Round-table Discussion: The importance of specifications

In this ISJ Exclusive, Adam Savage, Marketing and Sales Director, Barkers Fencing chats specifications with Chris Stevens, Technical Security Director, SIDOS UK, Richard Flint, Technical and Commercial Lead, LPCB, part of BRE Global, George Dionisopoulos, Head of Security, NEXTDC and Paul Mutter, HVM Manager, ATG Access.

Adam Savage (AS): We are all here to talk about specifications and what they mean to each of us. We’ve all got slightly different takes on their importance, for different reasons, and what it means if and when specifications get changed, broken as we will often call it and what the ramifications are.

From a manufacturers perspective, we work very hard with standards writers, consultants and end clients to make sure they get something which is appropriate. But, there are occasions when we see that doesn’t necessarily happen. For example, there is a data centre provider we have worked with for a long time; they specified one of our products, it was LPS 1175 B3 rated, StronGuard SL2 palisade and an element of it was PAS68 crash rated palisade, StronGuardRCS.

The contractor in the region didn’t have particularly good knowledge of the standard so what they’d seen was an opportunity, possibly through lack of knowledge, possibly maliciously, to install something which ostensibly looked the same, but had no anti-personnel properties, had never been tested and was not crash rated. I was with the client in their offices to deliver a CPD on standards, design considerations for security etc. and I dropped into conversation about this particular spec issue.

I mentioned that this particular site they had didn’t have our product and I showed them a video which showed a standard palisade fence being breached quickly, by some of Richard’s guys at the LPCB, in comparison to our LPS 1175 B3 StronGuard SL2 system. The video ran for four minutes and the person asked if we could play the video again; I had that smug moment and thought, he’s actually going to pay attention. I replayed the video and he sat there and said: “This is what we’ve got?” I had to awkwardly say, “yes, that’s what you have on your site.” Strangely enough, the conversations are still ongoing about what is going to happen with it.

Here, the client didn’t get what he wanted. From your point of view, Chris, I know you weren’t involved, but you would have spoken with the client and done some assessments regarding security requirements – is that correct?

Chris Steven (CS): Yes, it’s all about the process really – the initial process being that the site is assessed for the risk and the risk assessment then defines what level of delay detection and prevention you are looking to achieve. From that, as a consultant, that’s what you would recommend the client install. I would say the problem lies with the fact that some clients will be swayed by the installer, the contractor, because they see they can make more money by installing a cheaper product.

I have a good example where 358 fencing was to be used on a very large government site; the 358 fencing that the contractor ended up purchasing came from Italy and it had a weld rate of about 30%, which is nowhere near the 70%+ weld rate that an LPS product would have to achieve; this saved the contractor a lot of money.

George Dionisopoulos (GD): It’s not only the installer – it’s also the builder. They often see security as a costly measure and they look at ways to circumvent that cost, as much as possible. When we specify, we want the best for our customers. It’s based on security risk assessment and how we design that and incorporate the broader security measures. This is why it’s crucial that we specify certain standards when it comes to our perimeter, our electronic security, our access security.

People tend to also forget gates, for instance. When you are looking at a perimeter, a lot of people just look at the fence line and forget entry points. From what we’ve seen here in Australia, I don’t think there’s any malicious intent, it’s more about how the builder could save time and money and deliver a product which, to the untrained eye, they can get away with – that’s the challenge. We not only specify in our briefs what standards our security posture has to be, across the breadth of our portfolio, we also have to make sure that our builders have the right specifications and that the installers and integrators follow suit.

Paul Mutter (PM): When you talk about standards, I look after the UK market. You’ve basically got two standards: The PAS 68 and IWA 14. ATG has spent an awful lot of money and time putting together a portfolio of products that meet certain situations and requirements. One of the issues we have is not the contractor going away from specification, but what we need to do in the UK is dive deeper into that standard, to fully understand what has been specified and what the client is after.

It is very easy to buy a cheap bollard, put it on the pavement and the building you are trying to protect be only four or five metres away. Cheap bollards have massive penetration, so it’s all about choosing the right product within that specification to make sure you are doing what the client wants you to do. Not many contractors fully understand standards, so it is about digging down into those standards and getting them to understand what they are buying.

CS: Just to take that back one step; I think the problem is that many clients will not retain the services of the person who has made the specification. I have been very lucky on the Crossrail Project – I worked on it for 16 years – and I wrote the original specification for the whole project. I then saw through the whole of the design phases, all of the delivery and then went back to the stations at the end and verified auditing paperwork that the LPS 1175 product that I had asked for, 16 years ago, was actually that which was installed.

It is a unique situation in the UK where an individual has actually had that oversight from beginning to end. The problem with a lot of projects is that they employ a security consultant just to meet certificates etc. As soon as they have got a specification they drop them – and that’s it. They give it to the contractor and then they receive a piece of paper that says, “you’ve got to do this”.

AS: When you put it that way, it seems crazy that someone would go to the expense of having something specified, consider all the risks and then not actually see it through.

CS: Many of the big companies who provide security services charge extortionate amounts of money and the client doesn’t want to keep them on. Instead of being absolutely upfront and saying, “look you need to see me one day a month so I can have an oversight of what is going on and make sure it’s on track”, it’s typically a big engineering company, for example, who is going to oversee the whole project management. They have a security team and that security team has to finance itself, therefore it is continually making money, making more requirements to make more money; that’s how it works and it’s a dreadful situation. Security should not be like that.

AS: For you Richard, this must be a point of frustration? You put an awful lot of work in at the front end, testing, thinking like the attacker.

Richard Flint (RF): I think our frustration is shared with all of those that are trying to do good work; you’ve invested to prove your products are in the 5% that passed. 95% of the products we test fail when they are first tested, so the frustration I have is that, time and time again, we are getting calls where people are going, “we’ve got to meet this requirement, but we don’t want to buy this product so we’re just going to do this – it’s got to be done by next week.”

That product that you were going to pick is proven. It’s in the 5%. However, you want to go for something and you want to get evidence within a month where they have not tried it; they’ve given you a price without knowing what pass looks like because they’ve never done a test before and the chances are, it’s going to fail.

Coming back to some points earlier, I fully agree with Chris on oversight and training; there is a need for training. I get frustrated by the amount of people that use standards and don’t understand them. I had an email recently about a European Standard for Facades EN1627 for forced entry talking about UK government standards saying, “well, would RC3 be okay in place of a UK government standard?” I can’t go into the depths of the UK standards, but RC3 is stealth level, whereas government security is certainly not about attackers using stealth.

This is for a large national infrastructure company, who very much are regulated and need to comply. In some ways I am pleased they have come to me and asked the question, but in some ways it is concerning that a person that has been in the consulting business in that sector for 15 years is having to admit that they don’t know what EN1627 is and that they don’t understand the standards.

The UK CPNI set up the RSES Register of Security Engineers and Specialists which was a brilliant move; if the people delivering work can’t demonstrate that they understand what they are doing, we definitely have a problem. If you don’t get the foundations right – and to get that right you need to understand threat and risk assessment – you need to know how to put together proper operational requirements and define the specifications around that.

What we are not getting, and where RSES falls short, is contractors. They are the ones who are trying to make money out of the project. Time and time again, we see them, as well as manufacturers who don’t comply with standards, who are desperate to work; if they are not selling products they have not got jobs. So, they will continue to try and sell products, but when they face the 95% failure that we openly talk about, unfortunately, that still puts off a lot of those who are coming to us for testing and certification. Maybe it’s our fault for telling people this is the challenge, but, we want to be honest with that challenge, we want people to do it proactively because if they do it proactively they then can provide a suite of products.

I’m going to finish with something that is quite concerning. Contrary to what Chris said about the cost and why people don’t retain a good security consultant, on some Middle East projects, some very high value ones, I’ve seen the contractor engage some very expensive, large multinational security consultants to de-spec. So, the project owner has invested a lot to come up with a strategy and then it gets to the delivery phase and you’ve got someone saying, “oh, you don’t need that,” breaking it down. I don’t know which of those is correct because security is very much on the ‘gut feel’ of the person doing it and what they know about the project and what their posture is on the risks. However, it is concerning to see two large security consultants battling it out, one who has done the work and one who is picking it apart.

GD: For us in Australia, we are in a different environment. I agree these large engineering firms have bespoke security postures in their portfolios – that is why we deliberately steer away from that and look for an actual security consultancy. We make a clear point that we hold on to the same consultant from the initial design phase right through to the handover to operations; that way, we maintain the standard.

AS: We all share each other’s pain, to a degree, coming from different viewpoints, but I think we all understand the importance of standards. Manufacturers such as Paul and myself, we are well versed in the standards and what the potential threats are, so we develop products to suit the threats. And, I suppose, Richard, from your point of view, you are always developing your standard to come up to meet the latest intelligence as to what the latest threats are.

PM: I think one of the most important things for a product manufacturer like us, is to be there at the very conception of the project or as close to that as possible. Early engagement is an absolute must. You are able then to educate when needed on what the standards are. You are also able to open the eyes of the tier one contractor or the end client as to what they are going to get and how it performs. And, you are then able to rate.

What we all want is early engagement with and education of the end user, including the contractor, because they are the ones that ultimately make that decision. Everyone has said that people don’t understand what they are getting. If a fence looks like a fence, feels like a fence, it’s a fence. We are spending someone’s money and in an urban environment like the UK, where most of our products go, we are spending tax payer money on products; we want to make sure it’s the correct product first time and that it gets installed correctly to match end user specifications.

AS: That’s what we strive for. And when we get that early engagement, we start to develop models for our fencing, the architects, the consultants can put that into drawings so that we know, early on, that those products are going to work.

CS: I understand why manufacturers want to get in at an early stage. All I would say to you is, if you haven’t got a security consultant or a client who knows what you are supposed to deliver, are you prepared to take the liability of defining what the risk is, by proposing a product to the client? I think you are at risk if you take that responsibility on; that’s the disadvantage of a supplier being there at the very early stage. My preferred route would be for either the client to define, or the security consultant to define, and then the manufacturer be brought in to meet that requirement.

PM: I think Chris is absolutely right and stepping back on that, what we would want to do is engage with a qualified professional to carry out a dynamic assessment and then base our findings, our recommendations, upon somebody’s assessment and strategy up front. We wouldn’t go into any project and say you require this, this and this, because Chris is absolutely right – we do not accept any risk or liability when it comes to recommending the product. We have all seen manufacturers who might not have the same approach to delivery.  

GD: It’s about education; being the security lead in an organisation is also about making sure the business understands what it is you’re doing, and then, more importantly, your contractors etc. They too need to understand what it means to have that certain standard that you’re asking, in your specifications and why you have them in place.

This article was originally published in the January 2023 edition of International Security Journal. To read your FREE digital edition, click here.