THE ATLANTIC COUNCIL OF THE UNITED STATES
BLACK SEA ENERGY & ECONOMIC FORUM 2010
SESSION III: CRITICAL INFRASTRUCTURE PROTECTION: SECURITY, BORDERS AND ENERGY
DINU PATRICIU EURASIA CENTER,
ATLANTIC COUNCIL OF THE UNITED STATES
senior vice president for strategy and planning,
SELEX SISTEMI INTEGRATI, S.P.A.
VICE ADM. TIMOTHY JOSIAH,
SENIOR DIRECTOR OF HOMELAND SECURITY,
NONRESIDENT SENIOR FELLOW,
DINU PATRICIU EURASIA CENTER,
ATLANTIC COUNCIL OF THE UNITED STATES
THURSDAY, SEPTEMBER 30, 2010
Federal News Service
ROSS WILSON: For any of you who don’t know me, my name is Ross Wilson. I’m the head of the Dinu Patriciu Eurasia Center at the Atlantic Council, and I’m happy to welcome all of you here. Thank you for joining us for this session on critical infrastructure protection. Before introducing the panel, I thought I’d just kind of suggest to all of us here we kind of think about what we mean when we talk about critical infrastructure, pull that topic apart a little bit.
I’ve been to a number of conferences like this that focus on the Black Sea, focus on Caspian Basin energy, and if this topic – when this topic appears on the agendas of conferences like this, it usually means pipeline security and that was certainly the case 10 years ago, 15 years ago, when Ambassador Morningstar, Ambassador Mann, a couple of other people here and I were working on Baku-Tbilisi-Ceyhan – big preoccupation with pipeline security, both in Azerbaijan and in Turkey and for good reasons.
Attacks and threats on BTC, attacks and threats on pipelines in Iraq, elsewhere in the region, certainly remind us that there are serious pipeline security challenges that companies seeking to mitigate risk and countries seeking to mitigate risk will want to address.
Another critical infrastructure protection set of issues I think concerns other infrastructure like airports, bridges, ports, other sort of vital transportation security, and I think that’s something that’s come to the fore in the United States, particularly in the wake of September 11, 2001, and indeed one of the mandates of our Department of Homeland Security is to try to focus in a more concerted and serious way on those things, on border – and to focus a number of different issues together – border security, transportation security, maritime security, customs, cyber security and other similar kinds of issues.
The last actually, cyber security, is something that we wouldn’t have talked about at all at one of these conferences 10 or 15 years ago, even one that dealt – that wasn’t so much focused on, say, the Black Sea, Caspian Sea region. In February 2010, the then-director of the office of national intelligence – U.S. Office of National Intelligence – Dennis Blair, identified cyber terrorism as a serious potential threat to America’s electricity grid, financial sector and other essential networks.
I think the recent news that many of us will have read about the so-called Stuxnet virus, if that’s the correct way to pronounce that, a sophisticated program apparently designed to disrupt power grids and other industrial infrastructure, particularly the Siemens software that Iran uses to run its Bushehr nuclear power plant, makes this conversation particularly timely. Anyway, to sum up, I think this issue of infrastructure protection takes in a whole lot of different things.
I’d like to introduce our panelists to each of you and then ask you to speak a little bit about some of the concerns you have related and issues that you focus on related to infrastructure protection. Vice Adm. Timothy Josiah is senior director of homeland security for the Raytheon Company, which is a leader in defense and homeland security technologies in the United States and around the world. I know Raytheon is a very serious presence right here in Turkey. In addition to his private-sector expertise, Adm. Josiah also brings 33 years of experience in the U.S. Coast Guard, where he played a key leadership role in the aftermath of the 9/11 attacks in the United States.
Dr. Paul Twomey is the founder of Agro P@cific, a high-level international advisory firm that advises a wide range of companies on their Internet and technology businesses. He is, in addition, a board member of the Atlantic Council and is a leader on Internet protocol and governance issues, worked with a number of governments.
Mr. Luca Izzotti will be representing Selex Sistemi Integrati in lieu of its chief executive officer, Marina Grossi, who was unable to be here unexpectedly today. Mr. Izzotti is the senior vice president for strategy and planning at Selex, which is a subsidiary of Finmeccanica. Mr. Izzotti holds a degree in mechanical engineering, is responsible for the development of a wide range of sensing technologies and combat systems, hopefully bring a useful technological – a different, maybe, technological perspective from those of us more focused on policy matters.
Alexandros Petersen is a nonresident fellow with the Atlantic Council’s Dinu Patriciu Eurasia Center, my center at the council. He’s held a variety of positions at research institutions and think tanks in Washington, D.C., London and Brussels.
So with no further ado, let’s – I’ll ask our panel to – I don’t want to phrase a particular question at this point. What I think would probably be more useful is to take your piece of the critical infrastructure pie, what kinds of issues are the most important, what kinds of issues maybe are people not paying attention to, what would we be most concerned about and what should this region be most concerned about looking ahead over the next couple of years, five years, 10 years and more? Adm. Josiah, maybe to start out with you, if I might?
ADM. TIMOTHY JOSIAH: Sure.
MR. WILSON: Oh, and I should say actually – this first thing I should have said, excuse me – is that the original moderator for this panel got stuck in transit and was unable to rearrange his travel to get here and that is why I am privileged to be able to substitute for him. Please, Admiral?
ADM. JOSIAH: So first maybe a picture of critical infrastructure the way we see it so you’ll understand maybe some context for my comments. In Raytheon, we decided long ago that physical security for a small facility, a large facility, a section of a border, a coastline, a pipeline or a whole country all had great similarity and that we should be trying to build very scalable systems integration capabilities to integrate easily any kind of a sensor that was needed for a particular system.
So that’s kind of where we are today and I’m not going to talk really at all about what Raytheon brings to the table, just that that’s our view of the world, that configurable systems where you don’t have to write software, where the right sensors can be integrated are the key to a good security system.
We have spent a lot of time looking at energy security and are working in particular in some offshore oil and gas infrastructure areas to try to provide the right kind of security there. As I listened to the presentations here for the last day or so, it’s really almost all pipeline focused and these pipelines are crossing many boundaries, different types of terrain, certainly international boundaries and borders. They’re going over and under water and through political subdivisions, near population areas, near sensitive environmental areas.
To us, as much as having a good, well-built pipeline with isolation so you can shut it down if something happens, there needs to be a very close level of collaboration between the pipeline owner and operator and governments and there needs to be an alignment of policy and strategy and technology to make sure that if something happens, whether it’s a terrorist attack or some kind of mechanical failure or some kind of failure of a human being, all of which can have a disaster occur and with the same kinds of consequences, that there’s a pretty close relationship that goes to understanding the systems and minimizing the impact that might occur.
So we always encourage anybody that we work with to begin with a good understanding of threat and vulnerability risk and to think about design from a risk-based perspective. We don’t have any customers that just build it whatever it costs. There are ways to think about what the risk is and to prioritize the safety and security add-ons to any kind of a system. So if the pipeline, and if we talk about pipelines as going past a population center or an environmentally sensitive area or through a port or under a water – or over a waterway like the straits of Istanbul, those may be places where special both safety and security things are taken into effect.
It’s quite possible to buy a very good system that senses when anybody is approaching the perimeter or structure that you’re concerned about, be it a pipeline, but often it’s very difficult to get any kind of a response resource there in real time.
So it’s lots of sophisticated technology that can be applied but it’s really not of a whole lot of use unless you can react in time and that may mean an initial reaction by the private sector that may own and operate the pipeline. It may mean the need for collaboration with local authorities so they can use police or fire or other emergency responders to get there and it also probably means a collaboration at the national level with something as important as one of these pipelines that we’ve been discussing here that comes through.
So we think that for any large-scale system like a pipeline crossing international boundaries, there needs to be a concept of cooperation that’s knitted to the actual surveillance sensor system that provides the basic level of security for the system. That sounds simple but that may mean a system therefore that whether it’s a collaboration document that’s agreed on by different levels of government across geographic sectors – it may be different governments in a region and maybe if you’re in Europe, it’s the EU as well.
So those sorts of things could be quite complex but necessary if you’re actually going to be able to respond and prevent something from happening or respond and minimize and mitigate what happens from an accident.
MR. WILSON: I think your last point is particularly important. You referred to an integrated system and crossing borders, which in my experience in this part of the world generally means you don’t have an integrated system anymore because of severe shortcomings in cooperation and real collaboration as you go across. BTC, a little bit of an exception, but even there, Azerbaijan is responsible for security in Azerbaijan, Georgia for Georgia. Turkey is especially is responsible for security here.
I think there – I know actually that there are some quite significant issues that had to be worked out to develop even a modicum of cooperation and coordination and in effect BTC had to do its own virtual collaboration. Alex, I know you were involved in some of that. Do you want to speak to some of that in the broader political context a little bit?
ALEXANDROS PETERSEN: Sure. Well, unfortunately it looks like maybe we are going to be talking about pipelines, at least the first two speakers, a little bit. But I will. I think it dovetails rather well with the admiral’s presentation, what I’m going to say, which is looking at it, we talk about in this part of the world often when we’re talking about infrastructure security bringing models from outside of the region into the region, things that have worked in North America, things that have worked in the European Union while actually – you mentioned some of the difficulties cross-border with the BTC.
Well, there have been, yes. But interestingly, the BTC has through a number of processes related to the way in which security was implemented by BP as the operating company for the pipeline in Azerbaijan and Georgia and providing security there, working very closely with not only the national governments but also local authorities, as you mentioned. The BTC pipeline has actually become an industry standard for the way in which security has been implemented.
Part of the reason for that – so I would stress I think sort of two levels in this. One is the very sort of 30,000-foot level and then one is the very local level. So the first, the very high level, is the framework under which a company, an extractive company such as BP is able to put together a security framework for this enormously complex energy project. It is, in fact, an oil pipeline and a natural gas pipeline, together a number of pumping stations and other infrastructure along the way and as you mentioned, going through three different countries who don’t necessarily coordinate as much as they ought to.
So it’s a major thing and the framework that allows, I think, an extractive company such as BP or the BTC Consortium to do this effectively is called, in this case, the Voluntary Principles on Security and Human Rights, which is a legal framework that was actually drafted by the U.S. State Department and the U.K. Foreign Office together with input from a number of sort of international NGOs because not only is it the voluntary principles on security, it’s also the voluntary principles on human rights.
So part of the idea is that as, if you will, Western-based extractive companies working in other parts of the world need to apply international standards to the way in which they provide for security, they also need to provide for this important human rights aspect and I’ll come back when I talk about the lower level of security, but why this is so important, the human rights aspect, but this international legal framework which then countries sign up to.
So a number of Western countries and then a number of countries in which there have been projects have signed up to this so that there you have, if you will, far better coordination between, in this case for example, the U.S. and U.K. governments that drafted these voluntary principles but also, then, the host governments at the national level so they’re all on the same page about what is required because the voluntary principles breaks down in a rather clear way what is required from all the different actors.
So once you sign, for example as was the case with the BTC, security protocols with each government, it becomes quite clear how they ought to, at least on paper, work together and you can use that then as a framework.
So it’s extremely important, I think, to have that framework there from the get-go and I think it’s enormously important at least in the BTC case and part of the reason why it has in fact become then the industry standard for infrastructure protection, particularly for pipelines, but now it’s being applied in lots of other areas, and it’s worth nothing, for example, that the World Bank and EBRD have actually adopted the voluntary principles as a framework for lots of their operations in other parts of the world based on the BTC model providing security for projects that they are involved in or that, for example, IFC is involved in in specific infrastructure projects around the world based on the BTC experience.
So you have that overall framework in which you have the input of – it’s drafted by governments, the input of NGOs – in this case, for example, Human Rights Watch and Amnesty International – organizations that you normally don’t see working with, for example, BP or other members of the – that are part of the BTC Consortium.
But in this case you do and I think that’s incredibly important and why is that incredibly important? Because let me just briefly talk about sort of at least in this case – and Ambassador Wilson mentioned this – this is something that has been talked about quite a bit in this part of the world and I think it’s worth kind of reminding us what are the sort of basic three baskets of risks that one comes across – sort of pipeline infrastructure –
MR. WILSON: Maybe just a quick summary so we can go on.
MR. PETERSEN: Sure, sure. I mean, you have basically in this part of the world the spillover of potential conflict, whether it’s the Nagorno-Karabakh conflict or the conflicts in Georgia. Then you have sort of deliberate terrorist attacks or sabotage. Some are trying to blow up the pipeline or some other kind of sabotage or then you have, which is more of a perennial problem which is in this part of the word when you don’t have a pipeline that’s, for example, underground the way that BTC is which is tapping of the resources going through the pipeline from local communities.
That brings me to the final, the sort of local bit, which I said you have this overall legal framework which then allows you to provide for the key pieces, not just the technological pieces of infrastructure protection but what I think are the really important ones, which is in fact the relationship with the local communities because, sure, a company such as BP as the operating company can come in and provide all kinds of fancy monitoring systems and those are required. They’re necessary.
That said, the force multiplier, if you will, of having good relationships with the local communities so that they have a stake in infrastructure protection so that, number one, they’re not, as was initially considered a problem with the BTC pipeline, that they might tap into it to get oil either because they live in poverty or they want more fuel for something, but then also to actively involve them in it, right? So they have a stake.
For example, in this case, part of the reason why it’s become an industry standard is you had horse patrols, for example, along the right-of-way of the pipeline that were organized by BP as the operating company but the horse patrols were actually local individuals from the villages along the right-of-way. So they would patrol their section of the pipeline and it gave them a stake. They received a salary from the operating company in this case to do that and it became an enormously successful program that in other ways has been replicated in other parts of the world.
Another one is having community liaison officers in the villages, in the local communities along the way to address concerns that they have about, for example, eminent domain issues and so on. So if you will, another one, a key thing of course is development projects which is a key thing that the BTC Consortium did was providing lots of local development projects. Now, you might say, well, a lot of people did at the time. What’s the direct connection between a development project and why is it that you do these? Is it for corporate social-responsibility reasons?
Well, actually no, it’s for hard security reasons, right? Because as soon as you get that local community on your side, you begin to get the intelligence that you need, the local intelligence about what potential threats may be. You get the local community actively, for example, in terms of the horse patrols, protecting that infrastructure, and then you get an extremely good relationship going forward in which you ameliorate, at least to some extent, frictions that could lead to some of the three baskets of risk that I talked about.
Just another piece I’ll add to on the end of it, yeah, is that training is a very key part of this. So along with that relationship with the local communities under the human rights sort of umbrella, it was extremely important in this case that the BP operating company and the BTC Consortium provided for training for, in this case, the Georgian and Azerbaijani pipeline security forces in what you might call Western standards of human rights way of operating so that their relationship with the local communities didn’t compromise the infrastructure security of this pipeline either.
MR. WILSON: Good. Thank you very much. Paul, maybe you can help us rise above the world of pipelines and look a little bit more broadly at issues including some of the kinds of things that you do in the cyber Internet sphere.
PAUL TWOMEY: Yeah, well, I was just amused by the idea of horse patrols versus the Internet.
MR. WILSON: Horse patrols and the Internet.
MR. TWOMEY: Yeah. So first, I’d start with an apology. I should do a public apology. For the last 10 or 15 years, I’ve been heavily involved in promoting the Internet as a great and good thing, the last 10 or 11 years in leadership of ICANN, the organization that actually coordinates the backbone of the Internet, and we found at ICANN in ’89 – sorry, ’99 – there were less than 60 million users of the Internet. Now, there’s about 1.8 billion and there is one point I’d build in. If you used a browser, you go into a browser and you type in a URL, sometimes you’d find those funny telephone number things at the bottom, 202.46., whatever, whatever.
Now, it’s heresy, but they’re telephone numbers for computers. That’s a complete heresy. If there are any engineers here, they would stone me to death. We have 4.2 billion of those and we’re running out this year, and we’re moving to a new system which has 340 trillion, trillion, trillion of those addresses and we think they plan to last for 50 years but there are worries that they’ll run out in 20. So why am I making that point?
The point is everything is connected now in ways that I would say nobody in this room, myself included, has any, any comprehension about, degree to which things are connected. Every device that you have – most households – we’ve taken OECD countries now, you’re moving to an environment where most houses will have 20 devices that are connected to the Internet in ways that people won’t understand. Why do I make this point? Because it’s absolutely true in energy, it’s absolutely true in most manufacturing and production.
In all the survey work I have seen of major power stations, including nuclear power stations, you ask the same questions. You say to people, is your system connected to the Internet, and the answer you get from the CIO is, no, and every auditor I know manages to get Internet connection into the supply room within a couple of hours. You say to them, is your system connected to the Internet? No. Do you use voice over IP? Oh yeah, sure. Where’s your voice over IP? Is it in the control room? Yes, of course it’s in the control room.
Well, you know, I will find a way and I’m not a geek and I will find a way where the Internet connection and the supposedly separate SCADA systems are connected. So my public apology is that those of us who have been heavily promoting the Internet and what it should be doing for is that it produces amazing, simply amazing empowerment of individuals and amazing reductions in transaction costs across the economy, just quite incredible.
Three-quarters of – my home country is Australia – three-quarters of the total productivity in Australia between 1995 and 2005 simply came from ICT take-up and the use of the Internet and that’d be pretty much true in the United States and you can basically go country by country and it’s these big impacts of this uptake of this reduction of transaction costs.
The trouble is it’s made it easier for the crooks because they run business models and do the same thing and probably most significantly – well, in some respects in this area significantly – it has certainly increased the capacity both of state-based espionage and state-based cyber warfare to think about how they can use these tools specifically in this arena.
So to take us to the cause célèbre of this week, Stuxnet, which is a new malware thing that’s getting a lot of attention, and actually pretty clever, is a further illustration of the cleverness of people who can actually find ways of getting around even not being connected. So it looks like this piece of malware was built by five-to-10 people over a six-month period.
It used four zero-day attack vectors, which is basically jargon for saying four times cleverer than anything else we’ve seen, to get inside – to get inside a Microsoft operating system that immediately targeted a Siemens Block 35 command control software specific to power stations, or it seems to be specific to power stations.
Now, coincidently, the Bushehr – I don’t pronounce that word properly – Ross does a much better job than I do – power station in Iran runs those systems, and indeed if you were watching any television programming of inspectors going through that plant and you were looking for this, you would have seen it on some of the screens and people have gone back.
Basically, if you run an energy company or anything like that and you’ve got any media come in, turn the screens off. You wouldn’t believe the number of people who go through looking at all the visual they can to see what operating systems are sitting on the computer screens in the background of the video.
So if you look at the background of the video, you can see what operating system that power plant was running and this has been a very clever piece of software. It was probably introduced through infection of the Russian consultants who were working there and they probably were brought in with a USB key that they didn’t know they were doing and the impact of it is that it has the ability to turn of devices or to change devices that operate in 100-millisecond type timeframes.
The Siemens corporate operating system – these sorts of command-and-control SCADA systems are very widespread in the factory floors, very widespread in energy, very widespread in pipelines, et cetera, et cetera, and this thing is one of the first public – is the first public illustration of a very sophisticated attack. It’s either been done by a nation-state or it’s been done by some very well-financed private individuals.
So it’s cheaper, there’s less blood, you’ve got no attribution and it can be more effective than things you would use kinetic for, to use the American language. What we used to say is blow up where I come from, where you blow things up. It’s cheaper and more effective. So I sell fear really in the sense that this is going to be one of those areas that people are going to have to take very seriously. I mean, I know they do. We’ve got surveys already which show 60 percent of respondents from critical infrastructure providers saying that they’ve been targeted by foreign government representatives, 90 percent saying they were targeted by fairly sophisticated criminal-type attacks.
It is going to be an environment where we’re going to have a series of policy issues in front of us about what limitations are we going to put upon these sort of tools and cyber weapons, et cetera. But for the people who actually run these things, for the people who actually are making money on relying upon them, the bottom line is we’ve all taken – in some respects, you can’t run pipelines without this stuff.
So we’ve all taken the economic benefits of these new technologies. What many of us have been lax in is understanding what threats came with the benefit and every technology in human history has brought threats. What we’ve done is say – and often it’s frankly an age issue, how old were you when this all came in.
People have said I don’t understand how it works but boy, look at the efficiencies. I’ll have one of those, thanks, or, that looks really great. I’ll take all the money, please, and what they haven’t understood or actually even wanted to understand is what’s the risk that comes with it and the risk that comes with it is the reflection of its benefit – huge connectivity, a lot of anonymity and you can do very clever things with it.
So cyber is going to be – because it’s becoming the underpinning – it is the underpinning technology of the 21st century, it’s going to be a thing that’s going to occur in all discussions around critical infrastructure protection at all layers. Most of the power – I’ll finish with this – most of the power plants that have been looked at in terms of this area and said were you aware were not aware that they were connected to the Internet, even when they were very careful about what had gone on in the control rooms.
What they didn’t realize was the equipment manufacturers had all put Internet connectivity into the devices they supplied to monitor and maintain. Okay, so even thinking in your household now, what we’re going to be moving to is your refrigerator and your washing machine and others are going to basically like your computer does now, constantly – your computers constantly go back, keep telling the software companies what needs to be updated.
So unless you’ve got great software on your own computer, you don’t know whether your computer is talking to some bad guy or talking to your software operator. We’re going to have the same problem with all sorts of devices.
So I think there’s going to be a whole sort of wake-up process we need here, not just about how do you counter cyber issues but how does it get into your business risk management, how does it get into your risk transfer and your insurance processes and how does it get into your legal reviews of supplies. What are they telling you they are actually doing and what legal liabilities they have if that gets exploited. I could go on for hours but I’ll now stop.
MR. WILSON: Technologies, devices, hopefully you can sort of spread the gap between pipelines on the one hand and some of the issues that Paul was talking about. Please, take five minutes and then we’ll have some questions.
LUCA IZZOTTI: Yeah, I’m surprised to hear some issue that I have already heard on other system design like our traffic control of our civil system, military system. The problem is always the same and starting from this cyber-security factor, I want to point out that the solution is never just technological. So it’s not a technology race and we do not need to make antivirals more powerful than Stuxnet because very often ,the solution is procedural. You just lock your grid and nobody can enter and you solve the problem.
So this is just to point out how this design of the security into a system is many-fold, not just one issue but (every issue ?) together. Do you know where infrastructure comes from? Comes from Latin – I’m Italian, so I love Latin. An infrastructure means a structure between other structures. So that is the problem. You have to defend something that is entangled to other things. If you have a pipeline, you need to have power for the pumps and things like that in oil fields. So you need to have water because we are to pump water into the oil spill and things like that.
So you have to clarify how this entanglement between these different systems is designed and very often it is not designed at all. It just happens. You have the customer. That’s one single point in the system. So the issue of security is an integrated issue and infrastructure is the most integrated system that you can address. This is true from an engineering point of view but this is true from a general point of view. All of our experiences in Sistemi Integrati is as you said, that the biggest problem that you get are in people integration, in organization integration.
So when you start to address the security design in a complex system, you start with an engineering design. But then you have to match these engineering functionalities with a real organization and in this case you have a program, if the system is spread among different organizations because you have to locate clearly functionalities to use and to operate and very often these organizations have some legal constraints.
For example, they cannot share their data and things like that. In terms of, for example, in the maritime security area, you are a Coast Guard admiral. You know that there are problems like this. You cannot share data, military data with the Coast Guard, for example.
So in line of principle, you can just interconnect the military system with the civil system and you have a wonderful maritime picture but you are not allowed to do that because they are different organizations. So which is the lesson? The lesson is that in the system design, you must take a clear eye on the constraint put by organization and you need to work with the organization to design a system that is really usable.
In our experience, this can be done effectively and quite often it also calls for change in organization which is not easy because of law things and other constraints. But in some cases, like in the maritime security in Italy, the government had decided to have an inter-ministerial board where all the relevant organizations were participating to guarantee the security of a big infrastructure system like the maritime surveillance system.
I think that this is a valuable experience. Unless you organize in transnational, transversal to different organizations, forum or panel or operational team, you cannot solve the problem and in this respect, the industry must take a role because you cannot spend very – set up the team and then you come in and say this is the system that you have to use. You must build the system together with this kind of organization.
Then one last issue on this big thing, this is in the design approach. From the industry point of view, there are also other factors that I want to point out that are related to the local people around the infrastructure. When you build a security infrastructure or you put security into a system, in some way or the other you are forced to make offsets, that means to make people, look at people who work there simply because the market where you need more infrastructure are the markets where the labor cost is lower.
So as a business model, you are forced to move richness, wealth, part of the work at the local level and this put on a positive circle because we have to work at the start with the local organization to provide security, then you have to work with the local level forces because it’s better for you, you save money, and in this way you become more involved in the process and you’ve tried to reach the consensus that you could. In this way, there is a positive feedback because the security rises and then you attract new investment.
For this reason, the terrorists, the unlawful organization, try to cut these positive feedback process to drain resources. If they succeed, the impact is not just the blow up of something but is the very factor that they interrupted this positive circle and that the effect in the medium term is much higher because the investment will stop. The company will not take the risk to build infrastructure there.
So in conclusion, this security issue is not real. I have not heard about security, whether you were speaking about these big pipelines. But this must be taken into account at the very beginning of that process of the design because of the constraints that I said because unless you do that, you can have a very bad surprise. Yes, security has a cost but also not to invest in security has a big cost and from my view, this cost is much higher than the benefit that you get if you invest in security. 9/11 is a good example of that.
MR. WILSON: Fascinating discussion, a lot of things I didn’t know anything about. We have a few minutes for questions.
Q: Hi, one question. We’re talking about all – everything is very good. But I’m thinking of the example when does a security issue in pipelines that are always going to – (inaudible) – terrorists. Take Iraq for instance. Now, there’s going to be new pipelines going to be built. Whether American companies or Italian companies – (inaudible) – willing to send their executive there to look at the projects because they cannot get their insurance policies sorted out so that they could be kidnapped.
So what I’m talking about is if you cannot go there effectively, help these areas where you have problem, how are you going to resolve it? So are we not just making a round circle? My question is like will Raytheon or Sistemi Integrati commit to those projects accept the Italians and Americans to work physically, hands-on, on the projects?
MR. WILSON: My answer might be you’re talking politics maybe more than security, but –
ADM. JOSIAH: We think that pipeline security through these areas is a difficult problem because they’re vulnerable over great distances. They have equipment every so often to either isolate them or pumping stations.
You’re asking the question so I assume that you probably know in Iraq, some of the tribal leaders were hired to provide people for physical security. But every time the bad guys showed up, they would leave. There have been the use of sensors has been tried. There are some unattended ground sensors which are kind of seismic sensors that can give you a warning if people get too close.
Now, some of those pipelines in Iraq run through populated areas and that’s not of much use to know that people are around because there’s always people around. So you have a problem of trying to understand what’s happening. It’s a situational awareness through either sensors or human eyes, cameras; maybe you can build some barricades and try to have fences to keep people away.
But when you have something that goes over thousands of kilometers, there’s a great many places where the system is vulnerable and probably the biggest problem is even if you could be aware that something was happening, somebody’s got to be able to get there in time to prevent it from happening and that’s the concept of operations part.
That’s a commitment of resources and effort not probably by a company like Raytheon because we’re not into security – some other company or the government itself that’s very substantial and very expensive over the long term. So it’s not a panacea answer in a country like Iraq, where the volatility is so great.
MR. WILSON: With so many security problems.
ADM. JOSIAH: Right.
MR. IZZOTTI: Can I add on to his point? I agree absolutely with you. Basically, you can militarize everything and you put that at military level and start industry stuff. But from an industry perspective, the best way to manage that is to involve the local people, make them work so they will help you in the security and the investment for you is much better than to put money and military system to defend the pipelines. That doesn’t mean that if the bad guys appear with big weapons so you can defend yourself.
But the force, the amount of force that is required in this scenario to defend yourself from the big threats is much lower because, as the admiral said, it is important just to call the guys, the military guys in time to react and if you have a sensor on the ground, that means people, local people supporting you, you normally have this time. So I think that industry take a vital role in delivering wealth to this population because basically he has an advantage in doing that for the reason that you quoted. So I think it is a very important point.
MR. WILSON: Thank you.
MR. PETERSEN: If I could add just a quick point, a great counterexample to what I was talking about and this touches on the current situation in Iraq where we have the experience. This is not an indictment necessarily against this particular company but we do have the experience, very well-known, of Shell in the Niger Delta which for the past almost 50 years now has been a perfect example of not liaising and coordinating with the local communities in the way that you could and having a problematic relationship with the central government.
And we can see the result and you were talking about the sort of cost-benefit analysis of the security first and then what – I mean, frankly what Shell has lost over the years in terms of because they didn’t make the initial investment that they could have in providing for security in relationship to the local communities has been enormous frankly.
MR. WILSON: Other questions? In the back there, yes please, if you could just identify yourself?
Q: Yes, good afternoon. I’m John Supe (ph). I’m the head of BP in Turkey. Another hat I wear is that I’m the head of the BTC Consortium in Turkey as well and I was delighted to hear such a passionate description of how well we’re doing in terms of securing the pipeline for our shareholders. My question is about asymmetric risk. Do I need this?
MR. WILSON: Probably not.
Q: My question is about asymmetric risk, the type of risk which is low-probability risk, high impact. 9/11 is an example we’ve seen. Gulf of Mexico, although not security related, is another example of asymmetric risk. Perhaps a little more closer to home, on BTC in 2008, we suffered a sabotage attempt, a small amount of explosive, weeks and weeks of media coverage on the spill and what have you. What are the two or three main factors that companies who have major infrastructure need to consider in order to protect against asymmetric risk from a security perspective?
MR. TWOMEY: Well, cyber security is the ultimate asymmetric weapon at the moment. Just ask the Chinese. (Laughter.) And the thing that’s really, for me, really fascinating about all the discussion of cyber security tools, cyber security weapons, is understand the enemy.
And what is interesting in a lot of the discussion around cyber security issues in the commercial space and even a little bit in the national security space but certainly in the commercial space is that they get caught up I think in a quite bizarre, almost Asperger’s syndrome nature of engineering which is if I can’t give you absolute certainty about where something’s come from, attribution, the whole question of attribution, then I can’t tell you what it is.
So people treat these sort of risks as the cloud, the sort of – we’ve got the sense of the cloud out there and this thing came from the cloud and we don’t know what happened. Well, I actually think we should be much more thinking about profiling and really sort of thinking about who are the potential risks and tracking those people. I mean, it is feasible. There are people who do, do this in the commercial space, let alone getting in through other agencies, of thinking much more who is likely to use one of these tools. Who’s likely to produce these sorts of things? Why would they do it? What incentives would they have?
When you start thinking about that, let’s just take oil for example, there is going to be – I’m willing to put money on it now there will be a hacktivist attack. There are going to be the same people who – if people are willing to put as much money to stop Japanese whaling in the southern oceans and ram ships into ships or whatever, somebody’s going to dream up that there’s got to be a way to stop the hydrocarbon fuel cycle and somebody’s going to say what’s the best way to do that and somebody’s going to get into contact with the mafia business model that can do this and somebody’s going to figure out it’s really damn cheap.
If you’re running hydrocarbons and you haven’t thought that through, shame on you frankly and that’s the sort of thing I think when you come to – when you talk about the asymmetric – is just think through incentives. Who’s got incentives? Who’s likely to start thinking about it? What mechanisms can we start doing situational awareness, intelligence gathering about who might be there? What sort of tools have they learned to use and I think the next bit on that in the cyberspace is basically on resilience.
There is no such thing as security. There is no such thing in the Internet world as security. It is impossible to build technology to put in the next fancy piece of hardware that will secure your system. That’s all what’s – it’s necessary but not sufficient. You’ve got to do all that nice techie stuff. The next layer above that is simply the expectation that you’re going to be confronted with attacks. How do you look at those attacks, how do you identify them, what resilience do you have.
It’s the same thing you’re doing for physical, right? You’ve undoubtedly exercised somebody’s going to blow up a piece of the pipeline. You’ve undoubtedly thought about how to deal with that. You’ve undoubtedly thought what’s our response going to be. It’s the same thing in the cyber world. What are the responses we’re going to do? How are we going to do them? How are we going to respond to them? Who’s going to do what, that sort of stuff.
MR. WILSON: Anybody else want to take a quick crack? Admiral?
ADM. JOSIAH: Yeah, I’m kind of on the same theme as Luca here. I’m going to use the Deepwater Horizon. When you have something like that happen, whether it’s because of human error or mechanical failure or inadequate design or maybe somebody, some smart terrorist went down there with a remote-operated vehicle and blew up the – blew it up or whatever. But there’s a lot of ways that something like that could happen.
The consequences of it are of course enormous. The economics that spread to who knows how many companies at sea and ashore and we probably won’t figure out what the total impact there was for a long time.
But in a way, that comes from a failure to consider the worst case scenario that might have happened and I think if you look at some of the disasters that have taken place around the world, over and over again you see that it’s hard for governments or people to actually contemplate what could happen and what the economic consequences might be and prioritize and spend the extra money.
It’s hard to spend that extra money in this kind of a global environment to try to prevent or provide layers of protection of something to happen. But in Raytheon, we espouse use something called the design basis threat, designing based on a high priority. It might be small likelihood, big consequence kind of threat and then finding the worst case scenario to build your design around and so for us there’s lots of examples of this.
Katrina, which of course wiped out communications, the hurricane, in much of the Gulf Coast of the United States, but also shut down the oil industry for a good long time, all kinds of damage to the drilling rigs out there and I think there is remedial thinking taking place right now as to how to have some of those systems beefed up so that that quite can’t happen in as bad a way again. But it comes back to this starting point where security and safety kind of merge together in our thinking here a bit.
But you build it in at the design stage and you have to actual have the ability to think through how bad things might get and what the consequence might be so that you can see there’s a return on your investment by protecting the investment with that early design improvement.
MR. WILSON: It’s a good question, got some interesting stuff. Eric Melby?
Q: I’m Eric Melby. Where do you draw the line between trusting your employees to protect all the infrastructure and suspecting that they might be either overtly or covertly an entry point for weakness?
MR. IZZOTTI: So I believe that you need to design a security system from the beginning taking into account the people as you are addressing, taking into account people miss a lot of things. It doesn’t mean that you have a policized (ph) infrastructure where police is everywhere and the intelligence is everywhere.
But you need to have implemented into the system some things about your people that suggest strange behaviors. So normally, without going into very sophisticated security system like those ones that belong to governments, you can implement quite weak security system that just rise a layer, tell you the reason something is strange which is out of the normal behavior.
So I think that it is very important to have a light counter of all your employees because if employees feel they are harassed by the security, they do not work appropriately. But not doing anything is a big mistake and for this reason you need to design the things at the very beginning. When you say what the company must care for, they need to care for security at the very beginning of the design phase, not later on, because in this way we can take into account into the system solution to this kind of problem.
MR. WILSON: Paul, anything you want to add?
MR. TWOMEY: The Internet and cyberspace is actually, I think, basically a biological system and I think one of the debates – I had this discussion in India and other places – this thing, the tendency to see it in terms of security is probably wrong. I think the model is much more public health, that we actually should think of the way in which people could impact security much more like the public health model which means we’ve all got a responsibility to look after our own health .
Somebody’s got to play the role of the doctor. You’ve got to pressure them to go and see the doctor if you get sick. Somebody’s got to be the Centers for Disease Control. There’s got to be hospitals and then even if you in the normal environment had a system where everybody had to be healthy when they came into work and all that stuff, you’re going to get pandemics and people are just going to get sick. So the trick is you’ve got to be resilient and respond to it.
Now, I think, to come to your question about your people, you want them to do the right thing. You do the usual stuff. But you should make the assumption that just like they can all come down with bird flu, they might be the vectors in which you might get a cyber attack and as a consequence you should be thinking about that and I find it interesting certainly in the Western-Pacific part of the world.
It’s fascinating talking to executives who have got complete programs for SARS, know exactly what to do, these whole national program systems if SARS breaks out, but you talk about a cyber event and they just go, huh, and yet in some respects it’s a very similar sort problem but it’s all about building in the resiliency.
MR. PETERSEN: I’ll just make a quick three words. I think it goes probably to your question but also the previous question, at least when we were doing reports on assessments of infrastructure security, one of which was for example BTC, is we talked about intelligence, redundancies and the relationships.
So part of the mitigating against what your employees might be doing are those redundancies but also intelligence about them, not necessarily in a kind of big-brother way. But it’s also if you think about those three though, and relationship of course being good a good relationship with the people that you work with, good relationship with host governments, good relationship with security first responders, et cetera, et cetera.
But it’s also keeping in mind from the sort of private sector standpoint, fulfilling those three pillars – intelligence, redundancies and relationships – is not necessarily something that can be done if you are trying to as a company do more for less.
MR. WILSON: Thank you very much. I’m mindful that the next panel, which is the whole group, convenes at 3:45. So please join me in thanking our panelists. (Applause.)