The Department of Energy and Climate Change (DECC), in conjunction with the Centre for the Protection of National Infrastructure (CPNI) and industry body, Oil & Gas UK, has published guidance on assessing and controlling the security risks posed by rogue employees and third party contractors working in the energy sector.
The guidance follows acknowledgement that terrorism remains a threat in the UK and one which is relevant to the UK’s energy sector. The Government and the energy industry are keen to avoid the kind of attacks on infrastructure that have plagued the Middle East in recent years. To that end, the guidance is intended to alert and inform operators as to the means by which the perceived risks to critical infrastructure may be mitigated.
Rogue Employees and Contractors
One of the principal risks identified is that posed by rogue ‘insiders’ within organisations and with access to, or control of, sensitive information or assets. The potential damage that might be caused by such an insider may vary from simple financial or reputational loss to the malicious sabotage of assets that endangers the health and safety of workers.
In terms of the Health and Safety at Work etc. Act 1974, employers owe a duty of care to their employees and third parties to provide a safe system of work, employ competent persons and take care not to expose workers or the public to unnecessary risk. That duty arguably extends to the risks posed by rogue insiders and should therefore be considered at the point of engagement of employees or appointment of contracting workers.
Assess the Risk and Incorporate Mitigating Measures into Contracts
In keeping with the Management of Health and Safety at Work Regulations 1999, the primary means of addressing this risk should be a risk assessment of personnel security. The risk assessment should determine the level of risk posed to an organisation arising, for example, from the access to sensitive information that a contractor’s role might require.
The guidance document provides an example risk assessment and recommends different levels of pre-engagement screening depending on the level of risk identified in the assessment. Risk-mitigating controls include requirements for proof of identity and residency, criminal record disclosures and, for high-risk roles, national security vetting. Importantly, the guidance recommends that pre-engagement screening be embedded in services contracts with third party companies, with provision for:
- The security controls required (both pre-engagement and ongoing) and the requirement for those controls to be implemented throughout the contracting chain;
- Attributing responsibility for any lapse in security;
- The right of the organisation to approve/disapprove the choice of subcontractors; and
- The right of the organisation to audit the implementation of security standards.
While the risks posed by rogue insiders may seem unlikely to some, complacency should be avoided given companies’ health and safety obligations and the associated penalties for non-compliance. Operators of critical infrastructure should ensure that they implement appropriate procedures to address the risk and that similar control measures are cascaded down the contractual chain.
Click here to download the guidance document from DECC’s website