Saudi Arabian Industrial Sites Need More than Just Physical Security

The author is a Fellow of the Security Institute and Assistant Regional Vice President for ASIS in the Middle East

The High Commission for Industrial Security (HCIS) plays a tremendously positive role in the protection of industrial assets in the Kingdom of Saudi Arabia.

Through its security directives it provides a solid structure and a complex, but comprehensive approval process. This makes the Kingdom of Saudi Arabia probably the most advanced country in the Gulf Co-operation Council in terms of safety and security protection of industrial facilities.

However, recent incidents in Riyadh remind us that significant threats persist and that it’s not only industrial buildings that require protection. Human beings are still easy and rewarding targets for politically motivated adversaries.

When attacks on employees multiply and an industrial employer can no longer guarantee protection for its workforce, that employer and in turn the country will quickly face serious HR and economic problems.

To maintain their operations employers are forced to pay potential employees much more, as well as investing in further security measures.

The HCIS imposes a requirement on industrial facilities to satisfy a stringent approval process, starting with a risk assessment  and progressing all the way to the 100% completion report.

The first stage of this approval process is the security vulnerability assessment. The methodology selected by the High Commission is the American Petroleum Institute version 2004 or its most recent development dated 2013, the API 780.

Vulnerability assessment

The three elements of an integrated security system

Also known as a security risk assessment the security vulnerability assessment is the mandatory method to be used by approved consultants in the Saudi Arabia.

It’s a simple method divided into five major steps (facility characterisation, vulnerability and threat assessment, risk evaluation and recommendations of mitigation countermeasures) which, coupled with the aforementioned security directives of the HCIS (Sec 1 to 12, issued in 2010), provides a good mix of security risk assessment and security audit.

The main drawback of this survey/audit stage is that security directives make many elements of physical security mandatory and fairly non-negotiable.

Because of the exorbitant cost of physical security requirements imposed by the High Commission (fence, gates, etc), industries are very reluctant to adopt any other good practice recommendations made by security consultants.

Naturally, a reputable consultant will make recommendations on issues as diverse as security policies and procedures, security awareness, business continuity planning and emergency preparedness in proposing a holistic approach to a facility’s protection.

The HCIS usually endorses these recommendations, and in doing so makes them binding. However, from the second stage the concept of design (CoD, or 10% preliminary design) only physical security measures will be scrutinised by High Commission experts and evaluated, discussed and approved. The same applies to the third stage, the front-end engineering design (FEED, or preliminary design 30%), albeit to a lesser extent.

This is problematic for two major reasons. First of all, a risk assessment is an all-encompassing document.

Recommendations are made for a purpose and organisational, physical, technical and procedural countermeasures must be implemented together to ensure effectiveness.

Second, physical security is only as good as the personnel who deliver it. As we all know, effective security comprises three elements: architectural security, electronic security and effective personnel to implement policies and procedures.

In short, the HCIS seems to take for granted that organisational and procedural recommendations will be developed and implemented according to the schedule proposed in the risk assessment report.

In practice, typically they are not. A security manager is usually appointed only when operations have started.

Verbal, piecemeal plan

That manager will implement a verbal and piecemeal security plan, based on their previous employment experience. Not once during the approval process will non-physical security be discussed or checked.

HCIS, which oversees the physical security of industrial assets in Saudi Arabia so effectively, should remedy this. Security should be comprehensive and conceived holistically.

The concept of a design stage, for example, should be accompanied with a set of security procedures describing how access will be granted at different access gates, how turnstiles and X-ray machines will be used and under which circumstances.

The security organisation should be described, showing security posts and whether they are fully or part-time manned. Post orders issued to the guard force should show that organisational security has been well thought through and will deliver.

The operation of CCTV surveillance should be based on employment of observation sequences. It isn’t enough to expect alarms to be triggered automatically.

Every hour, for example, the guard on duty at the CCTV surveillance post will check a sequence of cameras in an order provided to him by his immediate supervisor.

This observation should be random, which should not mean leaving it to the guard. The security shift leader should create sequences of surveillance that never overlap, but allow for a comprehensive observation of the site perimeter and high-risk areas over a period of four hours, for example.

Site observation

There are sometimes things more worrying than a trespassing attempt. Site observation and surveillance by a potential adversary are just as worrying, because without discipline and commitment they can be overlooked.

A car, sometimes occupied, sometimes not, parked 20 metres behind any section of the fence and observed several times in a week, for example, will not trigger any alarm.

But it should trigger one in the mind of the guard on duty. This sighting should be entered in the daily report and passed to supervisory level.

Should the car reappear at any stage, corrective action is needed.

When, during a site visit, a security consultant observes a training need for  security guards on duty, it is as worrying for facility security as a gap in the fence.

Training needs must be assessed and understood and a training programme designed, approved, budgeted and scheduled.

Notably, the purpose of physical security is only to provide physical protection to a facility. It is supposed to deter, prevent if possible, detect and delay an attack.

It is meant to provide support to the security guard force who, when properly trained, will assess, act, react and respond to the attack. The guard does not need to guard the gate any more.

But the guard remains the central feature of industrial security because once an alarm has been triggered, or when a suspicious event has occurred, it remains their responsibility to fix the problem.

This can only be achieved through a strong set of policies and procedures, a solid security awareness programme and guard force training.

Although HCIS prioritises industrial security far more than other regional administrations, there is still room for improvement.

Priorities should include integrating responses to organisational and procedural recommendations into the risk assessment, and to incorporate security, business continuity, emergency and crisis management plans into the concept-of-design stage.

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report