Physical Protection Practitioner Fundamentals

Session 1

Hostile Vehicle Threat and Mitigation


This session contains links to other websites.  PSN cannot guarantee your security or safety when linking to these sites.

This session draws upon knowledge and perspectives of experienced practitioners together with published research and advice from respected authorities for example, the UK’s Centre for the Protection of National Infrastructure (CPNI), the Australian-New Zealand Counter-Terrorism Committee (ANZCTC). We acknowledge and appreciate the contribution of these and other organisations to public safety.

This session aims to synthesise key practical aspects from these sources in a manner that is relevant to the Australian and Asia-Pacific contexts.

Although focussed on the protection of people, property and places at the operational levels, this session also provides links to references that would assist in a deeper self-directed study that may also include theory, or reports or case studies of incidents.

Continuous learning about the threat landscape, threat countermeasures will assist in improving security resilience and professional recognition of protective security practitioners.

The practitioner session aims to:

  • Further consider the threat landscape.
  • Encourage a deeper understanding into the topic including threat methods and countermeasures.

The Focus of this Practitioner Session

  • Further consider the threat landscape.
  • Encourage a deeper understanding into the topic including threat methods and countermeasures.
  • Develop human-centric situational awareness. While technologies designed to provide data capture and analysis are vitally important, human factors, including decision-making and actions will always determine the quality and ethical outcomes of this necessary process.
  • Place emphasis on the professional-level vigilance that protective security practitioners need to detect, disrupt, deter, and report during two critical periods, the hostile surveillance and the immediate lead-up to an attack.
  • Excludes situational awareness during and immediately after a terrorist attack or other serious security incident (Response and Recovery phases). These later phases will be addressed in separate sessions.

Terminology and Definitions

The definitions of key elements of protective security practice are important to:

  • Ensure messaging is accurately understood across stakeholder networks, and
  • Assist problem solving at the operational levels.

Definitions may change, perhaps reflecting different contexts, situations, threat trends, technological advancement, changing legislation and new national or International Standards.

The following key terminologies and definitions are from a variety of sources, for example the UK’s Centre for the Protection of National Infrastructure (CPNI) and the Australian-New Zealand Counter-Terrorism Committee (ANZCTC).

The source of terminologies and definitions may not be known, or their origin may be ambiguous. This somewhat reflects the evolution of the body of knowledge for protective security. We apologise for any mistake in identifying or omitting the source. We would appreciate feedback to amend any sourcing.

Please refer to the Glossary for a more comprehensive view of definitions and terminologies.

Core terminologies and definitions for this session:

Crowded places:  Crowded places are locations or environments which are easily accessible by large numbers of people on a predictable basis.

Deception:  A method to exploit or manipulate human characteristics or situations. There are various forms including:

  • The use of stolen or cloned ID,
  • Use of access control credential (e.g. cards) of persons no longer authorised such as due to cessation of employment or contract – but not removed from ‘system’,
  • Verbal deception, or
  • A trojan (disguised) vehicle. This method may be accompanied by a decoy action to focus the attention of security to some other location at the site.

Emergency response procedures: Established procedures for situations in the event of a hostile vehicle attack and the possible outcomes such as:

  • Structural collapse
  • Casualty management
  • Evacuation
  • Emergency first responder access.

Encroachment:  Incomplete or incorrectly spaced countermeasures (such as space between fixed security bollards) can allow a hostile vehicle to enter an area unimpeded without the need for the deliberate ramming of perimeter to gain access into building or a crowded space (referred to as ‘impact’).

A hostile vehicle may enter by other methods such as tailgating a legitimate vehicle through a vehicle access control point.

Hostile reconnaissance: The purposeful observation with the intention of collecting information. Typically, this pre-attack activity by terrorists is to qualify a location as a target, discover weak spots (vulnerabilities), assess the level and type of security, inform the best time to conduct the attack, the resources needed and assess the likelihood of success.

Sometimes the pre-attack process includes a ‘rehearsal’.

Improvised explosive device (IED): A device made or placed in an improvised way that incorporates destructive, lethal, noxious, pyrotechnic or incendiary chemicals and is designed to destroy, incapacitate, harass or distract.

Insider threat: A person that has knowledge of privileged, confidential, operational or technical information that would assist in an attack, or a person with authority to be on site, typically without supervision and possibly with access privileges to restricted areas.

Traditionally, the insider threat would be a person working on site. This could be extended to people, including contractors working off-site with legitimate access to physical security-related systems over the internet.

This term is also shared with the cyber security field.

Layered attack scenario: A combination of methods to achieve the attack mission, typically reflecting the strengths and weakness (vulnerability) in physical security of the targeted site. This scenario is sometimes called a ‘complex’ attack. The attack methodology may more reasonably characterised as a Marauding Terrorist Attack (‘MTA’).

Lone offenders: These individuals often radicalise online and motivated to commit to violence. Without a clear group affiliation or guidance, lone offenders are challenging to identify, investigate, and disrupt (FBI).

A lone offender can also be directed or influenced by a terrorist group and especially a group leader, as seen in many suicide attacks around the world.

The terms ‘lone actor’ and ‘lone wolf’ are sometimes used.

Parked vehicles:  An attack may come from a VBIED which may be underneath or on higher levels (such as within a multi-level carpark) of the property or adjacent to the intended targeted property.

Pattern setting: Routines that are observable (during ‘hostile reconnaissance’) and assessed by terrorists (or other criminals) and exploited during an attack.  Pattern setting of use to terrorists includes security procedures including patrols, cleaner routines, deliveries etc.

Penetrative attack: The use of the front or rear of a vehicle as a ram to breach a perimeter or target premises to get a hostile vehicle to the intended target.

Rehearsal: The process used by terrorists to practice an attack as far as practicable and to gain further knowledge about the security strengths (capabilities) and security weaknesses (vulnerabilities) at the targeted site.

The rehearsal may be used to test assumptions about security integrity (including the displayed vigilance by security officers).

Situational awareness: Being mindful of your surroundings, in particular changes to your surroundings and identifying potential threats and dangerous situations.

Threat actor:  Any person, group, organization, or government that conducts or has intent or has the power to cause, conduct, transmit or support malicious activities.

Vehicle-borne improvised explosive device

(VBIED):    An IED carried on or within a motor vehicle.

Key Points

  • Vehicles are used as weapons to kill multiple people during a single attack and cause life-long trauma for survivors.
  • Vehicles are used because they are inexpensive, sometimes innocuous looking, easily obtained and generally require no additional competencies to operate them.
  • Vehicles are often unnoticeable as a weapon until the vehicle’s first impact.
  • Vehicles used in criminal acts not associated with terrorism can be used as weapons or incidentally cause damage.
  • The society’s fear of vehicle-borne attacks has also impacted on the physical design of many new buildings and the management of precincts and other publicly accessible spaces.
  • Research into hostile vehicle scenarios and risk mitigation has led to the development of standards for equipment, architectural design principles and the published guidance by governments.
  • Typical targeted locations include for example, commercial office buildings, shopping centres, bus passenger shelters, places of worship, military bases as well as open public spaces such as city malls, plazas, promenades, street parades, street festivals and marathon routes. Non-terrorist attacks typically include places like hotels (pubs), inns and truck stop facilities.

Issues and Trends: A Global Broader Context

This session focuses on key practical issues for protective security practitioners.

  • While terrorism attacks using vehicles as a weapon are more common in Europe and the Middle East, it is reasonable to believe that this method of terrorist attack could occur in Australia, New Zealand and other countries in the Asia-Pacific region (for example the 2004 attack on the Australian Embassy in Jakarta, Indonesia).
  • Vehicles as a weapon have been used in Australia for acts of violence not related to terrorism. These typically involve one person, the driver. Other weapons are not typically involved.
  • Vehicles used as a weapon against crowds have been used by perpetrators from a variety of backgrounds, as can be seen by attacks by Islamist terrorists and by racially motivated violence by right wing extremists in the USA in recent years.
  • As an over- simplified observation, terrorists typically, but not always intend to die in this type of attack. This mindset mainly relates to radical Islamist ideology. In the USA this type of attack has involved neo-Nazis and other right-wing extremists. To date, they tend to kill and maim people in crowds without the intention to suicide.
  • Bio-chemical and other hazardous chemicals may also be used. Examples include The 1993 attack on the World Trade Center Towers in New York City and the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahama City.
  • Security risk assessments should consider this type of attack. Related training for security officers should be guided by the security risk assessment and advice from government security services and subject matter experts in security and emergency management.
  • The use of hostile vehicles may be a stand-alone action or as a critical and high-impact part of a complex attack or as the British counter-terrorism agencies call a ‘Marauding Terrorist Attack’ (MTA).

Complex Attacks

When vehicles are used as a ramming weapon (normally at pedestrians or to breach a property perimeter), the terrorist plan may include secondary attacks.

Typically (but not always), the driver alights from the vehicle with other weapons (‘mixed mode attack’) such as guns and bladed weapons (e.g. knives, machete) to attack and kill people in the vicinity.

In a complex attack, more than one person (in addition to the vehicle driver) is usually involved, sometimes at different locations at the primary targeted site, and/or simultaneously at other sites. Typically, different weapons and methods are used, including deliberately lit fires.

Complex attacks are well coordinated and sometimes directed in real-time by a controller/handler well away from the scene.

There are various reasons vehicles are often used as a critical component of a complex attack, for example to:

  • Commence the attack with ‘shock and awe’.
  • Kill people and/or destroy buildings and infrastructure.
  • Attack and neutralise security office (or control room) and facility management office.
  • Breach a solid perimeter using force of the vehicle.
  • Draw a focus and response by security personnel away from another location important to the terrorist attack.
  • Develop confusion for security personnel and others providing protective services (including personnel in the security centre/office and facilities office).
  • Create a panicked crowd.
  • Provide strong imagery for mass media.
  • Possibly action a planned ambush against first responders.

Security Managers and Supervisors

  • It is important to have strong knowledge of your broader location i.e. your own property and the immediate precinct (known as ‘Domain Knowledge’). A map of the precinct along with aerial images should be beneficial.
  • Understand that written procedures may not be the best response to an actual attack.
  • Security managers will need to be ready to make quick life-saving decisions without perfect knowledge of the situation.
  • Ensure all physical security and video surveillance systems are maintained to optimised working condition with video surveillance systems giving the best possible situational awareness capability, especially around identified locations that are vulnerable to hostile surveillance and attack.
  • It is important to exercise this type of attack on a repeated basis, followed by reviewing and amending plans, procedures, training and countermeasures. Documentation of exercise plans and outcomes should be a feature of the risk management framework and should be expected to be required during any official review of a terrorist incident.
  • Understand that security officers in the ‘open’ are likely to be closest to the attack. They will be providing tactical situational awareness, tactical responses and situational reports.

Their effectiveness and personal survival may depend on their personal character and skillset such as their initiative, judgment, confidence, oral communications skills and perhaps less on following a written Security Operating Procedure. Where SOPs are highly relevant for control room personnel, they may be far less relevant for security officers at the scene of a major life-threatening incident. Security Operational Guidelines may be more appropriate to circumstances where security officers are in the ‘open’, as they give more approved options within a more flexible framework.

  • Be ready to change to a ‘command and control’ style of leadership. This is about clear decisive action based with imperfect information. Remember ‘time and ‘physical distance’ away from the actions of terrorists improves human survivability.
  • Ensure your security officers are ready, for example:

Aware of the hostile vehicle risk for your facility (or your special event). Include risk and relevant procedures in team briefings. Focus on relevant section of the facility’s standard operating procedures (SOPs) and emergency response procedures. Include in briefings any current threat assessments, any advice that has been provided by police, and any relevant physical or operational changes to property or security resources.

Trained to identify and report suspicious behaviour (for example possible ‘hostile reconnaissance’), suspicious vehicles on site, approaching your site or circling your site.                    


  1. Carpark personnel employed by a car park operators, cleaners and trades personnel working in car parks could be considered for inclusion in this training.

Discourage ‘pattern setting’ i.e. the predictable movements (e.g. patrol routines) by security officers.

Reminded to maintain strong ‘domain knowledge’, vigilance and situational awareness, especially in relation to interior car parking areas, loading docks and vehicle entry and exit locations.

Encouraged to listen and act upon their professional instinct – this may save lives. This applies to both vehicles on site and vehicle moving around or towards the site.

Reminded to report immediately if they see ‘something’.

Competent to operate systems or equipment intended to counter a threat. For example, this may be (in-ground) retractable bollards and closure of carpark gates.

Discrete communication of threat information, including suspicions.

Competent in implementing the site’s emergency response procedures and administering first-aid.

Reminded that drivers of hostile vehicles may not obey road traffic rules. For example, driving down the wrong way or along a pedestrian path.

Security Officer – Frontline Operations


  • Maintain high levels of ‘domain knowledge’, vigilance and situational awareness.
  • Know how to operate all security-related equipment, for example portable fire extinguishers, duress alarms, building lockdown systems, air intake and gas shutdown points.
  • Ensure all security-related equipment are working.
  • Be mentally ready and competent for example, to: 
  •      provide situational reports (‘sitrep’),
  •      be the first to respond,
  •      provide on-scene leadership,
  •      assess casualties,
  •      identify remaining risks and hazards,
  •      administer or arrange first aid,
  •      ensure scene perimeter control, and
  •      assist police and other emergency responding services.


  1. The order of your actions will depend on circumstances and your judgment.
  2. It should be assumed until otherwise determined by police that the driver will have accomplices with weapons.
  3. If not confident in actioning procedures (prior to an attack), seek advice from your manager.

Suspicious Vehicle:  Your Actions – Confirm, Clearly Communicate & Control

CONFIRM whether vehicle on site or parked near the property perimeter exhibits recognisably suspicious characteristics. If you are in the vicinity:

  • Avoid radio communications when a suspicious vehicle is identified on site or immediately outside the property. Seek alternative means to communicate, for example a warden or cleaner to be the messenger.
  • WARNING: Never touch, move or remove a suspicious or extraneous device from a vehicle. Follow organisational guidelines. The handling of any device may cause injury, damage and contaminate forensic evidence.
  • Take Charge and move people away to a safe distance from a parked vehicle or a vehicle that has stopped after ramming: at least 100 metres away. If you cannot safely escape the property, find solid objects to protect yourself and others. Stay away from locations that increase your personal risk, like glassed areas.
  • Cordon off area. If vehicle is on site, do not allow other vehicles or pedestrians to enter property or area.
  • Assess if there are any explosive materials or other hazards in the vicinity of the suspicious or the suspected vehicle, such as fuel storage, gas pipes or air intakes.
  • Report the incident to emergency services and site security control.
  • Mentally prepare your Situation Report (‘SitRep’) for the arrival of police and other emergency services.
  • Terrorists do not negotiate and therefore, security officers need to take immediate and appropriate action to:
  • Firstly, be as safe as you possibly can,
  • Secondly, do what you can to protect the lives of other innocent people. Remember, armed police response is typically swift and uncompromising to provide the best possible safety and resolution in a highly volatile situation.
  • Security officers in secure control rooms should in theory be reasonably protected from violence. They need to action their standard operating procedures for this type of attack.
  • For advice on current security threats and precinct security issues contact local police.

Understanding the Broader Context

PSN members are encouraged to conduct further research into this topic. The broader scope includes for example, specialist knowledge areas such as understanding motivations of terrorist groups and individuals, hostile reconnaissance, emerging attack methodologies, vehicle security barriers (VSB) and precinct security resilience.

The links provided in the above information should further contribute to your knowledge.

The following are recommended references to commence further learning and discussion.

Publication Notes

Note: Caution should be taken in using information of advice from other countries, for example assessments, currency, emergency phone numbers and terminology.

This Practitioner Session published November 2021. This topic is dynamic with information and practices being subject to change.  Professional advice from qualified security consultants/advisors or security trainers should be considered to ensure, among other issues, your specific context.

Feedback and questions welcomed –

© Protective Security Network, Sydney  –  All Rights Reserved. 2022.

error: Content is protected !!