Skip to content

Countering the Threat of Sabotage Operations to UK Interests and National Security

Last Updated 07 October 2024

In general terms, for the purposes of the National Security Act (2023), sabotage is: ‘activity conducted for, on behalf of, or for the benefit of a foreign power, resulting in damage to property, sites and data affecting the UK’s interests, and national security. This can be done through, but not limited to, the use of cyber actions and physical damage.’

This guidance outlines the particular sabotage threat and provides a toolbox, signposting users to relevant useful guidance.

The Threat

Today the world is less stable than it has been in the last few decades and the increase in physical threats to assets, services and people within the UK is of concern to us. As you will have seen reported in the media, a key area of threat we’re seeing in the UK and across Europe is acts of sabotage allegedly carried out for the Russian state.

Sabotage activities, on behalf of or for the benefit of a foreign power, may target the UK’s critical assets and the supply chains. Activities that can be viewed as directly opposing the interests of foreign states are likely to be at heightened risk from sabotage activities. This could include, for example, disrupting Western support to Ukraine conflict by targeting the UK defence industry and their broader supply chains of critical goods and military equipment.

Sabotage is a means by which hostile state actors undermine the UK’s national security to further their political, military and economic interests.  These acts may be carried out in the UK but can be conducted from anywhere in the world and still impact the UK’s interests and security.

Sabotage may be conducted directly by members of a foreign intelligence service but could also be conducted by proxies which can include agents, co-optees or other organisations working knowingly or unwittingly on behalf of a foreign state.

Hostile state actors may also pre-position equipment and technology to commit acts of sabotage at a later date. Acts of sabotage may also be preceded by unusual cyber activity on a target’s systems as well as instances of aerial or other hostile reconnaissance around the intended targets.

The means of sabotage will be dependent on the sophistication and capability of the actors and any proxies used. This could impact significantly on the levels of collateral damage caused. Acts of sabotage, for example, could include workers intentionally damaging equipment on a critical programme for the purpose of delaying the UK having specific capabilities, through to use of explosives to destroy essential infrastructure critical to the running of the UK. Arson attacks have recently been seen in several countries however different sabotage methods, including those making use of sophisticated technology, should also be considered.

What You Can Do

Noting the updated threat picture, NPSA recommends that organisations review their security strategies using the following prompts as a guide: 

  • Review your protective security risk assessment and update your security strategies, focussing on your most critical assets.
  • Recruit your people as part of your security effort and consider enhancing your protective security mitigations
  • Revise your response and recovery plans for an act of sabotage.
  • Report any unusual or suspicious activity to your lead government department or the police.

Review Your Security Risk Assessment

Asset Identification

  • Roles with a responsibility for business continuity, should determine and categorise your most critical systems (people, processes, information, technology and facilities), their locations and their impact of loss or damage including unexpected consequences and knock-on impacts locally.
  • These activities should be conducted with people who understand the business, its operations, supply chains and security arrangements.

Identify Threats and Assess Risk

  • Establish if businesses’, including subsidiaries and sites’, activity might put them at heightened risk to sabotage from foreign states, considering their purpose, output and dependencies.  
  • Determine whether certain sites/infrastructure/supply chains are at greater risk due to permissive operating environments and proximity to conflict zones.
  • With suitable subject matter experts, carry out vulnerability assessments considering this context of the critical systems you have identified above. Consider the most likely attack methodologies applicable to the critical systems you have identified.  

Develop a Risk Register and Strategy

  • At this point, you should have a risk register that identifies and prioritises the key risk areas and high-level statements on how they are or will be mitigated.  
  • For each risk identified that you are seeking to reduce, people with related roles and responsibilities should develop mitigation plans. The following sections provide more guidance around this. 

Business Continuity

  • Review your Business Continuity Plans.
  • Where possible, seek to:
    - Increase the redundancy of critical systems.
    - Improve the operational resilience of the organisation.
    - Divest non-critical functions from vulnerable locations. 
    - Reduce, re-locate or evenly distribute business critical stock.

Recruit Your People as Part of Your Security Effort and Consider Enhancing Your Protective Security Mitigations

Sabotage activity can involve a broad range of attack methodologies. Some key protective security mitigations are highlighted below, but other mitigations across the NPSA website should be considered to complement these areas based on your risk assessments.

Security Minded Communications

  • Assess and reduce the digital footprint relating to people, sites, infrastructure, and business operations. An organisation’s online channels, including websites and social media accounts, are often the first port of call for someone seeking information that could help them target it.
  • By adopting a security-minded approach to your communications, you can deny any hostiles (a person who wants to attack or disrupt an organisation) valuable information they require in the attack planning stage, while also reassuring your genuine visitors.

Disrupt Hostile Reconnaissance

  • Most attacks require a degree of hostile reconnaissance during the planning stage. This is normally conducted online, on site, or through utilising knowledge of someone (either wittingly or unwittingly) inside the organisation (known as an ’insider’).
  • Staff security awareness is essential to disrupting hostile reconnaissance and the attack. It is therefore important that you promote a good security culture within your organisation, empowering a security conscious workforce.
  • You should consider whether you’re creating an environment that enables key teams to strategically connect observations around hostile reconnaissance, for example considering the connectivity of online and physical events.
  • Additional support about how to detect and deter hostile reconnaissance can be found in NPSA guidance Disrupting Hostile Reconnaissance  and Deterrence Communications Toolkit.
  • Upskill workforces to be alert to unusual or suspicious activity and know what to do if they do encounter it. See, Check & Notify (SCaN) is an NPSA owned training product designed to empower staff across an organisation to disrupt hostile reconnaissance. The whole package can be accessed by speaking to your local CTSA. Two of the SCaN modules, SCaN for All Staff and SCaN for Line Managers can be accessed directly through the NPSA website and cover an introduction to hostile reconnaissance, how staff should respond and how insider risk should also be considered.

SCaN logo

People Security

  • Upskill workforces to be alert to unusual or suspicious activity utilising the ACT Awareness eLearning course which has been designed for all UK businesses and organisations by the National Counter Terrorism Security Office.
  • People are an organisation's biggest asset, however, in some cases they can also pose an insider risk utilised to either conduct reconnaissance and/or enable acts of sabotage against an organisation.
  • Remind your staff to be alert and not provide sensitive or privileged information that may be of use to someone outside of the organisation (and to report anything suspicious). NPSA provides further advice about encouraging these behaviours through the Employee Vigilance Campaign.
  • The Insider Risk Mitigation Framework is NPSA's recommendation for developing an Insider Threat programme which aims to reduce insider risk.

Physical Security

  • Based on a site-specific risk assessment, it may be judged necessary to implement physical security mitigations. 
  • You should have a clear understanding of what these mitigations are intended to achieve. NPSA’s physical security guidance offers advice.
  • Guidance relating to use of Fire as a Weapon, IEDs and drones is referenced below.

Fire as a Weapon or an Act of Sabotage

  • Using fire as a weapon or an act of sabotage, can stop or damage the operation of a site and intimidate workforces. Fire as a weapon is considered an attack on people, and fire as an act of sabotage is likely to be focused against a predetermined target. 
  • Assess and reduce your risk from these types of attacks utilising the NPSA Fire as a Weapon and Fire As an Act of Sabotage guidance, which look at hazards, how current fire related regulations address these issues and sets out steps to reduce the risk from such a threats.

Improvised Explosive Devices

  • With IED attacks, the scale, containment, deployment technique (e.g. being vehicle born), initiation system and location targeted, can be varied depending on the desired effect but can be used with the aim of intimidating staff, disrupt operations (e.g. postal devices/hoaxes) and causing infrastructure damage.
  • There is a suite of protective security options that can be deployed to help counter risks from an IED based sabotage attack.

Drones

  • Drones can be used to circumvent the ground based protective security measures sites have in place.
  • They can be used as a surveillance tool either before or during an attack to enhance the likelihood of success or impact of a sabotage attack.
  • Depending on the site, simply flying a drone around could cause disruption, resulting in certain operations having to cease or be moved. 
  • Lastly, drones can also be used to deliver a payload. This could be an explosive, CBRN, cyber or non-hazardous material, which is simply introduced to cause disruption and stop operations.
  • NPSA offers a range of guidance on how to mitigate the threat from drones.

Revise Your Incident Management and Recovery Plans

Incident Management

  • Effective incident management is critical to mitigating the impact of incidents at your organisation, site or premises and ensuring a swift and effective recovery. NPSA have developed guidance to assist organisations in incident response
  • Effective incident management relies on advanced planning, and building relationships with internal departments and staff, neighbours and potentially emergency services so key steps can be taken as soon as an incident occurs. 

Exercise and Continuously Review

  • Organisations should test incident response plans to ensure that they are achievable and fit for purpose. This testing should also serve to ensure stakeholders are fully aware of their roles and responsibilities during an incident. 
  • Table-top exercises should be run regularly across a range of priority threat scenarios.
  • Where possible, sites should also consider live exercising to fully rehearse their response to their priority sabotage risks identified in step one. 
  • Business operations change, threats evolve, our adversaries adapt and/or incidents happens. Therefore, it’s critical sites regularly review their business continuity and security plans, updating them accordingly.

Report any unusual activity or suspicious activity to your lead Government department or the police.

If you have any concerns, report these immediately with as much detail as possible to the anti-terrorist hotline (0800 789 321). 
In an emergency, ALWAYS dial 999.

Freedom of Information Act (FOIA)
This information is supplied in confidence and may not be disclosed other than to the agreed readership, without prior reference to NPSA. Within the UK, this material is exempt from disclosure under the relevant Freedom of Information Acts and may be subject to exemption under the Environmental Information Regulations and the Data Protection Act 1998.

Disclaimer
This document has been prepared by the National Protective Security Authority (NPSA). This document is provided on an information basis only, and whilst NPSA has used all reasonable care in producing it, NPSA provides no warranty as to its accuracy or completeness. To the fullest extent permitted by law, NPSA accepts no liability whatsoever for any expense, liability, loss, damage, claim, or proceedings incurred or arising as a result of any error or omission in the document or arising from any person acting, refraining from acting, relying upon or otherwise using the document. You should make your own judgment with regard to the use of this document and seek independent professional advice on your particular circumstances.

© Crown Copyright 2024

Did you find this page useful? Yes No