Clients and commissioning bodies have an important role to play in the successful delivery of security in major infrastructure projects.
Although the design, delivery, and operation, of protective security is a specialist field, it is important that those commissioning major projects have some understanding of the principle of protective security and appreciate the decision-making role they have in the successful integration of security into the build.
Clear governance structures, informed by an early security risk assessment, are critical to designing in proportionate security. This informed approach will align programme and security goals, reducing the risk of programme delay.
NPSA have developed this guidance as we often see security being considered too late in the design process where the physical security measures conflict with the design aspirations. If security requirements are considered early enough, and if clear requirements are stated, security measures can be designed in at lower cost and in better alignment with the architectural vision.
Aim of guidance
- Ensure security is considered at the earliest possible stages of the project
- Increase your ability to be a security informed customer:
- Allow you to understand your role in decision making around security risks and the importance of establishing good security governance
- Allow you to understand enough about the principles of protective security to realise how it can impact design, the functioning and look and feel of a building
- Allow you to understand how to deliver the build phase of the project securely including information security, use of BIM, Digital twins etc.
There are a number of documents that outline the security role of the client in major infrastructure projects (e.g the ISO 23234: 2021) each describe it slightly differently, but all agree that the client has a role in risk assessment and setting the risk appetite even if they do employ a security consultant during the design and build of the asset.
i.e. Responsibility for security decision making cannot be outsourced
As with any security project the first stage of the process is for the client to undertake a risk assessment after identifying the critical assets and the potential security threats that may impact them. Some projects may not have defined clients, in which case, commercial teams should have a view as to the security requirements of their proposed client base.
NPSA recommend following the process outlined in NPSA’s Protective Security Risk Management.The whole risk management process will be refined and revisited throughout the project and will involve a number of stakeholder but the key role for the client in the process includes:
- Defining the assets, their importance, and the impact of their loss, in order to identify what needs protecting.
- Understanding the whole range of threats that you need to mitigate; crime, forcible terrorist attack, or surreptitious attacks like espionage and sabotage conducted by a range of actors including state threat actors or criminals.
- Conducting a high-level risk assessment early in the project to inform the security requirements.
- Defining the high-level security aims and objectives- this could include the desired security posture- e.g. discrete security. Or may include the requirement to comply with certain regulations. These together with the risk assessment will inform the client security requirements which should be discussed with the design team at RIBA 1 (Preparation & Briefing).
- Set the security risk appetite and sign-off risks throughout the project.
- Ensure the governance structure for delivery of security in the project is clear.
As a senior leader you will be aware of the importance or organisational governance to the smooth running of your business. In order the deliver a major infrastructure project securely with a well protected asset delivered at the end of the process, security governance across the whole project is vital. Major projects are often complex with multiple organisations working together, there may be more than one client in Joint Venture (JV) scenarios for examples and in these cases, it is even more important that the security governance across the JV is clear.
There is guidance available on delivering information Security across JV’s and the structured approach to governance with a board level representative responsible for information security is just as applicable for personnel and physical security.
Information security: best practice for the construction sector
Security deliverables against RIBA stages
NPSA have worked with Royal Institute of British Architects (RIBA) to deliver the first security overlay for the RIBA plan of work.
Although the overlay is primarily targeted at architects it is applicable to all those working on major infrastructure projects. It outlines four key security deliverables during the Plan of Work process:
- Security risk assessment- Produced by the client team at RIBA 0-1
- Security requirements - Produced by the client team and discussed/ agreed with the design team at RIBA 1
- Security strategy - produced by the design team in response the client security requirements at RIBA 2 (updated in 3&4)
- Security Plan - covering how security will be delivered in the project and the built asset, prepared by the client team, an outline should be available at RIBA 1 to inform the requirements and the final version will be developed in RIBA 4-5.
- Security risk assessment - to understand the security risks and decide which require mitigation based on security risk tolerance, cost etc.
- Security Requirement - Ensure all security requirement are communicated with the design team at RIBA 1, prior to Concept Design (RIBA 2)
- Ensure that the Security strategy for how the design will mitigate the risks meets your requirements.
- Ensure the Security plan for delivering security in the built asset meets the requirements of, and is communicated with, those responsible for operational security of the asset.
Principle of Protective Security
It is not the intention of this guidance to cover all aspects of protective security here, we have covered some key considerations below and more information on security for seniors can be found in the following resources:
All aspects of security need to be considered in both the build phase and for the built asset. An integrated security solution covering: Physical, personnel, technical, cyber and information security will be required.
Security provision is risk based, to prevent over or under specifications of security measures. Where there are no regulatory requirements the lack of codified security requirements mean the design team will be looking for a clear steer on the security requirements from you. This is why it is so important to have conducted a security risk assessment early to inform your requirements.
There will need to be compromise in some situations between security specification and design, for example if you have a requirement to mitigate the risk from a large VBIED (Vehicle Borne Improvised Explosive Device) you would ideally incorporate standoff of tens of metres between where vehicles can access and the building envelope. If standoff cannot be achieved there may well need to be compromises to the building design. For example using smaller glazing panels as specialist glazing will be required, or ensuring the design doesn’t have features such as overhangs which are particularly susceptible to blast.
Careful thought about vehicle access to the site in the early design will avoid compromises such as not having sufficient space for vehicle screening or having access lanes which allow vehicles to be ejected from the site before approaching the building.
The use of novel materials that have not be used before may end up being costly if you have a requirement to understand how resistant the design will be to blast. Computational modelling and blast testing can be expensive and time consuming so should be built into project plans. As there are no guarantees that these tests will generate a viable product, conducting tests in parallel to site planning can leave programme plans susceptible to slip.
If you are designing a building for an unknown tenant, then the risk assessment will be more difficult as the threat profile of the tenant will not be known. In these scenarios it is worth considering the benefit of designing to a specific accredited standard such as which give benefits such as SABRE allowing clients to compare your risk management performance against other SABRE facilities and the market generally.
Information management is hugely important during the build phase as loss of control of information at this stage can have a detrimental impact to the security of the built asset. This can have detrimental impacts on perception of the business, the ease of handover of the asset, reputation; all of these can have significant impact on delivery timescales as well as costs for remedial works.
It important that information handling strategy is established, and we recommend following ISO 19650-5 and the additional advice NPSA have produced on adopting a Security-Minded approach to Open and Shared Data.
Further information on Cyber Security in the Built Environment can be found in the IET/NCSC Cope of Practice - Cyber Security In the Built Environment.
Personnel and people security
You should ensure that sensitive information about the build is not put into the public domain, this can often occur during the planning process, during public consultation or in promotional material about the build.
Provisions are made for Sensitive Information to be kept out of planning applications and you should be aware of SIPA- Sensitive Information in Planning applications.
Further information can be found on NPSA's security considerations in the planning process page.
It is important that you and those involved in communication about the project to the public understand the principle of Security Minded Communications.
Summary of Key Messages
- Security decisions cannot be completely outsourced; even if security consultants, architects and security providers are used to represent the client or delivery teams only the client can set the risk tolerance.
- Although security may not be a priority – security requirements can impact the design and if considered too late can lead to costly changes and delays to the delivery of the building.
- Where sectors have regulated requirements for security measures these should be listed in the client security requirement. In unregulated sectors (and where project are going beyond the minimum regulatory requirements) security requirements will be defined by the risk assessment.
- Security requirement will evolve and develop throughout the lifecycle of the project.