Preparedness to Respond to Terrorism Incidents: Essential
Services and Critical Infrastructure
1. Executive summary
1.1 Introduction
The terrorist attacks in the United States in 2001 introduced a
new and confronting dimension to the international security
environment. Later attacks in Bali, Madrid, Jakarta and London
confirmed that the terrorism threat is not limited to the United
States. While Australia has not been directly attacked by
terrorists, in recent times its citizens and interests have been
attacked offshore.
Since 2001, Australia’s national counter-terrorism alert has
been at the ‘medium’ level, meaning a terrorist attack within
Australia could occur.
The 11 September 2001 terrorist attacks and the subsequent
October 2002 Bali bombings prompted reform and enhancement of the
national and Victorian counter‑terrorism arrangements, through the
introduction of new arrangements and legislation and the
improvement of counter‑terrorism capabilities.
Australia’s counter‑terrorism capability operates through a
cooperative partnership between national, state and territory
jurisdictions, with joint responsibility for developing and
maintaining nationwide capability. The Commonwealth has the
national coordination responsibility. The formation of the National
Counter-Terrorism Committee (NCTC) in 2002 has driven the
development of an approach to prepare for, respond to, and recover
from potential terrorist attacks. Commonwealth, state and territory
representatives make up the NCTC, which, among other things, is
responsible for maintaining the national counter‑terrorism plan.
The plan sets out Australia’s high‑level strategy to prevent, and
deal with, acts of terrorism in Australia and its territories. It
addresses capability, prevention, preparedness, response and
recovery, and policy development, coordination and strategic
arrangements.
1.1.1 Background
In November 2002 the Victorian government released its
counter‑terrorism policy statement Enhancing Victoria’s
Domestic Security: New measures for the fight against
terrorism. The policy statement included requirements for
Victoria Police to assist operators of essential services relating
to electricity, gas, water, transport and fuel, in the development,
validation and audit of their risk management plans and the
coordination of joint exercises.
In 2003 the Terrorism (Commonwealth Powers) Act 2003
and the Terrorism (Community Protection) Act 2003 were
introduced, establishing new counter‑terrorism powers, including
provisions for the protection of declared essential services.
Victoria was the only jurisdiction to introduce essential services
protection legislation. Later policy responses included
Protecting our Community: Attacking the Causes of
Terrorism released in September 2005 and A Safer
Victoria—Protecting our Community: New Initiatives to
Combat Terrorism in October 2006.
1.1.2 Essential services and critical infrastructure
Protecting essential services and critical infrastructure is
integral to minimising the impact and consequence of a terrorist
attack. In June 2004 the Council of Australian Governments endorsed
the NCTC’s National Guidelines for Protecting Critical
Infrastructure from Terrorism (the national CIP framework) as
part of the broader national counter‑terrorism arrangements.
Victoria was an early starter in developing an approach to critical
infrastructure protection and a significant contributor to and
early proponent of the development of the national CIP
framework.
Victoria’s approach to critical
infrastructure protection was influenced by the government’s
response to the Longford gas crisis of 1998 and by the fact that
much of the state’s essential services and critical infrastructure
is privately owned or operated. Primary responsibility for
providing adequate protection rests with owners/operators.
In April 2007 the government introduced the Victorian
Framework for Critical Infrastructure Protection from
Terrorism (the CIP framework), which draws on the national CIP
framework and other nationally agreed documents for critical
infrastructure protection, and is consistent with the national CIP
framework. Among other things, the CIP framework formalised the
involvement of Victoria Police in the validation and audit of risk
management plans and the coordination of joint exercises for
critical infrastructure.
Part 6 of the Terrorism (Community Protection) Act 2003
(the Act) and the CIP framework together provide for the protection
of essential services and critical infrastructure to enable
continuity, or quick recovery of, service delivery and operations
in the event of a terrorism incident.
The Act and the CIP framework operate
within Victoria’s emergency management arrangements, which are
based on a common set of arrangements for all emergencies known as
the ‘all hazards, all agencies’ approach. Under this approach all
emergencies, regardless of their cause, are managed through
arrangements set out in the Emergency Management Act 1986,
the Emergency Management Manual Victoria and the State
Emergency Response Plan. This means that the same agencies and
arrangements used to respond to routine incidents and emergencies
are also used to respond to terrorism incidents.
1.2 Audit objective and scope
The objective of this audit was to
examine the state’s preparedness to respond to terrorism incidents
relating to essential services and critical infrastructure.
In scope
The audit examined the governance
arrangements established to assist operators of essential services
and owners/operators of critical infrastructure to respond to
terrorism incidents. The activities of selected Victorian
government agencies with roles and responsibilities under Part 6 of
the Act and the CIP framework were examined, including how they
consulted and interacted with owners/operators of critical
infrastructure and operators of declared essential services.
Specifically, we examined whether:
- governance aspects of the related state
agencies—including roles, responsibilities and
accountabilities—were clearly defined and understood
- inter-agency risks were identified and
managed
- meaningful consultation and communication across
government agencies and bodies and owner/operators occurred
- adequate performance monitoring occurred to
assess progress with the implementation of Part 6 of the Act and
the CIP framework
- the agencies audited had arrangements for
monitoring the preparedness and capability of operators of declared
essential services and owners/operators of critical infrastructure
to respond to terrorism incidents.
The audit also considered funding for
counter-terrorism initiatives including for preventing, responding
to and recovering from terrorist attacks.
The activities of Victoria Police and
seven Victorian government departments were examined.
Out of scope
Because of the focus of the audit on
response, it did not examine:
- prevention activities involving collecting,
analysing and disseminating intelligence about terrorist intentions
and capabilities
- the implementation of additional powers to
police, mandatory reporting of theft or loss of specified chemicals
and substances, or the protection of counter-terrorism information
introduced in the Act.
Regardless of the cause of an emergency,
the response and recovery efforts of Victorian public sector
agencies are set out under the state’s ‘all hazards, all agencies’
approach to emergency management established by the Emergency
Management Act 1986, the Emergency Management Manual
Victoria and the State Emergency Response Plan. This means
that the same agencies and arrangements used to respond to routine
incidents and emergencies are also used to respond to terrorism
incidents.
Given the audit scope, the audit did not
examine the state’s broader emergency management arrangements. Nor
did it consider the public sector’s preparedness to respond, or its
recovery activities involving the support of disaster affected
communities in the restoration of services, reconstruction of
physical infrastructure and restoration of emotional, social,
economic and physical wellbeing following terrorist incidents. An
examination of the structures, arrangements or activities
established under the emergency management approach would have
diverted the focus of the audit from arrangements introduced by the
government to specifically address the effects of terrorism on
essential services and critical infrastructure.
1.3 Conclusion
Victoria was the first Australian
jurisdiction to develop arrangements for protecting essential
services from the effects of terrorism, including at the national
level. Victoria has played a significant part in developing
capability for protecting essential services and critical
infrastructure, nationally and in other states, in particular the
capability development of crisis centres of other states and
territories.
The government has invested around $255
million in counter-terrorism initiatives, since 2002, to protect
the community against terrorism including prevention, response and
recovery. Victoria Police, emergency services, health services and
other government agencies have been provided with new tools to
combat terrorism and its consequences.
The establishment of a governance
structure comprising the Security and Emergencies Committee of
Cabinet, the Central Government Response Committee, Government
Security and Continuity Network Coordination Group (G‑SCN‑CG) and
Security and Continuity Networks (SCNs) to underpin the
arrangements for protecting essential services and critical
infrastructure is a positive initiative. However, the governance
arrangements could be more effective:
- The co-existence of Part 6 of the Act for
essential services and the CIP framework for critical
infrastructure is confusing to agencies and hinders
coordination.
- SCNs are not fully operational with varying
levels of progress. Two of the nine are operating well, one other
has recently converted to the SCN format after operating for some
time under other arrangements. Two are in the early stages of
operation. Another held its first meeting in October 2008. The
remaining three have not been established. Timeframes for
implementation of the CIP framework have not been set.
- The effectiveness of the G‑SCN‑CG has been
reduced by the delayed development of the SCNs and the co‑chairing
arrangements between the Department of Premier and Cabinet (DPC)
and Victoria Police. The requirement under the arrangements for the
G‑SCN‑CG to focus on the CIP framework rather than both critical
infrastructure and essential services has limited its potential
effectiveness.
- Respective roles and responsibilities of
agencies involved are unclear, particularly in the CIP
framework.
- Efforts to identify and mitigate inter-agency
risks associated with joined-up arrangements for managing the
framework were not evident.
- An adequate performance measurement and
monitoring framework has not been developed.
Governance arrangements to assist
owners/operators of critical infrastructure and operators of
declared essential services to prepare to respond to terrorism
incidents are at different stages of development across sectors. In
the absence of an overarching performance monitoring framework,
success in implementing Part 6 of the Act and the CIP framework is
difficult to measure.
Three departments audited have
‘declared’ essential services under the Terrorism (Community
Protection) Act 2003 (the Act). The sectors managed by these
three departments—energy, transport and water—are the most
significant industry sectors in terms of providing for business
continuity and the state’s ability to recover from a terrorist
incident. The alternative arrangements in place for the police and
emergency services sector to prepare to respond to terrorism
incidents are considered reasonable.
As departments in the remaining sectors
have yet to consider whether such declarations are necessary, we
were unable to gain assurance whether all essential services have
been declared.
Three lead departments were not aware of
the critical infrastructure listed on the critical infrastructure
register for their industry sectors. This inhibits their ability to
work with owners/operators to encourage them to take up the
recommended practices identified in the CIP framework.
There is a requirement for risk
management plans of declared essential services to be audited
annually and annual audits of risk management plans for critical
infrastructure are encouraged. However, what would constitute such
an audit has not been defined. Similarly there is no guidance on
the qualifications required of an auditor who can audit the
plans.
Apart from a ‘lessons learned’ database
that is maintained by Victoria Police and records the outcomes of
all NCTC coordinated exercises, there was little evidence of a
systemic capacity to capture information about training exercises
conducted under Part 6 of the Act and the CIP framework. The
lack of a central repository for exercise reports makes collective
analysis of outcomes difficult. We saw no evidence of strategic
analysis of recommendations and, consequently, it is not apparent
that reports are driving continuous improvement.
It is clear from the government’s policy
document Enhancing Victoria’s Domestic Security: New measures
for the fight against terrorism that DPC has responsibility to
coordinate Victoria’s major incident management, including for
counter-terrorism policy and planning. While responsibility for
oversight of operators of declared essential services in specific
sectors rests with the relevant minister and department, DPC should
exercise firmer leadership in administering Part 6 of the Act and
implementation of the CIP framework and remove barriers to their
effective implementation.
Since the emergence of national
arrangements, subsequent to introduction of the 2003 Victorian
legislation, and given the issues identified during the audit, it
is timely to review the arrangements for protecting the state’s
essential services and critical infrastructure. Such a review
should aim to reduce the complexity of the state’s arrangements and
streamline practices, consistent with maintaining regulation and
coordination to mitigate risks specific to our highly privatised
service delivery environment.
DPC has advised it intends to examine
Victoria’s critical infrastructure protection arrangements
including Part 6 of the Act and the CIP framework and to assess
their effectiveness and appropriateness for the near to medium
term.
1.4 Recommendations
The Department of Premier and Cabinet
should:
- establish clear oversight and coordination of
the arrangements for both Part 6 of the Terrorism (Community
Protection) Act 2003 and the CIP framework by an appropriate
body, such as the Government Security and Continuity Network
Coordination Group with expanded responsibilities
(Recommendation 4.1)
- lead the development of a performance management
framework for measuring, monitoring and reporting on the
implementation of Part 6 of the Act and the CIP framework. The
framework should include key indicators, targets and reporting
arrangements for assessing the extent to which departments,
agencies and industry have fulfilled their obligations, as well as
measures for monitoring achievement of joint objectives
(Recommendation 4.2)
- clarify the roles and responsibilities of
departments and agencies under Part 6 of the Act and CIP framework
to reduce confusion and gaps (Recommendation
4.3)
- provide definitive guidance on identifying
essential services for declaration to better inform relevant
departments in discharging their responsibilities under Part 6 of
the Act (Recommendation 4.4)
- identify risks arising from the joined-up nature
of the approach to protecting essential services and critical
infrastructure, and assist departments and agencies to develop
associated risk management arrangements at the whole‑of‑government
level (Recommendation 4.5)
- clarify the requirements in relation to
establishing Security and Continuity Networks in designated
sectors, so that there is a shared understanding of those
requirements. (Recommendation 4.6)
Representatives of lead departments
should obtain necessary security clearances so appropriate officers
can access information relevant to their sectors.
(Recommendation 4.7)
The Department of Premier and
Cabinet, in consultation with Victoria Police, should develop clear
guidance to distinguish between declared essential services and
critical infrastructure to assist departments, Victoria Police and
industry in implementing Part 6 of the Act and the CIP framework
more effectively. (Recommendation 5.1)
The Department of Premier and Cabinet
should provide clear guidance on terms such as ‘audit’, ‘auditor’
and ‘adequacy of the exercise’ to assist departments, Victoria
Police and industry to implement requirements more reliably.
(Recommendation 5.2)
The Department of Premier and Cabinet
and Victoria Police, in consultation with departments, should
standardise reporting on training exercises conducted under Part 6
of the Act and the CIP framework to promote greater consistency and
to enable better identification of lessons learned and continuous
improvement. (Recommendation 5.3)
Reports on the training exercises should be retained in an
appropriately secured central repository so that consolidated
results of the exercises can be drawn together effectively.
(Recommendation 5.4)