Opinion Piece: AMP8 changes the security conversation for utilities

AMP8 represents the largest investment the UK water industry has ever seen.

Over the next five years, billions will be invested in new infrastructure, upgrades to existing assets, treatment works, pumping stations and network improvements. This investment is essential for long-term resilience, environmental protection and service reliability.

But it also introduces a very real and often underestimated risk.

• More sites.
• More temporary works.
• More remote locations.
• More unattended assets.

And with that, more opportunity for unauthorised access, theft and vandalism.

Key takeaways

• AMP8 significantly increases exposure to security, safety and resilience risk
  The scale, pace and geographic spread of AMP8 programmes introduce more temporary, remote and unattended assets. This fundamentally changes the risk profile for utilities providers.
• Utilities site security is about protecting critical national infrastructure, not just preventing theft
  When utilities sites are compromised, the consequences extend beyond financial loss to service disruption, environmental harm, regulatory scrutiny and public safety exposure.
• Layered, proactive security is essential to meet legal, operational and regulatory expectations
  Duties under CDM 2015 and the Health and Safety at Work etc. Act 1974, combined with resilience expectations from regulators such as Ofwat, require security systems that actively prevent incidents rather than record them after the fact.

Why utilities site security is no longer just an operational issue

From an HSEQ and operational risk perspective, site security under AMP8 is not simply about loss prevention.

It is about protecting critical national infrastructure.

Utilities sites do not exist in isolation. When they are compromised, the impact can escalate quickly and extend far beyond the site boundary.

The consequences include:

• Service disruption to customers
• Environmental incidents and pollution risk
• Programme delays and cost escalation
• Increased regulatory scrutiny
• Public safety exposure

In an AMP8 environment, where programmes are tightly scrutinised and performance outcomes matter, security failures quickly become operational and regulatory issues.

Legal duties do not reduce for remote or temporary sites

Under the Construction (Design and Management) Regulations 2015, there is a clear duty to secure construction sites and prevent unauthorised access.

That duty applies regardless of whether a site is permanent or temporary, urban or remote.

The Health and Safety at Work etc. Act 1974 extends that responsibility further, requiring dutyholders to protect not only workers, but also members of the public who could be affected by the work.

For utilities providers, these duties sit alongside resilience and compliance expectations set by regulators such as Ofwat.

A remote compound with a locked gate does not remove responsibility. In many cases, it increases the level of risk that must be managed.

Why a locked gate is no longer enough

A locked gate is a control.
It is not a security strategy.

Remote utilities sites are attractive targets precisely because they are unattended and out of sight. Fences can be breached. Gates can be forced. Once access is gained, the consequences can escalate rapidly.

Good practice under AMP8 requires a layered approach that reflects the level of risk.

That means combining:

• Physical barriers to delay and deter access
• Lighting and visual deterrence to reduce opportunistic intrusion
• Removal or protection of vulnerable materials such as fuel, copper and plant
• Proactive monitoring with real-time intervention

The objective is not to record what happened overnight.
It is to stop incidents before they escalate into environmental, safety or service failures.

Moving from passive security to active prevention

This is where technology plays an important role when used correctly.

At Clearway, utilities projects are supported with rapid-deploy, solar-powered security solutions designed for remote and temporary sites.

These include smart CCTV systems for smaller or short-duration works, mobile CCTV towers for wider-area coverage, and 24/7 monitoring through a National Security Inspectorate Gold approved alarm receiving centre.

The value is not in the equipment itself, but in what it enables.

Issues are detected, challenged and escalated in real time, rather than discovered after damage, pollution or disruption has already occurred.

Protecting infrastructure that communities rely on

For me, this has never been about security technology.

It is about protecting infrastructure that communities depend on every day. Clean water, effective wastewater treatment and resilient networks are fundamental to public health and environmental protection.

As AMP8 programmes mobilise at scale, the way utilities protect remote and temporary assets will play a critical role in delivering safe, compliant and resilient outcomes.

If you are mobilising AMP8 works or reviewing how you secure utilities sites, I am always happy to share how we are helping clients strengthen security, compliance and operational resilience.

Don Then

Group Director of HSEQ

Don is an accomplished Risk and Safety Leader with over 20 years’ experience delivering safety culture transformation and operational excellence across high-hazard, multi-site and regulated environments, combining strategic governance with hands-on leadership. Holding a Professional Doctorate in Risk Management and an MSc in Risk Management and Safety Leadership, and recognised as CMIOSH, FIIRSM and CEnv, Don has led divisional and programme-wide HSEQ/HSES strategies, embedded ISO management systems (9001, 14001 and 45001), and strengthened assurance, audit and compliance performance at scale. His career includes senior director roles in global logistics and manufacturing, and two decades with the UK regulator as a warranted Principal Inspector and policy leader (including authoring CDM 2015), bringing deep expertise in investigation, enforcement standards, and stakeholder engagement. Don is known for pragmatic, risk-led decision making, influencing at board level, and developing high-performing teams that consistently improve incident performance and operational resilience.