Security in construction projects tends to be an afterthought. It is incorporated later, subjected to cost constraints, and only taken seriously when a security breach happens. The UK security ratings system which evaluates physical security is fairly decent, but the issues lie in the fact that most people in the construction management profession don’t know how to interpret them.
Physical Security And Door Ratings
LPS 1175 is the LPCB rating for attack resistance, which grades products from SR1 to SR6 based on how long they withstand a physical attack with a specific set of tools. SR1 means at least one minute with basic hand tools while SR6 means resistance to a sustained attack with power tools and cutting tools. Most SR ratings for commercial buildings typically fall between SR2 to SR4. SR2 is sufficient for a low-risk office. SR3 is typically the minimum for a site that generally has a higher risk due to the presence of portable high value equipment.
SR ratings deal with physical attacks and do not assess the integrity of the installation itself. A highly rated door within a poorly constructed frame will offer you a lot less protection than the rating may imply. Make sure the installers are LPCB-approved or the equivalent prior to placing an order.
PAS 24 provides a slightly higher rating than LPS 1175 and covers higher security doors and windows. It is cited specifically in the security section of the building regulations, Approved Document Q, which deals with security in new residential buildings. There has been a gradual extension of PAS 24 compliance to all external access doors in residential buildings. It tests for a range of forced entry techniques and key manipulation.
STS 202 is one of the test standards developed by the Door and Hardware Federation. It resembles LPS 1175 in a broad sense, but employs a different test methodology. You will see STS 202 in some commercial specifications and insurance schedules, where the insurer favors the standard.
Secured by Design is a police-endorsed certification scheme, rather than a test standard. It is a scheme that cites LPS 1175 and PAS 24, and incorporates some of the lower bounds of performance for different building types. Secured by Design compliance is now a requirement for many planning authorities in England. On these sites, it is a mandatory requirement as part of the planning permission.
Access Control Systems
In the commercial sector, card and fob systems dominate the marketplace for access control. In many ways, they are the same. Technology that is 20 years old, and is still sold by numerous suppliers, is based on 125kHz RFID, which is insecure and can be cloned in 30 seconds with off-the-shelf equipment. A much more secure and cost equivalent system to implement, are access control systems utilizing 13.56MHz MIFARE or DESFire.
The introduction of systems that utilize biometric access, such as fingerprint and facial recognition systems, solves the credential theft problem, but introduces a different and arguably larger problem. If compromised, biometric data cannot be changed. In the UK, the block of system providers who control biometric data recommend that the data is stored on local systems, rather than in cloud systems, to avoid the problems that are associated with exposed systems.
Mobile access credentials are making an appearance in commercial builds. There are a lot of positives. For one, mobile access means you don’t get stuck collecting access fobs from people once they leave the company. You can deactivate their access on your phone. But not all access control offerings work with mobile credentials. Some access control systems work with mobile credentials but require a proprietary reader, which means you are stuck with one vendor to provide the panel hardware.
For some industries, access control systems are incomplete without the ability to track access. For example, financial, healthcare, and data service industries require systems that track what users did and when they did it. You should be able to get access control systems that track access and also provide logs that are unmodifiable.
Perimeter and Site Security
Securing a construction site and an occupied building are two different problems. When it comes to construction, equipment and materials are the most common targets. The most vulnerable time is after hours and on the weekends. It is common for construction materials to be targeted for theft at the end of a work week when there is the most on the site.
Hoarding, security lighting, and CCTV are generally considered “those expenses we have to incur” rather than “those expenses we should minimize.” Temporary site security should be a cost to minimize, not an expense that you should incur. For example, one theft of power tools or security lighting and CCTV systems may cost several thousands of dollars. When you are properly specifying a system, the cost should be a fraction of one theft incident.
SSAIB and NSI Gold are the two UK recognized approval bodies for security system installers. Your insurer may not accept alarms or CCTV installed by non-accredited companies. Check the policy before engaging the contractor.
Maintenance and Inspection
Security systems deteriorate without notice. A door could have passed its SR3 test during installation, but may not be compliant later if the hinges or fixings have become loose, or if a non-rated cylinder was installed. An inspection should be done at least annually, but may be required more frequently if the site is deemed more risky.
Access Control Systems are not impervious. Vulnerabilities exist within older versions of system firmware. Regular maintenance to update and patch security systems is crucial.
While access control systems provide a layer of security, physical keys still present an open access issue. Many systems still utilize a mechanical system for overrides in an emergency. Key control becomes critical to preventing unauthorized access. Who has control, the process to replace lost keys, the frequency in which key control systems are updated. These are some of the weakest points of systems.