Mastering the three “Cs” of Security: Clarity, Communication and Consistency
As the Assassination Attempt that happened on July 13th Demonstrated, a Failure of Clarity, Communication and/or Consistency Can Lead to Devastating Consequences. It’s Vital that Your Substation Security Strategy Offers Certainty in All Three Areas.
Albert Einstein once said, “Any fool can know. The point is to understand.” I often refer to this quote in the training programs I conduct because I believe it holds true for utility security in general, especially when it comes to effective substation security. That’s why my previous articles have focused on the more abstract aspects of substation security rather than specific issues like ballistic barriers, fencing or lighting. While we will cover those topics later, it’s important to first grasp the abstract skills, traits and habits that can lead to improved and long-lasting substation and infrastructure security.
Most of us take an arbitrary approach to substation security. We’ll sling one promising solution after another against the wall to see what sticks. When we hear about the latest gear, gadget or technique, we contact the vendor to have them readily explain, “Of course, it’s the answer to all your substation security needs,” only to expend our limited time and capital resources on solutions that don’t address our needs at all.
It’s essential to fully understand the specific threats we’re up against, including their root causes and possible outcomes. We also need to be knowledgeable about strategies, techniques and defenses that can be employed to deal with these threats. This involves staying informed about developments and solutions, as well as continuous research and analysis of the advantages and disadvantages of cutting-edge security practices and technologies.
In recent months, we’ve talked about the risks of relying on unverified assumptions and the significance of making critical decisions. The necessity of being skilled in both areas became evident on July 13, 2024, near Butler, Pennsylvania, when an amateur assassin attempted to shoot a high-profile presidential candidate. Although the assailant failed to achieve their objective, they still managed to injure the target and cause lethal collateral damage.
The assailant, with a rifle in tow, was able to climb onto the roof of an adjacent structure and successfully engage his target despite a multi-jurisdictional security presence. The sole reason for the extensive, multilayered security footprint was to protect the intended victim by identifying and eliminating such threats.
The shooter’s ability to bypass security, enter the secure zone, access a restricted roof and obtain a clear line of sight of the intended victim exposed numerous security failures. Although the on-site security teams were thought to have the necessary skills to intervene before the attack, they failed to do so. So, how did this serious security lapse happen? We will wait for the formal investigations to provide an answer to that question.
Instead, we will analyze some of the security failures apparent from an application perspective. Ironically, these include failures in verifying assumptions and failures in utilizing critical decision-making skills – the very skills we discussed in previous articles. Other conspicuous security shortfalls include unclear roles and responsibilities, ineffective communication strategies and inconsistent implementation.
So, let’s examine the impact of clarity, communication and consistency – three skills or traits that were noticeably absent on July 13th – and their impact on substation and infrastructure security.
Clarity is a simple word with a profound meaning
Webster’s Dictionary states:
Clarity is the quality of being clear: such as
- the quality of being easily understood
- the state of having a full, detailed and orderly mental grasp of something
Clarity should always be a priority in the security sector. For instance, when it comes to information in the utility security sector, ambiguity is always a vulnerability, information must always be clear, concise and precise.
When assigning a task to an individual or a project to a team, it’s essential that expectations, roles, responsibilities, tasks, accountability, authority and chain of command are clearly defined. In team settings, every team member should have a precise understanding of specifically what is expected of the team, including goals, objectives, anticipated outcomes and communication channels. Each team member should fully grasp their specific roles, functions and responsibilities, as well as those of their fellow team members (i.e., who does what, when and where).
It’s important to maintain clarity when sending and receiving information. When you receive information, you should take the time to fully understand the subject, goals, directions, expected outcomes and other relevant details. When relaying information, make sure the recipient understands it correctly. One way to do this is by following the military protocol of having important information repeated back to confirm clarity.
In the critical incident on July 13th, the lack of clear roles, responsibilities and expectations for the various law enforcement agencies caused confusion. It was uncertain who was supposed to do what, how to communicate urgent information and what response options were available.
The lack of clarity resulted in a disjointed security approach that left significant gaps in perimeter protection, slowed the actions of neutralizing the assailant and delayed the extraction of the protectee from the venue.
How does clarity impact substation and infrastructure security? The importance of clarity in substation and critical infrastructure security cannot be overstated. It’s a fundamental truth that for any aspect of security, an accurate picture of who, what, when, where and how many is always necessary. Clarity provides the means for recognizing threats, responding to incidents and remedying them and effectively transferring security-focused information.
Another fundamental truth is that you can’t defend against a threat until you’re aware that it’s a threat. We are constantly exposed to countless threats but have limited resources to respond to them. Therefore, it is crucial to identify the most significant and impactful threats in order to know what to defend against. This requires having a clear understanding of the threat landscape.
Clarity is crucial in incident response. Precise information, clear descriptions and unambiguous details are essential in real-time response, as well as in post-event forensics and investigations. In a violent encounter, a lack of clarity can have fatal consequences. Similarly, a lack of clarity during incident investigations can result in incorrect conclusions and inaccurate determinations.
For utility security practitioners, clarity is an essential element of daily life. Whether engaging with vendors to discuss new substation security requirements or communicating up and down the chain of command, clarity is crucial.
In information transfer, it’s important to ensure that the recipient of information understands the message clearly, concisely and accurately. If you’re providing the information, it’s your responsibility to ensure effective message transfer. If you’re the recipient, it’s also your responsibility to make sure you understand the message accurately. This takes effort, but as the person with security responsibility, it’s crucial to ensure clarity through effective communication.
Effective communication requires intent and planning. Effective communication is crucial and should be clear, timely and consistent. Whether communicating with vendors, coworkers, security colleagues or threat actors, poorly delivered communication can be a proverbial train wreck. In regular interactions, inaccurate or missing information can be costly; in active threat situations, it can be deadly.
Accurate document information is an essential form of communication in utility security. Inaccurate information can be unprofessional and costly when purchasing equipment or defining a scope of work. Precision in reports, studies and proposals is crucial. A well-written document always sets professionals apart from amateurs. While elegance isn’t necessary, accuracy is essential in professional documents.
It is important to understand that effective communication requires planning. Depending on the size and complexity of an event or project, communication planning can be a complicated chore.
Communication planning for real-time interaction and information relay during an event is often overlooked or dismissed as inconsequential. However, time and again, poorly organized and uncoordinated approaches to communication have decimated what was otherwise effective security plans.
The assassination attempt on July 13th underscores how inadequate communication planning can impact security. The perpetrator was identified as he climbed onto the building and into his firing position. Spectators at the event noticed him on the roof and alerted a local law enforcement officer. However, with no communication plan in place, there was no mechanism for communicating the threat to security teams from other agencies. Since the officer didn’t have a clear line of communication, the presence of an active threat wasn’t relayed to the members of the protection detail or the countersniper teams. This allowed the shooter to take up his position and carry out the attack. The failure to develop and implement a clear, concise and actionable communication strategy had lethal consequences.
It is easy to overlook communication planning because it doesn’t become a problem until a critical incident occurs, which is, thankfully, a rate event. However, when an incident does take place, the consequences of poor communication planning can be catastrophic. Whether you are developing a communication strategy for a major event or creating an intrusion response protocol for your critical infrastructure, communication planning is essential. Communication planning is a thankless but absolutely necessary task that requires consistent application.
Consistency is the glue that holds all other security applications together. Without consistent application, you have untenable conditions that are vulnerable to attack. One of the most interesting things about application inconsistencies is how easy they are to recognize and exploit. We are happy to go the extra mile to engage in active security practices when things are fresh and new, but every security practice quickly becomes mundane and tasks become routine. It’s a poorly kept secret that on any given day, more than half of all security protocols are being “phoned in.” We quickly become victims of tedium suffering from both change and inattentional blindness. The issue is that threat actors are aware of this phenomenon and will readily exploit it.
Consistency requires both effort and discipline. Overcoming the mind-numbing effects of routine takes concerted effort and having the will to complete yet another communication plan that you fully expect to never be needed takes real discipline.
When it comes to substation and infrastructure security, it takes consistency to continually follow through with security practices whose only apparent accomplishments are wasting time. But reality is far different. Threat actors pay close attention to how security practices are routinely carried out. They look for vulnerabilities and inconsistencies that can be exploited.
The lack of satisfaction exacerbates the problem of consistency. Since surveillance is almost always covert, we rarely experience the satisfaction of knowing that our continual follow-through on security practices makes a difference or that our consistent application of mundane security protocols matters.
As security professionals, it’s important to maintain consistency in our security practices and to encourage others to do the same. However, it’s important to recognize that you cannot expect others to consistently fulfill their security responsibilities if you are inconsistent in performing yours. As a security practitioner, you must be the leader when it comes to consistency.
On July 13th, it became clear that relying solely on technique and presence is not enough. You must possess effective intangible security skills and hone professional traits, such as avoiding unverified assumptions and utilizing critical decision-making skills. As a security practitioner, it’s essential to recognize the significance of clarity, communication and consistency in utility security and their impact on substation and infrastructure security.
About the Author: Jim Willis is president of InDev Tactical, a security training and consulting firm. He is an electrical engineer, an experienced utility professional and a credentialed homeland security specialist and anti-terrorism expert. If you want to discuss utility-focused security training or consulting assistance, you can reach Jim at 703-623-6819 or jim.willis@indevtactical.net.