King Of The Castle: Security Management for Chemical Companies
GIT SECURITY: Mr. Ehses, making large chemical production plants secure has its own challenges – there are often especially inflammable fluids, explosives, etc....?
Wolfgang Ehses: Chemical compounds and their reactions are the core of our business, with all the risks that it involves. The operation of a chemical plant can therefore not be compared with that of a normal factory. There is very strict monitoring here, whether within the production area, the filling area or the transport. Our many employees ensure that we can demonstrate our high operational standards – worldwide.
The security management cannot do as it likes in such a location – with reference to the hazardous incident regulations, escape routes, worker protection etc. – where are the conflicts of interest most noticeable?
Wolfgang Ehses: I will give you a graphic example: in some areas, there are legal requirements for the protection of accidents or simply essential life-saving measures to be observed that, for example in the case of an accident, would ensure unhindered escape routes, which conflicts with the desire for security using fences, doorways or walls. In addition, often, chemical companies are not alone on the site, but sometimes part of a chemical industry park or such which makes them bring their own security measures into line with the existing infrastructure. So there are, for example, fundamental protection measures for a chemical park with services that are expected for personnel, for the organization, but also for processes and tool-sided for safe operation.
Could you give us one or two examples of this, and how you solve the problem?
Wolfgang Ehses: Let us assume that a factory falls under the hazardous incident regulations because of the specific products that are produced there. If there is an accident, the danger potential is so high that employees must evacuate the compound when a warning siren sounds and gather at a designated meeting point. This meeting point lies 400 meters away from the building. However, to prevent unauthorized persons entering, the Corporate Security team wants to implement a combination of doors with electronic locks, video surveillance and a corresponding solution of a fence equipped with detectors. This concept can be extended together with an employee protection team by doors with an escape function as well as improved access control with authorization checking. After checking the grounds and the associated security concept, the fence is then placed at a greater distance to the chemical plant.
How large are these compounds generally? And what strategy do you adopt in the light of the restrictions you have mentioned, in particular for perimeter protection and with access management?
Wolfgang Ehses: This can be very different for each location – it could easily be a few kilometers all the way round. And then there are external borders such as a river, for example, that we use for transport by ship, or a railway that we use for goods transport. Our strategy is to achieve a locally agreed level of security together with our colleagues from the employee protection group at home and abroad according to effective but also economic standards.
Where do you see the greatest security risks?
Wolfgang Ehses: Leaving natural disasters, technical failures or human error aside, I currently see virtual risks as one of the greatest threats. It is much simpler to sit at home and put an operation out of action by using malware than having to travel there, climb over the fence, find the right location and put oneself in danger of being recognized or being injured by one of the products.
You have worked together with a security service provider. Which tasks does this company look after and which ones are done by your own staff?
Wolfgang Ehses: The security provider I have worked with implements the measures defined in the fundamental protection list (size and outskirts of the factory etc.). In other locations, I have worked with local service providers who provide security services. Normally, Corporate Security personnel check the efficiency and communication of these providers at irregular intervals. And they look at the whole security situation together with those responsible on site. The employees on the company side are trained – such training must take place where it is required before entering certain premises. A knowledge test is required in some areas– without passing this there is no entry.
Could you give us an impression of the practical organization of an alarm management?
Wolfgang Ehses: I will explain it with a fictive example: there is a security event in Brazil on a Saturday morning at 4am German time. The local team initiate an incident response report containing the basic information. At the same time, a local member of staff calls the 24/7 emergency number. The case is forwarded to an Emergency Officer after recoding the basic details. This office decided what sort of event it is and presses just one button of an alarm app on their mobile phone, for example inform the person responsible for security matters. This procedure works at any time of night or day, and we use an external tool to bring all relevant personnel into a conference call. If someone is not reachable, the system recognizes this and will automatically call the next in line in that department. We have had good success with this method.
The contact and cooperation with the authorities is very important for you – how do you organize it?
Wolfgang Ehses: It is probably not very nice for some companies if the District Attorney comes visiting. However, I myself worked in a federal agency and know and understand the characteristics of public administration. So I usually maintain a very good cooperation with agencies like the cybercrime unit in North Rhine Westphalia or such. This has also led to a growing knowledge of cybercrime and the response to this phenomenon being more closely integrated into the processes. In addition, I am also networked and enjoy good communication with other companies and also the federal and state authorities through membership of various committees.
Mr. Ehses, could you explain your security philosophy a little closer?
Wolfgang Ehses: Let me explain it by the image of a castle. This image is not mine but comes from the Internet Guru Bruce Schneier. But it fits the situation well and is like this: a castle is first of all a solid stronghold and difficult to take because of its location and the fortifications. But it has weak points. It has entrances. And the walls are not as high or as thick all the way round, and you might be able to climb up them or to use a ladder. And occasionally you must make repairs – that is, there is a hole in the wall that must be repaired under observance of the local security measures. Therefore there are the guards who, although well-equipped, may not be available in sufficient numbers all around the castle. Now let’s look at a potential attacker: he decides when he is going to attack and using what sort of weapon. Did he identify some weak points in advance and can he attack those directly or does he use some method of distraction to the detriment of the guards so that he can draw them away from the weak points?
Here we are talking about the Trojan horse: attackers have plenty of time – how about an attack in around six months’ time? No virus scanner runs so long. You can see that the attacker has all the advantages and it is also pretty clear that most companies cannot maintain their own cyber defense army. Therefore it is all the more important to have a corresponding industry standard, a sort of standardized wall, as well as have suitable guards ready and an educated workforce that doesn’t leave the doors wide open.
What does that mean for the use of technology – a lot is possible these days, especially in perimeter protection?
Wolfgang Ehses: Technology is good, where it helps. It is always a cost/benefit calculation and ultimately a risk analysis of what you acquire and what you don’t. And you should not forget the analog world in the rush to digitalize everything – perimeters in an analog environment are just as important as in the virtual world. I would like to stress though that the whole concept doesn’t work without people. There must be someone who, for example, reacts to the sensor alert from a fence or the SIEM information about an IT process (event) and takes a decision. The next step is then the local solution – do I send a patrol or do I advise an administrator who puts a system into quarantine? In the best case, there is a good relationship between people and technology.
With regard to video surveillance: it is highly mature nowadays with excellent image quality and video analysis. What do you consider the role of this technology to be with regard to securing chemical plants?
Wolfgang Ehses: There are certainly areas that can be equipped with video surveillance, such as offices and production buildings, harbors and some warehouses, but to cover every last corner with video technology is usually uneconomic. Apart from the purchase of the cameras alone, there are almost the same costs again for running the cables, and then the images that are generated have to be watched, which correspondingly requires additional personnel. You have to look at each case on its own merits.
A very topical subject for protectors of perimeters is drones – although you can detect them quite early and establish what type they are and where they come from, it is not so easy to defend against them. What is your opinion?
Wolfgang Ehses: Drones in the sky above a chemical plant are a disturbing thing for many reasons. For one thing they can be used for spying because their cameras deliver excellent images and videos. But they can also be used as carriers of substances for sabotage or, even worse, be used for terrorist purposes. Some people would say that it’s all science fiction, but drones these days are certainly capable of that. Just because we haven’t seen such a case in Germany yet doesn’t mean that it’s completely unlikely. On the other hand, maintenance flights to see inaccessible places for example are very welcome and cost-effective. But their use after an incident to provide an overview of the situation will certainly be more commonly considered safety and security option in the coming years.
Let us talk a little more about IT security – companies with specific know-how and developments in particular are threatened by industrial espionage, hackers, etc. How do you consider the situation to be at the moment? How does your strategy look?
Wolfgang Ehses: Think back to the image of the castle – here part of the strategy is not to let too many weak points develop, to improve various points a thereby not to be blind to trends. Cyber criminals are developing too, they are improving their strategies, building new tools and making use of the weaknesses and strengths of globalization. In summary, I see the virtual risks advancing strongly and the security departments must move with them. The traditional police office or soldier is no longer sufficient – it is no coincidence that there are courses in Risk and Security Management at Bachelor and Master level.