Securing critical infrastructure
from design to delivery
An introduction to Effects Based Security Design from G4S's head of solutions design, Noah Price, and the company's security lead at Hinkley Point C nuclear power station, Alistair McBride
Every critical infrastructure site is by its nature complex, with high levels of daily activity in an environment which changes constantly.
Our response to this challenge as ex-military men is to look at the effects our customer wants to achieve rather than the inputs available to us. No site on this scale can be secured to the highest standards using an inputs-based procurement model, in which the customer dictates what they want to pay and how many security officers that equates to, without considering what they actually want to achieve.
Effects-Based Security Design (EBSD) is a planning method G4S has adapted from Effects-Based Operations (EBO), a NATO tool. Essentially it is a swift, flexible and robust way of making the right choices to ensure that a site is safe and secure. It is grounded in military-style planning and is based on a number of simple principles: What is the series of effects that the customer wants to achieve and what are the variables that have to be taken into account that could affect the decisions we make?
Our purpose as the world’s leading security company is rooted in ‘Securing your world’ and this can only be achieved if during the first two stages of the EBSD cycle we build a complete picture of the customer’s world and the effects we need to deliver.
Some of the most common ‘effects’ that a customer might want to achieve are to Detect, Deter, Delay and Respond, Protect, Secure, Deny, Authenticate, Identify and Observe.
Planning must start with understanding the customer, their motivations and pressures. Ideally this is done with the customer and helps to build credibility and trust. It works best when the customer understands the process and recognises us as the subject matter experts. This level of trust must be earned and our EBSD approach serves to underpin this.
The new Hinkley Point C, the first nuclear power station to be built in the UK in a generation, is being secured by G4S Secure Solutions using EBSD. On such a large-scale project, it would be unworkable to go to the customer to ask how they want us to deal with every incident as it happens; the site would grind to a halt.
In practice, we teach this system to every security officer that we employ. From the outset, they are trained to think on their feet within this framework using a training process based on real-life examples of threats and problems they may face on a large-scale site. At Hinkley Point C, with the backing and support of EDF Energy, we have designed and implemented an ‘Enhanced Security Officer’ training programme which teaches EBSD.
The Seven Stages of EBSD
We work with the customer to get all the information needed, using a process called the ‘Seven Stages’. These are the fundamental issues that need to be addressed to produce a robust and flexible security plan.
1. What is the customer trying to achieve and what’s our role?
What are the customer’s operations, location(s), orientation and what are the site specifics? What are our capabilities, situation, approach and relationship with the customer? What are the customer’s pains?
2. What is the risk/threat environment affecting the desired end state?
We work with the client to determine what the threats are and why. At the end of this stage, we should understand the threats and how they are likely to materialise, where, when and how likely.
Combined, stages 1 and 2 should give us complete situational awareness; the more information we can glean, the better. There is a direct correlation between the amount of knowledge we have and the quality of the plan we are able to construct.
The information gathered at this stage is crucial and if it changes in any way, our team would need to start back at the beginning of the EBSD ‘Seven Stages’ process.
3. What outputs and/or effects must therefore be delivered?
Understanding in detail who and what the threats are, how they are likely to materialise and what impact they could have on the customer’s ability to operate, we then work out what the strategic effects are and where best to deliver them.
4. Where can each action or effect best be accomplished?
Using the information gathered so far, we work out where we want the stipulated ‘effects’ to be achieved, bearing in mind the freedoms and constraints discovered in stage one.
5. What resources are required to deliver each output or effect?
We consider each effect in isolation and look at what resources can deliver the effect. We do not limit ourselves at this stage. This promotes innovation and often brings about more cost-effective solutions.
6. When and where do the actions take place in relation to each other?
We analyse how we can best deliver the ‘effects’ the customer requires within the constraints of their budget and risk appetite. We would typically put forward three plans with varying levels of resource: gold, silver and bronze. That way the client can see very clearly the correlation between resourcing and risk mitigation.
7. What control measures need to be imposed to ensure success?
In the final stage we decide what we need to put in place to ensure that the plan hangs together. Answers could be resources like equipment, boundaries, groupings, governance regimes, training needs. In traditional planning, this question is often overlooked but it is one of the most vital aspects of EBSD.
Noah Price – Head of Solutions Design, G4S Secure Solutions UK
Noah, an ex-Gurkha officer and helicopter pilot, previously the Director of G4S Gurkha Service, now heads our security solutions design capability in the UK.
Alistair McBride - Hinkley Point C (HPC) Account Director
Alistair, a former infantry soldier and risk consultant, is currently the account director leading G4S’s services to Hinkley Point C.