Physical Protection Systems (PPS) Life Cycle and Planning
PPS Life Cycle Phases
Phase 1: Planning
Phase 2: Design & Estimation
Phase 3: Procurement
Phase 4: Installation, Operation & Training
Phase 5: Commissioning & Warranty
Phase 6: Maintenance, Evaluation & Replacement
PPS Life Cycle Phase 1 – Planning
Planning is the most important phase, setting the foundation for a successful project.
Time invested in thorough planning significantly reduces complexities and time required in subsequent phases.
Essential to ensure all necessary security measures are identified and implemented, following a comprehensive risk assessment.
Identify needs and provide a clear justification for the project, aligning it with organizational goals.
Define PPS objectives and explain how they effectively mitigate identified risks.
Document functional requirements detailing specific system functionalities.
Provide operational justification, explaining how the project supports operational needs.
Include economic justification, demonstrating cost-effectiveness and ROI.
Develop a preliminary budgetary estimate to outline expected costs.
Create a preliminary schedule with key milestones and timelines.
Develop Project Charter
The project charter, also known as the project approval paper, formally initiates the project.
Example project: 150,000 Security and blast consultancy for the development of a new Data Centre located at No. 1 Wonderful Lane Singapore (123456)
In Singapore, the development of the Data Centre is subjected to MHA’s Security-By-Design framework.
Engage competent person(s) to provide consultancy services for the SBD process, ensuring the development adheres to MHA’s requirements.
The design and construction of the data center are dependent on the TVRA, BEA, and SPP.
Construction can only commence after MHA approval of the SPP.
Security and blast consultancy for the development of a Data Centre Donald Tan ABC Pte Ltd 1 Jun 2025 Alan Goh
Key Milestones
List the key milestones:
Approval of TVRA: Essential for threat and vulnerability assessment.
Approval of BEA: Ensures blast effects are considered in the design.
Approval of SPP: Final security plan approval required for construction.
Kick-Off Meeting: 1 Jul 2025, to align stakeholders and project team.
Approval of TVRA: 1 Oct 2025, completion of threat and risk assessment.
Approval of BEA: 1 Jan 2026, ensuring structural integrity against blasts.
Approval of SPP: 1 Apr 2026, final security measures approval.
Project Team
Form a project team with representatives from various departments:
Security: Responsible for security measures and compliance.
Procurement: Manages procurement of security-related equipment and services.
Human Resource: Handles personnel security and training.
Facilities: Ensures physical security and maintenance.
Information Technology: Manages IT security aspects.
Include any other relevant departments.
Stakeholders
Tender Evaluation Committee (TEC): Evaluates bids and proposals from vendors.
Approving Authority: Senior management responsible for project approval.
MHA’s Security-By-Design Framework
Centre for Protective Security: Oversees security standards and compliance.
Responsible Person: Individual accountable for security implementation.
Competent Person: Qualified professional ensuring compliance with security standards.
Example:
Ahmad, Security Director, Responsible Person
Leslie, Security Consultant, Competent Person
Mary, CPS Manager, Involved in security and blast consultancy for the development of a Data Centre as of 15 Jun 2021.
Stakeholders Analysis
High Power, High Interest: These stakeholders have the biggest impact; closely manage their expectations and involve them in key decisions.
High Power, Low Interest: Keep these stakeholders satisfied, providing enough information to maintain their support without overburdening them.
Low Power, High Interest: Keep these stakeholders informed and in the loop, as they can provide valuable insights and support.
Low Power, Low Interest: Provide the least amount of attention to these stakeholders, keeping them informed of major updates.
Security Risk Assessment
Security Risk Assessment: A systematic process for identifying assets, threats, and vulnerabilities to ascertain risks.
Identify threat mitigation options and select appropriate measures to reduce risks.
Implement no security program without first performing a comprehensive security risk assessment.
Risk is the potential for loss or damage to an asset, including financial, operational, and reputational impacts.
Risk is measured based on:
Value of the asset in relation to potential threats and vulnerabilities.
Likelihood of a threat occurring and the potential consequences of the event.
Outcome
Risk assessment provides a relative risk profile, defining which assets are at greatest peril against specific threats, helping prioritize security efforts.
Risk Management Process
Step 1: Gather Data and Identify Assets: Collect relevant data and identify all assets that need protection.
Step 2: Identify Threats and Review Security Measures: Determine potential threats and evaluate existing security measures.
Step 3: Design Mitigation Measures: Develop and implement measures to mitigate identified risks.
Step 4: Regularly Review and Update Security Measures and Plans: Continuously monitor and update security measures to adapt to changing threats.
Threats
Establish the Design Basis Threats (DBT): "The adversary against which the utility must be protected," defining the security program’s scope.
DBT Sensitivity
DBT is sensitive and confidential information, requiring protection to maintain security integrity.
It serves as the basis for designing the security program.
Adversaries can use DBT information to undermine security measures.
Categories of Threats
Intentional threats (generally more relevant to physical security elements):
Terrorists: Groups or individuals aiming to cause disruption and damage.
Crimes: Criminal activities targeting assets.
Activists: Individuals or groups protesting or disrupting operations.
Natural threats:
Flood: Water damage to infrastructure and assets.
Fire: Damage to property and equipment.
Storm: Weather-related damage.
Inadvertent threats:
Accidents: Unintentional incidents causing damage.
Errors: Human mistakes leading to security breaches.
Omissions: Negligence in implementing security measures.
Peripheral threats: Indirect risks from external factors.
Classes of Adversary
Outsiders: Individuals or groups external to the organization.
Insiders: Employees or individuals with authorized access.
Outsiders in collusion with insiders: External actors collaborating with internal personnel.
5 Primary Threats
Vehicle-Borne Improvised Explosive Device (VBIED): Explosives delivered via vehicles.
Improvised Explosive Device (IED): Homemade bombs.
Attack by Armed Assailant: Individuals attacking with weapons.
Chemical & Biological Agent: Use of harmful substances.
Unauthorized Entry: Gaining access without permission.
SBD Consultancy
CPS provides baseline threat list to RP to guide security planning.
CP develops threat scenarios to simulate potential attacks and responses.
Assets
Asset:
Is required to maintain business operations, ensuring continuity.
Is valuable to the company, contributing to its financial stability.
Is a resource that requires protection to prevent loss or damage.
Is tangible or intangible, including physical and intellectual properties.
May be critical or less critical, affecting business impact assessment.
Assets Identification
3 steps process:
Step 1 – Define & understand company’s business, including core operations.
Step 2 – Identify site, location, systems, and infrastructure components.
Step 3 – Identify tangible / intangible assets, categorizing all resources.
Valuing Assets Considerations
Replacement cost of assets: Cost to replace damaged or lost assets.
Availability of replacement: Time and ease to acquire replacements.
Loss of revenue due to lost functions: Financial impact of operational downtime.
Existence of backup systems: Availability of redundant systems.
Impact on reputation: Potential damage to company image.
Cost of Loss Formula
Total Cost of Loss = Cost of permanent replacement + Cost of temporary substitute + Total related cost (e.g. remove old asset & installation) + Lost income cost – Available insurance
Vulnerability Assessment (VA)
Vulnerability of assets to threats, identifying weaknesses.
Vulnerabilities are weaknesses that can be exploited by aggressors.
VA examines each asset & threat pair, assessing potential impacts.
Compare asset-threat pairs to develop priority ranking for mitigation.
Vulnerability Assessment (VA) Considerations
Lack of redundancy: Single points of failure.
Collocation of critical systems: Systems located in the same area.
Single point of failure: System failure leads to overall failure.
Ease of access to assets by aggressors: Physical and logical accessibility.
Inadequate security measures: Weak or missing security controls.
Presence of hazardous materials: Increased risk of damage.
Potential for collateral damage from other neighboring companies: External risks.
Vulnerability Assessment (VA) Approaches
Compliance-based:
Check for presence of PPS to meet regulatory standards.
Effective against low threat scenarios.
Easier to perform with checklists and standards.
Performance-based:
Evaluate how each PPS performs under stress conditions.
Assess the overall system effectiveness in real-world scenarios.
Recommended approach for comprehensive security assessment.
How to perform VA?
Establish baseline security first to set a standard for evaluation.
Document review to understand existing security measures.
Interview Stakeholders to gather insights from different perspectives.
Conduct Site Survey to assess physical vulnerabilities.
Perform System Test to evaluate technical security controls.
6-step process Performance-Based VA
Create an Adversary Sequence Diagram (ASD) for all asset locations to map potential attack paths.
Conduct a path analysis to identify the most likely attack routes.
Perform a scenario analysis to evaluate threat impacts.
Complete a neutralization analysis, if appropriate, to assess mitigation effectiveness.
Determine system effectiveness and risk based on assessment results.
Develop and analyze system effectiveness upgrades if risk is unacceptable to reduce potential damage.
Risk Management
After determining the risk to the assets, use risk mitigation measures to reduce the risk to acceptable level
Risk Mitigation Strategies:
Risk Avoidance: Eliminating the risk by avoiding the activity.
Risk Spreading: Distributing the risk across multiple assets.
Risk Transfer: Transferring the risk to a third party (e.g., insurance).
Risk Acceptance: Accepting the risk and its potential consequences.
Risk Reduction: Implementing measures to reduce the likelihood or impact of the risk.
Risk Management Considerations
Selecting Risk Mitigation Options:
Availability: Feasibility of implementing the measure.
Affordability: Cost-effectiveness of the measure.
Feasibility: Practicality of implementing the measure.
Develop Requirements
Major output of the planning phase is the requirements document, detailing security needs.
Identifies reasons for the measures / upgrade, documenting the rationale.
Closely tied to the Risk Assessment, ensuring measures address identified risks.
Captured in the Security Protection Plan (SPP), outlining security strategies.
Linked to TVRA (Threat and Vulnerability Risk Assessment).
Develop Requirements considerations
Invite vendors for demonstrations to showcase different solutions.
Visit other facilities to observe security implementations.
Gather information from industry reports and experts.
Research market to understand available technologies.
Proof-of-concept to test and validate solutions before full deployment.
System Design
Who will design the system?
Customer or end user?
In-house expertise e.g. Security managers, leveraging internal knowledge.
Prepare detail specifications for Invitation For Bid (IFB) or sole source procurement, defining exact requirements.
Consultant or Contractor?
Customer knows the problem but doesn’t know how to solve it, seeking external expertise.
Prepare requirements for Request For Proposal (RFP), outlining desired outcomes.
Budgetary Estimates
Analyse & decide which security measures to implement, based on assessment.
Get estimate costs for each alternative solution, supporting budget planning.
Budgeting & planning purpose, aiding in resource allocation.
Review by senior management & other stakeholders, ensuring alignment.
Include into the operating budget cycle, integrating into financial processes.
How to get estimates?
Consultant, leveraging their expertise and industry knowledge.
Vendors, obtaining quotes for products and services.
Compare alternative solutions using CBA (Cost-Benefit Analysis).
Cost-Benefit Analysis (CBA)
Cost versus Benefit of a given security strategy, comparing expenses and outcomes.
Determine the cost of implementation, quantifying all expenses.
Weight them against impact of loss, assessing potential damages.
Impact of Loss > Cost of Implementation, justifying the investment.
Deliverables
Risk Assessment Report, documenting identified risks and vulnerabilities.
Blast Effects Analysis Report, detailing the potential impact of blasts.
Security Protection Plan, outlining security measures and strategies.
Budget estimate, providing a financial overview of the project.
Design criteria, defining technical requirements.
Procurement method, specifying how resources will be acquired.
Project team, project manager, defining roles and responsibilities.