SAGE attendees listen to ASIO T4 head's SCEC address in Canberra.

At Security & Government Expo (SAGE) head of ASIO T4 asked for industry assistance to ensure government security solutions – including those protecting defense installations like the Garden Island RAN base pictured above – continue to offer the highest possible levels of protection as technology rapidly evolves.

Q: What is the Security Construction and Equipment Committee (SCEC)?

A: Most people in the supply side of the security industry have heard of the Security Construction and Equipment Committee (SCEC) and are aware of its function – basically, it’s a committee that’s dedicated to identifying and improving security products for the use of the Australian government – it’s as simple as that.

We also provide a secondary function – that’s oversight of development and endorsement of security policy for the Australian government. The reason we do that is to try to assess the impact of policy that’s being written on government end users. That can be the cost from deploying that policy or do we have the technology to do it. The members of SCEC derive from all of government – we cast a wide net to get advice not only from high security users but also from the general security side.

Members include ASIO, Attorney General’s Department, DFAT, Dept of Defence, Australian Federal Police, ANSTO, ARPANSA, Human Services and the Australian Signals Directorate. We are looking to build on this list because government departments are changing as part of the machinery of government processes and we need new input. All the people that sit on SCEC come with either technical security knowledge, security policy skills or security implementation skills.

Q: Why was SCEC formed and what is its history?

A: That’s a question that would have been on the minds of suppliers required to go through the SCEC testing process. In the 1970s government determined that a lack of assurance mechanisms for security and security products was creating vulnerabilities and putting government at risk. Cabinet then directed ASIO to establish a committee to fix that problem.

We looked to the UK to see what they were doing and decided to mirror their method, which would be very easy to stand up and in 1980 the first SCEC committee was formed. When first established, the SCEC committee reported to a permanent heads committee of security intelligence and this later morphed into the protective security policy committee. We now answer to the government security committee – the GSC. The GSC is an interdepartmental committee that looks at the strategic needs of the whole of government – a security for all approach so not just high security users.

Q: How does the security construction and equipment committee achieve its objectives?

A: We have a number of programmes to do this – the SCEC security consultant’s scheme, the approved locksmiths scheme, the endorsed courier service scheme and the security evaluated product list which has the evaluation programme in it.

ASIO T4 manages consultants and locksmiths on SCEC’s behalf. Both schemes have been designed to brief competent professionals, so we are not training anybody – just briefing them on what government needs and what is required under the protective security policy framework PSPF. Locksmiths and consultants must meet eligibility requirements to get into the programme, have recognised qualifications and demonstrate experience. They also have to agree to a code of conduct.

Locksmiths provide advice on requirements for different zones and supply and install physical security locking products with those zones. Consultants are endorsed to provide physical security advice for the Australian government agencies. They can do design, assessment and commission type 1A alarm systems – and design and construction of security zones as defined by the PSPF and the ASIO T4 tech notes – that is it.

SCEC does not train SCEC-endorsed consultants in anything but those 2 things. There is a sense in the market that a SCEC endorsed consultant can do anything but that’s not the case – it’s up to consultants how they promote themselves, but we are making that clarification.

Q: Could you tell us about the Security Equipment Evaluated Products List (SEEPL)?

A: The thing that’s most relevant to a group of suppliers is the security equipment valuated products list. The SEEPL was never intended to be a design manual – it’s a reference of suitable components for specification into zones as dictated by the PSPF. We expect that when your clients start specifying out of the list, they are not going to use a consultant. However, even minor installations when an electric strike is being selected can resulting in competing priorities like access control, OH&S and fire. For this reason, we advise people not to go it alone but to use a SCEC consultant.

The list has existed in one form or another for 39 years now – the first was the catalogue of security equipment in 1982, which moved to the security equipment catalogue. We are now publishing the list every year and putting it onto the SCEC website, the GovTeams website and in hardcopy. That’s available to SCEC consultants, locksmiths, government agency staff – security advisers, project managers, property specialists and we are also now reaching into procurement to get that communication across.

It’s been an interesting journey for the SEEPL thanks to changes in technology. There has been a lot of movement in some categories of the list and not a lot in others. For instance, the earliest edition included ways to destroy microfiche, in the 1990s it involved destruction of fax machine parts, in the 2000s we had to redefine the criteria because the information density was getting far too great, and we are currently researching the destruction of SSDs to see if current standards are sufficient to ensure that all information is destroyed.

Q: How are security products evaluated for the SEEPL?

A: In terms of security evaluation, it’s not SCEC’s job to do the evaluation, it’s outsourced to ASIO T4. Products are evaluated to ensure equipment meets the government’s requirements. One thing we do for all products is state the limitations of those products – some here will know we use an evaluation system with levels from 1-4, with 4 being the highest level of security and 1 being most basic.

We test administrative security, alarm security and hardware, doors, electronic access control equipment, locks and locking devices, perimeter security and security containers. We don’t test CCTV systems or cameras, electronic access control – there are just too many products in these categories and configuration of systems is a challenge in terms of locking down performance.

Other challenges include the rapid obsolescence of products – upgrades take place every year and we cannot keep up with that tempo. Other things we are not keen to get involved with include things outside our control, whether these be environmental factors such as light for CCTV. When it comes to access control, we have had a lot of queries from government clients in terms of getting the right specification, so we are now writing guidelines on the selection, procurement and installation of access control – it’s being drafted as we speak.

Q: How does SCEC call for products – for instance, how would SCEC get products from the expo floor into the security equipment catalogue? Are you looking for anything special at the moment?

A: We list required new products on the SCEC website on a quarterly basis. We are currently calling for Class A, B and C doors, integral door and frame systems, padlocks, Class A combination locks, indoor motion detectors, Class C keying systems and there is also some interest in RF and laser attenuation products. We would also dearly value more diversity for our indoor motion detectors and our combination locks – if you have any products in these categories, we would love to hear from you.

Q: What are the challenges of the process?

A: The process of sourcing the best security products is challenging – one of the reasons I wanted to come to SAGE was to see how we can help each other in terms of making government procurement of security equipment easier.

We will soon be going through a change of product approval process – so this is a cleaning of all the redundant products in the list, as well as removing unserviceable ones that no longer offer the levels of security required. We will be notifying manufacturers prior to this process so don’t panic if you have endorsed products in the list.

After that we will be going to the department security chiefs and advising them of the products that don’t meet our requirements. The advice we give is going to vary because it’s going to be risk-based decision on how they can phase things out – we will leave it to them based on what other layers of security are around the product that is defunct.

We are going to create gaps in the list through this process and we will need help from manufacturers and suppliers to fill those gaps with new technology.

Q: What is the highest security level for SCEC-endorsed products?

A: The highest level is Type 1A – this level of products secures our most sensitive assets and it’s a significant investment for us. We have one fully approved supplier and another in the pipe. If any other manufacturers or suppliers are interested in coming to the 1A party, they are more than welcome to join.

We’ve developed a transition plan to reduce the financial burden associated with whole of government replacement of Type 1A systems – this is a graduated scheme that was launched in 2015. The policy set out a number of milestones including planning and replacement and the end goal is to have all type 1A systems in Zone 4 or Zone 5 areas and to have this process completed by the first of August 2021. Some departments are meeting the milestones and others aren’t.

Q: How would companies make their case to join Type 1A?

A: Any suppliers or manufacturers that specialise in, or contribute to, Type 1A systems are welcome to approach government clients and ask them if they need assistance in planning, costing or delivering their type 1A transition. It’s a very easy opening for suppliers and consultants and it’s going to help us as well in terms of managing our stakeholders across the line. We don’t want to see a scenario where government departments leave it until July 2021, ring up a consultant and say: “come down we need to replace all this by next week”. So, go and see your government clients – it will help us all.

Q: In what other ways can industry help SCEC?

A: Some challenges we are keen to get industry assistance on is understanding the latest technology. We are seeing a lot of modernisation of our security equipment and we are getting connectivity in devices that have not traditionally had connectivity, so we want to understand better how your devices fit into the ecosystem. Is there data storage, does it transmit data, is it sharing data, who does the data belong to?

One thing we are also keen to advocate for is security systems based on open and accessible architecture – we want to move away from proprietary systems with custom coding or custom encryption and we are going to advise agencies to tender for systems that support interoperability and use accepted industry techniques. At the same time, we are still looking for best practise, not lowest common denominator.

The other thing we are keen on developing is applications for building management control systems. We really want to improve data management, limit access and deny information egress – we want to understand how these systems work and we would be grateful for any help we could get with that. The rise of smart buildings and the automation we have seen in products clash with our high security requirements – we’d dearly like industry to work with us to achieve this outcome in the high security space.

Q: Will SCEC ever move into cyber security?

A: ACSC is responsible for the Australian Government’s messaging and advice on cyber security. For our customers, I would like to see a single source of security advice, regardless of discipline. We’ll be looking into how the Australian Government’s security outreach can be consolidated for the client’s ease of use.

Q: Companies that want to get involved in assisting SCEC with high security systems and building automation – what’s the best way to approach you?

A: The best way is through their government customers who then make a request to the SCEC committee for particular products – they should also keep an eye on where we list products we are seeking. We are always interested in new products if our departments show interest in, so these can be promoted to one of the agencies I listed earlier.

The other thing is that if there is a big security tender it might be worth suggesting your client presents their requirement for a product or solution to SCEC themselves – that’s probably the most direct way of approach – the supplier’s government client will come to SCEC and say ‘we need to use these products they are going to give us an advantage’ and we will then look at the product.

Q: When it comes to government security threats, what’s worrying you most at the moment?

A: It’s the cloud-based technology – not so much this industry but everything. To me it seems an unnecessary requirement to merge devices with Bluetooth with Wi-Fi or any other sort of communication. We’ve seen communication move away from traditional paths and we are now starting to lose sight of where data is going – that’s the bit that scares us most.

The problem we have at the moment is we can say we’re going to have an isolated network and step back, but at some stage users are no longer going to tolerate that. They are going to want a connected system that works. This is why we are calling for more information on what products are connecting to, and where data is going.

If there’s one thing I could suggest to SAGE exhibitors, any changes that can be made to your products to make your government clients and ourselves feel more secure, we suggest you waste no time in making those changes.