High Speed 2 and cyber essentials

15 April 2019

By Cyber Collective Partner Aaron Yates, Chief Executive at Berea Associates Ltd.

The current High Speed 2 (HS2) railway project plans to directly connect London, Birmingham, the East Midlands, Leeds, and Manchester once it’s finished, making the commute less burdensome for passengers.

Phase 1 of the project is expected to be completed by 2026. Balfour Beatty Vinci, the joint venture coordinating sections N1 and N2 of the HS2 rail project, have now released their minimum security requirements for suppliers. Their document details the credentials a contractor must hold in order to tender in their supply chain.

One requirement of note is that suppliers must hold an annually-renewed Cyber Essentials certificate. This is a scheme coordinated by HM Government through the National Cyber Security Centre. Specifically, this requirement only applies if the supplier uses building information modelling (BIM) or bills of quantity (BoQ), which, as a result, will likely extend to most subcontractors.

Breach of confidentiality, integrity or the availability of data in the supply chain can lead to fraud, financial loss and project delays.

Such incidents have the potential to cost primary contractors substantial sums in performance penalties. As such, the requirement for Cyber Essentials is a very positive step towards ensuring information security in the supply chain for parts of the HS2 rail project.

Cyber Essentials was designed by HM Government for exactly this purpose. It provides a technical framework to reduce exposure to common threats from the internet, and as such provides a minimum level of assurance about the practices a supplier undertakes to secure their IT operations.

High Speed 2 and cyber essentials This requirement is positive for the wider construction industry, as it makes it easier for other primary contractors to demand the certificate be held. Subcontractors can then work to a single specification, rather than incurring expense while translating differing technical requirements.

The validity of the certification increases further the more it is required, creating a more resilient construction industry in the United Kingdom. Therefore primary contractors in the UK should be actively encouraged to include the requirement for Cyber Essentials as a part of their tender process, where data will be transferred in the supply chain.

When these benefits have been considered previously, some procurement and contract managers have - admirably – taken the initiative to design a proprietary set of controls. Unfortunately, the issue with such an approach is that it creates further administration and expense for subcontractors concerning interpretation and implementation for each distinct tender.

Cyber Essentials can resolve this burden, effectively reducing the red-tape for smaller firms, by working to a single, recognised standard.

This approach is advantageous for all supply chains, especially in the related industries of logistics, warehousing, and manufacturing.

Technology now facilitates many projects operating on a ‘just in time’ basis. However, the lack of security around that technology can quickly become the primary threat to a project’s success.

It is not just immediate project data that is susceptible to creating issues; hotel reservations, vehicle hire, and other support services will also be dependent on technology.

As systems failure is not the only part of the overall project that can lead to undesirable delays or costs; the wider implications of a technology-enabled supply chain must also be considered.

This is where Cyber Essentials can again step in to serve as a standardised requirement.

It is important to note that the benefit of technical controls implemented by Cyber Essentials is not solely for the sake of those procuring goods or services.

They also provide an effective foundation for the wider security of the subcontractor’s business, which may not ordinarily be prioritised without customer demand.

Frustratingly, the Cyber Essentials requirement may be costly for many smaller construction firms. The industry-wide shortage of certificates available and expert cyber consultants has pushed cyber security day rates to in excess of GBP 1,000 +VAT per day on average, which makes the introduction of this requirement unaffordable and unwelcome to many.

For larger companies that want to make the requirement simpler for their subcontractors, Berea offers a viable solution called Cyber AMI. This service delivers the Cyber Essentials scheme in plain-English for non-technical individuals, without the expense of a consultant. Certification is guaranteed.

For more articles like this, download our Cyber Decoder
Cyber Learn more about cyber insurance solutions and risk management >>


  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information, please contact Sarah Stephens, Head of Cyber on +44 (0)20 3394 0486