Security in mind: How do you know what is sensitive or not?

You’re designing a new state-of-the-art facility or structure that is a potential target for criminals, terrorists or hostile states. Would you know which elements of the design would be of particular interest to those threat actors and need to be handled sensitively?

The increasing use of, and dependence on, information and communications technologies means there is a need to address inherent vulnerability issues and therefore the security implications that arise. NPSA advocates a ‘security-minded’ approach to the implementation of all digital engineering tools in order that built environments, assets, products, services, individuals or communities, as well as any associated information are protected. 

Construction professionals and engineers from designers to construction managers of course need to consider the sensitive attributes of traditional hardware such as CCTV, as well as physical infrastructure like bollards and barriers to mitigate attacks by hostile vehicles. They also need to think about the features which control access to areas of assets not accessible to the public, for example doors and electronic locking mechanisms. But would you think about whether there are sensitive aspects of built assets which most people would not automatically consider to be security features, for example the steel structure of a building? 

Sensitive sites requiring specialist knowledge 

NPSA has developed a new digital game that asks players to pinpoint the security sensitivities in two hypothetical scenarios – one out on the street, the other inside the building. Those taking part are asked to correctly determine which elements of the selected assets are sensitive and need to be protected in an appropriate and proportionate way, and which are benign. Not all aspects of security assets are sensitive – the key is understanding which elements pose a risk and could be used to compromise the safety and security of people, built assets or the services provided from or by them. 

A security-minded approach can be adopted at any point in the lifecycle of an asset, but with new assets it should be built in as early as possible – appropriate and proportionate security measures, which encompass personnel, physical and cyber, implemented at this stage can save more expensive measures being required at a later date. There also needs to be a clear governance structure for security, mapping out accountability and responsibility for decision-making, risk ownership and risk mitigation. 

Adopting a security-minded approach will also assist any organisation in protecting against the loss, theft or disclosure of commercial information, personal information and intellectual property.