With your plan of attack in hand, building data gathered from the data request, a flashlight and notebook, you can begin to perform the building security assessment. Here are some examples to consider as part of the review that are relative to the hierarchy of systems identified in part one of this series.
Editor’s note: This is part two of a two-part series. You can find more about preparing for a building security assessment of a large building in part one.
Understanding the electric distribution system in the building is key to successfully identifying weaknesses and system/component vulnerabilities and interdependencies. You need to ensure you understand the following:
- Where is the primary power entering the building? Is it in one location/vault, or are there multiple entry points?
- What about emergency power? Are there emergency generators on-site? If yes, how are they maintained and tested, and how are the generators refueled (as appropriate)?
- What about critical transfer switches, buses and motor control centers? Are they properly protected from inadvertent or unauthorized access?
- Are the normal and emergency power buses properly separated both physically and by how they power the industrial controls?
Water and waste water systems
Failure of these systems and their components can lead to immediate degradation of the facility. Also, their failure can lead to serious health and personnel safety concerns. Here are some questions to consider:
- Where are the water entry points and waste water exit points in the building? If there are more than one, are they on separate sides of the building? Are there any ways for the controls or manual values to cross-connect water and waste water?
- If any of the pipes are suspended in the ceiling of the parking garage, are they protected from inadvertent damage by a high-profile vehicle? What about intentional sabotage?
Internet fiber entry
Where the internet fiber trunk enters the building is especially important. Optimally, there are two separate entry points for internet into the building — especially if internet is critical to the performance of the occupants. Some key perspectives to inquire about are:
- Is the internet fiber trunk protected from flooding, fire, sabotage and unauthorized personnel access?
- If two entry points are provided, are they separated to opposite sides of the building, and are different internet carriers used, thus affording redundancy and resiliency?
Building management system
The building management system (BMS) is a critical industrial control that is essentially the heart of the building’s operations. The BMS normally operates heating/ventilation/air conditioning, chilled water, cooling towers, lighting and other key systems. The assessor needs to spend time with the building maintenance staff to identify how the system is used and how it is updated. A few key questions to include in your assessment are:
- Is the BMS computer connected to the internet? If so, this is a particularly bad practice and should be terminated as soon as practical. Connecting to the internet creates a short-circuit route for a malicious actor to gain access to the BMS and modify the system — to the detriment of the building owner/operator.
- How is the BMS software updated? Is it updated with patches from the vendor on controlled media or a simple email attachment? Again, it is important to ensure the BMS software integrity is controlled and sustained.
- Is the BMS software at the proper patch level? This can be checked by going to the U.S. Department of Homeland Security site, looking up the BMS software on the Alerts and Advisories pages and searching by vendor or BMS name.
There is still more to do
This article just barely scratches the surface on ways to conduct a large building security assessment of both cyber and physical risk. However, the intention is to provide some ideas on ways to organize approaches to key and critical systems and components rather than trying to chase every symptom of a problem.