What is security-mindedness?

Security has been defined as “the state of relative freedom from threat or harm caused by deliberate, unwanted, hostile, malicious, fraudulent and criminal behaviour”. It operates on a number of levels, ranging from national security issues – such as terrorism, organised crime and hostile acts by nation states – to personal security, intellectual property and commercially sensitive and personal data.

Everyone faces these threats. But engineers are particularly susceptible, as their job is to design, build, operate or maintain infrastructure that may be a target for hostile actors.

The National Protective Security Authority (NPSA) advocates a “security-minded” approach to guard against such threats. The approach can be adopted at any point in the lifecycle of an asset, although with new assets it should be built in at concept stage.

Security-mindedness is the understanding and routine application of appropriate and proportionate security measures to deter or disrupt hostile, malicious, fraudulent and criminal behaviour. A security-minded approach covers physical, personnel and cybersecurity, as well as a clear governance structure.

Alexandra Luck is principal at consultancy A Luck Associates and a member of the ICE- and NPSA-backed Register of Security Engineers and Specialists (RSES).

She says: “Security-mindedness is about applying appropriate and proportionate controls, which may not be complex or expensive. Measures can include simple actions such as limiting what information is put on social media and locking your computer when you’re away from your desk.”

A security-minded approach involves understanding:

  • Why you might be a person of interest to a hostile actor
  • How to protect yourself
  • How to protect your organisation
  • How to protect the information and assets you have access to

The security threat for engineers and infrastructure

Poor security can affect a construction project in many ways, including in terms of financial margins, programme, business reputation, the built asset itself and, worst of all, the lives of people who deliver or use the asset. 

Engineers should ensure that: 

  • The asset is designed and built with the necessary physical controls or guards to deter or disrupt any threat
  • Their own behaviour during design, construction, operation or maintenance does not threaten the security of the asset
  • There is no unauthorised access to, or manipulation or sharing of, information 

Some infrastructure is clearly sensitive to security threats because it fulfils a defence, law enforcement, national security or diplomatic function – for example, government buildings and law courts. But many built assets that do not have an obvious security role may also be of interest to a threat agent. These include critical national infrastructure, landmarks, nationally significant sites, crowded places and anywhere that might be used to host events of security significance. 

This list covers many assets that engineers design, build or maintain as a routine part of their work, including transport and utility networks. And it’s not just the asset as a whole that needs to be considered. It’s any project that includes elements that could be used to damage the integrity of an asset or its ability to function, including structural design details and the location and configuration of cables, control systems and plant.  

The NPSA has developed a game that challenges players to pinpoint security sensitivities in two hypothetical scenarios, on a street and inside a building. It helps players to understand which elements of assets are sensitive, and therefore need appropriate and proportionate protection, and which elements are benign. 

Responsibilities and guidance

Every person working for an organisation or on a project is responsible for security-mindedness – and it should be a mainstream practice for organisations in the same way that health and safety is, according to Mark Enzer, chief technical officer at consultancy Mott MacDonald.

“It’s deeply embedded in our culture not to do something on a project that could put someone in harm’s way from a health and safety point of view. We need to do the same thing with security,” he says.

The Engineering Council says that appropriate and proportionate security should be an integral part of the design and operation of an asset and encompass its whole lifecycle, as threats and vulnerabilities change and evolve over time. It has produced guidance that sets out the following six key principles to help engineers to identify, assess, manage and communicate security issues:

What the principles can do

Craig Ross, security risk management team lead at consultancy WSP, says: “You need to understand what the threats are, what projects are more stringent from a security point of view and when a security professional needs to come on board.”

The ICE maintains the RSES, a list of accredited engineers who specialise in security engineering. RSES members can advise on physical threat prevention measures such as blast protection and hostile vehicle mitigation as well as personnel security issues such as insider threats.

Security-mindedness and collaboration

The use of digital technologies is improving collaboration in infrastructure delivery; however, with more digital information being generated and shared, it is imperative that processes are in place to support a security-minded approach without stifling the benefits of collaboration.

Enzer says: “People naturally think that, if there’s a security issue, the resulting behaviour should be to shut everything down and not collaborate. But that can actually lead to worse security. Keeping information in silos makes a project less secure because no one is looking at the interfaces. You need the right people working together to make the overall project secure.”

An international standard, BS EN ISO 19650-5: Supporting a secure future for digital construction, was published in 2020 to help organisations understand the key vulnerability issues and the controls required to manage security risks to a level that is tolerable to the relevant parties.

The NPSA, which has published a guide to the standard, says implementation will help to reduce the risk of loss, misuse or modification of sensitive information that can affect the safety, security and resilience of:

  • Assets
  • Products
  • The built environment, or
  • The services provided by, from or through them

It adds: “The measures can also be applied to protect against the loss, theft or disclosure of valuable commercial information and intellectual property as well as personal data.”

The Construction Innovation Hub, which supports the construction industry’s adoption of digital ways of working, recommends that BS EN ISO 19650-5 should be used by any organisation that is involved in the use of information management and technologies in the creation, design, construction, manufacture, operation, management, modification, improvement, demolition and/or recycling of assets or products, as well as the provision of services, within the built environment.

Enzer adds: “You get a better solution if all of the parties on a project talk to each other, and security is part of that better solution. It’s about the right people having access to the right information at the right time.”

Taking action

Every engineer can act now to implement a security-minded approach:

Organisational

  • Undertake a security-minded review of your project or existing assets
  • Plan a security-minded toolbox talk
  • Make security-mindedness part of your induction process
  • Have a security-minded moment as a regular feature of your meetings
  • Make sure you have a security strategy and management plan in place for your project or asset

Personal

  • Look out for colleagues behaving in an unusual way or asking strange questions 
  • Spot if people tailgate through doors or security gates 
  • Don’t tell strangers too much detail about your work 
  • Don’t leave your security pass visible when you’re away from your workplace 
  • Be aware of unsolicited contact from strangers (in real life and online) 
  • Report a security breach as soon as you’re aware of it 
  • Make yourself aware of all the internal and external resources available 

Cyber

  • Lock your computer when you’re away from your desk 
  • Check your company’s security protocols before sharing any information 
  • Don’t post personally identifiable information (such as birth date or phone number) on social networking sites 
  • Turn off location services for your camera if you use your smartphone to post photos 
