Changes in the price review formula in the water industry could be pointing the way to the sector having to elevate physical, electronic and cyber security to a boardroom issue, says Jason Hunter, Business Development Manager for Gallagher Security (Europe), pictured.
The water regulator Ofwat published its final methodology for its forthcoming 2019 price review – PR19 – which sets out its expectations and requirements for water companies preparing their 2020-25 business plans.
Its assessments challenge the water companies to ‘step up’ on four themes – great customer service, long-term resilience, affordability and innovation. It expects companies to provide value for money bills and ‘challenge themselves to push the efficiency frontier’ to provide scope for price reductions. On publication, it said: “The only way water companies will achieve all this, is to find new and better ways of delivering their services. Our 2019 price review enables, incentivises and encourages water companies to achieve exactly that, so that customers will get more of what really matters to them.”
Tellingly for those in the security field, vulnerability will be an explicit part of the price review for the first time. Business plans will be assessed on how well companies use good quality data; how well they engage with other utilities and organisations to support the vulnerable; and how targeted, efficient and effective their measures to address vulnerability are. Too often in the past, in my view, organisations have seen security, and perimeter protection specifically, purely as a measure for protecting their facilities.
In the case of water, other utilities and government or military installations, we have referred to this as protecting sites of Critical National Infrastructure (CNI).
The emphasis has always been on premises, equipment, machinery, ordinance and resources, and more recently on data and software, but rarely on people. The aim of perimeter protection has historically been seen as to secure premises, in order to prevent losses, while not hindering day-to-day business. This has been achieved within a budget that, according to the bean counters and those who hold the purse strings, should be as low as possible. The premise is that perimeter protection does not contribute to the business and the bottom line, either by increasing revenue or by reducing cost. Indeed, so that argument goes, it simply adds to cost and therefore cuts profit.
PR19 and the methodology now adopted by Ofwat for the 2019 price reviews will directly challenge this approach and force water companies to regard reducing its vulnerability as a crucial investment. And this is consistent with how I’ve always viewed it – and how I’ve found Gallagher does also since I arrived here getting on for a year ago. Indeed, as I write, I’m only just back from New Zealand and our annual company conference, where the holistic message was very much ‘we look after people’.
Security is not simply about securing infrastructure or data. Done well, it should be about appropriate risk management against both cyber and terror as well as more traditional threats that actually provides the opportunity to improve customer service, increase business efficiency and reduce costs.
People, first and foremost, should be at the heart of the process, in terms of safety and security of premises and resources and also in planning and decision making on appropriate measures. Water encapsulates this perfectly, especially in this age of increased fear of deliberate and shockingly-life-disregarding terrorist attack where the sanctity of the water supply is so critical.
For instance, the Thames Water desalination plant at Beckton – which cost £250m and started producing clean drinking water in March 2010 – can produce 140-150 million litres of water per day, which is enough for one million people in north-east London. The impact of infection of a supply such as this could make the death toll of 9/11 appear totally insignificant. We have found that perimeter protection is best planned as part of an integrated solution, which includes physical, electronic and human measures – and also incorporates access control and other elements of facilities management as one holistic whole.
Of course, it will require the usual security risk assessment to be conducted. I favour what is often referred to as the ABC model here – which considers the Area, Boundary and Contents. We recommend an increasing level of security the closer an intruder gets to the most critical and sensitive assets. The perimeter serves as the first ‘cordon of security’ in these successive levels of protection – though some now argue with the increasing power and definition of radar and CCTV that we can even set up security layers outside the perimeter.
This principle was perfectly but tragically illustrated by the story of former England one-day captain Adam Hollioake, who remained in the International Cricket Stadium in Kabul, where he is working as a coach, while a bomb blast killed at least three people just months ago. As he explained: ‘”The protocol is that we have three stages of security. They have to get through the first stage, which was probably 100m from the ground; then there is the second stage, which is about 50m from the ground, and the final stage is about 15-20m from the ground.
“The gentleman was caught at the first checkpoint and, on being caught, he detonated his device and, unfortunately, several of our security and some members of the public were killed.”
Our approach is to design from the perimeter in towards the centre, taking each successive boundary as an opportunity to harden the security to thwart an intruder and enable security personnel to respond to any attempted security breach. As I said earlier, CCTV and radar can provide a first layer of protection beyond the perimeter. IP-based security systems can monitor and record in HD signals, warnings and alerts from a multiplicity of sensors and systems anywhere on site and send responses back in real time.
Consider electronics for the outer layers and at doorways to gather intelligence about attackers and relay them live to guards’ mobile phone. Monitored Pulse Fencing (MPF) can help harden either more vulnerable areas of perimeter or assets that require additional levels of security. And with the emergence of the vehicle as a weapon as the latest deadly terrorist attack method of choice, Hostile Vehicle Mitigation (HVM) measures to avert against vehicle-borne attacks should also be considered.
One of the most significant events is entry through building access points. The swipe of a card, the print of a thumb or even the scan of a retina can trigger a cascade of recording and monitoring systems, allowing security operatives to track personnel while on site. We are even now seeing a growth in the use of trusted identities with smart cards, mobile devices, wearables, embedded chips and other ‘smart’ devices, especially in industries with a focus on regulatory compliance, such as government, finance and healthcare. This will accelerate the move from legacy systems to NFC, Bluetooth Low Energy and advanced smart card technology.
I can see the ongoing prevalence of drone technology being used in the future as well as fixed cameras. Already, intelligent video algorithms, such as sophisticated motion detection, can identify unusual walking patterns and alert a security guard to watch a screen to which the video is fed.
Object-recognition algorithms can identify someone who is loitering suspiciously in a vulnerable area, or even a bag or other suspicious object that is left somewhere it shouldn’t be. Again, the system can alert a monitoring guard so that appropriate action can be taken. CCTV bridged to intrusion alarms, physical security patrols and access control systems complete the total integrated security package. And in the most advanced cases, access control systems, or ‘credentials technologies’, are employing biometrics to restrict access both to physical areas and to intellectual property. These systems use fingerprint, facial, voice or iris recognition to authorise a user, sometimes combined with another form of identification such as a proximity card or PIN, to make the system more flexible.
Limit the number of entrances and exits to a site through the perimeter and secure them more effectively with speed gates, ANPR and appropriate turnstiles to allow the effective flow of authorised personnel onto site. The balance between maintaining this flow and locking out unauthorised people is a tricky one to strike, as would-be intruders have become increasingly adept at ‘tailgating’ to get through security barriers and doorways.
In this instance, it may be necessary to introduce airlock-type control ‘sterile zones’ to lock down high security areas more securely.
This is where biometrics may come into their own, offering the ability to identify personnel uniquely, with an ‘unlock code’ that only that individual inherently possesses, and even identify unique facial traits. In time, we may be very grateful to Ofwat for its farsightedness.
About the writer
Jason Hunter is Business Development Manager for Gallagher Security (Europe), the access control, intruder alarms management and perimeter protection product firm; he previously worked for Avon Barrier Corporation.
