Journal of the Institute of Civil Protection and Emergency Management
Autumn
2014
Marauding Terrorist Firearms Attack
Medical cover at airshows
Cyber attacks
Pet evacuation
Beyond the fire risk assessment
PROPORTIONATE
ARRANGEMENTS
ICPEM // Alert // Autumn 2014
Contents
Membership Matters
Thoughts from the Chair
Editorial
European News
Branch News: Scotland
Branch News: North West
Announcement: Emergency Services Show
Special Interest Group
Updates: Joint Emergency Services Interoperability Programme
Updates: The Social Action, Responsibility and Heroism Bill
Incident Reports: Westgate terrorist attack
Feature: The Role of the Counter Terrorism Security Coordinator
Feature: Crisis Management in Cases of Multifaceted Cyber Attacks
Role profile: Raynet
Feature: Medical support at air displays in the United Kingdom
Feature: Can I bring Rover?
Feature: Beyond the Fire Risk Assessment
ICPEM membership details
Contacts
Membership matters I
Subscriptions are the lifeblood of the
institute and they can be paid by:
Standing Order
Direct Debit
Cheque
Bank transfer
The institute also benefits from Gift Aid when
you sign up for it, and all the relevant forms
are available for download from the website.
Whatever arrangements you have made for
your subscriptions, can you please ensure
that they are in place, active and have valid
details. Some subscriptions from the start of
the year remain outstanding, so could you
please check? If you have any queries about
arrangements for payment, please contact
the Treasurer (see contact details on the back
page of the journal).
Membership matters II
The Registrar makes a special plea for
members to keep their contact details
and preferences up to date. We make
every effort to keep records accurate, to
ensure that members receive all relevant
communications.
Email and the website will be the main means
of getting information to members, so it is
vital that email addresses are spot on.
You can download an update form from the
website under the membership tab.
Membership matters III
Membership fees remain at the 2013 rate for
2014. Membership fees are due on 1 January
of each year. So, once again, please check
that you have paid the required amount.
Events
If you are holding an event that other
members of the institute might be able to
assist with or attend, such as exercises, and
seminars, please let the Managing Editor of
Alert and the Webmaster know and they can
be advised. The ‘public’ view of the website
includes a calendar of events across the
spectrum of interests, so we would like to
have information on anything that you think
might be relevant.
What else do you do?
Members come from many different and
interesting backgrounds and take part in
many interesting activities. We would like to
reflect these activities and achievements in
Alert in order to show the ‘human’ side of
its membership. So, if you have something
unusual or interesting that you get up to, let
the managing editor know, with some photos
if you have them and we will publish them in
forthcoming editions.
MEMBERSHIP
MATTERS
Malcolm Parker, membership@icpem.net
NEW MEMBERS
For a comprehensive update of new
members please visit the website
at www.icpem.net
Front Cover Photograph: “Crowd fleeing sounds of
gunfire near Westgate” by Anne Knight - Direct personal
communication between copyright holder and uploader.
Licensed under Creative Commons Attribution-Share Alike
3.0 via Wikimedia Commons -
http://commons.wikimedia.org/wiki/File:Crowd_fleeing_sounds_of_gunfire_near_Westgate.jpg#mediaviewer/File:Crowd_fleeing_sounds_of_gunfire_near_Westgate.jpg
This is my first view from the Chair having
been elected this spring. Aviation disasters
and conflict seem to have been the most
notable events of the last 6 months with the
baffling disappearance of Malaysia Airlines
MH370 on 8 March and the now assumed
tragic loss of 239 lives on-board followed by
the shooting down of MH 17 on 17 July with
the loss of all 298 passengers and crew. The
continuing violence in Syria, Afghanistan,
Iraq, Gaza and Israel confirms we are not a
world at peace and now the Ebola outbreak
which was first identified in Guinea in March
and has since spread to Liberia, Sierra Leone
and Nigeria in Africa reminds us just how
vulnerable we are in this ‘modern’ world.
The natural disasters have not let up either
this year with mudslides in Argentina, floods
in Bolivia, an earthquake triggering fires
in South Africa, flooding and landslides in
Burundi, floods in the Sudan, an earthquake
in Iran, Pune landslide and Odisha floods in
India, landslides and flooding in Nepal, an
earthquake in China, a typhoon in Korea
and a landslide and a volcano eruption in
Indonesia have all killed hundreds of people.
The ICPEM, with its many partners including
the Emergency Planning Society (EPS) and
The Security Institute have a role to play
both nationally and internationally in helping
our government and in turn third world
governments to ensure they have prepared
for disaster along with the training to
respond to the many natural and man-made
disasters that beset us each and every year,
with what seems like a quickening pace. We
need to enlist the help of all our colleagues
and professionals in the field and speak with
one voice from city, county, country and
government levels. The ICPEM and the EPS
would like to help lead that charge and are
exploring the bringing together of our two
organisations to have a stronger more unified
voice to assist our communities and the
world in the field of Resilience.
I would also like to thank all the new
volunteers who have stepped into the breach
to assist in running your institute and would
urge all of you to get involved at a local,
national or international level to contribute
to the discussion, research, training or
delivery of resilience for the good of
your communities.
Thoughts from the Chair
FIRST VIEW
By Les Chapman BEng MBA CMarTech FICPEM FIMarEST AFNI
“Boeing 777-200ER Malaysia AL (MAS) 9M-MRO - MSN 28420 404 (9272090094)” by Laurent ERRERA from L’Union,
France - Boeing 777-200ER Malaysia AL (MAS) 9M-MRO - MSN 28420/404Uploaded by russavia. Licensed under Creative
Commons Attribution-Share Alike 2.0 via Wikimedia Commons
“Map of search for MH370” by Soerfm - Own work.
Licensed under Creative Commons Attribution-Share
Alike 3.0 via Wikimedia Commons -
http://commons.wikimedia.org/wiki/File:Map_of_search_for_MH370.png#mediaviewer/File:Map_of_search_for_MH370.png
Editorial
It gives me great pleasure to introduce the
Autumn 2014 edition of Alert which,
thanks to the members and interested
parties, includes a diverse range of articles.
Since the Spring edition of Alert, it is hard to
believe how the national state of affairs has
changed so dramatically both in terms of conflicts
and natural disasters. I would like to focus briefly
on the Ebola situation.
The Ebola outbreak was first reported in West
Africa during March this year and has rapidly
become the deadliest occurrence of the disease
since its discovery in 1976. The World Health
Organisation (WHO) has declared an International
Public Health Emergency. Many people have died,
with Sierra Leone, Guinea and Liberia reported to
be the worst-affected. The 2014 outbreak dwarfs
previous epidemics, with WHO figures indicating
that as of 11 August there were 1,975 probable,
suspected and confirmed cases, and there had
been 1,069 deaths.
Ebola is named after a river in the northern part of
the Democratic Republic of Congo. Statistically, it
is a relatively trivial disease, killing a few thousand
people since its discovery in 1976. In contrast,
malaria and tuberculosis each kill several million
people each year. Measles killed 122,000 in 2012.
Yet, Ebola has captured the public imagination.
It is not known which animal harbours the virus
although bats have long been suspected, and this
makes prevention and control difficult. The clinical
manifestation is dramatic, with rapid progression
from infection to cell death and symptoms that
can include bleeding, vomiting and diarrhoea. The
fatality rate is high, ranging from 50% to 90%.
As the medical professionals and scientists race
to address the problem, an ethical dilemma has
erupted. It is a well known fact that the Ebola
virus has no treatment and no vaccine available
in the market today. But there are
several pharmaceuticals working
to develop a treatment. The United
States government tested the new
drug ‘ZMapp’ on two Americans
infected with the virus. There was
a public protest on why the drugs
were given to the Americans and
not made available to the general
public. This raised several ethical
issues in relation to who should
first receive the limited supplies of
a potentially life saving drug and
also, is it appropriate to distribute
an untested treatment. The World
Health Organisation has to balance
the need to contain the spread of a
rapidly spreading deadly disease and
satisfy the legal and moral aspects
of distributing limited supplies
of untested, but potentially life
saving treatments.
The ReliefWeb is an excellent
website where all natural disasters
are listed with a brief explanation of
the event and the current status.
Visit: www.reliefweb.int
Dave.dowling@icpem.net
EDITORIAL BOARD
Tony Moore (Chair) MPhil FICPEM
Dave Dowling (Secretary) MEd BSc(Hons)
MICPEM MIFireE MCMI TechIOSH
Professor David Alexander PhD Prof FRGS
FRSA FGS FICPEM
Professor Frank Gregory, Hon FICPEM
Professor Gary Silver MSc GCE LLS
(QTLS) FICPEM FEPS
ALERT EDITORIAL
By Dave Dowling MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH
Professor Ian Davis, PhD
Hon FICPEM FPWRDU
Dr Karen Reddin PhD FICPEM
Kevin Arbuthnot QFSM MPhil
DMS FICPEM FIFireE
Mike Broadbent MSc BSc CEng CSci CEnv
FICPEM FHEA FICE MCMI
Dr Sarita Robinson PhD MSc FICPEM
This image is a work of the Centers for Disease Control and Prevention, part
of the United States Department of Health and Human Services, taken or
made as part of an employee’s official duties. As a work of the U.S. federal
government, the image is in the public domain.
European News
TERRORIST ATTACK IN BELGIUM
By Lina Kolesnikova MSc FICPEM
On 24 May, a gunman shot dead two
women and a man - they were an Israeli
couple in their 50s, and a French female
volunteer - at the Jewish Museum in Brussels.
A fourth man, a Belgian employee at the
museum, who was seriously wounded, died in
hospital on 6 June.
The attacker had arrived by car, got out,
fired on people at the museum entrance, and
returned to the vehicle that then sped away.
The attack was recorded by the museum’s
CCTV system and the police were able to
circulate it, through media companies, to
a wide public audience in an effort to
identify the gunman.
One week later, the suspect, 29-year-
old Mehdi Nemmouche, originally from
Roubaix on the Franco-Belgian border, was
arrested at the Saint-Charles train station in
Marseille, France, having arrived there by an
overnight coach from Brussels. A Kalashnikov
automatic rifle with Islamist markings, a
revolver and ammunition similar to those used
in the shootings were found in his luggage
during a routine drugs check by customs
officers. With the weapons, there was a white
sheet emblazoned with the name of the
Islamic State of Iraq and the Levant, a jihadist
group fighting in Syria and Iraq. French
authorities also found press cuttings on the
museum attack and a film for a miniature
camera holding a record in which he appears
to admit the attack. The Belgian federal
prosecutor, Frédéric Van Leeuw, said that it
appeared that the suspect had tried to film
the killings but his camera had failed.
Mehdi Nemmouche is a convicted criminal
with a troubled childhood who became a
Syrian jihadist soon after he left prison
in France in January 2013. He returned to
Europe two months prior to the attack and it
is believed that he spent some time in Britain.
President Hollande later pointed out that the
suspect re-entered Europe through Germany
and then moved on to Belgium. However,
in France he was under close surveillance.
This suggests that despite declared concerns
about militants of European origin returning
to Europe after having fought in Syria,
there is little control over the movements of
such people and Europe-wide
cooperation in following ex-Syrian fighters is
inadequate. It would appear that such people
can be under surveillance in one EU country
but they can easily move to another
EU country without vital information being
passed to the second country.
There are still many questions about the Brussels
attack, but the main ones are:
•	Did the terrorist act alone?
•	Did he get orders from any terrorist
group or was the attack carried out on
his own initiative?
If his involvement in the Brussels attack
is proven, Mehdi Nemmouche will be the
first European jihadist volunteer in Syria to
have committed an act of terrorism upon
his return to Europe. That leads to a third
question. Was this an isolated incident or is
it the first of a number of attacks, turning
European fears into reality?
MOSCOW UNDERGROUND DISASTER
On 15 July at 08:39 a.m. (Moscow
time) several carriages at the front of a
packed underground train, travelling from
the north-west of Moscow to the city centre,
derailed between Park Pobedy and Slavyansky
Bulvar on the Arbatsko-Pokrovskaya dark
blue line of the Moscow Metro.
As a result 23 people died and more than
160 were seriously wounded, some of whom
were still in a critical condition at the time
of going to press. Most of the dead and
seriously injured were in the front of the
train because, as a result of the derailment,
the carriages concertinaed together as those
from the rear hit those in front. Among the
dead were a citizen of China and one from
Tajikistan; the injured included residents
from 12 Russian regions and five countries
– Ukraine, Moldova, Tajikistan, Uzbekistan
and Kyrgyzstan.
Park Pobedy (Victory station), where the disaster
happened, is the deepest metro station in
Moscow, 84m underground, which made
the rescue operation particularly difficult.
More than 1,100 people were evacuated.
Some of those hurt were carried out of
the tunnel on stretchers, with the most
serious cases airlifted to hospital.
The cause of what was one of the
worst incidents on the Moscow Metro
is reported to have been a power surge.
But the real cause would appear to be
inadequate maintenance work carried
out in May, when a switch mechanism
was repaired by a track supervisor and
his assistant with ordinary 3-mm wire
which, at a crucial moment, snapped.
Three people were subsequently
detained on charges of negligence; and
a thorough investigation is underway.
Meanwhile the Chief Executive of Moscow
Underground has been fired.
The Moscow metro, one of the world’s
busiest, is a vital transport artery for the city,
transporting more than nine million people
on weekdays because of heavy traffic on the
streets. It covers 325.4 kilometres of route,
and includes more than 194 stations. Moscow
is a leader among world capitals for traffic
jams, so the metro is nowadays the only
way to travel in the busy city. Critics accuse
the authorities of spending too much on
extending the metro system, and not enough
on maintenance of infrastructure. A high level
of corruption, mismanagement, cost-cutting
practices and the system of sub-contracts are
the main factors in the low safety level of the
Russian transport system.
CRASH OF MALAYSIAN FLIGHT
Malaysia Airlines Flight MH 17 was
shot down on 17 July 2014 during the
ongoing military conflict in Ukraine whilst
on a scheduled international flight from
Amsterdam to Kuala Lumpur. The wreckage
came down in eastern Ukraine close to
the border with Russia. All 283 passengers,
including 80 children, and 15 crew members
were killed. At the time of going to press,
it is believed that the aircraft was shot
down by a Soviet-designed Buk surface-
to-air missile fired from within territory
belonging to Ukraine but controlled by pro-
Russian separatists.
A view of collapsed Maxima supermarket in Riga, Latvia, Saturday, Nov. 23, 2013
On 21 October 2013, a female suicide
bomber set off an explosive device on a
bus, killing 7 and injuring 36 people; on 29
December a male suicide bomber set off an
explosive device in a train station, killing
18 and injuring about 50 people; and on
30 December a male suicide bomber set off
an explosive device on a trolleybus, killing
16 and injuring 41 people. At the time of
going to press, there are many unanswered
questions. For instance, who (which group)
is responsible for these terrorist attacks?
Who, precisely, are the perpetrators of
these attacks? To date, no-one has claimed
responsibility and only the female suicide
bomber who was involved in the 21 October
incident has been identified. Are these
attacks related to a threat made in July
2013 by Doku Umarov, the leader of a
Chechen separatist group known as the
Caucasus Emirate, to disrupt the Sochi
Winter Olympics? Umarov is already Russia’s
most wanted man, having been involved
in a number of terrorist attacks in Russia,
including one outside the Chechen
Interior Ministry in 2009; the bombing of
the high-speed Nevsky Express train, in
which 28 people were killed, also in 2009;
the bombings of the Moscow subway that
killed 40 people in 2010; and the bombing of
Domodedovo Airport in Moscow in 2011, that
killed 36 people. When the answers to these
questions become clearer, I will write further
on these terrorist attacks.
Author Profile
Lina Kolesnikova is an independent expert in risk,
crisis and disaster management based in Brussels.
She is currently the Institute’s representative to
the European Union.
Branch News
Northwest Branch
Dave Dowling MEd BSc(Hons)
MICPEM MIFireE MCMI TechIOSH
An event planning meeting with Executive
members of the North West (NW) Branch of
the Emergency Planning Society took place
during August with the aim of developing
a joint activity.
The original plans for an event at the
Warrington Peace Centre with a theme of
psychological support for the victims and the
responders, will be postponed until next year.
The current plan is to arrange a joint visit to
a nuclear power station during November
followed by a branch meeting. More
information will be provided in due course via
the local network.
The Emergency Planning Society annual
conference is planned to coincide with the
Emergency Services Show on the 24th and
25th September. The theme will be ‘resilience’
with speakers invited to talk about the
Fukushima nuclear power plant incident.
Anyone interested in joining the North West
Branch should contact Dave Dowling on
dave.dowling@icpem.net
Scotland Branch
David Dalziel QFSM MA FICPEM FInstLM
On the Right Tracks: A Resilient
Transport Perspective on the 2014
Commonwealth Games
The 2014 Commonwealth Games in Glasgow
required a huge multi-agency commitment to
ensure the safety of athletes, games visitors
and local communities together with the tens
of thousands of people visiting Glasgow. A
resilient, safe and integrated transport system
across Scotland was an essential feature of
those arrangements.
Global coverage of the event throughout the
duration of the games brought significant
pressure on every agency to ensure that
they were at the highest state of readiness
with robust planning, sound contingency
arrangements and highly effective response
capability well embedded.
One shining example of that was the
partnership between Network Rail in
Scotland, ScotRail (the train operating
company that operates 95% of all services in
Scotland) and British Transport Police (BTP).
ScotRail anticipated delivering over one
million passenger journeys over the 11 days
of the games and trained over 3000 of
their staff to enhance passenger experience
over that period.
Network Rail has responsibility for all rail
infrastructure across the UK and directly
manages the main railway station in Glasgow.
They carried out a huge amount of work in
preparation for the games including advancing
upgrade and routine replacement engineering
projects to provide the highest possible level
of safety as well as minimising potential delays
due to faults and freeing up key staff in case
of any incidents.
Network Rail made special arrangements
for the rapid deployment of resources and
specialist staff including joint staffing of
rapid response 4 x 4 vehicles with British
Transport Police. This contingency was further
enhanced by the deployment of two of
Network Rail’s Eurocopter AS355 helicopters
which were also dual crewed by police
officers from BTP.
As part of the command and control
arrangements both Network Rail and ScotRail
route control centres (co-located in Buchanan
House in Glasgow) underwent additional staff
training on contingency arrangements for the
games linking to the Transport Coordination
Centre in the East end of Glasgow close
to Celtic Park.
Adopting areas of best practice from the
2012 Olympics and adapting them to suit
local circumstances all three organisations
established very comprehensive training,
staff awareness and robust contingency
arrangements to help deliver a safe and
successful 2014 Commonwealth Games.
David Dalziel on Scotland@icpem.net
Regional zones of the ICPEM within the UK and Ireland
Announcement
Introduction
From emerging technology to the latest
training and techniques, the upcoming
Emergency Services Show has it all
covered. Aimed at all personnel involved
in emergency response, planning and
recovery, the free-to-attend event taking
place at the NEC in Birmingham on 24
and 25 September features indoor and
outdoor exhibition of over 400 stands,
free seminars and workshops.
Free Seminars and Workshops
Two free seminar programmes will run
at this year’s event for the first time.
The Interoperability Seminars, developed
in partnership with the Joint Emergency
Services Interoperability Programme
(JESIP), will include case studies on
successful multi-agency working presented
by responders from Lincolnshire Emergency
Services and Dorset Emergency Services.
National Occupational Standards,
winter flooding and the future role of
Local Resilience Forums are also on the
agenda and representatives from JESIP,
the College of Policing, CFOA National
Resilience, the National Ambulance
Resilience Unit (NARU), Skills for Justice,
Cabinet Office and the Environment
Agency will all be speaking. Meanwhile
the Innovation Seminars will cover the
latest developments in PPE, Body Worn
Video (BWV), ambulance design, social
media and mobile communications. The full
seminar programmes will be published on
www.emergencyuk.com
Meanwhile the College of Paramedics will
be returning with its popular Continual
Professional Development (CPD) sessions,
comprising a mix of free 30-minute
lectures and workshops.
INNOVATION AND INTEROPERABILITY
AT THE EMERGENCY SERVICES SHOW
2014
UK SAR Zone
The UK SAR Zone will
bring together Mountain Rescue
England & Wales, Association of Lowland
Search & Rescue, British Cave Rescue
Council, RNLI, Maritime and Coastguard
Agency and RAF Mountain Rescue to
promote the search and rescue capabilities
of the UK’s emergency responders.
ICPEM to Network in Emergency
Response Zone
The promotion of multi-agency working
between the key emergency responders
and their partner agencies is the heart of
the show, with a dedicated networking
area – the Emergency Response Zone
sponsored by Draeger UK – featuring
over 80 support responders, voluntary
sector partners and NGOs including the
Institute of Civil Protection and Emergency
Management (ICPEM). Stands of interest
include CFOA National Resilience,
NARU, Public Health England, Training 4
Resilience, JESIP, Home Office ESMCP,
British Association of Public Safety
Communications
Officials and AA
Special Operations.
Running alongside The Emergency Services
Show in private rooms located in the
atrium will be a number of key meetings
held by industry bodies. These include
the Emergency Planning Society’s annual
conference on 25 September.
Getting there:
•	Physically linked to Birmingham
International Airport and Birmingham
International Station
•	Discounted travel for visitors using
Virgin Trains (see www.emergencyuk.com
for details of how to apply)
•	Direct Access to UK motorway network
•	No parking costs
•	Coaches will run from Birmingham
International Station to the exhibition
halls.
Emergency Services Show
To register and to view the
latest seminar programmes visit
www.emergencyuk.com
ASSURING THE RESILIENCE OF THE NHS IN ENGLAND
David Dalziel QFSM MA FICPEM FInstLM
The NHS is one of the most high profile
organisations in the UK and of huge
public, media and political importance.
It has one of the largest budgets and is
amongst the biggest employers in the UK.
Ensuring that all parts of the system (often
referred to as the ‘health economy’) are
able to respond to major incidents and
emergencies, continue to deliver optimum
care during disruptive challenges, have
effective business continuity arrangements
in place and are able to quickly return to
normal is vital to communities across
the UK. As NASA said on the Apollo space
missions, ‘failure is not an option’.
The NHS needs to be able to plan for and
respond to a wide range of emergencies and
incidents that could affect health or patient
safety. This could be anything from severe
weather to an infectious disease outbreak or
a major transport accident. Under the Civil
Contingencies Act 2004 NHS organisations
and providers of NHS funded care must
show that they can effectively respond
to emergencies and business continuity
incidents while maintaining services to
patients. This work is referred to in the health
service as emergency preparedness, resilience
and response (EPRR).
In April 2013 the NHS in England underwent
massive reform creating, amongst other
bodies, Public Health England, NHS
England, various Trusts and the formation
of Clinical Commissioning Groups (CCGs)
who, by definition, are responsible for
significant parts of the NHS budget and
commissioning care.
The Health and Social Care Act 2012
provides the statutory basis for these
structures. The Civil Contingencies Act 2004
specifies the respective duties of ‘health’
responders and these are:
Category 1 responders
•	Department of Health on behalf of
Secretary of State for Health
•	Public Health England
•	NHS England
•	Local authorities (Directors of Public
Health)
•	Acute service providers
•	Ambulance service providers
Category 2 responders
•	Clinical Commissioning Groups (CCGs)
•	NHS Property Services.
Primary care (including out of hours
providers), community providers, mental
health, specialist providers and other NHS
organisations (for example NHS Blood,
Transplant and NHS Supply Chain, 111) are
not listed in the Civil Contingencies Act 2004;
however, the Department of Health and
NHS England guidance expects them to plan
for and respond to emergency and business
continuity incidents in the same way as
Category 1 responders in a manner which is
relevant, necessary and proportionate to the
scale and services provided.
These obligations are contained within the
contracts issued by clinical commissioning
groups although, thus far, there has been
a ‘light touch’ approach to assuring the
extent of resilience beyond the Category 1
responders within the NHS.
In fulfilling its responsibilities on behalf
of the Secretary of State, the Department
of Health represents the health sector in
the development of UK government civil
resilience and counter terrorism policy,
with scientific and technical advice from
Public Health England and liaising with
international organisations such as the EU and
the World Health Organisation.
Blue Light Special Interest Group
A National Health Service Air Ambulance at a Motocross event in Elgin, Moray, Scotland to uplift a patient after a
motorcycle crash on 16 March 2014.
The Department also provides assurance
to the Cabinet Office of health system
preparedness for and contribution to the
UK government’s response to domestic
and international emergencies, in line with
the National Risk Assessment and as one
of nine Critical National Infrastructure
sectors ensuring the co-ordination of the
whole system response to high-end risks
impacting on public health, the NHS and the
wider healthcare system, supporting the UK
central government response to emergencies
including ministerial support and briefing
and ensuring effective arrangements for
health emergency preparedness, resilience
and response from April 2013.
The national level arrangements are
underpinned by local assurance processes
conducted since 2013 by NHS England. All
Category 1 and 2 responders are obliged to
complete a comprehensive self-assessment
of their preparedness, resilience (including
business continuity) and response capability
against a set of minimum core standards [1].
This year is the first time Category 2
responders will have to complete the process
on a mandatory basis although many
participated voluntarily in 2013. Primary
care providers are being encouraged to take
part in 2014 in preparation for mandatory
inclusion in 2015 and a number of GP
practices are collaborating in groups to self-
assess their status against the core standards.
The 2014 Core Standards and guidance
were published on July 1st 2014 and the
self-assessment process is being conducted
over August and September with NHS
England carrying out thematic assurance
checks, liaison with providers and Clinical
Commissioning Groups during October
followed by governing bodies signing
off their self-assessments and producing
any subsequent action plans in time
to be presented to the respective Local
Health Resilience Partnerships (LHRP’s)
around November.
LHRP’s were established in April 2013 to
deliver national EPRR strategy in the context
of local risks. They bring together health
sector organisations involved in emergency
preparedness and response at the Local
Resilience Forum (LRF) level and are a forum
for co-ordination, joint working, planning
and response by all relevant health bodies.
LHRP’s in effect formalise arrangements
that already existed in many local health
economies to co-ordinate health sector input
to the LRF’s and emergency response.
Whilst LHRP boundaries are not always
coterminous with LRF’s they do ensure
effective planning, testing and response for
emergencies and enable all health partners
to input to the LRF in turn providing the
multi-agency LRF’s with a clear, robust view
of the health economy and the best way
to support LRF’s to plan for and respond to
health threats.
The arrangements for EPRR in the NHS are set
out in the Department of Health document
‘Arrangements for Health Emergency
Preparedness, Resilience and Response from
April 2013’ published in April 2012 [2]
and were
the subject of a Webinar from the Emergency
Planning College in March 2013 [3].
References
1.	 www.england.nhs.uk/wp-content/uploads/2014/07/eprr-core-standards-0714.pdf
www.england.nhs.uk/ourwork/eprr/gf/#core
2.	 www.gov.uk/government/uploads/system/uploads/attachment_data/file/215083/dh_133597.pdf
3.	 www.epcollege.com/EPC/media/MediaLibrary/Webinars/EPRR-webinar.pdf
Ambulance responder in London on NOVEMBER 23, 2013. Ambulance emergency van at street in London
About the author
David Dalziel was the Chief Fire Officer of
Grampian Fire and Rescue Service for eight
years and was vice chair of Grampian SCG. He
was Secretary of CFOA Scotland for six years
and chair of the Association from 2012 to 2013.
David is also the ICPEM regional representative
for Scotland and is an Associate Lecturer at the
Cabinet Office Emergency Planning College. David
can be contacted on Scotland@icpem.net
Updates
JESIP
By David Dalziel, QSFM MA FICPEM FInstLM, Chair ICPEM
All of those involved in the police,
ambulance and fire service sectors
of the blue light community will be
well aware of the JESIP and its continued
expansion into further areas including, most
recently, Jersey and Guernsey although it has
not yet been adopted in Scotland.
Further development of the programme has
been signed off at Ministerial level and a
legacy structure around doctrine, training,
testing and exercising and joint organisational
learning will be rolled out through a series
of roadshows over the coming months.
JESIP will be at the Emergency Services
Show in Birmingham on the 24th and 25th
of September with their ‘Interoperability
Theatre’ featuring a number of presentations
on the programme.
The joint organisational learning strand of
the legacy is of particular importance as
the process will identify what needs to be
learned, act on those lessons, share what
needs to be learnt and check that change has
actually happened.
As the training of operational and tactical
incident commanders continues the figures
(as at July 1st 2014) show that 65% of
those registered for the training have now
completed it with Wales and colleagues
in British Transport Police at 100% so
well done to them.
Increasingly the joint decision making model
and the ‘METHANE’ mnemonic to structure
major incident reporting is being adopted
across other responders and is becoming well
embedded in the routine business of Local
Resilience Forums (LRF’s). There are a number
of good examples of LRF’s inviting other
Category 1 and 2 responders to view JESIP
training and that has been well received by
partners in terms of raising awareness and
improving multi-agency integration.
JESIP does not redefine multi-agency
interoperability but its doctrine is designed to
complement the Cabinet Office ‘Emergency
Response and Recovery’ guidance focusing
specifically on the interoperability of the
three emergency services in the early stages of
response to a major emergency.
For more information on JESIP and access to
downloadable training and guidance material
please visit their website on:
http://www.jesip.org.uk
Commanders’ Aide Memoire
Multi Agency Communications
Enable information sharing and joint decision making between
Blue Light Commanders by:
Option 1: Face to Face Communication
(Consider setting up Multi Agency Talk Group)
Option 2: Airwave Service - Resilient, Secure, Recordable.
• Contact your Control Room to request an Incident Command Multi
Agency Talk Group (specify which Services are required)
• Your Control Room will allocate you a Talk Group
• Switch a handset to the allocated Talk Group
• If you wish to monitor another Talk Group a second
handset will be required
• Carry out a test call to other Agencies to confirm set up
• Before you leave the Multi Agency Talk Group you must inform
members of the Talk Group and your Control Room
Do’s and Don’ts when using a Multi Agency Talk Group
• Do use clear and unambiguous speech
• Check understanding
• Do not use acronyms
• Use clear common understandable roles eg Police
Incident Commander
• Multi Agency Talk Groups are not for individual service working
but for incident commanders communication across the services.
Achieving Joint Understanding of Risk
• Identification of hazards – individual agencies should
identify hazards and then share appropriate information
cross-agency with first responders and control rooms.
Use METHANE to ensure a common approach.
• Dynamic Risk Assessment – undertaken by individual
agencies, reflecting tasks / objectives to be achieved, hazards
identified and likelihood of harm from those hazards.
• Identification of tasks – each individual agency should
identify and consider the specific tasks to be achieved
according to its own role and responsibilities.
• Apply control measures – each agency should consider
and apply appropriate control measures to ensure any risk
is as low as reasonably practicable.
• Multi-agency response plan – consider hazards identified
and service risk assessments within the context of the
agreed priorities for the incident. Develop an integrated
multi-agency operational response plan.
• Recording of decisions – record the outcomes of the joint
assessment of risk, the identified priorities and the agreed
multi-agency response plan.
Updates
THE SOCIAL ACTION,
RESPONSIBILITY AND HEROISM BILL
– EMERGENCY RESPONDERS TAKE NOTE
By Roger Gomm QPM, FICPEM
The Social Action, Responsibility and
Heroism Bill was introduced in the
House of Commons on 12 June
2014 and is expected to receive Royal
Assent by early 2015.
This piece of legislation is aimed at
encouraging people to ‘volunteer’ to support
activities in the community. “Helping out: a
national survey of volunteering and charitable
giving” in 2006/2007 found that this was
one of the significant reasons cited by
47% of respondents to the survey who did
not currently volunteer. This supports the
Government’s broader aims of encouraging
and enabling people to volunteer and to play a
more active role in civil society.
However, the legislation may also have
an impact on ‘emergency response’ by
encouraging ‘first responders’ to help others or
intervene in an emergency without the fear
of risk and/or liability.
The legislation is intended to reassure people,
including employers, that if they demonstrate
a generally responsible approach towards the
safety of others during a particular activity,
the courts will take this into account in the
event they are sued for negligence or for
certain breaches of statutory duty, the obvious
one being the Health and Safety Act. It will
provide reassurance that if something goes
wrong when people are acting for the benefit
of society or intervening to help someone
in an emergency, the courts will take into
account the context of their actions in the
event they are sued.
The Bill would not change the overarching
legal framework, but it would direct the
courts to consider particular factors when
considering whether the defendant took
reasonable care. In any negligence/breach
of statutory duty claim that is brought where the
court is determining the steps a defendant
should have taken to meet the applicable
standard of care, it will be required to have
regard to whether:
•	the alleged negligence/breach of duty
occurred when the defendant was
acting for the benefit of society or any
of its members (clause 2)
•	in carrying out the activity in the
course of which the negligence/
breach of statutory duty occurred, the
defendant had demonstrated a generally
responsible approach towards protecting
the safety or other interests of others
(clause 3); and
•	the alleged negligence/breach of duty
occurred when the defendant was
acting heroically by intervening in an
emergency to assist an individual in
danger and without regard to his own
safety or other interests (clause 4).
I would suggest that emergency responders
pay attention to the progress of this legislation
over the next six months.
By Official Navy Page from United States of America U.S. Navy Chief Joshua Treadwell/U.S. Navy [Public domain], via
Wikimedia Commons
Incident Report
THE WESTGATE TERRORIST ATTACK:
WAS LAPSE SECURITY A CONTRIBUTING FACTOR?
By Adrian Meja MSc FICPEM ABCI ACIArb MEPS(UK)
The Westgate shopping mall is a
prestigious shopping centre in the
‘Westlands’ situated some 8 kilometers
west of the Nairobi city centre. The complex
is owned by Israeli nationals and is known to
be frequented by affluent members of the
Kenyan society along with United Nations
staff. The building was insured by Lloyd’s
of London for approximately 6.6 billion
Kenya shillings.
“Smoke above Westgate mall” by Anne Knight - Direct personal communication between copyright holder and uploader.
Licensed under Creative Commons Attribution-Share Alike 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Smoke_above_Westgate_mall.jpg#mediaviewer/File:Smoke_above_Westgate_mall.jpg
Situation
Saturday 21st September 2013
At approximately 12:30 hours, al-Shabaab
terrorists entered the Westgate Mall in
Nairobi, Kenya and shot dead defenseless
women, children and men in the name of
jihad. A Mitsubishi car, registration KAS 575X,
used the Peponi road entrance to access the
Westgate building where no barriers were
available to prevent unauthorised vehicle
access. The four occupants of the car entered
the building and started shooting at the
shoppers. Initially people thought it was a
bank robbery only to realise that it wasn’t
when some terrorists went beyond the first
floor to the top floors and continued to kill
and maim shoppers. The car is known to
have been purchased on 6th September 2013
which indicates that plans began well over a
month before the attack.
12.40 hours - terrorists had control of the
entire four storey building from the
basement to the roof top. Kofi Awoonor, a
renowned author from west Africa, was killed
in the basement by terrorists.
13.10 hours - a team of flying squad police
arrived but did not act immediately, during
which time approximately 30 civilian gun
owners, caught in the attack, began engaging
the terrorists.
13.15 hours - two gunmen were seen
on the ground floor attacking staff and
visitors in the mall.
13.25 hours – no control of the situation by
the authorities or security forces.
14.30 hours - two attackers were seen
changing clothes and left the mall amongst
rescued shoppers. One shopper pointed
out the terrorist but the security forces did
not take notice.
16.00 hours - The General Service Unit (GSU),
a paramilitary security force, arrived and
within a few minutes, the situation was being
managed to neutralise the terrorists.
17.30 hours – The Kenya Defence Force (KDF)
arrive at the scene and engage the terrorists
with the GSU. During the defensive action,
the lead GSU officer is alleged to have been
killed by the KDF soldiers. This forced the
withdrawal of GSU from the response teams.
There was a lull of two hours as night fell
and eventually David Kimaiyo, the Inspector
General of police, was given the mandate to
take command and control the incident.
The terrorists did not encounter a counter
attack from the security forces during the
night. They were
also able to view what was going on outside
the mall as the media relayed the response
preparations live over the TV channels.
22nd September 2013
07.00 hours - under the command of the IG,
the police and the KDF attempted to retake
control of the ground floor but were repulsed
by the terrorists - one KDF soldier was killed
and one wounded.
09.00 hours - crowds of well-wishers and
curious onlookers brought food for the
victims and responders.
14.00 hours - Kenya Police, KDF and Interior
Ministry Secretary, Ole Lenku, announced the
death of 59 innocent people and terrorists
estimated at between 10 and 15.
15.00 hours - friends and relatives of missing
and rescued people were assembled at the
Oswal Centre, 200 meters from the mall
where medical assistance, food and supplies
were available at the centre for coordination
and information.
16.30 hours – the Israeli military join forces
with the KDF and enter the mall.
23.30 hours - an announcement was made
that the siege was over and that most or all
hostages were out of the mall.
23rd September 2013
KDF Chief, Julius Karangi, took over
command and control from the IG of police.
A large blast was heard after the siege had
been declared over.
13.25 hours - four more blasts were heard
followed by huge columns of smoke.
19.40 hours – the siege re-confirmed to be
over by the KDF Chief.
24th September 2013
20.00 hours - gunfire heard from
the shopping mall.
22.00 hours - the president declares the
operations ‘over’ and states that the
confrontation with the terrorists at the
Westgate mall resulted in 240 casualties with
61 civilians and 6 security officers killed.
The cost of the damage to property was
estimated to be over Kshs. 6 billion.
Investigation
The planning for the attack was traced back
to Evermay and Solar lodges in Eastleigh
about 20 kilometers east of Nairobi City in
an area occupied mainly by Somalis from
Kenya and Somalia. Some of these people
were traced to have travelled from Sudan
and Somalia and used Kenyan refugee camps to
disguise their presence.
The attack on the Westgate mall had
similarities with the Kikambala hotel
attack, the Nairobi USA embassy attack,
and the failed attack on the Arkia airline in
Mombasa. The target appears to be consistent
with attacks on United States, Israeli and
British government establishments. The
terrorist groups al-Qaeda and al-Shabaab
are well known for targeting western
interests. Kenya has become a victim of such
attacks due to the links with the western
countries and Europe.
It appears there was no specific intelligence
that the Westgate mall was a target for
an attack. However, the local military had
been advised to avoid the complex as it was
considered a likely target for an attack.
The al-Shabaab terrorist group claimed
responsibility for the attack in the name
of Islam even though the terrorists were
not Muslims. No religion or belief supports
any form of violence. Many terrorist
groups regularly claim to be acting in the
name of ‘Islam’ to escape punishment or
to appear as if they are supported by the
Muslim community.
The first person to take charge of the
response team was a police officer of
the rank of Inspector and his action was
commendable in the absence of any other
senior officer or specific body that deals
with terrorism. The General Service Unit
came in as a specialised force and then
the defence forces came in to combine
capabilities. Command and coordination
lapsed somewhere during the response when
friendly fire killed a senior GSU officer. By
morning of the following day, the attackers
had been neutralized by the GSU.
The terrorists may have escaped at one point
or another because the estimated number of
those involved and those killed or arrested
does not tally. One survivor walked out and
saw a terrorist who had changed clothing
and pointed this out to the security agents,
but no attention was given and the terrorist
slipped out. The fact that all rescued people
were not confined until scrutinised adds
credence to the reasoning that security was
lax. Cross-organisational isomorphism
can be achieved if these teams appreciate
each other’s roles, train together and
exercise together since they all provide
state security, though at different levels as
identified by Toft and Reynolds (2005) in
their publication “Learning from Disasters: a
management approach.”
As the rescue efforts continued by the
police, defence forces and General Service
Unit, one would expect a smooth recovery.
However, it was shocking to discover the
level of looting that took place and it is not
clear who was responsible. Shops and banks
were broken into and jewellery, cash and
other valuables were stolen. The chair of the
Parliamentary investigation, Mr. Kamama,
and the Army Commander defended the actions
of the security officers by suggesting that
there was no looting until CCTV evidence
presented conflicting evidence. The Army
commander then suggested that the soldiers
had been allowed to take water from a
supermarket. This was meant to cover up the
poor performance of the soldiers.
The KDF soldiers also caused collateral
damage to the building by setting fire to the
supermarket and used grenades to destroy
the evidence that would connect them to the
crimes of looting. Subsequently a few soldiers
were prosecuted to try and salvage the image
of the security forces.
The search and rescue came to an end
when more than 50 people were claimed to
be “unaccounted for” by the Minister for
Interior. This was maintained even as a foul
smell continued to come out of rubble that
was part of the collapsed structure. This
statement was inappropriate as work was still
ongoing to recover bodies trapped under the
rubble. The Minister could not have known
how many people were unaccounted for as
there is no method of recording people who
enter a shopping complex.
The media played their role in highlighting
what was going on at the incident scene
but exposed the preparations of the security
forces when they televised the rescue mission
thus giving away information that would
help the terrorists – this is probably
one reason why the terrorists were able
to escape. This was not the type of event
that the media needed to relay live to the
public. Courses are available that inform
the Media on how to categorise disasters
and the methods of reporting that can be
adopted without compromising security. The
author attended such an event delivered
by the Institute of Civil Protection and
Emergency Management which proved to be
very informative.
In an article published in the Autumn 2005
edition of the Alert journal (page 11) it was
explained that terrorists prefer vehicles with
a capacity up to five tons in weight to carry
large explosive devices. Vehicles may also
be required that carry up to five occupants
with equipment or weapons. To avoid easy
detection, the terrorists are not in a hurry
to register vehicles that are bought in their
names. Experience suggests the need for a
very efficient vehicle registration system
that communicates details of new owners
within the shortest possible time to the
security agencies including photographs.
One of the vehicles in this case was bought
more than two weeks before the incident and
an efficient system of communication may
have revealed the buyer’s identity and alerted
relevant authorities in Kenya.
During the incident, terrorists were able to
enter the vehicle entrances unchallenged
and drive close up to the outside of the
building as there were no physical barriers
preventing unauthorised access. A car with
secondary devices was discovered much
later parked near the Westgate entrance.
Entrances to buildings that are next to a road
are vulnerable to forced entry by terrorists
and certain physical preventive measures
must be installed to deter attacks e.g. width
and height restrictions. Security checks for
people bringing vehicles into a building
should be in a dedicated area well before
the controlled access point. Vehicles should
not be allowed to park within 25 metres of
a vulnerable building. Some embassies have
taken such precautions that have deterred
any forcible entry into the premises. In fact
terrorists don’t go near such installations
for fear of being identified. The Centre for
the Protection of National Infrastructure
(CPNI) in the UK has published a free leaflet
on Vehicle Security Barriers (VSB) within
the streetscape.
A conspiracy theory has linked the authorities
to a complacent attitude, but can’t be
verified. However, it is worth noting that the
police officer that first took command and
control of the incident was later transferred
out of Nairobi to a hardship area which
may be interpreted as an odd outcome for
such an individual.
An enquiry appears to identify the same
observations made by the author of this
article. The objective findings can help
the Kenyan government, international
communities and any other organisations
facing the threat of terrorism, to adopt
preventive measures to mitigate the
occurrence and impact of terrorist
attacks. The report from the enquiry has
been found wanting and dismissed by a
parliamentary committee.
Managing Risk
Disasters and crises are a consequence of
mismanaged risks. Since risks are identifiable
and treatable, disasters and crises can, in
many cases, be predicted and the potential
causes can be mitigated by an effective
response. Preparedness is the key to ensure
an efficient response.
Security risks are dominated
by the threat of a deliberate attack. The
security community has to contend with
perpetrators who are willing to sacrifice their
own lives to cause mass casualties. This type
of incident requires a new way of thinking
with regard to planning to prevent such
events and develop effective interventions.
Good intelligence is the most effective
means of preventing such an attack. Some
countries are more sophisticated than others
and have prevented many terrorist attacks.
Shared information with other countries
and between security organisations is
essential. However, whilst warnings may be
issued, unfortunately not all countries or
organisations respond or react.
In the case of the Westgate mall attack, it
has been suggested that security agencies
had some warning at one time or another
but were unable to prevent the incident.
A Senator from Nairobi claimed he was
informed of the potential for an attack
and alerted the security agencies. Also, a
Presidential candidate alleged that in March
2013, he received information through his
networks that an attack was planned and
informed the security agencies, but nothing
was done. The National Intelligence Service
(NIS) claimed to have relayed information
on the threat to the relevant body. Toft and
Reynolds (2005) explain in their publication
“Learning from Disasters: a management
approach” that one of the problems
associated with learning from disasters is the
danger of ignoring advice.
Onlookers near Westgate shopping mall. By Anne Knight
[CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons.
The terrorists involved in planning the
attack were identified to be people from
outside Kenya and some had fake Kenyan
identification documents. This suggests
that the security risk started at the border
control points. It is possible that either the
immigration officials were compromised,
or native Kenyans helped foreigners to
obtain legal papers.
It is suggested that ‘Chance favours the
prepared, the unprepared have no Chance’.
The terrorists were better prepared than the
security forces. When does search and rescue
stop? One needs to read the Alert Journal,
autumn 2004 pg.8-9 to appreciate the
answer to this question.
Lessons learned
1.	 The human vulnerability caused by
compromised immigration officers or
people under duress to help relatives
or friends with criminal motives
presents a significant risk factor in
disaster management.
2.	 Security forces that are not
working as a team and don’t train
together or exercise together can
expose the country or responding
organisation to threats.
3.	 Weak security arrangements will attract
terrorists looking for a ‘soft’ target.
Experience has identified that terrorist
organisations plan the attack and will
carry out reconnaissance missions and
dry runs of the attack to confirm a plan
can be achieved. Cross-organisational
isomorphism can be adopted to draw
true lessons which is explained by
Toft and Reynolds (2005) in their
publication “Learning from Disasters: a
management approach.”
4.	 Media inadvertently informs the
public on issues that would normally
go unnoticed. Care must be taken
to identify which stories can be
relayed overtly to the public without
affecting security.
5.	 A degree of initiative, boldness and
creative thinking exists amongst
individuals, non government
organisations (NGOs) and communities
which should be encouraged as it can
assist with managing various aspects
of an incident. During the disaster, the
Oswal community, situated within the
Westlands, established a centre for
receiving casualties, feeding responders
and providing other effective facilities.
6.	 Looting and collateral damage occurred
during the incident, especially during
the latter phase of the response. This
should be discouraged by disciplined
forces when they arrive on the scene
not least because a crime scene should
be maintained. This topic was covered
by Phillip Buckle, of Coventry University,
in the September 2004 edition of the
Alert Journal in an article entitled
“Responding to Terrorism.”
7.	 Responders should always search an
incident site and pre-planned assembly
or rendezvous points for secondary
devices that have the potential to cause
more casualties or damage.
8.	 The response needs to separate rescue
from recovery and explain to the
public the difference where casualties
are concerned. Relatives and friends
of missing persons must be informed
of what action is being taken and
what to expect. Support should be
provided for the next-of-kin and
those affected by the incident and this
includes counselling.
9.	 Finally, the need to identify and contain
everyone involved in the incident
and check their identity is a critical
element of the response by the security
forces. The Special Air Service applied
such a system during the Iranian
siege in London in 1980 where one
of the terrorists posing as a hostage
was discovered.
MARAUDING TERRORIST
FIREARMS ATTACK (MTFA)
A similar incident occurred in Mumbai
during 2008 and introduced the concept of a
Marauding Terrorist Firearms Attack (MTFA).
Previously, the focus had been on vehicle
borne and person borne explosive devices.
The prospect of facing multiple offenders
with no expectation of survival, with military
training and armed with fully automatic
weaponry has dictated a sea change in the
UK police firearms response. CONTEST is the
UK’s strategy for countering terrorism and
consists of four elements - Pursue: to stop
terrorist attacks; Prevent: to stop people
becoming terrorists or supporting terrorism;
Protect: to strengthen protection against a
terrorist attack; and Prepare: to mitigate the
impact of a terrorist attack.
About the author
Adrian Meja is Head of the
Disaster Resilience Centre
(East Africa) Trust. Adrian
has qualified and trained in
the field of Risk, Crisis and
Disaster management as
well as Business Continuity
Management.
Email: Meja.adrian@gmail.com
Websites: www.drc-preparedness.com
www.safetyfirstkenya.com
Counter Terrorism
THE ROLE OF THE COUNTER
TERRORISM SECURITY COORDINATOR
IN POLICING MAJOR EVENTS
By Jonathan Schulten FSyI
“Trooping the Colour form march past” by Ibagli - Own work. Licensed under Public domain via Wikimedia Commons
- http://commons.wikimedia.org/wiki/File:Trooping_the_Colour_form_march_past.JPG#mediaviewer/File:Trooping_the_Colour_form_march_past.JPG
Origins of the Role:
The role of a Counter Terrorism Security
Coordinator (‘CT SecCo’) was originally
developed by the Metropolitan Police Service
(MPS) nearly twenty years ago. The need
for a coordinating role resulted from the
recognition that various specialist officers
were deployed to major events, such as the
annual Trooping the Colour ceremony, but no
one had the responsibility for devising and
maintaining oversight of a holistic security
plan. As the Gold – Silver – Bronze model for
event command teams matured, a gap in the
arrangements was identified for someone
with wide-ranging and in-depth knowledge
of protective security assets to complement
the work of other command team members,
such as planning, communications and public
order specialists. In appointing a SecCo to the
team, a Gold commander has the reassurance
that they have, in effect, a tactical advisor
with a specific remit to maintain oversight
of how different protective security assets
can interact and satisfy elements of a well-structured,
proportionate and appropriate
security plan in order to mitigate risk. It
will be of interest to members of ICPEM
that the initial sponsor and early champion
of the SecCo role was none other than
Sir David Veness, when he was Assistant
Commissioner with the protective security
portfolio in the MPS.
The SecCo is, in effect, the glue that binds
separate highly skilled protective security
disciplines together, and ensures they all work
cohesively and in pursuance of a thorough
and carefully considered security plan. Each
of these disciplines deploys very well trained
and experienced officers. Typically, a major
event might see defensive search activity
utilised in order to secure and/or sterilise an
area or building. Where protected persons
are attending, their personal protection
teams will need to operate in an environment
where they are cognisant of the potential
threat to the safety of their principals, and
who is doing what in order to reduce it.
There might be justification for overt, and
possibly covert, armed deployments. Gold
will need to know how such specialists
link in with the deployment of uniformed
officers monitoring crowds, which in turn
will inform the resourcing decisions they will
make. Working and liaising with external
partners is also a key aspect of the SecCo’s
remit. Understanding the intentions of the
event organisers, and satisfying oneself
they have a realistic understanding of what
they are responsible for, is key. Likewise,
event management companies, especially
where they are subcontracting out roles
such as stewarding. A prestigious event
and the perceived kudos it can bring to
a venue will sometimes be a cause of
distraction from realistic expectation, I have
found. It is therefore vital that the SecCo also
develops an effective working relationship
with venue management and maintains a
constructive dialogue leading up to and
throughout an event.
Asking the right questions:
I have learned it pays dividends to ask
external partners to notionally sign up to
a ‘no surprises’ clause, continually raising
questions to remind them of what I would
want to know that might impact on the risk
profile, and accordingly my security plan. I
learned the wisdom of doing so following
one event in particular. It was to take place
on a stage in a public open space and
speeches were to be made. The lead organiser,
by way of a casual remark as we were leaving
the final planning meeting, told me how
delighted she was that the Prime Minister
would now be attending. This was just a
few days prior and painted a very different
picture of risk, to the point of changing the
event profile significantly from my point of
view. This PM was at that time subject to
volatile protest when attending such public
facing engagements. I had asked a number
of times if the guest list had altered, but
on expressing my concern that I had not been
given this information, I was told ‘But he is
on our list of speakers and you didn’t ask me
if that had changed’. So, lesson learnt, off I
went to create a much more robust security
plan, recommending search regimes and
other assets be utilised, where they had not
previously been deemed proportionate. Who
has been invited to the event, or is it a case
of general public access, such as in an open
field site? Where it is invitation only, how and
when have the invitations been despatched?
What, if any, requirements have been made
to ensure the intended recipient is the person
presenting themselves for admission on the
day? Which contractors have been engaged
to support the event logistically and what
do we know about their staff? Is there a
likelihood of casual labour being utilised at
short notice, once the event is in the public
domain for example? These are all typical
questions, the answers to which the SecCo
will want to be satisfied in order to develop
a security plan that identifies residual risk
which Gold is likely to accept.
Selection and Training:
From its origin in the MPS, the SecCo role
has been approved by the Association of
Chief Police Officers (ACPO) and is now a
recommended specialist skill area for each
United Kingdom (UK) police force. Given
the nature and level of negotiating and
influencing often required, senior officers of
at least inspector rank, and commonly chief
inspectors or above, are sought as volunteers
to undertake the role on top of their day
job. The MPS course has developed into a
product delivered nationally through the
College of Policing at Bramshill. I had the
privilege of undertaking the various roles of
course director, professional lead and lead
assessor from 2009-2013. The national course
is now of two weeks’ duration. Delegates
must pass a written examination, and
progress satisfactorily through exercises in
practical application. The course culminates
in delegates presenting an assessed security
plan. Upon passing all elements, they are
classed as ‘occupationally competent’. Within
the following twelve months each SecCo
must shadow more experienced colleagues in
their own force and comply with minimum
standards in terms of both deployment and
Continuing Professional Development (CPD)
activity. Upon doing so, new SecCos are
then considered to have completed their
initial professionalization and are classed as
‘operationally competent’.	
National Governance:
Early in 2012 governance of the SecCo
profession was put on a more formal
footing through the establishment of a
National CT SecCo Board, sponsored by the
MPS Commander for Protective Security as
ACPO national lead. As a founder member
of the national board I was pleased to be
involved in the growth of a recognised
and formally approved structure. This
provided a framework for governance of
the continuing evolution of the role. For the
first time a nationally applied role definition
was established:
‘The CT SecCo role is to develop a security
plan with a view to minimising, managing
and mitigating risk in respect of a
policed event or operation in support of
Gold’s strategy’.
This helped to provide clarity on varying
perceptions of the role, bearing in mind the
operational independence of each UK police
force. Such perceptions had, over time, also
led to differing interpretations on when it
was appropriate for a Gold commander to
utilise the services of a SecCo and recruit one
onto the event command team. In seeking
to address this, the board established the
following parameters:
‘A CT SecCo must be considered in respect of
the following –
•	public military events
•	high profile ceremonial and civic events
•	events involving protected persons
•	royal visits
•	crowded place events, including high
profile sporting events, and
•	any other occasion where the
Gold commander believes that the
appointment of a CT SecCo will support
the delivery of a safe and secure event.’
How SecCo Works:
SecCo’s place in the command chain is
somewhat difficult to define as an absolute.
It will to some extent depend on the scale,
type and nature of the event. Although
appointed by Gold, the reality of the role in
major events is that SecCo will usually work
to, and closely with, Silver as the tactical
lead. He is a key member of Silver’s tactical
planning group in the developmental stages
leading up to an event. During the event,
SecCo will proactively monitor intelligence
and information, in order to continually
reappraise threat and risk. He will also
continually assess the effective deployment
of all protective security assets. Where
necessary he will adjust elements of the
approved security plan in consultation with
Silver, subject to Gold’s approval. Applying
security oversight in this way means it is not
a case of ‘we had a plan and we stuck to
it’. Rather, ‘we had a plan and it was good.
We constantly questioned its effectiveness
and made adjustments in the light of
what we found’.
Working with police colleagues, the SecCo
will convene a security tasking meeting.
This gives him the opportunity to gauge
the preferred approach and scope of all
other protective security specialists and
practitioners. He will discuss this with them
in the light of the strategy for the event
that Gold has set, together with all relevant
information and intelligence at that time.
SecCo will task colleagues to submit their
respective plans in order for him to produce
an informed report to Gold. This will detail
the proposed security plan for the event
through a series of specific recommendations.
It is then for Gold to accept SecCo’s report
as one which is proportionate and effective
in reducing risk, or otherwise to discuss and
require adjustments.
The Risk Matrix:
Essentially, the SecCo is seeking to
do three things:
•	to target harden
•	to reduce vulnerability, and thereby
•	to lessen risk
The cornerstone that underpins SecCo’s
considerations is a risk matrix. Within this,
threat is determined by a potential attacker’s
hostile intent together with their capability
to carry out such intent. These two elements,
however, are effectively beyond the direct
sphere of influence of the SecCo.
Where SecCo can have a direct effect
through his security plan is in lessening
predictability and applying control measures
to the event. The more predictable an event
is, the easier it will be for those intent on
disruption or attack to plan how they will
go about doing so. It follows, therefore,
that SecCo will take into account the
predictability of an event when considering
appropriate and proportionate control
measures to be applied in respect of
it. These two elements will influence
vulnerability. The residual risk will result
from a combination of the threat with the
vulnerability pertinent to the event.
Influencing predictability is easier in some
circumstances than others. Depending
on the venue, it might be relatively
straightforward to introduce subtle changes
to public access points, to raise random
search on entry to total search, or even to
utilise a different entry or exit point for a
protected principal. It will be a very different
matter with an iconic ceremonial event.
Matters of protocol will be significant with
such events, making more challenging any
quick win in terms of lessening predictability.
Where that is the case, SecCo will take this
into account in developing the security
plan and will recommend assets in order
to reduce the residual risk around a highly
predictable event.
In making recommendations to Gold, SecCo
will seek to mitigate against unacceptable
risk (the ‘Clapham omnibus’ test), whilst
providing a proportionate response
taking account of the current threat and
intelligence picture. Control measures will
need to be both achievable and acceptable,
not only to Gold but to all key stakeholders.
With a significant proportion of major events
organised by or involving publicly funded
bodies (local authorities, the military, the
royal household, etc.), it comes as no surprise
that one of the primary influencing factors
of acceptability in recent times is cost.
Dealing with Raised Threats:
An important element of the security plan is
to take account of a changing threat picture
and its effect on the risk profile of the event.
Whilst we can all think on our feet to some
extent, the SecCo’s role in accounting for a
range of unspecified occurrences will reduce
the need to do so in the lead up to and
during an event.
Two events where this was
required of me come to
mind. In 2011 I was SecCo
for part of the state visit
to the UK of His Holiness
Pope Benedict XVI. I had
developed the security plan
for his first engagements
within London, which were
three separate events within
a university college campus.
These were a service within
the college chapel, then an
appearance on stage joining several hundred
school children. This lasted about an hour
and was on an open field site. Finally, His
Holiness attended an inter faith discussion
for religious and community leaders and
other invited guests in a stately ball room.
Each of the three events required a different
blend of protective assets. The campus was
a porous site in terms of the potential for
unauthorised access. This presented certain
challenges, especially with regard to the
event on the sports field, where the Pope
would be visible and static for a prolonged
period. Nevertheless, Gold approved my
plan for all three. I ensured the venue was
secured in accordance with the plan the
night before arrival, and off I went home as
I was getting up very early the next morning
to oversee the security operation on site.
Two hours before my alarm went off I got
a phone call. (What follows is in the public
domain and has been covered by the national
media). I was informed that acting on
intelligence a number of people believed to
be in the advanced stages of attack planning
against the Pope had just been arrested.
However, not all those sought had been
located. I therefore had to assume the real
possibility of an imminent threat to the life
of His Holiness at my venue. Whilst it is not
appropriate to go into the specifics of what
was put in place, I was able to adjust the plan
so as to provide a greater level of reassurance
in the light of the intelligence received. Such
a dynamic challenge led me to reflect on
what is achievable within such a tight time
frame, and to identify which measures would
be likely to require a longer lead in time.
This learning was subsequently fed into the
national training course.
The second example of responding
dynamically to a raised threat has also been
in the public domain and national media.
The two largest ‘crowded place’ events in
the UK are the Notting Hill Carnival and the
Central London New Year’s Eve celebrations.
I was SecCo for the latter for three years
and privileged to work to Commander
Bob Broadhurst (retired) FICPEM as Gold
and Superintendent Roger Gomm (retired)
FICPEM as Silver. Intelligence, whilst not
event-specific, led to concern developing
about a possible marauding attack that could
target our event. Again, for obvious reasons,
I cannot go into specifics as to our response.
Suffice it to say that specialist assets
deployed were significantly increased, both in
number and type. Alongside this, new tactics
were devised that would enable any such
threat to be confronted more effectively than
had previously been considered necessary
for this event. Accordingly, there are now
available to command teams of such large
scale crowded place events deployment
options that would not have existed had
we not had to respond to such a dynamic
threat. Following the logic of the
risk matrix outlined above, this
means risk has been lessened
as a result.
Author Profile
Jonathan retired last year from the
Metropolitan Police Service as a senior
officer in Specialist Operations, serving
in the Counter Terrorism (CT) Protective
Security Command. He is one of the
most experienced police CT Security
Coordinators in the country and has
presented internationally on protective
security and risk reduction in major events.
He was a speaker at CT Expo Crowded Places
conference 2013 and has delivered protective
security and major events command training to
police and governmental organisations in Europe,
Central America and the United Arab Emirates.
He has provided risk mitigation strategies for a
broad range of high profile events, including the
royal wedding of Prince William, the state visits of
President Obama and His Holiness Pope Benedict,
the annual Trooping the Colour ceremonies and
London New Year’s Eve celebrations. He was the
national lead security coordinator for the Olympic
and Paralympic Torch Relays, involving not only
the route, but the safety of numerous protected
persons and crowded places every night over the
seventy days of the event. He led the National
Protective Security Advice Cell during the London
2012 games, giving support and advice through
the National Olympic Coordinator to LOCOG and
government.
Having recently transferred his skills into the
corporate sector, Jonathan currently heads
security and business continuity for a leading
property management company based in the City
of London. He develops and oversees the delivery
of security strategy across a wide portfolio of high
end commercial properties. Jonathan is a fellow of
the Security Institute.
London 2012 Olympic Games, Stratford Gate, Olympic Park
CRISIS MANAGEMENT
IN CASES OF MULTIFACETED CYBER ATTACKS
By Dan Solomon, Director of Cyber Security Services, Optimal Risk Management
Multifaceted Attacks
Response to sophisticated cyber attacks, and
defence against persistent and prolonged
threats, is complex. These attacks may be
planned as a campaign of ‘intrusions’ across
multiple vectors, using different methods,
and over many weeks or months. Invariably
the more advanced threats may have
ambitious objectives such as sabotage or
espionage, and are likely to be perpetrated
by well-funded adversaries with access to
advanced methods of digital and physical
penetration. Such converged attacks have
the capability to escalate and progressively
challenge, and even exploit, an organisation’s
responses, methods, disparate teams, and
decision-takers.
Given that targeted attacks will rarely
fit a scenario that has been anticipated,
organisations will always need to maintain
‘agility’ in their response capabilities, and be
prepared to respond to and pre-empt a plethora
of plausible attack manifestations. This in
itself has a considerable deterrent factor,
as attackers will be forced to invest time
and funding in increasingly sophisticated
methods to effect a breach and all but the
most determined may prefer to seek ‘softer’
targets. Hence those organisations that are
unprepared are invariably targeted because
they present a more attractive risk-reward
proposition, which requires less attacker time
and investment.
Ultimately, an organisation’s response will
depend on a broad range of factors and how
those factors evolve over the duration of a
cyber crisis. More specifically, the response
will be a ‘converged’ one incorporating
systems, procedures, and decision-taking by
managers. Many of the root causes of current
security weaknesses have been established
by poor management decisions taken over
the past 5-6 years and during a cyber crisis, it
is commonly evident that poor management
decision-making has the potential to further
compound those established vulnerabilities.
In common with non-cyber crises the
response options chosen by managers are
based on judgments and therefore subject to
what is discovered, further guided by what
is understood, driven by what is known, and
what is familiar. The main differentiator of
cyber crises perpetrated by an ‘advanced
attacker’ is the greater complexity inherent
to the crisis, and therefore the greater
chance of failure.
Like any crisis, this is a test of how effectively
the organisation recognises early warning
signals, how it responds to sudden-impact
events, and how it evaluates risk, which
all expose the influence of internalities
or heuristics; weaknesses of management
processes; and flaws in security and crisis
planning. This is compounded by the
more common failings evident in cyber
crises, which are poor risk awareness,
ineffective anticipation, the inability to deal
with uncertainty, and poor preparation.
Progressing through various stages [see
figure 1] from first response through to
situational awareness and analysis, onto
managing the complexity and consequences,
will challenge all the organisation’s crisis
management processes.
To quote the Concise Oxford English
Dictionary a crisis is ‘a time of intense
difficulty or danger’. In the eyes of
organisations, nothing is a crisis until
there is recognition of the full extent of
consequences. Most companies will be
reluctant to classify an incident as a crisis
until they realise how intense the difficulty,
or the extent of the danger. There may be
incidents that are dealt with effectively
and early, and as such they never reach the
point of ‘intensity’ or represent real danger.
However, the minute that the organisation
reaches the realisation that there is danger
or intense difficulty, it is then that a crisis
is upon them. A failing of many companies
is the inability to recognise consequences
early, and they may be in the full throes of
a crisis without treating it as such, because
they lack the awareness or the analysis of
likely consequences.
Incident Response
Irrespective of what triggers the first
realisation that an organisation may be
the victim of an attack, and without a
clear perception of whether this is an
ongoing event or not, teams are deployed
with the initial objectives of detection
[what has been detected & identified] and
analysis [type of malware, correlated with
relevant threat intelligence]. Early analysis
is an imperative, to establish the status of
system integrity, and identify any loss of
command and control.
The first steps are therefore to mobilise
the appropriate response, and wait for a
picture to emerge as quickly as possible. This
process may be well understood and should
have been exercised in the past, and the
imperative is to ensure that the right teams,
internal and external, have been mobilised
and are responding. Communications need
to be effective, particularly when dealing
with external parties or staff in other
time zones, and the initial priority is to
manage the communication between the
stakeholders at set intervals, to allow for
the timely exchange of information and
appropriate action.
The early emphasis on managing processes
and communications is central to developing
and maintaining the situational awareness
at this critical stage. Besides the ‘tasking’
of different individuals and teams, the
challenge of monitoring the decisions that
are being taken, and evaluating whether
those decisions are based on the appropriate
knowledge, requires close scrutiny of two
main types of processes:
•	The process of alerts and indicators and
whether this situational information
is being translated into actionable
intelligence.
•	The process of how the intelligence is
appropriately applied, and how this
translates into effective decision-taking.
In the early stage, before the full extent of
the incident becomes apparent, and a fully
informed judgement can be reached about
the scale and scope of the event, it is critical
to resist the temptation to succumb to ‘basic
instincts’ that may shape the response to
unfolding events. The first danger at this
point is complacency in assuming that
the attack will follow the pattern of other
known or previous incidents, and that this
conclusion can be reasonably reached based
on current knowledge.
The core issue is whether the incident
represents a fundamental surprise that was
quite unanticipated even within the context
of the current environment; or a situational
surprise that should have been anticipated
as ‘a possibility’ in the current conditions.
In either case the first question should be
whether events fit a scenario that has been
anticipated, and if this is only partially the
case, whether the incident is ‘what it seems’.
In order to put events into appropriate
context, it is important to avoid reaching any
partial conclusions or resorting to a premature
reaction, and rather to keep asking the right
questions: What don’t we know? What
could happen next?
However, it is important to recognise early
where there is no templated response plan
for the potential scenarios that the incident
may fit into, and whether an existing plan
can be appropriately applied and adapted.
If the attack has been a ‘converged’ one,
then a priority is to differentiate between
the symptoms and the causes [particularly if
there is the possibility that the attack is being
facilitated by an ‘insider’ or any planted
hardware] and consider whether this incident
is still an ‘IT problem’ and how to respond to
that possibility.
The challenge at this early stage, especially
when faced with a fundamental surprise or
a level of malicious sophistication that had
not been anticipated, is to maintain clear
and rational consideration under increasing
pressure as the organisation may already be
experiencing the impact of a breach, and
the consequences escalating. There are many
reasons why failures become apparent at
this stage including lack of intelligence or
‘early warning’, and an over-dependence on
these systems.
Figure 1 - managing the phases of a cyber attack
These common complaints are usually
surpassed by the more complex causes
of decision-making failure due to
misinterpretation, and analytical bias such as
a tendency to focus on more familiar aspects
of the initial attack or those that have
been best rehearsed and prepared for. This
propensity to view events within the context
of the more ‘probable’ scenarios severely
hampers the taking of appropriate decisions
at this initial stage, when established
assumptions about vulnerabilities are being
challenged, and managers are faced with new
uncertainties which expose their threat-
awareness as being outdated.
The Attack Evolution
An advanced attacker will employ a multi-
phase attack and the evolution of the
attack to a second phase is invariably the
‘make or break’ point of the incident and
will determine whether it becomes a crisis.
As the event takes a new direction, the
organisation will be tested to apply and
adapt the knowledge that has been built up
to this point. More importantly it will force
a reassessment of the situation, particularly
if the evolution had not been anticipated,
and raises the important issue of whether the
new development affects decisions taken so
far, and whether previous decisions have now
become counter-productive in the context of
the new reality.
For the crisis leader this should launch a
new cycle of tasking and the priority is to
ensure that the new impact is integrated
quickly into team understanding, and triggers
appropriate response, or proactive actions.
If the situational analysis is accurate at this
point the leader should be able to take more
proactive steps to limit further escalation,
and assess whether to deploy additional
resources, and measures, in parallel. However,
poor decisions taken previously, or the many
potential causes of failure, may all act to
limit the effective options at this point, not
least may be the lack of effective capabilities.
The escalation of the attack is likely to
prompt a re-evaluation of risk as the severity
of the breach has become apparent. The risk
analysis at this point will invariably require
an enterprise assessment of the possible
implications from the recent turn of events
in terms of business operations continuity,
revenue recognition, client/customer impact,
reputation, and input from the legal team.
This will require a clear view of the likely
implications as well as the already apparent
impact of the attack, and this analysis should
have been accumulating throughout the
incident if the indicators are effective, and
the appropriate staff properly involved. The
demarcation between security operations and
incident response & forensics [often through
external specialists] that are both tasked with
tackling threats, and the interface with a
specific team that is tasked with assessing
risk, can become complex as a single
situational analysis is collated.
Crisis Management
As a risk team is assembled to evaluate the
implications, the incident will now have
been deemed a crisis and will trigger the
involvement of a crisis management team
comprising a broader mix of senior
managerial and departmental responsibilities
to handle enterprise-wide implications. As
the previous path of ‘containment’ has run
its course, the escalation of the incident to
the crisis management team will introduce
more complexity to the situation. For the
organisation that has not faced such a
crisis before, or not exercised a cyber crisis
scenario, the issues that need to be addressed
are immediate and potentially serious,
because the crisis management team needs
to be ‘fit for task’ with the correct levels of
seniority and capability of staff, as the attack
has become more sophisticated, and the
impact more severe.
The introduction of the new team into
a dynamic and evolving event is fraught
with difficulties in a multi-phase attack,
in deciding at what stage the crisis
management team should become involved,
based on an assessment of how quickly it
will become effective, and how it should
support the response. Before the incident is
deemed a crisis, it may be viewed as counter-
productive to involve the crisis management
team. Foremost, without complete situational
awareness and analysis, it is difficult to brief
the team sufficiently for it to choose the
appropriate course of action and how to
enact a response.
More importantly the team, or senior
members of the team may hamper security
or business continuity decision-making by
placing their departmental or functional
priorities ahead of the overall risk to the
enterprise. For the crisis leader, failing to
effectively manage the interface of one
‘informed’ Chief Information Security
Officer (CISO) with increasingly ill-
informed senior executives and division
heads, and managing their inputs as a
complex attack unfolds, often leads to ‘bad
decisions’ that exacerbate the crisis. This
is particularly the case as consequences
become increasingly apparent, in respect
of inappropriate external communications
with shareholders, suppliers, and attempts to
manage customer expectations and minimise
reputational damage. Managing post-crisis
consequences then has the potential to
become a destructive process of review,
attribution and blame.
Large companies will have different teams/
functions particularly for security operations
and incident response/forensics. In many
instances the incident response/forensics will
be experts like Optimal Risk brought in from
outside. Sometimes there will be a risk team
appointed from within the organisation to
assess risk on an ongoing basis, and in some
cases there is cross membership between
this team/committee and others. Crisis
management should have its own team with
the appropriate skills, qualifications, and
authorisations to take appropriate decisions
and this invariably is a group of much more
senior and cross-functional directors. In some
cases these functions are poorly staffed or
non-existent, and that contributes to the
problem. The Crisis Management Team can
become disconnected from the problem and
can respond inappropriately to the crisis
without the proper integration into the
process, and we see this again and again
when Managing Directors storm in and
micro-manage matters that they should not.
Preparing for the Future
The status of ‘crisis’ could be defined by
the potential implications of a security
incident, and in the future it is increasingly
likely that cyber incidents will become
crises, as cyber attacks could lead to severe
impact outcomes, and therefore should
now be considered a board-level concern
and tier-1 threat. The main principles of
crisis management leadership do not differ
fundamentally for cyber crises, but this paper
has described how the management of a
cyber crisis is considerably different when
faced with an ‘advanced attacker’ employing
sophisticated deception. This cyber ‘context’
is not only the most relevant for the present
day, but also the most challenging context in
which managers & leaders need to adapt and
respond effectively to crises that will severely
challenge their abilities.
The characteristics of multifaceted attacks
now compel organisations to adopt a
more proactive approach to security, so it
is disingenuous to consider crisis response
without crisis prevention. In the future the
ability to recover from a severe breach will be
increasingly difficult and slow, and so it will
be a much greater challenge to be sure that
an organisation is resilient or ‘quickly able to
bounce back and resume normal operations’.
The nature of advanced threats such as
espionage or sabotage significantly limits
the effectiveness of reactive measures in
defending against cyber attacks and severely
complicates incident response options, and
the feasibility of achieving ‘resilience’ has
to be questioned.
Anticipating the characteristics of an
‘advanced attacker’ incident requires a
degree of heightened awareness that will
support the simulation of outcomes and
consequences: at first, in theoretical terms so
as to assess how best to further explore the
process of preparation; and latterly in real-
world conditions to identify vulnerabilities
and ‘learn from experience’. Without a
prepared and rehearsed response to a well-
anticipated scenario the response is likely to
be poor, and the recriminations broad.
Preparing for crisis management scenarios,
and developing crisis management
capabilities needs to commence now: as
soon as possible before the next crisis. The
first conclusion that should be reached is
that crisis managers and leaders need to be
informed and prepared for what they might
face, and refine the processes & procedures
to cope with a severe cyber event, and
this should inform the establishment of
more comprehensive preventative security
measures. It should also be recognised
that failure to prepare is a failure of
organisational leadership.
Specifically, leadership for a cyber crisis
needs a risk-informed manager, with a
clear appreciation of converged threats
who can develop board-level appreciation
of the security risk landscape. Managers
tend to build on hindsight, and in this, they
focus excessively on past threats and past
experience: irrespective of the rapid evolution
of the threats. Similarly, they focus on their
best-known vulnerabilities, often because
they have been previously targeted, and
managers have been forced to focus on what
those most recent vulnerabilities were. Their
failing is typically lack of insight. Insight
into what is within their threat landscape,
insight into what the potential impacts could
be on the organisation, and insight into the
pace of evolution.
To plan how the organisation should defend,
respond, recover, and ultimately ‘prepare’
for multiple variants of sophisticated
scenarios, is a complex process that exposes
the natural weaknesses of organisations
that struggle with complex problems, and
integrated processes. However, effective
preparation for both defence and response
requires an integrated approach with the
common aim of developing resilience, which
cannot be broken down to a ‘simple’ formula
because it is becoming increasingly futile
to consider the individual elements of a
complex and persistent attack in isolation
in order to construct defence against
individual elements of advanced threats. This
is particularly the case if the construction
of an effective defence is not risk-informed
and intelligence-led as far as possible,
and this is especially short-sighted if the
converged nature of enterprise security risk
is not apparent to security planners that are
required to assemble a converged response.
To achieve high levels of security, the
process of security is becoming increasingly
complex and it must now integrate different
elements of the organisation’s preparedness
& planning into an overarching converged
framework to include systems, processes,
policy and management practices. The
need for physical and cyber security
domains to collaborate, challenges both
functions to dovetail their capabilities
effectively, and many organisations struggle
with coordinating security planning and
incident response. In the majority of cases,
organisations rely heavily on well-developed
business continuity plans and tend to
neglect the development and exercising of
defensive and response capabilities against
different advanced scenarios and this has the
potential to hamper their ability to handle
the unexpected or unfamiliar aspects of the
‘next threat’.
Napoléon once said ‘uncertainty is the
essence of war, surprise its rule’ and
preparation for serious security incidents,
must be built on the assumption that there
will be surprises, and the organisation’s
response will have to tackle the unexpected.
This raises two issues: firstly the nature of
the response and capabilities; secondly the
ability to deal with the unexpected, which is
founded in managerial ability & experience.
Unfortunately experience is gained over
a long period of time, and experience can
also degrade over time, particularly with
staff turnover.
A critical gap exists where organisations
need to ‘exercise’ the ability to anticipate
the unexpected, be able to identify
uncertainties and factor them into their
planning, and tackle them head-on. The
process of simulating real-world attacks
and analysing the performance of security
apparatus forensically to determine its
strengths and weaknesses is a key platform
of organisational preparedness, not only
because ‘practice makes perfect’ but because
it develops an organisational preoccupation
with ‘what if’ scenarios, and the failure to
deal with them effectively. The essence of a
pre-emptive approach should be based upon
developing foresight. Applying a forensic
approach to doing so is key to developing
insight into both probable and plausible
outcomes of a breach. The adage that being
forewarned is forearmed is always the
justification for investing in maintaining
awareness and preparation.
Good management practice and preparedness
require ‘the ability to anticipate events
long before they happen, and develop a
planned response to each scenario’. The
essence of anticipation is to identify threats
no matter what the levels of plausibility or
probability, and in doing so managers need to
accept that the lower probability events are
invariably higher-impact ones. In developing
and refining capabilities, managers need
to be able to review flaws in their plans –
regularly – and spot the barriers to effective
performance through security exercises.
A preoccupation with failure is essential
to combating the complacency that
tends to set in, and it is an attitude that
characterises ‘high-reliability’ teams that
require a near-perfectly synchronised and
effective performance on every occasion. It
requires a commitment to being proactive
in the process of planning – testing –
and reviewing, and this is central to
organisational resilience. This must counter
any tendency to over-simplify plans and
procedures, as the threats are increasingly
sophisticated. So ‘defence’ needs to match
the levels of innovation and sophistication
that threat actors are introducing. If
organisations are not running exercises, not
refining plans, not preparing capabilities, or
not anticipating future events, then their
shareholders and customers cannot have any
confidence in the organisation’s resilience to
sophisticated attack, or ability to survive the
consequences.
Author Profile
Dan Solomon is Director of Cyber Risk & Security
Services at Optimal Risk Management Ltd. He is
a leading proponent of a converged approach to
security risk, and is a regular presenter and chair
at leading cyber security conferences. He is an
industrial espionage specialist and a practitioner
of FAIR [Factor Analysis of Information Risk]
methodology. He is a prominent advocate of red
teaming, and a pioneer of cyber war games as an
approach to developing organisational resilience.
He joined Optimal Risk in 2013, after 3 years
as a Senior Partner at Hawk ISM. During that
time he also served as Director of the Homeland
Security Program at The Atlantic Council UK, and
has published & spoken around the world on
Intelligence Analysis & National Security, Critical
National Infrastructure Protection, Cyber Security
and Enterprise Security Risk Management.
Web: www.optimalrisk.com
Tel: +44 870 766 8424
  • 3. ICPEM // Alert // Autumn 2014 3 This is my first view from the Chair having been elected this spring. Aviation disasters and conflict seem to have been the most notable events of the last 6 months with the baffling disappearance of Malaysia Airlines MH370 on 8 March and the now assumed tragic loss 239 lives on-board followed by the shooting down of MH 17 on 17 July with the loss of all 298 passengers and crew. The continuing violence in Syria, Afghanistan, Iraq, Gaza and Israel confirms we are not a world at peace and now the Ebola outbreak which was first identified in Guinea in March and has since spread to Liberia, Sierra Leone and Nigeria in Africa reminds us just how vulnerable we are in this ‘modern’ world. The natural disasters have not let up either this year with mudslides in Argentina, floods in Bolivia, an earthquake triggering fires in South Africa, flooding and landslides in Burundi, floods in the Sudan, an earthquake in Iran, Pune landslide and Odisha floods in India, landslides and flooding in Nepal, an earthquake in China, a typhoon in Korea and a landslide and a volcano eruption in Indonesia have all killed hundreds of people. The ICPEM, with its many partners including the Emergency Planning Society (EPS) and The Security Institute have a role to play both nationally and internationally in helping our government and in turn third world governments to ensure they have prepared for disaster along with the training to respond to the many natural and man-made disasters that beset us each and every year, with what seems like a quickening pace. We need to enlist the help of all our colleagues and professionals in the field and speak with one voice from city, county, country and government levels. The ICPEM and the EPS would like to help lead that charge and are exploring the bringing together of our two organisations to have a stronger more unified voice to assist our communities and the world in the field of Resilience. 
I would also like to thank all the new volunteers who have stepped into the breach to assist in running your institute and would urge all of you to get involved at a local, national or international level to contribute to the discussion, research, training or delivery of resilience for the good you your communities. Thoughts from the Chair FIRST VIEW By Les Chapman BEng MBA CMarTech FICPEM FIMarEST AFNI “Boeing 777-200ER Malaysia AL (MAS) 9M-MRO - MSN 28420 404 (9272090094)” by Laurent ERRERA from L’Union, France - Boeing 777-200ER Malaysia AL (MAS) 9M-MRO - MSN 28420/404Uploaded by russavia. Licensed under Creative Commons Attribution-Share Alike 2.0 via Wikimedia Commons “Map of search for MH370” by Soerfm - Own work. Licensed under Creative Commons Attribution-Share Alike 3.0 via Wikimedia Commons - http://commons. wikimedia.org/wiki/File:Map_of_search_for_MH370. png#mediaviewer/File:Map_of_search_for_MH370.png
  • 4. 4 Editorial I t gives me great pleasure introduce the Autumn 2014 edition of Alert which, thanks to the members and interested parties, includes a diverse range of articles. Since the Spring edition of Alert, it is hard to believe the how the national state of affairs has changed so dramatically both in terms of conflicts and natural disasters. I would like to focus briefly on the Ebola situation. The Ebola outbreak was first reported in West Africa during March this year and has rapidly become the deadliest occurrence of the disease since its discovery in 1976. The World Health Organisation (WHO) has declared an International Public Health Emergency. Many people have died, with Sierra Leona, Guinea and Liberia reported to be the worst-affected. The 2014 outbreak dwarfs previous epidemics, with WHO figures indicating that as of 11 August there were 1,975 probable, suspected and confirmed cases, and there had been 1,069 deaths. Ebola is named after a river in the northern part of the Democratic Republic of Congo. Statistically, it is a relatively trivial disease, killing a few thousand people since its discovery in 1976. In contrast, malaria and tuberculosis each kill several million people each year. Measles killed 122,000 in 2012. Yet, Ebola has captured the public imagination. It is not known which animal harbours the virus although bats have long been suspected, and this makes prevention and control difficult. The clinical manifestation is dramatic, with rapid progression from infection to cell death and symptoms that can include bleeding, vomiting and diarrhoea. The fatality rate is high, ranging from 50% to 90%. As the medical professionals and scientists race to address the problem, an ethical dilemma has erupted. It is a well known fact that the Ebola virus has no treatment and no vaccine available in the market today. But there are several pharmaceuticals working to develop a treatment. 
The United States government tested the new drug ‘ZMapp’ on two Americans infected with the virus. There was a public protest on why the drugs were given to the Americans and not made available to the general public. This raised several ethical issues in relation to who should first receive the limited supplies of a potentially life saving drug and also, is it appropriate to distribute an untested treatment. The World Health Organisation has to balance the need to contain the spread of a rapidly spreading deadly disease and satisfy the legal and moral aspects of distributing limited supplies of untested, but potentially life saving treatments. The ReliefWeb is an excellent website where all natural disasters are listed with a brief explanation of the event and the current status. Visit: www.reliefweb.int Dave.dowling@icpem.net EDITORIAL BOARD Tony Moore (Chair) MPhil FICPEM Dave Dowling (Secretary) MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH Professor David Alexander PhD Prof FRGS FRSA FGS FICPEM Professor Frank Gregory, Hon FICPEM Professor Gary Silver MSc GCE LLS (QTLS) FICPEM FEPS ALERT EDITORIAL By Dave Dowling MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH Professor Ian Davis, PhD Hon FICPEM FPWRDU Dr Karen Reddin PhD FICPEM Kevin Arbuthnot QFSM MPhil DMS FICPEM FIFireE Mike Broadbent MSc BSc CEng CSci CEnv FICPEM FHEA FICE MCMI Dr Sarita Robinson PhD MSc FICPEM This image is a work of the Centers for Disease Control and Prevention, part of the United States Department of Health and Human Services, taken or made as part of an employee’s official duties. As a work of the U.S. federal government, the image is in the public domain.
  • 5. ICPEM // Alert // Autumn 2014 5 On 24 May, a gunman shot dead two women and a man - they were an Israeli couple in their 50s, and a French female volunteer - at the Jewish Museum in Brussels. A fourth man, a Belgian employee at the museum, who was seriously wounded, died in hospital on 6 June. The attacker had arrived by car, got out, fired on people at the museum entrance, and returned to the vehicle that then sped away. The attack was recorded by the museum’s CTV system and the police were able to circulate it, through media comapnies, to a wide public audience ın an effort to identify the gunman. One week later, the suspect, 29-year- old Mehdi Nemmouche, originally from Roubaix on the Franco-Belgian border, was arrested at the Saint-Charles train station in Marseille, France, havıng arrived there by an overnight coach from Brussels. A Kalachnikov automatic rifle with Islamist markings, a revolver and amunition similar to those used in the shootings were found in his luggage during a routine drugs check by customs officers. With the weapons, there was a white sheet emblazoned with the name of the Islamic State of Iraq and the Levant, a jihadist group fighting in Syria and Iraq. French authorities also found press cuttings on the museum attack and a film for a miniature camera holding a record in which he appears to admit the attack. The Belgian federal prosecutor, Frédéric Van Leeuw said that it appeared that the suspect had tried to film the killings but his camera had failed. On 15th of July at 08:39 a.m. (Moscow time) several carriages at the front of a packed underground train, travelling from the north-west of Moscow to the City centre, derailed between Park Pobedy and Slavyansky Bulvar on the Arbatsko-Pokrovskaya dark blue line of the Moscow Metro. As a result 23 people died and more than 160 were seriously wounded, some of whom were still in a critical condition at the time of going to press. 
Most of the dead and seriously injured were in the front of the train because, as a result of the derailment, the carriages concertinaed together as those from the rear hit those in front. Among the dead was a citizen of China and one from Tajikistan; the injured included residents from 12 Russian regions and five countries – Ukraine, Moldova, Tajikistan, Uzbekistan and Kyrgyzstan. Park Pobedy (Victory station), where disaster happened, is the deepest metro station in Moscow, 84m underground, which made the rescue operation particularly difficult. More than 1,100 people were evacuated. Some of those hurt were carried out of the tunnel on stretchers, with the most Mehdi Nemmouche is a convicted criminal with a troubled childhood who became a Syrian djihadist soon after he left prison in France in January 2013. He returned to Europe two months prior to the attack and it is believed that he spent some time in Britain. President Hollande later pointed out that the suspect re-entered Europe through Germany and then moved on to Belgium. However, in France he was under close survelliance. This suggests that despite declared concerns about militants of European origin returning to Europe after having fought in Syria, there is little control over movements of such people is not there and Europe-wide cooperation in following ex-Syrian fighters is inadequate. It would appear that such people can be under surveillance in one EU country but they can easily move to another country EU country without vital information being passed to the second country. There are still many questions about Brussels attack, but the main ones are • Did the terrorist act alone? • Did he get orders from any terrorist group or was the attack carried out on his own iniative? If his involvement in the Brussels attack is proven, Mehdi Nemmouche will be the first European jihadist volunteer in Syria to have committed an act of terrorism upon his return to Europe. That leads to a third question. 
Was this an isolated incident or is it the first of a number of attacks, turning European fears into reality? European News TERRORIST ATTACK IN BELGIUM By Lina Kolesnokova MSc FICPEM MOSCOW UNDERGROUND DISASTER
  • 6. 6 serious cases airlifted to hospital. >> pg5 >> pg4 The cause of what was one of the worst incidents on the Moscow Metro is reported to been a power surge. But the real cause would appear to be as a result of inadequate maintenance work which was carried out in May when a switch mechanism, which had been repaired by a track supervisor and his assistant with ordinary 3-mm wire, as a result of which, at a crucial moment it snapped. Three people were subsequently Malaysian Airlines Flight MH 17 was shot down on 17 July 2014 during the ongoing military conflict in Ukraine whilst on a scheduled international flight from Amsterdam to Kuala Lumpa. The wreckage came down in eastern Ukraine close to the border with Russia. All 283 passengers, including 80 children, and 15 crew members were killed. At the time of going to press, it is believed that the aircraft was shot down by a soviet-designed Buk surface- to-air missile fired from within territory belonging to Ukraine but controlled by pro- Russian separatists. On 21 October 2013, a female suicide bomber set off an explosive device on a bus, killing 7 and injuring 36 people; on 29 December a male suicide bomber, set off an explosive device in a train station, killing CRASH OF MALAYSIAN FLIGHT A view of collapsed Maxima supermarket in Riga, Latvia, Saturday, Nov. 23, 2013 European News By Lina Kolesnokova MSc FICPEM 18 and injuring about 50 people; and on 30 December a male suicide bomber set off an explosive device on a trolleybus, killing 16 and injuring 41 people. At the time of going to press, there are many unanswered questions. For instance, who (which group) is responsible for these terrorist attacks? Who, precisely are the perpetrators of these attacks? To-date, no-one has claimed responsibility and only the female suicide bomber who was involved in the 21 October incident has been indentified. 
Are these attacks related to a threat made in July 2013 by Doko Umarov, the leader of a Chechen separatist group known as the Caucasus Emirate, to disrupt the Sochi Winter Olympics? Umarov is already Russia’s most wanted man, having been involved detained on charges of negligence; and a thorough investigation is underway. Meanwhile the Chief Executive of Moscow Underground has been fired. The Moscow metro, one of the world’s busiest, is a vital transport artery for the city, transporting more than nine million people on weekdays because of heavy traffic on the streets. It covers 325.4 kilometres of route, and includes more than 194 stations. Moscow is a leader among world capitals on traffic jams, therefore metro is nowadays is the only way to travel in the busy city. Critics accuse the authorities of spending too much on extending the metro system, and not enough on maintenance of infrastructure. High level of corruption,mismanagement, cost-cutting practices and system of sub-contracts are main factors of low safety level of Russian transport system. in a number of terrorist attacks in Russia, including one in 2009 outside the Cechen Interior Ministry in 2009; the bombing of the high-speed Nevsky Express train, in which 28 people were killed, also in 2009; the bombings of the Moscow subway that killed 40 people in 2010; and the bombing of Domodedova Airport in Moscow in 2011, that killed 36 people. When the answers to these questions become clearer, I will write further on these terrorist attacks. Author Profile Lina Kolesnikova is an independent expert in risk, crisis and disaster management based in Brussels. She is currently the Institute’s representative to the European Union.
  • 7. ICPEM // Alert // Autumn 2014 7 Branch News Northwest Branch Dave Dowling MEd BSc(Hons) MICPEM MIFireE MCMI TechIOSH Scotland Branch David Dalziel QFSM MA FICPEM FInstLM An event planning meeting took place with Executive members of the North West (NW) Branch of the Emergency Planning Society took place during August with the aim of developing a joint activity. The original plans for an event at the Warrington Peace Centre with a theme of psychological support for the victims and the responders, will be postponed until next year. The current plan is to arrange a joint visit to a nuclear power station during November followed by a branch meeting. More information will be provided in due course via the local network. The Emergency Planning Society annual conference is planned to coincide with the Emergency Services Show on the 24th and 25th September. The theme will be ‘resilience’ with speakers invited to talk about the Fukushima nuclear power plant incident. Anyone interested in joining the North West Branch should contact Dave Dowling on dave. dowling@icpem.net On the Right Tracks: A Resilient Transport Perspective on the 2014 Commonwealth Gamese. The 2014 Commonwealth Games in Glasgow required a huge multi-agency commitment to ensure the safety of athletes, games visitors and local communities together with the tens of thousands of people visiting Glasgow. A resilient, safe and integrated transport system across Scotland was an essential feature of those arrangements. Global coverage of the event throughout the duration of the games brought significant pressure on every agency to ensure that they were at the highest state of readiness with robust planning, sound contingency arrangements and highly effective response capability well embedded. One shining example of that was the partnership between Network Rail in Scotland, the train operating company that operates 95% of all services in Scotland, ScotRail and British Transport Police (BTP). 
ScotRail anticipated delivering over one million passenger journeys over the 11 days of the games and trained over 3000 of their staff to enhance passenger experience over that period. Network Rail has responsibility for all rail infrastructure across the UK and directly manages the main railway station in Glasgow. They carried out a huge amount of work in preparation for the games including advancing upgrade and routine replacement engineering projects to provide the highest possible level of safety as well as minimising potential delays due to faults and freeing up key staff in case of any incidents. Network Rail made special arrangements for the rapid deployment of resources and specialist staff including joint staffing of rapid response 4 x 4 vehicles with British Transport Police. This contingency was further enhanced by the deployment of two of the Network Rail’s Eurocopter AS355 helicopters which were also dual crewed by police officers from BTP. As part of the command and control arrangements both Network Rail and ScotRail route control centres (co-located in Buchanan House in Glasgow) underwent additional staff training on contingency arrangements for the games linking to the Transport Coordination Centre in the East end of Glasgow close to Celtic Park. Adopting areas of best practice from the 2012 Olympics and adapting them to suit local circumstances all three organisations established very comprehensive training, staff awareness and robust contingency arrangements to help deliver a safe and successful 2014 Commonwealth Games. David Dalziel on Scotland@icpem.net Regional zones of the ICPEM within the UK and Ireland
  • 8. Announcement
INNOVATION AND INTEROPERABILITY AT THE EMERGENCY SERVICES SHOW 2014
Introduction
From emerging technology to the latest training and techniques, the upcoming Emergency Services Show has it all covered. Aimed at all personnel involved in emergency response, planning and recovery, the free-to-attend event taking place at the NEC in Birmingham on 24 and 25 September features an indoor and outdoor exhibition of over 400 stands, free seminars and workshops.
Free Seminars and Workshops
Two free seminar programmes will run at this year’s event for the first time. The Interoperability Seminars, developed in partnership with the Joint Emergency Services Interoperability Programme (JESIP), will include case studies on successful multi-agency working presented by responders from Lincolnshire Emergency Services and Dorset Emergency Services. National Occupational Standards, winter flooding and the future role of Local Resilience Forums are also on the agenda, and representatives from JESIP, the College of Policing, CFOA National Resilience, the National Ambulance Resilience Unit (NARU), Skills for Justice, Cabinet Office and the Environment Agency will all be speaking. Meanwhile the Innovation Seminars will cover the latest developments in PPE, Body Worn Video (BWV), ambulance design, social media and mobile communications. The full seminar programmes will be published on www.emergencyuk.com. Meanwhile the College of Paramedics will be returning with its popular Continual Professional Development (CPD) sessions, comprising a mix of free 30-minute lectures and workshops.
UK SAR Zone
The UK SAR Zone will bring together Mountain Rescue England & Wales, Association of Lowland Search & Rescue, British Cave Rescue Council, RNLI, Maritime and Coastguard Agency and RAF Mountain Rescue to promote the search and rescue capabilities of the UK’s emergency responders.
ICPEM to Network in Emergency Response Zone
The promotion of multi-agency working between the key emergency responders and their partner agencies is the heart of the show, with a dedicated networking area – the Emergency Response Zone sponsored by Draeger UK – featuring over 80 support responders, voluntary sector partners and NGOs including the Institute of Civil Protection and Emergency Management (ICPEM). Stands of interest include CFOA National Resilience, NARU, Public Health England, Training 4 Resilience, JESIP, Home Office ESMCP, British Association of Public Safety Communications Officials and AA Special Operations. Running alongside The Emergency Services Show in private rooms located in the atrium will be a number of key meetings held by industry bodies. These include the Emergency Planning Society’s annual conference on 25 September.
Getting there:
• Physically linked to Birmingham International Airport and Birmingham International Station
• Discounted travel for visitors using Virgin Trains (see www.emergencyuk.com for details of how to apply)
• Direct access to UK motorway network
• No parking costs
• Coaches will run from Birmingham International Station to the exhibition halls.
To register and to view the latest seminar programmes visit www.emergencyuk.com
  • 9. Blue Light Special Interest Group
ASSURING THE RESILIENCE OF THE NHS IN ENGLAND
David Dalziel QFSM MA FICPEM FInstLM
The NHS is one of the most high profile organisations in the UK and of huge public, media and political importance. It has one of the largest budgets and is amongst the biggest employers in the UK. Ensuring that all parts of the system (often referred to as the ‘health economy’) are able to respond to major incidents and emergencies, continue to deliver optimum care during disruptive challenges, have effective business continuity arrangements in place and are able to quickly return to normal is vital to communities across the UK. As NASA said on the Apollo space missions, ‘failure is not an option’. The NHS needs to be able to plan for and respond to a wide range of emergencies and incidents that could affect health or patient safety. This could be anything from severe weather to an infectious disease outbreak or a major transport accident. Under the Civil Contingencies Act 2004, NHS organisations and providers of NHS funded care must show that they can effectively respond to emergencies and business continuity incidents while maintaining services to patients. This work is referred to in the health service as emergency preparedness, resilience and response (EPRR). In April 2013 the NHS in England underwent massive reform creating, amongst other bodies, Public Health England, NHS England, various Trusts and the formation of Clinical Commissioning Groups (CCGs) who, by definition, are responsible for significant parts of the NHS budget and commissioning care. The Health and Social Care Act 2012 provides the statutory basis for these structures.
The Civil Contingencies Act 2004 specifies the respective duties of ‘health’ responders and these are:
Category 1 responders
• Department of Health on behalf of Secretary of State for Health
• Public Health England
• NHS England
• Local authorities (Directors of Public Health)
• Acute service providers
• Ambulance service providers
Category 2 responders
• Clinical Commissioning Groups (CCGs)
• NHS Property Services.
Primary care (including out of hours providers), community providers, mental health, specialist providers and other NHS organisations (for example NHS Blood and Transplant, NHS Supply Chain, 111) are not listed in the Civil Contingencies Act 2004; however, the Department of Health and NHS England guidance expects them to plan for and respond to emergency and business continuity incidents in the same way as Category 1 responders, in a manner which is relevant, necessary and proportionate to the scale and services provided. These obligations are contained within the contracts issued by clinical commissioning groups although, thus far, there has been a ‘light touch’ approach to assuring the extent of resilience beyond the Category 1 responders within the NHS.
A National Health Service Air Ambulance at a motocross event in Elgin, Moray, Scotland, to uplift a patient after a motorcycle crash on 16 March 2014.
In fulfilling its responsibilities on behalf of the Secretary of State, the Department of Health represents the health sector in the development of UK government civil resilience and counter terrorism policy,
  • 10. with scientific and technical advice from Public Health England and liaising with international organisations such as the EU and the World Health Organisation. The Department also provides assurance to the Cabinet Office of health system preparedness for and contribution to the UK government’s response to domestic and international emergencies, in line with the National Risk Assessment and as one of nine Critical National Infrastructure sectors; ensuring the co-ordination of the whole system response to high-end risks impacting on public health, the NHS and the wider healthcare system; supporting the UK central government response to emergencies, including ministerial support and briefing; and ensuring effective arrangements for health emergency preparedness, resilience and response from April 2013. The national level arrangements are underpinned by local assurance processes conducted since 2013 by NHS England. All Category 1 and 2 responders are obliged to complete a comprehensive self-assessment of their preparedness, resilience (including business continuity) and response capability against a set of minimum core standards [1]. This year is the first time Category 2 responders will have to complete the process on a mandatory basis, although many participated voluntarily in 2013. Primary care providers are being encouraged to take part in 2014 in preparation for mandatory inclusion in 2015, and a number of GP practices are collaborating in groups to self-assess their status against the core standards.
The 2014 Core Standards and guidance were published on July 1st 2014 and the self-assessment process is being conducted over August and September, with NHS England carrying out thematic assurance checks and liaison with providers and Clinical Commissioning Groups during October, followed by governing bodies signing off their self-assessments and producing any subsequent action plans in time to be presented to the respective Local Health Resilience Partnerships (LHRPs) around November. LHRPs were established in April 2013 to deliver national EPRR strategy in the context of local risks. They bring together health sector organisations involved in emergency preparedness and response at the Local Resilience Forum (LRF) level and are a forum for co-ordination, joint working, planning and response by all relevant health bodies. LHRPs in effect formalise arrangements that already existed in many local health economies to co-ordinate health sector input to the LRFs and emergency response. Whilst LHRP boundaries are not always coterminous with LRFs, they do ensure effective planning, testing and response for emergencies and enable all health partners to input to the LRF, in turn providing the multi-agency LRFs with a clear, robust view of the health economy and the best way to support LRFs to plan for and respond to health threats. The arrangements for EPRR in the NHS are set out in the Department of Health document ‘Arrangements for Health Emergency Preparedness, Resilience and Response from April 2013’ published in April 2012 [2] and were the subject of a Webinar from the Emergency Planning College in March 2013 [3].
References
1. www.england.nhs.uk/wp-content/uploads/2014/07/eprr-core-standards-0714.pdf www.england.nhs.uk/ourwork/eprr/gf/#core
2. www.gov.uk/government/uploads/system/uploads/attachment_data/file/215083/dh_133597.pdf
3. www.epcollege.com/EPC/media/MediaLibrary/Webinars/EPRR-webinar.pdf
Ambulance responder in London on 23 November 2013. Ambulance emergency van at street in London.
  • 11. About the author
David Dalziel was the Chief Fire Officer of Grampian Fire and Rescue Service for eight years and was vice chair of Grampian SCG. He was Secretary of CFOA Scotland for six years and chair of the Association from 2012 to 2013. David is also the ICPEM regional representative for Scotland and is an Associate Lecturer at the Cabinet Office Emergency Planning College. David can be contacted on Scotland@icpem.net
Updates
JESIP
By David Dalziel, QFSM MA FICPEM FInstLM, Chair ICPEM
All of those involved in the police, ambulance and fire service sectors of the blue light community will be well aware of the JESIP and its continued expansion into further areas including, most recently, Jersey and Guernsey, although it has not yet been adopted in Scotland. Further development of the programme has been signed off at Ministerial level and a legacy structure around doctrine, training, testing and exercising and joint organisational learning will be rolled out through a series of roadshows over the coming months. JESIP will be at the Emergency Services Show in Birmingham on the 24th and 25th of September with their ‘Interoperability Theatre’ featuring a number of presentations on the programme. The joint organisational learning strand of the legacy is of particular importance as the process will identify what needs to be learned, act on those lessons, share what needs to be learnt and check that change has actually happened. As the training of operational and tactical incident commanders continues, the figures (as at July 1st 2014) show that 65% of those registered for the training have now completed it, with Wales and colleagues in British Transport Police at 100%, so well done to them. Increasingly the joint decision making model and the ‘METHANE’ mnemonic to structure major incident reporting are being adopted across other responders and are becoming well embedded in the routine business of Local Resilience Forums (LRFs).
There are a number of good examples of LRFs inviting other Category 1 and 2 responders to view JESIP training and that has been well received by partners in terms of raising awareness and improving multi-agency integration. JESIP does not redefine multi-agency interoperability but its doctrine is designed to complement the Cabinet Office ‘Emergency Response and Recovery’ guidance, focusing specifically on the interoperability of the three emergency services in the early stages of response to a major emergency. For more information on JESIP and access to downloadable training and guidance material please visit their website on: http://www.jesip.org.uk
Commanders’ Aide Memoire
Multi Agency Communications
Enable information sharing and joint decision making between Blue Light Commanders by:
Option 1: Face to Face Communication (Consider setting up Multi Agency Talk Group)
Option 2: Airwave Service - Resilient, Secure, Recordable.
• Contact your Control Room to request an Incident Command Multi Agency Talk Group (specify which Services are required)
• Your Control Room will allocate you a Talk Group
• Switch a handset to the allocated Talk Group
• If you wish to monitor another Talk Group a second handset will be required
• Carry out a test call to other Agencies to confirm set up
• Before you leave the Multi Agency Talk Group you must inform members of the Talk Group and your Control Room
Do’s and Don’ts when using a Multi Agency Talk Group
• Do use clear and unambiguous speech
• Check understanding
• Do not use acronyms
• Use clear common understandable roles eg Police Incident Commander
• Multi Agency Talk Groups are not for individual service working but for incident commanders communication across the services.
Achieving Joint Understanding of Risk
Identification of hazards – individual agencies should identify hazards and then share appropriate information cross-agency with first responders and control rooms. Use METHANE to ensure a common approach.
Dynamic Risk Assessment – undertaken by individual agencies, reflecting tasks / objectives to be achieved, hazards identified and likelihood of harm from those hazards.
Identification of tasks – each individual agency should identify and consider the specific tasks to be achieved according to its own role and responsibilities.
Apply control measures – each agency should consider and apply appropriate control measures to ensure any risk is as low as reasonably practicable.
Multi-agency response plan – consider hazards identified and service risk assessments within the context of the agreed priorities for the incident. Develop an integrated multi-agency operational response plan.
Recording of decisions – record the outcomes of the joint assessment of risk, the identified priorities and the agreed multi-agency response plan.
  • 12. Updates
THE SOCIAL ACTION, RESPONSIBILITY AND HEROISM BILL – EMERGENCY RESPONDERS TAKE NOTE
By Roger Gomm QPM, FICPEM
The Social Action, Responsibility and Heroism Bill was introduced in the House of Commons on 12 June 2014 and is expected to receive Royal Assent by early 2015. This piece of legislation is aimed at encouraging people to ‘volunteer’ to support activities in the community. “Helping out: a national survey of volunteering and charitable giving” in 2006/2007 found that this was one of the significant reasons cited by 47% of respondents to the survey who did not currently volunteer. This supports the Government’s broader aims of encouraging and enabling people to volunteer and to play a more active role in civil society. However, the legislation may also have an impact on ‘emergency response’ by encouraging ‘first responders’ to help others or intervene in an emergency without the fear of risk and/or liability. The legislation is intended to reassure people, including employers, that if they demonstrate a generally responsible approach towards the safety of others during a particular activity, the courts will take this into account in the event they are sued for negligence or for certain breaches of statutory duty, the obvious one being the Health and Safety Act. It will provide reassurance that if something goes wrong when people are acting for the benefit of society or intervening to help someone in an emergency, the courts will take into account the context of their actions in the event they are sued. The Bill would not change the overarching legal framework, but it would direct the courts to consider particular factors when considering whether the defendant took reasonable care.
In any negligence/breach of statutory duty claim that is brought where the court is determining the steps a defendant should have taken to meet the applicable standard of care, it will be required to have regard to whether:
• the alleged negligence/breach of duty occurred when the defendant was acting for the benefit of society or any of its members (clause 2);
• in carrying out the activity in the course of which the negligence/breach of statutory duty occurred, the defendant had demonstrated a generally responsible approach towards protecting the safety or other interests of others (clause 3); and
• the alleged negligence/breach of duty occurred when the defendant was acting heroically by intervening in an emergency to assist an individual in danger and without regard to his own safety or other interests (clause 4).
I would suggest that emergency responders pay attention to the progress of this legislation over the next six months.
Photo: By Official Navy Page from United States of America, U.S. Navy Chief Joshua Treadwell/U.S. Navy [Public domain], via Wikimedia Commons
  • 13. Incident Report
THE WESTGATE TERRORIST ATTACK: WAS LAPSE SECURITY A CONTRIBUTING FACTOR?
By Adrian Meja MSc FICPEM ABCI ACIArb MEPS(UK)
The Westgate shopping mall is a prestigious shopping centre in the ‘Westlands’ situated some 8 kilometers west of the Nairobi city centre. The complex is owned by Israeli nationals and is known to be frequented by affluent members of the Kenyan society along with United Nations staff. The building was insured by Lloyd’s of London for approximately 6.6 billion Kenya shillings.
Situation
Saturday 21st September 2013
At approximately 12:30 hours, al-Shabaab terrorists entered the Westgate Mall in Nairobi, Kenya and shot dead defenseless women, children and men in the name of jihad. A Mitsubishi car, registration KAS 575X, used the Peponi road entrance to access the Westgate building where no barriers were available to prevent unauthorised vehicle access. The four occupants of the car entered the building and started shooting at the shoppers. Initially people thought it was a bank robbery, only to realise that it wasn’t when some terrorists went beyond the first floor to the top floors and continued to kill and maim shoppers. The car is known to have been purchased on 6th September 2013 which indicates that plans began well over a month before the attack.
12.40 hours - terrorists had control of the entire four storey building from the basement to the roof top. Kofi Awoonor, a renowned author from west Africa, was killed in the basement by terrorists.
13.10 hours - a team of flying squad police arrived but did not act immediately, during which time approximately 30 civilian gun owners, caught in the attack, began engaging the terrorists.
13.15 hours - two gunmen were seen on the ground floor attacking staff and visitors in the mall.
13.25 hours - no control of the situation by the authorities or security forces.
14.30 hours - two attackers were seen changing clothes and left the mall amongst rescued shoppers. One shopper pointed out the terrorist but the security forces did not take notice.
16.00 hours - the General Service Unit (GSU), a paramilitary security force, arrived and within a few minutes, the situation was being managed to neutralise the terrorists.
17.30 hours - the Kenya Defence Force (KDF) arrive at the scene and engage the terrorists with the GSU. During the defensive action, the lead GSU officer is alleged to have been killed by the KDF soldiers. This forced the withdrawal of GSU from the response teams. There was a lull of two hours as night fell and eventually David Kimaiyo, the Inspector General of police, was given the mandate to take command and control the incident. The terrorists did not encounter a counter attack from the security forces during the night. They were also able to view what was going on outside the mall as the media relayed the response preparations live over the TV channels.
22nd September 2013
07.00 hours - under the command of the IG, the police and the KDF attempted to retake control of the ground floor but were repulsed by the terrorists - one KDF soldier was killed and one wounded.
09.00 hours - crowds of well-wishers and curious onlookers brought food for the victims and responders.
14.00 hours - Kenya Police, KDF and Interior Ministry Secretary, Ole Lenku, announced the death of 59 innocent people and terrorists estimated at between 10 to 15.
Photo: “Smoke above Westgate mall” by Anne Knight - Direct personal communication between copyright holder and uploader. Licensed under Creative Commons Attribution-Share Alike 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Smoke_above_Westgate_mall.jpg#mediaviewer/File:Smoke_above_Westgate_mall.jpg
  • 14. 15.00 hours - friends and relatives of missing and rescued people were assembled at the Oswal Centre, 200 meters from the mall where medical assistance, food and supplies were available at the centre for coordination and information.
16.30 hours - the Israeli military join forces with the KDF and enter the mall.
23.30 hours - an announcement was made that the siege was over and that most or all hostages were out of the mall.
23rd September 2013
KDF Chief, Julius Karangi, took over command and control from the IG of police. A large blast was heard after the siege had been declared over.
13.25 hours - four more blasts were heard followed by huge columns of smoke.
19.40 hours - the siege re-confirmed to be over by the KDF Chief.
24th September 2013
20.00 hours - gunfire heard from the shopping mall.
22.00 hours - the president declares the operations ‘over’ and states that the confrontation with the terrorists at the Westgate mall resulted in 240 casualties with 61 civilians and 6 security officers killed. The cost of the damage to property was estimated to be over kshs. 6 billion.
Investigation
The planning for the attack was traced back to Evermay and Solar lodges in Eastleigh, about 20 kilometers east of Nairobi City, in an area occupied mainly by Somalis from Kenya and Somalia. Some of these people were traced to have travelled from Sudan, Somalia and used Kenyan refugee camps to disguise their presence. The attack on the Westgate mall had similarities with the Kikambala hotel attack, the Nairobi USA embassy attack, and the failed attack on the Arkia airline in Mombasa. The target appears to be consistent with attacks on United States, Israeli and British government establishments. The terrorist groups al-Qaeda and al-Shabaab are well known for targeting western interests. Kenya has become a victim of such attacks due to the links with the western countries and Europe.
It appears there was no specific intelligence that the Westgate mall was a target for an attack. However, the local military had been advised to avoid the complex as it was considered a likely target for an attack. The al-Shabaab terrorist group claimed responsibility for the attack in the name of Islam even though the terrorists were not Muslims. No religion or belief supports any form of violence. Many terrorist groups regularly claim to be acting in the name of ‘Islam’ to escape punishment or to appear as if they are supported by the Muslim community. The first person to take charge of the response team was a police officer of the rank of Inspector and his action was commendable in the absence of any other senior officer or specific body that deals with terrorism. The General Service Unit came in as a specialised force and then the defence forces came in to combine capabilities. Command and coordination lapsed somewhere during the response when friendly fire killed a senior GSU officer. By morning of the following day, the attackers had been neutralized by the GSU. The terrorists may have escaped at one point or another because the estimated number of those involved and those killed or arrested does not tally. One survivor walked out and saw a terrorist who had changed clothing and pointed this out to the security agents, but no attention was given and the terrorist slipped out. The fact that all rescued people were not confined until scrutinised adds credence to the reasoning that security was lax. Cross-organisational isomorphism can be achieved if these teams appreciate each other’s roles, train together and exercise together, since they all provide state security, though at different levels, as identified by Toft and Reynolds (2005) in their publication “Learning from Disasters: a management approach.” As the rescue efforts continued by the police, defence forces and General Service Unit, one would expect a smooth recovery.
However, it was shocking to discover the level of looting that took place and it is not clear who was responsible. Shops and banks were broken into where jewellery, cash and other valuables were stolen. The chair of the Parliamentary investigation, Mr. Kamama, and the Army Commander defended the actions of the security officers by suggesting that there was no looting until CCTV evidence presented conflicting evidence. The Army Commander then suggested that the soldiers had been allowed to take water from a supermarket. This was meant to cover up the poor performance of the soldiers. The KDF soldiers also caused collateral damage to the building by setting fire to the supermarket and used grenades to destroy the evidence that would connect them to the crimes of looting. Subsequently a few soldiers were prosecuted to try and salvage the image of the security forces. The search and rescue came to an end when more than 50 people were claimed to be “unaccounted for” by the Minister for Interior. This was maintained even as a foul smell continued to come out of rubble that was part of the collapsed structure. This statement was inappropriate as work was still
  • 15. ongoing to recover bodies trapped under the rubble. The Minister could not have known how many people were unaccounted for as there is no method of recording people who enter a shopping complex. The media played their role in highlighting what was going on at the incident scene but exposed the preparations of the security forces when they televised the rescue mission, thus giving away information that would help the terrorists – this is probably one reason why the terrorists were able to escape. This was not the type of event that the media needed to relay live to the public. Courses are available that inform the media on how to categorise disasters and the methods of reporting that can be adopted without compromising security. The author attended such an event delivered by the Institute of Civil Protection and Emergency Management which proved to be very informative. In an article published in the Autumn 2005 edition of the Alert journal (page 11) it was explained that terrorists prefer vehicles with a capacity up to five tons in weight to carry large explosive devices. Vehicles may also be required that carry up to five occupants with equipment or weapons. To avoid easy detection, the terrorists are not in a hurry to register vehicles that are bought in their names. Experience suggests the need for a very efficient vehicle registration system that communicates details of new owners, including photographs, to the security agencies within the shortest possible time. One of the vehicles in this case was bought more than two weeks before the incident and an efficient system of communication may have revealed the buyer’s identity and alerted relevant authorities in Kenya. During the incident, terrorists were able to enter the vehicle entrances unchallenged and drive close up to the outside of the building as there were no physical barriers preventing unauthorised access.
A car with secondary devices was discovered much later parked near the Westgate entrance. Entrances to buildings that are next to a road are vulnerable to forced entry by terrorists and certain physical preventive measures must be installed to deter attacks, e.g. width and height restrictions. Security checks for people bringing vehicles into a building should be in a dedicated area well before the controlled access point. Vehicles should not be allowed to park within 25 metres of a vulnerable building. Some embassies have taken such precautions that have deterred any forcible entry into the premises. In fact terrorists don’t go near such installations for fear of being identified. The Centre for the Protection of National Infrastructure (CPNI) in the UK has published a free leaflet on Vehicle Security Barriers (VSB) within the streetscape. A conspiracy theory has linked the authorities to a complacent attitude, but this can’t be verified. However, it is worth noting that the police officer that first took command and control of the incident was later transferred out of Nairobi to a hardship area, which may be interpreted as an odd outcome for such an individual. An enquiry appears to identify the same observations made by the author of this article. The objective findings can help the Kenyan government, international communities and any other organisations facing the threat of terrorism to adopt preventive measures to mitigate the occurrence and impact of terrorist attacks. The report from the enquiry has been found wanting and dismissed by a parliamentary committee.
Managing Risk
Disasters and crises are a consequence of mismanaged risks. Since risks are identifiable and treatable, disasters and crises can, in many cases, be predicted and the potential causes can be mitigated by an effective response. Preparedness is the key to ensure an efficient response. Security risks are dominated by the threat of a deliberate attack.
The security community has to contend with perpetrators who are willing to sacrifice their own lives to cause mass casualties. This type of incident requires a new way of thinking with regard to planning to prevent such events and develop effective interventions. Good intelligence is the most effective means of preventing such an attack. Some countries are more sophisticated than others and have prevented many terrorist attacks. Shared information with other countries and between security organisations is essential. However, whilst warnings may be issued, unfortunately not all countries or organisations respond or react. In the case of the Westage mall attack, it has been suggested that security agencies had some warning at one time or another but were unable to prevent the incident. A Senator from Nairobi claimed he was informed of the potential for an attack and alerted the security agencies. Also, a Presidential candidate alleged that in March 2013, he received information through his networks that an attack was planned and informed the security agencies, but nothing was done. The National Intelligence Service (NIS) claimed to have relayed information on the threat to the relevant body. Toft and Onlookers near Westgate shopping mall. By Anne Knight [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by- sa/3.0)], via Wikimedia Commons.
  • 16. 16 9. Finally, the need to identify contain everyone involved in the incident and check their identity is a critical element of the response by the security forces. The Special Air Service applied such a system during the Iranian siege in London in 1980 where one of the terrorist posing as a hostage was discovered. MARAUDING TERRORIST FIREARMS ATTACK (MTFA) A similar incident occurred in Mumbai during 2008 and introduced the concept of a Marauding Terrorist Firearms Attack (MTFA). Previously, the focus had been on vehicle borne and person borne explosive devices. The prospect of facing multiple offenders with no expectation of survival, with military training and armed with fully automatic weaponry has dictated a sea change in the UK police firearms response. CONTEST is the UKs strategy for countering terrorism and consists of four elements - Pursue: to stop terrorist attacks; Prevent: to stop people becoming terrorists or supporting terrorism; Protect: to strengthen protection against a terrorist attack; and Prepare: to mitigate the impact of a terrorist attack. About the author Adrian Meja is Head of the Disaster Resilience Centre (East Africa) Trust, Adrian has qualified and trained in the field of Risk, Crisis and Disaster management as well as Business Continuity Management. Email: Meja.adrian@gmail.com Websites: www.drc- preparedness.com www.safetyfirstkenya .com Reynolds (2005) explain in their publication “Learning from Disasters: a management approach2 that one of the problems associated with learning from disasters is the danger of ignoring advice. The terrorists involved in planning the attack were identified to be people from outside Kenya and some had fake Kenyan identification documents. This suggests that the security risk started at the border control points. It is possible that either the immigration officials were compromised, or native Kenyans helped foreigners to obtain legal papers. 
It is suggested that ‘Chance favours the prepared, the unprepared have no Chance’. The terrorists were better prepared than the security forces. When does search and rescue stop? One needs to read the Alert Journal, autumn 2004 pg.8-9 to appreciate the answer to this question.

Lessons learned
1. The human vulnerability caused by compromised immigration officers or people under duress to help relatives of friends with criminal motives presents a significant risk factor in disaster management.
2. Security forces that are not working as a team and don’t train together or exercise together can expose the country or responding organisation to threats.
3. Weak security arrangements will attract terrorists looking for a ‘soft’ target. Experience has identified that terrorist organisations plan the attack and will carry out reconnaissance missions and dry runs of the attack to confirm a plan can be achieved. Cross-organisational isomorphism can be adopted to draw true lessons, which is explained by Toft and Reynolds (2005) in their publication “Learning from Disasters: a management approach.”
4. Media inadvertently informs the public on issues that would normally go unnoticed. Care must be taken to identify which stories can be relayed overtly to the public without affecting security.
5. A degree of initiative, boldness and creative thinking exists amongst individuals, non-government organisations (NGOs) and communities which should be encouraged as it can assist with managing various aspects of an incident. During the disaster, the Oswal community, situated within the Westlands, established a centre for receiving casualties, feeding responders and providing other effective facilities.
6. Looting and collateral damage occurred during the incident, especially during the latter phase of the response. This should be discouraged by disciplined forces when they arrive on the scene, not least because a crime scene should be maintained.
This topic was covered by Phillip Buckle, of Coventry University, in the September 2004 edition of the Alert Journal in an article entitled “Responding to Terrorism.”
7. Responders should always search an incident site and pre-planned assembly or rendezvous points for secondary devices that have the potential to cause more casualties or damage.
8. The response needs to separate rescue from recovery and explain to the public the difference where casualties are concerned. Relatives and friends of missing persons must be informed of what action is being taken and what to expect. Support should be provided for the next-of-kin and those affected by the incident and this includes counselling.

Incident Report
  • 17. Counter Terrorism

THE ROLE OF THE COUNTER TERRORISM SECURITY COORDINATOR IN POLICING MAJOR EVENTS
By Jonathan Schulten FSyI

“Trooping the Colour form march past” by Ibagli - Own work. Licensed under Public domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Trooping_the_Colour_form_march_past.JPG#mediaviewer/File:Trooping_the_Colour_form_march_past.JPG

Origins of the Role: The role of a Counter Terrorism Security Coordinator (‘CT SecCo’) was originally developed by the Metropolitan Police Service (MPS) nearly twenty years ago. The need for a coordinating role resulted from the recognition that various specialist officers were deployed to major events, such as the annual Trooping the Colour ceremony, but no one had the responsibility for devising and maintaining oversight of a holistic security plan. As the Gold – Silver – Bronze model for event command teams matured, a gap in the arrangements was identified for someone with wide-ranging and in-depth knowledge of protective security assets to complement the work of other command team members, such as planning, communications and public order specialists. In appointing a SecCo to the team, a Gold commander has the reassurance that they have, in effect, a tactical advisor with a specific remit to maintain oversight of how different protective security assets can interact and satisfy elements of a well-structured, proportionate and appropriate security plan in order to mitigate risk. It will be of interest to members of ICPEM that the initial sponsor and early champion of the SecCo role was none other than Sir David Veness, when he was Assistant Commissioner with the protective security portfolio in the MPS. The SecCo is, in effect, the glue that binds separate highly skilled protective security disciplines together, and ensures they all work cohesively and in pursuance of a thorough and carefully considered security plan. Each of these disciplines deploys very well trained and experienced officers. Typically, a major event might see defensive search activity utilised in order to secure and/or sterilise an area or building.
Where protected persons are attending, their personal protection teams will need to operate in an environment where they are cognisant of the potential threat to the safety of their principals, and who is doing what in order to reduce it. There might be justification for overt, and possibly covert, armed deployments. Gold will need to know how such specialists link in with the deployment of uniformed officers monitoring crowds, which in turn will inform the resourcing decisions they will make. Working and liaising with external partners is also a key aspect of the SecCo’s remit. Understanding the intentions of the event organisers, and satisfying oneself they have a realistic understanding of what they are responsible for, is key. Likewise, event management companies, especially where they are subcontracting out roles such as stewarding. A prestigious event and the perceived kudos it can bring to a venue will sometimes be a cause of distraction from realistic expectation, I have found. It is therefore vital that SecCo also develops an effective working relationship with venue management and maintains a constructive dialogue leading up to and throughout an event.

Asking the right questions: I have learned it pays dividends to ask external partners to notionally sign up to a ‘no surprises’ clause, continually raising questions to remind them of what I would want to know that might impact on the risk profile, and accordingly my security plan. I
  • 18. learned the wisdom of doing so following one event in particular. It was to take place on a stage in a public open space and speeches were to be made. The lead organiser, by way of a casual remark as we were leaving the final planning meeting, told me how delighted she was that the Prime Minister would now be attending. This was just a few days prior and painted a very different picture of risk, to the point of changing the event profile significantly from my point of view. This PM was at that time subject to volatile protest when attending such public facing engagements. I had asked a number of times if the guest list had altered, but on expressing my concern that I had not been given this information, I was told ‘But he is on our list of speakers and you didn’t ask me if that had changed’. So, lesson learnt, off I went to create a much more robust security plan, recommending search regimes and other assets be utilised, where they had not previously been deemed proportionate.

Who has been invited to the event, or is it a case of general public access, such as in an open field site? Where it is invitation only, how and when have the invitations been despatched? What, if any, requirements have been made to ensure the intended recipient is the person presenting themselves for admission on the day? Which contractors have been engaged to support the event logistically and what do we know about their staff? Is there a likelihood of casual labour being utilised at short notice, once the event is in the public domain for example? These are all typical questions, the answers to which the SecCo will want to be satisfied in order to develop a security plan that identifies residual risk which Gold is likely to accept.

Selection and Training: From its origin in the MPS, the SecCo role has been approved by the Association of Chief Police Officers (ACPO) and is now a recommended specialist skill area for each United Kingdom (UK) police force.
Given the nature and level of negotiating and influencing often required, senior officers of at least inspector rank, and commonly chief inspectors or above, are sought as volunteers to undertake the role on top of their day job. The MPS course has developed into a product delivered nationally through the College of Policing at Bramshill. I had the privilege of undertaking the various roles of course director, professional lead and lead assessor from 2009-2013. The national course is now of two weeks’ duration. Delegates must pass a written examination, and progress satisfactorily through exercises in practical application. The course culminates in delegates presenting an assessed security plan. Upon passing all elements, they are classed as ‘occupationally competent’. Within the following twelve months each SecCo must shadow more experienced colleagues in their own force and comply with minimum standards in terms of both deployment and Continuing Professional Development (CPD) activity. Upon doing so, new SecCos are then considered to have completed their initial professionalization and are classed as ‘operationally competent’.

National Governance: Early in 2012 governance of the SecCo profession was put on a more formal footing through the establishment of a National CT SecCo Board, sponsored by the MPS Commander for Protective Security as ACPO national lead. As a founder member of the national board I was pleased to be involved in the growth of a recognised and formally approved structure. This provided a framework for governance of the continuing evolution of the role. For the first time a nationally applied role definition was established: ‘The CT SecCo role is to develop a security plan with a view to minimising, managing and mitigating risk in respect of a policed event or operation in support of Gold’s strategy’. This helped to provide clarity on varying perceptions of the role, bearing in mind the operational independence of each UK police force.
Such perceptions had, over time, also led to differing interpretations on when it was appropriate for a Gold commander to utilise the services of a SecCo and recruit one onto the event command team. In seeking to address this, the board established the following parameters: ‘A CT SecCo must be considered in respect of the following –
• public military events
• high profile ceremonial and civic events
• events involving protected persons
• royal visits
• crowded place events, including high profile sporting events, and
• any other occasion where the Gold commander believes that the appointment of a CT SecCo will support the delivery of a safe and secure event.’

How SecCo Works: SecCo’s place in the command chain is somewhat difficult to define as an absolute. It will to some extent depend on the scale, type and nature of the event. Although appointed by Gold, the reality of the role in major events is that SecCo will usually work to, and closely with, Silver as the tactical lead. He is a key member of Silver’s tactical planning group in the developmental stages leading up to an event. During the event, SecCo will proactively monitor intelligence and information, in order to continually reappraise threat and risk. He will also continually assess the effective deployment of all protective security assets. Where necessary he will adjust elements of the approved security plan in consultation with Silver, subject to Gold’s approval. Applying security oversight in this way means it is not a case of ‘we had a plan and we stuck to
  • 19. it’. Rather, ‘we had a plan and it was good. We constantly questioned its effectiveness and made adjustments in the light of what we found’. Working with police colleagues, the SecCo will convene a security tasking meeting. This gives him the opportunity to gauge the preferred approach and scope of all other protective security specialists and practitioners. He will discuss this with them in the light of the strategy for the event that Gold has set, together with all relevant information and intelligence at that time. SecCo will task colleagues to submit their respective plans in order for him to produce an informed report to Gold. This will detail the proposed security plan for the event through a series of specific recommendations. It is then for Gold to accept SecCo’s report as one which is proportionate and effective in reducing risk, or otherwise to discuss and require adjustments.

The Risk Matrix: Essentially, the SecCo is seeking to do three things:
• to target harden
• to reduce vulnerability, and thereby
• to lessen risk

The cornerstone that underpins SecCo’s considerations is a risk matrix. Within this, threat is determined by a potential attacker’s hostile intent together with their capability to carry out such intent. These two elements, however, are effectively beyond the direct sphere of influence of the SecCo. Where SecCo can have a direct effect through his security plan is in lessening predictability and applying control measures to the event. The more predictable an event is, the easier it will be for those intent on disruption or attack to plan how they will go about doing so. It follows, therefore, that SecCo will take into account the predictability of an event when considering appropriate and proportionate control measures to be applied in respect of it. These two elements will influence vulnerability.
The residual risk will result from a combination of the threat with the vulnerability pertinent to the event. Influencing predictability is easier in some circumstances than others. Depending on the venue, it might be relatively straightforward to introduce subtle changes to public access points, to raise random search on entry to total search, or even to utilise a different entry or exit point for a protected principal. It will be a very different matter with an iconic ceremonial event. Matters of protocol will be significant with such events, making more challenging any quick win in terms of lessening predictability. Where that is the case, SecCo will take this into account in developing the security plan and will recommend assets in order to reduce the residual risk around a highly predictable event. In making recommendations to Gold, SecCo will seek to mitigate unacceptable risk (the ‘Clapham omnibus’ test), whilst providing a proportionate response taking account of the current threat and intelligence picture. Control measures will need to be both achievable and acceptable, not only to Gold but to all key stakeholders. With a significant proportion of major events organised by or involving publicly funded bodies (local authorities, the military, the royal household, etc.), it comes as no surprise that one of the primary influencing factors of acceptability in recent times is cost.

Dealing with Raised Threats: An important element of the security plan is to take account of a changing threat picture and its effect on the risk profile of the event. Whilst we can all think on our feet to some extent, the SecCo’s role in accounting for a range of unspecified occurrences will reduce the need to do so in the lead up to and during an event.
  • 20. Two events where this was required of me come to mind. In 2011 I was SecCo for part of the state visit to the UK of His Holiness Pope Benedict XVI. I had developed the security plan for his first engagements within London, which were three separate events within a university college campus. These were a service within the college chapel, then an appearance on stage joining several hundred school children. This lasted about an hour and was on an open field site. Finally, His Holiness attended an inter-faith discussion for religious and community leaders and other invited guests in a stately ballroom. Each of the three events required a different blend of protective assets. The campus was a porous site in terms of the potential for unauthorised access. This presented certain challenges, especially with regard to the event on the sports field, where the Pope would be visible and static for a prolonged period. Nevertheless, Gold approved my plan for all three. I ensured the venue was secured in accordance with the plan the night before arrival, and off I went home as I was getting up very early the next morning to oversee the security operation on site. Two hours before my alarm went off I got a phone call. (What follows is in the public domain and has been covered by the national media). I was informed that acting on intelligence a number of people believed to be in the advanced stages of attack planning against the Pope had just been arrested. However, not all those sought had been located. I therefore had to assume the real possibility of an imminent threat to the life of His Holiness at my venue. Whilst it is not appropriate to go into the specifics of what was put in place, I was able to adjust the plan so as to provide a greater level of reassurance in the light of the intelligence received.
Such a dynamic challenge led me to reflect on what is achievable within such a tight time frame, and to identify which measures would be likely to require a longer lead-in time. This learning was subsequently fed into the national training course. The second example of responding dynamically to a raised threat has also been in the public domain and national media. The two largest ‘crowded place’ events in the UK are the Notting Hill Carnival and the Central London New Year’s Eve celebrations. I was SecCo for the latter for three years and privileged to work to Commander Bob Broadhurst (retired) FICPEM as Gold and Superintendent Roger Gomm (retired) FICPEM as Silver. Intelligence, whilst not event-specific, led to concern developing about a possible marauding attack that could target our event. Again, for obvious reasons, I cannot go into specifics as to our response. Suffice it to say that specialist assets deployed were significantly increased, both in number and type. Alongside this, new tactics were devised that would enable any such threat to be confronted more effectively than had previously been considered necessary for this event. Accordingly, there are now available to command teams of such large scale crowded place events deployment options that would not have existed had we not had to respond to such a dynamic threat. Following the logic of the risk matrix outlined above, this means risk has been lessened as a result.

Author Profile
Jonathan retired last year from the Metropolitan Police Service as a senior officer in Specialist Operations, serving in the Counter Terrorism (CT) Protective Security Command. He is one of the most experienced police CT Security Coordinators in the country and has presented internationally on protective security and risk reduction in major events.
He was a speaker at CT Expo Crowded Places conference 2013 and has delivered protective security and major events command training to police and governmental organisations in Europe, Central America and the United Arab Emirates. He has provided risk mitigation strategies for a broad range of high profile events, including the royal wedding of Prince William, the state visits of President Obama and His Holiness Pope Benedict, the annual Trooping the Colour ceremonies and London New Year’s Eve celebrations. He was the national lead security coordinator for the Olympic and Paralympic Torch Relays, involving not only the route, but the safety of numerous protected persons and crowded places every night over the seventy days of the event. He led the National Protective Security Advice Cell during the London 2012 games, giving support and advice through the National Olympic Coordinator to LOCOG and government. Having recently transferred his skills into the corporate sector, Jonathan currently heads security and business continuity for a leading property management company based in the City of London. He develops and oversees the delivery of security strategy across a wide portfolio of high end commercial properties. Jonathan is a fellow of the Security Institute.

London 2012 Olympic Games, Stratford Gate, Olympic Park
  • 21. Cyber Attacks

CRISIS MANAGEMENT IN CASES OF MULTIFACETED CYBER ATTACKS
By Dan Solomon, Director of Cyber Security Services, Optimal Risk Management

Multifaceted Attacks
Response to sophisticated cyber attacks, and defense against persistent and prolonged threats is complex. These attacks may be planned as a campaign of ‘intrusions’ across multiple vectors, using different methods, and over many weeks or months.
Invariably the more advanced threats may have ambitious objectives such as sabotage or espionage, and are likely to be perpetrated by well-funded adversaries with access to advanced methods of digital and physical penetration. Such converged attacks have the capability to escalate and progressively challenge, and even exploit an organisation’s responses, methods, disparate teams, and decision-takers. Given that targeted attacks will rarely fit a scenario that has been anticipated, organisations will always need to maintain ‘agility’ in their response capabilities, and be prepared to respond and pre-empt a plethora of plausible attack manifestations. This in itself has a considerable deterrent factor, as attackers will be forced to invest time and funding in increasingly sophisticated methods to effect a breach and all but the most determined may prefer to seek ‘softer’ targets. Hence those organisations that are unprepared are invariably targeted because they present a more attractive risk-reward proposition, which requires less attacker time and investment. Ultimately, an organisation’s response will depend on a broad range of factors and how those factors evolve over the duration of a cyber crisis. More specifically, the response will be a ‘converged’ one incorporating systems, procedures, and decision-taking by managers. Many of the root causes of current security weaknesses have been established by poor management decisions taken over the past 5-6 years and during a cyber crisis, it is commonly evident that poor management decision-making has the potential to further compound those established vulnerabilities. In common with non-cyber crises the response options chosen by managers are based on judgments and therefore subject to what is discovered, further guided by what is understood, driven by what is known, and what is familiar. The main differentiator of cyber crises perpetrated by an ‘advanced attacker’ is the greater complexity inherent to the crisis, and therefore the greater chance of failure. Like any crisis, this is a test of how effectively the organisation recognises early warning signals, how it responds to sudden-impact events, and how it evaluates risk, which all expose the influence of internalities or heuristics; weaknesses of management processes; and flaws in security and crisis planning. This is compounded by the more common failings evident in cyber crises, which are poor risk awareness, ineffective anticipation, the inability to deal with uncertainty, and poor preparation. Progressing through various stages [see figure 1] from first response through to situational awareness and analysis, onto managing the complexity and consequences, will challenge all the organisation’s crisis management processes. To quote the Concise Oxford English Dictionary a crisis is ‘a time of intense
  • 22. difficulty or danger’. In the eyes of organisations, nothing is a crisis until there is recognition of the full extent of consequences. Most companies will be reluctant to classify an incident as a crisis until they realise how intense the difficulty, or the extent of the danger. There may be incidents that are dealt with effectively and early, and as such they never reach the point of ‘intensity’ or represent real danger. However, the minute that the organisation reaches the realisation that there is danger or intense difficulty, it is then that a crisis is upon them. A failing of many companies is the inability to recognise consequences early, and they may be in the full throes of a crisis without treating it as such, because they lack the awareness or the analysis of likely consequences.

Incident Response
Irrespective of what triggers the first realisation that an organisation may be the victim of an attack, and without a clear perception of whether this is an ongoing event or not, teams are deployed with the initial objectives of detection [what has been detected & identified] and analysis [type of malware, correlated with relevant threat intelligence]. Early analysis is an imperative, to establish the status of system integrity, and identify any loss of command and control. The first steps are therefore to mobilise the appropriate response, and wait for a picture to emerge as quickly as possible. This process may be well understood and should have been exercised in the past, and the imperative is to ensure that the right teams, internal and external, have been mobilised and are responding. Communications need to be effective, particularly when dealing with external parties or staff in other time zones, and the initial priority is to manage the communication between the stakeholders at set intervals, to allow for the timely exchange of information and appropriate action.
The early emphasis on managing processes and communications is central to developing and maintaining the situational awareness at this critical stage. Besides the ‘tasking’ of different individuals and teams, the challenge of monitoring the decisions that are being taken and evaluating whether those decisions are based on the appropriate knowledge requires close scrutiny of two main types of processes:
• The process of alerts and indicators and whether this situational information is being translated into actionable intelligence.
• The process of how the intelligence is appropriately applied, and how this translates into effective decision-taking.

In the early stage, before the full extent of the incident becomes apparent, and a fully informed judgement can be reached about the scale and scope of the event, it is critical to resist the temptation to succumb to ‘basic instincts’ that may shape the response to unfolding events. The first danger at this point is complacency in assuming that the attack will follow the pattern of other known or previous incidents, and that this conclusion can be reasonably reached based on current knowledge. The core issue is whether the incident represents a fundamental surprise that was quite unanticipated even within the context of the current environment; or a situational surprise that should have been anticipated as ‘a possibility’ in the current conditions. In either case the first question should be whether events fit a scenario that has been anticipated, and if this is only partially the case, whether the incident is ‘what it seems’. In order to put events into appropriate context, it is important to avoid reaching any partial conclusions and resorting to a premature reaction, and rather to keep asking the right questions: What don’t we know? What could happen next?
Figure 1 - managing the phases of a cyber attack

However, it is important to recognise early where there is no templated response plan for the potential scenarios that the incident may fit into, and whether an existing plan can be appropriately applied and adapted. If the attack has been a ‘converged’ one, then a priority is to differentiate between the symptoms and the causes [particularly if there is the possibility that the attack is being facilitated by an ‘insider’ or any planted hardware] and consider whether this incident is still an ‘IT problem’ and how to respond to that possibility. The challenge at this early stage, especially when faced with a fundamental surprise or a level of malicious sophistication that had not been anticipated, is to maintain clear and rational consideration under increasing pressure as the organisation may already be experiencing the impact of a breach, and
  • 23. the consequences escalating. There are many reasons why failures become apparent at this stage including lack of intelligence or ‘early warning’, and an over-dependence on these systems. These common complaints are usually surpassed by the more complex causes of decision-making failure due to misinterpretation, and analytical bias such as a tendency to focus on more familiar aspects of the initial attack or those that have been best rehearsed and prepared for. This propensity to view events within the context of the more ‘probable’ scenarios severely hampers the taking of appropriate decisions at this initial stage, when established assumptions about vulnerabilities are being challenged, and managers are faced with new uncertainties which expose their threat-awareness as being outdated.

The Attack Evolution
An advanced attacker will employ a multi-phase attack and the evolution of the attack to a second phase is invariably the ‘make or break’ point of the incident and will determine whether it becomes a crisis. As the event takes a new direction, the organisation will be tested to apply and adapt the knowledge that has been built up to this point. More importantly it will force a reassessment of the situation, particularly if the evolution had not been anticipated, and raises the important issue of whether the new development affects decisions taken so far, and whether previous decisions have now become counter-productive in the context of the new reality. For the crisis leader this should launch a new cycle of tasking and the priority is to ensure that the new impact is integrated quickly into team understanding, and triggers appropriate response, or proactive actions. If the situational analysis is accurate at this point the leader should be able to take more proactive steps to limit further escalation, and assess whether to deploy additional resources, and measures, in parallel.
However, poor decisions taken previously, or the many potential causes of failure, may all act to limit the effective options at this point, not least may be the lack of effective capabilities. The escalation of the attack is likely to prompt a re-evaluation of risk as the severity of the breach has become apparent. The risk analysis at this point will invariably require an enterprise assessment of the possible implications from the recent turn of events in terms of business operations continuity, revenue recognition, client/customer impact, reputation, and input from the legal team. This will require a clear view of the likely implications as well as the already apparent impact of the attack, and this analysis should have been accumulating throughout the incident if the indicators are effective, and the appropriate staff properly involved. The demarcation between security operations and incident response & forensics [often through external specialists] that are both tasked with tackling threats, and the interface with a specific team that is tasked with assessing risk, can become complex as a single situational analysis is collated.

Crisis Management
As a risk team is assembled to evaluate the implications, the incident will now have been deemed a crisis and will trigger the involvement of a crisis management team comprising a broader mix of senior managerial and departmental responsibilities to handle enterprise-wide implications. As the previous path of ‘containment’ has run its course, the escalation of the incident to the crisis management team will introduce more complexity to the situation.
For the organisation that has not faced such a crisis before, or not exercised a cyber crisis scenario, the issues that need to be addressed are immediate and potentially serious, because the crisis management team needs to be ‘fit for task’ with the correct levels of seniority and capability of staff, as the attack has become more sophisticated, and the impact more severe. The introduction of the new team into a dynamic and evolving event is fraught with difficulties in a multi-phase attack, in deciding at what stage the crisis management team should become involved, based on an assessment of how quickly it will become effective, and how it should support the response. Before the incident is deemed a crisis, it may be viewed as counter-productive to involve the crisis management team. Foremost, without complete situational awareness and analysis, it is difficult to brief the team sufficiently for it to choose the appropriate course of action and how to enact a response. More importantly the team, or senior members of the team, may hamper security or business continuity decision-making by placing their departmental or functional priorities ahead of the overall risk to the enterprise. For the crisis leader, failing to effectively manage the interface of one ‘informed’ Chief Information Security Officer (CISO) with increasingly ill-informed senior executives and division heads, and managing their inputs as a complex attack unfolds, often leads to ‘bad decisions’ that exacerbate the crisis. This is particularly the case as consequences become increasingly apparent, in respect to inappropriate external communications with shareholders, suppliers, and attempts to manage customer expectations and minimise reputational damage. Managing post-crisis consequences then has the potential to become a destructive process of review, attribution and blame.
  • 24. Large companies will have different teams/functions particularly for security operations and incident response/forensics. In many instances the incident response/forensics will be experts like Optimal Risk brought in from outside. Sometimes there will be a risk team appointed from within the organisation to assess risk on an ongoing basis, and in some cases there is cross membership between this team/committee and others. Crisis management should have its own team with the appropriate skills, qualifications, and authorisations to take appropriate decisions and this invariably is a group of much more senior and cross-functional directors. In some cases these functions are poorly staffed or non-existent, and that contributes to the problem. The Crisis Management Team can become disconnected from the problem and can respond inappropriately to the crisis without the proper integration into the process, and we see this again and again when Managing Directors storm in and micro-manage matters that they should not.
Preparing for the Future
The status of ‘crisis’ could be defined by the potential implications of a security incident, and in the future it is increasingly likely that cyber incidents will become crises, as cyber attacks could lead to severe impact outcomes, and therefore should now be considered a board-level concern and tier-1 threat. The main principles of crisis management leadership do not differ fundamentally for cyber crises, but this paper has described how the management of a cyber crisis is considerably different when faced with an ‘advanced attacker’ employing sophisticated deception. This cyber ‘context’ is not only the most relevant for the present day, but also the most challenging context in which managers & leaders need to adapt and respond effectively to crises that will severely challenge their abilities.
The characteristics of multifaceted attacks now compel organisations to adopt a more proactive approach to security, so it is disingenuous to consider crisis response without crisis prevention. In the future the ability to recover from a severe breach will be increasingly difficult and slow, and so it will be a much greater challenge to be sure that an organisation is resilient or ‘quickly able to bounce back and resume normal operations’. The nature of advanced threats such as espionage or sabotage significantly limits the effectiveness of reactive measures to defending against cyber attacks, and severely complicates incident response options, and the feasibility of achieving ‘resilience’ has to be questioned. Anticipating the characteristics of an ‘advanced attacker’ incident requires a degree of heightened awareness that will support the simulation of outcomes and consequences: at first, in theoretical terms so as to assess how best to further explore the process of preparation; and latterly in real-world conditions to identify vulnerabilities and ‘learn from experience’. Without a prepared and rehearsed response to a well-anticipated scenario the response is likely to be poor, and the recriminations broad. Preparing for crisis management scenarios, and developing crisis management capabilities, needs to commence now: as soon as possible before the next crisis. The first conclusion that should be reached is that crisis managers and leaders need to be informed and prepared for what they might face, and refine the processes & procedures to cope with a severe cyber event, and this should inform the establishment of more comprehensive preventative security measures. It should also be recognised that failure to prepare is a failure of organisational leadership. Specifically, leadership for a cyber crisis needs a risk-informed manager, with a clear appreciation of converged threats who can develop board-level appreciation of the security risk landscape.
Managers tend to build on hindsight, and in this, they focus excessively on past threats and past experience: irrespective of the rapid evolution of the threats. Similarly, they focus on their best-known vulnerabilities, often because they have been previously targeted, and managers have been forced to focus on what those most recent vulnerabilities were. Their failing is typically lack of insight. Insight into what is within their threat landscape,
  • 25. insight into what the potential impacts could be on the organisation, and insight into the pace of evolution. To plan how the organisation should defend, respond, recover, and ultimately ‘prepare’ for multiple variants of sophisticated scenarios, is a complex process that exposes the natural weaknesses of organisations that struggle with complex problems, and integrated processes. However, effective preparation for both defence and response requires an integrated approach with the common aim of developing resilience, which cannot be broken down to a ‘simple’ formula because it is becoming increasingly futile to consider the individual elements of a complex and persistent attack in isolation in order to construct defence against individual elements of advanced threats. This is particularly the case if the construction of an effective defence is not risk-informed and intelligence-led as far as possible, and this is especially short-sighted if the converged nature of enterprise security risk is not apparent to security planners that are required to assemble a converged response. To achieve high levels of security, the process of security is becoming increasingly complex and it must now integrate different elements of the organisation’s preparedness & planning into an overarching converged framework to include systems, processes, policy and management practices. The need for physical and cyber security domains to collaborate challenges both functions to dovetail their capabilities effectively, and many organisations struggle with coordinating security planning and incident response. In the majority of cases, organisations rely heavily on well-developed business continuity plans and tend to neglect the development and exercising of defensive and response capabilities against different advanced scenarios and this has the potential to hamper their ability to handle the unexpected or unfamiliar aspects of the ‘next threat’.
Napoléon once said ‘uncertainty is the essence of war, surprise its rule’ and preparation for serious security incidents must be built on the assumption that there will be surprises, and the organisation’s response will have to tackle the unexpected. This raises two issues: firstly, the nature of the response and capabilities; secondly, the ability to deal with the unexpected, which is founded in managerial ability & experience. Unfortunately experience is gained over a long period of time, and experience can also degrade over time, particularly with staff turnover. A critical gap exists where organisations need to ‘exercise’ the ability to anticipate the unexpected, be able to identify uncertainties and factor them into their planning, and tackle them head-on. The process of simulating real-world attacks and analysing the performance of security apparatus forensically to determine its strengths and weaknesses is a key platform of organisational preparedness, not only because ‘practice makes perfect’ but because it develops an organisational preoccupation with ‘what if’ scenarios, and the failure to deal with them effectively. The essence of a pre-emptive approach should be based upon developing foresight. Applying a forensic approach to doing so is key to developing insight into both probable and plausible outcomes of a breach. The adage that being forewarned is forearmed is always the justification for investing in maintaining awareness and preparation. Good management practice and preparedness requires ‘the ability to anticipate events long before they happen, and develop a planned response to each scenario’. The essence of anticipation is to identify threats no matter what the levels of plausibility or probability, and in doing so managers need to accept that the lower probability events are invariably higher-impact ones.
In developing and refining capabilities, managers need to be able to review flaws in their plans – regularly – and spot the barriers to effective performance through security exercises. A preoccupation with failure is essential to combating the complacency that tends to set in, and it is an attitude that characterises ‘high-reliability’ teams that require a near-perfectly synchronised and effective performance on every occasion. It requires a commitment to being proactive in the process of planning – testing – and reviewing, and this is central to organisational resilience. This must counter any tendency to over-simplify plans and procedures, as the threats are increasingly sophisticated. So ‘defence’ needs to match the levels of innovation and sophistication that threat actors are introducing. If organisations are not running exercises, not refining plans, not preparing capabilities, or not anticipating future events, then their shareholders and customers cannot have any confidence in the organisation’s resilience to sophisticated attack, or ability to survive the consequences.
Author Profile
Dan Solomon is Director of Cyber Risk & Security Services at Optimal Risk Management Ltd. He is a leading proponent of a converged approach to security risk, and is a regular presenter and chair at leading cyber security conferences. He is an industrial espionage specialist and a practitioner of FAIR [Factor Analysis of Information Risk] methodology. He is a prominent advocate of red teaming, and a pioneer of cyber war games as an approach to developing organisational resilience. He joined Optimal Risk in 2013, after 3 years as a Senior Partner at Hawk ISM. During that time he also served as Director of the Homeland Security Program at The Atlantic Council UK, and has published & spoken around the world on Intelligence Analysis & National Security, Critical National Infrastructure Protection, Cyber Security and Enterprise Security Risk Management.
Web: www.optimalrisk.com Tel: +44 870 766 8424