Will all sectors elevate perimeter protection to board level, following Ofwat identifying vulnerability as an explicit part of the 2019 price review? Business development manager at Gallagher Security (Europe) Jason Hunter ponders
The UK Water Services Regulation Authority (Ofwat) recently published its final methodology for its forthcoming 2019 price review – PR19 – which sets out its expectations and requirements for water companies preparing their 2020-2025 business plans. Its assessments challenge the water companies to ‘step up’ on four themes:
- Great customer service;
- Long-term resilience;
- Affordability; and
It expects companies to provide value-for-money bills and ‘challenge themselves to push the efficiency frontier’, in order to provide scope for price reductions. On publication, Ofwat said: “The only way water companies will achieve all this, is to find new and better ways of delivering their services. Our 2019 price review enables, incentivises and encourages water companies to achieve exactly that, so that customers will get more of what really matters to them.”
Tellingly for those in the perimeter protection field, vulnerability will be an explicit part of the price review for the first time. Business plans will be assessed on:
- How well companies use good quality data;
- How well they engage with other utilities and organisations to support the vulnerable; and
- How targeted, efficient and effective their measures to address vulnerability are.
Too often in the past, organisations have seen perimeter protection purely as a measure for protecting their facilities. In the case of water, other utilities, and government or military installations, have referred to this as protecting sites of Critical National Infrastructure (CNI). The emphasis has always been on securing premises in order to prevent losses, whilst not hindering day-to-day operations – and more recently on data and software. However, the emphasis has rarely been on people. This has been achieved within a budget that – according to those who hold the purse strings – should be as low as possible.
Summarising the findings for perimeter protection
The premise is that perimeter protection does not contribute to the organisation or business and, at the bottom line, does not increase revenue or reduce cost. Indeed, the argument is that it simply adds to cost, therefore cutting profit.
PR19 and the methodology now adopted by Ofwat – following the 2019 price reviews – will directly challenge this approach and force water companies to consider reducing its vulnerability as a crucial investment. This is consistent with how I’ve always viewed the situation, and how I’ve found that Gallagher also does for the likes of National Grid, EDF, Severn Trent Water and United Utilities.
Perimeter protection is not simply about securing infrastructure or data. Done well, it should be about appropriate risk management against both cybercrime and terror, as well as more traditional threats which provide the opportunity to improve customer service, increase business efficiency and reduce costs.
People, first and foremost, should be at the heart of the process in terms of the safety and security of premises and resources, and also in planning and decision making on appropriate measures.
Water encapsulates this perfectly, especially in the age of increased fear of deliberate and terrorist attacks which disregard life and where the sanctity of the water supply is so critical. For instance, the Thames Water desalination plant at Beckton – which costs £250m (€283.2m) and began producing clean drinking water in March 2010 – can produce 140-150 million litres of water per day, which is enough for one million people in northeast London.
The impact of infection of a supply such as this could make the death toll of 9/11 appear less significant. We have found that perimeter protection is best planned as part of an integrated solution which includes physical, electronic and human measures, and also incorporates access control and other elements of facilities management as one holistic whole. However, it will still require the standard security risk assessments to be conducted. I favour what is often referred to as the ABC model here – which considers Area, Boundary and Contents.
Recommendations for mitigation
We recommend an increasing level of security according to the proximity of the intruder to the most critical and sensitive assets. The perimeter serves as the first ‘cordon of security’ in these successive levels of protection, though some now argue with the increasing power and definition of radar and CCTV, that we can even set up security layers outside the perimeter. This principle was perfectly but tragically illustrated by the story of former England Cricket Captain Adam Hollioake, who was working inside the Alokozay International Cricket Stadium in Kabul, Afghanistan, as a coach, while a bomb blast at a security checkpoint outside the stadium killed at least three people.
As Hollioake explained: “The protocol is that we have three stages of security. They have to get through the first stage, which was probably 100 metres from the ground; then there is the second stage, which is about 50 metres from the ground; and the final stage is about 15-20 metres … The gentleman was caught at the first checkpoint and, on being caught, he detonated his device and, unfortunately, several of our security and some members of the public were killed.”
The Gallagher approach
Our approach is to design from the perimeter towards the centre, taking each successive boundary as an opportunity to harden the security to thwart an intruder and enable security personnel to respond to any attempted security breach. As aforementioned, CCTV and radar can provide a first layer of protection beyond the perimeter. Internet protocol-based (IP) security systems can monitor and record in HD signals, warnings and alerts from a multiplicity of sensors and systems anywhere on-site and send responses back in real time.
Consider implementing electronics for the outer layers and at doorways to gather intelligence about attackers and relay them live to guards’ mobile phones. Monitored pulse fencing can help harden either more vulnerable areas of perimeter, or assets that require additional levels of security. With vehicle-as-a-weapon attacks being the latest trend for terrorists, hostile vehicle mitigation (HVM) measures to avert against vehicle-borne attacks should also be considered.
Using advanced technologies for authentication
One of the most significant events is entry through building access points. The swipe of a card, the print of a thumb or even the scan of a retina can trigger a cascade of recording and monitoring systems, allowing security operatives to track personnel while on-site. We are even now seeing a growth in the use of trusted identities with smart cards, mobile devices, wearables, embedded chips and other ‘smart’ devices, especially in industries with a focus on regulatory compliance such as government, finance and healthcare. This will accelerate the move from legacy systems to near-field communication (NFC), Bluetooth Low Energy, and advanced smart card technology. I can see the ongoing prevalence of drone technology being used for the future, as well as fixed cameras.
Already, intelligent video algorithms – such as sophisticated motion detection – can identify unusual walking patterns and alert a security guard to watch a screen to which the video is fed. Object-recognition algorithms can identify someone who is loitering suspiciously in a vulnerable area, or even a bag or other suspicious object that is left somewhere that it shouldn’t be. Again, the system can alert a monitoring guard so that appropriate action can be taken.
CCTV bridged to intrusion alarms, physical security patrols and access control systems complete the total integrated security package. In the most advanced cases, access control systems or ‘credentials technologies’ are employing biometrics to restrict access both to physical areas and to intellectual property. These systems use fingerprint, facial, voice, or iris recognition, to authorise a user – sometimes combined with another form of identification, such as a proximity card or PIN to make the system more flexible.
We recommend limiting the number of entrances and exits to a site through the perimeter, and securing them more effectively with speed gates, automatic number plate recognition (ANPR) and appropriate turnstiles, to allow the effective flow of authorised personnel on to site. The balance between maintaining this flow and locking out unauthorised people is a tricky one to strike, as would-be intruders have become increasingly adept at ‘tailgating’ to get through security barriers and doorways.
In this instance, it may be necessary to introduce airlock-type control ‘sterile zones’ to lock down high-security areas more effectively. This is where biometrics may come into their own, offering the ability to identify personnel uniquely with an ‘unlock code’, which only that individual inherently possesses, and even identify unique facial traits. In time we may be very grateful to Ofwat for its farsightedness.
A technology leader in integrated access control, intruder alarms management and perimeter protection, Gallagher’s security solutions are in use at a range of levels in more than 100 countries, including:
- National and local government;
- Transportation; and
- Academic organisations.
A truly global operation, Gallagher provides proven protection to customers in Europe, North and South America, Africa, Asia, Australia, New Zealand, and the Pacific. Gallagher’s comprehensive security and business risk management solutions provide protection for large and small organisations throughout the world, addressing the key issues of security and risk management, personnel workflow and business continuity. Visit security.gallagher.com for more information.