We are about to begin a new decade, and in it consultants will be more responsible for designing controls systems to be safe and secure. ASHRAE released the latest in the Handbook series, HVAC Applications, in 2019 with updates to chapter 59 on HVAC security. This isn’t to be read as a comprehensive guide but as an informative introduction or refresher on the bigger picture.
Among the recommendations is for design engineers to add security specialists as consultants, whether for physical security systems, software specifications to protect automation and controls devices, or to review other hazards and risks for mitigation. This might seem daunting for designers, as a quick internet search shows a vast number of prospects with very arcane descriptions that in many cases would not apply to a building’s needs. For HVAC controls systems, the safety and security concerns that should be examined can be slimmed down considerably to avoid the noise of security scare sales pitches:
- Secure from outside penetrations from the internet that can reach building systems and software;
- Safe from contamination of air, water, or other sources that can damage equipment or harm occupants;
- Secure from permissions that let outsiders access the building or sensitive systems.
On cyberattacks, we have seen growth every year, with well over 70% of organizations surveyed reporting at least one type of attack. Among these are penetrations into the building management system. In the last few years the popular show Mr. Robot (https://en.wikipedia.org/wiki/List_of_Mr._Robot_episodes#Season_1_(2015), episode 4) has shown an attack of just that type, with the intrusion allegedly altering the HVAC operating conditions until the data center storage devices failed at multiple mirrored sites.
Other ways of damaging or shutting down a building include simply contaminating the ventilation air, whether by a natural event such as a forest fire or by a fume accident involving hazardous chemicals. Terrorism is also a real possibility, such as purposefully introducing chemical, biological, or radiological threats into the HVAC systems. As at many secure government sites of nations around the world, sensors can be deployed to monitor particulates in airstreams, with emergency provisions to adjust airflow accordingly. Since the IT equipment generally does not need fresh air, alerts would be triggered to ensure occupants are evacuated to safety even though the data center itself may continue to operate to support the critical mission needs.
There are a number of other ways an HVAC system can be compromised, and informed design engineers are providing solutions for many of these challenges with the aid of consultants who have experience mitigating weaknesses at other facilities that face weather, terrorism, and cyberattacks. In the coming decade, the hope is that we can keep improving and informing so as to be more vigilant with data centers of the past and of the future.