for a
picture to emerge as quickly as possible. This
process may be well understood and should
have been exercised in the past, and the
imperative is to ensure that the right teams,
internal and external, have been mobilised
and are responding. Communications need
to be effective, particularly when dealing
with external parties or staff in other
time zones, and the initial priority is to
manage the communication between the
stakeholders at set intervals, to allow for
the timely exchange of information and
appropriate action.
The early emphasis on managing processes
and communications is central to developing
and maintaining the situational awareness
at this critical stage. Besides the ‘tasking’
of different individuals and teams, the
challenge of monitoring the decisions that
are being taken and evaluating whether
those decisions are based on the appropriate
knowledge, requires close scrutiny to two
main types of processes:
• The process of alerts and indicators and
whether this situational information
is being translated into actionable
intelligence.
• The process of how the intelligence is
appropriately applied, and how this
translates into effective decision-taking.
In the early stage, before the full extent of
the incident becomes apparent, and a fully
informed judgement can be reached about
the scale and scope of the event, it is critical
to resist the temptation to succumb to ‘basic
instincts’ that may shape the response to
unfolding events: The first danger at this
point is complacency in assuming that
the attack will follow the pattern of other
known or previous incidents, and that this
conclusion can be reasonably reached based
on current knowledge.
The core issue is whether the incident
represents a fundamental surprise that was
quite unanticipated even within the context
of the current environment; or a situational
surprise that should have been anticipated
as ‘a possibility’ in the current conditions.
In either case the first question should be
whether events fit a scenario that has been
anticipated, and if this is only partially the
case, whether the incident is ‘what it seems’.
In order to put events into appropriate
context, it is important to avoid reaching any
partial conclusions and resorting to a premature
reaction, and rather to keep asking the right
questions: What don’t we know? What
could happen next?
However it is important to recognise early
where there is no templated response plan
for the potential scenarios that the incident
may fit into, and whether an existing plan
can be appropriately applied and adapted.
If the attack has been a ‘converged’ one,
then a priority is to differentiate between
the symptoms and the causes [particularly if
there is the possibility that the attack is being
facilitated by an ‘insider’ or any planted
hardware] and consider whether this incident
is still an ‘IT problem’ and how to respond to
that possibility.
The challenge at this early stage, especially
when faced with a fundamental surprise or
a level of malicious sophistication that had
not been anticipated, is to maintain clear
and rational consideration under increasing
pressure as the organisation may already be
experiencing the impact of a breach, and
the consequences escalating. There are many
reasons why failures become apparent at
this stage including lack of intelligence or
‘early warning’, and an over-dependence on
these systems.
Figure 1 - managing the phases of a cyber attack
These common complaints are usually
surpassed by the more complex causes
of decision-making failure due to
misinterpretation, and analytical bias such as
a tendency to focus on more familiar aspects
of the initial attack or those that have
been best rehearsed and prepared for. This
propensity to view events within the context
of the more ‘probable’ scenarios severely
hampers the taking of appropriate decisions
at this initial stage, when established
assumptions about vulnerabilities are being
challenged, and managers are faced with new
uncertainties which expose their threat-
awareness as being outdated.
The Attack Evolution
An advanced attacker will employ a multi-
phase attack and the evolution of the
attack to a second phase is invariably the
‘make or break’ point of the incident and
will determine whether it becomes a crisis.
As the event takes a new direction, the
organisation will be tested to apply and
adapt the knowledge that has been built up
to this point. More importantly it will force
a reassessment of the situation, particularly
if the evolution had not been anticipated,
and raises the important issue of whether the
new development affects decisions taken so
far, and whether previous decisions have now
become counter-productive in the context of
the new reality.
For the crisis leader this should launch a
new cycle of tasking and the priority is to
ensure that the new impact is integrated
quickly into team understanding, and triggers
appropriate response, or proactive actions.
If the situational analysis is accurate at this
point the leader should be able to take more
proactive steps to limit further escalation,
and assess whether to deploy additional
resources, and measures, in parallel. However,
poor decisions taken previously, or the many
potential causes of failure, may all act to
limit the effective options at this point, not
least may be the lack of effective capabilities.
The escalation of the attack is likely to
prompt a re-evaluation of risk as the severity
of the breach has become apparent. The risk
analysis at this point will invariably require
an enterprise assessment of the possible
implications from the recent turn of events
in terms of business operations continuity,
revenue recognition, client/customer impact,
reputation, and input from the legal team.
This will require a clear view of the likely
implications as well as the already apparent
impact of the attack, and this analysis should
have been accumulating throughout the
incident if the indicators are effective, and
the appropriate staff properly involved. The
demarcation between security operations and
incident response & forensics [often through
external specialists] that are both tasked with
tackling threats, and the interface with
a specific team that is tasked with assessing
risk, can become complex as a single
situational analysis is collated.
Crisis Management
As a risk team is assembled to evaluate the
implications, the incident will now have
been deemed a crisis and will trigger the
involvement of a crisis management team
comprising a broader mix of senior
managerial and departmental responsibilities
to handle enterprise-wide implications. As
the previous path of ‘containment’ has run
its course, the escalation of the incident to
the crisis management team will introduce
more complexity to the situation. For the
organisation that has not faced such a
crisis before, or not exercised a cyber crisis
scenario, the issues that need to be addressed
are immediate and potentially serious,
because the crisis management team needs
to be ‘fit for task’ with the correct levels of
seniority and capability of staff, as the attack
has become more sophisticated, and the
impact more severe.
The introduction of the new team into
a dynamic and evolving event is fraught
with difficulties in a multi-phase attack,
in deciding at what stage the crisis
management team should become involved,
based on an assessment of how quickly it
will become effective, and how it should
support the response. Before the incident is
deemed a crisis, it may be viewed as counter-
productive to involve the crisis management
team. Foremost, without complete situational
awareness and analysis, it is difficult to brief
the team sufficiently for it to choose the
appropriate course of action and how to
enact a response.
More importantly the team, or senior
members of the team may hamper security
or business continuity decision-making by
placing their departmental or functional
priorities ahead of the overall risk to the
enterprise. For the crisis leader, failing to
effectively manage the interface of one
‘informed’ Chief Information Security
Officer (CISO) with increasingly ill-
informed senior executives and division
heads, and managing their inputs as a
complex attack unfolds, often leads to ‘bad
decisions’ that exacerbate the crisis. This
is particularly the case as consequences
become increasingly apparent, in respect
of inappropriate external communications
with shareholders, suppliers, and attempts to
manage customer expectations and minimise
reputational damage. Managing post-crisis
consequences then has the potential to
become a destructive process of review,
attribution and blame.
Large companies will have different teams/
functions particularly for security operations
and incident response/forensics. In many
instances the incident response/forensics will
be experts like Optimal Risk brought in from
outside. Sometimes there will be a risk team
appointed from within the organisation to
assess risk on an ongoing basis, and in some
cases there is cross membership between
this team/committee and others. Crisis
management should have its own team with
the appropriate skills, qualifications, and
authorisations to take appropriate decisions
and this invariably is a group of much more
senior and cross-functional directors. In some
cases these functions are poorly staffed or
non-existent, and that contributes to the
problem. The Crisis Management Team can
become disconnected from the problem and
can respond inappropriately to the crisis
without the proper integration into the
process, and we see this again and again
when Managing Directors storm in and
micro-manage matters that they should not.
Preparing for the Future
The status of ‘crisis’ could be defined by
the potential implications of a security
incident, and in the future it is increasingly
likely that cyber incidents will become
crises, as cyber attacks could lead to severe
impact outcomes, and therefore should
now be considered a board-level concern
and tier-1 threat. The main principles of
crisis management leadership do not differ
fundamentally for cyber crises, but this paper
has described how the management of a
cyber crisis is considerably different when
faced with an ‘advanced attacker’ employing
sophisticated deception. This cyber ‘context’
is not only the most relevant for the present
day, but also the most challenging context in
which managers & leaders need to adapt and
respond effectively to crises that will severely
challenge their abilities.
The characteristics of multifaceted attacks
now compel organisations to adopt a
more proactive approach to security, so it
is disingenuous to consider crisis response
without crisis prevention. In the future the
ability to recover from a severe breach will be
increasingly difficult and slow, and so it will
be a much greater challenge to be sure that
an organisation is resilient or ‘quickly able to
bounce back and resume normal operations’.
The nature of advanced threats such as
espionage or sabotage significantly limits
the effectiveness of reactive measures for
defending against cyber attacks, and severely
complicates incident response options, and
the feasibility of achieving ‘resilience’ has
to be questioned.
Anticipating the characteristics of an
‘advanced attacker’ incident requires a
degree of heightened awareness that will
support the simulation of outcomes and
consequences: at first, in theoretical terms so
as to assess how best to further explore the
process of preparation; and latterly in real-
world conditions to identify vulnerabilities
and ‘learn from experience’. Without a
prepared and rehearsed response to a well-
anticipated scenario the response is likely to
be poor, and the recriminations broad.
Preparing for crisis management scenarios,
and developing crisis management
capabilities needs to commence now: as
soon as possible before the next crisis. The
first conclusion that should be reached is
that crisis managers and leaders need to be
informed and prepared for what they might
face, and refine the processes & procedures
to cope with a severe cyber event, and
this should inform the establishment of
more comprehensive preventative security
measures. It should also be recognised
that failure to prepare is a failure of
organisational leadership.
Specifically, leadership for a cyber crisis
needs a risk-informed manager, with a
clear appreciation of converged threats
who can develop board-level appreciation
of the security risk landscape. Managers
tend to build on hindsight, and in this, they
focus excessively on past threats and past
experience: irrespective of the rapid evolution
of the threats. Similarly, they focus on their
best-known vulnerabilities, often because
they have been previously targeted, and
managers have been forced to focus on what
those most recent vulnerabilities were. Their
failing is typically lack of insight. Insight
into what is within their threat landscape,
insight into what the potential impacts could
be on the organisation, and insight into the
pace of evolution.
To plan how the organisation should defend,
respond, recover, and ultimately ‘prepare’
for multiple variants of sophisticated
scenarios, is a complex process that exposes
the natural weaknesses of organisations
that struggle with complex problems, and
integrated processes. However, effective
preparation for both defence and response
requires an integrated approach with the
common aim of developing resilience, which
cannot be broken down to a ‘simple’ formula
because it is becoming increasingly futile
to consider the individual elements of a
complex and persistent attack in isolation
in order to construct defence against
individual elements of advanced threats. This
is particularly the case if the construction
of an effective defence is not risk-informed
and intelligence-led as far as possible,
and this is especially short-sighted if the
converged nature of enterprise security risk
is not apparent to security planners that are
required to assemble a converged response.
To achieve high levels of security, the
process of security is becoming increasingly
complex and it must now integrate different
elements of the organisation’s preparedness
& planning into an overarching converged
framework to include systems, processes,
policy and management practices. The
need for physical and cyber security
domains to collaborate, challenges both
functions to dovetail their capabilities
effectively, and many organisations struggle
with coordinating security planning and
incident response. In the majority of cases,
organisations rely heavily on well-developed
business continuity plans and tend to
neglect the development and exercising of
defensive and response capabilities against
different advanced scenarios and this has the
potential to hamper their ability to handle
the unexpected or unfamiliar aspects of the
‘next threat’.
Napoléon once said ‘uncertainty is the
essence of war, surprise its rule’ and
preparation for serious security incidents
must be built on the assumption that there
will be surprises, and the organisation’s
response will have to tackle the unexpected.
This raises two issues: Firstly the nature of
the response and capabilities; Secondly the
ability to deal with the unexpected which is
founded in managerial ability & experience.
Unfortunately experience is gained over
a long period of time, and experience can
also degrade over time, particularly with
staff turnover.
A critical gap exists where organisations
need to ‘exercise’ the ability to anticipate
the unexpected, be able to identify
uncertainties and factor them into their
planning, and tackle them head-on. The
process of simulating real-world attacks
and analysing the performance of security
apparatus forensically to determine its
strengths and weaknesses is a key platform
of organisational preparedness, not only
because ‘practice makes perfect’ but because
it develops an organisational preoccupation
with ‘what if’ scenarios, and the failure to
deal with them effectively. The essence of a
pre-emptive approach should be based upon
developing foresight. Applying a forensic
approach to doing so is key to developing
insight into both probable and plausible
outcomes of a breach. The adage that being
forewarned is forearmed is always the
justification for investing in maintaining
awareness and preparation.
Good management practice and preparedness
requires ‘the ability to anticipate events
long before they happen, and develop a
planned response to each scenario’. The
essence of anticipation is to identify threats
no matter what the levels of plausibility or
probability, and in doing so managers need to
accept that the lower probability events are
invariably higher-impact ones. In developing
and refining capabilities, managers need
to be able to review flaws in their plans –
regularly – and spot the barriers to effective
performance through security exercises.
A preoccupation with failure is essential
to combating the complacency that
tends to set in, and it is an attitude that
characterises ‘high-reliability’ teams that
require a near-perfectly synchronised and
effective performance on every occasion. It
requires a commitment to being proactive
in the process of planning – testing –
and reviewing, and this is central to
organisational resilience. This must counter
any tendency to over-simplify plans and
procedures, as the threats are increasingly
sophisticated. So ‘defence’ needs to match
the levels of innovation and sophistication
that threat actors are introducing. If
organisations are not running exercises, not
refining plans, not preparing capabilities, or
not anticipating future events, then their
shareholders and customers cannot have any
confidence in the organisation’s resilience to
sophisticated attack, or ability to survive the
consequences.
Author Profile
Dan Solomon is Director of Cyber Risk & Security
Services at Optimal Risk Management Ltd. He is
a leading proponent of a converged approach to
security risk, and is a regular presenter and chair
at leading cyber security conferences. He is an
industrial espionage specialist and a practitioner
of FAIR [Factor Analysis of Information Risk]
methodology. He is a prominent advocate of red
teaming, and a pioneer of cyber war games as an
approach to developing organisational resilience.
He joined Optimal Risk in 2013, after 3 years
as a Senior Partner at Hawk ISM. During that
time he also served as Director of the Homeland
Security Program at The Atlantic Council UK, and
has published & spoken around the world on
Intelligence Analysis & National Security, Critical
National Infrastructure Protection, Cyber Security
and Enterprise Security Risk Management.
Web: www.optimalrisk.com
Tel: +44 870 766 8424