Feature: Protecting South Africa’s critical infrastructure


‘National key points’ have raised negative comment on several occasions, but the reality is that any state has infrastructure that is critical to the running of the state and the functioning of its economy. Such infrastructure is vulnerable not only in time of war, but also in supposed times of peace, when assorted irregular forces, armed groups and even ‘lone wolf’ actors can cause immense disruption and damage.

Some seem to believe South Africa is immune, but that is not a safe assumption:
• South Africa is very ‘western’ in the eyes of some extremists, and is replete with potential targets, from ‘western’ embassies (remember the 1998 bombings in Dar es Salaam and Nairobi), businesses and tourists, to our own facilities.
• South Africa may side with a government whose opponents might choose to strike at us in retaliation, much as Al Qaeda and ISIS have carried out or encouraged and facilitated attacks in several countries. What has happened in Europe recently, in Kenya and Uganda since 2010, and in Mumbai in 2008 can happen to us.
• We cannot assume there are no home-grown terrorists. Perhaps like the Chechens, who have bombed airliners and trains and attacked theatres, hospitals and schools, killing hundreds for independence from Russia; or Aum Shinrikyo, who released Sarin nerve gas in the Tokyo subway in 1995, killing 12 and injuring 50; or individuals like Timothy McVeigh, who bombed a government building in Oklahoma City in the United States in 1995, killing 168 and injuring more than 600.

While it would arguably be overstating things to speak of a ‘threat’ of such attacks, there very definitely is a real ‘risk’, and that is something for which the government must plan and prepare.

The potential target array is large:
• ‘Key points’ include airports, railway stations and railway junctions, power stations and substations, water treatment plants, telephone exchanges, critical industrial facilities such as refineries and oil storage sites, radio and television stations, and more difficult targets such as dams and harbours.
• More dispersed targets could include long-distance power lines, oil and water pipelines and railway lines, all perhaps more easily repaired but also all rather more easily attacked and disrupted.
• Government buildings might not be such disruptive targets, but could be seen as suitably high profile and worth attacking on that score, and civilian casualties could be high.
• There is also the risk of attacks on embassies and hotels or venues frequented by tourists or, if the intention is to hit South Africa, any venue that draws large numbers of people.

To such ‘physical’ targets must be added potential targets in the cyber domain, including the systems that control electricity and water reticulation, telecommunications, railways, air traffic and some industrial plants.

Those computerised facilities have great advantages, but are also a major and dangerous vulnerability: Consider the cyber-attack on Iran’s uranium enrichment facilities, the denial-of-service attacks against government offices, banks and similar institutions in Georgia and Estonia, and the more recent attacks on the electricity supply system of Ukraine. The latter two sets of attacks are more frightening because they were executed remotely, whereas that against Iran required malware to be delivered via a memory stick, something that is easier to guard against. It is also worth remembering that South Africa is one of a few countries in Africa actually vulnerable to cyber-attack.

It is impossible to fully protect every potential target all of the time – there are too many and the forms of attack too varied. So the focus must in the first instance be on prevention – making an attack difficult or less disruptive, and detecting attacks before they can be executed.

Making attacks difficult or less disruptive will require access control, enforced digital security and key system redundancy. New buildings and facilities should be designed with this in mind – among other things no vehicle access, a minimum of windows facing the street, and walkways rather than crawl spaces for cable and pipe runs, to facilitate inspection – who actually inspects crawl spaces to check for bugs or bombs?

Detecting attacks will fall primarily to the intelligence services, who need to be aware of groups that might become a threat and of possible ‘lone wolf’ terrorists (difficult), be alert to whispers and – imperative – maintain close liaison with other intelligence services, even in countries with whom our relations are not particularly good. The Police are also part of this early warning capability, and their personnel must be alert to attack indicators in the course of their routine activities. It is easy to be too paranoid, but it is fatal not to be paranoid enough.

The Defence Force, apart from border protection, should monitor its own intelligence sources for early warning, and can:
• Assist with risk/threat assessment, analysis and planning, including provision of vertical and oblique aerial imagery;
• Provide protection elements for identified targets at times of high risk;
• Provide reaction forces to complement the Police’s national and local Special Task Force elements in pre-empting or responding to attacks in progress and for follow-up; and
• Provide medical and bomb-disposal assistance in the wake of an attack.

In addition, the Navy’s diving teams should be carrying out routine bottom inspections of ports so as to be able to quickly note and identify anomalies in the event of a threat of mining as a means of disrupting our trade, which could involve improvised mines or purpose-built naval mines. Consider the mining of Nicaragua’s port approaches, of the Red Sea approaches to the Suez Canal and in the Persian Gulf. The Air Force, of course, would be responsible for aerial imagery, for reconnaissance and surveillance and for the deployment of reaction teams.

Most of this is fairly obvious and one would like to think that it is in hand. But the matter of providing protection is worth a closer look, because it can also help resolve the problem of the Defence Force’s older personnel.

The experience of most armies is that older personnel make better sentries, check point teams and watch officers – they are more patient, less easily distracted and less likely to ‘flap’ when things go wrong suddenly. Every military has good people who simply do not want to move up to higher ranks and accept the accompanying responsibilities and paper shuffling, but who are at home in the military and would like to serve until pension. While they will reach an age at which there are real physical limits to the duties they can perform, they can be a perfect fit for security and protection duties at key installations.

They could be posted to a Defence Force security or guard force to provide security at its own facilities and to provide security teams – watch officers, guards, access control personnel and patrols – for key facilities. This would clearly require funding, but is surely a better solution than keeping people in posts for which they are no longer fit, simply letting them ‘hang around’, or tossing them onto the street to join the pool of unemployed.

Those security/protection teams could be complemented and supplemented by reserve units in the relevant area. Those units could provide reliefs for personnel on leave, local reaction teams and supplementary protection personnel at times of increased risk or threat.

Finally, cyber security/defence: The potential consequences of a major cyber-attack in terms of damage to the economy and to the ability of the country to function are such that this should be regarded as part of the defence domain. This is an intelligence-heavy area, so the requisite intelligence and protection/defence capabilities, and the development of pre-emptive and counter-strike capabilities, should for now lie with Defence Intelligence. Looking forward we may need a separate branch of the Defence Force.

Like most things in defence and security, protection of infrastructure is a team sport: No one agency or service can be effective alone. Nor can one country counter international terrorism on its own.